For years, network operators have known that Distributed Denial of Service (DDoS) attacks are a persistent and evolving threat. Threat actors launch DDoS attacks for various reasons, including extortion, competitive rivalry, ideological motivations, disputes related to online gaming, and most often, for monetary gain. But the means to protect against these new threats are often still misunderstood.

The following are three myths of DDoS protection that we need clarify, as well as best practices for mitigation now and in the future:

Myth #1: DDoS attacks won’t target our organization.

Despite the rapid proliferation in new DDoS attacks every day, with numbers reaching north of 6 million in the first half of 2022, many organizations are convinced that they are impervious to new and persistent threats at the network level. Just as certain natural disasters are happening more frequently across the world in areas that were previously relatively safe, the internet climate also evolves over time. That’s especially true of enterprise security stances as the attack surface on networks grows exponentially in numerous industries, including satellite communications and education.

It’s shortsighted to ignore the threat or thinking that it can’t happen, but don’t lose hope as there are new ways to protect company assets. Going back to the natural disaster analogy, in the places where disasters are common, communities take a more aggressive approach to building more resilient structures and learn from past events about how to improve their future defenses. In the same way, the best practices for a DDoS defense strategy are well understood and any security team can  implement them with some advanced planning.

Network operators often look to DDoS mitigation tools provided by content delivery networks (CDNs) and web application firewalls (WAFs) to thwart attacks. While those are robust tools, they do not tell the whole story of mitigating the challenges of evolving DDoS attacks.

Myth #2: CDNs are the best method of protection.

Content delivery networks (CDNs) are designed primarily to distribute web content, placing it as close to the end user as possible to improve performance, reliability, and latency. By nature of their architecture, they are well-suited to absorb large surges in traffic. In fact, part of the design aims to weather these rises, whether benign surges like vendor patches or OS upgrades, or malicious, such as DDoS attack traffic.

CDNs are often highly effective at mitigating DDoS when resources within their infrastructure are the target. However, they offer only part of the solution. In fact, organizations that rely on CDN-based DDoS protection are still vulnerable to most DDoS vectors. We find the same vulnerabilities with WAFs. Ultimately, while CDNs can effectively mitigate attacks traversing their infrastructure, the applications and services that are not delivered via the CDN remain vulnerable and we need to protect them with a stateless, purpose-built DDoS solution.

Myth #3: Firewalls offer adequate protection against application-layer attacks.

Generally, firewalls do play a critical role as a defender of networks, stopping unwanted traffic based on predetermined information, such as source and destination, port, and protocol. As such, they are an essential part of the security stack. But although firewalls can stop unknown and unwanted traffic, they cannot easily detect malicious traffic spanning trusted protocols and ports, such as HTTP/S, DNS, or IMAP.

As a way to stop application-layer DDoS attacks, security teams often deploy WAFs. While WAFs can help filter or block attempts to gain access to servers or data, like all firewalls, they are vulnerable to state or resource exhaustion attacks. They also don’t inspect traffic that isn’t web-based and, therefore, can’t see the majority of DDoS attack traffic.

An application-layer attack often functions as just part of a larger “blended” campaign employing multiple attack vectors, which may not target the application layer that a WAF analyzes. If security teams over-rely on WAFs for DDoS protection, they may not even realize they are under attack when a site goes offline. If that happens, they may have to restore service on the fly, diverting IT resources for hours or days that can translate into millions of dollars of lost business.

Taken together, CDNs and WAFs can mitigate many threats, but they won’t offer complete protection against the next DDoS attack. Increasingly, IT management teams should instead invest in hybrid security solutions as a best-practice for DDoS protection. A hybrid network security strategy combines an on-premises, detection and mitigation system with on-demand cloud-based mitigation capabilities. While there’s still no one-size-fits-all product, taking this approach ensures that an organization can thwart new and evolving DDoS attacks now and in the future.

Gary Sockrider, director, security solutions, NETSCOUT