DDoS attack resistance audits
Protection against DDoS attacks must be provided at many levels and adapted to each Client's individual environment.
General information

DoS and DDoS were among the first terms administrators used to describe threats to networks and to network services offered on the Internet, as early as the end of the 20th century. Ping of Death, Smurf and SYN flood attacks were responsible for a number of successful attempts to take services on the Internet offline. DoS stands for Denial-of-Service; the variant carried out from many sources simultaneously is called DDoS, Distributed Denial-of-Service. Nowadays, (D)DoS attacks are used more and more often to disrupt the largest services and websites belonging to banks, telecommunication companies and transaction portals, and they are often capable of blocking access for many hours or even days. For businesses, such unavailability means financial losses valued at many millions and often damage to an image they have been building for many years.

The effective fight against them is therefore not only a matter of evaluating the losses caused by temporary unavailability but a necessity on which the existence of a company depends.

Effective protection against DDoS attacks requires several security mechanisms applied together. The most widely used include:

  • Specialised anti-DDoS systems – based on traffic analysis and DDoS attack detection techniques. Such systems detect anomalies using statistical analysis, vendor-supplied signatures, malformed-packet analysis and behavioural analysis.
  • BGP-based systems – the BGP-4 routing protocol is configured so that traffic from the Autonomous Systems generating the attack can be blocked. For example, in the case of a massive DDoS attack coming mainly from foreign computers, traffic from foreign networks can be blocked temporarily while access for the clients of Polish operators is preserved. One of the techniques used here is so-called BGP Blackholing.
  • DNS redirection-based systems – a cloud-based method of protection. Instead of the target IP addresses, the DNS records point to the IP addresses of a cloud anti-DDoS provider. Such a provider has high-bandwidth connections and dedicated anti-DDoS tools. Attacks are thus directed at the provider's IP addresses; the provider filters out the harmful traffic and forwards only traffic unrelated to the attack to the real servers. However, there are known attacks that easily bypass many of the cloud-based solutions offered by providers.
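As an added illustration of the statistical anomaly detection mentioned in the first bullet (example code written for this page, not Apius's tooling or any product's algorithm), the snippet below learns a baseline of SYN packets per second from constructed flow summaries, flags seconds far above it, and uses the number of distinct source addresses to tell a single-source DoS from a distributed DDoS flood. The thresholds, the sample values and the tuple format are assumptions.

```python
# Added example: baseline-based SYN-rate anomaly detection over constructed
# per-second flow summaries. Not Apius's code; thresholds are assumptions.
from statistics import mean, pstdev

# Constructed sample: (second, syn_packets, distinct_source_addresses).
BASELINE = [(t, 120 + (t % 5) * 3, 40 + t % 4) for t in range(60)]
WINDOW = BASELINE + [
    (60, 150, 45),       # jitter above baseline, but not a flood
    (61, 48000, 52),     # flood from a handful of sources (DoS)
    (62, 90000, 7800),   # flood from thousands of sources (DDoS)
]


def classify(window, baseline, z_threshold=4.0, source_ratio=10.0):
    """Return [(second, verdict)] for seconds whose SYN rate is anomalous.

    verdict is "dos" when the burst comes from roughly the usual number of
    source addresses and "ddos" when the source count is itself anomalous.
    """
    rates = [r for _, r, _ in baseline]
    sources = [s for _, _, s in baseline]
    mu, sigma = mean(rates), pstdev(rates) or 1.0   # guard a flat baseline
    src_mu = mean(sources)
    verdicts = []
    for t, rate, src_count in window:
        z = (rate - mu) / sigma
        # A low-variance baseline makes z-scores fragile, so also require the
        # rate to be at least double the mean before calling it an anomaly.
        if z < z_threshold or rate < 2 * mu:
            continue
        verdict = "ddos" if src_count >= source_ratio * src_mu else "dos"
        verdicts.append((t, verdict))
    return verdicts


if __name__ == "__main__":
    for second, verdict in classify(WINDOW, BASELINE):
        print(f"second {second}: {verdict}")
```

The source-count check is what separates a flood that BGP blackholing of one origin could address from one spread over a botnet, where only upstream or specialised filtering helps.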

A common mistake is the belief that a DDoS attack can be stopped with systems such as a firewall, an IPS or router mechanisms. Systems based on stateful inspection are themselves susceptible to DoS attacks: such an attack exhausts the device's hardware resources, which blocks the device. Routers are often unable to process a large number of small, malformed packets; an attack using such packets not only saturates the link but in many cases crashes the router. Since most DDoS attacks saturate the link, it is optimal to deploy part of the anti-DDoS system on the telecommunication operator's side as well, so that the attack is stopped before it reaches the link to the Client.

Apius offers the following services to its Clients:

  • DDoS attack resistance audit,
  • implementation of systems of protection against DDoS attacks.

DDoS attack resistance audit

The following activities are carried out as part of the resistance audit:

  • verification of effectiveness of the implemented mechanisms (if the Client has any), for example, effectiveness of services purchased from external providers,
  • verification of the correctness of the Client's security procedures, for example, the procedures for internal communication (service desk) and notification about events, escalation, management of incidents,
  • practical tests of defence effectiveness.
Practical tests

A professional traffic generator is used to carry out the volumetric tests. This device can generate almost any volume of traffic and can simulate both classic network attacks and DoS/DDoS attacks. As with a botnet, the simulated DDoS attack can be launched from a very large number of source addresses. Apart from simulating attacks, the device can also simulate legitimate network traffic, for example a very large number of active sessions or HTTP requests. The sessions can be directed to real servers, but they can also be terminated on the same device (the device can act as both generator and receiver).

The generator described above is used to simulate real DoS/DDoS attacks on the tested server infrastructure, located in the Client's actual production Internet interface. The tests include simulated attacks in both the network layer and the application layer.

Usually, the tests involve 3 scenarios:

  • a test of the entire interface infrastructure,
  • tests conducted with the anti-DDoS protection device (if one exists) bypassed,
  • tests of individual interface elements – edge routers, firewalls, IPS sensors, load balancers, etc.

A simplified scenario for testing the entire Internet interface infrastructure is presented below. During the test, the traffic-generating device is connected to the Internet interface, and the test checks how the whole system reacts to the DDoS attack.

The figure below shows a model of a possible attack on the Client's resources created with the use of the traffic generator.

To test the system's reaction to a DDoS attack in a way that reflects a real attack from the Internet as closely as possible, the traffic generator should be installed at the Internet interface. An attack performed in this way verifies the operation of the entire network infrastructure. While the attack is generated, not only the resistance of the devices is checked but also their reaction and the way they raise the alarm about a real threat (logs, alerts, communication with other systems). Note that the detailed methodology of each audit differs and is always adapted to the individual needs of each Client.


The DDoS attack resistance audits enable:

  • elimination or minimisation of periods of business service unavailability during DDoS attacks,
  • improved performance of the elements to be protected against DDoS attacks,
  • elimination of errors in the architecture of the Internet interface.