Reviving a two-year-old thread might be considered a little faux pas, but that doesn’t render your question invalid. I’ve relocated it to a separate topic to avoid resurrecting past discussions.
In essence, envision iptables as a sturdy brick wall. If I were to approach it with a hammer, it might hold up reasonably well. Depending on its construction, it might even withstand a sledgehammer. However, if a barrage of ballistic missiles is unleashed upon it, the wall stands little chance, irrespective of its construction.
It’s crucial to recognize that iptables is a piece of software, and every operation it performs incurs a cost in terms of CPU and memory. The objective of a DDoS attack is to escalate this cost to an unsustainable level. Hence, it’s advisable to keep your firewall distinct from your server to prevent your security resources from being consumed by your Minecraft binary.
Even if voipms were entirely locked down, a determined attacker could employ a larger botnet to exhaust resources. Each dropped packet in your rules represents a nibble at your resources. However, the challenge lies in the fact that such services, like voipms, cannot be completely secured because they function as ITSPs, requiring people to connect to them. They lack the luxury of erecting absolute walls, making connection attacks against legitimate services a notable attack vector. Moreover, these services operate higher up in the stack, and the resources needed to reject or ignore a connection are more substantial.
To sum it up, firewall rules do matter, but they can be circumvented. The moment you introduce openings due to business necessities, the circumvention becomes more rapid. This complexity also leads you down additional paths, such as session border controllers, highlighting that security is seldom a straightforward solution akin to a hammer meeting a nail.
Side note on the cost:
Netscout’s researchers analyzed 19 DDoS-for-hire groups that claim to have successfully launched over 10 million attacks in total.
Many service providers often offer flexible payment plans based on the attack configuration, duration, and power measured in bandwidth and throughput.
Some offer free tests, while others charge a nominal fee of $5 for a five-day trial. A full attack that includes 100 concurrent attacks, no daily limits, and a committed 1 million packets per second (Mpps) costs a mere $6,500.
One DDoS-for-hire service provider claims to offer a 1 Tbps attack size using 150,000 bots for $2,499. The report’s authors note, however, that they have yet to observe such an attack range actually achieved by the group in real life.
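Added example, not part of the post above or of any project it mentions: a small script that turns two `iptables -nvxL` snapshots of the INPUT chain into per-rule packet rates, and then into the number of packets per second each rule had to *evaluate*. That second number is the "nibble at your resources" the post refers to: a flood that is only dropped at rule 3 has already been tested against rules 1 and 2, so moving the drop earlier (or into the `raw` table, ahead of conntrack) directly reduces CPU spent per flood packet. The two snapshots are constructed for the example, the INPUT chain name and the 10 s interval are assumptions, and the parser follows the legacy `iptables -nvxL` column layout (pkts, bytes, target, prot, opt, in, out, source, destination, match details).

```python
"""Rank iptables rules by packet rate between two `iptables -nvxL` snapshots.

Example code added for this thread, not taken from the original post.
The snapshots below are constructed; the INPUT chain name is an assumption.
"""
import re
from dataclasses import dataclass, field

# Built-in chain header: "Chain INPUT (policy DROP 1200 packets, 96000 bytes)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# Rule row: pkts bytes target prot opt in out source destination [match details]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)

# Constructed sample: a SIP host under a UDP/5060 flood, two snapshots 10 s apart.
INTERVAL_SECONDS = 10
SNAPSHOT_T0 = """\
Chain INPUT (policy DROP 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  120000   98000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5000     400000 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 limit: avg 200/sec burst 400
  800000   64000000 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
"""
SNAPSHOT_T1 = """\
Chain INPUT (policy DROP 1300 packets, 104000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  130000  106000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7000     560000 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 limit: avg 200/sec burst 400
 3300000  264000000 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
"""


@dataclass
class Rule:
    target: str
    match: str
    pkts: int
    bytes: int


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int
    policy_bytes: int
    rules: list = field(default_factory=list)


def parse_snapshot(text):
    """Parse `iptables -nvxL` output into {chain_name: Chain} (built-in chains only)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            chains[current.name] = current
            continue
        if line.startswith("Chain "):  # user-defined chain header (no policy); not tracked here
            current = None
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):  # blank or column header
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.rules.append(Rule(m.group(3), m.group(10).strip(), int(m.group(1)), int(m.group(2))))
    return chains


def rule_rates(before, after, seconds, chain="INPUT"):
    """Packets/s per rule between two snapshots. Position 0 is the chain policy.

    Counters are positional, so this assumes no rule was added or removed in between.
    """
    b, a = before[chain], after[chain]
    if len(b.rules) != len(a.rules):
        raise ValueError("rule count changed between snapshots")
    rates = [(0, f"policy {a.policy}", "", (a.policy_pkts - b.policy_pkts) / seconds)]
    for i, (rb, ra) in enumerate(zip(b.rules, a.rules), start=1):
        rates.append((i, ra.target, ra.match, (ra.pkts - rb.pkts) / seconds))
    return rates


def evaluations_per_second(rates):
    """Packets/s each rule had to evaluate, not merely match.

    A packet that terminated at position i was first tested against every earlier rule;
    a packet that fell through to the policy was tested against all of them.
    Assumes only terminating targets (no LOG, RETURN or jumps into user chains).
    """
    policy_pps = next(pps for pos, _, _, pps in rates if pos == 0)
    out = []
    for pos, target, match, pps in rates:
        if pos == 0:
            continue
        evaluated = policy_pps + sum(p for q, _, _, p in rates if q >= pos)
        out.append((pos, target, match, pps, evaluated))
    return out


if __name__ == "__main__":
    rates = rule_rates(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1), INTERVAL_SECONDS)
    for pos, target, match, pps, evaluated in evaluations_per_second(rates):
        print(f"rule {pos}: {target:<8} {pps:>10.0f} pps matched  {evaluated:>10.0f} pps evaluated  [{match}]")
```

In the constructed sample the flood is matched by the DROP at position 3 at 250,000 pps, but the conntrack ACCEPT at position 1 is evaluated at 251,210 pps and the rate-limited ACCEPT at 250,210 pps: almost all of the chain's work is spent on packets that are dropped anyway. Taking two real snapshots (`iptables -nvxL INPUT` with `sleep 10` between them) and feeding them to `rule_rates` is the quickest way to see which rule a flood actually lands on and how much of the chain it drags along.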