According to a study by ANSSI, DDoS attacks were carried out with high intensity against French entities—public and private—throughout 2024. They come in a variety of forms and are surrounded by numerous misconceptions. Yet, these clichés are sometimes more dangerous than the attacks themselves.
Indeed, these preconceived notions can leave companies vulnerable to other types of cyberattacks, misdirect mitigation strategies, or prevent teams from detecting an offensive operation.
Myth 1: DDoS attacks are rare, target only large enterprises, and are carried out by sophisticated, malicious actors
DDoS attacks are increasingly common and target businesses of all kinds, regardless of their size. According to the CESIN barometer, DDoS attacks are one of the main attack vectors experienced by 41% of companies in France. Such activity demonstrates that this threat is real and that all organizations must implement appropriate measures.
While nation-states run their own sophisticated DDoS campaigns, many attacks are carried out by inexpensive or even free on-demand DDoS service providers (DDoS-for-hire) that rely on global botnets or networks of infected devices. In many cases, the sponsors of on-demand DDoS attacks are not high-level hackers; they act in response to geopolitical events and target companies, individuals, or infrastructures that oppose their interests.
ANSSI notes that "More recently, sabotage attempts on small industrial facilities have been observed," which proves, contrary to popular belief, that attacks are no longer limited to large corporations but are turning toward diversified targets: they aim at critical infrastructures or key services such as electricity networks to have a deep impact on the general public.
Small businesses are far from spared: the 2024 Hiscox report on cyber risk management in France notes, "attacks affect more SMEs (20–249 employees) and micro-enterprises (0–19 employees) than before. Indeed, while large companies refine their protection, the threat is increasingly shifting toward their smaller partners."
Facing today’s cyberattacks, a company’s size is no longer a shield. It is therefore essential to understand the objective of these attacks to fight them effectively.
Myth 2: The sole aim of DDoS attacks is to flood networks that carry large volumes of data
Originally, DDoS attacks were volumetric: they typically manifested as massive traffic bursts before evolving to become more targeted and complex. The media continue to report the most violent and impressive attacks that reach several terabits per second, reinforcing this stereotype.
While these large-scale assaults remain dangerous, most smaller-scale offensives (below 1 Gbit/s) are just as dangerous and target application-layer protocols such as DNS and HTTP.
The severity of a cyberattack does not depend on how much data is involved: these new application-layer attacks are more covert and go unnoticed when protection solutions focus on large volumetric attacks and ignore the smaller ones delivered to the client.
State-exhaustion attacks on the Transmission Control Protocol (TCP) are also among the most common smaller-scale threats. They aim to overwhelm the processing resources of a network device. They specifically target stateful on-premises devices such as firewalls, load balancers, or VPN gateways, and fill their state tables with fake connections, preventing legitimate users from accessing certain areas of the network.
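The state-exhaustion pattern described above can be spotted from the connection table itself rather than from bandwidth. The following Python sketch is an added example, not part of the original article; the table capacity, alarm thresholds, SYN packet size and sample rows are all constructed assumptions.

```python
from collections import Counter

# Assumed capacity of a stateful device's connection table (hypothetical value).
TABLE_CAPACITY = 1000

def build_sample():
    """Constructed table snapshot: (source IP, TCP state), documentation IP ranges."""
    rows = [("198.51.100.%d" % (i % 50 + 1), "ESTABLISHED") for i in range(150)]
    # 800 half-open entries spread over 200 sources; none completes the handshake.
    rows += [("203.0.113.%d" % (i % 200 + 1), "SYN_RECV") for i in range(800)]
    return rows

def assess_state_table(rows, capacity, util_alarm=0.8, half_open_alarm=0.5):
    """Alarm when the table is nearly full AND mostly made of half-open entries."""
    states = Counter(state for _, state in rows)
    total = len(rows)
    utilization = total / capacity
    half_open_ratio = states["SYN_RECV"] / total if total else 0.0
    per_source = Counter(src for src, state in rows if state == "SYN_RECV")
    return {
        "utilization": utilization,
        "half_open_ratio": half_open_ratio,
        "top_sources": per_source.most_common(3),
        "alarm": utilization >= util_alarm and half_open_ratio >= half_open_alarm,
    }

def estimated_bandwidth_bps(new_half_open_per_sec, syn_bytes=60):
    """Rough bandwidth of the SYN stream; 60 bytes per SYN is an assumption."""
    return new_half_open_per_sec * syn_bytes * 8

if __name__ == "__main__":
    report = assess_state_table(build_sample(), TABLE_CAPACITY)
    print(report)
    # 800 new half-open entries per second is far below any volumetric threshold.
    print(estimated_bandwidth_bps(800) / 1e6, "Mbit/s")
```

In this constructed snapshot the table is 95% full while the traffic that filled it amounts to well under 1 Mbit/s, which is why a bandwidth-only alarm stays silent.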
These new attacks are becoming more numerous and render traditional defensive solutions obsolete.
Myth 3: Next-generation firewalls can block DDoS attacks
Next-generation firewalls are powerful tools that can significantly improve the overall security of organizations.
However, their stateful design makes them vulnerable to several DDoS attack types, such as state-exhaustion: ANSSI has observed "an intensification in the exploitation of vulnerabilities affecting devices exposed to the Internet, including security devices deployed by many entities to secure remote access to their infrastructure (for example firewalls or VPN gateways)" and explains that these devices become critical vulnerability points because attackers exploit their flaws.
Myth 4: Cloud-based DDoS protection is sufficient
When a DDoS attack overwhelms an organization’s bandwidth, the only way to neutralize it is to rely on cloud-based protection. Yet, smaller-scale attacks can slip through, underscoring the need for additional measures.
To circumvent lines of defense, modern DDoS attacks use multiple vectors: they can combine a volumetric or state-exhaustion attack with an application-layer attack to target several areas of the network, making detection and mitigation more challenging.
Adopting a multi-layer defense strategy helps organizations protect themselves more effectively against agile, multi-vector DDoS attacks, maximizing uptime and availability. To date, according to the CESIN barometer, adopting a trusted cloud remains a concern for 52% of French companies.
Myth 5: DDoS protection does not require AI or machine learning
Many leaders believe there is no need to rely on artificial intelligence (AI) or machine learning (ML) to shield their business from DDoS. Yet attackers use AI/ML to scale attack volumes, increase sophistication, and evade detection. This means defensive measures must operate similarly: leveraging AI/ML-based traffic anomaly detection to identify abnormal traffic patterns that reveal DDoS threats.
AI/ML can take the form of structured intelligence feeds that automatically block known active DDoS threats in real time. With continuously updated intelligence, the latest threats are no match for AI- and ML-powered protections. AI/ML can also automate real-time tuning of countermeasures to block multi-vector attacks.
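To illustrate why baseline-driven anomaly detection catches what a volumetric threshold misses, here is an added Python example that is not part of the original article. It uses a simple median/MAD statistical baseline as a stand-in for the AI/ML detection the text refers to; the samples, warm-up length and alarm score are constructed assumptions, and only the 1 Gbit/s figure comes from the text.

```python
from statistics import median

VOLUMETRIC_THRESHOLD_BPS = 1_000_000_000  # the 1 Gbit/s figure from the text

# Constructed per-minute samples: (bits per second, DNS queries per second).
SAMPLES = [
    (120e6, 900), (125e6, 950), (118e6, 920), (130e6, 1000),
    (122e6, 940), (127e6, 980), (119e6, 910), (124e6, 960),
    (210e6, 9500),  # constructed application-layer flood, small in bandwidth
]

def volumetric_alarm(bps):
    """Classic bandwidth-only check."""
    return bps >= VOLUMETRIC_THRESHOLD_BPS

def robust_z(value, history):
    """Deviation from the learned baseline, using median and MAD (outlier-resistant)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def detect(samples, warmup=8, z_alarm=6.0):
    """Return (minute, volumetric_alarm_fired, score) for each anomalous minute."""
    findings, history = [], []
    for minute, (bps, qps) in enumerate(samples):
        if len(history) >= warmup:
            z = robust_z(qps, history)
            if z >= z_alarm:
                findings.append((minute, volumetric_alarm(bps), round(z, 1)))
                continue  # keep anomalous minutes out of the baseline
        history.append(qps)
    return findings

if __name__ == "__main__":
    for minute, vol, score in detect(SAMPLES):
        print(f"minute {minute}: query-rate anomaly score {score}, "
              f"volumetric alarm fired: {vol}")
```

The flagged minute carries only 210 Mbit/s, so the bandwidth check never fires, while the query rate sits far outside the learned baseline.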
In short, the myths discussed above lead organizations to underestimate the danger of DDoS attacks.
As ANSSI recommends, it is essential for infrastructures to debunk these clichés and adopt a defense-in-depth strategy to ensure resilience in the face of cyber threats. Companies will also benefit from debunking these myths to better protect their infrastructures.