Honeypots and digital fingerprints for greater cybersecurity.
Professor Rossow, you run several honeypots as part of your cybersecurity research. How do you monitor them?
Christian Rossow: To potential attackers, our honeypots appear to be vulnerable servers, and we can trace the resulting attacks on a map. We see in real time where denial‑of‑service attacks are happening, where they originate, which technologies they use, and what’s actually going on. For us as researchers, that’s extremely interesting.
How does a distributed denial‑of‑service attack work, and what is it trying to achieve?
Attackers are essentially trying to overwhelm their target so that it can no longer respond. That might be an individual machine, but most of the attacks we observe target networks rather than single systems. When there’s too much traffic, legitimate traffic can no longer get through. Normal communication breaks down, and eventually the system goes offline.
DDoS attacks often hit companies directly. How do they become aware that something is wrong?
At the latest when people notice that emails aren’t getting through or normal communication suddenly stops working. Beyond that, if organisations are running anomaly detection and see a sudden spike in traffic on very unusual protocols, these attacks are actually relatively easy to detect. DDoS attacks are very “loud” simply because of the volume of traffic they generate.
Your research focuses on amplification attacks, which can cause a lot of damage with very little effort.
For attackers, that approach offers two clear advantages. They need very little bandwidth themselves, and they don’t send the attack traffic directly, which makes them much harder to trace.
Because they’re using legitimate servers as an attack vector.
Exactly. For efficiency reasons, many network services automatically send a response to any incoming request. Attackers exploit this normal behaviour by redirecting those responses and taking advantage of the fact that they are often much larger than the original requests.
Are there many vulnerable protocols?
We’ve now identified around 30 protocols that can be exploited in this way. They were all developed at a time when the internet was still emerging, and security simply wasn’t a primary concern. For example, these early protocols didn’t verify the sender address at all. Systems would respond straight away, simply because it was faster. DNS is one example, NTP is another. These are all legitimate and fundamental services. Without these protocols, the internet as we know it wouldn’t work.
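The reflection behaviour described in the two answers above (services answering any request without checking the sender, with responses larger than the requests) can be spotted from the victim's side by comparing bytes received from DNS/NTP servers against bytes actually sent to them. The following detector is an added example, not code from the interview or from Professor Rossow's research; the flow records, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Reflection services named in the interview (DNS, NTP). The port numbers
# are the standard service ports, not values taken from the interview.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    """One summarised UDP flow record (constructed, not real telemetry)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def detect_reflected_floods(flows, min_ratio=10.0, min_bytes=10_000):
    """Flag hosts that receive far more bytes from DNS/NTP servers than they
    ever sent to those servers. Reflected traffic arrives without a matching
    request from the victim, so the response/request byte ratio explodes."""
    sent = defaultdict(int)      # (host, service) -> bytes host sent to service
    received = defaultdict(int)  # (host, service) -> bytes host got from service
    for f in flows:
        if f.dst_port in AMPLIFIER_PORTS:      # host -> amplifier: a real request
            sent[(f.src_ip, AMPLIFIER_PORTS[f.dst_port])] += f.nbytes
        elif f.src_port in AMPLIFIER_PORTS:    # amplifier -> host: a response
            received[(f.dst_ip, AMPLIFIER_PORTS[f.src_port])] += f.nbytes
    alerts = {}
    for key, rx in received.items():
        tx = sent.get(key, 0)
        ratio = rx / tx if tx else float("inf")   # no request at all -> infinite
        if rx >= min_bytes and ratio >= min_ratio:
            alerts[key] = ratio
    return alerts


# Constructed sample: one host performs two ordinary DNS lookups, while a
# second host receives a burst of large NTP responses it never asked for.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51234, "192.0.2.53", 53, 60),
    Flow("192.0.2.53", 53, "10.0.0.5", 51234, 180),
    Flow("10.0.0.5", 51235, "192.0.2.53", 53, 60),
    Flow("192.0.2.53", 53, "10.0.0.5", 51235, 200),
] + [Flow(f"198.51.100.{i}", 123, "10.0.0.9", 80, 482) for i in range(1, 61)]

if __name__ == "__main__":
    for (host, service), ratio in detect_reflected_floods(SAMPLE_FLOWS).items():
        print(f"{host}: unsolicited {service} response traffic, ratio={ratio}")
```

The ordinary DNS client stays under both thresholds, whereas the host receiving 60 unsolicited NTP responses is flagged with an infinite ratio because it sent no request at all.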
But there are technologies today that can block DDoS attacks quite effectively, aren’t there?
Yes – but only up to a point. Even companies that invest in protection still fall victim to attacks. That’s partly because attack techniques keep evolving, but above all because attacks are growing in scale. There’s always a residual risk.
What is the most common motivation behind this kind of cyberattack?
Sabotage. The aim is to take critical services offline – services that society depends on and that quickly become a real problem when they’re no longer available.
And who has an interest in carrying out these attacks?
That’s the key question behind the most important part of my research. It’s about attribution – who’s actually behind an attack. We’ve developed a range of different methods to determine that, but fingerprinting has proven to be the most effective. It works very much like a traditional criminal investigation: every attack leaves a unique fingerprint. When attackers touch our honeypots, they reveal characteristic patterns. And when those same patterns appear again elsewhere, we can link the attack back to what we’ve already observed – including the same source IP address.
Why is attribution so important?
On the one hand, for law enforcement. On the other, for the wider economy – and ultimately for society as a whole. If we can identify those responsible and hold them to account, they cannot go on to target other organisations.
Do DDoS attacks pose any other challenges?
Yes, absolutely. I’ve already mentioned that DDoS attacks are very “loud”. And that noise can be used to distract responders. Sometimes attackers use a DDoS attack “just” to put an organisation under pressure, while quietly preparing or carrying out a completely different attack unnoticed.
These days, DDoS attacks can even be bought as a service, can’t they?
Yes – and for very little money. Prices start at around five euros, and even larger attacks may only cost a few hundred dollars. That’s one of the main reasons we see so many of these attacks.
Does AI already play a role here?
We’re certainly seeing AI play an increasingly important role across many areas of cybersecurity – but not specifically when it comes to DDoS attacks. More broadly, AI is accelerating and scaling the cat‑and‑mouse game between attackers and defenders and taking it to a new level. Both sides benefit from that. When it comes to DDoS attacks, AI‑based anomaly detection already makes them relatively easy to identify today.
That must give you some hope.
Yes – but as a researcher, I deliberately try to step away from this constant cat‑and‑mouse dynamic of attack and response. Instead, we want to work much more systematically on the root causes, for example by eliminating software vulnerabilities in the first place.
In other words, security by design.
Exactly. And that’s an area where researchers are very much in demand right now. I’m confident that over the next few years, we’ll make significant progress in moving away from this constant arms race.
But that’s the future. From a researcher’s perspective, what can companies do today?
Preparation is everything. Companies need to know their assets. They need to understand which systems could be attacked and which ones are particularly critical. And they need some kind of playbook in place for the event of a successful attack – setting out what needs to be done, who needs to be notified and which service providers to involve. Ideally, you’re not reaching out to those partners for the first time in the middle of an incident. They should already know you, and the call shouldn’t come out of the blue. And then there’s a third point that sounds so obvious you almost hesitate to say it out loud: you need fallback plans – and not just technical ones. In some cases, that can mean going back to pen and paper and working offline for ten days if necessary.
About.
Christian Rossow is Professor of Information Security at TU Dortmund University and a faculty member at the CISPA Helmholtz Center for Information Security. His research spans network, software and systems security, with a particular focus on DDoS attacks, malware analysis and software exploits. He previously held a professorship at Saarland University and was a postdoctoral researcher at VU Amsterdam.