DDoS: What we can do to prevent it

DDoS explosionDistributed Denial of Service, DDoS for short, is the shooting star in today’s Internet nightmare gallery. Here is a quick overview over what each and everyone of us can do to prevent his. And some hints at manufacturers and researchers.

[A extended list of recommendations for customers and manufacturers is available in German: “Weg vom Internet der (unsicheren) Dinge”.]


The three main IT security aspects are C-I-A:

Cryptographic mechanisms and access control can protect the first two aspects. Software developers and system administrators, together with building security, can often maintain them completely on-site, without relying on external help.

Availability, however, is different: The service provider itself can only go a short step to ensure it. In the old days, you just closed the door of your office building so noone could enter. In the Internet-connected world, you want to keep your (virtual) doors open at all costs. To ensure that your services to your customers, partners, and employees are available, the entire Internet needs to be secure and operable.

Even if you think you’re just visiting your favorite web site, your browser is also connecting to dozen other sites, providing graphics, fonts, tools, ads, usage analysis, and much more. If only some of these are unreachable, the web page feels sluggish, looks outright garish, or does not load at all.

DoS and DDoS

Denial of Service (DoS) attacks try to reduce the availability of a service. For example, you can ask a web server to perform a complex operation. So with every short query of your browser, several seconds of computing power will be used on the server. Fire those requests fast enough, and they are hogging most of the resources, making the service unresponsive for everyone (including the attacker, but they don’t mind). This is easy to defend against: Just stop accepting requests from this machine.

Enter DDoS: Now, it’s not a single attacker, but hundreds of thousands to many millions. You could still identify them and blacklist them, but their sheer volume will overwhelm your Internet connection. But attackers add another trick of the trade: They do not send the requests labeled with their correct sender address, but with a randomly chosen one. So everyone seems to attack the poor victim. This was the big change that made DDoS first successful in 2000.

Recent attacks go even further. They do not attack the victim, but they claim to be the victim by spoofing their IP address and ask random servers around the ‘net to send them some data. Because of the spoofed address, this data will not go to the millions of attackers, but to the victim. This is considered an amplification attack, as the traffic of the attackers is amplified by these third-party servers. As an additional benefit, the attacker’s whereabouts are even better hidden through these innocent intermediaries.

The attacks from the last week use an interesting twist: Instead of using computers and laptops as the members of the Botnet, they mainly used Internet-connected devices, such as surveillance cameras. IoT devices seem to currently be the least secured devices.

Lessons learned

The entire Internet needs to be secured, ranging from your WiFi-capable lightbulb over servers to the Internet routers at home and with your ISP. What does that mean to me? I’m a …



…System Administrator




If we all work together, and each add just a tiny little bit of their time, we can massively reduce the impact of the next DDoS attack and reduce the privacy and security risks of the devices used as part of a botnet or reflectors.

Together we can fight the DDoS tragedy of the commons!

[Updated 2016-10-02 to include local routing thanks to Fredy Künzler]


Let’s stay in touch!

Receive a mail whenever I publish a new post.

About 1-2 Mails per month, no Spam.

Web apps

3 responses to “DDoS: What we can do to prevent it”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.