6 DDoS Attack Protection Myths
Having been in the business of DDoS protection for many years, Corero has seen plenty of bad advice thrown around by various cyber pundits. Below are a few nuggets of bad advice, and our response to them.
1. Content Delivery Networks Offer Protection
So you think your CDN can distinguish between legitimate traffic and bad traffic, and easily swing the bad traffic out for cleaning? Think again. A CDN alone is not designed to provide security; it might be able to absorb some attacks, but not all. Make sure you check whether it supports specific DDoS mitigation capabilities and whether they are included with your service. Either way, a CDN-based service alone is unlikely to protect you fully from modern DDoS attacks.
2. Cloud-based DDoS Mitigation is Enough
Wrong – Cloud-based protection is typically based on legacy approaches to DDoS, which are designed to mitigate large, persistent, brute-force, volumetric attacks. They are typically slow to react, often fail to protect vulnerable services from the initial effects of these attacks, and can miss today’s surgically-crafted DDoS attacks altogether. Plus, if the cloud service does mitigate an attack, you’ll likely pay a high price for it, on top of your monthly fee, based on the size and duration of the incident, which could range from thousands to millions of dollars.
3. Most DDoS Attacks Are Meant to Bring Down an Entire Organization
Although they continue to grab the headlines, only a small minority of today’s DDoS attacks are large enough to cripple an entire organization; the majority are just large enough to knock out a specific server, website, or web application. These ‘surgical’ attacks are small enough in volume and duration that traditional/legacy DDoS solutions don’t notice them at all, or can’t react in time to effectively mitigate them. Our research has found that the vast majority (93%) of DDoS attacks are these low-threshold, short-duration attacks, which are increasingly used for extortion purposes, or serve as a smokescreen for more nefarious activities.
4. A Firewall Can Protect Against DDoS Attacks
Firewalls are not effective against complex DDoS attacks and, instead, can either act as DDoS entry points, or be the actual target of an attack. The challenge, by definition, is that they are stateful, which means they have to keep track of traffic flows in order to deliver their protection effectively and efficiently. The limits on the internal memory and processing resources required to track all of this state information make them a soft target for DDoS attackers, who can easily overwhelm those resources with specific attack techniques, taking your whole network offline.
5. Blacklists and Whitelists Can Control Access
It is not easy, or wise, to rely on black/whitelists to control who has access to your network. By their very nature they are static, based on what happened in the past, and are typically outdated the moment you apply them. They can be helpful for reducing the background noise of unwanted traffic, but have limited effectiveness when you become the specific target of an attack, as those will often emanate from sources that you wouldn’t ordinarily treat as suspicious, and so would never have included in your blacklist.
6. Traffic Thresholds are Sufficient for DDoS protection
OK, so you have an alert set when traffic spikes: big deal. That alert does nothing to prevent or stop a DDoS attack from happening; it only monitors the situation so you can then call up your DDoS scrubbing service. But guess what: by the time the DDoS traffic spike is noticed, and mitigation begins, twenty or thirty minutes will likely have passed, by which time the damage will be done. At best, your website or application will be down and need recovering by your IT team, but there is also the chance that the perpetrators will have carried out more nefarious activities during this period, leaving you open to critical information being taken.
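To make the point of myths 3 and 6 concrete, here is an added example (not Corero's code, and not from the original post) that compares a coarse, threshold-based detector with a per-second one on a constructed traffic series. The 5-minute window, the 1000 Mbit/s threshold, the baseline multiple and the 45-second burst are all assumptions chosen for illustration.

```python
"""Added example: why coarse, threshold-based DDoS detection misses
short 'surgical' attacks that a per-second detector catches at once.

Assumptions (constructed, not from the article): a per-second series of
inbound traffic in Mbit/s; a legacy detector that averages each 5-minute
window and alerts above 1000 Mbit/s; a per-second detector that alerts
when the rate exceeds a baseline multiple for a few consecutive seconds.
"""
from statistics import mean

LEGACY_WINDOW_S = 300            # assumed 5-minute collection interval
LEGACY_THRESHOLD_MBPS = 1000.0   # assumed volumetric alert threshold


def constructed_traffic(baseline=100.0, burst_mbps=3000.0,
                        burst_start=120, burst_len=45, total=600):
    """Constructed sample: steady baseline with one short burst."""
    return [burst_mbps if burst_start <= t < burst_start + burst_len
            else baseline for t in range(total)]


def legacy_alert_seconds(series, window=LEGACY_WINDOW_S,
                         threshold=LEGACY_THRESHOLD_MBPS):
    """Alert only when a whole window's average crosses the threshold.
    Returns the second (end of window) at which each alert would fire."""
    return [end for end in range(window, len(series) + 1, window)
            if mean(series[end - window:end]) > threshold]


def realtime_alert_second(series, baseline_mult=5.0, sustain=3, warmup=60):
    """Per-second detector: learn the baseline from a warm-up period and
    alert once the rate exceeds baseline*mult for `sustain` seconds in a row.
    Returns the second of the alert, or None if nothing was flagged."""
    baseline = mean(series[:warmup])
    run = 0
    for t, mbps in enumerate(series):
        run = run + 1 if mbps > baseline * baseline_mult else 0
        if run >= sustain:
            return t
    return None


if __name__ == "__main__":
    s = constructed_traffic()
    # A 45 s burst at 3 Gbit/s averages out to 535 Mbit/s over the
    # 5-minute window, so the legacy detector never fires; the per-second
    # detector flags it at second 122, three seconds after it starts.
    print("legacy alerts at seconds:", legacy_alert_seconds(s))
    print("per-second alert at second:", realtime_alert_second(s))
```

Lengthening the burst to 150 seconds is enough to push the window average over the legacy threshold, but the alert still only fires at the end of the window, long after the per-second detector has reacted.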
The above myths are just a sample of the many DDoS myths floating around; unfortunately, too many people don’t have the facts to know any better. A modern DDoS Protection Solution is one that detects and blocks DDoS attacks of all types and sizes, in real-time, all the time.
If you’d like to learn more, please contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.