Corero

Top 6 DDoS Attack Protection Myths to Look Out For

As leaders in the DDoS protection industry for over a decade, Corero has witnessed plenty of bad advice thrown around by various cyber “experts.” Below are just a few of the myths we have heard over the years, with our perspective on them:

1. Content Delivery Networks Offer Protection

It is a common misconception that the protection offered by your CDN is the only DDoS protection you need; that is typically not the case. While your CDN may be able to protect your website and the associated content it distributes across the globe for you, it usually does not protect any of your services and assets that connect directly to the Internet. These assets include any data or content living on servers you host, the origin files that the CDN distributes, and even remote access for your employees. This means that even with CDN DDoS protection, you can still be at risk from an attack. Corero experts recommend also investing in an on-premises solution to protect your origin files and data, as well as other critical services, against the business continuity impact of DDoS.

2. Cloud-Based DDoS Mitigation Is All You Need

Many enterprises believe that they are completely protected against DDoS attacks with a cloud-based scrubbing solution. However, industry experts are now recognizing that a hybrid solution, which includes an always-on on-premises component, is required to deliver the most effective DDoS protection. Cloud protection services are largely based on legacy detect-and-redirect approaches to DDoS, which were designed to help get organizations back online after being hit by large, persistent attacks. As attacks have increased in sophistication, small attacks are just as damaging and are easily missed by solutions that rely on this legacy approach. Cloud-based solutions are typically slow to react and fail to protect vulnerable services from the initial impact of DDoS attacks and the negative effect they have on business continuity. Cloud-only solutions typically leave you paying for downtime and at risk of further attacks. Even cloud DDoS solutions that now offer always-on options are often not ‘always-protecting’, as they still rely on the legacy detect-and-redirect approach within their scrubbing clouds. This means you are still impacted by a DDoS attack for the time it takes that mitigation to engage.

3. Most DDoS Attacks Are Meant to Bring Down an Entire Organization

Although we continue to see the ‘next biggest attack’ grabbing the headlines, most attacks are now sized to be just large enough to knock out a specific server, website, or service. These ‘surgical’ attacks are small enough in volume and duration that traditional legacy DDoS solutions struggle to deal with them and cannot react in time to mitigate them effectively. Our research consistently finds that the vast majority of attacks are now low-threshold and short in duration, and they are increasingly used for extortion purposes.

4. A Firewall Can Protect Against DDoS Attacks

Firewalls are not effective against DDoS attacks and, instead, can either act as DDoS entry points or be the actual target of an attack. The challenge is that firewalls are, by definition, stateful: they must keep track of traffic flows in order to deliver their protection effectively and efficiently. The limits on the internal memory and processing resources required to track all of this state information make them a soft target for DDoS attackers, who can easily overwhelm those resources with specific attack techniques, taking the whole network behind them offline.

5. Block and Allow Lists Can Control Access

It is not easy, or wise, to rely on block/allow lists to control who has access to your network. By their very nature they are static, based on what happened in the past, and are typically outdated the moment you apply them. They can be helpful for reducing the background noise of unwanted traffic, but they have limited effectiveness when you become the specific target of a DDoS attack, as those attacks will often emanate from sources that you would not ordinarily treat as suspicious and therefore would not already have on your block list.

6. Traffic Thresholds are Sufficient for Triggering DDoS Protection

OK, so you are trying to ensure you are properly protected, and you have an alert set for when traffic spikes: big deal. That alert does nothing to prevent or stop a DDoS attack from happening; it only monitors the situation so you can then call up your DDoS scrubbing service, leaving your network still exposed. And, guess what: by the time the DDoS mitigation begins, ten or more minutes will likely have passed, by which time the damage will already be done. Minutes, or even seconds, of downtime can hurt your brand image and cost you tens of thousands of dollars. At best, your website or service will be down and will need recovering by your IT team, but there is also the chance that the perpetrators will have carried out more nefarious activities during this period, leaving you open to critical information being exfiltrated.
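To make myths 3 and 6 concrete, here is an added example (not Corero's code) that runs two detection approaches over constructed per-second flow counts: a single link-wide traffic threshold, and a per-service baseline. The service names, packet rates and the "surgical" burst against the VPN gateway are all constructed for illustration, as is the detect-and-redirect engagement delay.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (second, destination service, packets in that second).
# Ten seconds of steady background load on three services, plus a short, low-volume
# burst aimed only at the VPN gateway in seconds 4-6 (the 'surgical' attack).
SAMPLE_FLOWS = []
for sec in range(10):
    SAMPLE_FLOWS += [(sec, "web", 5000), (sec, "dns", 800), (sec, "vpn", 200)]
for sec in (4, 5, 6):
    SAMPLE_FLOWS.append((sec, "vpn", 3000))  # attack traffic on top of the baseline

def per_second_totals(flows):
    """Aggregate packets per second across all destinations (the link-level view)."""
    totals = defaultdict(int)
    for sec, _svc, pkts in flows:
        totals[sec] += pkts
    return dict(totals)

def global_threshold_alerts(flows, threshold):
    """Legacy approach: alert only when total inbound traffic crosses one fixed threshold."""
    return sorted(sec for sec, total in per_second_totals(flows).items() if total > threshold)

def per_service_alerts(flows, warmup=3, multiplier=3.0):
    """Per-destination baseline: learn each service's normal rate from the first
    `warmup` seconds, then flag any later second where it exceeds multiplier x baseline."""
    rates = defaultdict(lambda: defaultdict(int))
    for sec, svc, pkts in flows:
        rates[svc][sec] += pkts
    alerts = {}
    for svc, by_sec in rates.items():
        base = median(by_sec[s] for s in sorted(by_sec) if s < warmup)
        hits = sorted(s for s, p in by_sec.items() if s >= warmup and p > base * multiplier)
        if hits:
            alerts[svc] = hits
    return alerts

def unmitigated_seconds(alert_seconds, engage_delay, attack_start, attack_end):
    """Seconds of attack traffic that reach the target before a detect-and-redirect
    mitigation engages `engage_delay` seconds after the first alert (all of it if no alert)."""
    if not alert_seconds:
        return attack_end - attack_start
    return min(attack_end, alert_seconds[0] + engage_delay) - attack_start

if __name__ == "__main__":
    # A 10,000 pps 'spike' alert never fires: the attack adds only 3,000 pps to a 6,000 pps link.
    print("global threshold alerts:", global_threshold_alerts(SAMPLE_FLOWS, 10000))
    print("per-service alerts:", per_service_alerts(SAMPLE_FLOWS))
```

Even when the per-service detector fires in the first second of the burst, every second of engagement delay is a second the target absorbs unfiltered traffic, which is the gap an always-on on-premises layer is meant to close.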

Closing Thoughts

The above DDoS myths are just a sample of the many floating around; unfortunately, too many people are unaware of the danger that a DDoS attack brings to an organization, or don’t have the facts to know any better. A modern DDoS protection solution is one that detects and blocks DDoS attacks of all types and sizes, in real time, all the time.