Myths and Realities About DDoS Attacks

Many IT professionals think they’re safe from DDoS attacks either with protections in their current firewall, switches and other network devices, or mistakenly think their ISP is able to provide 100% mitigation. The following are a few common misconceptions and truths about DDoS attacks.

My ISP takes care of DDoS attacks for me. Many ISPs and hosting companies are happy to null-route an attacked IP domain to solve the problem of DDoS attacks. This works for many bulk layer 3 and 4 events, however smaller layer 7 attacks easily bypass their protections and they pass along these application-level threats to your network. Most successful attacks are under 1 Gbps, with 80% of all DDoS attacks under 50 Gbps. An ISP can assist in arresting a high-volume packet flood to your network, however data centers need additional layer 7 protections. Some also mistakenly believe their ISP will help them get to the root of the attack. Most ISPs are too busy and they have strict and bureaucratic processes for reaching one  another. Typical response times from ISPs are in days and weeks to help determine the sources of DDoS attacks.

It only happens to the other guy. Most network and security operations engineers usually only hear about DDoS attacks happening to other organizations. They think that they don’t have enemies or have any other reason to be the target of an attack. In reality, their perceptions of risk factors and susceptibility are often misplaced in that simply having a web presence makes them a target, even if by mistake.

Server DDoS protections have me covered. Many engineers think that they can custom-compile kernel code, set some options in Apache, install “mod_dosevasive” and use “iptables” and their DDoS attacks problems are solved. In reality, most servers do not have the capacity to handle DDoS attacks. Under most average-sized DDoS attacks, the server CPUs will be too overloaded to give the Apache modules or Linux commands a chance to mitigate the event.

It’s against the law. Call the police! Yes, DDoS attacks are illegal but most law enforcement agencies will only pursue large attacks (10 Gbps and up) on large companies or institutions like banks, government agencies and major international corporations. Most likely they’ll politely tell you that you’re going to need to work with your ISP or a private investigator. My routers and switches protect me from DDoS attacks. Even though your networking hardware may have access control lists (ACLs) that can block DDoS threats, the attackers can adapt quickly. The average hacker can easily get around your ACLs within minutes with a little determination.

A dedicated DDoS appliance will just get flooded too. Many wonder if there is any point in buying specialized DdoS appliances. Without DDoS mitigation equipment, your servers will be thoroughly exposed even to ordinary attacks.  Newer devices on the market provide capacities of over 20 Gbps of throughput that can be overprovisioned to protect you from larger attacks. Combined with ISP DDoS protections you get a solution for bulk and sophisticated layer 7 attacks.

DDoS attacks are on the rise for almost any organization,large or small. The potential threats and volumes are increasing as more devices including mobile handsets join the Internet. If you have a web property, the likelihood of getting attacked has never been higher.

A hardware-based DDoS appliance can be a predictable cost-effective solution that provides full layer 3, 4 and 7 DDoS protection for your data center. Some models, such as FortiDDoS, offer advanced features like line rating for congestion prevention, and 100% behavior-based detection that eliminates the need for signature updates.

Call or email us to evaluate a FortiDDoS Attack Mitigation Appliance