DDoS (Distributed Denial of Service) attacks by computer hackers can paralyse entire web platforms and IT systems. Discover the damage such a flood of data can wreak and how companies can protect themselves.
Text: Felix Raymann, Image: iStock by Getty Images, 14 November 2018, updated on 21.07.2021
It’s a dangerous combination: the increased use (and significance) of cloud and Internet services driven by the corona pandemic coupled with the falling cost of DDoS attacks on various darknet forums. A botnet for such distributed denial of service attacks can be hired for a few dollars to potentially paralyse important components of a corporate infrastructure, such as a website or online shop.
Companies in Switzerland are also feeling the effects as the number of attacks continues to rise both at home and around the world. There is disagreement among security providers as to the extent of these rises. Estimates range from a 20 percent rise to a threefold increase. Given the high-volume business involved, any company is essentially susceptible to becoming a random victim of a DDoS attack.
The perpetrator of the attacks often remains unidentified. What is certain, however, is that such infrastructure outages can cause major damage to a company. If web services are unavailable for a certain period, the company risks a significant loss of revenue. This can lead to notable losses for online shops, banks or any other service provider that depends on its web presence. What’s more, a company risks damage to its reputation if a website is stigmatised as ‘insecure’. There are also costs associated with restoring the status quo. In the aftermath of the attacks, in turn, there is a risk of data loss for affected companies.
Last August, DDoS attacks by a previously unknown group of cybercriminals were discovered, which had developed a business model for this form of attack. After quite a minor attack, the attackers, generally referred to as the Lazarus Bear Armada, sent a blackmail letter with a demand for Bitcoin. Should their demand not be met, they threatened a much larger DDoS attack. In many cases, such blackmail attempts prove to be an empty threat. But this is not guaranteed, as some institutions have found to their cost. Any company can fall victim to a DDoS blackmail attempt.
DDoS attacks all follow a similar pattern: a company’s Internet servers are flooded with so many requests that they can no longer process the high volume of data or high number of IP packets, and collapse under the load. To be able to execute such a high number of requests in the first place, the attackers need the appropriate infrastructure or to hire a botnet of infected devices. These may be poorly protected PCs, but can also be networked everyday devices, such as surveillance cameras, routers, household appliances or similar Internet-connected devices.
The increasing sophistication of the attacks is making defence more difficult. Initially, attacks often took place on the lower network layers (OSI layers), by means of PING or SYN flooding, for instance. Such attempts can be blocked relatively easily by protection systems such as firewalls or IDS/IPS.
Attackers such as the Lazarus Bear Armada, on the other hand, combine different attack vectors with UDP reflection attacks. In this case, the cybercriminals take advantage of the fact that services such as DNS (Domain Name Service) provide a comprehensive response to small request packets. With approaches such as DNS amplification, for example, it is therefore sufficient to send numerous requests with the victim’s IP address forged as the sender (IP spoofing); the responses then flood the victim with a much larger amount of data. Combined with other forms of attack, such as HTTP(S) flooding on the application layer (layer 7), these DDoS attacks are very efficient and difficult to block on the victim’s systems.
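Seen from the victim's side, a reflection attack shows up as DNS responses that answer no query sent from the victim's own network. The following added example (not part of the original article) flags such traffic in flow records; the record layout, the address ranges and the threshold of three reflectors are assumptions, and the flows are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumed own address range (documentation prefix, not a real network).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, 70),   # our own DNS query
    ("198.51.100.53", 53, "192.0.2.10", 40001, 320),  # its matching answer
    ("203.0.113.5", 53, "192.0.2.80", 443, 3900),     # answers nobody asked for
    ("203.0.113.6", 53, "192.0.2.80", 443, 4010),
    ("203.0.113.7", 53, "192.0.2.80", 443, 3950),
    ("203.0.113.8", 53, "192.0.2.80", 51000, 4000),
]

def inside(ip):
    """True if the address belongs to our own network."""
    return ipaddress.ip_address(ip) in OUR_NET

def unsolicited_dns(flows):
    """Return {victim_ip: {"bytes": n, "reflectors": set}} for DNS responses
    that do not answer any query sent from our network."""
    asked = set()
    for src, sport, dst, dport, _ in flows:
        if dport == 53 and inside(src):
            asked.add((dst, src, sport))  # (resolver, client, client port)
    report = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, size in flows:
        if sport == 53 and inside(dst) and (src, dst, dport) not in asked:
            report[dst]["bytes"] += size
            report[dst]["reflectors"].add(src)
    return dict(report)

def reflection_targets(flows, min_reflectors=3):
    """Hosts receiving unsolicited DNS answers from many distinct servers."""
    found = unsolicited_dns(flows)
    return sorted(ip for ip, r in found.items()
                  if len(r["reflectors"]) >= min_reflectors)

if __name__ == "__main__":
    for victim in reflection_targets(FLOWS):
        info = unsolicited_dns(FLOWS)[victim]
        print(victim, info["bytes"], "bytes from", len(info["reflectors"]), "servers")
```
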
DDoS attacks are taking place every day and all of the targets are accessed over the Internet. Any provider of web and Internet services with a publicly accessible IP address, therefore, can become a target. Preventive measures (see list below) are therefore essential, but not sufficient to ensure complete protection. Companies can only protect themselves against DDoS attacks to a limited extent. For example, if a simple DoS filter is enabled on the corporate firewall, it can analyse and filter incoming traffic. However, if the attack is distributed and exceeds the available bandwidth of the Internet connection or the performance of the firewall, this filter no longer provides protection. The same situation results from a large number of IP packets.
Effective DDoS protection therefore starts with the Internet backbone of the service provider. Here, a distributed attack is repelled with a ‘distributed defence mechanism’. With Swisscom’s DDoS Protection Service, for example, sensors on various routers in the Internet backbone deliver important information about current Internet traffic at all times. This allows the protection systems to respond in real time and activate appropriate filters. Attacks can thus be fended off while ensuring that only legitimate traffic is routed to the customer infrastructure.
From a business perspective, operating a web service without effective DDoS protection measures, and simply crossing your fingers that cybercriminals will not consider you an interesting target, should be considered wilfully negligent behaviour. Therefore, precautions should be taken to prevent damage in the event of possible attacks:
The Swisscom DDoS Protection Service helps you effectively prepare for DDoS attacks. All relevant services operated on different servers must be protected by the same DDoS Protection Service.
IT managers should be aware of the normal system status (baseline), so that anything unusual immediately stands out. Regular automatic evaluation of the log files will highlight any anomalies. Monitoring also includes the view from outside: the availability of services from outside the company must be checked over the Internet.
What would the consequences of a system outage following a DDoS attack be? Companies should calculate the direct and indirect damage that could result from hours, days or even weeks of interruption to their systems.
An internal disaster recovery plan should be in place for emergencies, which also covers the worst-case scenario. The persons responsible must have the right training, be familiar with the necessary procedure and be able to swiftly notify relevant contact persons (internal and external).
Access to your own web service can be limited by restricting the permitted sender IP addresses. If necessary, for example, you can block all server requests from outside Switzerland or from certain countries. In addition, the assignment of rights for the entire network should be strictly adhered to at all times.
The firewall should have sufficient resources and be able to accommodate additional blocking rules at short notice in the event of an attack. A cloud-based managed firewall with scalable resources is recommended for this.
Technical measures to prepare for the threat of an attack should be taken with the Internet service provider. Ransom demands should never be paid.
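The monitoring recommendation above (know the baseline, evaluate log files automatically) can be implemented along the following lines. This is an added example, not part of the original article: it assumes web server logs in Common Log Format, uses the median and median absolute deviation of a normal period as the baseline, and runs on constructed log lines.

```python
import re
from collections import Counter
from statistics import median

# Common Log Format timestamp, e.g. [21/Jul/2021:10:03:59 +0200]
TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]")

def requests_per_minute(lines):
    """Count requests per minute; lines without a timestamp are skipped."""
    counts = Counter()
    for line in lines:
        m = TS.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def learn_baseline(counts):
    """Median and median absolute deviation (MAD) of a normal period."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(mad, 1)  # floor of 1 so a flat baseline still has a band

def anomalies(counts, baseline, k=6):
    """Minutes whose request count exceeds median + k * MAD (k is assumed)."""
    med, mad = baseline
    limit = med + k * mad
    return {minute: n for minute, n in sorted(counts.items()) if n > limit}

def sample_log(per_minute):
    """Build constructed access-log lines; per_minute maps 'HH:MM' to a count."""
    return [
        f'198.51.100.{i % 250} - - [21/Jul/2021:{hm}:{i % 60:02d} +0200] '
        f'"GET / HTTP/1.1" 200 512'
        for hm, n in per_minute.items() for i in range(n)
    ]

# Constructed data: a quiet reference period and a period with a request flood.
NORMAL = sample_log({"10:00": 40, "10:01": 44, "10:02": 38, "10:03": 42, "10:04": 41})
TODAY = sample_log({"11:00": 43, "11:01": 39, "11:02": 900, "11:03": 1200})

if __name__ == "__main__":
    base = learn_baseline(requests_per_minute(NORMAL))
    for minute, n in anomalies(requests_per_minute(TODAY), base).items():
        print(f"{minute}: {n} requests (baseline median {base[0]})")
```
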