What is "DDoS"?
TCP SYN floods and UDP-based reflection attacks are among the most frequent attacks on the network and transport layers (layers 3 and 4). Other common attack methods are:
ICMP flood
UDP fragmentation
UDP amplification through DNS, NTP, rpcbind or SSDP
ACK flood
RST flood
All of these attacks overload the target either with very high bandwidth or with enormous packet rates. Legitimate clients can then no longer reach the service to establish a connection.
In a SYN flood attack (also referred to as a SYN-ACK or SYN/ACK flood), for example, a botnet remotely controlled by attackers bombards a server with SYN packets. SYN packets are normally the first step of the three-way handshake that sets up a TCP connection between a client and a server. The attack creates many half-open connections: it sends large numbers of SYN packets but never the ACK packets that would complete the handshake. As a result, no new connections can be established and the website is no longer accessible.
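The half-open-connection symptom described above can be counted from the server's point of view. The following Python example is added here and is not Myra's code; the packet records are constructed and only model the client side of the handshake (the client's SYN and its final ACK), which is all the text relies on.

```python
from collections import defaultdict

# Constructed packet records, not real captures: (src_ip, dst_ip, tcp_flags).
# Two normal clients complete the three-way handshake (SYN, then ACK);
# the 198.51.100.x sources only ever send SYN and never complete it.
PACKETS = [
    ("203.0.113.10", "192.0.2.80", "SYN"),
    ("203.0.113.10", "192.0.2.80", "ACK"),
    ("203.0.113.11", "192.0.2.80", "SYN"),
    ("203.0.113.11", "192.0.2.80", "ACK"),
] + [(f"198.51.100.{i}", "192.0.2.80", "SYN") for i in range(1, 51)]


def half_open_by_server(packets):
    """Return {server_ip: (half_open, completed)} from client-side packets.

    A client SYN opens a pending handshake; the client's ACK (third leg of
    the handshake) completes it. The server's own SYN-ACK is not modelled.
    """
    pending = defaultdict(set)
    completed = defaultdict(int)
    for src, dst, flags in packets:
        if flags == "SYN":
            pending[dst].add(src)
        elif flags == "ACK" and src in pending[dst]:
            pending[dst].discard(src)
            completed[dst] += 1
    servers = set(pending) | set(completed)
    return {dst: (len(pending[dst]), completed[dst]) for dst in servers}


def syn_flood_suspects(packets, max_half_open=20):
    """Servers whose count of never-completed handshakes exceeds the limit.

    The threshold is an assumption for this example; a real deployment tunes
    it to the server's normal connection rate.
    """
    stats = half_open_by_server(packets)
    return sorted(dst for dst, (half_open, _) in stats.items()
                  if half_open > max_half_open)
```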
Myra Network DDoS Protection defends IT infrastructure from volumetric attacks at the network and transport layers. Detailed traffic analyses are provided by automatic flow monitoring. The failover of affected networks in case of an attack is fully automated.
DDoS attacks on the application layer (layer 7) target existing connections. They are now one of the most common attack types. HTTP GET, POST, and other flood attacks as well as low and slow attacks are particularly popular with cybercriminals. They seek to penetrate the weakest component of an infrastructure, causing an overload of the web application.
An attacker might launch an HTTP GET flood attack. This sends a huge number of requests to a web server, targeting pages that have high load volumes. This causes the server to overload and it is no longer able to process legitimate requests. As a result, the website is no longer accessible to users.
Attacks on the application layer are usually not detected by the sensors used to protect the network and transport layers. Since they consist of standard URL requests, flood attacks are difficult to distinguish from normal traffic. Layer 3 and 4 protection systems, for example, cannot distinguish between an HTTP GET flood attack and a valid download. Accordingly, securing a web application requires IT security on all relevant layers. Specifically, attacks aimed at stealing sensitive data can only be detected and fended off by using Layer 7 protection.
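Why a byte counter at layers 3 and 4 cannot tell an HTTP GET flood from a legitimate download, while a per-client request count at layer 7 can, is shown in this added Python example (not Myra's code). The access log lines are constructed, cover one minute, and the request threshold is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines, not from any real server.
# 203.0.113.5 downloads one large file once; 198.51.100.7 requests a
# heavy search page sixty times within the same minute.
LOG_LINES = [
    '203.0.113.5 - - [07/Oct/2025:10:00:01 +0200] "GET /files/release.iso HTTP/1.1" 200 734003200',
] + [
    f'198.51.100.7 - - [07/Oct/2025:10:00:{i:02d} +0200] "GET /search?q=a{i} HTTP/1.1" 200 51200'
    for i in range(0, 60)
]

# Common log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def per_client_stats(lines):
    """{ip: {"requests": n, "bytes": total}}; lines that do not parse are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = stats[m["ip"]]
        entry["requests"] += 1
        entry["bytes"] += int(m["bytes"])
    return dict(stats)


def get_flood_suspects(lines, max_requests=30):
    """Layer 7 view: clients issuing too many requests in the window, whatever the bytes."""
    return sorted(ip for ip, s in per_client_stats(lines).items()
                  if s["requests"] > max_requests)


def top_by_bytes(lines):
    """Layer 3/4 view: ranking by transferred bytes alone puts the legitimate download first."""
    return max(per_client_stats(lines).items(), key=lambda kv: kv[1]["bytes"])[0]
```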
Myra DDoS Protection protects web applications on layer 7 fully automatically. Myra offers complete traffic visibility. This allows for smart load balancing and reliable site failover. As a result, response times are fast and dependable.
The motives of the attackers are varied. They range from blackmail and destruction to political protest or boredom. The goal is always the same: slow down and paralyze targeted applications and infrastructures with fake requests.
The term “script kiddies” refers to cyber attackers with basic skills. They rely on ready-made tools and free scripts to carry out their attacks. Even though they’re called “amateurs,” their actions can lead to serious harm. This is especially true if the targeted applications and infrastructures lack proper protection systems.
The vast majority of all DDoS attacks are carried out by cybercriminals and hacktivists. Cybercriminals mainly aim for money, for example by extorting ransom. Hacktivists, in contrast, want to cause damage and gain public attention to push their political agenda. This often leads to uncertainty among people.
In hybrid warfare, cyber actors from authoritarian states use DDoS attacks. They aim to destabilize the infrastructure of enemy countries. For example, attacks on energy suppliers and government networks are rising. This trend follows recent geopolitical tensions. Such attacks are often part of larger cyber warfare strategies.
DDoS attacks are not just a technical challenge; they are often part of a larger strategy by cybercriminals. The targets of these attacks can vary. It's important to know the motives behind them. This understanding helps in taking effective security measures.
A widespread aim of DDoS attacks is to blackmail companies. Attackers often use DDoS attacks as leverage to demand a ransom. They threaten to disrupt a company's services for a certain period of time unless they receive payment. This can be particularly devastating for companies that rely on their online presence.
DDoS attacks can also be used to damage a company's reputation. If a company is offline during an attack, this can deter potential customers and damage credibility. In highly competitive industries, some companies use DDoS attacks. They do this to hurt their rivals or take away market share.
Sometimes DDoS attacks are a tool of activism. Groups campaigning for social or political change use DDoS attacks to draw attention to their causes. These so-called “hacktivists” see their actions as forms of protest, even if in many cases they enter legal and ethical gray areas.
DDoS attacks can also be used as a distraction to carry out other, more subtle attacks. As the IT department works to stop the DDoS attack, attackers might try to break into the network and steal sensitive data. This tactic underscores the need for a holistic approach to security that does not view DDoS protection in isolation.
Another reason for DDoS attacks can be the intention to test a company's defense mechanisms. Cybercriminals can use DDoS attacks as a way to find out how well a company responds to such threats and what vulnerabilities may exist.
An attack always harms affected companies and institutions, regardless of which method is chosen. Victim organizations still suffer from the consequences even years later. It is therefore extremely important to be adequately protected against DDoS attacks.
A few minutes offline can quickly cost thousands of euros. Lost profits and wasted marketing budgets are only one example of the financial damages suffered.
The extent of damage to a company’s reputation caused by a successful DDoS attack is incalculable. Recovery costs a great deal of resources and may take years.
During a DDoS attack, systems no longer operate normally. The heavy load or overload causes some systems to suddenly become vulnerable and opens up new vectors of attack.
DDoS mitigation requires the use of special protection technologies. These are available both as an appliance for use on premises and as a SECaaS service. The latter variant is not throttled by the available bandwidth of the company’s own connection and can therefore be deployed much more flexibly. Anti-DDoS solutions filter incoming traffic. They help tell valid requests from harmful ones. Frequent targets of DDoS attacks keep their security measures on all the time. Other companies, however, use these solutions only when needed to save costs and effort.
DDoS Protection on the application level
Malicious traffic flows are blocked by multi-level filter layers. Valid requests, on the other hand, continue to reach your infrastructure as usual via a redundant HTTP/S reverse proxy.
DDoS attacks are becoming increasingly intensive, specialized and automated. In the past, DDoS attacks were simply designed to flood data. Today, they are technically sophisticated, automated multi-vector attacks.
The recent record attacks with load peaks of up to 11.5 TBit/s show how much the level has risen. Modern attacks use various methods to circumvent protection mechanisms and achieve maximum impact. Typical approaches include reflection and amplification techniques (e.g. via open DNS or NTP services) or carpet bombing. This involves overloading many ports at the same time.
Artificial intelligence plays a central role when it comes to attacks. With the help of AI tools, attackers can find vulnerabilities and adapt their attacks to the target's defenses. Botnets often consist of thousands of devices such as IoT, server and router devices. They are the technical basis for gigabit and terabit attacks.
Another trend is DDoS-as-a-Service. This enables complex and scalable attacks even for less technically experienced players. Politically motivated attacks, hacktivism and attacks on critical infrastructures and financial service providers are increasing significantly due to DDoS-as-a-Service.
There are more and more attacks. They are getting bigger and bigger and lasting longer and longer. The most massive attacks already exceed the 10 TBit/s mark. They reach a packet rate in the multi-billion range. The attacks are often orchestrated in waves that last several days or weeks. In addition to websites, the target now also includes APIs, authentication servers and backend infrastructures. This leads to major disruptions and service interruptions.
Attack techniques are getting better and better. It is therefore no longer enough to protect yourself reactively. It's about arming yourself against attacks and constantly improving security. In this way, companies and infrastructures can better deal with the dangers from the Internet.
Large language models (LLMs) and other AI tools are making cyber threats worse. Attackers are using advanced technologies to hide DDoS attacks. They change their methods to get around existing defenses. Also, they look for weaknesses in applications and infrastructures.
The use of AI-supported attack tools is exacerbating the DDoS threat situation immensely. Cybercriminals are increasingly using AI-optimized amplification attacks (intelligent amplification attacks) to ensure that attacks have maximum impact with minimal use of resources - for example, by dynamically adapting attack vectors in a matter of seconds. In addition, cyber actors benefit from the use of AI-supported solutions through largely automated and more efficient orchestration of attacks, botnets and attack vectors.
Intelligent attack systems are also able to specifically bypass defense mechanisms such as rate limiting and firewalls. They recognize vulnerabilities and flexibly adapt their attack patterns, which enables the development of auto-evasive attack tactics. In addition, particularly complex and difficult-to-detect attacks can be carried out that increasingly undermine traditional protective measures. Last but not least, AI ensures the autonomous and effective management of botnets, significantly increasing their resilience and attack potential.
DDoS stands for Distributed Denial of Service. It refers to cyber attacks that disrupt websites by sending fake requests. Unlike regular DoS attacks, DDoS attacks come from many sources, usually a large botnet. This makes them harder to defend against.
In Germany, DoS/DDoS attacks on online services are seen as computer sabotage. This is under Section 303b of the German Criminal Code (StGB). Such attacks are subject to criminal prosecution. It does not matter if the attack aims for ransom or is part of a political protest.
In a DDoS attack, cyber criminals cause a large number of artificial requests to a targeted service on the internet. As soon as the victim's web servers are overloaded by the incoming requests, there are delays and outages of the affected service. If no countermeasures are initiated (activation of DDoS protection), the problems continue until the attacker stops the attack.
DDoS attacks cause malicious load on websites and data centers. The attackers aim to cause delays or complete failures. Cyber criminals usually use botnets for the attacks, which bombard the intended target with huge numbers of requests.
Stefan Bordel
Senior Editor
Stefan Bordel has been working as an editor and technical writer at Myra Security since 2020. In this role, he is responsible for creating and maintaining website content, reports, whitepapers, social media content and documentation. This role allows him to bring his extensive experience in IT journalism and technical knowledge to an innovative cyber security company. Stefan previously worked at Ebner Verlag (formerly Neue Mediengesellschaft Ulm) for 7 years and joined the online editorial team at com! professional after working for Telecom Handel. He gained his first journalistic experience during various internships, including at the IT website Chip Online. As a passionate Linux user, he follows the IT scene closely, both privately and professionally.