Description & protection of DDoS attacks
Hacker attacks using DDoS (distributed denial of service) paralyse entire Web platforms and IT systems. We explain the effect such a flood of data can have and how companies can protect themselves.
Text: Felix Raymann, Image: iStock by Getty Images
It was probably no coincidence that the hackers chose to attack on a Saturday, in other words, when staff numbers and IT surveillance were reduced to a minimum and an attack would go unnoticed for longer than on a weekday. On 12 March 2016, targeted server overload attacks ensured that various Swiss online retailers, including Digitec, Galaxus, Interdiscount and Microspot, could not be reached by customers for several hours. Although the case was amongst the largest and most high-profile in Switzerland, it was only one of the thousands of DDoS attacks that cyber criminals conduct against Swiss companies in a targeted manner every year.
Often enough, it’s unclear who the perpetrators are. According to official statements, the companies affected by the aforementioned cases did not receive written demands for ransom. Nevertheless, such infrastructure outages can definitely cause companies considerable damage. If their Web services are unavailable for a certain time, it can lead to a massive drop in revenue. That could mean painful losses for online shops, banks and all other service providers that rely on their online presence. Added to this, their reputation is damaged because their Web site is subsequently considered “unsafe.” Re-establishing the status quo can also prove costly. Targeted companies may risk losing data after an attack. The effects of DDoS attacks can quickly spread to other areas, as the case of Digitec shows. There, the attacks not only took down its online shop, but also had an impact on the IT systems of its stores and customer service department, shutting them down too for a while.
In general, most DDoS attacks follow a similar pattern: the servers of online service providers are bombarded with countless queries. Because they cannot process the flood of data or the enormous number of IP packets they receive every second, the Web services simply crash under the weight of the requests. To be able to send so many server queries, attackers need suitable infrastructure or they must “rent” such a service from an illegal source on the Darknet. Another attack strategy is to create what is known as a botnet: attackers hack as many devices with Internet access as possible and manipulate these so that they can be made to send queries to a specified target on demand and therefore overwhelm it with data. The hijacked devices may be insufficiently protected PCs, but also networked everyday equipment such as surveillance cameras, routers, household appliances or other machines that have a public IP address.
DDoS attacks may target different network (OSI) layers. Frequently, DDoS attacks aim at the application layer (layer 7), which includes HTTP and FTP servers that are flooded with immense volumes of data. Another frequently used tactic is to attack the network layer (layer 3), although this often requires greater capacities. However, in general all seven layers can be attacked.
DDoS attacks take place every day and are aimed at all targets accessible via the Internet. Therefore, all providers of Web services – in other words, every publicly accessible IP address – could potentially be attacked. According to the National Cyber Security Centre NCSC, DDoS attacks are hard to defend against, but not impossible. Preventative measures (see the list below) are therefore essential, even though they cannot provide complete protection on their own. Companies can only protect themselves against DDoS attacks to a limited extent. For example, activating a simple DoS filter on the company firewall can analyse and filter incoming data traffic. But if a distributed attack is carried out and the volume of the attack exceeds the available bandwidth of the Internet connection, this filter no longer offers any protection, because the link is saturated before the traffic ever reaches the firewall. The same situation arises if a large number of IP packets are received every second.
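The limit of an on-premises DoS filter described above can be shown with a small simulation. The following Python block is an added example, not code from the article or from Swisscom: it models one second of traffic with an assumed 100 Mbit/s uplink, an assumed per-source limit of 200 packets per second on the firewall, and a uniform packet size, and compares a single-source flood with a distributed one. All addresses and figures are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed figures for this constructed scenario (not from the article):
LINK_CAPACITY_BPS = 100_000_000   # 100 Mbit/s Internet uplink
PER_SOURCE_PPS_LIMIT = 200        # firewall DoS filter: max packets/second per source
PACKET_BYTES = 1_000              # uniform packet size used for all traffic


def dos_filter(packets):
    """Apply a per-source packet-rate filter to one second of traffic.

    `packets` is a list of (source_ip, size_bytes). Once a source has sent more
    than PER_SOURCE_PPS_LIMIT packets in the second, its further packets are
    dropped. Returns (passed_bits, dropped_packets).
    """
    per_source = defaultdict(int)
    passed_bits = 0
    dropped = 0
    for src, size in packets:
        per_source[src] += 1
        if per_source[src] > PER_SOURCE_PPS_LIMIT:
            dropped += 1
        else:
            passed_bits += size * 8
    return passed_bits, dropped


def link_saturated(packets):
    """True when the traffic arriving on the uplink already exceeds its capacity.

    The firewall sits behind the uplink, so its filter runs too late here:
    legitimate packets are queued or lost upstream before the filter sees them.
    """
    arriving_bits = sum(size * 8 for _, size in packets)
    return arriving_bits > LINK_CAPACITY_BPS


def assess(packets):
    """Summarise what the on-premises filter can and cannot do for this second."""
    _, dropped = dos_filter(packets)
    return {
        "arriving_pps": len(packets),
        "dropped_by_filter": dropped,
        "link_saturated": link_saturated(packets),
    }


def single_source_flood(pps):
    """One attacker sending `pps` packets per second (constructed TEST-NET address)."""
    return [("203.0.113.10", PACKET_BYTES)] * pps


def distributed_flood(bots, pps_each):
    """`bots` sources each sending `pps_each` packets per second.

    Each bot stays below the per-source limit, so only the aggregate is abnormal.
    Source addresses are constructed from a private range.
    """
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return [
        (str(ipaddress.IPv4Address(base + i)), PACKET_BYTES)
        for i in range(bots)
        for _ in range(pps_each)
    ]


if __name__ == "__main__":
    print("single source, 10 000 pps:", assess(single_source_flood(10_000)))
    print("100 bots x 150 pps       :", assess(distributed_flood(100, 150)))
```

With these numbers the single-source flood (80 Mbit/s) fits through the uplink and the filter drops 9 800 of its 10 000 packets, whereas 100 bots at 150 packets per second each produce 120 Mbit/s: no bot crosses the per-source threshold, the filter drops nothing, and the link is already saturated upstream. That is exactly the case in which protection has to move into the provider's backbone.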
For this reason, the Internet backbone of the service provider must provide effective protection against a DDoS. Here, a distributed attack is defended against using a “distributed defence mechanism.” With Swisscom’s DDoS Protection Service, for example, sensors set up on various routers along the Internet backbone supply important information about current Internet traffic flows. This enables the protection systems to react in real-time and activate appropriate filters. In this way, attacks can be repelled, while at the same time ensuring that only legitimate traffic is routed to the customer infrastructure.
From an entrepreneurial perspective, operating a Web service without effective DDoS safety measures and simply hoping that you won’t look like an interesting target for hackers must be considered gross negligence. For this reason, steps must be taken to prevent possible attacks causing any damage.
The Swisscom DDoS Protection Service provides effective help in warding off DDoS attacks. All relevant services that are operated on different servers must be protected by the same DDoS protection service.
IT managers must know the normal status quo of their systems so that unusual events are apparent immediately. Regular automatic analyses of logfiles provide information on anomalies. Monitoring must also cover the external perspective: the availability of the services from outside the company must be checked over the Internet.
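One way to turn the “know your normal status quo” advice into an automatic log analysis, as an added example that is not part of the article: the Python block below parses web-server access-log lines in Common Log Format, counts requests and distinct source addresses per minute, and flags minutes whose request count lies more than three standard deviations above a baseline taken from known-normal periods. The log lines, the baseline figures and the addresses are all constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.strftime("%Y-%m-%d %H:%M"), "status": int(m["status"])}


def per_minute_stats(lines):
    """(requests, distinct sources) per minute, skipping unparseable lines."""
    requests = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        requests[rec["minute"]] += 1
        sources[rec["minute"]].add(rec["ip"])
    return {minute: (requests[minute], len(sources[minute])) for minute in requests}


def anomalies(stats, baseline_per_minute, sigma=3.0):
    """Minutes whose request count exceeds the baseline mean by more than `sigma` std deviations.

    `baseline_per_minute` holds request counts from known-normal periods. The
    distinct-source count is reported alongside: a jump in both requests and
    sources points to a distributed flood rather than one misbehaving client.
    """
    threshold = mean(baseline_per_minute) + sigma * pstdev(baseline_per_minute)
    return {minute: v for minute, v in stats.items() if v[0] > threshold}


def make_lines(minute, n, distinct_sources):
    """Constructed log lines: `n` requests in `minute` from `distinct_sources` addresses."""
    return [
        f'198.51.100.{i % distinct_sources + 1} - - [12/Mar/2016:{minute}:{i % 60:02d} +0100] '
        f'"GET /shop HTTP/1.1" 200 {512 + i}'
        for i in range(n)
    ]


# Constructed baseline: requests per minute observed on normal Saturday mornings.
BASELINE = [4, 5, 6, 5, 4, 5, 6, 7, 5, 4]

# Constructed log excerpt: two normal minutes, then a flood from many sources,
# plus one malformed line that the parser must skip.
SAMPLE_LOG = (
    make_lines("09:00", 5, 3)
    + make_lines("09:01", 4, 4)
    + make_lines("09:02", 60, 60)
    + ["garbage line that should be skipped"]
)


def detect(lines=SAMPLE_LOG, baseline=BASELINE):
    """Run the whole pipeline and return the anomalous minutes."""
    return anomalies(per_minute_stats(lines), baseline)


if __name__ == "__main__":
    for minute, (reqs, srcs) in detect().items():
        print(f"{minute}: {reqs} requests from {srcs} sources exceeds baseline")
```

The same per-minute statistics can be kept as the baseline for the next run, so the threshold tracks the service's real load profile instead of a fixed number; the external availability check the text calls for is a separate probe from outside the network and is not covered by this block.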
What consequences will a DDoS-generated system outage have? Companies must calculate the direct and indirect damage that could result from their systems being out of action for hours, days or even weeks.
Companies must have an internal emergency plan in place that also covers the worst-case scenario. The responsible employees must be trained appropriately, know the necessary procedures and be able to notify the relevant contacts (both internally and externally) quickly.
Access to a company’s Web service can be limited by restricting the sender IP addresses. For example, all server queries emanating from outside Switzerland or from specific countries can be blocked. Furthermore, access rights must be assigned and enforced strictly across the entire network at all times.
A company’s firewall must have sufficient resources and the capacity to add further blocking rules at short notice in the event of an attack.
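The two preceding measures, restricting sender addresses and being able to add blocking rules quickly, can be illustrated together. The following Python block is an added example and not code from the article or from any firewall product: it keeps an allow list of prefixes (constructed placeholders standing in for a country's address allocations, which a real deployment would load from its provider or a registry feed), lets an operator add block rules during an attack, and collapses a list of offending addresses into as few prefix rules as possible so that the firewall's rule capacity is not exhausted by one rule per attacking host.

```python
import ipaddress


class AccessPolicy:
    """Sender-address policy for a Web service.

    Evaluation order: explicit block rules first, then the allowed-prefix list.
    An address that matches neither is denied.
    """

    def __init__(self, allowed_prefixes):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.blocked = []

    def block(self, prefix):
        """Add a blocking rule at short notice, e.g. during an ongoing attack."""
        self.blocked.append(ipaddress.ip_network(prefix))

    def permits(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked):
            return False
        return any(addr in net for net in self.allowed)

    def rule_count(self):
        return len(self.allowed) + len(self.blocked)


def aggregate_sources(addresses, prefix_len=24):
    """Collapse offending addresses into the fewest /prefix_len rules that cover them.

    A firewall has finite rule capacity; during a distributed attack one rule
    per attacking host would exhaust it, so neighbouring hosts are summarised.
    """
    nets = (ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addresses)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def demo():
    """Walk through allow, deny, emergency block and the untouched remainder."""
    # Constructed stand-in for "addresses inside the home country" (IPv4 and IPv6)
    policy = AccessPolicy(["203.0.113.0/24", "2001:db8::/32"])
    inside = policy.permits("203.0.113.7")          # True: inside the allowed prefix
    outside = policy.permits("198.51.100.9")        # False: not in the allow list
    # Two offending hosts observed during an attack, summarised into one /25 rule
    for rule in aggregate_sources(["203.0.113.3", "203.0.113.90"], prefix_len=25):
        policy.block(rule)
    blocked_now = policy.permits("203.0.113.7")     # False: covered by the new block rule
    untouched = policy.permits("203.0.113.200")     # True: upper half of the /24 still allowed
    return inside, outside, blocked_now, untouched


if __name__ == "__main__":
    print(demo())
    print(aggregate_sources(["198.51.100.3", "198.51.100.77", "192.0.2.9"]))
```

Block rules are evaluated before the allow list on purpose: an emergency rule added under pressure must win even when the offending addresses sit inside an otherwise trusted prefix, which is precisely the situation when hijacked devices in the home country take part in a botnet.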
Whenever an attack is threatened, technical measures must be taken together with the Internet service provider to prepare for a possible attack. Ransom demands must never be responded to.