It is unfortunate that a lot of baseless advice from so-called cyber security experts has been making the rounds on how to protect against DDoS attacks. The discussion below covers the six most common myths of DDoS attack protection and explains why each is futile.

Types of DDoS Attacks

Obviously, most of the organizations that have suffered DDoS attacks, including financial institutions, gaming sites, and large corporations, must have had firewalls and other security measures in place. Several myths need to be dispelled in order to adopt the right methods of protection against these dreaded attacks.

It is logical to first understand the major types of attacks that are categorized as DDoS attacks. Most attacks of the amplified kind are reflective attacks, including SNMP, Chargen, DNS, TCP, and SSDP/UPnP. Then there are the major attacks known as volumetric floods, such as HTTP floods. Resource exhaustion DDoS attacks involve slow requests and malformed traffic.


Set Traffic Thresholds to Avert DDoS Attacks

There is a widespread belief that setting thresholds or alerts for traffic spikes ensures that a DDoS attack is prevented. This is far from true. At most, such a traffic threshold facilitates monitoring of the situation and helps you contact the DDoS scrubbing service.

Even if you notice the spike and begin the mitigation process, the damage is bound to be done because there is a time lag of almost thirty minutes. Relying on such thresholds means your site or application will experience downtime, and your IT team will have to restore operations. In addition, attackers might use this period to inflict more severe damage and steal mission-critical data.

Leverage Content Delivery Networks for DDoS Protection

It is naïve to assume that Content Delivery Networks can differentiate between bad traffic and genuine traffic. Content Delivery Networks are not built to provide security. At best, these networks may help absorb attacks to some extent.

To understand the ability of your CDN to absorb or reduce the effect of DDoS attacks, you need to examine your service agreement. In short, a Content Delivery Service offers no protection against DDoS attacks.

DDoS Attacks Can be Mitigated by Cloud Services

Cloud-based security relies on the traditional approach to DDoS attack mitigation and is aimed at handling persistent, large, brute-force attacks, yet it is too slow to respond. These services are not effective at handling the initial effects of attacks to protect vulnerable services.

One must not underestimate the surgical precision of modern DDoS attacks, and cloud services fail miserably to offer protection against them. In the unlikely event that a cloud hosting service is able to secure your services from an attack, the fee can run into millions of dollars, depending on the duration and size of the attack.

Access Control is Possible by Relying on Blacklists and Whitelists

Depending on blacklists or whitelists for controlling network access is not only difficult but can also prove to be a costly mistake. These lists are highly static in nature and are created from past events. Hence they are obsolete as soon as you have applied them and can only offer mitigation of unwanted traffic or background noise.

Blacklists and whitelists are of no use for protecting your digital assets against specific attacks such as DDoS, because such attacks originate from sources that are not blacklisted.


DDoS Attacks are Aimed at Wiping Out the Entire Organization

It is interesting to note that as many as 93 percent of DDoS attacks are extremely low in threshold and last for a very short time. Such attacks are more commonly used for extortion or are designed to act as a smokescreen for carrying out more malicious activities. DDoS attacks continue to make headlines because of excessive publicity.

Most of the reporting is blown out of proportion; in reality, the vast majority of these attacks have the ability to inflict damage on an application, a server, or a website. These are aptly called surgical strikes because the damage caused by a common DDoS attack is restricted to a specific area and not the entire organization.

It is Possible to Use a Firewall for Protection Against DDoS Attack

Firewalls are not capable of providing protection against DDoS attacks. On the contrary, they serve as entry points and become the targets of DDoS attacks. Firewalls are stateful resources designed to track flows in order to perform their protective function.

This places significant demands on the limited memory and processing resources needed to track the relevant traffic information. Attackers can easily overwhelm these resources by way of special attack techniques. As a consequence, firewalls become victims of DDoS attacks and cause the network to go offline. In addition, DDoS attacks target ports 443, 80, 25, and 53, since these are the entry points of traffic for service delivery and hence always remain open.
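
The resource limit described above can be sized with a small capacity model. This is an added example, not part of the original article: the class and function names are hypothetical, the table size, hold time and traffic rates are constructed, and every entry is assumed to be tracked for the same fixed hold time.

```python
from collections import OrderedDict

class StateTable:
    """Simplified model of a stateful firewall's bounded flow-tracking table."""

    def __init__(self, capacity, hold_seconds):
        self.capacity = capacity          # maximum tracked flows (assumed value)
        self.hold_seconds = hold_seconds  # how long an entry stays tracked (assumed)
        self.flows = OrderedDict()        # flow id -> expiry time, oldest first

    def expire(self, now):
        # Same hold time for every entry, so insertion order is expiry order.
        while self.flows and next(iter(self.flows.values())) <= now:
            self.flows.popitem(last=False)

    def admit(self, flow_id, now):
        self.expire(now)
        if len(self.flows) >= self.capacity:
            return False                  # table full: the new flow is dropped
        self.flows[flow_id] = now + self.hold_seconds
        return True

def sustainable_rate(capacity, hold_seconds):
    """New flows per second the table can track indefinitely without filling."""
    return capacity / hold_seconds

def legit_admitted(capacity, hold_seconds, junk_per_sec, legit_per_sec, seconds):
    """Count legitimate new flows admitted while junk flows compete for slots."""
    table = StateTable(capacity, hold_seconds)
    admitted = 0
    for t in range(seconds):
        for i in range(junk_per_sec):     # junk arrives first: worst-case ordering
            table.admit(("junk", t, i), t)
        for i in range(legit_per_sec):
            admitted += table.admit(("legit", t, i), t)
    return admitted

if __name__ == "__main__":
    # Constructed numbers: 1000-entry table, 30 s hold, 10 legitimate flows/s for 60 s.
    print("sustainable new flows/s:", round(sustainable_rate(1000, 30), 1))
    print("legit admitted, no junk:", legit_admitted(1000, 30, 0, 10, 60), "of 600")
    print("legit admitted, 100 junk/s:", legit_admitted(1000, 30, 100, 10, 60), "of 600")
```

Comparing the measured new-flow rate at the perimeter with capacity divided by hold time shows how much headroom a stateful device has before it starts dropping legitimate connections.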


We must act as responsible professionals and make sure that such unjustified myths regarding DDoS protection are not allowed to proliferate any further. There are many reliable, modern methods of DDoS protection that need to be promoted.