DDoS protection

DDoS protection and cybersecurity

DDoS protection tools are more important than ever

DDoS mitigation and cybersecurity

DoS stands for Denial of Service, the increasing form of which is DDoS - the additional D stands for Distributed Denial of Service. This is a frequently used type of attack on the Internet. In this security incident, countless requests / queries are sent to this service (YouTube, GitHub, Twitter etc.) in the shortest possible time. This ultimately leads to an overload and the corresponding page is then no longer available for the user. This can lead to considerable financial damage for the operator of the Internet service. Attackers can blackmail the operators for protection money. Learn more details about this topic and about DDoS protection here.

DDoS attack without appropriate DDoS protection

DDoS attacks have an increasing impact. They overwhelm services with ever increasing amounts of data. For DDoS security, DDoS protection tools are needed to disperse these data volumes. At the same time, more and more attacks are being recorded in which cybercriminals attack only specific areas of the IT infrastructure. These attacks are of course less noticeable. The smaller the application or service, the less data volume is needed for the attack. On the other hand, DDoS attacks no longer serve only to deny service, but are increasingly being used as a cover to disguise other cyberattacks. These include data breaches and financial fraud. Organizations should implement a DDoS monitoring and protection tools that detects and block all potential DDoS attacks as they occur. This gives them a comprehensive overview of their networks.

Botnets play a decisive role

Cybercriminals use botnets in most DDoS attacks. Attackers hijack foreign computers in advance. They usually apply malware such as Trojans or worms. They remotely control those foreign computers by using C&C servers (Command & Control Server). In the case of DDoS, they exploit the bandwidths of the victim systems. They make identical requests to the victims' servers simultaneously. You can prevent those attacks by DDoS protection and by implementing proper DDoS security measures.

Memcached server: Cyberattacks are also possible without botnets

Capturing foreign computers or IoT devices can sometimes be very troublesome for attackers. That's why some attacks do not use botnets. Just take a look on the attack on Github 2018, where the use of memcached servers was exploited. These database caching services have the purpose of making networks and websites faster. Access from the Internet to these servers is possible without authentication; you just have to get the IP address. Then the attackers send small requests to several memcached servers simultaneously - about 10 per second per server. These memcached servers are then designed to produce a much larger response. They then return 50 times the requested data to the victim system. In this way, data requests of several terabytes per second can be generated - these easily lead to the collapse of a service. DDoS protection effectively prevents this type of cyberattack as well.

DDoS protection prevents attacks via DNS reflection

In the same way, DDoS cyberattacks via DNS reflection techniques are used. The attacker makes the DNS query using the victim's IP address (IP spoofing) and is thus successful. The DNS server sends the request to the victim. This is where the amplification, i.e. the amplification in the next step, comes into play.

"UDP packets with DNS queries are typically relatively small (< 100 bytes). Response packets are significantly larger (< 500 bytes) depending on the queried entry. As a result, an attacker can achieve a significant increase in the attack load on the victim side if the DNS query is cleverly chosen with a comparatively small bandwidth; the attack is thus amplified (amplification)."
Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI)

DDoS protection: DDoS protection solutions

Our DDoS protection tools and measures prevent DDoS attacks:

These include web application firewalls (WAF for short), which protect online services on the application layer. In general, these ensure that:

  • The WAF only allows incoming connections from services that are allowed to access. For this purpose there is the approach of blacklists (listing of non-permitted connections) or whitelists (listing of permitted connections)
  • The same then applies to outgoing connections - these are only possible with explicit permission. This can paralyze botnets, for example, because they can then no longer contact the attackers' command & control server.

Amplicification attacks via memcached servers:

  • Remove exposed memcached servers from the Internet and deploy them securely behind firewalls in internal networks.
  • Filters in WAFs that block memcached traffic when a suspicious amount of requests is detected.
  • If network operators can detect the attack command used, they can nip the malicious traffic in the bud by blocking all memcached packets of that length.

Reflection attacks via “Network Time Protocol”:

  • This is where the web application firewall and a correspondingly existing network infrastructure consisting of several data centers can help.
  • Even if a single IP address is the target of the attack, you can distribute the flood of data with a corresponding feature in the firewall. The WAF distributes the incoming load to different data centers. Thus, the attacked service is still available.

Effective DDoS protection: R&S®Web Application Firewall

  • Identification of DDoS attacks and differentiation between good and harmful traffic - detection of an attack and limitation of damage
  • Ensuring availability for users during an attack.
  • Minimization of downtime
  • Anticipating future attacks and combating them more effectively

If you have further questions, please contact us.

Featured content for DDoS protection and cybersecurity

Boost your cloud native applications with automation

The pandemic has strengthened the necessity for cloud automation as more organizations are going digital-first.

Register now

White paper: How to protect your APIs

Learn in this white paper how to protect your APIs with the R&S Web Application Firewall.

Register now

White paper: Choosing a web application firewall

This white paper helps you to identify the key factors to consider when choosing a Web application firewall.

Register now


Can a Denial of Service be traced back?

It is difficult to trace the origin of a denial of service. This makes good DDoS protection solutions all the more important. Most traffic floods originate from botnets, which are mostly computers of uninvolved parties. Whoever hacked these systems is rarely traceable. The same applies to reflection & amplification attacks. This is mainly because the attacker uses the victim's IP address. The attack itself is then performed by a legitimate service, such as a DNS server.

What offers optimal protection against DDoS attacks?

Existing infrastructure solutions such as firewalls, application provisioning controls and load balancing provide basic protection against DDoS attacks. However, they only solve known cybersecurity attacks. It is therefore essential that you additionally secure the application layer. You can prevent web-based attacks best by using a web application firewall (short WAF).

What are volumetric DDos attacks?

ICMP flood, IP/ICMP fragmentation, UDP flood and IPSec flood are so-called volumetric attacks, in which attackers attempt to use up bandwidth, e.g. within the target network/service or between the target network/service and the rest of the Internet, in order to cause congestion.

Your monthly cybersecurity update

Your monthly cybersecurity update

Contact Us

Do you have questions or need additional information? Simply fill out this form and we will get right back to you.

Marketing permission

I want to receive information from Rohde & Schwarz via

What does this mean in detail?

I agree that Rohde & Schwarz GmbH & Co. KG and the Rohde & Schwarz entity or subsidiary company mentioned in the imprint of this website, may contact me via the chosen channel (email or postal mail) for marketing and advertising purposes (e.g. information on special offers and discount promotions) related to, but not limited to, products and solutions in the fields of test and measurement, secure communications, monitoring and network testing, broadcast and media, and cybersecurity.

Your rights

This declaration of consent may be withdrawn at any time by sending an email with the subject "Unsubscribe" to news@rohde-schwarz.com. Additionally, a link to unsubscribe from future email advertisements is contained in each email sent. Further details on the use of personal data and the withdrawal procedure are set out in the Statement of Privacy.

Your request has been sent successfully. We will contact you shortly.
An error has occurred, please try again later.