Corero
Blog & News

Separating DDoS Facts from Myths

October is Cybersecurity Awareness Month in the United States, an annual period when the government urges citizens and organizations alike to take steps to safeguard their cyber assets and provides tips for better cyber hygiene. It’s a worthy initiative, because consumers and organizations of all types face a daily onslaught of cyber threats. You may have heard of doing a proverbial spring cleanup; well, fall cleanup is important too. This is a good time, in the northern hemisphere at least, to assess which of your cyber practices and technologies should be tidied up, discarded, or upgraded.

It’s a Sisyphean task to defend against, and educate people on, constantly evolving cyber threats, but it must be done. Some of these threats, such as phishing emails and malware scams, can be prevented by instilling better cyber hygiene practices among business partners and employees. But many cyber threats must be contained with proven defenses at the network level.

It can be difficult to determine which threats are most dangerous and most imminent, and how to defend against them, because there is an overwhelming amount of information and opinion out there. In the midst of the constant fray of cyber threats, some cybersecurity myths unfortunately persist. This blog post attempts to clear the air regarding just a few of the common myths that surround distributed denial of service (DDoS) attacks and how organizations can protect themselves from them.

Myth #1: We’re not a likely target

Actually, many organizations, from across all industries and sectors, are targeted by DDoS attacks; it’s not limited to high-profile or large organizations. You may be targeted by an unscrupulous competitor, a random attacker looking to cause disruption or, increasingly, by a cybercriminal who wants to extort your organization with a ransom demand.

Myth #2: We’re already safe because we have plenty of bandwidth

Some organizations feel they should increase the size of their Internet connections, or server capacity, in an attempt to overpower any attacks that target them. First of all, if a cybercriminal wants to overwhelm your website or business application with a volumetric attack, you can be pretty sure that is what they will do, regardless of how much bandwidth your network has. Second, Corero’s DDoS research shows that the majority of DDoS attacks are not as high volume as you might expect; they are more typically short, sub-saturating attacks that are still able to disrupt services and result in downtime. Ironically, these negative impacts could be more easily accomplished if you have plenty of bandwidth.

Myth #3: Our Content Delivery Network (CDN) will protect us

Although CDNs can protect served content and websites from DDoS attacks, they do not prevent attacks directed at your organization’s public IP addresses that don’t go through the CDN. This can include attacks directly on the origin servers that feed the CDN, meaning the content it serves can become stale the longer a DDoS attack persists.

Myth #4: Our firewall and load balancers work well

While some commercially available network firewalls and web application firewalls (WAFs) can protect a business against application (layer 7) attacks, those are not typically distributed or volumetric in nature and only represent a tiny fraction of all denial of service (DoS) attacks – less than a few percent. Firewalls of any kind are no substitute for dedicated volumetric protection that blocks infrastructure attacks and keeps your business online.

Myth #5: Our homegrown, in-house solution does the job

Alas, modern DDoS attacks are too sophisticated to detect and accurately block with a homegrown solution. Criminals increasingly use multi-vector DDoS attacks that are automated and change every few minutes. Corero regularly sees eight or more different vectors in the course of an attack that may only last ten or twenty minutes, in order to evade legacy, homegrown, or manual approaches to DDoS defense. Also, homegrown and legacy DDoS mitigation tools, which are typically based on simple traffic thresholds, struggle to discern the difference between the latest DDoS attacks and regular (clean) traffic. As a result, such attacks still get through, and IT staff end up null-routing all traffic after the impact has already been experienced, which still takes their services offline and completes the attack for the cybercriminal. Furthermore, the cat-and-mouse process of fighting DDoS attacks in this way ties up a lot of valuable IT staff resource.

Myth #6: We have a static website as a backup in case of attack

That’s nice, but again, how many modern businesses can continue to function with such a simplistic fallback option? In this age of digital transformation, attackers are more likely to focus on disrupting web services and applications, interrupting customer and partner transactions and impacting business continuity.

Myth #7: We’re safe because we monitor our traffic levels for unusual spikes

Unless your website never has spikes of legitimate traffic, you can’t “look out for them”, because that is almost certain to result in highly damaging false positives, blocking significant amounts of good traffic. It’s virtually impossible to manually discern good traffic from bad traffic, and certainly not at a pace that can prevent the damage from a DDoS attack, which is why automated, granular DDoS mitigation is now so important.
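
The threshold problem described in Myths #2, #5 and #7, as an added example that is not from the original post and does not represent Corero's detection method: a fixed volume threshold is compared with a per-class share check on constructed per-minute samples. The traffic classes, the 1000 Mbps link, the 600 Mbps threshold, the 20-point share limit and every traffic figure are assumptions made for illustration.

```python
# Constructed per-minute samples (Mbps per traffic class) on an assumed
# 1000 Mbps link. These are illustrative values, not real measurements.
SAMPLES = {
    "normal":         {"tcp_https": 180, "udp_dns": 15, "udp_ntp": 5},
    "flash_crowd":    {"tcp_https": 680, "udp_dns": 18, "udp_ntp": 5},    # legitimate spike
    "sub_saturating": {"tcp_https": 175, "udp_dns": 15, "udp_ntp": 150},  # short, low-volume attack
}
BASELINE = SAMPLES["normal"]
VOLUME_THRESHOLD_MBPS = 600  # assumed alert level for the simple approach
SHARE_RISE_LIMIT = 0.20      # assumed: a class may gain at most 20 points of traffic share


def volume_alert(sample):
    """Simple threshold: alert when total traffic exceeds a fixed level."""
    return sum(sample.values()) > VOLUME_THRESHOLD_MBPS


def shares(sample):
    """Fraction of total traffic carried by each class."""
    total = sum(sample.values())
    return {cls: rate / total for cls, rate in sample.items()}


def suspicious_classes(sample, baseline=BASELINE):
    """Per-class check: classes whose share of the mix rose abnormally."""
    base, now = shares(baseline), shares(sample)
    return sorted(c for c in now if now[c] - base.get(c, 0.0) > SHARE_RISE_LIMIT)


def compare():
    """Run both checks over every sample: (volume alert, flagged classes)."""
    return {name: (volume_alert(s), suspicious_classes(s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vol, classes) in compare().items():
        print(f"{name:15} volume_alert={vol!s:5} suspicious={classes}")
```

The volume threshold fires on the legitimate flash crowd and stays silent during the sub-saturating attack, while the per-class check flags only the one class whose share jumped, so a response can be scoped to that class instead of null-routing all traffic.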

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.