5 Myths About DDoS in 2020

The nature of DDoS attacks is shifting, and while some organizations might believe that DDoS is a thing of the past, this is not the case. Here are the top 5 DDoS myths for 2020.

Myth 1: DDoS is No Longer a Problem

According to Radware’s 2019-2020 Global Application & Network Security Report, about one-third of respondents experienced a distributed denial of service (DDoS) attack. Attackers are moving away from simple volumetric floods and focusing on more sophisticated, harder-to-mitigate application-layer (L7) DDoS attacks. According to Radware’s research, 90% of attacks were under 10 Gbps, and the average packet-per-second (PPS) rate declined, but nearly all respondents (91%) who reported a DDoS attack indicated that the preferred attack vector was the application layer.

Furthermore, volumetric pipe saturation attacks declined by about 9%, but there was an increase in attacks targeting specific network components such as application servers, firewalls and SQL servers.

This means that while the nature of DDoS attacks is changing, DDoS attacks are still very much a concern for organizations, and a high priority to protect against.

Myth 2: DDoS Ransom Notes Are a Thing of the Past

Likewise, the past few months have seen a resurgence in DDoS ransom attacks. According to Radware’s 2019-2020 Global Application Security Report, ransom attacks increased 16% year-over-year, and 70% of North American companies ranked ransom as the primary motivation for cyberattacks.

The past few months have seen two significant DDoS ransom campaigns: first against banks in South Africa in October 2019, and more recently a targeted campaign against Australian banks and financial institutions. In both cases, ransom notes preceded large-scale, sophisticated and sustained campaigns to knock down financial services.

This means that while we may not hear as much about DDoS ransom attacks as in the past, attackers have not given up on this attack vector, and organizations must stay vigilant and watchful for this type of attack.

Myth 3: Your ISP Can Protect You

Battling sharply decreasing connectivity costs, more and more internet service providers (ISPs), carriers and mobile operators are offering DDoS protection services as a way to provide value-added services and increase customer retention.

For many customers, getting low-cost security services bundled with their internet service can be a compelling proposition; after all, who can beat the price of free?

The problem, however, is that for the most part, security is a side business for your ISP. This means that they lack the technology and security expertise to provide truly effective protection. Moreover, since it is frequently a loss-leader product to support their other services, ISPs are frequently incentivized to invest as little as possible in defenses.

As a result, they frequently provide only the simplest, most basic protections which cost them the least. Consequently, such customers do not receive protection against the latest, most sophisticated types of attack such as burst attacks, dynamic IP attacks, application-layer DDoS attacks, SSL DDoS floods, and more.

Customers relying on their ISP for protection might enjoy the short-term savings in the cost of service, but may very well discover that this type of low-cost protection will end up being far more expensive down the road.

Myth 4: Your Public Cloud Provider Can Protect You

As organizations increasingly adopt public cloud infrastructure, many customers are opting for the built-in, free DDoS protections offered by their public cloud hosting providers. Many security managers are happy to see DDoS as a network problem, and have it handled by their cloud provider. For example, according to Radware’s 2019-2020 Global Application & Network Security Report, 31% of organizations rely primarily on the native security tools of the public cloud vendors, and a similar number combine native tools with third-party solutions.

The problem, however, is that security tools offered by public cloud vendors are frequently rudimentary, ‘good-enough’ tools that will provide basic protection, but not much more.

This is particularly true for DDoS protection, where, like ISPs, public cloud vendors frequently opt for the most basic, cost-effective (for them) protections. To illustrate, one large public cloud provider has no qualms about declaring that their free tier provides protection only against the ‘most common, frequently occurring network and transport layer DDoS attacks’.

Moreover, such tools will usually protect only those assets which are hosted on that provider’s public cloud environment, but not assets hosted elsewhere, on other cloud environments or in physical data centers. As a result, organizations running multi-cloud environments and relying on their cloud providers for DDoS protection will end up with siloed security mechanisms, inconsistent security policies, and segregated reporting.

Myth 5: All DDoS Protections Are the Same

As more and more services migrate online, security is increasingly focused on application security and data protection, and less on network-layer security. This has led some organizations to believe that DDoS protection is a network-layer issue, a thing of the past, and consequently, that DDoS protections are all the same.

As we explained above, the nature of DDoS attacks is shifting, and protections that used to be adequate not long ago are no longer effective. DDoS attackers are concentrating more and more on the application layer, leveraging sophisticated bots to launch attacks, and using sophisticated attack vectors such as burst attacks, SSL floods, and carpet-bombing attacks.

DDoS protection services vary wildly by technology, network, and service. This is why it’s important to choose a DDoS protection service that offers behavioral protections which go beyond simple signatures and rate limits, has the capacity to deal with even the largest attacks, and backs its marketing claims with quantifiable and measurable SLA metrics.
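
To make the gap between rate limits and behavioral protection concrete, the added example below (not Radware's implementation, and not code from the original article) runs a fixed requests-per-minute limit and a simple baseline-deviation detector over the same constructed per-second traffic trace containing short bursts. The traffic values, the 3000-requests-per-60-seconds limit and the detector parameters are all assumptions chosen for illustration.

```python
from collections import deque

def build_trace(seconds=150, burst_starts=(60, 90, 120), burst_len=5):
    """Constructed per-second request counts for one endpoint:
    about 20 req/s normally, 150 req/s during each short burst."""
    trace = []
    for t in range(seconds):
        in_burst = any(s <= t < s + burst_len for s in burst_starts)
        trace.append(150 if in_burst else 18 + (t % 5))
    return trace

def static_rate_limit(trace, window=60, limit=3000):
    """Seconds at which a fixed requests-per-window limit is exceeded."""
    hits, win, total = [], deque(), 0
    for t, n in enumerate(trace):
        win.append(n)
        total += n
        if len(win) > window:
            total -= win.popleft()
        if total > limit:
            hits.append(t)
    return hits

def behavioral_detector(trace, alpha=0.1, k=4.0, warmup=30, min_std=2.0):
    """Seconds whose count deviates sharply from a learned EWMA baseline."""
    mean, var, hits = float(trace[0]), 0.0, []
    for t, n in enumerate(trace[1:], start=1):
        std = max(var ** 0.5, min_std)  # floor avoids a zero-width band
        if t >= warmup and n > mean + k * std:
            hits.append(t)
            continue  # keep flagged traffic out of the baseline
        diff = n - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return hits

if __name__ == "__main__":
    trace = build_trace()
    print("static limit tripped at:", static_rate_limit(trace))
    print("baseline deviation at:  ", behavioral_detector(trace))
```

Each five-second burst is 7.5 times the normal rate, yet the 60-second window averages it away and the static limit never trips; the baseline detector flags every burst second.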

Read Radware’s “2019-2020 Global Application & Network Security Report” to learn more.

Eyal Arazi

Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Workload Protection Service. Eyal has an extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Marketing roles at a number of companies in the enterprise computing and security space, both on the small-scale startup side and on the large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and an MBA from the UCLA Anderson School of Management.