Mythbusting the Beliefs of DDoS Protection

Distributed denial of service (DDoS) is probably not a good name to use anymore. Its term brings to mind old-school network attacks much in the way Pittsburgh still carries a reputation for being a dirty and smoky city. Neither of these could be further from the true. Both have evolved beyond their original descriptions—Pittsburgh for the better, and DDoS...not so much.

DDoS attacks, like most other security threats, have expanded in scope and impact. While the more traditional flood-based attacks are still used to deny access, the attack method has shifted from TCP- and UDP-based flooding to HTTP-based attacks that exploit new vulnerabilities. In the corporate envi¬ronment, these HTTP attacks threaten availability by targeting smaller "pipes" and going after the application-layer as opposed to flooding the upstream network pipe. DDoS attacks have also become part of larger attack-based campaigns to deflect the attention of security and network experts so that something far more sinister can occur.

The use case for DDoS has changed, too. Once considered a nuisance, DDoS attacks now impact businesses at a much higher level. Since the Web's inception, organizations have grown more dependent on the Internet and Web-based services. Today's DDoS attacks are an easy way to interrupt businesses. From holding a website hostage for a ransom, to blocking access to an application to make a political statement, or simply deflecting attention while other threat vectors steal information, DDoS is a growing concern for enterprises.

Yet even in today's dynamic threat landscape, many enterprises still hold the belief that a dedicated DDoS protection solution is not important when their existing security solution may protect them 80 percent of the time. Others believe that what they adopted two years ago—let alone five years ago—still works today. In these instances, enterprises are gambling with their network. It's time to debunk some outmoded myths. There are five common mistakes that enterprises make when addressing DDoS. This white paper will shed some light on these failed practices, and provide insight into why they do not work.

Common Enterprise Mistakes

Mistake 1
Content Delivery Networks (CDNs) Are the Panacea

The truth is that a CDN merely addresses the symptoms of a DDoS attack. By absorbing these large volumes of data, a CDN actually lets all the information into and through the network— providing an "all are welcome" approach.

There are three caveats to consider when relying on CDNs for DDoS protection. First, make sure enough bandwidth is available to absorb the high-volume traffic. Some attacks exceed 300 Gbps. There is a price for utilizing this amount of capacity.

Second, there are ways around the CDN. Not every Web page or asset will utilize the CDN. The average website for an enterprise can easily exceed 150 pages. Each page will have a purpose, but all pages do not have high hit rates. Many organizations will select specific objects and Web pages to utilize the CDN, particularly those with high hit rates. But what if a DDoS attack injected a request for a different page number? And what if that page number is not utilizing the CDN? In these instances, the attack bypasses the CDN and goes directly to the organization.

Third, DDoS attacks are not always volumetric-based. In many instances, they are part of an advanced threat designed to distract the organization so that a more nefarious and less obvious intrusion can occur. DDoS attacks are also used for application-layer attacks that flood the pipe to an application, thereby blocking access. Similarly, volumetric-based attacks flood the entire network to the point of shutdown. With application-layer attacks, however, the volume of attack traffic is significantly lower—in some instances, low enough to go unsuspected. Many such applications that can be used for an attack do not utilize a CDN because the cost does not support the average volume of utilization. In these instances, the CDN offers zero protection. So instead, let the CDN do what it was intended to do, and look to a DDoS protection solution to provide you with the needed security.

Mistake 2
Meet the Attack at the Security Perimeter

The evolution of IT infrastructures and the dependency on third-party clouds have created a complex environment that no longer has a perimeter. However, traditional "perimeter" security solutions such as firewalls and intrusion detection/prevention solutions (IDS/IPS) still have a vital purpose as part of an integrated and multi-layered security posture. These solutions provide stateful inspection and dynamic traffic filtering of network connections, which result in latency.

And that's the problem. By increasing latency, IDS/IPS solutions make networks vulnerable to DDoS attacks. Utilizing these solutions to inspect DDoS attack traffic further increases the latency and creates a bigger bottleneck for network traffic. To make it more complex, DDoS attacks can often consume the connection state tables in these perimeter devices, causing them to be bypassed and offer no protection from the DDoS attack. Attackers understand that state tables can be quickly over¬whelmed. That's why these traditional perimeter security devices are often the first targets of a DDoS attack. By the time an attack reaches one of these devices, it may already be too late.

Mistake 3
We Have Not Become A Target Yet, So It Is Worth the Risk

Denial is one of the psychological steps in facing loss, but it should not be a position you take when considering DDoS protection or your network may truly be lost. Organizations need to consider the consequences associated with a DDoS attack. From there, they should evaluate a variety of DDoS solutions and establish a plan of action on how to mitigate attacks.

Each DDoS attack is unique. It can have many different faces and many different purposes (such as hacktivism or ransom). How each business addresses DDoS in its network environment is also unique. Is a network operations-based solution the way to go? Or is a security operations-based managed solution the answer?

Regardless of who owns the solution, availability is the common concern. DDoS means downtime—which can mean lost revenue, angry customers and a tarnished brand. Enterprises should have a business continuity plan (BCP) in place in case of a DDoS attack or other disaster.

For more information about Arbor, contact the Arbor Product Manager at Networks Unlimited at or on +27 11 202 8400.