How to Handle DDoS Attacks: A Critique of DDoS Myths
A recent TechSpective article listed 20 ways to help prevent a distributed denial of service (DDoS) attack. Some of the suggestions are helpful, but many of them have little benefit against the types of DDoS attacks which are common today. So, in the interest of busting some DDoS myths, this blog puts the recommendations in context. It may be worth reading the entire article to fully appreciate the “20 ways” which are proposed but, for the sake of brevity, I’ve pared them down to the essentials, and listed my counterpoints next to each one.
The truth is, this step won’t be overly helpful. Over-provisioning is an expensive approach which has little impact on protecting against the largest DDoS attacks and no effect at all on stopping the much smaller, surgical, “dark DDoS” attacks.
This is sound advice, in general, which may help protect you from large attacks, but it will have no effect at all on stopping surgical “dark DDoS” attacks, or the impact of the targeted exfiltration attacks which these often mask.
The author wrote, “A DDoS action plan might include using automated reports to send an internal alert when your traffic increases beyond normal levels.”
Monitoring for abnormal traffic levels can detect very large attacks, but it is also prone to false positives (blocking spikes in legitimate traffic), and it will certainly not detect surgical “dark DDoS” attacks.
Improving IoT security is a general best practice, but securing your own IoT devices will not prevent hackers from creating a botnet made up of the millions of other unsecured IoT devices around the world and then using those to attack you.
The author wrote, “The best way to detect a DDoS attack is to look out for these abnormal spikes in traffic to your website. Stay alert, monitor traffic and set thresholds for automated reports when these are exceeded.” This is similar to the advice about creating an action plan: unless your website never sees spikes of legitimate traffic, you can’t simply “look out for them”, because doing so is almost certain to result in false positives that block significant amounts of good traffic. It is virtually impossible to manually discern good traffic from bad, and certainly not in time to prevent the damage from a DDoS attack, which is why an automated, granular DDoS mitigation solution is important.
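To make the false-positive and false-negative problem concrete, here is an added example (not from the original post or from Corero) that runs a fixed “traffic beyond normal levels” threshold and a simple per-source concentration check over constructed one-second traffic samples; the link capacity, sample values and the idea of keying on the busiest /24 are all assumptions made for illustration.

```python
from dataclasses import dataclass

LINK_CAPACITY_MBPS = 1000  # constructed: a 1 Gbps uplink


@dataclass(frozen=True)
class Sample:
    label: str            # ground truth for this constructed second
    mbps: float           # total inbound rate
    top_src_share: float  # fraction of bytes from the single busiest /24


# Constructed one-second samples: ~100 Mbps baseline with no /24 above ~6%.
SAMPLES = [
    Sample("normal", 100, 0.05), Sample("normal", 110, 0.04),
    Sample("normal", 95, 0.06), Sample("normal", 105, 0.05),
    Sample("flash_crowd", 600, 0.04),  # real users after a product launch
    Sample("dark_ddos", 180, 0.70),    # short sub-saturating burst, one /24
    Sample("normal", 102, 0.05),
]


def volume_threshold_alerts(samples, fraction=0.5):
    """'Traffic beyond normal levels': alert when the total rate exceeds a
    fixed fraction of link capacity. Returns labels of seconds that alerted."""
    limit = LINK_CAPACITY_MBPS * fraction
    return [s.label for s in samples if s.mbps > limit]


def concentration_alerts(samples, max_share=0.5):
    """Granular check on traffic composition rather than volume: alert when
    a single /24 carries most of the bytes. Illustrative only: as the post
    notes elsewhere, spoofed source addresses defeat naive per-source logic,
    so real mitigation inspects far more than one dimension."""
    return [s.label for s in samples if s.top_src_share > max_share]


def evaluate(detector, samples):
    """Count false positives (legitimate seconds flagged) and missed attacks
    (dark_ddos seconds that produced no alert) for a detector."""
    flagged = detector(samples)
    false_positives = sum(1 for lbl in flagged if lbl != "dark_ddos")
    attacks = sum(1 for s in samples if s.label == "dark_ddos")
    missed = attacks - flagged.count("dark_ddos")
    return {"false_positives": false_positives, "missed_attacks": missed}


if __name__ == "__main__":
    for detector in (volume_threshold_alerts, concentration_alerts):
        print(detector.__name__, evaluate(detector, SAMPLES))
```

The volume threshold flags the legitimate flash crowd and never sees the 180 Mbps burst, which is exactly the pair of failure modes the post describes.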
Yes, a CDN can be helpful for protecting served content and websites from large attacks, but it is not at all effective in stopping surgical “dark DDoS” attacks on your own public IP addresses which don’t go through the CDN. Furthermore, as was mentioned in the article, CDNs are not cheap.
Yes, regular penetration testing is a good approach, if you can find a window in which you can risk the test attacks taking you offline. You should also make sure you test short, sub-saturating attacks as well as those which are long-duration and saturating.
“Purchasing a dedicated server will give you more bandwidth and greater control over security. Unlike co-location servers, dedicated servers’ hardware and infrastructure will be managed by a third-party provider. Dedicated servers can also be purchased with automatic DDoS attack mitigation in the event of an attack and you’ll receive support from your provider.”
The above piece of advice is confusing. I would put it more simply: choose a hosting provider who can give you DDoS protection as a service!
It’s always wise to educate your customers in best practices for cyber security, but this is no way to ensure DDoS protection. Your users—whether they are customers or employees—have no control over preventing a DDoS attack. Even if they did, you could not count on them to be infallible; human error is inevitable.
Yes, if you train someone they’ll better understand what’s really needed to protect from DDoS of all types, and they’ll know what to do to minimize the impact in the event of an attack. Their training can help you choose the best defense solution, and will help you deal with the fallout from an attack, but as the old saying goes, “an ounce of prevention is worth a pound of cure.”
This may protect you from collateral damage due to attacks on other hosted customers, but likely only if the provider has DDoS protection in place.
“A lot of network hardware is capable of mitigating certain types of DDoS attacks. For example, many commercially available network firewalls and load balancers can protect a business against layer 4 attacks (protocol attacks) and application-layer attacks.”
This may be helpful for application attacks, but these are a tiny fraction of all attacks – less than a few percent. It is no substitute for dedicated volumetric protection, which can block infrastructure attacks and keep you online.
This might help but, most often in the case of DDoS, it is someone else’s vulnerable device/software (e.g., WordPress pingback) which is being exploited to attack you.
Yes, this helps protect from application attacks, but these are a tiny fraction of all attacks – less than a few percent. As with recommendation #12, it is no substitute for dedicated volumetric protection, which can block the attacks and keep you online.
This is rather ineffective advice – if you try this, attackers will just use traffic with variable spoofed source addresses, which look to be legitimate. If you think you need to do this, you should be deploying proper DDoS protection.
Yes, but this is slow and you’ll likely already be offline due to the attack and stay offline the whole time your ISP is null-routing your traffic. The best advice is to pick a provider that offers always-on, automatic DDoS protection as an added service.
This is typically a manual and static process, so it is hard to do accurately without risking large numbers of false positives or negatives.
Same as recommendation #17 – it’s a manual and static process, so it is hard to do accurately without risking large numbers of false positives or negatives.
“If a DDoS attack strikes, there’s no use trying to cover it up. Your customers will know and your service desk or customer service will get buried with emails, phone calls and social media messages.” This is sound advice, but seldom easy, because when your network or website is down it is more difficult to communicate widely to your stakeholders/customers. Many organizations under DDoS attack turn to Twitter to communicate externally, but that platform is only moderately effective at reaching all of your customers or end-users.
Yes, of course this is a best practice for your stakeholders. It’s important to analyze what happened, so as to understand the weaknesses in your network security and prevent a repeat.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, whom he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.