Denial of Service

Scheme of a DDoS attack carried out using the DDoS client barbed wire

Denial of Service ( DoS ; English for "denial of service") describes in information technology the unavailability of an Internet service that should actually be available. The most common reason is the overload of the data network . This can be caused unintentionally or through a concentrated attack on the server or other components of the data network.

In the case of a willful service blockade caused by a large number of targeted requests, one speaks of a denial-of-service attack and, if the requests are carried out from a large number of computers, of a distributed denial-of-service attack ( DDoS attack , German literally distributed denial of service attack ). Since the requests for a DDoS attack come from a large number of sources, it is not possible to block the attacker without completely cutting off communication with the network.

Intentional server overloads

If an overload is caused willfully, it is usually done with the intention of rendering one or more of the services provided inoperable . While this was originally primarily a form of protest or vandalism, denial-of-service attacks are now being offered for sale by cyber criminals in order to harm competitors. Server operators are also blackmailed into paying money so that their Internet offer can be accessed again.

The Distributed Reflected Denial of Service attack (DRDoS attack) is a special form. In this case, the attacker does not address his data packets directly to the victim, but to regular internet services, but enters the victim's sender address ( IP spoofing ). The answers to these queries then represent the actual DoS attack for the victim. This procedure means that the attacked person can no longer directly determine the origin of the attack. An example of such an attack is the DNS amplification attack , in which the domain name system is misused as a reflector .

Email backscatter is used to fill a victim's email inbox using a similar process.

• August 2008: The website of Georgian President Mikheil Saakashvili is no longer accessible.
• Beginning of July 2009: South Korean and US government websites, shopping portals and intelligence services are temporarily unavailable after attacks. The remote-controlled accesses of up to 30,000 PCs infected with malicious software are said to have been involved in the attack.
• December 6 to 8, 2010: As a reaction to the blocking of WikiLeaks accounts at PostFinance as well as the payment services MasterCard, Visa, PayPal and Amazon, their websites were attacked and - with the exception of the Amazon site - were temporarily brought to their knees.
• May 18, 2012: The website of the city of Frankfurt am Main was attacked by Anonymous as part of the Blockupy protests and was temporarily no longer accessible.
• from September 2012: attacks on American banks
• March 19, 2013: A dispute between the Spamhaus platform and presumably the anonymous host Cyberbunker led to the currently largest known DDoS attack via DNS amplification / reflection, which was reported at short notice due to clever PR by Cloudflare , the Spamhaus website proxy became that he had "noticeably slowed the Internet down". With a DNS server requesting around 300 gigabits per second, this is unlikely , compared to peaks of 2.5 terabits / s in DE-CIX alone , and the Renesys specialist service classifies it as a “local attack”.
• October 21, 2016: The Internet service provider Dyn was the target of a DDoS attack from 7 a.m., starting on the east coast of the USA , which partially disabled the offers of well-known Dyn customers such as Twitter , Netflix , Spotify , Airbnb , Reddit and others. What was new about the attack, which came in waves over the course of the day, was that it apparently relied on an infrastructure of remote controlled devices belonging to the Internet of Things .
• February 28, 2018: The online service GitHub was hit by a new form of DDoS attack, the Memcached Amplification Attack , around noon . In doing so, 1.35 terabits of data were sent to the server per second. After 8 minutes the attack could be ended by intervention of the service provider Akamai .

If the sudden increase in inquiries to a website that has so far only been underfrequently frequented leads to its overloading and thus to refusal of service due to the reporting in a medium that attracts the public , this is also called the " slash dot effect " in online jargon by local readers and is sometimes jokingly called a DDoS attack compared. Another well-known example of this in German-speaking countries is the IT news site heise online and the "Heise effect" that occurs there occasionally. In addition, tweets from popular users of the Twitter network and retweets from their followers can lead to server-side failures.

• A general protective measure is the choice of secure passwords for routers , networks and networked devices in the Internet of Things .
• It is recommended to deactivate the UPnP function on routers and to block unused services in order to prevent the devices in a local network from being misused.
• In the case of minor overloads caused by only one or a few computers / senders, a service refusal can be carried out with the help of simple blacklists (usually a list of sender addresses). These blacklists are executed by a firewall : It discards data packets from IP addresses from this blacklist (or redirects them). Often a firewall can automatically recognize simple attacks and generate these block lists dynamically, for example, rate limiting of TCP -SYN- and ICMP packets. With rate limiting, however, no distinction is made between wanted and harmful requests.
• The use of SYN cookies reduces the effects of a SYN flooding attack.
• Analysis and filtering measures can be set up both on the affected computer and on the provider's border router . The latter is especially the more effective variant when the Internet access is overloaded.
• In addition, border routers should filter invalid sender addresses according to RFC 2267 in order to prevent DoS attacks that attempt to circumvent the blacklists via IP spoofing .
• If the attacker only knows the IP address of the affected computer, it is also possible to change it (with a PC at home, restarting the router would usually suffice). Takes place, however, a DoS attack on a public DNS - hostname and not the IP address alone, these measures will help only in the short term.
• When choosing the provider, it should be taken into account whether they explicitly offer basic protection against DDoS attacks. The basic protection is a combination of multiple Internet connections in the two- to three-digit Gbit / s range and specialized hardware for data flow analysis and defense against attacks at the application level .
• Another possible - but usually more expensive - countermeasure against overloads is what is known as server load distribution . The services provided are distributed to more than one physical computer with the help of various virtualization techniques .
• Since DNS amplification attacks have already reached attack volumes of more than 200 to 300 Gbit / s in the past, the only permanent option is to use a filter service. These are offered by several commercial providers, who necessarily have to have even stronger connections up to the terabit range. Even the largest attacks can be dealt with safely without disrupting your own data center. The services differ in the quality and size of the attacks that can be intercepted. However, the data protection situation must be observed. Many US providers route the data through the USA or the United Kingdom, which is not permitted with regard to order data processing according to the BDSG .

• In Germany, participation in DoS attacks as computer sabotage is threatened with up to three years imprisonment or a fine if the data input or transmission is intended to harm someone else and thereby data processing, according to Section 303b (1) StGB , which is essential to another is significantly disrupted. According to Section 303b (3) StGB, the attempt is also punishable. In addition, the preparation of a criminal offense according to § 303b Abs. 1 StGB itself is punishable, § 303b Abs. 5 StGB i. V. m. § 202c StGB. This includes in particular the production and distribution of computer programs for DoS attacks. In addition, the injured party can claim compensation. In the relationship between the access provider and the reseller , the Gelnhausen District Court is of the opinion that the contract risk regularly lies with the reseller, so that he is also liable to pay if the line is disrupted by a DDoS attack.
• In Austria, DoS or DDoS attacks can result in criminal offenses under Section 126a StGB (data corruption) and Section 126b StGB (disruption of the functionality of a computer system). The misuse of computer programs according to § 126c StGB is to be seen as a preparatory act for these offenses and is itself a criminal offense.
• In the UK , even downloading the LOIC software used in the attacks faces a two-year prison sentence.
• In Switzerland , DoS as rendering data unusable and data corruption is punishable under Art. 144 ^bis StGB and can be punished with a fine or a prison sentence of up to three years, in the case of qualification (major damage) with a prison sentence of one year to five years .

1. ↑ Shadow economy botnets - a million dollar business for cyber criminals. In: Viruslist.com
2. ^ Background report by Brian Krebs: Who Makes the IoT Things Under Attack? In: krebsonsecurity.com . Retrieved October 5, 2016.
3. ↑ Achim Sawall: Anonymous demands legalization of DDoS attacks. In: golem.de . January 10, 2013, accessed March 28, 2013.
4. ↑ Hack attack on Georgia: Voluntary attacks. In: Spiegel Online , August 14, 2008
5. ↑ Hacker attack on South Korea: Austria under suspicion. In: DiePresse.com , July 10, 2009
6. ^ "Shame on you, Postfinance" (update). In: 20min.ch. December 7, 2010, accessed December 7, 2010 . 
7. ↑ "Wikileaks opponents" bombed by hackers (update). (No longer available online.) In: 20min.ch. December 9, 2010, archived from the original on December 11, 2010 ; Retrieved December 9, 2010 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot / www.n24.de 
8. ↑ Anonymous attacks Frankfurt city website. ( Memento of the original from July 24, 2012 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. In: Frankfurter Blog , May 18, 2012 @1@ 2Template: Webachiv / IABot / frankfurter-blog.de
9. ^ Bank Hacking Was the Work of Iranians, Officials Say. In: nytimes.com
10. ↑ Gigantic DDoS attack: Spam dispute slows down the entire Internet. In: Spiegel Online , March 27, 2013
11. ↑ Spamhaus attack does not shake the Internet. In: golem.de , accessed on July 24, 2013.
12. ↑ Nicole Perlroth: Hackers Used New Weapons to Disrupt Major Websites Across US In: New York Times , October 21, 2016
13. ↑ "1.35 terabits per second: World's largest DDoS attack against Github" Der Standard from March 2, 2018
14. ↑ according to Sebastian Schreiber, managing director of the security specialist SySS
15. ↑ DDoS attacks are becoming more and more dangerous. In: VDInachrichten No. 20 , Technology & Economy, May 16, 2014, page 14
16. ↑ What is the "Slashdot Effect"? Section in the Slashdot FAQ, June 13, 2000
17. ↑ The curse of small pixels and inflationary commenting. In: Alles Roger , September 19, 2007
18. ↑ The HEISE effect. ( Memento of the original from August 25, 2017 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. In: jurabilis , February 20, 2008 @1@ 2Template: Webachiv / IABot / s9y.jurabilis.de
19. ↑ Twitter + Retweet = Twitter effect. In: netzwertig.com , February 6, 2009
20. ↑ ^{a b} The bot in the baby monitor. Federal Office for Information Security , October 24, 2016, accessed on October 27, 2016
21. ↑ Gröseling, Höfinger: Computer sabotage and apron criminalization - effects of the 41st StrÄndG to combat computer crime , MMR 2007, 626, 628f.
22. ↑ Ernst: Das neue Computerstrafrecht , NJW 2007, 2661, 2665.
23. ^ Stree / Hecker, in: Schönke / Schröder , 28th edition 2010, § 303b StGB margin no. 21st
24. ^ ^{A b} "Illegality" of LOIC-Tool in UK, Germany & Netherlands? In: netzpolitik.org . December 10, 2010, accessed December 10, 2010 . 
25. ^ AG Gelnhausen, ruling from October 6, 2005 - 51 C 202/05
26. ↑ DDoS investigation. In: Heise online . Retrieved February 23, 2017 .