Elementary Threat · BSI IT-Grundschutz

G 0.40 — Denial of Service

Reviewed by: Cenedril Editorial

Friday evening, 6:30 PM: The online shop of a mid-sized retailer suddenly becomes unreachable. Within minutes, millions of requests flood the servers. Customer service is helpless, the IT department is out for the weekend. When the shop comes back online on Monday, three days of revenue are lost — along with the trust of many long-standing customers.

Denial of service ranks among the oldest and most persistent forms of attack on the internet. The BSI lists it as elementary threat G 0.40. Attacks of this kind are technically simple to carry out but extremely costly for those affected.

What’s behind it?

DoS attacks aim to render a service, a function or an entire system unusable for legitimate users. The attacker deliberately consumes resources that should normally be available to regular users: bandwidth, CPU time, memory, connection quotas or disk capacity.

The motivation behind such attacks is broad. Disgruntled employees, competitors, extortionists and politically motivated groups all use DoS attacks. Booter services on the darknet allow even technically inexperienced perpetrators to direct massive traffic at a target.

Attack vectors

  • Volumetric attacks — the target’s internet connection is flooded with garbage traffic. UDP floods, DNS amplification and NTP reflection are common methods. Attack volumes of several hundred Gbit/s have been documented.
  • Protocol attacks — SYN floods, Ping of Death or Smurf attacks exploit weaknesses in network protocols to exhaust the connection tables of firewalls and load balancers.
  • Application-layer attacks — these target resource-intensive operations at the application layer (e.g. complex database queries, login pages). Such attacks require comparatively little bandwidth and are hard to distinguish from legitimate traffic.
  • Physical DoS attacks — availability can also be sabotaged without any IT involvement: blocked building entrances, interrupted power supply or disrupted telephone systems.

Impact

The cost of a DoS attack often exceeds pure lost revenue many times over. On top of the direct loss of business come costs for incident response, communication with customers and partners, possible SLA violations and reputational damage. In critical infrastructure, service unavailability can also endanger people’s health and safety.

Practical examples

DDoS extortion against a logistics provider. A courier service receives an email announcing an attack unless payment in cryptocurrency is made within 48 hours. When the company fails to respond, the shipment-tracking portal goes offline — customers can no longer track their deliveries, dispatchers lose oversight. The provider has no DDoS mitigation service under contract; recovery takes two days.

Application-layer attack on a job application portal. An HR services provider notices that its application portal is responding extremely slowly. The cause: thousands of automated requests simultaneously generate computationally expensive PDFs in the backend. CPU load on the application servers sits at 100%. Rate limiting would have contained the attack within seconds.
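The rate limiting that would have contained the attack above, as an added example that is not part of the Cenedril page: a per-client token bucket placed in front of the expensive PDF render. The client key, bucket size and refill rate are illustrative assumptions, and `handle_pdf_request` stands in for the real endpoint.

```python
import time
from typing import Optional

class TokenBucket:
    """Per-client bucket: `capacity` requests of burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity      # start full so a new client gets its burst allowance
        self.updated = now

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then consume one token if one is available."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class RateLimiter:
    """One bucket per client key (assumption: session id or source address)."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def check(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.allow(now)

def handle_pdf_request(limiter: RateLimiter, client: str, now: Optional[float] = None) -> int:
    """Gate the expensive render: 429 when the client's budget is spent, else 200."""
    if not limiter.check(client, now):
        return 429          # Too Many Requests; the costly PDF render never starts
    return 200              # a hypothetical render_pdf() would run here

def simulate_burst(limiter: RateLimiter, client: str, requests: int, at: float):
    """Fire `requests` back-to-back at time `at`; return (served, rejected)."""
    served = sum(1 for _ in range(requests) if handle_pdf_request(limiter, client, at) == 200)
    return served, requests - served
```

With a capacity of 5 and a refill of one request per second, a script firing 1000 requests gets 5 renders and 995 immediate 429s, while a normal user on another key is unaffected.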

Telephone DoS against a medical practice. The phone system of a large joint medical practice is flooded with automated calls. Patients cannot arrange appointments, emergencies are not put through. The case shows that DoS is not limited to internet services.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 14 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.40 with the following modules:

  • NET.1.1 (Network architecture and design) — segmentation and redundant connections reduce the attack surface.
  • NET.3.1 (Routers and switches) — hardening and filtering at the network layer.
  • DER.1 (Detecting security-relevant events) — detection of unusual traffic patterns.
  • SYS.1.6 (Containerisation) — resource limits and isolation prevent an overloaded container from affecting other services.
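A minimal form of the traffic-pattern detection that DER.1 (together with the A.8.15 logging and A.8.16 monitoring controls) calls for, added here as an example rather than taken from the page: a sliding-window count of requests per source over web server access logs, optionally restricted to one expensive endpoint. The log lines are constructed with RFC 5737 documentation addresses, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line; the regex captures only the fields used below.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Return {src, ts (epoch seconds), path, status} or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return {"src": m["src"], "ts": ts, "path": m["path"], "status": int(m["status"])}

def find_abusive_sources(lines, window_sec=10, max_per_window=20, path_prefix=None):
    """Map source -> peak request count in any sliding window, for sources over the limit.
    path_prefix restricts the count to one expensive endpoint (e.g. the PDF renderer)."""
    per_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        if path_prefix is None or e["path"].startswith(path_prefix):
            per_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):          # two-pointer sliding window
            while t - times[lo] >= window_sec:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_per_window:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed sample (RFC 5737 addresses): one script hitting the PDF
    endpoint 12 times per second, one normal user with a few requests."""
    pdf = '"POST /api/report/pdf HTTP/1.1" 200 51234 "-"'
    lines = [f'203.0.113.5 - - [10/Oct/2023:13:55:{i // 12:02d} +0000] {pdf} "python-requests/2.31"'
             for i in range(60)]
    lines += [f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] {pdf} "Mozilla/5.0"'
              for s in (0, 30, 59)]
    lines.append('198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /jobs HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')
    return lines
```

The threshold should be derived from measured legitimate peaks per endpoint; the same scan with a wider window and a lower limit also flags the normal user, which is the false-positive trade-off any such rule carries.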

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.29 Information security during disruption
  • A.8.1 User endpoint devices
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering

Frequently asked questions

What is the difference between DoS and DDoS?

In a DoS attack (Denial of Service) the attack originates from a single source. In a DDoS attack (Distributed Denial of Service) thousands of compromised systems (a botnet) coordinate the attack simultaneously. DDoS attacks therefore bring many times the bandwidth of a single source to bear and are far harder to defend against.

Can small companies also be the target of a DDoS attack?

Yes. DDoS-as-a-service platforms can be booked for a few euros per hour. Motives range from extortion through competitive sabotage to diversions for parallel attacks. Company size does not protect against an attack.

How long does a typical DDoS attack last?

The duration varies considerably, from a few minutes (stress test by script kiddies) to several days for targeted extortion attacks. What matters for the impact is less the absolute duration than the time until successful mitigation.