DDoS Attack & Protection – 7 Myths Every Entrepreneur Should Be Aware Of
DDoS attacks in their different forms are the most damaging to an organization, both in financial losses and in lost clients, reputation and brand image. There are several myths surrounding DDoS attack protection. Here, we discuss 7 such myths with high potential for jeopardizing organizations.
- Myth #1 My organization is small/ insignificant to be a potential DDoS attack target
- Myth #2 DDoS is easy to fix and therefore, a low-priority web security problem
- Myth #3 Hardware and/or on-campus protection gives more control and therefore, sufficient
- Myth #4 Multi-layer defense is optional
- Myth #5 Blackholing mitigates DDoS attacks
- Myth #6 Automated DDoS mitigation solution is adequate
- Myth #7 DDOS are just volumetric network attacks
Myth #1 My organization is small/ insignificant to be a potential DDoS attack target
To debunk this myth, the first thing to understand is that DDoS attacks are not always large scale, nor do they always target the entire infrastructure and resources of an organization. In fact, many DDoS attacks are less than 1 Gbps and can slip past the security team if it is not aware and proactive. These small attacks are as damaging as any high-volume attack, because they overwhelm the infrastructure, resources and bandwidth of the organization and involve heavy costs, not just monetarily but in terms of loss of clients, reputation and goodwill.
These attacks could even be launched by a competitor looking to bring disrepute to the organization and redirect traffic to their own websites, or by a crime syndicate or black hat hacker looking to extort money from the organization. So, all organizations, irrespective of their size, nature or scale of operation, are potential DDoS attack targets.
Myth #2 DDoS is easy to fix and therefore, a low-priority web security problem
It is true that DDoS attacks are often used as smokescreens to divert the attention of the security professionals away from other vulnerabilities. But that does not make this attack type a low-priority problem.
Also, the existence of several DDoS mitigation solutions does not necessarily make it easy to fix. Making the right choice of security solution that is comprehensive, managed and provides round-the-clock protection against a wide range of security threats (including DDoS) is essential.
Myth #3 Hardware and/or on-campus protection gives more control and therefore, sufficient
Hardware solutions do provide higher infrastructure-level protection and coverage, but that protection is static: they get outdated quickly and need to be updated regularly, which makes them costly for many organizations. It must also be understood that DDoS attacks are complex, multi-layer attacks that combine several vectors. So, the DDoS mitigation solution must provide multi-layer protection and must be equipped with Machine Learning and Global Threat Intelligence to be effective.
Having on-campus DDoS protection does give the organization more control, but that does not mean better security per se. Human security professionals, however skilled, may not be completely up-to-date with threats and may get overwhelmed when a new kind of attack takes place.
The choice of a security solution must be made on the basis of the risk profile of the organization, its existing infrastructure and size, variety and complexity of possible attacks and threats faced by the organization.
Myth #4 Multi-layer defense is optional
As mentioned earlier, DDoS attacks target multiple layers and combine several different vectors. So, multi-layer defense is necessary. The best DDoS protection is one that gives you infrastructure-level protection against volumetric attacks and always-on, instant protection against attacks on specific applications by botnets. These solutions layer best-of-breed technologies with different strengths and weaknesses, so that vulnerabilities and gaps in one layer are covered by another layer.
Myth #5 Blackholing mitigates DDoS attacks
As explored in a previous blog, DDoS blackholing (blackhole routing) is not, by itself, a viable or optimal solution to prevent DDoS attacks. Because it does not discriminate between good and bad traffic and reroutes all traffic to the blackhole during an attack, it is counterproductive and helps the attackers achieve their goal of making the web application unavailable to legitimate users.
Myth #6 Automated DDoS mitigation solution is adequate
Automated scanners, firewalls and other mitigation solutions can go only so far in securing applications and servers against DDoS attacks. Managed solutions backed by certified security experts enable organizations to fine-tune their strategies and solutions with custom rules and zero assured false positives, and to build a strong defense that ensures the network is always available.
Myth #7 DDOS are just volumetric network attacks
The most common myth is that a DDoS attack is nothing more than a volumetric blast meant to bring a network down.
For a business owner, having an online presence is crucial, and web applications are central to that presence. Since applications are becoming more complex, are deployed more frequently and have many moving parts, the security risks are also higher at the application level.
The biggest worry of the business owner with respect to DDoS attacks is the application going down and being unable to serve customers, partners, employees or whoever the app is intended for. The intent of a DDoS attack is to cause business disruption. Today, attacks can be orchestrated more easily and with fewer compute resources by targeting vulnerabilities and/or business-logic capacity problems at the application level.
For instance, if you have a file upload feature, it is far easier to cause an application DDoS by generating just a few hundred large file uploads that exploit the feature than by creating a volumetric attack. Or, if an SQL injection flaw lets just a few targeted SQLi payloads trigger big database queries in the backend, the application can be made unresponsive.
Businesses have to accord greater focus and risk mitigation effort to stopping application-level DDoS attacks with a Managed WAF offering that provides custom rule support. Network-level attack prevention is nowadays offered automatically by the hosting provider and/or public cloud as part of infrastructure as a service. Even very simple application-level custom workflow rules and policies in the WAF layer can be a big mitigation for application DDoS attacks.
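As an added illustration (not from the original post and not AppTrana's or Indusface's code), this is the kind of simple application-level rule the file-upload case calls for: cap each upload and give every client a sliding-window budget, deciding from request metadata before the body is read. The limits, the `UploadGuard` name, the status-code choices and the sample traffic are assumptions.

```python
from collections import defaultdict, deque

MB = 1024 * 1024
MAX_UPLOAD_BYTES = 25 * MB        # assumed cap for a single upload
WINDOW_SECONDS = 60               # assumed sliding window
MAX_BYTES_PER_WINDOW = 100 * MB   # assumed per-client byte budget
MAX_UPLOADS_PER_WINDOW = 10       # assumed per-client request budget


class UploadGuard:
    """Accept or reject an upload from request metadata, before reading the body."""

    def __init__(self):
        self._history = defaultdict(deque)  # client -> deque of (timestamp, size)

    def check(self, client, content_length, now):
        # Content-Length is client-declared: the handler must still stop
        # reading once MAX_UPLOAD_BYTES have been received.
        if content_length is None or content_length <= 0:
            return 411, "length required"
        if content_length > MAX_UPLOAD_BYTES:
            return 413, "payload too large"
        events = self._history[client]
        while events and now - events[0][0] >= WINDOW_SECONDS:
            events.popleft()  # forget uploads that left the window
        if len(events) >= MAX_UPLOADS_PER_WINDOW:
            return 429, "upload count budget exceeded"
        if sum(size for _, size in events) + content_length > MAX_BYTES_PER_WINDOW:
            return 429, "upload byte budget exceeded"
        events.append((now, content_length))  # only accepted uploads count
        return 200, "accepted"


def replay(requests):
    """Run (timestamp, client, content_length) tuples through a fresh guard."""
    guard = UploadGuard()
    return [guard.check(client, size, ts)[0] for ts, client, size in requests]


# Constructed sample traffic: one client bursts large files, another misbehaves once.
SAMPLE = [(t, "198.51.100.7", 20 * MB) for t in range(6)] + [
    (5, "203.0.113.9", 30 * MB),
    (6, "203.0.113.9", None),
    (6, "203.0.113.9", 1 * MB),
    (61, "198.51.100.7", 20 * MB),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Per-client budgets do not stop a botnet that spreads uploads across many addresses, so a rule like this is normally paired with a global cap on concurrent uploads.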
Remember that the cost of putting in place a managed, customized, intelligent and multi-layer defense against DDoS attacks, as part of a comprehensive security solution, is lower than the cost of not having such protection in place. The best DDoS attack protection solutions, such as AppTrana, are managed solutions backed by certified security experts who create customized and precise protection, a Global Threat Intelligence Platform and an intelligent WAF. These enable organizations to focus on their core business while AppTrana ensures that the application is always available to legitimate users.
About The Author:
This post has been contributed by Venkatesh Sundar, Founder, CMO at Indusface – Total Application Security.
AppTrana by Indusface takes a 360-degree view of application security and provides round-the-clock, end-to-end website security with zero assured false positives through everyday scanning of the website, blocking malicious/bad requests by patching the application-layer vulnerabilities until fixed, continuously monitoring for DDoS attacks, analyzing attack patterns and so on.