5 Things You Didn’t Know About DDoS Attacks—That Can Cost You

As organizations consider the steps needed to mitigate the risk from DDoS attacks and maintain resilience and availability, they should keep the following five areas in mind:

  1. Be mindful of stateful attacks. When most people think about DDoS attacks, they think first of volumetric attacks. But state-exhaustion DDoS attacks that block stateful devices such as firewalls, load balancers, and VPN concentrators from serving incoming connections from legitimate clients can also negatively impact vital applications, services, infrastructure, and data. This problem is particularly acute now, when we are increasingly reliant on remote connections through VPN concentrators. To protect against state-exhaustion attacks, it is important to design network infrastructure, including applications and service delivery stacks, to minimize state wherever possible.

There is a common misconception that firewalls are sufficient to protect against DDoS attacks. This is simply not true, as they are vulnerable to state-exhaustion attacks. This is why best practices (including from firewall vendors) recommend that companies deploy stateless DDoS protection in front of firewalls to protect them from state-exhaustion DDoS attacks.

  2. Cloud-based protection is not enough. The most common form of DDoS attack protection is a cloud-based mitigation service, often from ISPs or independent providers. And while such services are indeed vital to stop large, volumetric DDoS attacks that outstrip the volume of internet circuits, that is only one part of a comprehensive protection strategy. For state-exhaustion and application-layer attacks, which are just as common, the industry best practice is a stateless, on-premises solution that can automatically detect and stop such attacks.
  3. Be aware of shifting tactics. Many savvy DDoS attackers use attack performance management tools to monitor the effectiveness of their attack in real time. These tools help determine whether defenses are deployed when attack vectors are altered. This can lead to the launch of multivector attacks, which are far more challenging to mitigate without the right solution in place.
  4. Size doesn’t always matter. The vast majority of DDoS attacks today are not massive in scale, but rather are smaller-sized and short-lived. It’s important to keep in mind that a DDoS attack does not need to be big and last a long time to have a negative impact. In fact, the overwhelming majority of DDoS attacks last one hour or less, and nearly a quarter of them last less than five minutes. This means organizations need DDoS attack protection that can instantaneously detect and mitigate attacks before the damage is done.
  5. Consider a hybrid approach to DDoS protection. At NETSCOUT, we recommend a hybrid approach to DDoS protection. The cloud-based model, which relies on a service provider to deliver DDoS mitigation services against volumetric DDoS attacks, can be highly effective. However, to adequately protect the dynamic nature of most organizations from smaller application-layer DDoS attacks, we recommend augmenting with on-premises DDoS protection. This allows organizations to rapidly deploy customized DDoS protection as new applications or services are rolled out.
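To make the first item concrete, the following Python model is an added example, not part of the original article or any vendor's code. It contrasts a device that allocates a table entry on the first packet of every handshake with a stateless front end that stores nothing until the client echoes a keyed cookie, a SYN-cookie-style technique the article does not name. The class names, the table size, the secret and the traffic are all constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-device secret, rotated in practice
TABLE_SIZE = 1000                  # assumption: connection-table capacity of the stateful device

class StatefulTracker:
    """Allocates a table entry on the first packet of every handshake."""
    def __init__(self, capacity=TABLE_SIZE):
        self.capacity = capacity
        self.half_open = set()

    def first_packet(self, client):
        if len(self.half_open) >= self.capacity:
            return False           # table full: new connections are dropped
        self.half_open.add(client)
        return True

class StatelessFront:
    """Keeps nothing until the client proves it received our reply."""
    def __init__(self):
        self.established = set()

    def cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

    def first_packet(self, client, slot):
        return self.cookie(client, slot)      # reply is computed, not stored

    def completion(self, client, slot, echoed):
        # Accept the current or previous time slot so slow clients still pass.
        ok = any(hmac.compare_digest(self.cookie(client, s), echoed) for s in (slot, slot - 1))
        if ok:
            self.established.add(client)      # state only for verified peers
        return ok

def simulate(unfinished=5000):
    """Constructed traffic: `unfinished` handshakes that never complete, then one real client."""
    noise = [(f"198.51.100.{i % 250}", 1024 + i) for i in range(unfinished)]
    legit = ("192.0.2.10", 40000)
    stateful, front = StatefulTracker(), StatelessFront()
    for c in noise:
        stateful.first_packet(c)
        front.first_packet(c, slot=7)         # never answered, so nothing is retained
    legit_stateful = stateful.first_packet(legit)
    legit_front = front.completion(legit, 7, front.first_packet(legit, 7))
    return legit_stateful, legit_front, len(stateful.half_open), len(front.established)
```

With the constructed traffic, the stateful table is full when the legitimate client arrives and it is refused, while the stateless front end admits it and holds state for that one verified peer only.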

The fact is, DDoS attacks can be mitigated—if you are prepared. A key part of that preparation lies in a regular reassessment of your DDoS attack protection strategy. After all, today’s DDoS attacks are ever-changing, and traditional methods of protection may not be enough. Organizations should keep up with the latest trends in DDoS attacks, know what the current best practices are for defense, and test those defenses on a regular basis.
