Page 46 - cdm-2014
By Mark Byers, Director of Products at Fortinet
Many IT professionals think they are safe from DDoS attacks, either because of the protections built into their current firewall, switches and other network devices, or because they mistakenly believe their ISP can provide 100% mitigation. The following are a few common misconceptions and truths about DDoS attacks.
My ISP takes care of DDoS attacks for me. Many ISPs and hosting companies are happy to null-route an attacked IP address or domain to make a DDoS attack go away. This works for many bulk layer 3 and 4 events; however, smaller layer 7 attacks easily bypass their protections, and the ISP simply passes these application-level threats along to your network. Most successful attacks are under 1 Gbps, with 80% of all DDoS attacks under 50 Gbps. An ISP can assist in arresting a high-volume packet flood to your network, but data centers need additional layer 7 protections. Some also mistakenly believe their ISP will help them get to the root of the attack. Most ISPs are too busy, and they have strict, bureaucratic processes for reaching one another. Typical response times from ISPs are measured in days and weeks when it comes to helping determine the sources of DDoS attacks.
It only happens to the other guy. Most network and security operations engineers usually only hear about DDoS attacks happening to other organizations. They think they have no enemies and no other reason to be the target of an attack. In reality, their perceptions of risk factors and susceptibility are often misplaced: simply having a web presence makes them a target, even if only by mistake.
Server DDoS protections have me covered. Many engineers think that they can custom-compile kernel code, set some options in Apache, install “mod_dosevasive” and use “iptables”, and their DDoS problems are solved. In reality, most servers do not have the capacity to handle DDoS attacks. Under most average-sized DDoS attacks, the server CPUs will be too overloaded to give the Apache modules or Linux commands a chance to mitigate the event.
It’s against the law. Call the police! Yes, DDoS attacks are illegal, but most law enforcement agencies will only pursue large attacks (10 Gbps and up) on large companies or institutions such as banks, government agencies and major international corporations. Most likely they will politely tell you that you need to work with your ISP or a private investigator.
My routers and switches protect me from DDoS attacks. Even though your networking hardware may have access control lists (ACLs) that can block DDoS threats, attackers can adapt quickly. The average hacker can easily get around your ACLs within minutes with a little determination.
A dedicated DDoS appliance will just get flooded too. Many wonder whether there is any point in buying specialized DDoS appliances. Without DDoS mitigation equipment, your servers will be thoroughly exposed even to ordinary attacks. Newer devices on the market provide capacities of over 20 Gbps of throughput, and they can be overprovisioned to protect you from larger attacks.