Real Time Network Protection
Myths about DDoS
Last month we explored the History of Distributed Denial of Service
(DDoS) Attacks and how they have developed over time. DDoS attacks are
among the most fundamental attacks, and their use in disrupting services
online has continued unabated since the early 1970’s. Today, DDoS attacks
are still one of the top threats to networks the world over, constantly
adapting to new standards of protection and security.
There are many different flavors of DDoS attack and almost as many misconceptions.
Myth 1: It only happens to the other guy
Most network and security operations engineers only hear about DDoS
attacks happening to other organizations. They think that they have no
enemies and no other reason to be the target of an attack. In reality,
their perception of their risk factors and susceptibility is often
misplaced: simply having a web presence makes them a target, even if
only by mistake.
Myth 2: Server DDoS protections have me covered
Many engineers think that they can custom-compile kernel code, set
some options in Apache, install “mod_dosevasive”, add a few “iptables”
rules, and their DDoS problems are taken care of. In reality, most
servers do not have the capacity to handle DDoS attacks. Under an
average-sized DDoS attack, the server CPUs will be too overloaded to give
the Apache modules or Linux commands a chance to mitigate the event.
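To make the server-side layer concrete, here is an added example (not code from the original post or from mod_dosevasive itself) of the per-client sliding-window check that modules of that kind apply to requests, run over constructed Apache access-log lines. The threshold and window values are assumptions; the point it shows is that the check catches one noisy client but sees nothing unusual per source when the same load arrives spread over many addresses, which is why this layer alone is not a complete defense.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (client_ip, timestamp, request_line) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req

def flag_hot_sources(lines, threshold=10, window_s=2):
    """Per-source sliding window in the style of mod_dosevasive (assumed values).
    Returns (set of client IPs that exceeded the threshold,
             peak number of requests seen in any window across all clients)."""
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)   # recent timestamps per client
    all_ts = deque()              # recent timestamps for the whole server
    flagged, peak = set(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _ = rec
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
        all_ts.append(ts)
        while ts - all_ts[0] > window:
            all_ts.popleft()
        peak = max(peak, len(all_ts))  # server-wide load the per-IP check ignores
    return flagged, peak

def _line(ip, sec):
    return f'{ip} - - [10/Oct/2020:13:55:{sec:02d} +0000] "GET /index.html HTTP/1.1" 200 2326'

# Constructed samples: one client sending 12 requests in 2 seconds, versus
# 20 clients (TEST-NET-2 addresses) each sending 3 requests in the same window.
SINGLE_SOURCE = [_line("203.0.113.5", 36 + i % 2) for i in range(12)]
DISTRIBUTED = [_line(f"198.51.100.{i}", 36 + j) for j in range(3) for i in range(1, 21)]

if __name__ == "__main__":
    print(flag_hot_sources(SINGLE_SOURCE))  # flags 203.0.113.5, peak 12
    print(flag_hot_sources(DISTRIBUTED))    # flags nothing, peak 60
```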
Myth 3: My ISP takes care of DDoS attacks for me
Many ISPs and hosting companies are happy to null-route the attacked
IP to solve the problem of DDoS attacks. This works against many basic
attacks; however, smaller layer 7 attacks easily bypass their protections,
and they pass these application-level threats along to your network.
Unless your ISP advertises an advanced DDoS mitigation service, you can
assume you’re not completely protected. Some also mistakenly believe their
ISP will help them get to the root of the attack. Most ISPs are too busy,
and they have strict, bureaucratic processes for contacting each other.
If you want to rely on them to help determine the sources of DDoS
attacks, typical response times are days and weeks.
Myth 4: It’s against the law. Call the police!
Yes, DDoS attacks are illegal; however, most law enforcement agencies
will only pursue large attacks (10 Gbps and up) against large companies or
institutions such as banks, government agencies and major international
corporations. Most likely they’ll politely tell you that you’re going to
need to work with your ISP or a private investigator.
Myth 5: My routers and switches protect me from DDoS attacks
Even though your networking hardware may have access control lists
(ACLs) that can block DDoS threats, attackers adapt quickly. The average
attacker can get around your ACLs within minutes with a little
determination.
Myth 6: A dedicated DDoS appliance will just get flooded too
Many wonder whether there is any point in buying specialized DDoS
appliances. Without DDoS mitigation equipment, your servers are
thoroughly exposed even to ordinary attacks. Newer devices on the market
provide capacities of over 20 Gbps of throughput and can be
overprovisioned to protect you from larger attacks. Combined with ISP
DDoS protections, you get a solution for both bulk and sophisticated
layer 7 attacks.
The Flavors of DDoS: