Slaying 3 Myths for a New Decade


Looking back at our achievements in 2019 with leading enterprises and security professionals in the industry, these are the top three myths we’ve heard time and again:

Myth 1: DDoS vulnerabilities are like CVE vulnerabilities

Myth 2: DDoS mitigation is a plug & play solution

Myth 3: The perfect DDoS mitigation configuration exists


To start 2020 in the best possible way, we’ve called in our Head of R&D, Yotam Alon, to slay these myths by explaining the underlying issues, laying the foundation and bringing clarity to the DDoS threat landscape in the new decade ahead.

Myth 1: DDoS vulnerabilities are like CVE vulnerabilities

CVE vulnerabilities generally refer to a specific flaw in a piece of software code that can be manipulated for malicious activity, such as the Apache Struts CVE-2017-5638 vulnerability that compromised Equifax in 2017. Patching a CVE vulnerability like this one requires rewriting that piece of code.

DDoS mitigation solutions work by analyzing traffic with several attack mitigation mechanisms to detect malicious DDoS traffic and prevent it from reaching the network downstream. When these mitigation mechanisms are not perfectly configured, malicious DDoS traffic leaks through the mitigation and hits the downstream network environment, causing latency, service disruption and downtime. DDoS vulnerabilities, or ‘DDoS mitigation vulnerabilities’, are essentially misconfigurations between the DDoS mitigation solution and the underlying network it is protecting. Read more about DDoS vulnerabilities in this blog.

Unlike CVE vulnerabilities, DDoS vulnerabilities cannot be “patched” by rewriting code but rather need to be resolved by fine-tuning the DDoS mitigation configuration to perfectly match the network being protected.

Myth 2: DDoS mitigation is a plug & play solution

The beauty of Plug & Play technology is that once it’s plugged into the network, all it takes is a simple setup to install, and then it runs, and runs, and runs. Think of a proxy, router or load balancer, for example.

If your network environment were static and never changed, with no changes to applications and no new servers, services or IP addresses added after your initial DDoS mitigation setup, then the configuration would probably hold over time and protect your network from DDoS attacks.

All those with perfectly static networks say “Aye!”

CIOs, CTOs, CISOs and security professionals are tasked today, more than ever before, with embracing change while still delivering 6 sigma availability. Organizational pressure for digital transformation means an endless torrent of new services and applications is being pushed into production, introducing continuous change. Constant change is the status quo and downtime is not an option. For DDoS mitigation to work effectively in these conditions, each change needs to be reflected in the DDoS mitigation policy, which must be updated continuously.

DDoS mitigation is anything but ‘Plug & Play’. Read the blog to learn more about this.

Myth 3: A perfect DDoS mitigation configuration exists.

It doesn’t exist.

When asked about their DDoS mitigation configuration, customers and prospects will sometimes share that they work with professional services or DDoS experts who help them fine-tune their DDoS mitigation configuration. The examples they give usually refer to network-level configurations such as blocking out-of-state packets (for example, a URG-ACK-SYN-FIN flood), ICMP traffic or DNS requests, all of which can be set in a ‘blanket’ configuration to prevent these types of traffic from reaching the underlying network environment or specific IP ranges.

There are two main problems with the mindset of a “perfect DDoS mitigation configuration”.

The first presents itself when you start considering DDoS mitigation configurations at the IP level. Individual IP addresses generally receive specific traffic profiles. For example, an IP address serving a static website (like https://en.wikipedia.org/wiki/DDoS_mitigation) expects to receive only GET requests, while an API service will expect to receive both GET and POST requests, and yet other IP ranges, such as those serving users, will expect to receive DNS responses as well. DDoS mitigation configurations are complex to start with, and once IP-level configurations need to be fine-tuned they get even more complicated very quickly.

Secondly, these configurations are a moving target with network environments constantly changing.

There is no single “perfect” configuration for DDoS mitigation solutions.

Getting DDoS mitigation right, consistently, nevertheless.

So to sum this up:

  1. In most cases, DDoS vulnerabilities are basically misconfigurations that need to be fine-tuned.
  2. Whether you have a cloud scrubbing, on-premise, CDN, hybrid solution or any proprietary DDoS mitigation technology, its mitigation configurations are fixed. It was never designed to automatically correct its mitigation configuration as the network it protects changes.
  3. There is no “perfect DDoS mitigation configuration”. It’s a constantly changing set of configurations that need to be fine-tuned, continuously.

The only way to secure service availability and know that the DDoS mitigation solution is configured correctly is to gain continuous visibility of the DDoS vulnerabilities generated by changes in the underlying network, and to fix them wherever the DDoS mitigation configuration needs to be updated.
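As an added illustration (not code from this post or from MazeBolt), the following Python script models the gap the post is describing: a mitigation policy expressed as per-prefix traffic profiles (the static-site, API and user-range examples from Myth 3), an inventory of what the network currently hosts, and a check that reports where the two disagree. The policy schema, service names and IP ranges are constructed for the example. It reports the two kinds of gap the post calls DDoS vulnerabilities: a service that no profile covers, so attack traffic aimed at it is not filtered by the tuned policy, and a profile that forbids traffic a newly deployed service legitimately needs, so the mitigation itself causes the outage once it engages.

```python
"""Added example: detecting drift between a DDoS mitigation policy and the
network it protects.  Policy/inventory formats, names and addresses are
constructed for illustration and are not any product's real schema."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProfileRule:
    """Traffic the mitigation policy lets through to a destination prefix."""
    prefix: str                  # destination range the rule covers
    allowed_methods: frozenset   # HTTP methods expected; empty = no HTTP expected
    allow_dns_responses: bool = False


@dataclass(frozen=True)
class Service:
    """What the network actually hosts right now (e.g. from a CMDB export)."""
    name: str
    ip: str
    methods: frozenset           # HTTP methods legitimate clients use
    needs_dns_responses: bool = False


def find_rule(policy, ip):
    """First profile rule whose prefix contains ip, or None if uncovered."""
    for rule in policy:
        if ip_address(ip) in ip_network(rule.prefix):
            return rule
    return None


def find_gaps(policy, inventory):
    """Return (kind, service_name, description) findings.

    'unprotected': no rule covers the service, so nothing tuned filters
                   attack traffic aimed at it (it leaks downstream).
    'overblocking': a rule covers the service but drops traffic the service
                    legitimately needs, so mitigation itself causes downtime.
    """
    findings = []
    for svc in inventory:
        rule = find_rule(policy, svc.ip)
        if rule is None:
            findings.append(("unprotected", svc.name,
                             f"no mitigation profile covers {svc.ip}"))
            continue
        blocked = svc.methods - rule.allowed_methods
        if blocked:
            findings.append(("overblocking", svc.name,
                             f"profile for {rule.prefix} drops {sorted(blocked)} "
                             f"which {svc.name} requires"))
        if svc.needs_dns_responses and not rule.allow_dns_responses:
            findings.append(("overblocking", svc.name,
                             f"profile for {rule.prefix} drops DNS responses "
                             f"which {svc.name} requires"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'overblocking': 2, 'unprotected': 1}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample policy, tuned when the network was first onboarded.
POLICY = [
    ProfileRule("203.0.113.0/28", frozenset({"GET"})),            # static web block
    ProfileRule("203.0.113.16/28", frozenset({"GET", "POST"})),   # API block
    ProfileRule("198.51.100.0/24", frozenset(), allow_dns_responses=True),  # user range
]

# Constructed sample inventory after a year of change.
INVENTORY = [
    Service("www", "203.0.113.5", frozenset({"GET"})),
    Service("api-v1", "203.0.113.20", frozenset({"GET", "POST"})),
    Service("api-v2", "203.0.113.21", frozenset({"GET", "POST", "PUT", "DELETE"})),
    Service("checkout", "203.0.113.9", frozenset({"GET", "POST"})),   # landed in the "static" range
    Service("new-dc-resolver", "192.0.2.53", frozenset(), needs_dns_responses=True),  # new site, no rule
]

if __name__ == "__main__":
    gaps = find_gaps(POLICY, INVENTORY)
    for kind, name, desc in gaps:
        print(f"[{kind}] {name}: {desc}")
    print(summarize(gaps))
```

Against the constructed data the check reports api-v2 and checkout as overblocked and the new resolver as unprotected; run on a real inventory export on a schedule, the same diff is the "continuous visibility" the post argues for, since every finding is a configuration change the mitigation owner has to make before the next attack rather than after it.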




About Yotam Alon

Yotam is the Dev Lead at MazeBolt and is in charge of all R&D activities, infrastructure and security. With five years in the security industry, Yotam brings fresh perspectives and insights into current technologies and development flows. He holds a BSc. in mathematics and philosophy and enjoys hitting the archery range in his spare time.