Dispelling the myths behind DDoS attacks
by Jag Bains - CTO at DOSarrest - Tuesday, 8 July 2014.
Distributed Denial of Service (DDoS) attacks are quickly becoming the preferred method for cyber attackers to wreak havoc on the internet. With a recent spate of attention-grabbing headlines focused on the hacker's favorite tool, this article busts some myths about DDoS attacks.

Myth 1: DDoS attacks are merely a nuisance with no lasting damage

This is a dangerous assumption to make. Just ask CodeSpaces; actually, you can't - a DDoS attack put it out of business. Yes, this is an extreme case, but you only have to look back a few weeks to see headlines about major companies like Feedly and Evernote, which rely heavily on their web presence, being taken down by DDoS attacks. Not only were their customers' experiences disrupted, but in some cases the hackers attacking the sites demanded a ransom to cease the attacks.

A further consequence of being taken down by a DDoS attack is the loss of SEO ranking, something which is like gold dust to some highly web-dependent businesses. So, we have loss of customer confidence, loss of revenue, extortion; and throw into the pot loss of SEO ranking - not looking like a mere nuisance now, is it?

Myth 2: Volumetric attacks are the biggest threat

Despite the media hype surrounding large Gb/sec DDoS attacks, the largest of which has reached up to 400Gb/sec, these are not the most common types of attack that we see, and they are not the biggest threat to websites. These are what we like to call “big & dumb” style attacks. They’re easy to spot and relatively easy to defend against (providing you have the right technology in place). These days, attackers prefer to be less obvious about DDoS attacking a website. They will do reconnaissance, figure out what the weak point in a website is, and exploit that weakness.

For example, a gaming website might be able to handle thousands of people playing the game at the same time, but the moment just 25 try to register or log in at the same time, it can crash the site. Hackers will identify this and use it against the company to keep defenders on their toes. In addition, attack methods such as Slowloris and headless-browser-based attacks mean that hackers can sometimes get in unnoticed, especially if the IT team doesn’t know what they are looking for.
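
The gaming-site scenario above can be turned into a monitoring check. The following is an added example, not code from the article or from DOSarrest: it measures peak in-flight requests per path from an access log, next to the aggregate requests-per-second figure a volumetric alarm would watch. The paths, budgets, alarm threshold and sample log are all constructed assumptions.

```python
from collections import defaultdict

# Assumed values for illustration, not taken from the article.
BUDGETS = {"/game/state": 50, "/login": 20}   # max in-flight requests per path
AGGREGATE_RPS_ALARM = 1000                     # volumetric alarm threshold

def build_sample():
    """Constructed access log: (start_ms, duration_ms, path). Not real traffic."""
    log = []
    for sec in range(10):                      # steady gameplay: 40 fast req/s
        for i in range(40):
            log.append((sec * 1000 + i * 25, 50, "/game/state"))
    for i in range(25):                        # 25 slow logins inside 250 ms
        log.append((5000 + i * 10, 2000, "/login"))
    return log

def peak_rps(log):
    """Highest request count in any one-second bucket (the aggregate view)."""
    per_sec = defaultdict(int)
    for start_ms, _, _ in log:
        per_sec[start_ms // 1000] += 1
    return max(per_sec.values())

def peak_concurrency(log):
    """Peak number of simultaneously in-flight requests for each path."""
    events = defaultdict(list)
    for start_ms, dur_ms, path in log:
        events[path].append((start_ms, 1))
        events[path].append((start_ms + dur_ms, -1))
    peaks = {}
    for path, evs in events.items():
        evs.sort()                             # at equal times, ends sort first
        cur = peak = 0
        for _, delta in evs:
            cur += delta
            peak = max(peak, cur)
        peaks[path] = peak
    return peaks

def over_budget(log, budgets=BUDGETS):
    """Paths whose peak concurrency exceeds their budget."""
    peaks = peak_concurrency(log)
    return sorted(p for p, n in peaks.items() if n > budgets.get(p, float("inf")))

if __name__ == "__main__":
    sample = build_sample()
    print("peak req/s:", peak_rps(sample), "alarm at", AGGREGATE_RPS_ALARM)
    print("peak in-flight per path:", peak_concurrency(sample))
    print("over budget:", over_budget(sample))
```

On the constructed log the aggregate rate stays far below the volumetric alarm while the login path alone exceeds its budget, which is the gap between the two views.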

Myth 3: My hosting provider will take care of DDoS attacks, so I don’t have to worry

This may be true; or it may not. Assuming that your hosting provider or any other third-party service will automatically defend your website against DDoS attacks is not recommended. After all, you most likely wouldn’t rely on a neighbor to let you know that you’ve been burgled. Making this kind of assumption is foolhardy, considering that an ISP's operations and monitoring will no doubt be focused on data center metrics like cooling, power status, aggregate bandwidth and customer ticket queues, which are hardly granular enough to reveal an attack against one of their customers in real time. Add to this the growing sophistication of DDoS attacks, which makes it difficult to distinguish an attack from regular traffic patterns, and it’s not difficult to see why ISPs are ill-equipped to deal with the problem. The best advice is to first speak to your provider and find out what is covered and whether they can recommend or work with a good DDoS mitigation specialist.

