Busting three common DDoS myths

DDoS (distributed denial-of-service) protection occupies a peculiar spot in cybersecurity. While "newer" threats like AI-enabled cybercrime and the ongoing ransomware spree take up many airwaves, DDoS is relatively stable. For many, it's a known quantity. But this is where the problem lies. DDoS has been around for so long, and companies have been mitigating against it for all this time that a knowledge gap is slowly creeping in.

Because things change, bad habits get picked up, or common misconceptions go unchallenged and evolve into full-blown myths. Companies might be ‘protecting’ themselves under false pretenses, so it pays to revisit what you know, explore what’s changed and rebuild your knowledge of the threat landscape semi-regularly. So, with that in mind, let's explore three common myths we regularly encounter in the DDoS space. 

Bigger is better

The cybersecurity industry does a reasonably good job of spreading awareness about increasing or evolving threats. For DDoS attacks, this typically means you read how attacks are getting larger, longer in duration, and more complex with multiple attack vectors. In general, attack size is increasing; for example, Google Cloud reported the largest-ever DDoS attack on October 23. However, it is incorrect to assume that attacks are always massive or need to be.

A recent report found that the average size of attacks in H1 of 2023 was less than 1Gbps, lower than the previous period and YoY. Despite this, the maximum attack size was a massive 250 Gbps. So why is this? First, DDoS requires attackers to commit resources they are not looking to waste or over-expend. Attacks might be used as more minor 'jabs' to test a system’s capacity or defenses. Alternatively, attacks like protocol or application layer attacks exist, which don't necessarily require high Gbps to be effective. These can disrupt services by exhausting server and application resources or disrupting the transaction handshake, making the sheer size less relevant.

Content Delivery Networks (CDNs) remove the need for DDoS protection

Content Delivery Networks (CDNs) have grown increasingly popular, providing a way to deliver content closer to end users. Nearly 1.5 million companies are estimated to employ CDNs to improve their online services' speed, reliability, and scalability. CDNs can also mitigate the risk of DDoS attacks to an extent, but can you employ a CDN to outsource DDoS protection to such a degree that you don’t need to think about it? That is a myth.

While many CDNs offer features that can help mitigate against certain types of attacks like DDoS, security is not the primary function, so the scope of protection is too limited to offer complete protection. And while a CDN’s large distributed networks can help absorb some attacks, they add a single point of failure. A CDN outage means sites that rely on this go dark, too. This can happen from internal errors like Fastly’s outage a few years ago or specific DDoS attacks, such as the RangeAmp attacks, which exploit vulnerabilities in HTTP range requests to amplify traffic and overwhelm the targeted servers. So, while CDNs are handy tools that can be a practical element of a DDoS protection strategy, they are not enough alone.

The myth of DDoS 'protection'

The final myth is the misconception that all DDoS protection services are built equally. These days, every Internet Service Provider (ISP) or even standard home routers come equipped with DDoS protection. While this is nice to have, the presence of a DDoS protection feature does not mean you are truly protected. Many of these services fail when they are most needed, rendering the supposed protection they offer obsolete. 

Effectively protecting from DDoS often requires a mix of tools. For example, while firewalls might stop basic DDoS attack types, such as SYN floods or fragmented packet attacks, they are not fully equipped to handle sophisticated DDoS attacks alone. Modern DDoS methods, especially those that mimic legitimate traffic, can often bypass traditional firewall defenses.

However, more complex and multi-vector attacks require a broader, more comprehensive security strategy. This strategy should include specialized, cloud-based DDoS protection services and intrusion detection systems, offering additional layers of security. Choosing a DDoS protection service with a proven track record is essential, as is conducting regular tests and drills to ensure these services function effectively when under attack.

Photo Credit: Fabio Berti/Shutterstock

Donny Chong is Director, Nexusguard.