So-called DDoS attacks (Distributed Denial of Service) on IT infrastructures are on the rise – even authorities and critical infrastructures are affected. Can the SCION technology developed in Switzerland prevent the shutdown of Internet services in the future?
DDoS attacks are on everyone’s lips: according to Radware’s 2022-2023 Global Threat Analysis Report, DDoS attacks increased by 150% in 2022 compared to the previous year. In the war in Ukraine, ongoing since February 2022, DDoS is part of the warfare, according to UK authorities. And in Switzerland, a recent DDoS attack on the Swiss federal administration has caused quite a stir.
Given this threat, the inevitable question is how to protect against such attacks. New approaches to defending against DDoS attacks could be provided by an emerging Internet architecture called SCION. To assess the extent to which DDoS attacks can be reduced or possibly prevented by SCION, a basic understanding of DDoS is first necessary.
DDoS – Orchestrating an Internet Congestion
The attacks known as Distributed Denial of Service (DDoS) target the availability of an Internet service by having as many computers (known as bots) as possible overwhelm the service with requests at the same time. If an attacker controls enough bots, the resulting Internet congestion can shut down a website or other Internet service for an extended period of time.
DDoS attacks can be carried out in several ways. We therefore divide the attack vectors into three categories:
- Network-based (“volumetric”) attacks: As many data packets as possible are sent to the attacked server or network so that the available bandwidth is completely used up. Legitimate requests can therefore no longer be put through.
- Protocol-based attacks: Basic security deficiencies in current Internet protocols such as TCP and IP are exploited to use up the network resources of a server exposed on the Internet or to simplify volumetric attacks. An example of such attacks is SYN flooding.
- Application-based attacks: To shut down a service over the Internet, the Internet connection itself does not necessarily have to be attacked. If an Internet application does not restrict requests to computationally or memory-intensive functions (e.g., database queries), the available computing power or memory of a server can quickly be depleted. In this way, even systems that are not directly accessible via the Internet (e.g., a database server) can be attacked.
However, as a closer look at SCION shows, only a portion of the DDoS attack vectors listed above can be prevented or made more difficult by the SCION Internet architecture.
SCION – Internet Security From Switzerland
The SCION Internet architecture was developed at ETH Zurich and is designed to increase the efficiency, scalability and security of the Internet. In a way, SCION brings the Internet into the 21st century, because most of the Internet protocols in use today date back to its early days. At that time, far less attention was paid to data security than is the case today. This is evidenced by numerous security risks on the Internet, which SCION aims to remedy: In addition to the DDoS attacks discussed here, this also applies, for example, to BGP hijacking.
As is well known, the Internet is a huge network of computers that are connected to each other. SCION redefines the way in which data packets are sent from one computer to another. In contrast to the current Internet architecture, the path that a data packet takes on its journey through the Internet is no longer determined dynamically by the network, but is chosen in advance by the sender. This paradigm shift opens up new possibilities in combating network-based DDoS attacks, such as quickly switching data transfer to Internet lines that are still functioning in the event of an attack. Network-based DDoS is thus made more difficult by the use of SCION, but not impossible. SCION therefore offers optional additional measures, e.g., the reservation of a DDoS-protected minimum bandwidth between two SCION networks. However, it is questionable whether a measure like this can also be implemented for publicly accessible services such as government websites, since access to public services by definition cannot be restricted to specific authorized users. The lack of such a restriction in turn means that the bandwidth reserved for a particular network can itself be attacked by bots within that network using DDoS. Furthermore, the question arises as to who would bear the costs for the reserved Internet bandwidth in such a case.
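A small model of the sender-chosen path selection described above, added here as an illustration and not SCION's own code or API: the sender holds several candidate paths to the destination, measures the bottleneck headroom of each, and switches away from a path whose link is being saturated by a flood. Link names, capacities, path sets and load figures are all constructed for this example.

```python
# Constructed topology: inter-domain links with capacity in Gbit/s (invented values).
LINKS = {
    "A-B": 10.0, "B-D": 10.0,
    "A-C": 5.0,  "C-D": 5.0,
    "B-C": 8.0,
}
# Candidate paths from A to D that the sender fixes in advance (constructed).
PATHS = {
    "p1": ["A-B", "B-D"],
    "p2": ["A-C", "C-D"],
    "p3": ["A-B", "B-C", "C-D"],
}


def path_headroom(path, load):
    """Remaining capacity at the path's bottleneck link; <= 0 means congested."""
    return min(LINKS[link] - load.get(link, 0.0) for link in path)


class PathAwareSender:
    """Picks the path with the most headroom and reroutes when a link saturates."""

    def __init__(self, paths, demand):
        self.paths = paths
        self.demand = demand      # bandwidth this sender needs, Gbit/s
        self.active = None        # name of the path currently in use

    def choose(self, load):
        """Best path that can still carry the demand, or None if none can."""
        usable = {}
        for name, path in self.paths.items():
            headroom = path_headroom(path, load)
            if headroom >= self.demand:
                usable[name] = headroom
        if not usable:
            return None
        return max(usable, key=usable.get)

    def send(self, load):
        """Return (active_path, rerouted) after reacting to current link load."""
        if self.active and path_headroom(self.paths[self.active], load) >= self.demand:
            return self.active, False          # current path still fine, keep it
        new = self.choose(load)
        rerouted = self.active is not None and new != self.active
        self.active = new
        return new, rerouted
```

With dynamic, network-determined routing the sender in this model would have no equivalent of `choose()`; it would have to wait for the network to converge.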
By replacing some of the existing Internet protocols with more secure ones, SCION can also prevent some protocol-based DDoS attacks. For example, with SCION the sender address of a data packet can no longer be arbitrarily forged – this so-called address spoofing is otherwise a means of amplifying the extent of volumetric DDoS attacks. However, other protocol-based attack vectors such as the SYN flooding mentioned earlier still cannot be ruled out with SCION.
While the risk from the two previous DDoS categories can be at least partially reduced by using the SCION Internet architecture, this is not the case with application-based DDoS attacks, because the application logic is independent of the network architecture used. DDoS vulnerabilities that can be traced back to the application can, however, be found with the help of technical security audits and then remedied by adapting the software.
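The application-based vector described above (an expensive function such as a database search that any client may call without restriction) and the software-side remedy this paragraph mentions, as an added example that is not code from the article or from any product it names: the unrestricted handler is shown beside a hardened one that rate-limits per client and bounds the work a single call may do. The token-bucket parameters, the scan cap and the in-memory "database" are constructed for the illustration.

```python
import time
from collections import defaultdict

# Constructed parameters for this illustration (not values from the article).
MAX_SCAN_PER_REQUEST = 1_000   # rows one call may scan before it is cut short
CAPACITY = 5                   # token bucket: burst allowance per client
REFILL_PER_SECOND = 1.0        # token bucket: sustained requests per second

def unrestricted_search(db, term):
    """Vulnerable pattern: any caller can trigger a full scan, unbounded."""
    return [row for row in db if term in row]


class ClientLimiter:
    """Token-bucket limiter keyed by client identity (e.g. source address)."""

    def __init__(self, now=time.monotonic):
        self.now = now                   # injectable clock for testing
        self.tokens = defaultdict(lambda: float(CAPACITY))
        self.last = {}

    def allow(self, client):
        t = self.now()
        elapsed = t - self.last.get(client, t)
        self.last[client] = t
        self.tokens[client] = min(CAPACITY, self.tokens[client] + elapsed * REFILL_PER_SECOND)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


def limited_search(db, term, client, limiter, page_size=100):
    """Hardened pattern: per-client rate limit plus a bound on work per call."""
    if not limiter.allow(client):
        return {"status": 429, "rows": [], "scanned": 0, "truncated": False}
    if len(term) < 3:   # refuse queries that are cheap to send but expensive to serve
        return {"status": 400, "rows": [], "scanned": 0, "truncated": False}
    rows, scanned, truncated = [], 0, False
    for row in db:
        if scanned >= MAX_SCAN_PER_REQUEST:
            truncated = True             # stop instead of exhausting the server
            break
        scanned += 1
        if term in row:
            rows.append(row)
            if len(rows) >= page_size:
                break
    return {"status": 200, "rows": rows, "scanned": scanned, "truncated": truncated}
```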
How to Protect Against DDoS Attacks
Just as DDoS attacks can consist of a mix of different attack vectors, sustainable DDoS risk management should also consist of a mix of complementary protective measures:
- Analyze the attack surface of your IT network and the damage that a DDoS attack could do to one or more of your systems.
- Minimize your attack surface by only making absolutely necessary services accessible from the Internet.
- For your critical infrastructure, work with redundant systems that can be activated in the event of a system failure. Back up your data and practice its recovery.
- Also check the possibility of redundant Internet connections through different Internet service providers (ISPs).
- Evaluate different DDoS protection solutions (Cloudflare, Akamai, etc.) including load balancers, all the while avoiding a “cluster risk” should other companies that need the same service from the same provider or ISP become the target of a DDoS attack.
- SCION can be part of your DDoS strategy, but it does not have to be (yet). Today, SCION is most likely to offer added value in regional or global IT networks that are closed to the outside world, as is the case, for example, with the Secure Swiss Finance Network (SSFN) or with international companies. In such networks, it is ensured that all network participants have a SCION connection. This way, communication between participants is guaranteed to be more secure than if only one end of a connection were on SCION.
- Have your externally accessible Internet services audited regularly by security experts. This will help you find not only possible DDoS vulnerabilities in your application logic, but also other vulnerabilities that are relevant to your security.
Conclusion
DDoS attacks pose a serious threat to enterprises, government agencies and critical infrastructures. SCION offers increased protection against network-based and protocol-based DDoS compared to the current Internet architecture, but it is not a panacea against all DDoS attacks either. Application-based DDoS attack vectors in particular cannot be prevented by adjustments to the network architecture, but only by adjustments to the application logic.
True to its motto “together against cyberattacks”, Oneconsult welcomes every development that advances the security of its customers. If you want to protect your company more sustainably against DDoS and other cyberattacks – with or without SCION – we are happy to support and advise you. Our security experts look forward to hearing from you!