2022 / Penetration test category

What DDoS attacks are, how they work and what DDoS protection is currently available

What is a DDoS attack, who carries it out and what exactly is the difference between a DoS and a DDoS attack? Today we are going to explain all these questions and more in detail about popular DDoS attacks.

So if you haven’t yet set up a contingency plan in your company on how to respond to a DDoS attack, now is the time to address the issue. Here with us, as always, you will learn everything there is to know.

What is a DDoS attack?

A DDoS attack is one of the most common forms of attack. It is a distributed network attack in which an enormous number of requests are sent to a target at once, and these requests inevitably bring almost any system to a standstill.

This is exactly what DDoS attacks aim to do: crash any web servers, cause lasting damage to file systems, or simply ensure the longest possible downtime, which can cost the provider a lot of money. DDoS attacks have always existed and will always exist, as they are quite simple in theory and thus comparatively trivial to implement.

Botnets (i.e. zombie networks) are used for the attack. These consist of infected computers that follow the attacker’s commands and, on his instruction, constantly request certain resources. Because this happens simultaneously and in incredibly large numbers, the attacked system collapses quite quickly as a result.

What is the difference between DoS and DDoS?

A Denial of Service attack always involves an overload of the respective service. The goal of such an attack is thus to violate availability, one of the three protection goals of information security. Take the example of a server that is overloaded by too many requests and therefore crashes. Such attacks are not that rare, which is why appropriate protection mechanisms are usually already in place to ward them off.

Anyone who detects a DoS attack can block it accordingly. This is relatively easy to achieve, as an attacker can be quickly identified and henceforth blocked before they can cause any major damage. In the case of a Distributed Denial of Service attack (i.e. a DDoS attack), on the other hand, this is no longer so easy. This is because a network of many different attackers is used here, which is why it becomes difficult to impossible to specifically block each of them.

Large botnets are often used for DDoS attacks. All at once, many different computers are accessing or retrieving certain resources at the same time, thus causing server overloads for the respective service.

What is the target of a DDoS attack?

If a DDoS attack takes place, the goal is always to bring a service to its knees as much as possible until it is completely down. In other words, due to an overload of the server structures, the service should fail and no longer be accessible. This is a big problem for operators, because, for example, sales in a store are no longer possible if a DDoS attack occurs. Or entire services fail because the infrastructure has been attacked.

Therefore, if a Distributed Denial of Service attack is carried out, it is usually an extortion attempt. DDoS attacks also serve to damage a competitor or to cause a lot of trouble and loss of trust among its customers. DDoS attacks are in some ways a form of sabotage or pure vandalism.

In gaming or media, for example, DDoS attacks are often used as a form of protest. Much as protesters would break a window or spray paint something on a house wall, they commit vandalism in the digital environment via a DDoS attack. This makes it clear that dissatisfaction prevails, and the affected services are at least partly difficult or even impossible to reach. Often this happens in multiplayer games or on websites, following critical articles against certain groups.

Can you buy DDoS attacks?

Yes, you can also buy DDoS attacks. Botnet services are offered on the darknet, within the scene and in hacker forums, as a kind of service for hackers who do not have a botnet of their own.

However, since DDoS attacks can always be detected and gradually contained, they are not attacks that can be sustained. Rather, they are usually attacks that paralyze a service for a few hours or a few days. More is usually not possible and also not useful.

Purchased DDoS attacks are, logically, not paid for in euros or dollars but in Bitcoin or through other anonymous payment methods. In such cases, however, you are almost certainly dealing with script kiddies who simply hate something and want to cripple it. Serious DDoS attacks are not bought in and, for the most part, are aimed not just at inaccessibility but at damage to file systems.

What role do botnets play in this?

The so-called zombie networks, or botnets, are nothing more than infected computers. These “zombies” go about their business and at no time indicate to the owner that they have already been infected. Only when a botnet has become really large does it make sense to attack with it.

So hackers infect one device after another until an almost infinite number of “zombies” is available on the network. On demand, these now obey the attacker’s command and retrieve certain resources. This is the basis for a DDoS attack.

The DDoS succeeds only because supposedly harmless devices, in gigantic numbers, access something at the same time. A DoS could ultimately be blocked immediately by means of an IP address. With a DDoS, this is more difficult because the number of requests is huge and it must first be determined which requests belong to the attack and which do not.

What protection is there against DDoS attacks?

In theory, the cloud makes it difficult for servers to fail. Load balancing would ensure that overloaded instances are supplemented by new ones, so that additional servers are added if there is an overload. At least in a perfect world.

Because, of course, it all costs a lot of money and usually there is not an infinite pool of computing power available to withstand a DDoS attack. Basically, therefore, it is not possible to simply evade the DDoS attack and maintain normal operations.

The most important protection against DDoS attacks is very accurate logging of requests and appropriate monitoring of all activities. If accesses increase, they can be blocked quickly, and in some cases automatically, by the security expert. There are some service providers, such as Cloudflare, that achieve relatively great success with their DDoS protection. A web application firewall is also logically mandatory here, in order to block already known attackers in advance.
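To make the logging-and-monitoring point concrete, here is an added example that is not part of the article and not AWARE7 code: a small sliding-window detector in Python that runs over web-server access log lines in Common Log Format. The log lines, IP addresses (documentation ranges), window size and thresholds are all constructed for illustration and are assumptions that would have to be tuned per service. The detector separates the two cases the text describes: a single source sending too many requests (which can simply be blocked by IP) and a burst spread across many sources, where per-IP blocking alone does not help and the total rate is the signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT),
            "request": request, "status": int(status)}


def analyse(lines, window_seconds=10, per_ip_limit=5, global_limit=15, min_sources=10):
    """Sliding-window rate detector over time-ordered log lines.

    per_ip  -> sources that exceeded per_ip_limit requests inside one window
               (the single-source DoS pattern the article says is easy to block).
    global  -> moments when the total request count inside one window exceeded
               global_limit AND came from at least min_sources distinct IPs
               (the distributed pattern where blocking one IP achieves nothing).
    Thresholds are assumptions chosen for the constructed sample below.
    """
    per_ip = defaultdict(deque)     # ip -> timestamps within the window
    global_q = deque()              # (timestamp, ip) for all requests within the window
    per_ip_alerts = set()
    global_alerts = []              # (timestamp, requests_in_window, distinct_sources)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines instead of crashing
        t, ip = rec["time"], rec["ip"]

        q = per_ip[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop requests that fell out of the window
        if len(q) > per_ip_limit:
            per_ip_alerts.add(ip)

        global_q.append((t, ip))
        while (t - global_q[0][0]).total_seconds() > window_seconds:
            global_q.popleft()
        if len(global_q) > global_limit:
            sources = {src for _, src in global_q}
            if len(sources) >= min_sources:
                global_alerts.append((t, len(global_q), len(sources)))
    return {"per_ip": sorted(per_ip_alerts), "global": global_alerts}


def recommend(result):
    """Map findings to the defensive actions the article describes."""
    actions = []
    for ip in result["per_ip"]:
        actions.append(f"block single source {ip} at the firewall / WAF")
    if result["global"]:
        _, count, sources = result["global"][-1]
        actions.append(f"distributed burst: {count} requests from {sources} sources in one "
                       f"window; apply rate limiting and engage upstream DDoS protection")
    return actions


# --- Constructed sample log (not real traffic) -------------------------------
def make_line(ip, second, path="/index.html"):
    return f'{ip} - - [10/Oct/2022:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [make_line("198.51.100.1", 0), make_line("198.51.100.2", 3)]        # normal visitors
    + [make_line("203.0.113.10", s) for s in range(5, 13)]              # one source, 8 requests in 8 s
    + [make_line(f"192.0.2.{i}", 30) for i in range(1, 21)]             # 20 sources in one second
    + ["this line is garbage and must be ignored"]
)

if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    print(findings)
    for action in recommend(findings):
        print("-", action)
```

In the sample, the hammering source 203.0.113.10 trips the per-IP rule on its sixth request and is the only entry in `per_ip`, while the burst from twenty different addresses never exceeds the per-IP limit and is caught only by the global window once more than fifteen requests from at least ten sources land inside ten seconds. Real thresholds should come from the baseline your own logs show, not from these constants.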

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my master’s degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is carrying out penetration tests. Beyond that, we are committed to a broad understanding of IT security in Europe and therefore offer most of our products free of charge.