DDoS attacks are evolving in both frequency and sophistication, and most businesses are stuck in the past with outdated cybersecurity measures. Firewalls? VPNs? Traditional DDoS mitigation? These defenses leave too many attack surfaces exposed and put you in reactive mode instead of being proactively prepared. And that’s exactly what cybercriminals are banking on.
Instead of reacting to attacks, you can move your web service onto the SCION Internet, which makes your service invisible to the public Internet and thus to cybercriminals. But let’s start by understanding what DDoS attacks are and how they impact your business’s website.
What a DDoS attack is and how it can pull down your network
The Internet is a Wild West of vulnerabilities. It was built for connectivity not security – and cybercriminals are exploiting that weakness every day to launch DDoS attacks.
According to the Swiss National Security Center, a DDoS (distributed denial-of-service) attack is a type of attack on computer systems that aims to make them unavailable – usually by overwhelming them with data. The volume of data often reaches several hundred Gbit/s. Generally, a single organization cannot cope with volumes of this size without external assistance. Unfortunately, firewalls and IPS (intrusion prevention systems) that have been configured to overcome DDoS attacks offer only limited assistance.
Globally, cybercriminals launched approximately 7.9 million DDoS attacks in the first half of 2024, representing a 12.81% change over 2H 2023 as announced by NetScout. Banking and financial services, utilities, healthcare, insurance and manufacturing are the top industry targets of DDoS attacks in the first half of 2024.
DDoS attacks come in many forms, but three stand out as the most destructive and difficult to defend against:
- Volumetric DDoS attacks: These types of attacks are one of the most widely used DDoS tactic because they’re cheap, easy to execute, and highly effective. With this approach, cybercriminals flood your bandwidth with junk traffic until your web server crashes. Traditional DDoS mitigation measures like firewalls and VPNs are not powerful enough to stop the sheer traffic volume – they simply get inundated.
- Protocol-based attacks: Unlike volumetric attacks, protocol-based attacks don’t rely on flooding a target with traffic. Instead, they exploit weaknesses in the way networks communicate, overwhelming servers with half-open connections. A common example is SYN flood attacks, where attackers initiate thousands of fake connection requests that never complete, leaving systems stuck.
- Application-based attacks: Known as ‘the silent killer of web services,’ this kind of attack goes straight for the brain of a system – its web applications, APIs, and backend services. Instead of attacking the network itself, these attacks overwhelm a website with an avalanche of seemingly legitimate requests designed to paralyze your services. During 1H of 2024, NetScout reported a +43% increase in application-layer attacks compared to 1H 2023 – demonstrating that this type of attack is growing in magnitude and ferocity.
DDoS attacks that made headlines in Switzerland
In the first semester of 2024, more than 43,000 DDoS attacks were reported in Switzerland. Here are two of the most recent DDoS attacks that targeted the government and financial sectors in Switzerland:
- January 2025: DDoS attack on Lucerne and the Cantonal Bank of Vaud during the WEF
Hacker group NoName057(16) carried out targeted attacks on financial institutions and government agencies. The problem was that the systems had public IPs (Internet Protocols) and were therefore visible to attackers.
- November 2024: DDoS attack on the Canton of Schwyz
A DDoS attack on the website of the Canton of Schwyz, plus various municipal sites in several cantons. The consequences were that public websites were unavailable for hours and the Federal Office for Cyber Security (BACS) and hosting providers had to take emergency measures to restore the websites.
Today’s DDoS mitigation solutions are not enough
Picture your network or website as a massive historic castle under siege. Your instinctive response? Build taller walls, reinforce the gates, and station more guards. The problem is, no matter how much you beef up your defenses, the castle remains visible, and attackers will keep searching for a way in.
The biggest problem is that your castle or network is on the Internet – meaning that it has a public IP. This is like a bonfire neon sign, burning bright for cybercriminals who constantly scan the Internet for exposed targets. Once they find yours? Easy – you become the victim of a DDoS attack. And by the time traditional DDoS mitigation kicks in, the attack is already underway.
Ever notice your website lagging after an attack? That’s because your traditional DDoS protection is choking your bandwidth, struggling to filter out the flood while keeping legitimate traffic flowing. It’s not prevention – it’s a last-minute scramble.
Why traditional DDoS mitigation fails
Firewalls & VPNs: Exposed, vulnerable, and even zero-days
- Firewalls & VPNs are not designed for DDoS mitigation but for access control.
- VPNs expose public endpoints, making them an easy target for volumetric and protocol-based DDoS attacks.
- Recent zero-day exploits (see Fortinet, SonicWall, Palo Alto) show that attackers can bypass authentication and gain control.
DDoS Mitigation Services: Reactive, expensive, not always effective
- Services like Cloudflare, Akamai, Arbor, or ISP scrubbing centers detect and filter DDoS traffic.
- Challenge: They act after the attack has started, meaning there is always a period of disruption before mitigation begins.
- High costs: Enterprise-level mitigation can cost thousands per month, and sophisticated attackers find ways to bypass rate limits.
BGP Redirection: Can be manipulated by attackers
- BGP can also be used to redirect traffic during a DDoS attack to scrubbing centers to filter out malicious traffic.
- However, this technique can be infiltrated by cybercriminals before you are even aware they are there.
How to prevent DDoS attacks with SCION
SCION completely changes the situation. Instead of trying to fortify an exposed network, SCION makes your infrastructure invisible to attackers, removing public entry points entirely. No exposed entry. No way in.
If attackers can’t see your castle or network, they can’t target you – and that’s exactly how SCION keeps your business secure. Instead of endlessly fortifying traditional defenses, SCION removes the castle from the battlefield entirely – no vulnerable gates. No exposed entry points. No way for attackers to even see, let alone target, what they want to destroy.
Strengthening your network security starts with minimizing the attack surface. You can secure your critical services within the SCION network – on a server or on the cloud – via Anapaya EDGE, and allow access only to selected SCIONabled ISPs and their users via Anapaya GATE.
SCION is not just stronger security – it’s a fundamental shift in how we think about protecting websites, especially across critical infrastructure:
- No exposed public IPs: SCION services operate within a secure network, hiding critical infrastructure from attackers.
- Custom traffic routing: Businesses can choose which ISPs handle their traffic, thus reducing exposure to bad actors operating on the public Internet.
- Prevents DDoS attacks: If bad actors can’t find you because your attack surface is now reduced by up to 99%, they can’t attack you.
- Proactive approach: SCION isn’t exposed to the Internet like traditional DDoS mitigation solutions. Instead, it operates within ISP networks, shielding it from direct attacks, which means that attacks occur at the ISP level, not at the web service level.
Anapaya GATE itself is not a panacea against all kinds of DDoS attacks. An attacker within the SCION network, where the protected web service is exposed, can still attempt to exploit vulnerabilities; however, identifying and legally prosecuting the culprits, as well as swiftly blocking the attack, would be easier.
If the web service needs to be visible on the public Internet beyond the reach of the selected Anapaya GATE providers, SCION Internet remains an effective solution; in the event of a DDoS attack, access from the Internet can be quickly disconnected, while the vast majority of users still retain access to the web portal through the Anapaya GATE service. This mechanism is extremely powerful in ensuring the availability of a critical service even under attack.
SCION + traditional DDoS mitigation solutions = always-on website
- SCION is not a traditional DDoS protection: SCION does not block attacks but eliminates the target by removing public exposure.
- A hybrid approach delivers the best security: Combining SCION with existing DDoS protections enhances resilience and significantly minimizes risk.
- Proactive security instead of reactive mitigation: SCION prevents threats before they happen – no need to filter attacks that never reach you.
This is game-changing cybersecurity.
Forget playing defense – SCION rewrites the rules of online security by eliminating the need for constant troubleshooting. Here’s three main reasons why it is a must-have for any organization that is serious about protecting its infrastructure:
- No attack surface means no problem. If cybercriminals can’t see your infrastructure, they can’t attack it. SCION removes your systems from the Internet, making them invisible to bad actors.
- Stops attacks before they even start! Why waste time reacting to threats when you can prevent them entirely? SCION is built for proactive security, eliminating risk instead of just managing it.
- SCION plays well with your existing security stack. SCION doesn’t replace your firewalls, VPNs, or DDoS protection – it supercharges them. Think of it as the missing layer that locks down your most critical assets.
Businesses relying on outdated, reactive DDoS defenses are falling behind. It’s time to elevate your DDoS defense with SCION.
Book a demo today and take the first step toward securing your website.
