In recent days and weeks, Distributed Denial of Service (DDoS) attacks on websites of cities, municipalities, and other organizations have been all over the news. Especially in the run-up to local elections, these incidents have caused some nervousness, raising various questions:
- What is a DDoS attack?
- How can I protect my organisation against it?
- Is Belgium particularly vulnerable to such attacks?
- Can we contribute individually?
In this article, Wim Remes, Head of Operations at Spotit, clearly explains what a DDoS attack is, why this type of attack is possible, what the actual impact is, and how we can better protect ourselves against it. Hold on tight…
What is a DDoS attack?
In cybersecurity, we recognize different types of attacks. A Distributed Denial of Service (DDoS) attack is a subcategory of the broader Denial of Service (DoS) category. In this type of attack, someone manages to make an online service, website, or application entirely or partially unavailable to legitimate users. Every online service has limited resources, such as bandwidth, processing power, storage capacity, memory, etc. If an attacker can exhaust one of these resources, the online service will suffer, and legitimate users will no longer experience it as reliable. There are, in principle, two types of Denial of Service attacks.
Application-Level Denial of Service Attack
In this scenario, an attacker exploits a weakness in the online service or underlying infrastructure to achieve their goal. This could involve depleting memory or manipulating the application in such a way that it starts spinning in circles. A simple example is the misuse of a search function that, with the right parameters, can generate so many results that the underlying database consumes too much memory.
For attackers, this is a complex scenario because it requires a lot of knowledge about the application and the infrastructure. This is why it’s much less common than the second type.
Volumetric Denial of Service Attack
In this case, an attacker targets the available bandwidth of an online service. By exhausting this, the attacker achieves their goal. This type of attack also includes the Distributed Denial of Service attack.
Simply put: every online service receives requests from its users and responds to them. A volumetric Denial of Service generates so many requests that the online service can no longer respond to all of them.
In some cases, it’s possible to achieve this from a single system, but in most cases, an attacker will use thousands of systems under their control to generate enough requests. And this is the exact meaning of a Distributed Denial of Service attack.
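The single-source versus distributed distinction above, as an added example that is not part of the original article: per-second request profiling over constructed access-log lines, with assumed thresholds (RATE_LIMIT, DISTRIBUTED_SOURCES) that would be tuned to the real service's capacity.

```python
"""Per-second request profiling that tells a single-source flood from a distributed one."""
from collections import defaultdict

# Assumed thresholds (tune to the real service's capacity): requests per second the
# service can comfortably answer, and the number of distinct sources above which a
# burst looks distributed rather than single-source.
RATE_LIMIT = 100
DISTRIBUTED_SOURCES = 50

def parse_line(line):
    """Parse a constructed '<epoch_seconds> <src_ip> <path>' access-log line."""
    ts, ip, path = line.split(maxsplit=2)
    return int(ts), ip, path

def classify_windows(lines, rate_limit=RATE_LIMIT, distributed_sources=DISTRIBUTED_SOURCES):
    """Return {second: (requests, distinct_sources, label)} for each one-second window."""
    per_second = defaultdict(list)
    for line in lines:
        ts, ip, _ = parse_line(line)
        per_second[ts].append(ip)
    result = {}
    for ts in sorted(per_second):
        ips = per_second[ts]
        requests, distinct = len(ips), len(set(ips))
        if requests <= rate_limit:
            label = "normal"
        elif distinct >= distributed_sources:
            label = "distributed flood"      # many hosts: the DDoS case
        else:
            label = "single-source flood"    # one or a few hosts: plain DoS
        result[ts] = (requests, distinct, label)
    return result

def constructed_log():
    """Constructed sample traffic, not a real capture: a quiet second, a burst from one
    host, then a burst spread over 300 hosts (the 'thousands of systems' pattern)."""
    t0 = 1700000000
    lines = [f"{t0} 198.51.100.{i} /index.html" for i in range(5)]
    lines += [f"{t0 + 1} 203.0.113.7 /search?q={i}" for i in range(150)]
    lines += [f"{t0 + 2} 10.0.{i // 256}.{i % 256} /index.html" for i in range(300)]
    return lines

if __name__ == "__main__":
    for ts, (n, distinct, label) in classify_windows(constructed_log()).items():
        print(f"t={ts} requests={n} sources={distinct} -> {label}")
```

The same split matters for response: a single-source burst can be rate-limited at the edge, while a distributed one needs the upstream filtering discussed below.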
How can I protect myself?
The internet is a chain of “pipes” with varying bandwidths. As with water piping, the narrowest pipe is usually the one closest to the server itself. If this connection overflows with requests, a Denial of Service occurs. Fortunately, there are a few solutions that can protect an online service and make it much harder for an attacker to achieve their desired results. In most cases, a combination of these solutions is needed to create a resilient online service.
Firewalls
With a firewall between your online service and the internet, you can limit the locations from which your service is accessible. This way, the service only handles requests from specifically allowed locations, and other requests are blocked by the firewall.
For example, it’s possible to:
- Allow traffic only from Belgian IP addresses.
- Allow traffic only from European IP addresses.
- Specifically block IP addresses from countries known for attacks (Russia, China, etc.).
This strategy is feasible for most companies, but there are some disadvantages. First, it’s impossible to apply this for an online service that needs to be globally available. Second, large amounts of traffic still reach your infrastructure, and even the firewall or internet connection itself can be overwhelmed.
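The country-based allow-list and block-list policies listed above, as an added example that is not the article's or Spotit's code: a prefix-to-country lookup over a constructed placeholder table (GEO_PREFIXES stands in for real GeoIP data) and a policy function for both modes. The (allowed, blocked) counts it returns illustrate the second disadvantage: blocked requests still arrived at the firewall.

```python
"""Geo-based source filtering: allow-list by country or block-list by country."""
import ipaddress

# Constructed prefix-to-country table with placeholder ranges, not real GeoIP data.
GEO_PREFIXES = {
    "192.0.2.0/24": "BE",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "XX",   # placeholder for a country the policy blocks
}
NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in GEO_PREFIXES.items()]

def country_of(ip):
    """Longest-prefix lookup of the country code for an IP; None if not in the table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None

def decide(ip, allow=None, deny=None):
    """Return 'allow' or 'block'.

    allow: set of countries admitted, everything else blocked (unknown origin blocked).
    deny:  set of countries blocked, everything else admitted (unknown origin admitted).
    """
    cc = country_of(ip)
    if allow is not None:
        return "allow" if cc in allow else "block"
    if deny is not None:
        return "block" if cc in deny else "allow"
    return "allow"

def filter_requests(src_ips, **policy):
    """Apply the policy to a list of source IPs and return (allowed, blocked) counts.
    Both counts already crossed the uplink: the firewall saves server resources,
    not the bandwidth of the connection in front of it."""
    allowed = sum(1 for ip in src_ips if decide(ip, **policy) == "allow")
    return allowed, len(src_ips) - allowed
```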
Content Delivery Networks (CDNs)
To efficiently ward off a DDoS attack, it’s crucial to maximize the distance between the requester and the online service. This enables you to stop the attacker’s requests as early as possible, preserving your infrastructure’s resources.
Here, you use Content Delivery Networks (CDNs) like Akamai, Cloudflare, and others. Initially, these gained popularity for efficiently handling the early explosion of images and videos on the internet. They were especially popular among media companies to deliver content faster to end users. Since then, CDN solutions have invested heavily in security technology, such as deeply integrated “web application firewall” technology.
By integrating a CDN into your online strategy, you achieve several goals:
- Malicious traffic is kept away from your infrastructure.
- Attackers are detected and blocked early.
- Your website’s content is delivered faster to users.
- Managing TLS certificates becomes simpler.
It’s no coincidence that Cloudflare recently reported successfully blocking a 3.8 Tbps attack in an automated manner (https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/). This is truly a level of traffic that no infrastructure is expected to withstand—a digital equivalent of a Category 5 hurricane.
Organizations offering one or more online services that are essential to the public or their customers are advised to consider a CDN service.
Is Belgium particularly vulnerable to such attacks?
Belgium is not an exception on the internet. As a country, we are not necessarily more vulnerable than other nations. However, in today’s geopolitical context, we do walk around with a target on our back. On the one hand, many headquarters of international and European organizations are located in our country, and on the other, Belgium is rightly active in protecting human rights in various regions. It’s therefore logical that groups of attackers supporting other regimes choose Belgian targets to reinforce their message.
With upcoming elections, where more citizens are voting digitally, the question arises whether attackers could sabotage this. That seems unlikely. Firstly, the infrastructure used for recording and counting votes in Belgium is not dependent on or connected to the internet. As a country, we can be genuinely proud of our digital infrastructure. From the eID, to electronic voting, to electronic doctor prescriptions—these are strong implementations where security and integrity requirements were carefully considered. Additionally, initiatives led by the Center for Cybersecurity Belgium (CCB) have a significant impact on European resilience, and we can take pride in our capabilities.
Can we contribute individually?
Given the highly technological nature of DDoS attacks, this might seem like a redundant question, but it’s far from it.
In the attack that Cloudflare repelled, the attackers used vulnerable internet routers. Vulnerable infrastructure is used to attack other infrastructure.
As regular internet users, we have a responsibility to keep the devices under our control as secure as possible. It’s important to:
- Regularly update your computers, routers, and other systems.
- Make your passwords unique and long, using a password manager to manage them easily.
- Use multi-factor authentication wherever possible instead of relying solely on passwords.
- Avoid connecting devices to the internet unnecessarily.
As the saying goes, “It takes a village…” and the internet is no different. If every user, large or small, takes responsibility, we all become a little safer.
CSIRT to the rescue
At spotit, we are always ready to help organizations when disaster strikes. Whether it’s a DDoS attack, a ransomware attack, another type of cyber incident, or a catastrophic network outage, our CSIRT service ensures that you have access to a team of experts 24/7. You will always have an experienced incident manager and a team of technical experts at your disposal, focusing with you on the incident’s impact, safeguarding your infrastructure and data, and recovering from the damage.
Read more about CSIRT, your lifeline in case of a cyber attack.