A DDoS attack is not a hack, but that's cold comfort when your website is inaccessible for hours or even days. Where do such attacks come from, who's behind them, and most importantly: how can your company protect itself against them?
“The purpose of a DDoS attack is to make a service inaccessible and cause economic damage,” says Wesley Hof, CTO at hosting specialist Combell. His company has the complex task of keeping customers’ websites accessible, even when they are affected by such a Distributed Denial of Service attack.
DDoS attacks are becoming more popular, but also more advanced. What exactly is a DDoS attack? Hof first points out the important difference between DDoS and a classic hack. “In a regular hack, someone with malicious intent breaks in with a specific goal. Often, that’s to somehow access a company’s sensitive data. Hackers can then steal the data, or encrypt it and demand a ransom to undo it.”
Those who fall victim to malware and hackers are dealing with a real digital break-in: something or someone has bypassed the security through a bug or human error and gained access to certain systems. A DDoS attack is different, and you shouldn't really call it a hack at all.
Traffic Jam on the Highway
A DDoS attack doesn't compromise the confidentiality or integrity of online services themselves; it attacks their availability by blocking the path to them. Hof clarifies with an analogy. “Imagine customers want to visit your company physically via the road. Your office is accessible via the highway, for example. When there's too much traffic on that highway, it becomes saturated, traffic jams form, and eventually, traffic comes to a standstill. The customer can't get through and doesn't reach your company.”
Digitally, the situation is similar. Online services are reachable over links of finite capacity: the roads and highways of the analogy. A DDoS attack aims to saturate the link to a service with useless requests, so that legitimate visitors can't get through either. To give you an idea of the scale: Akamai recently blocked the largest DDoS attack ever seen in Europe. It generated about 853 Gbps of traffic in an attempt to make the connection to the target unreachable.
Shooting with a Botnet
To carry out a DDoS attack, an attacker doesn't need access to the target's systems. Criminals do, however, need enough capacity to saturate the highway to their victim. “They get this through what's colloquially called a botnet,” Hof explains. “That's a zombie network consisting of devices, such as computers and servers, that have been hacked without the owner realizing it. On command, thousands or even millions of hacked devices send their connection requests to the target of an attack, making it inaccessible.”
Because the attack comes from different devices all over the world, we call it a distributed attack. “Regular DoS attacks don’t really occur anymore,” Hof observes. “It’s been decades since I’ve seen one. Non-distributed attacks struggle to achieve sufficient capacity to succeed, and are also easier to trace.”
Ideology Over Financial Gain
Because DDoS attacks don’t exploit a vulnerability in the target itself, anyone can theoretically be a victim. However, Hof sees a pattern: “DDoS attacks are more often carried out from an ideological conviction, in contrast to a classic hack where a criminal wants to make money. As a result, we see an increased DDoS risk for more extreme political parties on both sides of the spectrum, matters related to religion, or other outspoken opinions.” Recently, several government websites in Belgium were hit by a DDoS attack from a Russian hacker collective.
That doesn't mean attackers never have an economic motive. They can demand a ransom from the victim to stop the DDoS attack. “This mainly happens with larger companies where the attackers feel the victim would quickly resort to payment, such as insurance companies or banks.”
Protect or Isolate?
Quick patching and a good security policy protect you against classic hacks, but what can you do against a DDoS attack? “First and foremost, your access to the internet must be broad enough,” says Hof. “On a narrow highway, traffic gets stuck quickly.” As a company, you usually don't manage your own internet connectivity, which is precisely why we're having a digital coffee with Combell's CTO: DDoS mitigation largely happens at the hosting provider.
“Some providers choose to temporarily isolate the victim during a DDoS attack,” Hof says. “This way, other customers of the same provider don't experience any hindrance, but the target becomes digitally unreachable, which is of course the attackers' goal.” Combell tries to keep clients reachable at all times and uses a set of tools that immediately indicate how to counter a DDoS attack.
Private Highway
For the provider, the large internet pipe takes the form of a self-managed backbone with peering to major players. Hof: “During a large DDoS attack from the internet, traffic between us and major Belgian providers is not impacted. We have a kind of private highway, called peering, that isn't dependent on the internet.” This capacity, with its alternative routes, already makes it hard for DDoS attackers to take down websites: they need a great many cars to clog the road to Combell's customers.
Furthermore, Combell has good visibility over its network. “When network traffic increases irregularly, we see it immediately and can take action right away.” Filters in Combell's own network then block the DDoS traffic so it doesn't reach the end customer. As a result, a DDoS attack on a Combell customer is essentially an attack on the provider itself: it's the hosting party's capacity that an attacker has to exhaust. This comes at a cost: Combell effectively invests in a huge surplus of network capacity to be able to absorb the enormous peaks that DDoS attacks cause.
Temporary Diversion
Of course, this capacity isn't infinite either. If the flood of packets becomes too large, Combell activates its scrubbing service: the traffic towards the victim is rerouted through a specialized partner with enormous throughput capacity, which filters out the bad packets and lets the good ones through.
The traffic is diverted at the provider level onto the scrubbing partner's enormous highway, so Combell itself remains unaffected. This way, it's usually possible to keep targeted parties online. “Although the reality is that we can never be one hundred percent certain,” Hof says modestly. The DDoS protection operates automatically and proactively, and is included up to a certain level. “We see multiple DDoS attacks daily, from small to medium-sized. We don't need to take action for these. Not everything needs to be scrubbed.”
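The three tiers Hof describes (absorb small peaks with spare capacity, filter medium attacks in the provider's own network, divert the largest ones to a scrubbing partner) can be expressed as a simple triage over sampled flow data. The block below is an added example written for this article, not Combell's tooling: the capacity thresholds, the 1-in-10,000 sampling rate, the flow records and the addresses are all constructed assumptions. It also shows why the "distributed" in DDoS matters for the filter tier: against a handful of sources you can block the sources, but against thousands of bots a source list is useless and the filter has to match the traffic's signature (here, simply its protocol) instead.

```python
"""Tiered DDoS triage over sampled flow records (added example, not Combell's tooling)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical capacities and sampling rate (assumptions, not figures from the article).
LOCAL_FILTER_GBPS = 40.0        # above this, install ACLs on the provider's own edge routers
SCRUB_DIVERT_GBPS = 120.0       # above this, reroute the prefix through the scrubbing partner
BASELINE_MULTIPLIER = 5.0       # rate must also be 5x the destination's normal rate
SAMPLING_RATE = 10_000          # 1-in-10,000 packet sampling, as sFlow/NetFlow export would give
DISTRIBUTED_SRC_LIMIT = 1_000   # more distinct sources than this: per-source ACLs are pointless

# Constructed "normal" traffic per destination in Gbit/s, learned from history in a real deployment.
BASELINE_GBPS = {"192.0.2.10": 0.2, "192.0.2.20": 0.5, "192.0.2.30": 1.0, "192.0.2.40": 2.0}


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    dst: str
    src: str
    proto: str    # "udp", "tcp" or "icmp"
    nbytes: int   # bytes of the one sampled packet


def gbps_per_dst(flows, window_s):
    """Estimated Gbit/s per destination: sampled bytes scaled back up by the sampling rate."""
    total = defaultdict(int)
    for f in flows:
        total[f.dst] += f.nbytes
    return {dst: b * SAMPLING_RATE * 8 / window_s / 1e9 for dst, b in total.items()}


def filter_spec(flows, dst):
    """What an edge ACL for `dst` should match on: sources if few, dominant protocol if many."""
    flood = [f for f in flows if f.dst == dst]
    sources = Counter(f.src for f in flood)
    proto, _ = Counter(f.proto for f in flood).most_common(1)[0]
    if len(sources) > DISTRIBUTED_SRC_LIMIT:
        return {"match": "proto", "proto": proto, "distinct_sources": len(sources)}
    return {"match": "src", "sources": [s for s, _ in sources.most_common(10)],
            "distinct_sources": len(sources)}


def triage(flows, baseline_gbps, window_s=10):
    """Map each destination to 'none', 'local_filter' or 'scrub' for one measurement window."""
    decisions = {}
    for dst, rate in gbps_per_dst(flows, window_s).items():
        base = baseline_gbps.get(dst, 0.1)
        if rate < BASELINE_MULTIPLIER * base or rate < LOCAL_FILTER_GBPS:
            decisions[dst] = "none"           # small/medium peak: absorbed by spare capacity
        elif rate < SCRUB_DIVERT_GBPS:
            decisions[dst] = "local_filter"   # drop it at the provider's own edge
        else:
            decisions[dst] = "scrub"          # beyond local capacity: divert to the scrubber
    return decisions


def synth_flood(dst, gbps, n_sources, proto, window_s=10, pkt_bytes=1400):
    """Constructed sampled flows amounting to roughly `gbps` towards `dst` from `n_sources` bots."""
    n_samples = round(gbps * 1e9 * window_s / 8 / SAMPLING_RATE / pkt_bytes)
    flows = []
    for i in range(n_samples):
        k = i % n_sources                                   # constructed bot address space
        flows.append(Flow(ts=1_700_000_000 + i % window_s, dst=dst,
                          src=f"10.{(k >> 8) & 255}.{k & 255}.9", proto=proto, nbytes=pkt_bytes))
    return flows


def sample_window():
    """One constructed 10-second window: a quiet site, a small, a medium and a huge flood."""
    return (synth_flood("192.0.2.10", gbps=0.2, n_sources=50, proto="tcp")       # normal traffic
            + synth_flood("192.0.2.20", gbps=8.0, n_sources=800, proto="udp")     # small flood
            + synth_flood("192.0.2.30", gbps=60.0, n_sources=30, proto="udp")     # few fat sources
            + synth_flood("192.0.2.40", gbps=200.0, n_sources=20_000, proto="udp"))  # real botnet


if __name__ == "__main__":
    window = sample_window()
    for dst, action in sorted(triage(window, BASELINE_GBPS).items()):
        line = f"{dst:12} {gbps_per_dst(window, 10)[dst]:7.1f} Gbit/s -> {action}"
        if action == "local_filter":
            line += f"  ACL: {filter_spec(window, dst)}"
        print(line)
```

The small 8 Gbit/s flood is well above its baseline but stays at "none", which is the "not everything needs to be scrubbed" case; the 60 Gbit/s flood from 30 sources gets a source-based ACL; the 200 Gbit/s flood from tens of thousands of bots exceeds the local threshold and is handed to the scrubber. In a real network the "scrub" action would be a BGP announcement of the victim's prefix towards the scrubbing partner, and the ACL would be pushed to the edge routers; both are outside this example.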
Scrubbing is a paid service, although Combell won’t let a customer suffer during a first attack. “When necessary, we activate the service and ensure everything is in order. If the attacks persist, we do sit down with the customer.”
As an end-user, you can also contribute. “Next-gen firewalls and web application firewalls help in handling a DDoS attack. Protection always happens across multiple layers.”
Storm to Weather
Ultimately, anyone can be targeted by a DDoS attack, regardless of your company's size. What happens next largely depends on the party providing your internet connection. In the worst case, your website is temporarily taken offline to protect the other customers sharing the same hosting provider. As mentioned, Hof doesn't support this approach, because it plays into the attackers' hands. In the best case, nothing happens at all, thanks to mitigation, ample capacity on the digital highway, and scrubbing via specialized parties.
A DDoS attack cannot be stopped at the source; it can only be absorbed. The attack itself is a storm, and all you can do is try to keep your head above water until it subsides. Hof: “Attackers also take a risk by directing a large botnet at a victim.” Large and dangerous botnets are actively hunted and, where possible, neutralized, as happened last year with the Emotet botnet.
Rising Danger
In practice, Belgian hosting providers and their customers are not the preferred targets of the most dangerous organizations. “We are not in the target group,” Hof observes. “Our customers are not attractive enough for the attackers. Facebook and Microsoft might be.”
On the other hand, attacks are becoming increasingly larger. Just like in all other aspects of security, DDoS protection is a cat-and-mouse game. The capacity of DDoS attacks is constantly increasing, so the capacity of defense mechanisms must also improve. For now, this seems to be working quite well.
This is an editorial contribution in collaboration with Combell.