Denial of Service: Protection against DDoS attacks

Some VPN providers promise “DDoS Protection” along with their service. In the context of a VPN provider this can be misleading, so we want to explain what it actually means.

What exactly is a DDoS attack?

There are various kinds of DDoS attacks, and they differ in severity. For most home connections, a simple attack is enough to cut the Internet connection. More sophisticated methods, such as botnets combined with so-called amplification (sending requests with a spoofed source address to publicly reachable services like DNS or NTP servers, whose replies are many times larger than the request and are delivered to the victim), can bring down just about any server. Last year, a DDoS attack using 150,000 IoT cameras generated over 1 terabit/s of traffic. Martin McKeay, a member of Akamai’s security intelligence team, says: “You’re going to see brownouts, sections where a data center, an ISP, a region, may have so much traffic that it takes down that region.”

The gist of this is that there is no adequate defense against serious DDoS attacks. However, this is not what a normal user needs to worry about. Nobody will commit a botnet to targeting an individual user; it is simply not necessary to go “full force” against a home Internet connection.

However, home connections are susceptible to much weaker attacks, and in some cases the attack does not even need to be distributed: an attacker with access to a single server with a bandwidth of one gigabit or more (such machines can be rented from Amazon, for instance) can saturate the downlink of most home connections.

But to do that he obviously needs the IP address of the victim. And this is where a VPN comes into play: Since the VPN masks your IP, an attacker will only be able to find out the IP address of the VPN server.

Therefore, any VPN protects against DDoS to some degree simply because VPN servers are generally much better connected than a typical home connection. And even if the attacker succeeds in taking down the VPN server you are using, you can just switch to another one. Perfect Privacy provides over 25 servers with gigabit connections, and you can freely switch between them at any time – something that is not a given with all VPN providers.

Who is at risk?

As previously mentioned, before a DDoS attack can occur, the attacker needs to know the target’s IP address, and this is only possible under certain circumstances. Some VPN providers advertise their “DDoS Protection” as an advantage for gamers. However, the vast majority of multiplayer games never show your IP to other players; this applies to all big gaming platforms like Steam, EA or Ubisoft. The exceptions are games with peer-to-peer netcode, where clients connect to each other directly and every peer necessarily learns the others’ addresses. In the gaming context a more common problem is that the game servers themselves are being attacked, but then of course using a VPN will not make any difference.

There are not many services and protocols that display the IP addresses of other users, and most of those were developed in the last millennium. For instance, some IRC networks (e.g. EFnet) always publish the IP addresses of all users, although modern IRC networks usually offer an option to mask your IP address. Torrent clients also display the IP addresses of all peers, because the protocol requires peers to connect to each other directly; but if you are downloading torrents, for obvious reasons you will want to use a VPN anyway.

The most common method to find another user’s IP address is to trick them into visiting a website under the attacker’s control: the web server sees the source address of every connection made to it, and the link can be delivered by email, social media or chat message.

But in such a scenario there are much bigger risks than being targeted by a denial of service attack: by exploiting security vulnerabilities in the browser, an attacker may be able to take full control of the target computer. This is also the reason why you should never open dubious links “recommended” by strangers.
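To make concrete what such an attacker-controlled website actually learns, here is a minimal WSGI application that serves a 1x1 image and records the address each visitor connected from. This is an added example written for this article, not code from Perfect Privacy; the function names, the in-memory VISITS log and the sample addresses used to exercise it are made up. The point it illustrates: the server only ever sees the address of the TCP connection (REMOTE_ADDR), which is the visitor’s public IP, or the VPN server’s IP when the visitor is tunnelled. Request headers such as X-Forwarded-For can be set to anything by the client and therefore do not reveal the real address, so the logger only trusts them when the connection comes from a proxy the operator runs.

```python
"""Added example: what a web server learns about a visitor's IP address.

Every HTTP request arrives over a TCP connection whose peer address the server
reads from the socket. That address is the visitor's public IP, or the VPN
exit address when the visitor is tunnelled through a VPN. Nothing else is
needed; a single GET for a tiny image is enough. All names here are made up
for this example.
"""
from wsgiref.simple_server import make_server

# Constructed in-memory log of (path, ip) tuples; stands in for a logfile.
VISITS = []

# Addresses of reverse proxies the operator controls (assumed empty here).
TRUSTED_PROXIES = set()


def client_ip(environ):
    """Return the address the visitor is identified by.

    REMOTE_ADDR is filled in by the server from the TCP connection and cannot
    be chosen by the visitor. X-Forwarded-For is an ordinary request header
    that any client may send with an arbitrary value, so it is honoured only
    when the connection itself comes from one of our own proxies.
    """
    remote = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if remote in TRUSTED_PROXIES and forwarded:
        # The rightmost entry was appended by our own proxy; earlier entries
        # were supplied by the client and are not trustworthy.
        return forwarded.split(",")[-1].strip()
    return remote


def record_visit(environ):
    """Log the visitor and return the recorded (path, ip) tuple."""
    entry = (environ.get("PATH_INFO", "/"), client_ip(environ))
    VISITS.append(entry)
    return entry


def app(environ, start_response):
    """WSGI app: serve a 1x1 GIF ("tracking pixel") and log who fetched it."""
    record_visit(environ)
    # Smallest valid GIF (1x1, transparent); a constructed constant.
    gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
           b"\x00\x02\x02D\x01\x00;")
    start_response("200 OK", [("Content-Type", "image/gif"),
                              ("Content-Length", str(len(gif)))])
    return [gif]


if __name__ == "__main__":
    # Run locally and open http://127.0.0.1:8080/pixel.gif in a browser;
    # VISITS then holds the address the browser connected from.
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("serving on 127.0.0.1:8080; visits are recorded in VISITS")
        httpd.serve_forever()
```

Run it on a machine with a public address and fetch the image once with the VPN disconnected and once with it connected: the first entry in VISITS is your home IP, the second is the VPN server’s. That difference is the entire protective effect the article describes.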

So for home users the threat of a DDoS attack is more theoretical than real. And since using a VPN reduces this risk by design, we at Perfect Privacy never considered advertising it as a “feature”.