Only a well-designed network with intelligent DDoS mitigation systems can prevent DDoS attacks from succeeding. However, for many organizations, common myths can lead to poor choices and overconfidence when it comes to properly architecting a solution.
Distributed Denial of Service (DDoS) attacks have been around for over 20 years, and due to that, most organizations have some form of protection in place from DDoS attacks. However, legacy protection measures may be inadequate to secure organizations from modern-day DDoS attacks, thereby putting businesses at risk.
The latest DDoS Threat Intelligence Report from NETSCOUT captures several trends such as adaptive DDoS, direct-path TCP-based DDoS, the proliferation of botnets, sociopolitical fallout, and collateral damage. All these trends share a common aspect: they are designed to evade common DDoS defense measures and cause severe harm. When a public-facing website or app is unavailable, that can lead to angry customers, lost revenue, and brand damage. When business-critical applications become unavailable, operations and productivity grind to a halt. When internal websites that partners rely on are attacked, the supply chain and production are disrupted.
Myth #1: DDoS cannot be stopped, or it doesn’t target all organizations
Many organizations are convinced that DDoS is either impossible to stop or simply isn’t going to target them. This is like the notion that natural disasters either don’t exist in your location or can’t be mitigated, which simply isn’t true.
In places where disasters are common, communities take a more aggressive approach to building more resilient structures and learn from past events how to improve future defenses. Communities in areas rarely affected learn from those events too and take design cues for their own improvements. In the same way, the best practices for DDoS defenses are well understood and can be implemented by any organization with the foresight to do so.
Myth #2: Firewalls can effectively mitigate DDoS attacks
Firewalls are an essential part of any security stack. They play a critical role as a traffic cop on the network, stopping unwanted traffic based on predetermined information such as source and destination, port, and protocol. But although firewalls can stop much unknown and unwanted traffic, they cannot easily detect malicious traffic traversing trusted protocols and ports such as HTTP/S, DNS, or IMAP. Furthermore, web application firewalls are commonly deployed to stop application-layer DDoS, but they don’t even inspect traffic that isn’t web-based and, therefore, can’t see the majority of DDoS attack traffic.
Among the common DDoS attack types is state exhaustion. This attack vector targets the state limitations of security devices, e.g., the number of connections per second or concurrent connections a device can track. Stateful firewalls are vulnerable to state-exhaustion attacks and hence are not ideal for DDoS protection.
While firewalls can mitigate some types of DDoS, they are also often vulnerable targets that contribute to the network outage or failure. As such, they need to be protected by a stateless, purpose-built DDoS solution.
Myth #3: CDNs effectively mitigate DDoS attacks
Content delivery networks (CDNs) are designed to massively distribute (mostly web) content, placing it as close to the end user as possible to improve performance, reliability, and latency, among other benefits. In fact, part of the design is intended to weather surges in demand, whether benign (such as vendor patch or OS upgrade distributions) or malicious (such as DDoS attack traffic). CDNs can be quite effective at mitigating DDoS when resources within their infrastructure are the target. Unfortunately, they provide only part of the solution. Although many DDoS attacks target web resources and applications, the majority do not, so organizations relying on CDN-based DDoS protection remain vulnerable to most DDoS vectors.
Applications and services not delivered via the CDN remain vulnerable and need to be protected by a stateless, purpose-built DDoS solution.
Current Best Practice for DDoS Mitigation
The broadly accepted best practice for DDoS mitigation is a layered, defense-in-depth approach. This involves combining cloud-based or upstream protections from volumetric DDoS traffic floods with inline, on-premises, and/or in-cloud intelligent DDoS mitigation systems that are stateless and purpose-built to defend against all DDoS vectors targeting any protocol or application. Another layer of protection can be provided by a real-time feed of highly curated DDoS threat intelligence. This final layer ensures the solution is always ready for the latest evolving threat vectors and enables an automated response to instantly react to DDoS threats.
- Vinay Sharma, Regional Director, India and SAARC, NETSCOUT