DDoS attacks: where do they come from and how can you stop them?

A DDoS attack is not actually a hack, but that is cold comfort when your website is unavailable for hours or even days. Where do such attacks come from? Who is behind them? And most importantly, how can you protect your business against them?

"The purpose of a DDoS attack is to make a service unavailable and cause financial damage", says Wesley Hof, CTO at hosting specialist Combell. His company has the challenging task of keeping customers' websites available, even when they are hit by such a Distributed Denial-of-Serviceattack.

DDoS attacks are becoming more widespread, but what exactly is a DDoS attack? Hof starts by pointing out the significant difference between DDoS and a classic hack. "A regular hack is when a malicious person breaks in for a specific purpose. Most of the time, that purpose is to somehow get hold of a company's sensitive data. Hackers can then steal the data, or encrypt it and then ask for a ransom to make it usable again."

Anyone who falls victim to malware and hackers is dealing with real digital theft. Something or someone has managed to get past the security system by exploiting a bug or human error and has thus gained access to certain systems. This is in contrast to a DDoS attack, which cannot really be called a hack.

Like a traffic jam on the highway

A DDoS attack does not affect the integrity of online services themselves, but blocks the access to them. Hof clarifies this point with an analogy. "Suppose customers want to visit your company physically and that your office can only be reached by car, taking the highway. When there is too much traffic on that highway, it becomes congested, causing traffic jams and eventually a complete standstill. The customer can no longer make his way through the traffic and does not come to visit your company."

In the digital world, the situation is very much the same. Online services are connected via connections with variable capacity: roads and highways. DDoS attacks aim to flood the connection to a service with useless requests, making it impossible for any legitimate visitor to pass through. Just to give you an idea, Akamai recently blocked the largest DDoS attack ever recorded in Europe. It generated some 853 Gbps of data traffic in an attempt to make the connection to the target impossible to establish.

Shooting with a botnet

So, when an attacker wants to carry out a DDoS attack, he or she does not need to have access to the target's systems. However, the criminal must have sufficient resources to be able to flood the highway leading to his or her victim. "Attackers achieve that through what is commonly known as a botnet," Hof says. "That is a zombie network consisting of devices, such as computers and servers, which have been hacked without the owner noticing. When activated, thousands or even millions of hacked devices send their connection requests to the target of an attack, which thereby becomes unavailable."

Given that the attack originates from various devices across the globe, we refer to this as a distributed attack. "Ordinary DoS attacks are actually no longer occurring nowadays", Hof observes. "It has been decades since I have seen one. Non-distributed attacks struggle to get enough resources to be successful, and are also easier to track."

Ideology comes before money

Theoretically, considering that DDoS attacks do not exploit a vulnerability on the website of the target itself, anyone can be a victim. Still, Hof sees a pattern here: "DDoS attacks are carried out more out of ideological conviction. Regular hacking, on the other hand, is a way for criminals to make money. As a result, we see an increased DDoS risk for more extreme political parties on both ends of the spectrum, things to do with religion or other outspoken opinions."

DDoS attacks are carried out more out of ideological conviction.

Wesley Hof, CTO Combell

This, however, does not mean that there is never a financial incentive for attackers. They can require payment of a penalty fee from victims to make the DDoS attack stop. "This happens mainly with larger companies where the attackers know that the victim will probably pay the price very quickly, such as insurance companies or banks."

Protect or isolate?

Fast patching and a solid security policy protect you from regular hacks, but what can you do against a DDoS attack? "First and foremost, your access to the Internet must be broad enough," says Hof. "On a narrow highway, traffic jams form quickly." As a company, you usually do not have the connectivity to the Internet under your control, which is also the reason why we went for a digital coffee with Combell's CTO. DDoS mitigation is indeed largely provided by the hosting provider.

"Some providers choose to temporarily isolate the victim during a DDoS attack," Hof knows. "This way, the other customers of that same provider cannot be affected, but the target remains unavailable on the Internet, which is of course what the attackers want." Combell always strives to keep its customers online and therefore uses a set of tools that immediately show you how to overcome a DDoS attack.

Private highway

For the provider, the large Internet pipeline takes the form of a self-managed backbone with peering to large ISPs. Hof: "In the event of a major DDoS attack occurring on the Internet, the traffic between us and major Belgian providers would not be affected. We have some kind of private highway, called peering, that is not dependent on the Internet." That large capacity with alternative routes alone makes it difficult for DDoS attackers to take down websites. They really need a lot of cars to bring the traffic to customers to its knees.

Furthermore, Combell closely monitors its network. "When network traffic increases irregularly, we immediately notice it and can take immediate action." The filters in this in-house network then block the DDoS traffic so that it does not reach the end customer. This means that a DDoS attack that targets one of Combell's customers is in fact an attack on the provider itself. It is the capacity of the hosting provider that the attacker needs to bring down. And that comes at a price: Combell actually invests in a huge surplus of network capacity in order to be able to cope with the extreme peaks caused by DDoS attacks.

Temporary bypass

Of course, this capacity is not unlimited either. If the flood of packets grows too large, Combell activates its scrubbing service. In that case, the traffic to the victim is re-routed through a specialised partner that boasts enormous throughput capacity. This partner takes out the bad packets and lets the good ones through.

The traffic is already redirected at provider level to the scrubbing partner's huge highway, so that Combell itself remains unaffected. This way, we always manage to keep the targeted customers online. "Although the reality is that we can never be 100% sure", Hof says humbly. DDoS protection is automatic and proactive, and is included to a certain level. "Every single day, we spot several small to medium-sized DDoS attacks. We do not have to do anything about those. Not everything needs to be scrubbed."

Every single day, we spot several small to medium-sized DDoS attacks.

Wesley Hof, CTO Combell

Scrubbing is a paid service, but Combell will not let a customer down after a first attack. "When necessary, we activate the service and make sure everything is fine. If the attacks continue, we meet with the customer to discuss the matter."

As an end user, you can also do your bit. "Next-gen firewalls and web application firewalls can be helpful in dealing with a DDoS attack. Protection is always achieved across multiple layers."

Storms to brave

Ultimately, anyone can be targeted by DDoS attacks, regardless of the size of your business. What happens in such cases is largely dependent on the company that provides your connection to the Internet. At worst, your website is temporarily taken offline to protect those who share the same hosting provider. As previously mentioned, Hof does not support this approach, because it is playing into the hands of the attackers. And at best, nothing happens at all, thanks to mitigation, a large digital highway capacity and scrubbing services provided by experts.

Unfortunately, there is no way to stop a DDoS attack. The DDoS attack itself is like a storm, and all you can do is try your best to keep your head above water. Sooner or later, the storm will pass. Hof: "Attackers are also taking a risk themselves by targeting a victim with a large botnet. After all, large and dangerous botnets are actively sought out and, if possible, neutralised. That happened last year with the Emotet botnet."

Increasing danger

In practice, Belgian hosting providers and their customers are therefore not among the preferred targets of the most dangerous organisations. "We are not in the target group," observes Hof. "Our customers are not attractive enough for the attackers. Facebook and Microsoft, on the other hand, might very well be."

But at the same time, attacks are becoming more and more powerful. As in all other areas of security, DDoS protection is a game of cat and mouse. The capacity of DDoS attacks is constantly increasing, which means that the capacity of the defence mechanisms must grow accordingly. For the time being, this seems to be working out quite well.