Don’t fall for these DDoS myths

June 26, 2024

Are we experiencing a knowledge gap in DDoS (distributed denial-of-service) attacks? They’ve been around so long that it’s hard not to wonder whether these pesky attacks get deprioritised by the cybersecurity industry.

You could blame ransomware and AI-led cybercrime for hogging a lot of the attention today. After all, they’re the more ‘exciting’ forms of cybersecurity threat. But old hat as the comparatively stable DDoS may be, there’s a risk of bad habits settling in. Given enough time, common misconceptions go unchallenged, or even evolve into full-blown myths.

If you’re already taking steps to protect yourself against cybercrime, you shouldn’t sleep on DDoS attacks. It’s well worth taking the time to brush up on your knowledge, to re-examine what you know and what’s changed.

Speaking of myths, let’s take a look at the three biggest myths I regularly see in the DDoS space.

Myth #1: (DDoS) Size matters the most

Generally speaking, the cybersecurity field does a pretty good job of raising awareness regarding evolving threats. The way ‘evolving’ usually gets communicated when it comes to DDoS attacks is fairly typical stuff: larger attack sizes, longer durations and more complex multi-vector techniques. Bigger equals better, right?

Well, not quite. Now, make no mistake, attack size is definitely on the rise. Lots has already been said about Google, Amazon, and Cloudflare reporting the largest-ever DDoS attack in history last year. By another vendor’s measurements, many DDoS attacks in Q1 2024 actually exceeded the 1 terabit per second rate, almost on a weekly basis – with the largest reaching 2Tbps.

These complex, large-scale attacks may be the most publicised ones, but it doesn’t mean that attack size is the only consideration you should worry about. Verizon’s 2023 Data Breach Investigations Report showed that many bad actors are increasingly leaning into short, intermittent low-volume attacks.

The smaller attacks are just as dangerous, if not more so, because they are harder to detect. We see this danger quite clearly with ‘bits and pieces’ attacks (also known as ‘carpet bombing’). They work much like any other DDoS attack, except that instead of flooding a single system with an endless stream of requests, they hide the excess traffic by spreading it across an entire network. Scattering these small bursts across many hosts and an ocean of legitimate traffic makes detection a lot harder: no single host receives enough to look abnormal, so traditional methods like per-host thresholds and firewalls simply aren’t as useful here.
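To make the detection point concrete, here is an added example (not code from the original post) that runs a naive per-host byte threshold and a per-/24 aggregate threshold over constructed flow records: the carpet-bombed prefix stays under the per-host limit everywhere yet trips the prefix-level check. The threshold values and the sample flows are assumed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flow records (dst_ip, bytes) for one measurement window.
# Made-up values for illustration, not data from the post.
FLOWS = (
    # Ordinary traffic: a few busy hosts in 198.51.100.0/24.
    [("198.51.100.5", 400_000), ("198.51.100.6", 250_000), ("198.51.100.7", 100_000)]
    # Carpet bombing: 200 hosts in 203.0.113.0/24 each receive only a trickle.
    + [(f"203.0.113.{i}", 50_000) for i in range(1, 201)]
)

HOST_THRESHOLD = 1_000_000    # bytes per host per window (assumed tuning value)
PREFIX_THRESHOLD = 4_000_000  # bytes per /24 per window (assumed tuning value)


def per_host_totals(flows):
    """Sum bytes per destination host (the view a naive threshold sees)."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return totals


def per_prefix_totals(flows, prefix_len=24):
    """Sum bytes per destination prefix; this is the view that exposes carpet bombing."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += nbytes
    return totals


def flag_hosts(flows, threshold=HOST_THRESHOLD):
    """Hosts whose traffic in the window exceeds the per-host threshold."""
    return {h for h, b in per_host_totals(flows).items() if b > threshold}


def flag_prefixes(flows, threshold=PREFIX_THRESHOLD, prefix_len=24):
    """Prefixes whose aggregate traffic in the window exceeds the per-prefix threshold."""
    return {p for p, b in per_prefix_totals(flows, prefix_len).items() if b > threshold}


if __name__ == "__main__":
    print("per-host alerts:  ", flag_hosts(FLOWS))     # set(): nothing trips
    print("per-prefix alerts:", flag_prefixes(FLOWS))  # {'203.0.113.0/24'}
```

In production the same aggregation would run on sampled NetFlow/sFlow per time window, with thresholds baselined per prefix rather than fixed constants.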

The damage from ‘smaller’ attacks like this might not seem immediately obvious, but when they go undetected they degrade the service rather than take it offline altogether, and sustained degradation can be devastating for a company’s reputation. There’s also the fact that not all attacks need high Gbps to be effective. Protocol and application-layer attacks, for instance, disrupt services by exhausting server and application resources or by interfering with the handshake, which makes size irrelevant.

Myth #2: Content Delivery Networks make DDoS protection irrelevant

Content Delivery Networks have gained a lot of popularity over the years because they put content closer to consumers. There are an estimated 1.5 million companies using CDNs to improve their online services’ speed, reliability and scalability.

It’s true that CDNs lessen the risk of DDoS somewhat, often offering features that can help reduce the impact of attacks. But security is not their main purpose, so the scope of protections on offer can best be described as limited rather than comprehensive.

The large distributed networks of a CDN can mitigate some attacks, sure, but they can also introduce a single point of failure. If there’s ever a CDN outage, any sites relying on it go dark too. This can come about through internal errors, as we saw years ago with Fastly’s outage, or through DDoS attacks that abuse weaknesses in HTTP range request handling to amplify traffic and overwhelm specific servers.

All that is to say that, while they are handy as part of your DDoS protection strategy, CDNs cannot be relied on as the entire strategy by themselves.

Myth #3: All DDoS protection services are built equally

There’s a misconception that every DDoS protection service works the same way. This is perhaps understandable, given that every Internet Service Provider or standard home router comes equipped with DDoS protection. That should indeed be the baseline, but it hardly guarantees protection. Many of these services have the rather infamous reputation of failing when they’re most needed, which kind of defeats the point of the supposed protection in the first place.

The only way to truly protect yourself against DDoS attacks is through a mix of solutions. Case in point, firewalls can stop basic DDoS attacks like SYN floods or fragmented packet attacks, but they won’t do well against more complex DDoS attack techniques all by themselves. Modern DDoS techniques, like ones that mimic legitimate traffic, can easily get through more traditional defences like firewalls.

So, you have to account for the fact that bad actors are likely going to use a variety of attacks, from single-vector to multi-vector attacks. That means you need a more comprehensive strategy that mixes in specialised, cloud-based DDoS protection services and intrusion detection systems for additional security. Any protection service you choose should have a proven track record of conducting regular tests and drills to ensure these services actually work well when under attack. And this bit is quite crucial to understand because attackers have been known to ‘test’ systems’ capacity and defences with ‘minor jab’ attacks.

One last bit of advice: never assume that your company is safe from a DDoS attack. If bad actors find a vulnerability, they will exploit it. You don’t want to find yourself in a situation of prolonged disruption to services, or worse, a complete outage. Even OpenAI learned this the hard way when it suffered disruptions across the organisation’s tools and services, including ChatGPT.

A little bit of disruption at the wrong time is all it takes to wreak havoc on not just your company’s reputation, but the customer base and bottom line, too.