Can firewalls prevent denial of service attacks ? What other methods are available to deal with such attacks?

What will be an ideal response?

---

Since a firewall is simply another computer system placed in front of some intranet services that require protection, it is unlikely to be able to prevent denial of service (DoS) attacks for two reasons:
• The attacking traffic is likely to closely resemble real service requests or responses.

• Even if they can be recognized as, a successful attack is likely to produce malicious messages in such large quantities that the firewall itself is likely to be overwhelemed and become a bottleneck, preventing communication with the services that it protects.
Other methods to deal with DoS attacks: no comprehensive defence has yet been developed. Attacks of the type, which are dependent on IP spoofing (giving a false ‘senders address’) can be prevented at their source by checking the senders address on all outgoing IP packets. This assumes that all Internet sites are managed in such a manner as to ensure that this check is made - an unlikely circumstance. It is difficult to see how the targets of such attacks (which are usually heavily-used public services) can defend themselves with current network protocols and their security mechanisms. With the advent of quality-of-service mechanisms in IPv6, the situation should improve. It should be possible for a service to allocate only a limited amount of its total bandwidth to each range of IP addresses, and routers thorughout the Internet could be setup to enforce these resource allocations. However, this approach has not yet been fully worked out.