Incident Response, TDR, Threat Management

Thought you knew about DDoS? Think again

Twitch.tv is just the latest distributed denial-of-service (DDoS) victim in a seemingly never-ending stream of attacks. Shortly after Amazon announced that it had acquired the streaming gaming service, Twitch.tv experienced a coordinated DDoS attack that completely shut it down. For those who make their livelihood through the service, this attack was more than a nuisance. Failing to understand how DDoS attacks work and how dangerous they can be leaves your network open to risk. Below is a compilation of myths that you need to overcome if you hope to protect your assets.

Myth #1: Only hackers initiate DDoS attacks.

With the new outsourcing model, anyone can make an attack happen. Some hackers specialize in discovering vulnerabilities, some develop tools, some are responsible for system intrusion and some are adept at processing account information. For DDoS attacks, some hackers create and maintain so-called “attack networks.” After assembling their attack capability, they rent out their resources to a customer. It is not necessary for this hacking customer to have any specialized knowledge: engage a hacker, enter the address of the attack target and launch a full attack. DDoS attacks can be carried out by cybergangs, a business competitor or a disgruntled employee. With hackers for hire, there are potential attackers everywhere.

Myth #2: DDoS mitigation methods are interchangeable.

Many kinds of attacks fall under the term DDoS, and each kind may need its own

mitigation method. Normally, cloud-based cleaning services mainly use traffic dilution and diversion and are specifically designed for traffic-type DDoS attacks. Local mitigation devices can only handle a relatively small volume of traffic, and it is easier for them to use multiple cleaning techniques in combination. They are suited to defend against system and application resource consumption DDoS attacks. Users should select suitable mitigation solutions based on their own business characteristics and the particular dangers they face.

Myth #3: IDS/IPS and firewalls work fine against DDoS attacks.

The design principles of firewalls don't take DDoS attack mitigation into account. With traditional firewalls, defense is carried out through intense inspection and vigilance to detect attacks. The greater the intensity of the inspection, the higher the computing costs. Massive levels of DDoS attack traffic will significantly reduce a firewall's performance and make it unable to effectively complete packet forwarding tasks. At the same time, traditional firewalls are generally deployed at network inlet locations. Firewalls themselves also commonly become DDoS attack targets.

Though they have the broadest range of applications, intrusion detection and defense systems, when faced with a DDoS attack, generally cannot satisfy user needs. Intrusion detection and defense systems generally perform rule-based application layer attack detection. These devices were initially designed to detect application layer attacks based on certain attack characteristics. However, the majority of current DDoS attacks use attack traffic consisting of legal packets. Thus, the intrusion detection and defense systems cannot effectively detect DDoS attack traffic based on its characteristics. At the same time, intrusion detection and defense systems experience the same performance issues as firewalls.

Myth 4: Adjusting system parameters and increasing bandwidth can mitigate DDoS attacks.

IT administrators will sometimes try to optimize a system under attack by adjusting its core parameters. For example, increasing the number of Transmission Control Protocol (TCP) connection tables and reducing the timeout for establishing TCP connections is one adjustment. System optimization can mitigate small-scale DDoS attacks to a certain extent. However, when hackers increase DDoS attack scale and traffic volume exponentially, the effect of system optimization is negligible.

Another strategy is to increase bandwidth, which includes purchasing redundant hardware and adding servers with better performance. So long as the resources consumed by a DDoS attack do not exceed the load-bearing capabilities of the current bandwidth, computing and other resources, the attack will be ineffective. However, once the resources consumed by the attack exceed the system's capabilities, further retreat is needed to make the attack ineffective. In theory, increasing bandwidth should completely resolve the problems posed by DDoS attacks. However, the investment required to continually increase bandwidth, server quantity and other infrastructure enhancements to mitigate DDoS attacks cannot increase without limit. Therefore, retreat strategies like this are not effective DDoS attack mitigation methods.


When a DDoS attack hits, it creates not only a business disruption but sometimes a financial one, too – as Twitch.tv recently found out. DDoS attacks are not all the same and must be handled according to their particular scope and speed. Standard methods like increasing bandwidth and system optimization are often not sufficient to mitigate an attack or are just not economically feasible. These realities apply to organizations both large and small – anyone can become a target. It is critical, therefore, to overcome the myths about DDoS attacks in order to protect your organization.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds