
The Top 5 DDoS Protection Myths

As leaders in the DDoS protection industry for over a decade, Corero has witnessed plenty of bad advice thrown around by various cyber “experts.” Below are the top 5 myths we have heard over the years, with our perspective on each:

1. Content Delivery Networks Offer Total Protection

It is a common misconception that the protection offered by your CDN is the only DDoS protection you need; that is simply not the case. While your CDN may be able to protect your website and the data that it distributes around the globe for you, it typically does not protect any assets that you connect directly to the Internet. These assets include any data or content living on your own servers, including any origin source files that a CDN distributes, and they remain at risk of a DDoS attack. Corero experts recommend investing in on-premises protection to ensure access to your source data is not impacted by the threat from DDoS.

2. Cloud-based DDoS Mitigation Is All You Need

Enterprises commonly believe that they are adequately protected against DDoS attacks with an on-demand cloud-based service. However, many are now recognizing that always-on protection, such as a hybrid solution that includes an always-on, on-premises component, is required to deliver the most effective DDoS protection. The challenge with many cloud protection services is that they are based on legacy detect-and-redirect approaches to DDoS. This on-demand architecture cannot prevent downtime and is only capable of getting a victim organization back online after it has already been impacted by an attack. As attacks have increased in sophistication, smaller attacks are now just as damaging and are increasingly missed altogether by on-demand solutions. Cloud-based solutions are typically slow to react and fail to protect vulnerable services from the initial impact of DDoS attacks and the negative effect they have on business continuity. Cloud-only solutions typically leave you paying for downtime and at risk of further attacks.

3. Most DDoS Attacks Bring Down an Entire Organization

Although it’s the biggest attacks that continue to grab the headlines, most attacks are just large enough to knock out a specific server, website, application, or service. These ‘surgical’ attacks are small enough in volume and duration that traditional legacy DDoS solutions may not notice them and cannot react in time to effectively mitigate them. Our research consistently finds that the vast majority of DDoS attacks are now low-threshold, short-duration attacks, and these are increasingly used for ransom extortion purposes.

4. A Firewall Can Protect Against DDoS Attacks

Firewalls are not effective against DDoS and, instead, can be the actual target of an attack. The challenge, by definition, is that modern firewalls are stateful, which means they must keep track of traffic flows in order to deliver their protection effectively and efficiently. Their limits on internal memory and the processing resources required to track all of this state information make them a soft target for DDoS attackers, who can easily overwhelm those resources with specific attack techniques, taking the whole network behind them offline.
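The state-tracking limit described above can be seen in a small model. This is an added example, not Corero's code or any product's behaviour: the table size, the single idle timeout and the flow rates are constructed numbers, and real firewalls use different timeouts per connection state.

```python
from collections import OrderedDict

class FlowTable:
    """Fixed-size flow state table with an idle timeout (toy model)."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.flows = OrderedDict()   # flow key -> last-seen time, oldest first

    def admit(self, key, now):
        """Track a packet's flow; return False if there is no room for new state."""
        # Age out idle entries, oldest first.
        while self.flows and now - next(iter(self.flows.values())) >= self.idle_timeout:
            self.flows.popitem(last=False)
        if key in self.flows:
            self.flows[key] = now
            self.flows.move_to_end(key)
            return True
        if len(self.flows) >= self.capacity:
            return False             # table full: the new flow is dropped
        self.flows[key] = now
        return True


def simulate(capacity, idle_timeout, legit_per_s, unwanted_per_s, seconds):
    """Return (legit flows admitted, legit flows offered, peak table occupancy)."""
    table = FlowTable(capacity, idle_timeout)
    admitted = offered = peak = 0
    total = legit_per_s + unwanted_per_s
    for t in range(seconds):
        for i in range(total):
            # Spread the legitimate flows evenly among the unwanted ones.
            is_legit = (i + 1) * legit_per_s // total != i * legit_per_s // total
            ok = table.admit(("legit" if is_legit else "unwanted", t, i), t)
            if is_legit:
                offered += 1
                admitted += ok
            peak = max(peak, len(table.flows))
    return admitted, offered, peak


if __name__ == "__main__":
    # Constructed numbers: 1,000-entry table, 30 s idle timeout, 20 new legitimate flows/s.
    print("normal load :", simulate(1000, 30, 20, 0, 120))
    print("under flood :", simulate(1000, 30, 20, 100, 120))
```

Steady-state occupancy is roughly new-flow rate times idle timeout, so once that product exceeds the table size the firewall drops new flows regardless of who sent them, which is why state capacity belongs in DDoS planning alongside bandwidth.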

5. Traffic Thresholds Are Sufficient for DDoS Protection

OK, so you are trying some homegrown defenses, and you have an alert set for when traffic spikes occur. That alert does nothing to prevent or stop a DDoS attack from happening, or even to distinguish it from a burst of legitimate traffic; it only monitors the situation. You still need to decide what action to take: either issuing your own blackhole and taking your attacked service completely offline, or calling up your DDoS scrubbing service. And guess what: by the time that DDoS mitigation begins, ten or twenty minutes will have passed, by which time the damage will definitely already be done. Minutes, or even seconds, of downtime can hurt your brand and easily cost you tens of thousands of dollars. At best, your website or service will be down and will need recovering by your IT team, but there is also the chance that the perpetrators will have carried out more nefarious activities during this period, leaving you open to critical information being exfiltrated.

Final Thoughts

The above DDoS myths are just a sample of the many floating around; unfortunately, too many people are unaware of the danger that a DDoS attack brings to an organization or don’t have the facts to know any better. A modern DDoS Protection Solution is one that detects and blocks DDoS attacks of all types and sizes, in real-time, all the time.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.