DDoS Attack

The web shop no longer loads, the customer portal reports timeouts: DDoS attacks target the availability of digital services and thereby strike the foundation of many business models. Unlike a break-in, the attackers do not penetrate any system. They overload it from the outside until regular requests no longer receive a response.

The barriers to entry are low. Ready-made attack services can be rented on the underground market for little money, and the targets range from online retailers to public administration. A robust plan against DDoS therefore belongs to the basic equipment of operational security, just like backups or antivirus protection.

What is a DDoS attack?

DDoS stands for "Distributed Denial of Service". The goal is to overload an online service, a server or a network connection so severely that legitimate requests are no longer answered. The service is then unreachable for customers and employees, even though no break-in into systems has taken place. Depending on the target, the attack is directed against individual web applications, against the internet connection of a site or against upstream services such as DNS.

The "distributed" part describes the method: the requests come from many distributed sources at once, often from a botnet of thousands of hijacked computers, servers and IoT devices. This distribution makes defense considerably harder, because the attack traffic can hardly be blocked via individual sender addresses. The strength of an attack is expressed, depending on the type, in gigabits per second, packets per second or requests per second.

Common motives are extortion, distraction from break-in attempts running in parallel and politically motivated actions. In the context of ransomware campaigns, too, perpetrators use DDoS attacks as an additional means of pressure.

How such an attack works

The basis is almost always a botnet: a network of compromised devices that the attacker controls centrally. The devices belong to unsuspecting owners whose routers, cameras or servers are misused in the background. On command, all of them send requests to the target simultaneously. By technique, three categories can be distinguished:

  • Volumetric attacks: They flood the target's internet connection with enormous amounts of data until the line is saturated. Amplification techniques via openly accessible DNS or NTP servers multiply the traffic generated, turning small requests into huge streams of responses.
  • Protocol attacks: They exploit weaknesses in network protocols and exhaust the resources of servers, firewalls and load balancers. One example is the SYN flood, in which vast numbers of half-open TCP connections fill the connection tables until no new connections are accepted.
  • Application-layer attacks (Layer 7): They imitate regular user requests, such as complex search queries or login attempts, and drive up the load on the application. These attacks require comparatively little bandwidth and are hard to distinguish from genuine traffic.

In practice, perpetrators combine several techniques and switch vectors during the attack. Forged sender addresses (IP spoofing) additionally obscure the origin. Short test attacks serve as proof of feasibility, followed by an extortion message with the threat of expanding the attack.

Why this topic matters

At first glance, DDoS seems like a purely technical problem. In fact, it affects revenue, reputation and compliance in equal measure:

  • Direct revenue losses: every minute of unavailability costs money, especially in online retail, booking systems and customer portals.
  • A low barrier to entry for perpetrators: rentable attack services turn DDoS into a mass phenomenon that can hit any reachable target.
  • Diversionary tactics: while IT is busy with defense, break-in attempts or data theft sometimes run in the background.
  • Loss of trust: repeated outages get around quickly, among customers as well as partners, and burden business relationships lastingly.
  • Regulatory requirements: requirements such as NIS-2 demand demonstrable measures to maintain operations from many companies.
  • Dependence on third parties: attacks on hosting providers, DNS providers or other service providers can also drag your own services into an outage.

Typical scenarios

As different as the targets are, the patterns resemble one another:

  • Extortion in online retail: shortly before a high-revenue period, a retailer receives a ransom demand, accompanied by a short demonstration attack on the shop.
  • Layer 7 attack on the customer portal: a botnet sends vast numbers of login requests. The database collapses under the load, even though the internet connection remains inconspicuous.
  • An attack as a smokescreen: in parallel with the DDoS wave, perpetrators try to penetrate the network via a vulnerability. The security team notices the break-in only with a delay.
  • An overloaded site connection: the attack targets the public IP address of the company headquarters. VPN access, cloud connectivity and telephony fail at the same time.
  • Continuous strain on an API: over weeks, ever new waves of requests hit the interfaces of a software provider. Without automated filtering, the defense ties up the operations team around the clock.

DDoS and DoS: the difference

A DoS attack (Denial of Service) originates from a single source, such as a single server. Such attacks can be stopped comparatively easily by identifying and blocking the source. The term DoS also generally describes the state of unavailability, regardless of the number of sources involved.

In a DDoS attack, the traffic is distributed across thousands of sources worldwide. Blocking individual addresses comes to nothing, and the sheer volume exceeds the capacity of local protection systems. Local appliances are structurally at a disadvantage against large volumetric attacks, because their effect ends at the bandwidth of their own connection. Effective defense therefore filters the traffic upstream in globally distributed cloud infrastructures before it reaches the company's own line. For planning, this means: bandwidth can hardly be sensibly oversized on-site, whereas filtering capacity in the cloud can.

Protection with KAEMI

Availability can be planned. KAEMI protects web applications, APIs and networks with Application Security based on the globally distributed Cloudflare platform, including DDoS mitigation, a web application firewall and bot management. In addition, our experts analyze your architecture for bottlenecks as part of the Professional Services and draw up a response plan for an emergency together with you. This keeps your organization able to act while automatic filters intercept the bulk of the attack traffic. Via the contact page , you can reach our team for an initial assessment.

Frequently asked questions about DDoS Attack

How do I recognize a DDoS attack on my company?

Typical signs are suddenly greatly slowed or unreachable services, unusually high incoming data traffic, many requests from changing addresses to the same resource, and saturated firewalls or load balancers. It is important to compare against other causes such as configuration errors or legitimate load peaks. Monitoring with baseline values for the normal state makes the deviation quickly visible.

How long does a typical DDoS attack last?

The spectrum ranges from a few minutes to several days. Many attacks are short and serve as a test or a means of pressure, while others run in waves over weeks. What is decisive is less the duration than the preparation: with upstream protection, the attack traffic is filtered automatically, without your teams having to fend off every wave manually.

Can a firewall fend off a DDoS attack?

Only to a very limited extent. Against small protocol attacks, firewall rules and rate limiting help. Large volumetric attacks, however, saturate the internet connection before the firewall can intervene, and under protocol attacks the connection tables of the devices themselves collapse. Effective protection therefore filters the traffic upstream in a globally distributed cloud infrastructure before it reaches your line.

What does DDoS protection cost for a mid-sized company?

The cost depends on the scope of protection: the number of applications and domains, the required bandwidth, the requirements for a web application firewall and bot management, and the desired level of support. Cloud-based services are usually billed as a monthly subscription and are considerably cheaper than your own defense infrastructure. As a managed service provider, KAEMI calculates the protection to fit your environment and takes on operation and adjustment.

Are DDoS attacks a criminal offense, and should I file a report?

Yes. In Germany, DDoS attacks are a criminal offense as computer sabotage, and commissioning an attack service is also a crime. Affected companies should secure evidence, namely log data, timestamps and extortion messages, and file a report with the central cybercrime contact points of the state criminal police offices. For critical services, reporting obligations toward the BSI are added.

From term to implementation: KAEMI supports you from the first assessment to day-to-day operations.