1. What is DDoS?
DDoS stands for “Distributed Denial of Service.” A large number of simultaneous requests from many sources is used to overload the targeted website, network, or server so that it is no longer accessible to users, or only to a very limited extent. DDoS attacks are classified as cybercrime.
2. Pattern of a DDoS attack
Many different end devices are first infected with malware and then combined into a so-called botnet that can be controlled remotely. The owners of the compromised devices usually do not notice this. The botnet then simultaneously generates a large number of requests or data packets that are sent specifically to a server or website. This overloads both server resources and the available Internet connection. As a result, websites and applications respond much more slowly or are temporarily unavailable.
3. Distributed Reflected Denial of Service Attack (DRDoS)
DRDoS attacks are a special form of DDoS that combine IP spoofing, reflection, and often amplification. Attackers send a large number of small requests carrying the target's forged sender IP address (IP spoofing) to uninvolved, open resolvers or other reflective services (known as reflectors). These reflectors send their responses to the actual target (reflection), overloading its bandwidth and availability. Well-known examples are DNS amplification and NTP, SSDP, or CLDAP amplification. With these services, the response packets are significantly larger than the original requests, resulting in a high amplification factor (e.g., 50 or more).
In practice, DDoS attacks often occur as so-called multi-vector attacks. Several types of attack across different OSI layers (see Section 5, “Attacker methods”) are combined to circumvent protective measures and amplify the effect of the attack.
4. Potential attackers and their targets
Criminal organizations usually pursue financial motives through extortion or fraud. They typically select their victims specifically, such as online shops, banks, or payment services. Criminal competitors who want to weaken the competition also use DDoS attacks. Politically or ideologically motivated hacktivists use DDoS attacks to express protest, make statements, or exact revenge by attacking government websites, authorities, or the media.
State actors such as secret services or military cyber units use cyber attacks for warfare, intimidating enemy countries and severely damaging their infrastructure by attacking media, banks, institutions, or communication channels. Distraction or the influencing of information can also be primary objectives. In addition, there are individuals, also known as “script kiddies,” who tend to have less expertise and attack various targets such as websites or game servers out of boredom or for “fun.”
5. Attacker methods
There are various types of DDoS attacks, which can be classified according to the seven layers of the OSI model. Layers 3 (volumetric attacks on the network layer), 4 (protocol attacks on the transport layer), and 7 (attacks on the application layer) are particularly relevant for DDoS attacks.
5.1. Layer 3 and Layer 4 attacks
Layer 3 attacks aim to exhaust the available bandwidth. Massive amounts of data are sent to a target at high data rates, overloading the Internet connection of the server or router. One example is UDP floods, in which random UDP packets are sent to the target; the server has to check each one and respond, even though the requests are useless, which consumes bandwidth unnecessarily. Another example is ICMP floods, which flood a target server or router with ping requests. The server attempts to process and respond to these requests, consuming CPU and bandwidth.
Layer 4 attacks exploit weaknesses in the TCP or UDP transport protocols and target transport layer resources such as ports, memory, and CPU. A classic example is TCP SYN floods, in which attackers send a large number of SYN packets to a server, which responds with SYN-ACK packets but never receives the final ACK that would complete the connection. The resulting half-open connections remain in the SYN backlog, consuming memory and CPU and filling the backlog, so that legitimate connections can no longer be established. In addition to SYN floods, TCP-based attacks can also take the form of ACK, RST, and FIN floods.
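As an added example (not from the original article), the following Python sketch shows the idea behind SYN cookies, the standard stateless countermeasure to the backlog exhaustion described above: instead of storing a half-open entry, the server encodes a keyed MAC of the connection 4-tuple, the client's ISN and a coarse timestamp into its own initial sequence number, and allocates connection state only when an ACK carrying a valid cookie returns. The secret, tick size and bit layout are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed server-side secret for this example; a real stack rotates it periodically.
SECRET = b"example-syn-cookie-secret"
TICK_SECONDS = 64      # time is encoded in coarse 64-second ticks (5 bits, mod 32)
MAX_TICK_AGE = 2       # accept cookies minted in the current or the previous tick
MAC_BITS = 27
MAC_MASK = (1 << MAC_BITS) - 1


def _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """Keyed MAC over the 4-tuple, the client's ISN and the full (unmasked) tick counter."""
    msg = struct.pack("!HHIQ", src_port, dst_port, client_isn & 0xFFFFFFFF, tick)
    msg += src_ip.encode() + b"|" + dst_ip.encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Return the server ISN to place in the SYN-ACK. No per-connection state is kept."""
    tick = int(now) // TICK_SECONDS
    mac = _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    return ((tick & 0x1F) << MAC_BITS) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_ack, now):
    """Validate the handshake's final ACK: ack_seq is the client's sequence number
    (client ISN + 1) and ack_ack its acknowledgement number (server ISN + 1)."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie_tick = cookie >> MAC_BITS
    current_tick = int(now) // TICK_SECONDS
    for age in range(MAX_TICK_AGE):
        tick = current_tick - age
        if (tick & 0x1F) != cookie_tick:
            continue                          # cookie was not minted in this tick
        expected = _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
        # Constant-time comparison. The MAC covers the full tick, so a stale cookie
        # from 32 ticks ago that shares the 5-bit index still fails here.
        if hmac.compare_digest(struct.pack("!I", cookie & MAC_MASK),
                               struct.pack("!I", expected)):
            return True
    return False                              # forged, replayed or expired cookie
```

Production stacks (for example Linux with net.ipv4.tcp_syncookies) additionally encode the negotiated MSS in the cookie, because TCP options from the original SYN cannot be remembered without state.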
5.2. Layer 7 attacks
Attacks on Layer 7 look like normal traffic and are therefore particularly difficult to detect. They target web applications rather than the network connection, for example by sending ordinary HTTP requests that appear to come from genuine users. Another type of Layer 7 attack is low-and-slow attacks (such as Slowloris), in which attackers send very slow or incomplete requests to keep connections open for as long as possible and tie up server resources such as threads. DNS query floods are also considered Layer 7 attacks: they flood DNS servers with seemingly legitimate requests for random subdomains, without resorting to reflection or amplification.
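The random-subdomain DNS query flood described above leaves a recognizable footprint in resolver or authoritative server logs. As an added example (not from the original article), this Python detector combines per-client query volume, NXDOMAIN share, the share of names that never repeat, and the entropy of the leftmost label; the log format, thresholds and sample lines are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log lines, "<epoch> <client_ip> <qname> <qtype> <rcode>" (not real traffic).
SAMPLE_LOG = """\
1700000000 192.0.2.10 www.example.com A NOERROR
1700000001 192.0.2.10 mail.example.com MX NOERROR
1700000000 203.0.113.7 x7k2qp9z.example.com A NXDOMAIN
1700000000 203.0.113.7 q0v8mzt1.example.com A NXDOMAIN
1700000001 203.0.113.7 a9d3lkw4.example.com A NXDOMAIN
1700000001 203.0.113.7 n2r7ypc5.example.com A NXDOMAIN
1700000002 203.0.113.7 zz39qlm0.example.com A NXDOMAIN
""".splitlines()


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def detect_query_flood(lines, zone, min_queries=5, min_nxdomain_ratio=0.8,
                       min_unique_ratio=0.8, min_entropy=2.5):
    """Return client IPs whose queries under `zone` look like a random-subdomain flood:
    high volume, mostly NXDOMAIN, names that never repeat, high-entropy leftmost label."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "ent": 0.0})
    suffix = "." + zone.lower()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                                  # skip malformed lines
        _ts, client, qname, _qtype, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue                                  # only the protected zone matters
        s = per_client[client]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(qname)
        s["ent"] += label_entropy(qname.split(".")[0])   # leftmost label carries the randomness
    flagged = []
    for client, s in per_client.items():
        n = s["total"]
        if (n >= min_queries and s["nx"] / n >= min_nxdomain_ratio
                and len(s["names"]) / n >= min_unique_ratio and s["ent"] / n >= min_entropy):
            flagged.append(client)
    return sorted(flagged)
```

Because DNS runs over UDP, the client address in such logs can itself be spoofed, so the zone-wide NXDOMAIN rate should be watched alongside the per-client view.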
5.3. Combined layer attacks
There are also attack methods that span multiple OSI layers, such as DNS amplification, a variant of DRDoS. Attackers exploit both properties of the network layer (layer 3), by spoofing the sender's IP address (IP spoofing), and properties of the transport layer (layer 4), via the connectionless UDP protocol. Small requests sent to open DNS servers trick them into sending significantly larger response packets to the actual target, overloading its bandwidth and availability.
6. Legal classification
DoS/DDoS attacks regularly constitute computer sabotage under Section 303b (1) No. 2 of the German Criminal Code (StGB) if they intentionally cause significant disruption to data processing that is essential for another party. Such measures are only permissible within the scope of expressly authorized security checks or load tests, for example on one's own network or with the clear consent of the operator.
7. Consequences of an attack
DDoS attacks can result in economic damage, damage to reputation, and security risks in particular. Economic consequences arise from direct losses in revenue due to the blocking of sales and service channels, particularly for online retailers, banks, gaming/streaming, and other real-time services. Other serious consequences include downtime costs for incident response, recovery, and additional security investments, as well as contractual penalties for SLA violations. Damage to reputation arises from repeated outages, which reduce the trust of customers and partners, lead to customer churn, and impair market value in the long term. Data theft also often occurs as a secondary consequence, as the DDoS serves as a distraction: while IT teams are busy dealing with the overload, parallel attacks such as ransomware or exfiltration take place.
8. Relevance of IoT devices
IoT in connection with DDoS attacks primarily refers to the use of insecure Internet of Things (IoT) devices. Due to often inadequate security measures (e.g., default passwords or missing firmware updates), these devices can be compromised en masse as “zombies” in botnets. Examples of particularly vulnerable IoT devices include smart home components such as smart TVs, but also network devices such as printers, webcams, or Wi-Fi repeaters, as well as industrial IIoT systems such as sensors. Since there are a huge number of IoT devices and they often pose an increased security risk, there is enormous potential for attack. When connected in botnets, they are ideal for DDoS attacks. In addition, IoT devices are usually permanently online and rarely monitored, so compromises often go unnoticed for a long time.
9. Which industries are affected?
DDoS attacks affect all industries, as almost all business processes today depend on the availability of digital services. However, industries whose services are publicly accessible and time-critical are particularly frequently affected. These include banks, financial service providers, and insurance companies, where online system failures quickly lead to financial losses and a loss of trust. Public administration and healthcare institutions are also at risk, as their IT systems provide essential services for citizens and medical care. In addition, operators of critical infrastructure (KRITIS), manufacturing companies, e-commerce providers, and media companies are also targeted by attackers.
10. Defense against DDoS attacks
DDoS protection solutions work in multiple stages. They analyze, filter, and distribute incoming traffic to defend against attacks while allowing legitimate requests to continue reaching the application. Multi-layered filtering continuously monitors incoming connections, e.g., based on IP reputation, protocol anomalies, request rates, header patterns, or known signatures, to filter out malicious packets/requests at an early stage. This involves a combination of network filters (ACLs, firewalls), DDoS appliances, web application firewalls (WAF, at the customer's site), and, if necessary, bot management, which check different criteria (volume, protocol, content, and behavior) one after the other.
All traffic is first routed through an upstream HTTP/S reverse proxy (at the customer's site) or a scrubbing center, which removes attacks. This means that only valid requests are passed on, reducing the load on backend systems. This ensures that web-based services such as APIs and online shops remain accessible even under attack load, minimizing timeouts, server errors, and interruptions, which protects the user experience, performance, and revenue.
Services that are sensitive to latency and packet loss, such as VoIP, also benefit, as volume and protocol attacks on SIP and RTP traffic are intercepted before they reach the communication servers, maintaining call quality and stability. The availability of the DNS infrastructure is also ensured by defending against amplification and query floods, so that name resolution remains fast and dependent services remain functional.
This is precisely the multi-stage process we follow at aixit: through a combination of network and infrastructure measures, we reliably protect customer environments from volumetric and protocol-based DDoS attacks. With the help of continuous traffic analysis, intelligent filtering mechanisms, and the use of network filters and firewalls, malicious traffic is detected and blocked at an early stage, while legitimate requests continue to be allowed through. This ensures that your infrastructure remains stable and available even under high load.
Further information on our DDoS protection can be found here.
We are happy to assist you with any questions or provide individual advice on suitable protective measures for your infrastructure.