The Story of the 16-Year-Old in His Basement
In the network security field, DDoS attacks have always been around. There is a myth going around, that the person behind the first ever DDoS attack, was in the 70s with a teenager playing around on a computer. He apparently managed to shut down a server after sending towards it a bulk of problematic requests. We might never know the truth behind this story but what we do know, is DDoS attacks no longer look like that. And as for the attackers, they are much closer to well-seasoned political hacktivists than bored teenagers in the 70s.
The World Has Changed
Evidently, we can say that when it comes to DDoS attacks, everything that we used to know has changed. The motives, the tools, the scale and even the profile of the attackers. The misconception that a DDoS attack is one of the simplest modes of attack on the network layer, is fading. Today hackers understand that simple vector DDoS attacks are no longer having impacts on the organizations they are trying to bring down. Attack tools have to be innovative, more complex and extremely sophisticated.
On that quest to find the latest brand of DDoS attacks with the most malicious impact on an organization, came the surge of Web DDoS attacks. Some say that after hackers exploited the network layer, they decided to move on to DDoS threats on the application layer. Others will say that inventing this new bread of attacks puts certain players on the map and attracts the fame they are constantly searching for. But one thing is clear: the web DDoS attacks have brought the attackers to a gray area filled with vulnerabilities.

The Gray Area
All of us are familiar with the OSI model. We understand that each layer has its specific threats. This understanding led cybersecurity models to secure separately each layer with a different strategy and protection. That worked very well for a long time. And then came the web DDoS attacks.
DDoS attacks are traditionally targeting the network layer with massive traffic and therefore a protection is deployed in the same layer to protect from the scale. Web attacks are targeting the application layer with small-scale attacks and protection such as WAF are deployed in the same layer. So, what happens when a large-scale attack with millions of RPS targets the application layer? The WAF cannot handle the scale that a DDoS solution is usually equipped to work with, and the DDoS solution protecting the network layer is completely futile since it is not in the right place. This is the gray area. Attackers have achieved an important task which is finding a vulnerability where appropriate protections are simply absent.
The Price of Panic
Like with any emerging surge of attacks that is threatening the availability of services to many organizations globally, it wreaked havoc. And where there's panic there is bad decision making. Cyber security firms tried to tackle this new threat and provide protection. But with these types of attack not being well known, and the scale that could reach several million RPS, the protections that were available came at a very high cost. The price to pay for immediate protection was legitimate users’ experience. The solutions could not identify the malicious requests from the legitimate ones since they were so similar and ended up blocking sometimes over half of the legitimate users during an attack. While it might be acceptable to block legitimate users under attack simply based on hoping for their understanding, most organizations will not settle for that. Especially when those attacks can hit on a weekly or daily basis.
The X Factor
The web DDoS attacks require security experts to rethink the way they protect their assets. The roles of WAFs and DDoS solutions are now intertwined more than ever and need to be working together facing this threat. Most importantly, in light of the similarity between malicious and legitimate web transactions, a solution differentiating between the two whiles being able to withstand the scale, is essential to preserve users and their experience. A solution able to do that will make the entire difference, the next time you are under a Web DDoS attack.