What is a DDoS attack - and how do I protect myself against it?
by Tina Siering
What is a DDoS attack?
The abbreviation DDoS stands for Distributed Denial of Service. This form of attack therefore aims to deny a service. The basic idea behind it is that every system reaches the limit of its service capacity at some point. Unlike a DoS (denial of service) attack, a DDoS attack involves numerous systems participating in the attack. In most cases, the targets of DDoS attacks are servers that are accessible via the Internet and provide a specific service, for example a web or FTP server.
How does a DDoS attack work?
A DDoS attack begins with coordinated requests from as many systems as possible. The source is often a botnet under the control of attackers. The computers in such a botnet have usually been hijacked with the help of malware and are controlled centrally. The attackers thus have a distributed network at their disposal that is used for the attack.
Through this botnet, the attackers direct requests at a specific target, which is inundated with a flood of requests within a short period of time. The attackers use different methods here: either enormously large data packets or manipulated requests. This puts a strain on both the server and its connection. If not enough bandwidth is available, the connection quality drops, with consequences for the victim's local network as well as for regular users trying to access the services. At the same time, the server reaches the limits of its load capacity: the high number of requests overloads the processor, memory and databases, and the server simply runs out of resources. As a result, the server rejects new connection requests, its speed drops massively and finally the entire service collapses. The attackers have thus achieved their goal.
Why are DDoS attacks so dangerous?
DDoS attacks are considered particularly dangerous for two reasons. First, DDoS attacks use quite regular actions that are commonplace in Internet data traffic. These include, for example, requests to establish a connection. The servers are even specifically designed to handle these requests. This makes some forms of DDoS attacks particularly insidious.
Second, defense is more difficult because the attack originates from an enormous number of points. There is not a single IP address behind the attack, but hundreds, thousands or even more individual computers. These are located in the most diverse regions of the world and accordingly have different IP addresses. Banning a single IP address therefore does not stop the attack. Entire IP address ranges cannot be banned either, because that would also exclude numerous legitimate users located in those regions.
In the past few years, attackers have gained more and more opportunities to set up botnets for this purpose with little effort. For DDoS attacks, the attackers need as many computers as possible, and bringing these under their control has always been a challenge. In addition, the owners of the computers repeatedly discovered and removed the malware infections. In the meantime, however, the number of systems on the global Internet has exploded due to the spread of IoT. Small devices have a permanent connection to the Internet because they exchange data this way.
IoT systems are particularly vulnerable, however, as there are often no patches available for security vulnerabilities. In addition, frequently no one actively monitors the systems, so a compromise goes unnoticed. This gives hackers more opportunities to build their own botnets, which are then available for DDoS attacks.
It is also not easy to stop a DDoS attack once it is underway. Restarting the affected server initially makes it accessible again. However, as long as the attackers keep directing the botnet at it, an enormous load is immediately placed on it again, which inevitably leads to another collapse.
What are the protective measures against a DDoS attack?
First of all, the best defense against a DDoS attack is prevention. A DDoS attack can happen at any time and without warning, because it comes from outside. So, if you want to build protection against such cyber threats, you cannot avoid preventive measures. Below is a list of measures companies can take to prepare for the threat of DDoS attacks and reduce their impact.
1: Firewall configuration
The correct use of the firewall is one of the most important defenses against DDoS attacks. Basically, the firewall is a passive tool and on its own is of little help against this form of attack. However, there are software solutions that take control of the firewall. This type of firewall uses blocking lists to ban IP addresses from which unwanted or malicious requests originate. These blocking lists can be generated dynamically: the software monitors incoming requests and directly identifies requests that aim to overload the network. The firewall then reacts to them, either limiting traffic from these IP addresses or blocking access completely. This reduces the load on the network and protects it from congestion.
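As an added example that is not code from the original article, the following Python sketch shows the dynamic blocking-list logic just described: a sliding-window counter per source IP that first rate-limits and then fully blocks a source. The window, thresholds and IP addresses are constructed values, not figures from the article.

```python
from collections import deque, defaultdict

# Constructed thresholds: requests per source IP within WINDOW seconds.
WINDOW = 10.0
LIMIT_AT = 20     # above this many requests in the window, rate-limit the source
BLOCK_AT = 50     # above this many, block the source completely

class DynamicBlocklist:
    """Sliding-window request counter per source IP that decides allow / limit / block."""
    def __init__(self, window=WINDOW, limit_at=LIMIT_AT, block_at=BLOCK_AT):
        self.window, self.limit_at, self.block_at = window, limit_at, block_at
        self.recent = defaultdict(deque)   # ip -> timestamps of requests inside the window
        self.state = {}                    # ip -> "limit" or "block" (the dynamic list)

    def observe(self, ts, ip):
        """Record one request at time ts and return the firewall action for this source."""
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget requests older than the window
            q.popleft()
        n = len(q)
        if n > self.block_at:
            self.state[ip] = "block"
        elif n > self.limit_at:
            self.state.setdefault(ip, "limit")  # do not downgrade an existing block
        return self.state.get(ip, "allow")

def sample_run():
    """Constructed traffic: one normal client and one source sending 60 requests in 3 seconds."""
    fw = DynamicBlocklist()
    actions = {}
    for i in range(10):                       # normal client: one request per second
        actions["198.51.100.4"] = fw.observe(float(i), "198.51.100.4")
    for i in range(60):                       # flood source: 20 requests per second
        actions["203.0.113.77"] = fw.observe(i / 20.0, "203.0.113.77")
    return actions, dict(fw.state)
```

Entries never expire from the list in this sketch; a production implementation would age them out once the source stays quiet.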
2: Use a content delivery network
It is possible to use a service provider with a Content Delivery Network (CDN) for your own web services. These CDN providers distribute the content over their own network, which consists of an enormous number of servers, some of them distributed all over the world. A DDoS attack on a single server is therefore ineffective, because the other servers of the CDN provider take over the service. In addition, these providers have their own protection techniques against DDoS attacks and stop them. In the same way, these and similar providers offer distributed DNS services, which makes it possible to fend off DDoS attacks on DNS. However, such measures are primarily designed for websites and do not protect the company's own network if it is accessible via the Internet.
3: Distribute the services to different hosts and IPs
A sensible measure is to distribute one's own services across several hosts. This applies to all web-based applications that require a connection to the public Internet or can be reached via this route. If each service is set up on its own host and its own IP, it is more difficult for an attacker to hit all services. In addition, it is possible to disconnect or shut down individual services from the Internet in an emergency if other defensive measures fail. Individual services are then affected, but the remaining applications and the network remain accessible. This can also be implemented very easily in practice with virtual servers, containers and similar techniques.
4: Deploy intrusion prevention systems and active attack defense
The first step in preventing an active DDoS attack is to detect it. Solutions are available for this purpose that identify such attacks in real time and report them to the responsible parties. For example, if a DDoS attack begins outside of business hours, it may take hours for someone to identify the attack. During this time, systems are compromised, website accessibility is interrupted, or the DDoS attack is used to prepare for another cyberattack.
For these reasons, it is important to respond to incipient attack activity as quickly as possible. Intrusion Prevention Systems (IPS) or Intrusion Detection Systems (IDS) as well as an Active Cyber Defense (ACD) service are the right tools for implementing such concepts. Service providers from the IT security sector provide these solutions. IDS and ACD monitor network traffic and identify malicious actions. Suspicious activity then triggers an alert and enables a response.
5: Use filtering services
Specialized service providers offer traffic filtering services. Here, Internet traffic that would normally flow directly to the company's own servers is first routed through the service provider via a VPN. All incoming requests thus pass through so-called scrubbing centers, where the provider has implemented special protection mechanisms to detect DDoS attacks. The provider filters out such packets and requests before they even reach the company's network.
6: Load balancing and dynamic bandwidth
Those who outsource their web servers and other parts of the IT infrastructure have the opportunity to influence scalability. Load balancing is part of the service for many cloud services and web services. Those who use bare metal servers have to take care of load balancing themselves. Load balancing is a technique that responds to increasing loads within fractions of a second. This is achieved by providing additional resources. Of course, load balancing only works to the extent that resources are available. Virtual servers on clusters are theoretically almost infinitely scalable. A dynamic increase in bandwidth can be implemented in a similar way.
Although load balancing does not prevent the DDoS attack itself, it does prevent such an attack from directly blocking the company's own services. This gives IT security more time to deal with the cyber attack. Load balancing is an effective method of thwarting the attackers' plans, especially against smaller DDoS attacks.
What are the defenses against DNS tunneling?
Defense against DNS tunneling is comparatively complex. Classic virus scanners usually do not detect such forms of activity, as no software is used at all. Virus scanners primarily focus on searching for malware that is present on a computer.
Firewall settings also offer no protection against DNS tunneling. This is because all DNS requests travel over the same port, UDP and TCP port 53. If traffic is prohibited on this port, computers on the network can no longer resolve DNS queries, which causes Internet browsing and many network services to stop working.
There are also firewall solutions that maintain blacklists and block domains as well as IP addresses known to host command-and-control servers. However, these blacklists usually contain only the already known domains. In APTs, attackers set up new domains and use IP addresses that have not yet been flagged. Accordingly, even such systems do not provide sufficient protection, especially against targeted attacks.
An effective defense technique, on the other hand, is provided by systems that actively scan the network. Such solutions for early attack detection access logs and search for conspicuous activity. These logs include the DNS queries of computers and the event logs of routers, and they contain the manipulated or atypical DNS queries that are generated during tunneling.
Early attack detection is able to identify such log entries as indications of a cyberattack because they are atypical. These systems constantly scan the network and use artificial intelligence to look for activity that does not match normal traffic or otherwise indicates unauthorized activity. With these features, early attack detection is one of the best defenses against DNS tunneling.
There are also some techniques that focus on analyzing DNS traffic itself, mainly payload analysis and traffic analysis. Payload analysis evaluates the contents of DNS requests, focusing on atypical content. This includes, for example, record types in the queries such as "TXT", which do not occur in a typical DNS query. A policy can also be introduced if there is an internal DNS server that is used for caching queries: with DNS tunneling, this path is ignored and the infected system sends its DNS requests directly to the attackers' server. However, there are also DNS attacks that run via the internal DNS server and thus overcome this defense method as well.
Another promising policy focuses on the length of the queries. An important clue is the length of the host name. Most hosts have comparatively short names, such as secion.de. With DNS tunneling, attackers use the area reserved for the host name in the request to transmit commands, so these requests are long. It is possible to implement a policy that highlights requests whose host name is longer than 52 characters. IT security is then able to check these requests more closely. During a manual check, such strings stand out immediately, whereas they would otherwise be lost in the mass of log entries.
Traffic analysis focuses on evaluating the volume as well as the IP addresses. In the case of attacks via DNS tunneling, it happens that the number of requests to the hacker's IP address increases excessively. An accumulation of requests to a specific IP address is noticeable. It is also possible to observe the size of the requests. Typical DNS requests are compact and limited to 512 bytes. If, on the other hand, the hackers use the DNS queries to transmit commands, for example to control malware, then the packets exceed the size of 512 bytes. This is also an indication of DNS tunneling.
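The following Python snippet is an added example, not code from the original article, that applies the payload and traffic policies described in the last three paragraphs to a constructed DNS query log: TXT record types, host names longer than 52 characters, messages larger than 512 bytes, queries that bypass the internal caching resolver, and an accumulation of queries toward one server IP. The log format, the resolver address 10.0.0.2 and the burst threshold are assumptions for the example.

```python
from collections import Counter

# Thresholds from the article's policies; the resolver address and burst limit are constructed.
MAX_NAME_LEN = 52               # host names above 52 characters are atypical
MAX_DNS_BYTES = 512             # classic DNS message size limit
BURST_THRESHOLD = 4             # queries from one client to one server before flagging a burst
INTERNAL_RESOLVER = "10.0.0.2"  # the caching DNS server clients are expected to use

# Constructed sample log (not captured from a real resolver). Fields per line:
# client_ip  query_type  query_name  message_bytes  server_ip
SAMPLE_LOG = """\
10.0.0.5 A www.secion.de 64 10.0.0.2
10.0.0.5 AAAA mail.secion.de 72 10.0.0.2
10.0.0.7 TXT 6d61726b65722d636f6e66696469656e7469616c2d66696c652d3031.tun.example 640 203.0.113.9
10.0.0.7 A 6d61726b65722d636f6e66696469656e7469616c2d66696c652d3032.tun.example 120 203.0.113.9
10.0.0.7 A 6d61726b65722d636f6e66696469656e7469616c2d66696c652d3033.tun.example 121 203.0.113.9
10.0.0.7 A 6d61726b65722d636f6e66696469656e7469616c2d66696c652d3034.tun.example 119 203.0.113.9
10.0.0.9 A cdn.example.net 70 10.0.0.2
"""

def analyze(log_text: str) -> dict:
    """Map each client IP to the list of tunneling indicators it triggered."""
    findings: dict = {}
    pair_counts = Counter()  # (client, server) -> queries seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, size, server = line.split()
        hits = findings.setdefault(client, [])
        pair_counts[(client, server)] += 1
        # Payload analysis: record types that ordinary client lookups do not use.
        if qtype == "TXT":
            hits.append(f"TXT query to {server}")
        # Length policy: host names longer than 52 characters stand out.
        if len(qname) > MAX_NAME_LEN:
            hits.append(f"long name ({len(qname)} chars): {qname}")
        # Size policy: DNS messages are normally at most 512 bytes.
        if int(size) > MAX_DNS_BYTES:
            hits.append(f"oversized message ({size} bytes)")
        # Resolver policy: queries that skip the internal caching server (reported once per pair).
        if server != INTERNAL_RESOLVER and pair_counts[(client, server)] == 1:
            hits.append(f"bypasses internal resolver, asks {server} directly")
        # Traffic analysis: an accumulation of queries toward a single server IP.
        if pair_counts[(client, server)] == BURST_THRESHOLD:
            hits.append(f"{BURST_THRESHOLD} queries to {server}")
    return {c: h for c, h in findings.items() if h}
```

Flagged entries are candidates for the manual check the article describes, not proof of tunneling; the internal-resolver rule in particular misses tunnels that go through the caching server, as the text notes.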
Conclusion on the subject of DDoS attacks
Every company's IT security strategy must be prepared for all situations, and this includes DDoS attacks. These attacks do not always pose a direct threat to data, but they are still a serious threat. This is mainly because companies depend on their own IT systems due to the high degree of digitalization. The failure of the entire network and all digital services for hours or even days therefore causes enormous damage. As with many other cyber threats, prevention is the best defense when it comes to DDoS attacks. In principle, a direct response to an active DDoS attack is not possible. It is therefore important for companies to invest in prevention and early attacker detection and thus prevent greater damage from IT failures.