Description & protection of DDoS attacks

When the DDoS attacks strike


Distributed Denial of Service (DDoS) cyberattacks can take down entire websites and IT systems. Read on to find out about the impact of such massive streams of data and how companies can protect themselves against these attacks.


Text: Felix Raymann/Andreas Heer, Image: Swisscom, 14 November 2018, updated on 11.06.2024




The geopolitical situation encourages cyberattacks. Specifically in Switzerland, these are primarily attempts to disrupt the availability of IT infrastructure and to take down websites in direct response to political activities. The weapon of choice: Distributed Denial of Service (DDoS) attacks designed to overwhelm servers with a large number of access requests.


This became apparent in June 2023, when DDoS assaults rendered various government and city websites partially or completely inaccessible for two weeks. During this time, the National Cyber Security Centre (NCSC) received 85 reports of related attacks, of which around a third were blocked.


Politically motivated DDoS attacks

Politics, rather than financial crime, was the primary motivating factor in these. The Noname057(16) hacktivist group behind the DDoS assault on Swiss websites put its attacks on the public sector in the context of the war of aggression against Ukraine. As part of its DDoSia project, NoName is presumed to be paying volunteers to make their computers available for attacks. According to French cybersecurity provider Sekoia, the project involves around 10,000 people.


In other words, Switzerland and Swiss companies are also affected by DDoS attacks. The examples simply demonstrate the wide range of potential motives and the ever-present risk. The current Swisscom Cybersecurity Threat Radar also identifies DDoS attacks as threats that companies should take into account in their cybersecurity measures.


Blackmail with DDoS threat

The majority of attacks are likely to have purely financial motives. In most such cases, DDoS attacks are used to put additional pressure on victims of a ransomware attack to pay a ransom. After all, such infrastructure failures can result in significant damage for the company. If web services are unavailable for a certain period, the company risks a significant loss of revenue. This can lead to notable losses for online shops, banks or any other service provider that depends on its web presence. What’s more, a company risks damage to its reputation if a website is stigmatised as ‘insecure’. There are also costs associated with restoring the status quo. In the aftermath of the attacks, in turn, there is a risk of data loss for affected companies.


Increasingly sophisticated attacks

DDoS attacks all follow a similar pattern: a company’s Internet servers are flooded with so many requests that they can no longer process the high volume of data or high number of IP packets, and collapse under the load. To be able to execute such a high number of requests in the first place, the attackers need the appropriate infrastructure or to hire a botnet of infected devices. These may be poorly protected PCs, but can also be networked everyday devices, such as surveillance cameras, routers, household appliances or similar Internet-connected devices.


The increasing sophistication of the attacks is making defence more difficult. Initially, attacks were mostly aimed at the lower network layers (OSI layers 3 and 4), for instance by means of ICMP (ping) or SYN flooding. Such attempts can be recognised and blocked relatively easily by protection systems such as firewalls or IDS/IPS, provided the attack volume stays below the capacity of the Internet link and of the filtering device itself.


Some attackers, however, combine different attack vectors, among them UDP reflection attacks. Here, the cybercriminals exploit the fact that services such as DNS (Domain Name System) answer small request packets with much larger responses. In DNS amplification, the attacker sends numerous small queries to open DNS resolvers with the source address forged to that of the victim (IP spoofing); the resolvers then deliver their much larger answers to the victim, which is flooded with a multiple of the traffic the attacker itself had to generate. Combined with other forms of attack, such as HTTP(S) flooding on the application layer (layer 7), these DDoS attacks are very efficient and difficult to block on the victim's own systems.
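To make these two patterns concrete, the following added example (not code from the article or from Swisscom's DDoS Protection Service) looks for their signatures in constructed NetFlow-style records: a SYN flood shows up as many single-packet, SYN-only flows from distinct sources with no completed handshake, and DNS reflection as large UDP answers from port 53 that the victim never asked for. The record layout, the addresses and the thresholds are assumptions; an application-layer HTTP(S) flood is not visible in flow records and has to be found in request logs instead.

```python
"""Recognise SYN-flood and DNS-reflection signatures in flow records.

Added example; not code from the article or from Swisscom's DDoS
Protection Service. The flow records are constructed (NetFlow-style
5-tuple plus packet/byte counts and TCP flags); field layout,
addresses and thresholds are assumptions for illustration.
"""
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    packets: int
    bytes: int
    flags: str     # TCP flags seen over the flow, e.g. "S" or "SAPF"; "" for UDP


VICTIM = "198.51.100.10"     # constructed target (RFC 5737 TEST-NET-2)
RESOLVER = "203.0.113.53"    # constructed resolver the victim legitimately uses


def constructed_flows():
    flows = []
    # Ordinary HTTPS sessions: handshake completed, data in both directions
    for i in range(3):
        flows.append(Flow(f"203.0.113.{10 + i}", 50000 + i, VICTIM, 443, "tcp", 40, 25000, "SAPF"))
    # A legitimate DNS lookup by the victim and the matching answer
    flows.append(Flow(VICTIM, 40001, RESOLVER, 53, "udp", 10, 700, ""))
    flows.append(Flow(RESOLVER, 53, VICTIM, 40001, "udp", 10, 1500, ""))
    # SYN flood: one 60-byte SYN from each of many (spoofed) sources, no handshake completes
    for i in range(1, 200):
        flows.append(Flow(f"192.0.2.{i}", 40000 + i, VICTIM, 443, "tcp", 1, 60, "S"))
    # DNS reflection: open resolvers the victim never queried send large answers to it
    for i in range(1, 6):
        flows.append(Flow(f"198.18.{i}.1", 53, VICTIM, 33000 + i, "udp", 50, 160000, ""))
    return flows


def syn_flood_indicators(flows, victim, min_sources=100, min_ratio=0.8):
    """Many SYN-only flows from distinct sources, dominating the TCP flows to the victim."""
    tcp_in = [f for f in flows if f.dst == victim and f.proto == "tcp"]
    syn_only = [f for f in tcp_in if f.flags == "S"]
    sources = {f.src for f in syn_only}
    ratio = len(syn_only) / len(tcp_in) if tcp_in else 0.0
    return {
        "syn_only_flows": len(syn_only),
        "distinct_sources": len(sources),
        "syn_only_ratio": ratio,
        "alert": len(sources) >= min_sources and ratio >= min_ratio,
    }


def dns_reflection_indicators(flows, victim, query_bytes=64, min_factor=10.0):
    """Unsolicited answers from port 53: responses from resolvers the victim never asked."""
    asked = {f.dst for f in flows if f.src == victim and f.proto == "udp" and f.dport == 53}
    answers = [f for f in flows if f.dst == victim and f.proto == "udp" and f.sport == 53]
    unsolicited = [f for f in answers if f.src not in asked]
    reflected_bytes = sum(f.bytes for f in unsolicited)
    reflected_pkts = sum(f.packets for f in unsolicited)
    avg_answer = reflected_bytes / reflected_pkts if reflected_pkts else 0.0
    # Amplification = bytes hitting the victim per byte the attacker had to send,
    # assuming each spoofed query is query_bytes long (an assumed typical size)
    factor = avg_answer / query_bytes
    return {
        "unsolicited_responses": len(unsolicited),
        "reflected_bytes": reflected_bytes,
        "amplification_factor": factor,
        "alert": bool(unsolicited) and factor >= min_factor,
    }


if __name__ == "__main__":
    flows = constructed_flows()
    print(syn_flood_indicators(flows, VICTIM))
    print(dns_reflection_indicators(flows, VICTIM))
```

The amplification factor is the average reflected answer size divided by the assumed size of the spoofed query; it is the number that makes reflection attractive to the attacker, since every byte sent costs the victim that many bytes. Note that blocking the SYN-flood sources by address is pointless, as they are spoofed; the useful output is the alert and the magnitude, which decides whether the attack can still be handled on premises or has to be filtered upstream.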


Effective protection against DDoS attacks

DDoS attacks take place every day, and every target is reached over the Internet: any provider of web and Internet services with a publicly reachable IP address can become a target. Preventive measures (see list below) are therefore essential, but not sufficient on their own; companies can only protect themselves against DDoS attacks to a limited extent. For example, a DoS filter enabled on the corporate firewall can analyse and filter incoming traffic. However, if the attack is distributed and its volume exceeds the bandwidth of the Internet connection, the filter no longer helps, because the link is saturated before the traffic ever reaches it. The same applies when the packet rate (packets per second) exceeds what the firewall can process, regardless of the bandwidth consumed.

Effective DDoS protection therefore starts with the Internet backbone of the service provider. Here, a distributed attack is repelled with a ‘distributed defence mechanism’. With Swisscom’s DDoS Protection Service, for example, sensors on various routers in the Internet backbone deliver important information about current Internet traffic at all times. This allows the protection systems to respond in real time and activate appropriate filters. Attacks can thus be fended off while ensuring that only legitimate traffic is routed to the customer infrastructure.


Prevention and protective measures against DDoS


From a business perspective, operating a web service without effective DDoS protection measures and crossing your fingers that you will not be considered an interesting target for cybercriminals in any case should be considered wilfully negligent behaviour. Therefore, precautions should be taken to prevent damage in the event of possible attacks:


Prevention in the Internet backbone

The Swisscom DDoS Protection Service helps you effectively prepare for DDoS attacks. All relevant services should be covered by the same DDoS Protection Service, even if they run on different servers, so that an attack cannot simply be shifted to an unprotected system.


Early detection

IT managers should know the normal state of their systems (baseline), so that deviations stand out immediately. Regular, automated evaluation of log files and traffic statistics highlights anomalies such as a sudden jump in requests per minute or in traffic from a single source. Monitoring also includes the view from outside: the availability of services must be checked from outside the company, over the Internet, because an internal check will not notice a saturated uplink.


Assessment of consequences

What would the consequences of a system outage following a DDoS attack be? Companies should calculate the direct and indirect damage that could result from hours, days or even weeks of interruption to their systems.


Disaster recovery plan

An internal disaster recovery plan should be in place for emergencies, which also covers the worst-case scenario. The persons responsible must have the right training, be familiar with the necessary procedure and be able to swiftly notify relevant contact persons (internal and external).


Restricting access

Access to your own web service can be restricted by source IP address. For example, you can block all requests from outside Switzerland or from certain countries. Bear in mind that such geo-blocking is coarse: botnet devices exist in every country, and the spoofed source addresses of a SYN or reflection flood cannot be filtered by origin at all. In addition, the assignment of access rights across the entire network should follow the principle of least privilege and be enforced consistently at all times.
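The following added example (not part of the article or of any Swisscom product) ties the measures "Early detection" and "Restricting access" together: it learns a requests-per-minute baseline from constructed web-server access log lines, flags minutes that exceed a multiple of that baseline, and derives a blocklist of the heaviest sources in those minutes that fall outside an allowed country. The log lines, the prefix-to-country table standing in for a GeoIP database, and all thresholds are constructed or assumed.

```python
"""Baseline-based detection over access logs with a geo-aware blocklist.

Added example; not code from the article or from Swisscom. The log
lines, the prefix-to-country table and the thresholds are constructed
or assumed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# nginx/Apache "combined" log format, fields up to status and response size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

# Constructed prefix -> country table standing in for a real GeoIP database
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "CH",
    ipaddress.ip_network("198.51.100.0/24"): "XX",
}


def parse(line):
    """Return (client_ip, minute_key, request_line) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = m.group("ts")                 # e.g. 10/Oct/2023:10:00:01 +0000
    minute = ts[: ts.rfind(":")]       # drop seconds and zone -> 10/Oct/2023:10:00
    return m.group("ip"), minute, m.group("req")


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"                        # unknown origin: treated as outside the allow list


def requests_per_minute(lines):
    """Count requests per minute, and per (minute, source) for attribution."""
    total = Counter()
    per_source = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, minute, _ = parsed
        total[minute] += 1
        per_source[minute][ip] += 1
    return total, per_source


def learn_baseline(lines):
    """Mean requests per minute over a quiet reference period."""
    total, _ = requests_per_minute(lines)
    return sum(total.values()) / len(total)


def detect_anomalies(lines, baseline, factor=5.0):
    """Minutes whose request count exceeds factor x baseline, with their per-source counts."""
    total, per_source = requests_per_minute(lines)
    return {m: per_source[m] for m, n in total.items() if n > factor * baseline}


def blocklist(anomalies, allowed_countries=frozenset({"CH"}), per_source_limit=5):
    """Sources above per_source_limit in an anomalous minute that lie outside the allowed countries."""
    block = set()
    for sources in anomalies.values():
        for ip, n in sources.items():
            if n > per_source_limit and country_of(ip) not in allowed_countries:
                block.add(ip)
    return block


def _line(ip, hh, mm, ss, path="/"):
    return f'{ip} - - [10/Oct/2023:{hh:02d}:{mm:02d}:{ss:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed quiet period: ten minutes, six requests each from a few Swiss clients
BASELINE_LOGS = [_line(f"203.0.113.{1 + i % 5}", 10, m, i) for m in range(10) for i in range(6)]
# Constructed attack minute: six legitimate requests plus 30 foreign sources sending 10 each
ATTACK_LOGS = [_line("203.0.113.2", 10, 10, s) for s in range(6)] + [
    _line(f"198.51.100.{n}", 10, 10, (n * 7) % 60, "/search?q=x") for n in range(1, 31) for _ in range(10)
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOGS)
    anomalies = detect_anomalies(BASELINE_LOGS + ATTACK_LOGS, base)
    print(f"baseline {base:.1f} req/min; anomalous minutes: {list(anomalies)}")
    print(f"block {len(blocklist(anomalies))} sources")
```

In the constructed data the Swiss client 203.0.113.2 also exceeds the per-source limit during the attack minute but is not blocked, which is the allow-list behaviour the country restriction is meant to give; the 30 foreign sources are. Per-source blocking of this kind only works for application-layer floods, where the TCP handshake has completed and the source address is real; for the spoofed traffic of SYN or reflection floods the list would be meaningless, and the blocklist is in any case only useful if it is pushed to a firewall or WAF that still has capacity to enforce it.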


Cloud-based firewall with scalable resources

The firewall should have sufficient resources and be able to accommodate additional blocking rules at short notice in the event of an attack. A cloud-based managed firewall with scalable resources is recommended for this.


Extortion threats

Technical measures to prepare for the threat of an attack should be agreed with the Internet service provider in advance, not during an attack. Ransom demands should never be paid.

