Hasso-Plattner-InstitutSDG am HPI
Hasso-Plattner-InstitutDSG am HPI



DDoS attacks: What they are and how they work

The war between Russia and Ukraine is no longer taking place only in physical space. Cyber warfare with attacks on enemy systems play an important role for both sides. To help Ukraine, the online activist group Anonymous launched a call to participate in DDoS attacks against Russia in February 2022. In this interview, Daniel Köhler, a doctoral student at Prof. Dr. Christoph Meinel's Chair of Internet Technologies and Systems, explains what DDoS attacks are, what their goal is, and whether it is possible to defend against them.

To help Ukraine, the online activist group Anonymous launched a call to participate in DDoS attacks against Russia in February 2022. In this interview, Daniel Köhler explains what DDoS attacks are, what their goal is, and whether it is possible to defend against them. (Photo: Pixabay)

What is a DoS attack and what is the most common motivation for such attacks?

A denial-of-service attack, or DoS for short, aims to impact the availability of a system or service. This can be a webpage, or even databases that are used by other services. Whether and how bad the consequences of DoS attacks are depends on who is attacking which services in what way. (more on this in the free openHPI course: Tatort: Internet (German)).

If, for example, the availability of a large online department store is restricted for a few hours so that users can no longer shop there, then thousands of euros of potential revenue will be lost.

Such attacks are usually carried out based on a simple principle: “make more requests to a server than it can answer."

Web servers, (i.e. computers on the Internet) have a limited performance capacity, just as a desktop computer or a laptop. If, for instance, a server on the Internet that offers a website can serve 1000 customers at the same time but 2000 requests are made, there is a good chance that an additional waiting customer can not be “served” because all resources are already used up.

The motives for such attacks are quite different. There are attacks based on financial motives when an attacker assumes that the failure of the service will bring him an advantage. On the other hand, the motive can also be about image loss: if a service is “offline” every other day, a user will likely look for an alternative service.

What is the difference to DDoS attacks?

The DdoS attack has basically the same goal as the DoS attack. The extra “D” here stands for “distributed”, which defines the way the attack is carried out.

Traditional servers on the Internet often have far too much computing power for an attacker to impact their availability with just one or two end devices. Therefore, the attacker seeks other threat actors with whom to distribute their attack. Each of the attackers’ devices makes individual requests to the services and the sum of these requests overloads the target.

So how does a DDoS attack work in practice?

The goal of a DDoS attack is always to disable the availability of an Internet service. Nowadays, however, this is relatively difficult to achieve - especially in the case of attacks against large cloud systems. And it is dependent on the attack technology. A group of 10, 15 or even 100 end devices is often no longer sufficient to carry out a successful attack. Attackers have therefore come up with the idea of stealing computing power from other users, other victims.

For example, if a malware infects a computer, the malware can turn the computer into a "bot" in a botnet. As part of a botnet, bots typically wait for commands from the "command server," which is in control of the attacker. When the attacker wants to carry out a DDoS attack, he instructs all his bots to request a specific service at the same time. The number of devices issuing requests to a service is then no longer 10, 15 or 100 computers, but tens of thousands, depending on how well the attack was prepared and how large the botnet was.

Many DDoS attacks are no longer carried out via hijacked computers, but via the Internet of Things (IoT), (e.g., devices in smart homes). How do attacks work via these devices?

A major problem we face with IoT devices is that they are often inadequately protected. Software is often not updated by the manufacturer or the user, or users carelessly use standard passwords. This makes it quite easy for attackers to infiltrate these devices and accounts with malware, or it makes malware particularly successful, respectively.

Compared to Windows computers, for example, which are always bothering us with updates, users of IoT devices have to ask themselves when they last updated the software on their smart refrigerator or smart light bulb. While admittedly this is a slight exaggeration, it is nevertheless shows why attacks are often made so easy for cybercriminals The so-called MiraiBotnet is a well- known botnet that was built a few years ago. In 2016–17, it already contained over 500,000 endpoints.

Can I prevent my smart home devices from being used for attacks?

There is no such thing as “100%-Secure” on the Internet. This would mean we need to disconnect all of our devices for complete security. But, as with all electronic devices, such as computers or smartphones, the same rules apply here: install updates!

If manufacturer updates are available, install them as quickly as possible. While it is laborious to schedule and perform updates for all devices at different intervals, at different times, only this helps to close vulnerabilities. Otherwise, those open vulnerabilities can be exploited by attackers.

A prerequisite for this step, however, is that a manufacturer provides updates. Unfortunately, for many manufacturers, this is not always the case. I therefore recommend that potential buyers closely consider aspect such as software and hardware support and it’s quality before buying the first product they see.

In addition to the installation of updates, the same principles apply to IoT devices as to any other devices: Secure passwords!! One of the main ways the previously mentioned Mirai botnet was able to spread so dramatically was due to abusing default accounts and default passwords that users never changed. Default accounts include "admin" or "administrator". Consequently, the “usual” recommendation applies here as well: "Use strong passwords!” What are strong passwords? Ideally, they should consist of a combination of at least 12-14 letters, numbers and special characters, and they have to be unique for each device and account.

In DDoS attacks, huge amounts of data are sent to servers in order to disable them. In 2018, a DDoS attack on GitHub was performed with a volume of 1.3 Tbit/s – how large are attacks today?

There is no generalizable answer to that. In the case of the attack mentioned in 2018, GitHub itself evaluated the logs - the event and access memories of the entire devices - after the attack and was thus able to roughly estimate the magnitude. In 2020, for example, Amazon defended against a major DDoS attack as well. Here, the attack was roughly in the size of 2.3 terabits per second.

In 2021, there was a report that Cloudflare mitigated a DDoS attack at a scale of more than 17 million HTTP requests per second to one customer. Even though that's a slightly different metric, because we're not talking about data volumes here but about the number of accesses, it still equates to an attack nearly three times as large as the largest events that had occurred previously. Again, the attacks originated from a modified Mirai botnet. The growing number of unsecured IoT devices is very problematic.

Would you like to further your education in the field of cyber security?

→  Then take a look at our education platform openHPI.


Here you will find many free online courses on the basics of IT, safety on the net and programming.


How can one defend against (D)DoS attacks?

Defending against DDoS attacks is difficult. However, many systems are now located in cloud environments, which means that when attacks occur, resources are simply added until there is enough capacity to withstand the attack. At the same time, each resource costs money and this can quickly become very expensive.

Another approach is to block attacks based on Internet Protocol (IP) addresses - the addresses of our devices on the Internet. The problem with this, however, is that not every device on the Internet today has a unique address. For example, all devices from a household that are connected to the Internet via a home connection speak to the one address of the router.

Let's assume that my washing machine, which belongs to the Mirai botnet mentioned above, attacks Amazon. Amazon then detects the attack and blocks the IP address of my device. However, since my other devices (computer, smartphone, TV) use the same address, they are also blocked. The attack has achieved exactly what it was supposed to via a roundabout way: I, as a customer, can no longer access the service.

[Translate to Englisch:] Daniel Köhler

Interview: HPI doctoral student Daniel Köhler

Daniel Köhler is doing his doctorate and teaches at Prof. Dr. Meinel's Department of Internet Technologies. He deals with the topics of IT security, security theory and danger awareness on the net. In addition to teaching at HPI, Daniel Köhler is involved in the conception and preparation of several openHPI courses.