Myth 1: DDoS attacks are merely a nuisance with no lasting damage
This is a dangerous assumption to make. Just ask Code Spaces; actually, you can't, because a DDoS attack put it out of business. Yes, this is an extreme case, but you only have to look back a few weeks to see headlines about major companies like Feedly and Evernote, which rely heavily on their web presence, being taken down by DDoS attacks. Not only were their customers' experiences disrupted, but in some cases the hackers attacking the sites demanded a ransom to cease the attacks.
A further consequence of being taken down by a DDoS attack is a loss of SEO ranking, something which is like gold dust to some highly web-dependent businesses. So we have loss of customer confidence, loss of revenue and extortion; throw loss of SEO ranking into the pot and it's not looking like a mere nuisance now, is it?
Myth 2: Volumetric attacks are the biggest threat
Despite the media hype surrounding large Gb/sec DDoS attacks, the largest of which has reached up to 400Gb/sec, these are not the most common type of attack that we see, and they are not the biggest threat to websites. These are what we like to call “big & dumb” style attacks. They’re easy to spot and relatively easy to defend against (providing you have the right technology in place). These days, attackers prefer to be less obvious about how they DDoS a website. They will do reconnaissance, figure out where the weak point in a website is and exploit that weakness.
For example, a gaming website might be able to handle thousands of people playing the game at the same time, but the moment just 25 try to register or log in at the same time, it can crash the site. Hackers will identify this and use it against the company to keep defenders on their toes. In addition, attack methods such as Slowloris and headless-browser-based attacks mean that hackers can sometimes get in unnoticed, especially if the IT team doesn’t know what they are looking for.
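The point above, that a small burst against an expensive endpoint hides inside normal traffic volume, as an added example that is not part of the original article. The log lines are constructed, the /play and /login paths are hypothetical, and the thresholds are assumptions; a site-wide requests-per-second alarm stays silent while a per-endpoint baseline flags the login burst.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Pulls the timestamp (1-second resolution) and request path from a log line.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def build_sample_log():
    """Constructed access-log lines: steady /play traffic, a few logins per
    second, and one low-volume burst of 25 extra logins in second 07."""
    lines = []
    for sec in range(10):
        ts = f"01/Jan/2024:12:00:{sec:02d} +0000"
        n_login = 3 + (25 if sec == 7 else 0)
        lines += [f'198.51.100.1 - - [{ts}] "GET /play HTTP/1.1" 200 512'] * 2000
        lines += [f'198.51.100.2 - - [{ts}] "POST /login HTTP/1.1" 200 128'] * n_login
    return lines

def bucket(lines):
    """Count requests per (second, path); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m["ts"], m["path"])] += 1
    return counts

def aggregate_alerts(counts, limit=5000):
    """Site-wide requests/sec alarm (assumed limit): the coarse, volumetric view."""
    per_sec = Counter()
    for (ts, _), n in counts.items():
        per_sec[ts] += n
    return sorted(ts for ts, n in per_sec.items() if n > limit)

def endpoint_alerts(counts, factor=4, floor=10):
    """Flag seconds where one path exceeds factor x its own median rate,
    the median being taken over the seconds in which that path was seen."""
    by_path = defaultdict(dict)
    for (ts, path), n in counts.items():
        by_path[path][ts] = n
    alerts = []
    for path, series in by_path.items():
        base = median(series.values())
        alerts += [(ts, path, n) for ts, n in series.items()
                   if n > max(floor, factor * base)]
    return sorted(alerts)
```

In the sample, the burst second carries 2,028 requests against a 5,000 aggregate limit, yet /login runs at more than nine times its own median.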
Myth 3: My hosting provider will take care of DDoS attacks, so I don’t have to worry
This may be true, or it may not. Assuming that your hosting provider or any other third-party service will automatically defend your website against DDoS attacks is not recommended. After all, you most likely wouldn’t rely on a neighbor to let you know that you’ve been burgled. Making this kind of assumption is foolhardy, considering that an ISP's operations and monitoring will no doubt be focused on data center metrics like cooling, power status, aggregate bandwidth and customer ticket queues, which are hardly granular enough to see an attack against their customers in real time. Add to this the growing sophistication of DDoS attacks, which makes it difficult to distinguish an attack from regular traffic patterns, and it’s not difficult to see why ISPs are ill-equipped to deal with the problem. The best advice is to first speak to your provider and find out what is covered and whether they can recommend or work with a good DDoS mitigation specialist.