DDoS-Guard

Swiss online retailers were hit on March 14, 2016. Popular e-shops including Digitec, LeShop, Coop, Interdiscount and Microspot were cut off from the rest of the world for hours. These retailers had become the victims of a DDoS attack.

Extortion is frequently what motivates DDoS attacks: money in exchange for uninterrupted availability. That also seems to have been the case in March 2016: ransom e-mails had been circulating in the days prior to the attack, in which the cybercriminals promised to refrain from launching a DDoS attack if they were paid 25 bitcoins.

Anybody can be hit by a DDoS attack nowadays because these attacks are actually easy to pull off. Offers for multi-minute attacks can be found on the darknet for prices starting at just USD 20.00. Given the smart TVs, webcams and poorly protected IoT devices so prevalent in today’s world, attackers are finding a growing number of targets to choose from. Plus, the intensity of these attacks is on the rise: the bandwidth used for the fiercest attacks has risen from 620 Gbit/s in 2016 to a record high of 1.7 Tbit/s this past spring.

Tackling the problem online

Local routers, firewalls and inline DDoS filters hardly offer any degree of protection anymore. True protection only comes through measures that stamp out the problem before it hits a business’ own connection, in other words, while the traffic is still out on the Internet. Internet service providers offer services for their business customers that do precisely that; at Green, these go by the name DDoS-Guard.

Special sensors monitor a customer’s data traffic for irregularities in the incoming data packets. Referred to as flow control, this measure identifies attacks not only by their volume but also by their behavior. As soon as predefined parameters are exceeded, all network traffic is redirected via BGP to a so-called scrubbing center in less than a minute. The servers there strip the garbage data from the desired data traffic and route the latter to the recipient via a secure connection. However, many of those offerings are based on a provider’s local equipment with capacities in the Gbit/s range. They’re powerless in the face of these new terabit attacks.

Cloud scrubbing centers located in the vicinity of major Internet exchange points, like Frankfurt, work much better. The delay of just a few milliseconds caused by the rerouting is hardly noticeable to end users. There is also no need to worry about security-related aspects: first, because these measures only concern incoming data traffic and, second, because the sensors can tell whether data traffic is legitimate or not without having to decrypt encrypted data.

Data traffic is normally rerouted to the scrubbing center automatically. It can also be done manually on request, or rerouting can be permanently configured. Providers offer several different scenarios to choose from. Generally, traffic is rerouted for a period of several hours in order to wait out the subsequent waves of the attack. The data stream is only routed back to the customer once the system detects that no more malicious data packets are coming in, and only in consultation with the customer.
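
The detection and rerouting lifecycle described above, sketched as an added example (not Green's or any provider's code). The thresholds, the SYN-ratio behavior signal, the four-hour clean period and the `FlowSample` format are assumptions, and the BGP reroute itself is represented only by a recorded event.

```python
from dataclasses import dataclass

# Assumed values for illustration; real thresholds are tuned per customer.
MAX_BPS = 2_000_000_000   # volume trigger: inbound bits per second
MAX_SYN_RATIO = 0.8       # behaviour trigger: share of packets that are bare SYNs
CLEAN_HOLD_S = 4 * 3600   # "several hours" without attack traffic before restoring

@dataclass
class FlowSample:         # one aggregated flow-export interval (constructed format)
    ts: int               # seconds since monitoring started
    bits_per_s: int
    packets: int
    syn_only: int         # packets carrying only the SYN flag

def is_attack(s: FlowSample) -> bool:
    """Volume OR behaviour: a low-bandwidth SYN flood still trips the second test."""
    syn_ratio = s.syn_only / s.packets if s.packets else 0.0
    return s.bits_per_s > MAX_BPS or syn_ratio > MAX_SYN_RATIO

class DiversionController:
    def __init__(self):
        self.diverted, self.last_attack_ts, self.events = False, None, []

    def observe(self, s: FlowSample, customer_ok: bool = False) -> bool:
        if is_attack(s):
            self.last_attack_ts = s.ts          # every new wave restarts the clean timer
            if not self.diverted:
                self.diverted = True            # stands in for the BGP reroute to the scrubbing center
                self.events.append((s.ts, "divert"))
        elif self.diverted and customer_ok and s.ts - self.last_attack_ts >= CLEAN_HOLD_S:
            self.diverted = False               # route traffic back to the customer
            self.events.append((s.ts, "restore"))
        return self.diverted

SAMPLES = [  # constructed traffic: (sample, customer has agreed to switch back)
    (FlowSample(0, 300_000_000, 50_000, 2_000), False),        # normal
    (FlowSample(60, 5_000_000_000, 900_000, 10_000), False),   # volumetric wave
    (FlowSample(3600, 200_000_000, 40_000, 1_500), True),      # clean, but too soon
    (FlowSample(7200, 400_000_000, 100_000, 95_000), False),   # second wave: SYN flood
    (FlowSample(21600, 250_000_000, 45_000, 1_800), False),    # clean 4 h, no consent yet
    (FlowSample(21660, 250_000_000, 45_000, 1_800), True),     # clean and agreed
]

def replay(samples):
    ctl = DiversionController()
    for sample, ok in samples:
        ctl.observe(sample, ok)
    return ctl.events

if __name__ == "__main__":
    print(replay(SAMPLES))
```

The second wave at 7200 s is well under the volume threshold and is caught only by the behavior test; it also resets the clean timer, which is why the traffic stays diverted until both the hold period and the customer's agreement are satisfied.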

An arms race for bandwidth

Depending on the provider, anti-DDoS solutions linked to a cloud scrubbing center currently work with bandwidths of over 3 terabits per second. That means they offer more than enough protection against even the strongest attacks. Of course, providers are also working tirelessly to increase these bandwidths, because one thing is certain: it’s just a question of time until the next attack sets a new record high.

About the author:
Hanspeter Gehrig is responsible for the B2B services.