DDoS Attack Myths: Does Size Really Matter?
Major DDoS attacks are often portrayed in the media using measurement terms like “a 10Gbps DDoS attack hit site X” or “an 8 Million packet-per-second DDoS flooded site Y”. While these numbers are easy to understand – they may be misleading to organizations that are planning for and implementing network security solutions. Radware’s 2011 Global Application & Network Security Report not only debunks DDOS myths – it serves as a guide for improving your organization’s overall security posture.
While DDoS attack numbers are easy to understand and grab the attention of the media – they do not really explain what is happening during a DoS attack or give other organizations any insight.
Reading through our 2011 Radware Global Application & Network Security Report I have learned a few things that could be considered misleading. Here are a few common myths that should be mentioned:
The Big Myth: Organizations Need to Prepare for Enormous Attacks
Although some organizations do incur massive DDoS attacks, many more never experience a high-magnitude attack. Instead, these organizations are brought down by less intensive, but equally serious attacks. According to our report, 76 percent of attacks were less than 1Gbps in bandwidth, with 32 percent less than 10Gbps. Only nine percent of attacks in 2011 were over 10Gbps.
Figure 1 – Radware Security Report: Attacks by Bandwidth
A review of cyber attack cases reveals that industry reports capturing public attention perpetuate a myth that only size counts. The thinking goes that if the bandwidth is bigger, then the attack is more severe. In fact, Radware’s ERT found that the type of attack is also significant. A much smaller HTTP flood on the application level may do more damage than a larger UDP flood on the network. When evaluating DoS attacks it is important to understand both the size and type of attack.
Also, the proper way to measure attacks is by their bytes-per-second (BPS) and packets-per-second (PPS) properties. If the number of packets is high, the attack is more serious. Following this logic, a 10Mbps UDP flood would be more severe than a 5Mbps HTTP flood, which is not necessarily true.
Figure 2 – Radware Security Report: Network versus Application by Bandwidth
While enormous DDoS attacks are really about network flood attacks, the majority of organizations that are targeted by sub 1Gbps attacks are targeted with a mix of network and application flood attacks. The impact of application flood attacks are much more severe than network flood attacks – it is much easier to detect and block a network flood attack (which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods and TCP floods, typically spoofed) rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions – it’s the users which are not real.
What is clear from figure 3 is that attackers are using multi-vulnerability attack campaigns, a mix of network and application attacks. Attackers are seeking for the blind spots in the security architecture of the victims – and pushing strongly on those attack vectors that go undetected.
Figure 3 – Radware Security Report: Network and Application attacks coexists
In fact more attack vectors target the application resources rather than the network resources – which mandate the need for on-premises security solutions in addition to DDoS protection service that are offered by service provider.
Firewalls or IPS alone can stop DDoS attacks
Despite being designed to provide network security, firewalls and intrusion prevention systems (IPS) are impacted by DDoS attacks. Often the firewall is the weakest link. The report shows that in 32 percent of DDoS attacks, the firewall or IPS became the bottleneck. To stop DDoS attacks you need dedicated hardware solutions, not IPS and firewall technologies.
Content Delivery Network (CDN) providers protect a business against DDOS attacks
The CDN occasionally can handle the less sophisticated, large-volume attacks by simply absorbing them (while the target customer will pay for that bandwidth, of course, as it was recognized as legitimate traffic). However, as seen by the recent cyber attacks that tried to bring down the Israeli financial system and national airline, the CDN was easily bypassed by changing the page request in every Web transaction. These random request techniques force CDNs to “raise the curtain” and forward all the attacks directly to the customer premise, in essence making the CDN act as a proxy unloading the attack traffic directly at the target servers.
The core DoS attack mitigation strategy is to defend and absorb
Businesses can and should have the ability to be proactive in their mitigation steps to stop malicious traffic or Website degradation with a strategy for going on the offense. This changes the rules in which the attacker always has the edge, and instead, levels the playing field. This can be done by identifying the attack tool used as the vehicle to carry the attack campaign and expose and exploit its inherent weaknesses to neutralize the attack tool in a “passive”, non-intrusive way.
Conclusion: Recommendations from the Radware ERT
Radware’s ERT recommends the following tactics for businesses to protect against DoS and DDoS attacks:
- Collect information about attacks such as type of attacks, size and frequency. Use the correct measures for the attack type. For example, the proper measurement for UDP floods is in bandwidth and PPS, while the measurement scale for HTTP floods is in transactions per second, concurrent connections, and new connections per second.
- Perform risk analysis at the business level to determine the budget you should allocate to improve your business resilience against DDoS attacks.
- For bandwidth saturation attacks, make sure your service provider can mitigate volumetric attacks that may saturate your bandwidth.
- For application attacks, deploy anti-DoS and network behavioral technologies on site.
- Have a consolidated or “context aware” view into enterprise security with a security event information management (SEIM) system. An SEIM system can build a centralized architecture that simplifies such tasks as monitoring the millions of messages and log records generated by security edge devices. Also, an SEIM is essential when prosecuting a perpetrator.
- Education and internal security policies are important defense tools, too. Regularly refresh technical skills and practical experience within the security group; but also help employees be aware of how hackers can exploit opportunities throughout the enterprise, especially in the age of ‘bring your own device’.