Dispelling the myths behind DDoS attacks
Distributed Denial of Service (DDoS) attacks are quickly becoming the preferred method for cyber attackers to wreak havoc on the internet. With a recent spate of attention grabbing headlines focused on the hacker’s favorite tool, this article busts some myths about DDoS attacks.
Myth 1: DDoS attacks are merely a nuisance with no lasting damage
This is a dangerous assumption to make, just ask CodeSpaces; actually, you can’t – a DDoS attack put it out of business. Yes, this is an extreme case, but you only have to look back a few weeks and see headlines involving major companies like Feedly and Evernote, who rely heavily on their web presences, get taken down by DDoS attacks. And not only were their customer experiences disrupted, but the hackers attacking the sites demanded a ransom, in some cases, to cease the attacks.
A further consideration of being taken down by a DDoS attack is one of a loss of SEO ranking, something which is like gold dust to some highly web-dependent businesses. So, we have loss of customer confidence, loss of revenue, extortion; and throw into the pot loss of SEO ranking – not looking like a mere nuisance now, is it?
Myth 2: Volumetric attacks are the biggest threat
Despite the media hype surrounding large Gb/sec DDoS attacks, the largest which has reached up to 400Gb/sec, these are not the most common types of attack that we see; and they are not the biggest threat to websites. These are what we like to call “big & dumb” style attacks. They’re easy to spot and relatively easy to defend against (providing you have the right technology in place). These days, attackers prefer to be less obvious about DDoS attacking a website. They will do reconnaissance and figure out what the weak point is in a website and exploit that weakness.
For example, a gaming website might be able to handle thousands of people playing the game at the same time, but the moment just 25 try to register or log in at the same time, it can crash the site. Hackers will identify this and use it against the company to keep defenders on their toes. In addition, attack methods such a slow loris and headless browser based attacks mean that hackers can sometimes get in unnoticed- especially if the IT team doesn’t know what they are looking for.
Myth 3: My hosting provider will take care of DDoS attacks, so I don’t have to worry
This may be true; or it may not. Assuming that your hosting provider or any other third party service will automatically defend your website against DDoS attacks is not recommended. After all, you most likely wouldn’t rely on a neighbor to let you know that you’ve been burgled; so making this kind of assumption is foolhardy considering that an ISP’s operations and monitors will no doubt be focused on data center metrics like cooling, power status, aggregate bandwidth and customer ticket queues, which are hardly granular enough to see an attack in real time against their customers. Add to this the growing sophistication of DDoS attacks that make it difficult to distinguish an attack from regular traffic patterns and it’s not difficult to see why ISPs are ill-equipped to deal with the problem. The best advice is to first speak to your provider and find out what is covered and if they can recommend or work with a good DDoS mitigation specialist.
Myth 4: I am not at risk; a DDoS attack would never happen to me
The reality is that if you take payments, collect data, have customers or have competition in the marketplace, then you are at risk to face a DDoS attack. In fact, recent BT research showed that more than half of UK organisations polled said their systems had been taken down for more than six hours in the past year. The level of risk will obviously vary from business to business and it will increase with brand reputation, perceived wealth and value of transactions or customer data. The best advice is for companies to think about whether or not they can afford that risk. At the very least, companies would be well advised to have a DDoS plan in place in case the worst happens, so they can react quickly and smartly to protect the most public facing aspect of the business.
Myth 5: DDoS protection is beyond reach of my budget
There are two main categories of DDoS protection: hardware and cloud-based. While it is true that the former tends to be on the pricey side, as there is physical equipment to purchase, deploy and staff, cloud-based protection can be surprisingly cost effective depending on the service. In fact, your hosting provider might even be able to point you to a preferred service or partner, so make sure you do your own reconnaissance when looking into DDoS protection options. Some will charge you by the amount of bandwidth used and others offer 24×7 always on protection for a flat fee. Weigh up the options and chose the best fit for your organisation.
There you have it: some of the most common DDoS myths busted. The fact is that DDoS attacks are becoming more effective as well as more successful and if companies do not take the threat seriously, there is a real risk that they will be subjected to extortion, loss of customer confidence, reduced revenues or even face closure in extreme cases. Some key takeaway advice to prevent falling victim to DDOS attacks is:
1. Make sure your site gets tested for vulnerabilities regularly.
2. Put a system in place to monitor that your site is available in all countries that you operate in.
3. Speak to your hosting provider about DDoS protection.
4. Have a DDoS playbook prepared so everyone knows what to do if your site is attacked.
5. Consider using cloud- based DDoS protection.