Sam Curry, CSO & CTO, Arbor Networks
Defending organizations’ networks against DDoS attacks has long been a daunting challenge—but now cybercriminals are making it even more so; headlines today are rife with news of another DDoS attack, data breach or other security incidents. Yet even in today’s dynamic threat landscape, many organizations still believe that the DDoS protection they adopted a few years ago still works today. In these instances, organizations are gambling with their network. It’s time to debunk some outmoded misconceptions about DDoS.
5 Common Misconceptions about DDoS Protection
Misconception #1: Firewalls, IPS or Content Delivery Networks Are the Answer
The evolution of IT infrastructures and the dependency on third-party clouds have created a complex environment that no longer has a perimeter. Traditional “perimeter” security solutions such as firewalls and IDS/IPS are still vital parts of an integrated security posture. However, because these devices conduct stateful inspection of network connections, they are susceptible to some DDoS attacks, which can make matters worse.
Many organizations also erroneously believe that Content Delivery Networks (CDN) provide a solution to stopping DDoS attacks. The truth is that a CDN merely addresses the symptoms of a DDoS attack. By absorbing these large volumes of data, a CDN actually lets all the information into and through the network— providing an “all are welcome” approach. In addition, most CDN based DDoS protection solutions only focus on absorbing HTTP/ HTTPS DDoS attacks, ignoring all others such as NTP/DNS amplification attacks, which are very common.
Misconception #2: A Single Layer of DDoS Protection is Enough
Because modern day DDoS attacks use a dynamic combination of volumetric, TCP state exhaustion and application-layer attack vectors, industry best practices recommend that organizations take a layered approach to protection.
That is, the best place to stop large flooding attacks is upstream in a service provider’s cloud before they overwhelm local Internet connectivity or on-premises DDoS protection systems. And the best place to stop stealthy application-layer attacks is on the customer premises, closer to where key applications or services reside. Just as importantly, you must have an intelligent form of communication between these two layers backed by up-to-date threat intelligence to stop dynamic, multi-vector DDoS attacks.
Unfortunately many organizations choose only a single layer of protection resulting in an incomplete DDoS protection solution.
Misconception #3: The Odds are We Will Not Become a Target, So it’s Worth the Risk
Then dramatic rise in the number of DDoS attacks is due to two main factors: Ease of launching an attack and multiple motivations behind attacks. It’s never been easier in history to launch a DDoS attack. Anyone can simply download a Do-It-Yourself DDoS attack tool for free or pay a small fee to third-party to conduct a DDoS attack as a service. And while the price for launching an attack is in the tens of dollars, the losses for organizations can be in the tens of millions. The motivations behind DDoS attacks are plenty. No longer are DDoS attacks motivated by financial gain or conducted by state sponsored organizations.
Today, all it takes is for someone to simply disagree with your opinion, political affiliation or stance on a topic to launch a DDoS attack using the plethora of tools or services available to them. To make matters worse, if your services are housed in a shared cloud environment, you don’t even have to be the target of the DDoS attack to be impacted by the collateral damage. So you have to ask yourself, “Do I feel lucky?”
Misconception #4: The Impact of a DDoS Attack Does Not Justify the Cost for Protection
The impact of a DDoS attack can be immediate and severe. The fact is that many organizations do not conduct the proper risk and counter-measure analysis to help justify the purchase of a comprehensive DDoS protection solution. Sure, calculating the cost of downtime for a revenue generating service may be a no brainer; but have you considered all the other costs that are associated with a DDoS attack?
There are many other indirect costs that are routinely overlooked such as SLA credits, legal/regulatory fees, PR costs for brand repair, and customer churn. There are even documented cases where executive or board members have been fired due to their organizations not being adequately prepared to stop DDoS attacks and other threats.
Misconception #5: DDoS Attacks are Not Advanced Threats
Yes, technically speaking DDoS attacks by themselves may not be advanced. However, recent research into botnets and DDoS attacks has determined that they are actually very closely related to advanced threats campaigns that use malware, and RATs.
For example, there have been documented cases where DDoS attacks were used during:
• The early reconnaissance stage to test an organization’s abilit to respond to certain threats.
• The weaponization or malware delivery stage, where they were used to fill security forensic product log and data files; making the search for the planted malware much more challenging.
• The data extraction stage where the attacks were used as a diversionary tactic.
So this begs the question… “Was that last DDoS attack an isolated event or was it part of a more advanced threat campaign against my organization?” To hedge your bets it’s highly recommended that you use global threat intelligence to proactively “hunt” for signs of compromise or breach before they impact your organization.
It’s Time for an Intelligent, Multi-Layered Approach to DDoS Protection
Using traditional security solutions such as firewalls or IPS—or betting against the cybercriminals and hacktivists by doing nothing—is a huge risk. Can you afford your critical applications to be unavailable? Can you recover from the costs associated with a breach which exposes millions of customer’s confidential data? The reality is you need to protect your organization at all times by taking an integrated, multi-layered approach to DDoS defense.