Our incident response team regularly engages with companies under DDoS attacks and often encounters security/IT teams that have been overconfident about their protection levels. Primarily, this is due to misconceptions about DDoS protection.
Here are three such misconceptions and how they can be solved.
The first misconception concerns the extent of the protection an ISP's DDoS service actually provides.
There are two broad types of DDoS attack: network layer attacks (floods that exhaust network bandwidth or the state tables of network devices) and application layer attacks (HTTP and similar floods aimed at the top layer of the OSI model, which exhaust server resources such as CPU, memory, and connection pools while using comparatively little bandwidth).
Typically, the DDoS protection an ISP provides covers only network layer attacks, so at best the protection is partial. Blocking application-level attacks against an HTTPS site requires terminating or decrypting the web traffic so that individual requests can be inspected. Most ISPs do not have this capability, and there is a simple tell: they never ask customers to provide the TLS private keys or certificates that decrypting the traffic would require.
Solution: To cover yourself against application-level attacks you should also add a Web Application Firewall (WAF), either on-premises or, preferably, a cloud-based WAF.
Except for very large ISPs (the size of AT&T), most ISPs lack the capacity, accuracy, and skills to stop large network DDoS attacks. This is particularly risky for companies in higher-risk categories such as banks, other financial services, insurers, and gaming.
The typical ISP (particularly in smaller countries) cannot invest in protection equipment on the scale of the global DDoS mitigation vendors. Consequently, such ISPs often cannot absorb larger DDoS attacks, and they are also not very good at handling false negatives (attack traffic that passes) and false positives (legitimate traffic that gets dropped). In most cases, the ISP teams handling DDoS lack the specialist skills and experience of a dedicated mitigation provider.
Solution: For some customers ISP protection may be sufficient. The key point is to be aware of the limitations. For companies that want to ensure higher protection levels, additional elements should be added to the mix – DDoS infrastructure protection (which diverts entire IP prefixes to a scrubbing center via BGP) or a Cloud WAF (which diverts individual web properties to the provider via DNS).
Cloud WAF services that provide DDoS protection are often sold as a “24×7 managed security service.” This builds an expectation with customers that DDoS protection is fully owned by the service provider with zero responsibility for the customer.
However, just like a traditional on-premises firewall, a WAF service operates under a shared responsibility security model. If you do not define your own DDoS security settings, you are protected only by the vendor's generic defaults, which were not tuned for your traffic and may never trigger during an attack on your site. Even though Cloud WAF services are managed in the sense that you don't need to deploy any hardware, the security configuration is your responsibility.
For example, one of the prominent cloud-based WAF providers has a default DDoS protection of a cookie challenge that is triggered at 1,000 RPS. A site whose normal peak is a few dozen requests per second can be taken down by a flood well below that threshold without the default ever firing, so you need to adjust the threshold to your site's needs. Furthermore, you must decide whether to use a more aggressive challenge such as cookie validation or CAPTCHA.
Solution: Just as you would define a firewall security policy, you should invest time in defining a DDoS policy that suits your security architecture. Some examples of settings include rate limits, API protection, and geo protection. But I'll cover these in more depth separately.
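As an added example (not code from the original post, and not any vendor's product or API), the following script shows why the quoted vendor default of a cookie challenge at 1,000 RPS is not a policy: it derives thresholds from a site's own traffic baseline and layers the three settings mentioned above (site-wide rate thresholds with challenge escalation, per-client API rate limits, and geo blocking) into one evaluator. The traffic samples, IP addresses, country codes, the 3x headroom factor, and the rule priority order are all constructed assumptions for illustration.

```python
"""Minimal DDoS policy evaluator (added illustration, not vendor code).

Shows that a layer-7 flood of 600 RPS sails past the vendor default
(cookie challenge only at 1,000 RPS), while a policy tuned to the site's
own 40 RPS peak challenges, rate-limits or blocks every attack request
and still lets all legitimate traffic through.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int          # whole-second timestamp (constructed sample data)
    ip: str          # client IP (documentation ranges, constructed)
    country: str     # ISO 3166 country code (constructed)
    path: str


@dataclass
class Policy:
    challenge_rps: int = 1000          # vendor default quoted in the post
    captcha_rps: int = 0               # site-wide RPS to escalate to CAPTCHA (0 = never)
    api_rps_per_ip: int = 0            # per-IP RPS allowed on API paths (0 = no rule)
    api_prefix: str = "/api/"          # assumption: API lives under this prefix
    geo_block: frozenset = frozenset() # countries the site never serves (assumption)


def baseline_peak_rps(sample):
    """Highest per-second request count seen in a legitimate traffic sample."""
    return max(Counter(r.ts for r in sample).values(), default=0)


def tuned_policy(legit_sample, headroom=3, api_rps_per_ip=5, geo_block=()):
    """Derive thresholds from the site's own peak instead of the vendor default.

    headroom (assumption): factor above the observed peak so that normal
    bursts never trigger a challenge; CAPTCHA kicks in at 4x that level.
    """
    peak = baseline_peak_rps(legit_sample)
    return Policy(challenge_rps=peak * headroom,
                  captcha_rps=peak * headroom * 4,
                  api_rps_per_ip=api_rps_per_ip,
                  geo_block=frozenset(geo_block))


def evaluate(requests, policy):
    """Count verdicts per request. Rules are checked in priority order:
    geo block, per-IP API rate limit, site-wide CAPTCHA, site-wide cookie
    challenge, else allow."""
    site_rps = Counter(r.ts for r in requests)
    api_rps = Counter((r.ts, r.ip) for r in requests
                      if r.path.startswith(policy.api_prefix))
    verdicts = Counter()
    for r in requests:
        if r.country in policy.geo_block:
            verdicts["blocked_geo"] += 1
        elif policy.api_rps_per_ip and api_rps[(r.ts, r.ip)] > policy.api_rps_per_ip:
            verdicts["rate_limited"] += 1
        elif policy.captcha_rps and site_rps[r.ts] >= policy.captcha_rps:
            verdicts["captcha"] += 1
        elif site_rps[r.ts] >= policy.challenge_rps:
            verdicts["cookie_challenge"] += 1
        else:
            verdicts["allow"] += 1
    return verdicts


def legit_traffic(seconds=30, rps=40):
    """Constructed baseline: a small site peaking at 40 RPS from many IPs,
    one in four requests hitting the API."""
    return [Request(t, f"198.51.100.{i}", "US", "/api/search" if i % 4 == 0 else "/")
            for t in range(seconds) for i in range(rps)]


def http_flood(seconds=5, rps=600, bots=10):
    """Constructed layer-7 flood: 600 RPS (below the 1,000 RPS default) from
    ten bots; two bots sit in a blocked country, four hammer the API."""
    reqs = []
    for t in range(seconds):
        for i in range(rps):
            bot = i % bots
            reqs.append(Request(t, f"203.0.113.{bot}",
                                "XX" if bot >= 8 else "US",
                                "/api/search" if bot < 4 else "/"))
    return reqs


def compare():
    """Run the same flood through the vendor default and a tuned policy."""
    legit, attack = legit_traffic(), http_flood()
    tuned = tuned_policy(legit, geo_block={"XX"})
    return {
        "default_on_attack": evaluate(attack, Policy()),
        "tuned_on_attack": evaluate(attack, tuned),
        "tuned_on_legit": evaluate(legit, tuned),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name}: {dict(counts)}")
```

With the vendor default every one of the 3,000 attack requests is allowed, because 600 RPS never reaches the 1,000 RPS trigger. The tuned policy (challenge at 120 RPS, CAPTCHA at 480 RPS, 5 RPS per IP on the API, country XX blocked) blocks, rate-limits or challenges all of them and allows all 1,200 baseline requests. The same exercise, with real traffic samples, is the starting point for the thresholds you should set in your Cloud WAF rather than accepting its defaults.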