There are certain topics it’s mostly fine to go through life only pretending to know about. Gluten intolerance. Jonathan Franzen. Global warming…for now. So long as you aren’t, say, endangering the life of someone with Celiac Disease or having brunch with Jonathan Franzen, it’s perfectly fine to coast on myths and misinformation about these topics. And then there are some topics about which you really need the cold hard facts. Like DDoS attacks.
DDoS stands for distributed denial of service, which is a type of cyber attack that uses a number of internet-connected devices assembled into a botnet to overwhelm a target server or network with malicious traffic. The end goal of a DDoS attack is taking the target offline or even just slowing it down enough that it’s unusable. This where the denial of service comes into the distributed denial of service attack.
A successful DDoS attack can result in frustrated users, diminished loyalty, software damage, hardware damage, or theft of intellectual property or confidential data, including user or financial information.
To be sure, there are industries that are at a higher distributed denial of service attack risk than others: online gaming, software as a service and the financial industry, to name a few. But in the year 2016 the reality is that if you have a website, you're a target.
This has become especially true now that DDoS for hire is a cruel reality. For mere dollars, anyone can target a website with an attack. Not only does this lead to petty grievances being settled with cyber attacks, but it’s also increased the number of DDoS ransom notes being sent out demanding payment in return for not launching an attack. Smaller websites that likely don’t have distributed denial of service protection make meaty targets for anyone looking to make some quick cash.
This ties in with myth #1, thinking you’re a small enough fish in a big enough pond that no attacker is going to bother assembling a major botnet army against you. That may be true, but it doesn’t take a big attack to do big-time damage.
Massive distributed denial of service attacks tend to grab headlines, but small, concentrated and well-crafted attacks like an HTTP flood on the application layer can be just as insidious. Especially if it doesn’t come with the malicious traffic swell that tips off security solutions to something being amiss. A 2015 study conducted by DDoS mitigation provider Corero found that 93% of attacks are under 1 Gbps.
Unless that blank is filled in with anything other than professional DDoS protection, unfortunately, no, you’re not safe.
Lots of bandwidths, ISP-based protection, a strong router and IP blacklisting are all things website owners often think provide distributed denial of service protection. It’s true that they all provide partial protection, but in this age of multi-vector attacks, partial protection won’t cut it. For instance, ISP-based protection can identify bad traffic, but it isn’t built to deal with it efficiently so while it’s handling bad traffic, legitimate traffic will be caught in a bottleneck trying to get through. And all the bandwidth in the world won’t help in the face of a crafty application layer attack.
As evidenced by DDoS protection provider Incapsula, true blanket DDoS protection against all DDoS attacks requires a multi-faceted approach that combines a robust network backbone and granular traffic inspection solutions to protect against network layer, application layer, and protocol attacks.
There are two parts to this myth. The first part involves the erroneous assumption that users think not being able to access your website precisely when they want to isn’t a big deal. But think about how many websites offer the same content, products or experience your website offers. The number is probably somewhere approaching infinite. If you give someone a reason to abandon your website for another, he or she will likely take it.
The second aspect of this myth is that a successful DDoS attack is merely a website availability issue. As referenced above, a distributed denial of service attack can be used as a smokescreen for intrusions that can result in the theft of customer information. Internet users know this. Whether or not information is stolen from your website is almost irrelevant: damage to your reputation is damage to your reputation, and when a DDoS attack succeeds, you’ve proven that you’re not protecting your users.
Staying informed on all the things you think you’re supposed to can be exhausting. Make it easy on yourself and free up brain space for the things that truly matter, like DDoS attacks, by ignoring the things that truly don’t.