Distributed Denial of Service (DDoS) attacks have been a part of the Internet since its inception.
The first documented DDoS attack of the “SYN flood” type occurred in 1996. This type of attack is still used today because it exploits a vulnerability in the way the Internet Protocol (TCP/IP) establishes connections between computers to overload the target server and render it inoperable.
Since then, DDoS attacks have evolved and become more sophisticated, with attackers developing new methods (also called vectors) to achieve their goals. Today, DDoS attacks are a widespread threat to businesses and individuals alike.
Felix Stolba is the Team Leader of Network Engineering and his team deals with DDoS mitigation on a daily basis. For many years, he has observed that the attacks are increasing in number and becoming more technically sophisticated in their implementation.
What is a DDoS attack?
Can you please briefly explain what you mean by a DDoS attack?
Felix: A Distributed Denial of Service attack is a type of cyberattack in which an attacker attempts to overload a server or network by sending a large number of requests to the attack target.
It’s best thought of as a real-world business analogy.
Imagine trying to enter a business at the same time as a thousand other people. The entrance to the store would be overcrowded and no one would be able to get in or out. A DDoS attack is very similar. The attacker acts like the crowd blocking the store to shut down the store entrance.
How do attackers proceed in a DDoS attack?
Felix: In most cases, the attackers use a so-called botnet, which consists of many distributed computers, to generate the countless requests. These are often virus-infected systems – they can be regular PCs or, as in the case of Mirai some time ago, inconspicuous IoT devices such as cameras. But the cloud is also changing the business, and short-lived compute instances are increasingly being used by multiple vendors.
The countless requests from the botnet then flood the target of the attack with nonsense data or requests, blocking legitimate users from accessing the service or website.
What are the objectives of DDoS attacks?
This disruption inevitably causes damage to the image of the victim of the attack and often financial damage due to inaccessibility. While the website or store is down, no transactions can take place.
How can you protect yourself against DDoS attacks?
Felix: There are several methods to protect or defend against DDoS attacks. First, networks need to be constantly monitored to identify suspicious traffic.
To do this, we use special tools and systems that analyze traffic and look for patterns that indicate a DDoS attack. By analyzing traffic patterns, anomalies can be detected. These can include unusually high traffic volumes, conspicuous request patterns, or abnormal packet behavior.Is DDoS protection included with Anexia?
Felix: Yes, Anexia DDoS Guard is always automatically included in the European Backbone. This is a very advanced solution to effectively protect our customers from DDoS attacks. We use a solution from a leading manufacturer in the field of DDoS protection, that has been enhanced by our own technology. Due to its modular design, Anexia DDoS-Guard is perfectly tailored to our own and our customers’ requirements and can provide excellent protection against volumetric DDoS attacks (OSI Layer 3 and Layer 4).
How do you detect DDoS attacks?
Felix: One of the ways we detect attacks early is through behavioral analysis. By learning and monitoring the normal behavior of the network or server over a period of time, anomalies can be detected. A sudden large increase in traffic or unusual patterns may indicate a DDoS attack.
Attack signature analysis is also very helpful. This involves creating signatures or patterns of known DDoS attacks and sharing them with other providers. If a traffic pattern matches a known attack signature, the traffic is blocked.
The mechanisms mentioned so far all work at the network level. For customers with particularly high protection requirements, we combine them with a Web Application Firewall (WAF) tailored to the application in question. The WAF then checks form entries for plausibility, among other things, in order to intercept attacks such as SQL injections or cross-site scripting (XSS).
How to defend against DDoS attacks?
Felix: When a DDoS attack occurs, traffic is often redirected to relieve the target. This is done by filtering the traffic and forwarding only legitimate traffic to the target. Another method is to increase the capacity of the network or server to mitigate the impact of a DDoS attack. By adding additional bandwidth or resources, the system can better handle the additional traffic.
Is DDoS protection included with Anexia?
Felix: Yes, Anexia DDoS Guard is always automatically included in the European Backbone. This is a very advanced solution to effectively protect our customers from DDoS attacks. We use a solution from a leading manufacturer in the field of DDoS protection, which has been enhanced by our own technology. Thanks to its modular design, Anexia DDoS Guard is perfectly tailored to both our own and our customers’ requirements and can provide excellent protection against volumetric DDoS attacks (OSI Layer 3 + Layer 4).
What does “reflection” mean in the context of DDoS attacks?
Felix: A “reflection” is a technique often used by attackers to amplify the impact of attacks and to hide the identity of the attacker. In a reflection DDoS attack, the attacker uses insecurely configured services on the Internet to send traffic back to the target of the attack.
The flow of a reflection attack looks something like this: The attacker sends spoofed requests to a set of servers or services. These requests typically contain the IP address of the actual target victim as the source address. The queried services then send their response to the supposed source address (the actual reflection victim), generating a lot of unwanted traffic.
A reflection DDoS attack allows the attacker to use the bandwidth and resources of many other systems to send massive traffic to the target. This increases the impact of the attack and makes it more difficult to trace the attacker, since the responses come from the “reflective” servers and services rather than directly from the attacker.
Finally, it is important to note that metadata monitoring alone is not sufficient to reliably detect DDoS attacks. The combination of multiple monitoring mechanisms and the application of algorithms that automatically detect anomalies are critical to detecting a DDoS attack in its early stages.
Related Topics
How a Syn-Flood DDoS attack works →
Comprehensive protection against DDoS attacks with Anexia DDoS Guard
Anexia defends largest cyber attack on Austria to date (DE) →