DDoS stands for Distributed Denial of Service. In a DDoS attack, a large number of computers, often spread across many locations around the world, attempt to connect to a server. Attackers thus attempt to overload the server with traffic so that it can no longer respond: a denial of service.

Servers and the channels that connect servers to the Internet have limited capacity. Cybercriminals allow the servers and channels to ‘fill up’ by deploying ‘botnets’, for example. Botnets are networks of infected computers, controlled by a cybercriminal. By infecting a computer with malware it becomes a ‘bot’. The bots then infect other computers and so the criminal expands their network further and further into a network of bots (botnet). In a DDoS attack the cybercriminal ensures that the bots in their botnet simultaneously send Internet traffic to a server so that it is overwhelmed with access requests. The server then has insufficient capacity to process the traffic and as a result can no longer work properly or the server even crashes completely. For example, visitors can then no longer access a website, or an online service is seriously slowed down. The cybercriminal has thus achieved their objective.

Our society is rapidly becoming more digitized. Governments and financial institutions are offering their services online. In addition, a significant part of economic traffic takes place in the digital space. DDoS attacks therefore pose a serious threat to the digital society. By shutting down servers, cybercriminals cause great economic and social damage. Customers can no longer reach a web shop, citizens can no longer use digital government services, and individuals can no longer access their saving accounts. This causes major disruption. What also makes DDoS attacks particularly dangerous is the relative ease with which malicious parties can carry out attacks. Malicious parties also offer DDoS attacks on demand (“DDoS-as-a-service”). In that case, technical prior knowledge is not required by the person wishing to launch a DDoS attack.

The motivation behind a DDoS attack is highly dependent on the attacker. Nevertheless, a number of main motivations can generally be distinguished. The motivation may be personal. Examples include young people who attack a popular website out of boredom, or a former employee who goes after a former employer out of spite. In such cases, the attackers are usually not hardened criminals. This is different in the case of a DDoS attack with a financial motive. For example, cybercriminals can extort companies by threatening to launch a DDoS attack. Or cybercriminals can be hired to attack a competitor. DDoS attacks can also occur for political or ideological reasons. Websites of political rivals, critical media or activist groups can be targets for malicious attackers.

A DDoS attack cannot be prevented, though it can be deflected. There are several ways to repel a DDoS attack. For example, it is possible to block Internet traffic from a certain geographical region. Or even all traffic towards a server. However, many organizations choose to use a so-called “scrubbing center”. In this case, data traffic is routed through specialized equipment and “scrubbed clean”. Only legitimate data traffic goes from the scrubbing center to the destination. A well-known Dutch example is the ‘Nationale Wasstraat’, operated by the non-profit foundation Nationale Beheersorganisatie Internet Providers (NBIP).

Deflecting DDoS attacks requires a collaborative approach, as the only way to prevent DDoS attacks is by proactively addressing them in a collaborative manner.

The DDoS Clearing House is a system developed in the EU research project CONCORDIA that the National Anti-DDoS Coalition will use to proactively combat DDoS attacks. The system consists of several components, namely the Dissector, the Converter and the DDoS-DB. The purpose of the system is to share real-time information about DDoS attacks (the metadata) in the form of DDoS fingerprints with all parties member to the coalition.

The DDoS Dissector, together with the DDoS-DB and the Converter, form the core components of the Clearing House system. The Dissector converts DDoS traffic (in pcap or flow format) into DDoS fingerprints.

A DDoS fingerprint describes the characteristics of a DDoS attack (the metadata), such as what protocol was used, what IP addresses the attack came from, how large the attack was, and how long the attack lasted. It is generated by the organization that faces the DDoS attack. They generate the fingerprint by applying the DDoS Dissector to a pcap or flow file of the attack they logged or captured. DDoS fingerprints are centrally shared by all connected parties in the DDoS-DB. A DDoS fingerprint is stored in JSON file format.

The Converter extracts DDoS fingerprints from DDoS-DB and converts them into mitigation rules that can be applied to network devices. Currently, IPTables and Snort are supported, but other types of rules are planned for the future.

The DDoS-DB stores the DDoS fingerprints of connected coalition parties and acts as a distribution point. Coalition parties can retrieve fingerprints automatically via an API. A front-end also allows them to read the DDoS-DB manually via their browser and search for specific DDoS fingerprints.

The DDoS Grid is a module of the DDoS Clearing House developed by the University of Zurich and compatible with the DDoS-DB. By integrating with this module, it is possible to visualize DDoS data from the DDoS-DB.

The IP Address Analyzer is a module of the DDoS Clearing House developed by the University of Twente and can also be linked to the DDoS-DB as a module. The IP Address Analyzer can then enrich raw DDoS fingerprints with additional data from semi-local and external datasets.

CONCORDIA is an EU research project consisting of universities, government organizations, and companies with the aim of increasing the EU’s cyber resilience. As part of the CONCORDIA project, coalition partners SIDN Labs, SURF and the University of Twente are collaborating to create a DDoS Clearing House for the EU that will then also be used in the Dutch Anti-DDoS Coalition. SIDN Labs is leading the development of the Clearing House and the pilots with the system in the CONCORDIA project.

In a Ransom-DDoS, an organization is attacked via a Distributed Denial of Service and the attackers then demand a ransom to stop the DDoS attack. In some cases, an organization receives an email with a threat even before the actual DDoS attack has taken place.

Criminals offer individuals and organizations DDoS attacks under the name ‘DDoS-as-a-service’. This involves an organization or individual paying to take another organization offline with a DDoS attack. These types of services are also known as ‘booters’.

A Botnet is a network of so-called ‘bots’. These are systems that cybercriminals have infected with malware. Among other things, criminals use the bots to carry out DDoS attacks, usually without the original owner of the system being aware of this. Botnets may vary in size, ranging up to several hundred thousand machines.