
DDoS: Permanent Flood of Data Without a Protection Strategy – And How To Protect Yourself Against It

The threat landscape around web applications and IT systems is becoming increasingly sophisticated. While traditional attacks such as SQL injection, cross-site scripting and session hijacking are still active in 2025, modern web frameworks, web application firewalls (WAF) and adherence to best practices have significantly mitigated them.

But have you ever heard of attacks that don’t involve stealing or manipulating confidential data? There are also attacks that are solely aimed at taking IT systems out of service for as long as possible and maximizing the damage to those affected.

In this article, we look at one such malicious attack method, which reached a new dimension in 2013 with the spamhaus.org spikes. 5 years later, GitHub experienced a DDoS attack with an almost unbelievable data rate of 1.35 Tbit/s. Such attacks are not isolated incidents — any company or organization could be affected tomorrow.


What are DDoS attacks?

DDoS stands for Distributed Denial of Service and describes an attack technique in which an enormous number of packets or requests are sent simultaneously to a target system in order to severely impair its availability or cause the system to crash. In contrast to classic DoS (Denial of Service), DDoS uses a group of compromised computers instead of just a single computer.

DDoS attacks can occur at different levels of the widely used OSI model, leading to a variety of attack possibilities. These can be broadly divided into two categories: blunt attacks and intelligent attacks, depending on which layer of the OSI model is the target.


Attack methods: From simple to sophisticated


  1. SYN flood attack

A frequently used attack is the SYN flood attack, which is carried out at the transport level (layer 4). The attacker abuses the TCP three-way handshake that is used when establishing a connection between two computers. The attacker sends numerous SYN packets with falsified source IP addresses to the server, which responds with SYN-ACK packets. Since the last step of the handshake (the ACK from the client) never arrives, the half-open connections remain in the server's backlog and exhaust the resources reserved for them. Such attacks are relatively easy to carry out and can be fended off using techniques such as SYN cookies, which avoid storing any state for a connection until the handshake has been completed.
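The SYN cookie defence mentioned above, as an added illustration that is not code from the original article: the server encodes the connection parameters in the initial sequence number of its SYN-ACK instead of keeping a backlog entry, and creates state only when a client echoes that number back in its ACK. The 5-bit epoch counter, 3-bit MSS index and 24-bit keyed hash follow the classic layout in spirit; the secret, MSS table and function names are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret; a real stack rotates this regularly.
SECRET = b"constructed-demo-secret"
# MSS values a 3-bit index can encode; the largest value <= the client's MSS is used.
MSS_TABLE = [536, 1220, 1440, 1460]


def _counter(now):
    """5-bit epoch counter that advances every 64 seconds (bounds cookie lifetime)."""
    return int(now // 64) & 0x1F


def _mac(src, dst, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the epoch; unforgeable without SECRET."""
    msg = f"{src}|{dst}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now=None):
    """Initial sequence number for the SYN-ACK: all connection state lives in here."""
    now = time.time() if now is None else now
    count = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return (count << 27) | (mss_idx << 24) | _mac(src, dst, sport, dport, count)


def check_cookie(cookie, src, dst, sport, dport, now=None, max_age_epochs=1):
    """Validate an echoed cookie; return the negotiated MSS, or None if invalid/stale."""
    now = time.time() if now is None else now
    count = (cookie >> 27) & 0x1F
    if ((_counter(now) - count) & 0x1F) > max_age_epochs:
        return None                       # cookie too old: a replay or a very slow client
    if (cookie & 0xFFFFFF) != _mac(src, dst, sport, dport, count):
        return None                       # wrong 4-tuple or tampered bits
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handle_syn(src, dst, sport, dport, mss, now=None):
    """Server side: a spoofed SYN costs only this computation, no backlog entry."""
    return make_cookie(src, dst, sport, dport, mss, now)


def handle_ack(ack_number, src, dst, sport, dport, now=None):
    """Server side: the ACK must acknowledge ISN+1; state is created only now."""
    return check_cookie((ack_number - 1) & 0xFFFFFFFF, src, dst, sport, dport, now)
```

A SYN whose source address was forged never produces a matching ACK, so the server spends nothing on it beyond one hash.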


  2. DNS amplification (DNS reflection / amplification)

A far more sophisticated and harder to detect attack method is DNS amplification. Here the target system is flooded with DNS responses from legitimate DNS servers that it has never requested. Compromised computers in a botnet send queries to publicly accessible DNS servers with the source IP address forged to that of the target, so the servers deliver their responses, which are many times larger than the queries, to the target. The resulting data volume is often extremely high and can quickly overload the target system. In the case of the attack on spamhaus.org, this led to considerable disruption in global network traffic.
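How a defender can recognise reflected DNS traffic at the edge of the victim network, as an added example that is not part of the original article: a response from port 53 is legitimate only if the receiving host recently sent a matching query, and everything else is counted as reflection. The flow records, address ranges and the resolver at 203.0.113.53 are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records, one per line: "ts src sport dst dport bytes".
# Addresses come from the RFC 5737 documentation ranges; 10.0.0.0/8 is the
# protected network and 203.0.113.53 plays the resolver it legitimately uses.
FLOWS = """\
1 10.0.0.5 41000 203.0.113.53 53 64
1 203.0.113.53 53 10.0.0.5 41000 210
2 192.0.2.10 53 10.0.0.9 80 3500
2 192.0.2.11 53 10.0.0.9 80 3400
3 192.0.2.12 53 10.0.0.9 80 3600
3 198.51.100.7 53 10.0.0.9 80 3550
"""


def parse(text):
    """Yield (ts, src, sport, dst, dport, size) tuples from the flow text."""
    for line in text.splitlines():
        ts, src, sport, dst, dport, size = line.split()
        yield int(ts), src, int(sport), dst, int(dport), int(size)


def is_internal(ip):
    return ip.startswith("10.")


def analyse(flows, window=5):
    """Separate legitimate resolver answers from reflected ones.

    An outbound query is remembered by (client, client_port, resolver). An inbound
    packet from port 53 with no such query in the last `window` seconds is counted
    against its destination as reflection. Matched pairs feed the amplification
    ratio (answer bytes per query byte), which is what makes reflection attractive.
    """
    pending = {}
    victims = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    query_bytes = answer_bytes = 0
    for ts, src, sport, dst, dport, size in flows:
        if dport == 53 and is_internal(src):
            pending[(src, sport, dst)] = (ts, size)        # our own query
        elif sport == 53 and is_internal(dst):
            sent = pending.pop((dst, dport, src), None)
            if sent is not None and ts - sent[0] <= window:
                query_bytes += sent[1]
                answer_bytes += size                       # legitimate answer
                continue
            v = victims[dst]
            v["packets"] += 1
            v["bytes"] += size
            v["reflectors"].add(src)
    amplification = answer_bytes / query_bytes if query_bytes else None
    return {"victims": dict(victims), "amplification": amplification}
```

The number of distinct reflectors per victim is the tell-tale sign: a flood from many unrelated resolvers at once is not something a host ever asks for.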


The damage caused by DDoS attacks

Whether simple flood attacks or sophisticated DNS amplification attacks — the damage caused by DDoS attacks can be enormous. In addition to direct sales losses and recovery costs, reputational damage and legal costs can also have considerable financial consequences.


Protective measures against DDoS attacks

To protect against DDoS attacks, it is important to develop proactive protection strategies. Here are some essential measures:

  1. Prioritize critical services

Determine which services are essential to your business, such as web applications, email servers or databases, and ensure that these are prioritized for protection.

  2. Use specialized DDoS protection services

Use services such as Cloudflare or Akamai that can protect your infrastructure from attacks and filter traffic.

  3. Implement intrusion detection systems (IDS)

Use IDS and centralized log analysis to detect anomalies early and respond to DDoS attacks.

  4. Create a DDoS response strategy

Develop a DDoS response strategy and train your team so that everyone knows what to do in the event of an attack. Regular testing will ensure that the plan works.

  5. Operate critical systems on a separate Internet uplink

Critical systems should be operated on a separate Internet uplink so that they can be placed under DDoS protection measures specifically, without affecting the entire infrastructure.

  6. Geographic traffic filtering

Configure your firewall to block or prioritize traffic from non-relevant geographic regions to reduce the pressure on your systems.
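One way to put the IDS and centralized log analysis measure into practice, as an added example that is not code from the original article: requests are bucketed per second, a baseline is learned from the quiet warm-up period, and a second that exceeds it by k standard deviations raises an alert. The count of distinct clients in that second tells a distributed flood apart from a single noisy client, which is the DDoS/DoS distinction made earlier in the article. The log format, thresholds and sample lines are constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed access-log format: <client> - - [<unix_ts>] "<request>" <status>
LOG_RE = re.compile(r'^(\S+) - - \[(\d+)\] "[^"]*" (\d{3})$')


def constructed_log():
    """Ten quiet seconds from two clients, then three seconds of a distributed flood."""
    lines = []
    for ts in range(1000, 1010):
        for i in range(4):
            lines.append(f'10.0.0.{1 + i % 2} - - [{ts}] "GET / HTTP/1.1" 200')
    for ts in range(1010, 1013):
        for i in range(120):
            lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET /login HTTP/1.1" 200')
    return lines


def per_second(lines):
    """Aggregate request count and distinct client addresses per second."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip malformed lines
        b = buckets[int(m.group(2))]
        b["requests"] += 1
        b["sources"].add(m.group(1))
    return dict(sorted(buckets.items()))


def detect(lines, warmup=10, k=4.0, min_sources=50):
    """Alert on seconds whose rate exceeds the baseline by k standard deviations.

    Returns (threshold, alerts); each alert is (ts, requests, distinct_sources, kind),
    where kind is "distributed" when many sources take part, "single-source" otherwise.
    """
    buckets = per_second(lines)
    baseline = [b["requests"] for b in list(buckets.values())[:warmup]]
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    threshold = mean + k * max(sd, 1.0)              # floor keeps a flat baseline usable
    alerts = []
    for ts, b in list(buckets.items())[warmup:]:
        if b["requests"] > threshold:
            kind = "distributed" if len(b["sources"]) >= min_sources else "single-source"
            alerts.append((ts, b["requests"], len(b["sources"]), kind))
    return threshold, alerts
```

The same bucketing works on firewall or flow logs; what matters for the response plan is that the alert fires in the first second of the flood, not after the service has already gone down.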


Advanced protection strategies: training and best practices

DDoS attacks are just one part of the wider threat landscape affecting web applications. To build lasting knowledge of security measures and arm yourself against modern threats, we recommend practice-oriented intensive training courses. These training courses cover a broad spectrum of attack techniques and defense mechanisms and offer you the opportunity to take targeted action against cyber attacks.


Conclusion: Protection against DDoS attacks

DDoS attacks are a serious threat to companies and organizations worldwide. However, with the right protective measures and a well thought-out response strategy, you can ensure that your systems remain functional even in the event of an attack and that the damage is minimized.

For even deeper expertise, we recommend iSAQB-certified web security training, which will equip you with the necessary skills to effectively protect your web applications.


Sources

  1. spamhaus history (retrieved on 14.09.2024)
  2. GitHub DDoS Incident Report (retrieved on 03.09.2024)



This is a translation of ITech Progress’ blog post “DDoS: Dauerhafte Datenflut ohne Schutzstrategie – und wie man sich davor schützen kann”. Here you can find the original blog post in German.
