From Misconception to the Truth: Understanding DDoS Better
In recent years, DDoS attacks have become a weapon of choice for threat actors who want to disrupt the websites and networks of leading organizations. A DDoS attack is an attempt to deny availability, and it often succeeds because traditional mitigation is not kept current with evolving attack vectors. Many organizations lack visibility into their dynamic attack surface, and they operate under common misconceptions that leave them exposed to attacks that cause losses and damage.
The purpose of this article is not to scare you but to debunk some important myths. Before we begin, let’s put it on the table: DDoS is widely regarded as one of the major cyber threats today. Governments, banks and financial institutions, gaming companies, and insurers are all targeted, for many reasons. Some perpetrators simply want to disrupt, others use a DDoS attack as a diversion for another intrusion, and some are politically motivated. Whatever the motive, DDoS attacks have become more sophisticated and more damaging. In this article, we present three major misconceptions about DDoS attacks and deconstruct them.
Misconception #1 – A firewall sounds serious, so it must be enough
Firewalls are an essential part of the mitigation layers. They block unwanted traffic according to a policy built on attributes such as source, destination, protocol, and port. But a firewall cannot tell attack traffic from legitimate traffic once that traffic arrives on a port the policy has to allow, such as HTTP/S or IMAP. Not easily, anyway. In addition, web application firewalls (WAFs) inspect only web traffic. Since many DDoS attacks are volumetric or protocol-layer floods (UDP reflection, SYN floods) rather than HTTP requests, a WAF never sees the majority of DDoS attack traffic.
It is true that firewalls can mitigate some types of DDoS, but firewalls and WAFs are also stateful devices, and that makes them targets in their own right: their connection tables, CPU, and memory can be exhausted, and when they fail they take the service down with them. WAFs are used in many organizations as part of a DDoS protection layer because of their bot detection capabilities, but WAFs are not designed to absorb DDoS attacks. Under a SYN flood, for example, both the firewall and the WAF can fill up with half-open connections and start dropping legitimate sessions, making the online service unavailable and causing severe loss of traffic and business.
An organization that relies solely on firewalls is making a huge mistake, and we are fairly sure few organizations actually do that nowadays. Firewalls are just one piece of a mitigation architecture that should include several layers. If your organization is midsized or larger and is using firewalls alone as its mitigation, please realize that you are not protected.
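To make the SYN flood point concrete, here is a small simulation, added as an example here and not part of the original article or any vendor's product. It models a stateful device (firewall or WAF) with a bounded half-open connection table: spoofed flood SYNs never complete the handshake and hold a slot until a timeout, while legitimate clients complete the handshake immediately. The capacity, timeout and rates are constructed numbers, and the worst-case ordering (flood SYNs before legitimate ones within a tick) is our assumption.

```python
"""Toy simulation (added example, not from the original article) of why a
stateful firewall or WAF becomes the bottleneck under a SYN flood.

Assumptions, all ours: time advances in discrete ticks; the device keeps one
entry per half-open TCP connection; spoofed flood SYNs never complete the
handshake, so their entries live until HALF_OPEN_TIMEOUT expires them;
legitimate clients complete the handshake within the same tick, so they do
not occupy the half-open table. Within a tick, flood SYNs arrive before the
legitimate ones (worst case for the defender).
"""
from __future__ import annotations

from collections import deque


class StatefulDevice:
    """Connection-tracking device with a bounded half-open table."""

    def __init__(self, capacity: int, half_open_timeout: int) -> None:
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout
        # FIFO of expiry ticks; entries are appended in time order,
        # so everything that has expired sits at the left end.
        self._half_open: deque[int] = deque()

    def _expire(self, now: int) -> None:
        while self._half_open and self._half_open[0] <= now:
            self._half_open.popleft()

    def table_size(self) -> int:
        return len(self._half_open)

    def admit_syn(self, now: int, completes_handshake: bool) -> bool:
        """Return True if the SYN gets a slot, False if the table is full."""
        self._expire(now)
        if len(self._half_open) >= self.capacity:
            return False  # state exhausted: SYN dropped, client sees a timeout
        if not completes_handshake:
            # Spoofed source: the SYN-ACK goes nowhere, slot held until timeout.
            self._half_open.append(now + self.half_open_timeout)
        return True


def simulate(capacity: int, half_open_timeout: int, flood_per_tick: int,
             legit_per_tick: int, ticks: int) -> dict[str, int]:
    """Run the flood and count what happens to legitimate connections."""
    dev = StatefulDevice(capacity, half_open_timeout)
    stats = {"legit_accepted": 0, "legit_dropped": 0,
             "flood_accepted": 0, "flood_dropped": 0, "table_at_end": 0}
    for now in range(ticks):
        for _ in range(flood_per_tick):
            key = "flood_accepted" if dev.admit_syn(now, False) else "flood_dropped"
            stats[key] += 1
        for _ in range(legit_per_tick):
            key = "legit_accepted" if dev.admit_syn(now, True) else "legit_dropped"
            stats[key] += 1
    stats["table_at_end"] = dev.table_size()
    return stats


if __name__ == "__main__":
    # Constructed parameters: a 1,000-entry table and a 10-tick half-open timeout.
    baseline = simulate(1000, 10, flood_per_tick=0, legit_per_tick=5, ticks=50)
    flooded = simulate(1000, 10, flood_per_tick=200, legit_per_tick=5, ticks=50)
    print("no flood :", baseline)
    print("SYN flood:", flooded)
```

With no flood, every legitimate connection gets through. With 200 spoofed SYNs per tick against a 1,000-entry table, the table is full after five ticks and stays pinned at capacity for the rest of the run, so nearly every legitimate SYN after that is dropped: the device itself is what makes the service unavailable, which is exactly why a stateful firewall or WAF is not a DDoS mitigation layer on its own.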
Misconception #2 – CDN should do the trick
Content Delivery Networks (CDNs) distribute content, placing it as close to the end user as possible to improve performance. CDNs are built to absorb big surges, because a surge of traffic is sometimes expected and normal: a load test, or a well-deserved spike in popularity. A huge surge in traffic could also be a DDoS attack, and on the surface a CDN should be able to handle that too.
But a CDN provides only part of the solution. DDoS attacks are not limited to web applications; they can also target network resources and the infrastructure itself. An organization cannot rely on CDNs alone, or even on CDNs plus WAFs. CDN-based DDoS protection depends on DNS diversion (sometimes called DNS routing): your hostname resolves to the CDN’s edge, and the CDN forwards clean traffic to your origin. If threat actors discover your origin’s true IP address (for example through historical DNS records or a hostname that was never moved behind the CDN), they can send traffic straight to it and “bypass” the CDN entirely. In that case, the CDN is useless.
CDNs and WAFs are a common combination that is sometimes described as an “enhancement in protection”, but in fact even this combination leaves an organization with a wide dynamic attack surface, exposed to DDoS attacks, and with
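The usual countermeasure to the bypass described above is origin lockdown: the origin accepts only traffic that genuinely came through the CDN. The following check is an added example and not code from the original article or from any CDN provider. It assumes that the CDN reaches the origin only from a published set of edge IP ranges and that it injects a per-tenant shared-secret header on every forwarded request; the CIDRs are RFC 5737 / RFC 3849 documentation ranges standing in for a real provider's list, and the header name and secret are invented.

```python
"""Origin lockdown check (added example, not from the original article).

Assumptions, all ours: the CDN reaches the origin only from a published set of
edge IP ranges, and it injects a per-tenant shared-secret header on every
forwarded request. The CIDRs below are documentation ranges standing in for a
real provider's list; the header name and the secret are invented.
"""
from __future__ import annotations

import hmac
import ipaddress

# Stand-in for the CDN provider's published edge ranges (constructed).
CDN_EDGE_RANGES = [ipaddress.ip_network(c) for c in
                   ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:100::/48")]

# Header the (hypothetical) CDN adds to every request it forwards to us.
SECRET_HEADER = "x-origin-token"
SHARED_SECRET = "c0n5tructed-example-secret"


def is_cdn_edge(src_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN's edge ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CDN_EDGE_RANGES)


def classify(src_ip: str, headers: dict[str, str]) -> tuple[str, str | None]:
    """Decide what the origin does with a connection.

    Returns (verdict, client_ip). client_ip is taken from X-Forwarded-For only
    for allowed requests, because that header is attacker controlled unless the
    request really came through the CDN.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive
    if not is_cdn_edge(src_ip):
        # Direct-to-origin traffic: someone found our real address and is
        # bypassing the CDN. Dropping this at the host firewall or edge ACL
        # is the whole point of origin lockdown.
        return "drop:not-from-cdn", None
    token = hdrs.get(SECRET_HEADER, "")
    if not hmac.compare_digest(token, SHARED_SECRET):
        # Right network range, wrong secret: another tenant of the same CDN
        # (or someone who learned the ranges) pointing their zone at our origin.
        return "drop:bad-token", None
    xff = hdrs.get("x-forwarded-for", "")
    client_ip = xff.split(",")[0].strip() or None
    return "allow", client_ip


if __name__ == "__main__":
    # Constructed traffic: one request via the CDN, one straight to the origin,
    # one from the CDN's ranges but without our tenant secret.
    samples = [
        ("192.0.2.10", {"X-Origin-Token": SHARED_SECRET, "X-Forwarded-For": "203.0.113.7"}),
        ("203.0.113.7", {"X-Origin-Token": SHARED_SECRET}),
        ("198.51.100.5", {"X-Origin-Token": "wrong"}),
    ]
    for src, hdrs in samples:
        print(src, "->", classify(src, hdrs))
```

The IP-range half of this check belongs in the host firewall or the cloud security group in front of the origin, so that bypass traffic is dropped before it consumes application resources; the secret-header half belongs in the web server, and the secret should be rotated like any other credential. Neither half protects you from a flood aimed at the bandwidth of the link the origin sits on, which is why the article keeps stressing that a CDN is only one layer.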
Misconception #3 – What are the odds?
The most common misconception of them all is the most human one: “we’d rather not know”. On one hand, many organizations are convinced that DDoS is impossible to stop, and that once they get hit it’s game over, or at least a lot of downtime and a hefty remediation budget. On the other hand, many organizations are convinced they will never be attacked with DDoS, for various reasons. Both assumptions are incorrect, to put it lightly.
Recent years have shown that DDoS has become one of the most widely used cyber-attacks, hitting organizations in many fields. Perpetrators may attack for political reasons, for criminal gain, or simply to disrupt business and activity. If recent years have proven one thing, it is that DDoS can hit anyone, anytime. In the face of this reality, many organizations live in denial, pretending either that they won’t get attacked or that nothing they do can protect them.
The truth, of course, is that every organization can and should have DDoS resilience. There are many mitigation solutions and vendors, and once a solution is in place, an organization can run DDoS tests continuously to validate its mitigation and gain visibility into critical vulnerabilities and its dynamic attack surface. In fact, with the right solutions, gaps in the mitigation layers can be closed rather quickly.