Working in security, I often hear what people think about cyber security and DDoS. What I’ve learned is there are a lot of misconceptions out there and I wanted to take some of the most common ones and talk about them.
DDoS attacks can be damaging; especially for an online business that depends on valuable client relationships and reliable user experiences. But business organizations aren’t the only targets of malicious web bots. Banking institutions, governments, hospitals and schools have all suffered from debilitating attacks in the past few years.
I recently wrote an article called “The Seven Myths of DDoS Attacks” to address misleading information about DDoS threats that persist. One thing is certain: Knowing the facts will help you keep your website safe.
Myth 1: I’m safe as long as I (have) “___ ”
It’s easy to have a false sense of complacency with a fill-in-the-blank approach to DDoS threats. For example:
- I have “enough bandwidth” – Even high bandwidth won’t protect your site from concentrated packets-per-second (PPS) and application layer attacks.
- I have “a strong router” – Unfortunately, a strong router will not keep you safe if your bandwidth is being inundated with web bots, or if you are the target of an application layer attack.
- “Validate that my web server is fully protected” – Hopefully you’ll be shielded from some application layer attacks. But high requests per second (RPS) attacks will also sneak through. And, what if your bandwidth is saturated?
- “Block certain user-agents” – This can help, but it’s only a partial solution. Advanced attacks will always find a way around to your network.
It’s certainly possible that the internet protocols you currently use will protect your site from a DDoS attack. But it’s risky relying solely on a fill-in-the-blank solution. Imperva Incapsula data from last year confirms that an increase in high-volume assaults can easily flood any network.
Myth 2: “I’m not a target”
It’s no longer the case that DDoS attacks only target large global organizations like banks and insurance companies. Smaller and local sites (florists and caterers, for example) often fall victim to hackers as well.
Myth 3: “DDoS attacks are launched by masterminds and kids”
There are all kinds of cyber criminals who can harass you with a DDoS threat. There’s the hacktivist who pushes a political agenda, the harasser who trolls online users and the extortionist who threatens sites with ransom notes. Sometimes, many of these individuals are employees and contract workers with direct access to your site.
Myth 4: “It’s just some downtime”
Any downtime is bad for ecommerce sites. It annoys customers, adversely affects the bottom line and undermines your reputation. And reputations are hard to rebuild on the internet.
Myth 5: “A box can fix it”
Don’t rely on a pre-existing appliance to block an incoming DDoS assault. Attacks today are so big (in both bandwidth and PPS) that it can overwhelm your firewall appliance or mitigation appliance. Your best defense is having a DDoS mitigation strategy in place before a single web bot reaches your network.
Myth 6: “If I have more bandwidth, there will be less downtime”
Server maintenance, server crashes and power outages, these are just a few of the things that can cause website downtime. Unfortunately, no amount of bandwidth can guarantee 100 percent uptime. High-volume DDoS attacks, in particular, can easily bring down an unprotected site no matter how much bandwidth is being used.
Myth 7: “DDoS protections are all the same”
Not really. Take my (free) advice and select a provider that thoroughly understands the DDoS landscape and has the mitigation experience you need. It’s important to review and compare options when choosing website security.
More free advice: stay informed
The best approach is to learn more about your options. If you’d like to read more about DDoS, I encourage you to check out the DDoS Bootcamp online training site from Imperva Incapsula. Being prepared will help you build a security plan that will protect your company’s online assets.