By Nikhil Taneja
The nature of denial of service (DDoS) attacks is shifting, and while some organizations might believe that DDoS is a thing of the past, this is not the case. Here are the top five DDoS myths for this year.
Myth 1: DDoS is No Longer a Problem
According to the 2019-2020 Global Application & Network Security Report, about one-third of respondents experienced a DDoS attack. Attackers are moving away from simple volumetric floods, and focusing on more sophisticated, harder to mitigate application-layer (L7) DDoS attacks.
According to Radware’s research, 90% of attacks were under 10 Gbps, and the average packet-per-second (PPS) declined, but nearly all respondents (91%) who reported a DDoS attack, indicated that the preferred attack vector was the application layer.
Furthermore, volumetric pipe saturation attacks declined by about 9%, but there was an increase in attacks targeting specific network components such as application servers, firewalls and SQL servers.
This means that while the nature of DDoS attacks is changing, DDoS attacks are still very much a concern for organizations, and a high priority to protect against.
Myth 2: DDoS Ransom Notes Are a Thing of the Past
Likewise, the past few months have seen a resurgence in DDoS ransom attacks. According to the 2019-2020 Global Application Security Report, ransom attacks increased 16% year-over-year, and 70% of North American companies ranked ransom as the primary motivation for cyberattacks.
The past few months have seen two significant DDoS ransom campaigns: first against banks in South Africa in October 2019, and more recently a targeted campaign against Australian banks and financial institutions. In both cases, ransom notes preceded large-scale, sophisticated and sustained campaigns to knock-down financial services.
This means while we may not hear as much about DDoS ransom attacks as in the past, attackers have not given-up on this attack vector, and organizations must stay vigilant and watchful for this type of attack.
Myth 3: Your ISP Can Protect You
Battling sharply decreasing connectivity costs, more and more internet service providers (ISPs), carriers and mobile operators are offering DDoS protection services as a way to provide value-added services and increase customer retention.
For many customers, getting low-cost security services bundled with their internet service can be a compelling proposition; after all, who can beat the price of free?
The problem, however, is that for the most part, security is a side business for your ISP. This means that they lack the technology and security expertise to provide truly effective protection. Moreover, since it is frequently a loss-leader product to support their other services, ISPs are frequently incentivized to invest as little as possible in defenses.
As a result, they frequently provide only the simplest, most basic protections which cost them the least. Consequently, such customers do not receive protection against the latest, most sophisticated types of attack such as burst attacks, dynamic IP attacks, application-layer DDoS attacks, SSL DDoS floods, and more.
Customers relying on their ISP for protection might enjoy the short-term savings in the cost of service, but may very well discover that this type of low-cost protection will end up being far more expensive down the road.
Myth 4: Your Public Cloud Provider Can Protect You
As organizations increasingly adopt public cloud infrastructure, many customers are opting for the built-in, free DDoS protections offered by their public cloud hosting providers. Many security managers are happy to see DDoS as a network problem, and have it handled by their cloud provider. For example, according to Radware’s 2019-2020 Global Application & Network Security Report, 31% of organizations rely primarily on the native security tools of the public cloud vendors, and a similar number combine native tools with third-party solutions.
The problem, however, is that security tools offered by public cloud vendors are frequently rudimentary, ‘good-enough’ tools that will provide basic protection, but not much more.
This is particularly true for DDoS protection, where like ISPs, public cloud vendors frequently opt for the most basic, cost-effective (for them) protections. To illustrate, one large public cloud provider has no qualms about declaring that their free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’.
Moreover, such tools will usually protect only those assets which are hosted on that provider’s public cloud environment, but not assets hosted elsewhere, on other cloud environments or in physical data centers. As a result, organizations running multi-cloud environments and relying on their cloud providers for DDoS protection will end up with siloed security mechanisms, inconsistent security policies, and segregated reporting.
Myth 5: All DDoS Protections are the Same
As more and more services migrate online, security is increasingly focused on application security and data protection, and less on network-layer security. This has led some organizations to believe that DDoS protection is a network-layer issue, a thing of the past, and consequently, that DDoS protections are all the same.
As we explained above, the nature of DDoS attacks is shifting, and protections that used to be adequate not long ago are no longer effective. DDoS attackers are concentrating more and more on the application-layer, leveraging sophisticated bots to launch attacks, and use sophisticated attack vectors such as burst attacks, SSL floods, and carpet-bombing attacks.
DDoS protection services vary wildly by technology, network, and service. This is why it’s important to choose a DDoS protection service that offers behavioral protections which go beyond simple signature and rate limits, have the capacity to deal even with the largest attacks, and back their marketing claims with quantifiable and measurable SLA metrics.
(The author is Managing Director-India, SAARC & Middle East, Radware and the views expressed in this article are his own)