DDoS protection

DDoS mitigation and cybersecurity

DoS stands for Denial of Service; its escalated form is DDoS, where the additional D stands for Distributed. This is a frequently used type of attack on the Internet. In such an incident, countless requests are sent to a service (YouTube, GitHub, Twitter, etc.) in the shortest possible time. This ultimately leads to an overload, and the affected site is then no longer available to users. This can cause considerable financial damage for the operator of the Internet service. Attackers can blackmail the operators for protection money. Learn more details about this topic and about DDoS protection here.

DDoS attack without appropriate DDoS protection

DDoS attacks have an increasing impact. They overwhelm services with ever-increasing amounts of data. For DDoS security, DDoS protection tools are needed to disperse these data volumes. At the same time, more and more attacks are being recorded in which cybercriminals attack only specific areas of the IT infrastructure. These attacks are, of course, less noticeable. The smaller the application or service, the less data volume is needed for the attack. In addition, DDoS attacks no longer serve only to deny service but are increasingly used as cover to disguise other cyberattacks, including data breaches and financial fraud. Organizations should implement DDoS monitoring and protection tools that detect and block all potential DDoS attacks as they occur. This gives them a comprehensive overview of their networks.

Botnets play a decisive role

Cybercriminals use botnets in most DDoS attacks. Attackers hijack third-party computers in advance, usually with malware such as Trojans or worms. They then control those computers remotely via C&C (Command & Control) servers. In the case of DDoS, they exploit the bandwidth of the victim systems. They make identical requests to the victims' servers simultaneously. You can prevent these attacks with DDoS protection and by implementing proper DDoS security measures.

Memcached server: Cyberattacks are also possible without botnets

Capturing third-party computers or IoT devices can sometimes be very troublesome for attackers. That's why some attacks do not use botnets. Consider the 2018 attack on GitHub, in which memcached servers were abused. These database caching services are meant to make networks and websites faster. Access from the Internet to these servers is possible without authentication; all that is needed is the IP address. The attackers send small requests to several memcached servers simultaneously, about 10 per second per server. The memcached servers are then made to produce a much larger response: they return 50 times the requested data to the victim system. In this way, data requests of several terabytes per second can be generated, which easily lead to the collapse of a service. DDoS protection effectively prevents this type of cyberattack as well.

DDoS protection prevents attacks via DNS reflection

DDoS attacks via DNS reflection work in the same way. The attacker sends the DNS query using the victim's IP address as the source (IP spoofing). The DNS server then sends its response to the victim. This is where amplification comes into play as the next step.

DDoS protection: DDoS protection solutions

Our DDoS protection tools and measures prevent DDoS attacks:

These include web application firewalls (WAF for short), which protect online services on the application layer. In general, these ensure that:

  • The WAF only allows incoming connections from services that are permitted access. This is done with blacklists (lists of non-permitted connections) or whitelists (lists of permitted connections).
  • The same then applies to outgoing connections - these are only possible with explicit permission. This can paralyze botnets, for example, because they can then no longer contact the attackers' command & control server.

Amplification attacks via memcached servers:

  • Remove exposed memcached servers from the Internet and deploy them securely behind firewalls in internal networks.
  • Use filters in WAFs that block memcached traffic when a suspicious number of requests is detected.
  • If network operators can detect the attack command used, they can nip the malicious traffic in the bud by blocking all memcached packets of that length.
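
The request-rate and packet-length filters from the list above, sketched over constructed packet metadata as an added example (not code from the original page or the vendor's product). The record layout, threshold and addresses are assumptions; 11211 is memcached's default port.

```python
from collections import Counter, defaultdict

MEMCACHED_PORT = 11211      # memcached's default port
WINDOW_SECONDS = 1          # size of the counting window
MAX_UDP_REQUESTS = 5        # assumed per-server threshold; tune to your baseline

# Constructed records: (timestamp_s, protocol, src_ip, dst_ip, dst_port, payload_len)
SAMPLE_PACKETS = [
    # Burst of same-length UDP requests carrying one (spoofed) source address
    *[(0.1 * i, "udp", "203.0.113.10", "192.0.2.20", MEMCACHED_PORT, 23) for i in range(8)],
    (0.40, "udp", "198.51.100.5", "192.0.2.20", MEMCACHED_PORT, 41),  # other length
    (0.50, "tcp", "198.51.100.5", "192.0.2.20", MEMCACHED_PORT, 60),  # TCP, not counted
    (0.60, "udp", "198.51.100.9", "192.0.2.20", 53, 23),              # not memcached
    (1.20, "udp", "198.51.100.6", "192.0.2.21", MEMCACHED_PORT, 35),  # low rate
]


def is_memcached_udp(packet):
    """True for UDP packets addressed to the memcached port."""
    _, proto, _, _, dst_port, _ = packet
    return proto == "udp" and dst_port == MEMCACHED_PORT


def find_request_bursts(packets, threshold=MAX_UDP_REQUESTS):
    """Flag (window, server) pairs whose UDP request count exceeds the threshold.

    For each flagged pair, report the most common request length, which is
    the value an operator would feed into a length-based block rule.
    """
    buckets = defaultdict(list)
    for packet in packets:
        if is_memcached_udp(packet):
            ts, _, _, dst_ip, _, length = packet
            buckets[(int(ts // WINDOW_SECONDS), dst_ip)].append(length)
    alerts = {}
    for key, lengths in buckets.items():
        if len(lengths) > threshold:
            dominant_len, count = Counter(lengths).most_common(1)[0]
            alerts[key] = {"requests": len(lengths),
                           "dominant_len": dominant_len,
                           "dominant_count": count}
    return alerts


def drop_by_length(packets, blocked_len):
    """Drop memcached UDP packets of the blocked length; pass everything else."""
    return [p for p in packets
            if not (is_memcached_udp(p) and p[5] == blocked_len)]
```
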

Reflection attacks via “Network Time Protocol”:

  • This is where the web application firewall and a suitable network infrastructure consisting of several data centers can help.
  • Even if a single IP address is the target of the attack, you can distribute the flood of data with a corresponding feature in the firewall. The WAF distributes the incoming load to different data centers. Thus, the attacked service is still available.
Effective DDoS protection: R&S®Web Application Firewall
DDoS protection and cybersecurity
  • Identification of DDoS attacks and differentiation between good and harmful traffic - detection of an attack and limitation of damage
  • Ensuring availability for users during an attack
  • Minimization of downtime
  • Anticipating future attacks and combating them more effectively