Even though distributed denial-of-service (DDoS) attacks are more prevalent than ever, there remains unsubstantiated myths around them.
DDoS attacks have the potential to cripple your online business by damaging client relationships and putting a dent in financial revenue. Even worse, these threats are constantly evolving with new technologies and increasingly complex strategies. It doesn’t matter if your business is a worldwide banking institution or a
local florist - it’s likely your organization may be the target of a DDoS attack.
We put together a list of seven common myths that continue to persist about DDoS attacks.
Myth #1: “Only ____ Matters”
Does this sound familiar to you?
“Only bandwidth matters”
Not really. High packets-per-second (PPS) and application layer attacks get through even if you have a high bandwidth.
“Only a strong router matters”
Unfortunately, no. A strong router will not help if your bandwidth is saturated, or you have an application layer attack.
“Only validating that my web server is fully protected matters.”
You’ll probably be protected against some application layer attacks, but high requests per second (RPS) attacks will still get through. And what if your bandwidth is saturated?
“Only blocking certain user-agents matters”
This solution is partial and can be by-passed by more advanced attacks.
And the list goes on. Security staff can check off one solution and say, “DDoS? I’ve dealt with it by doing X”. The reality is that attackers don’t care about what is protected, they will go after what you haven’t protected.
The fill-in-the-blank can represent many things, but a partial solution is not enough against DDoS attacks. It’s possible that the Internet protocols you currently use will be enough to shield your site from a DDoS threat. Data culled from our
Q4 2015 Global DDoS Threat Landscape Report confirms that an increase in high-volume assaults can easily flood any network.
Myth #2: “I Am Not a Target”
Many people still believe that DDoS attacks are only directed at large global institutions like banks and insurance companies. This is no longer the case. Dating sites, online
gaming sites, and small, local businesses (like catering companies) often fall prey to Internet criminals too.
Myth #3: “DDoS Attacks Come from Masterminds/Kids”
The truth is that there are
many types of cyber criminals out there. There’s the “Hacktivist,” who pushes a political agenda, the “Harasser” who bullies online users, and the “Extortionist” who threatens sites with ransom notes. And, alarmingly, many attacks come from employees and contract workers with direct access to the site.
Myth #4: “Just Some Downtime”
For websites, a little downtime equals a lot of irritated customers. It’s been proven that
downtime undermines a site’s reputation. And reputations are hard to rebuild on the internet. If an e-commerce site is offline it will inevitably lose valuable revenue in the short and long term.
Myth #5: “A Box Would Fix It”
There’s an ancient myth that an appliance in the organization should mitigate DDoS. You have a backup appliance, a firewall appliance, a DDoS mitigation appliance, and you’re done.
Right?
Wrong.
Attacks today are so big (in terms of bandwidth and PPS) that even if your DDoS mitigation appliance does a fantastic job, your line will still be flooded by the attack, and legitimate traffic will not arrive to the DDoS mitigation appliance.
Your best defense is having DDoS mitigation in place before it even reaches your organization in a distributed cloud service.
Myth #6: “More Bandwidth, Less Downtime”
There are many things that can cause downtime such as server maintenance, server crashes, power outages, and more. When that happens, no amount of bandwidth can help. DDoS attacks, in particular, are getting larger and more sophisticated every day. We’ve noticed an uptick in
high-volume DDoS attacks in the past year. These concentrated assaults are capable of bringing down any unprotected site, regardless of the amount of bandwidth being consumed.
Myth #7: “DDoS Protections are all the Same”
Not really. Our advice is to choose a provider that completely understands the DDoS landscape and has a proven track record. It’s important to review and compare your options when it comes to website security.
No myths zone
There’s a lot of information out there about DDoS attacks. If you’d like to read up about DDoS, here’s our online training site. I hope this has helped dispel some of the common myths about DDoS. Being prepared for the possibility of an attack on your website will go a long way in helping you build a plan that will protect your organization’s web assets.
This blog post was written by Ben Herzberg, Security Research Group Manager, at Imperva Incapsula.