Myth #1: DDoS can be Solved by Adding Bandwidth
Truth: As illustrated in the graph below, attacks in 2011 were quite varied, and over 76% of application-level attacks were non-volumetric in nature (that is, bandwidth was not an attribute of the service disruption). Thus adding bandwidth would not have remedied the problem and, in some cases, would have made the attack worse!
Attack Types and Bandwidth have Varied!
Myth #2: DDoS Attacks are Based on Network Attacks – Mostly SYN Floods
Truth: 2011 was a watershed year: not only were more application-layer attacks logged than network-layer attacks, but the network-level attacks were also varied across UDP / TCP and IPv4 & IPv6 (as illustrated in the graph below)!
Radware Security Survey: Attack Count by Type and Bandwidth
Myth #3: DDoS Attacks Can be Mitigated by Internet / Cloud “Scrubbers”
Truth: DDoS “cleaning” requires a layered approach (like almost all other security approaches). Cloud scrubbers have value; however, premise-based devices are required for application-layer, encrypted and advanced anti-CDN attacks (as illustrated in the graph below).
Myth #4: My firewall and IPS devices protect me from DDoS Attacks
Truth: In 2011, IPSs and firewalls contributed to 1/3 of all originating service disruptions (see graph below).
Firewall and IPS Security Devices Accounted for 1/3 of Availability Outage/Bottleneck Problems in 2011
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.