Cyber attacks using DDoS (Distributed Denial of Service) paralyse entire websites and IT systems. What this barrage of data can do and how companies can protect themselves against it.
Text: Felix Raymann/Andreas Heer, Image: Swisscom, 14 november 2018, updated on 28.06.2023
June 2023 will go down in cybersecurity history as an especially intense month. Two major DDoS attacks paralysed websites and online services, with people and companies in Switzerland among those affected.
At the beginning of June, the availability of some Microsoft cloud services was limited due to a DDoS attack. And about a week later, Switzerland was impacted directly. Various websites of the federal government and larger cities were temporarily or partially unavailable due to the attack.
Notably, in both cases the focus was less on financial criminal motives than on political ones. Hacktivists from the groups Anonymous Sudan and NoName launched their attacks on Microsoft and the Swiss public sector in the context of the war of aggression against Ukraine. As part of its ‘DDosia’ project, NoName also appears to be paying people who make their infrastructure available to participate in the attacks. According to Avast security researchers, this group involves around 7,000 people.
In other words, Switzerland and Swiss companies are also affected by DDoS attacks. The examples from June demonstrate the wide range of potential motives and the ever-present risk of attacks. The current Swisscom Cybersecurity Threat Radar also describes the threat as increasing.
The majority of attacks are likely to have purely financial motives. In most such cases, DDoS attacks are used to put additional pressure on victims of a ransomware attack to pay a ransom. After all, such infrastructure failures can result in significant damage for the company. If web services are unavailable for a certain period, the company risks a significant loss of revenue. This can lead to notable losses for online shops, banks or any other service provider that depends on its web presence. What’s more, a company risks damage to its reputation if a website is stigmatised as ‘insecure’. There are also costs associated with restoring the status quo. In the aftermath of the attacks, in turn, there is a risk of data loss for affected companies.
DDoS attacks all follow a similar pattern: a company’s Internet servers are flooded with so many requests that they can no longer process the high volume of data or high number of IP packets, and collapse under the load. To be able to execute such a high number of requests in the first place, the attackers need the appropriate infrastructure or to hire a botnet of infected devices. These may be poorly protected PCs, but can also be networked everyday devices, such as surveillance cameras, routers, household appliances or similar Internet-connected devices.
The increasing sophistication of the attacks is making defence more difficult. Initially, attacks often took place on the lower network layers (OSI layers); by means of PING or SYN flooding, for instance. Such attempts can be blocked relatively easily by protection systems such as firewall or IDS/IPS.
Attackers such as the «NoName», on the other hand, combine different attack vectors with UDP reflection attacks. In this case, the cybercriminals take advantage of the fact that services such as DNS (Domain Name Service) provide a comprehensive response to small request packets. With approaches such as DNS amplification, for example, it is therefore sufficient to make numerous requests from the victim’s IP address to flood the victim with a much larger amount of data (IP spoofing). Combined with other forms of attack, such as HTTP(S) flooding on the application layer (layer 7), these DDoS attacks are very efficient and difficult to block on the victim’s systems.
DDoS attacks are taking place every day and all of the targets are accessed over the Internet. Any provider of web and Internet services with a publicly accessible IP address, therefore, can become a target. Preventive measures (see list below) are therefore essential, but not sufficient to ensure complete protection. Companies can only protect themselves against DDoS attacks to a limited extent. For example, if a simple DoS filter is enabled on the corporate firewall, it can analyse and filter incoming traffic. However, if the attack is distributed and exceeds the available bandwidth of the Internet connection or the performance of the firewall, this filter no longer provides protection. The same situation results from a large number of IP packets.
Effective DDoS protection therefore starts with the Internet backbone of the service provider. Here, a distributed attack is repelled with a ‘distributed defence mechanism’. With Swisscom’s DDoS Protection Service, for example, sensors on various routers in the Internet backbone deliver important information about current Internet traffic at all times. This allows the protection systems to respond in real time and activate appropriate filters. Attacks can thus be fended off while ensuring that only legitimate traffic is routed to the customer infrastructure.
From a business perspective, operating a web service without effective DDoS protection measures and crossing your fingers that you will not be considered an interesting target for cybercriminals in any case should be considered wilfully negligent behaviour. Therefore, precautions should be taken to prevent damage in the event of possible attacks:
The Swisscom DDoS Protection Service helps you effectively prepare for DDoS attacks. All relevant services operated on different servers must be protected by the same DDoS Protection Service.
The IT managers should be aware of the normal system status (baseline), so that anything unusual immediately stands out. Regular automatic evaluation of the log files will highlight any anomalies. Monitoring also includes the view from outside: the availability of services from outside the company must be controlled over the Internet.
What would the consequences of a system outage following a DDoS attack be? Companies should calculate the direct and indirect damage that could result from hours, days or even weeks of interruption to their systems.
An internal disaster recovery plan should be in place for emergencies, which also covers the worst-case scenario. The persons responsible must have the right training, be familiar with the necessary procedure and be able to swiftly notify relevant contact persons (internal and external).
Access to your own web service may be restricted by restricting the sender IP. If necessary, for example, you can block all server requests from outside Switzerland or certain countries. In addition, the assignment of rights for the entire network should be strictly adhered to at all times.
The firewall should have sufficient resources and be able to accommodate additional blocking rules at short notice in the event of an attack. A cloud-based managed firewall with scalable resources is recommended for this.
Technical measures to prepare for the threat of an attack should be taken with the Internet service provider. Ransom demands should never be paid.
More on the topic