The nature of DDoS attacks is shifting, and while some organizations might believe that DDoS is a thing of the past, this is not the case. Here are the top 5 DDoS myths for 2020.
Myth 1: DDoS is No Longer a Problem
According to Radware’s 2019-2020 Global Application & Network Security Report, about one-third of respondents experienced a distributed denial of service (DDoS) attack. Attackers are moving away from simple volumetric floods and focusing on more sophisticated, harder-to-mitigate application-layer (L7) DDoS attacks. According to Radware’s research, 90% of attacks were under 10 Gbps, and the average packets-per-second (PPS) rate declined, but nearly all respondents (91%) who reported a DDoS attack indicated that the preferred attack vector was the application layer.
Furthermore, volumetric pipe saturation attacks declined by about 9%, but there was an increase in attacks targeting specific network components such as application servers, firewalls and SQL servers.
This means that while the nature of DDoS attacks is changing, DDoS attacks are still very much a concern for organizations, and a high priority to protect against.
Myth 2: DDoS Ransom Notes Are a Thing of the Past
Likewise, the past few months have seen a resurgence in DDoS ransom attacks. According to Radware’s 2019-2020 Global Application Security Report, ransom attacks increased 16% year-over-year, and 70% of North American companies ranked ransom as the primary motivation for cyberattacks.
The past few months have seen two significant DDoS ransom campaigns: first against banks in South Africa in October 2019, and more recently a targeted campaign against Australian banks and financial institutions. In both cases, ransom notes preceded large-scale, sophisticated and sustained campaigns to knock down financial services.
This means that while we may not hear as much about DDoS ransom attacks as in the past, attackers have not given up on this attack vector, and organizations must stay vigilant and watchful for this type of attack.
Myth 3: Your ISP Can Protect You
Battling sharply decreasing connectivity costs, more and more internet service providers (ISPs), carriers and mobile operators are offering DDoS protection services as a way to provide value-added services and increase customer retention.
For many customers, getting low-cost security services bundled with their internet service can be a compelling proposition; after all, who can beat the price of free?
The problem, however, is that for the most part, security is a side business for your ISP. This means that they lack the technology and security expertise to provide truly effective protection. Moreover, since it is frequently a loss-leader product to support their other services, ISPs are frequently incentivized to invest as little as possible in defenses.
As a result, they frequently provide only the simplest, most basic protections which cost them the least.
Consequently, such customers do not receive protection against the latest, most sophisticated types of attack such as burst attacks, dynamic IP attacks, application-layer DDoS attacks, SSL DDoS floods, and more.
Customers relying on their ISP for protection might enjoy the short-term savings in the cost of service, but may very well discover that this type of low-cost protection will end up being far more expensive down the road.
Myth 4: Your Public Cloud Provider Can Protect You
As organizations increasingly adopt public cloud infrastructure, many customers are opting for the built-in, free DDoS protections offered by their public cloud hosting providers. Many security managers are happy to see DDoS as a network problem, and have it handled by their cloud provider. For example, according to Radware’s 2019-2020 Global Application & Network Security Report, 31% of organizations rely primarily on the native security tools of the public cloud vendors, and a similar number combine native tools with third-party solutions.
The problem, however, is that security tools offered by public cloud vendors are frequently rudimentary, ‘good-enough’ tools that will provide basic protection, but not much more.
This is particularly true for DDoS protection, where, like ISPs, public cloud vendors frequently opt for the most basic, cost-effective (for them) protections. To illustrate, one large public cloud provider has no qualms about declaring that their free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’.
Moreover, such tools will usually protect only those assets which are hosted on that provider’s public cloud environment, but not assets hosted elsewhere, on other cloud environments or in physical data centers. As a result, organizations running multi-cloud environments and relying on their cloud providers for DDoS protection will end up with siloed security mechanisms, inconsistent security policies, and segregated reporting.
Myth 5: All DDoS Protections Are the Same
As more and more services migrate online, security is increasingly focused on application security and data protection, and less on network-layer security. This has led some organizations to believe that DDoS protection is a network-layer issue, a thing of the past, and consequently, that DDoS protections are all the same.
As we explained above, the nature of DDoS attacks is shifting, and protections that used to be adequate not long ago are no longer effective. DDoS attackers are concentrating more and more on the application layer, leveraging sophisticated bots to launch attacks, and using sophisticated attack vectors such as burst attacks, SSL floods, and carpet-bombing attacks.
DDoS protection services vary wildly by technology, network, and service. This is why it’s important to choose a DDoS protection service that offers behavioral protections which go beyond simple signatures and rate limits, has the capacity to deal even with the largest attacks, and backs its marketing claims with quantifiable and measurable SLA metrics.
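To make the difference between a rate limit and a behavioral protection concrete, here is an added example (not from the report or from any vendor's product) that runs both over the same constructed traffic. The client names, the /search path, the 10-requests-per-minute limit and the 4-deviation threshold are all assumptions chosen for the illustration.

```python
from collections import Counter
from statistics import mean, pstdev

PER_IP_LIMIT = 10  # assumed static rule: max requests per client per minute
K = 4.0            # assumed sensitivity: standard deviations above baseline
LEARN = 8          # assumed learning window, in minutes

def build_traffic():
    """Constructed sample: one list of (client, path) requests per minute."""
    minutes = []
    for m in range(12):
        clients = 40 + (m % 3)  # normal load varies slightly minute to minute
        minutes.append([(f"user-{c}", "/search")
                        for c in range(clients) for _ in range(2)])
    for m in (10, 11):  # distributed flood: 400 clients, 3 requests each
        minutes[m] += [(f"bot-{c}", "/search")
                       for c in range(400) for _ in range(3)]
    return minutes

def static_limit_hits(minutes):
    """Clients that exceed the fixed per-client rate limit in any minute."""
    hits = set()
    for reqs in minutes:
        per_client = Counter(client for client, _ in reqs)
        hits |= {c for c, n in per_client.items() if n > PER_IP_LIMIT}
    return hits

def baseline_anomalies(minutes):
    """(minute, path) pairs whose volume exceeds the learned per-path baseline."""
    counts = [Counter(path for _, path in reqs) for reqs in minutes]
    paths = set().union(*counts[:LEARN])
    flagged = []
    for path in sorted(paths):
        history = [c[path] for c in counts[:LEARN]]
        # Floor the deviation so a perfectly flat baseline does not flag noise.
        threshold = mean(history) + K * max(pstdev(history), 1.0)
        flagged += [(m, path) for m in range(LEARN, len(counts))
                    if counts[m][path] > threshold]
    return sorted(flagged)

if __name__ == "__main__":
    traffic = build_traffic()
    print("static limit hits:", static_limit_hits(traffic))
    print("baseline anomalies:", baseline_anomalies(traffic))
```

Every flood client stays under the per-client limit, so the static rule reports nothing, while the per-path baseline flags both flood minutes.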