Distributed Denial of Service attacks can cause servers to collapse – Amazon and Twitter are prominent examples. The number of attacks is growing rapidly. How can companies protect themselves?
Amazon and Twitter, the blog of US security expert Brian Krebs and the German Chancellor’s office website: The list of victims of Distributed Denial of Service (DDoS) attacks is constantly growing and the number of DDoS attacks is rising. According to an IDG Connect DDoS survey, companies experience up to 15 DDoS attacks each year and systems are offline for an average of 17 hours.
Dire consequences for businesses
The principle behind DDoS attacks is as simple as it is effective, and painful for its victims. Cyber criminals direct more traffic at an IP address than the systems (or the upstream link) behind it can handle, and the servers stop responding to legitimate requests. In September 2016, attackers directed roughly 1 terabit of traffic per second at the servers of a French hosting provider, breaking the previous record for attack volume.
The consequences of a DDoS attack can be dire: online stores are inaccessible; e-mail servers can’t send or receive messages and employees can’t be reached. Loss of revenue and reputation can do permanent damage to the company and impact customer confidence. DDoS attacks can sometimes be followed up by blackmail attempts where attackers threaten to strike the systems again.
Connected devices involved in DDoS attacks
While it used to be difficult to flood a single target with large quantities of data, connected devices in the Internet of Things now give attackers entirely new options for DDoS attacks. Video cameras, heating controls, receivers: every device connected to the Internet contains a small processor. Individual devices are not especially powerful, but attackers can easily bundle them into botnets, which then bombard a target with tens of thousands of requests per second. Criminals do not even need advanced IT skills to carry out such an attack: tools and DDoS-for-hire services can be bought on the Internet.
Different methods to avert DDoS attacks
More than one third of the 250 IT decision-makers and consultants surveyed in a study by Link11 and TeleTrusT have been victims of DDoS attacks. What can be done to protect their systems? Many IT departments consider themselves powerless against such attacks, since even dedicated firewalls cannot stop them: a firewall on the company's own premises sits behind the Internet connection, so by the time it drops the attack packets the link itself is already saturated. The firewall can keep the attack from reaching the servers, but only by closing the ports and blocking all web traffic, which takes the service offline just as surely as the attack would.
Filter data traffic in the backbone
Providers can offer an alternative, because they can act upstream, before the traffic reaches the customer's link. They analyze data traffic in the backbone of the network and intervene when they detect abnormally high volumes directed at an IP address. The provider coordinates the method used closely with the targeted company. With blackholing, for instance, the provider discards all traffic destined for the attacked address, legitimate packets included; this sacrifices that one address but frees up the connection for the rest of the customer's range, and is most useful when the attacked address is one the customer does not actually need (an unused address in its range, for example). Filter lists are also effective: the company specifies which senders are permitted to reach the connection, and all other requests are dropped upstream. A third method is traffic scrubbing, in which the customer's traffic is rerouted through a filtering system (typically a virtual machine or appliance in the provider's network) that flags and discards harmful IP packets, so that only clean traffic reaches the customer's systems and the company can keep working without interruption.
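As an added illustration (this code is not from the original article or from any provider's product), the following Python sketch models the provider-side steps described above: aggregating traffic volume per destination address, flagging an address that receives far more than its normal volume, and then applying either blackholing (drop everything to the attacked address) or a filter list (only permitted senders reach it). All IP addresses, flow records, baselines and the 10x detection factor are constructed assumptions; traffic scrubbing is not modelled.

```python
"""Toy model of upstream DDoS defences: volumetric detection per
destination, then blackholing or a filter list applied before the traffic
reaches the customer's link. All data below is constructed, not measured."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # source address
    dst: str     # destination address
    nbytes: int  # bytes carried towards dst in the measurement window


WINDOW_SECONDS = 1

# Assumed normal inbound rate per customer host (bits per second).
BASELINE_BPS = {"203.0.113.10": 5_000_000, "203.0.113.20": 5_000_000}
DEFAULT_BASELINE_BPS = 1_000_000  # assumed for hosts without a baseline

# Constructed one-second sample: a few legitimate flows plus a flood from
# 2,000 bot sources aimed at the web server 203.0.113.10.
SAMPLE_FLOWS = (
    [Flow("198.51.100.7", "203.0.113.10", 400_000),   # partner network
     Flow("198.51.100.8", "203.0.113.10", 250_000),
     Flow("192.0.2.30", "203.0.113.20", 300_000)]     # mail server, normal
    + [Flow(f"100.64.{i // 256}.{i % 256}", "203.0.113.10", 60_000)
       for i in range(2000)]
)


def rates_bps(flows, window=WINDOW_SECONDS):
    """Bits per second per destination address over the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.nbytes
    return {dst: total * 8 / window for dst, total in totals.items()}


def detect_targets(rates, baseline, factor=10.0):
    """Addresses receiving more than `factor` times their normal volume."""
    return sorted(dst for dst, bps in rates.items()
                  if bps > factor * baseline.get(dst, DEFAULT_BASELINE_BPS))


def blackhole(flows, target):
    """Blackholing: every packet to `target` is discarded upstream,
    legitimate traffic included; the other addresses on the link are relieved."""
    return [f for f in flows if f.dst != target]


def filter_list(flows, target, permitted):
    """Filter list: only senders inside the `permitted` networks reach
    `target`; traffic to other destinations is left untouched."""
    nets = [ip_network(n) for n in permitted]
    return [f for f in flows
            if f.dst != target or any(ip_address(f.src) in n for n in nets)]


def run_demo(flows=SAMPLE_FLOWS):
    """Detect attacked addresses and compare the two mitigation policies."""
    before = rates_bps(flows)
    targets = detect_targets(before, BASELINE_BPS)
    result = {"targets": targets, "before": before}
    for t in targets:
        bh = blackhole(flows, t)
        al = filter_list(flows, t, ["198.51.100.0/24"])  # assumed partner range
        result[t] = {
            "blackholed_bps_to_target": rates_bps(bh).get(t, 0.0),
            "allowlisted_bps_to_target": rates_bps(al).get(t, 0.0),
            "flows_left_blackhole": len(bh),
            "flows_left_allowlist": len(al),
        }
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the trade-off the text describes: blackholing leaves the web server completely unreachable (0 bit/s, only the mail-server flow survives), while the filter list keeps the partner traffic flowing at its normal rate and still discards the 2,000 bot flows. A filter list only works, of course, when the company can enumerate its legitimate senders in advance; for a public web shop that is rarely possible, which is why scrubbing exists.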
Monitor the connection and react to attacks
When the company detects a DDoS attack, it should contact its provider as soon as possible so that defensive measures can be started and damage kept to a minimum. The provider's experts then monitor the connection for the duration of the attack, which can last for several weeks, and adjust their methods if the criminals change tactics. Once the attack has subsided, the provider switches back to the original routing and the customer again has an unfiltered Internet connection. Filter lists can remain active.
Mitigation by the provider is reactive: it can only begin once the connection is already under attack, so the preparation has to happen beforehand. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) recommends such preparatory measures (document in German): for instance, the company and its provider can agree in advance which methods are to be used and exchange emergency telephone numbers, so that no time is lost working this out while the systems are down. The BSI also offers general tips on anti-DDoS measures.