Security professionals are under extreme pressure to stop a dizzying array of threats against their organizations. Said one Arbor client, “ … I feel like I’m in a constant gun fight with an enemy that is surrounding me and completely stealth.”
The nature of security these days is often just trying to make the most educated guesses as quickly as possible. For example, when deciding what to use for DDoS protection, why not go with what already exists: the firewall? The vendor’s literature states that it stops DDoS attacks. “Check. On to the next problem.”
Unfortunately, this is where many organizations fail. A common misconception is that firewalls will stop DDoS attacks. The reality is that they may stop ‘some’ but not ‘all’ DDoS attacks. In fact, they can make matters worse.
Firewalls are required to track state, which makes them extremely vulnerable to certain types of DDoS attacks. Modern-day attackers know this all too well and commonly deploy TCP state exhaustion attacks that are designed to fill the state tables of firewalls. When this happens, legitimate traffic flowing through the firewall is greatly slowed or, worse, stopped altogether, thus completing the DDoS attack for the attacker.
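To make the state-table mechanism concrete, the following is an added illustration, not code from the original article or from Arbor. It models a stateful device's connection table second by second and reports how many legitimate new connections are refused once the table is full; the capacity, arrival rates and entry lifetime are assumed values chosen for the example.

```python
# Added illustration: per-second model of a stateful device's connection table.
# Capacity, rates and entry lifetime are assumed values, not measurements.

def steady_state_demand(rate_per_s, ttl_s):
    """Entries a traffic class tries to hold at once (arrival rate x lifetime)."""
    return rate_per_s * ttl_s

def simulate(capacity, legit_rate, junk_rate, entry_ttl, seconds):
    """Return (fraction of legitimate new connections refused, peak table use).

    legit_rate / junk_rate: new table entries requested per second by real
    clients and by state-exhaustion traffic. entry_ttl: seconds an entry
    occupies a slot before the device times it out (must be >= 1).
    """
    expiring = [0] * (seconds + entry_ttl + 1)   # slots released at each tick
    in_use = peak = refused = 0
    for t in range(seconds):
        in_use -= expiring[t]                    # timers ending now free slots
        free = capacity - in_use
        total = legit_rate + junk_rate
        if total <= free:
            legit_ok, junk_ok = legit_rate, junk_rate
        else:
            # Not enough room: the table treats every new flow alike, so the
            # remaining slots are shared in proportion to arrivals.
            legit_ok = free * legit_rate // total
            junk_ok = free - legit_ok
        expiring[t + entry_ttl] += legit_ok + junk_ok
        in_use += legit_ok + junk_ok
        peak = max(peak, in_use)
        refused += legit_rate - legit_ok
    return refused / (legit_rate * seconds), peak

if __name__ == "__main__":
    CAPACITY, LEGIT, TTL, SECONDS = 10_000, 100, 30, 300   # assumed values
    for label, junk in (("normal load", 0), ("state exhaustion", 2_000)):
        demand = steady_state_demand(LEGIT + junk, TTL)
        frac, peak = simulate(CAPACITY, LEGIT, junk, TTL, SECONDS)
        print(f"{label:17s} demand={demand:6d} peak={peak:6d} "
              f"legit refused={frac:.1%}")
```

Comparing the steady-state demand with the table capacity is the quick check: once demand exceeds capacity, most legitimate connections are refused even though the link itself is not saturated.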
In addition to a firewall, organizations need purpose-built, dedicated DDoS protection solutions, otherwise known as Intelligent DDoS Mitigation Systems (IDMS), that are constantly armed with up-to-date threat intelligence. Today, DDoS attacks are a dynamic combination of:
- Large volumetric attacks;
- TCP state exhaustion attacks; and
- Stealthy, low and slow application-layer attacks.
Taking a layered approach provides the most comprehensive protection:
- Volumetric attacks must be stopped in the cloud, in other words, by using your ISP or MSSP.
- TCP and application-layer attacks should be stopped with purpose-built, stateless DDoS protection devices, on-premise, closer to where you can control and protect your most critical services.
- Due to the dynamic, multi-vector nature of modern-day DDoS attacks, there must be an intelligent form of communication between the in-cloud and on-premise solutions.
- Finally, solutions must be constantly updated with the latest and greatest threat intelligence.
You wouldn’t think about bringing a water balloon to a gun fight, right? Or is this possibly just another common misconception? Check out the video below. You may be surprised.