Have you ever wondered how it is possible that a major Russian state television channel falls victim to a hacking attack from Ukraine? How is it possible that a large nuclear power plant in Iran is paralyzed as a result of a cyberattack carried out by the intelligence services of Israel and the United States?¹ Can it be explained how North Korean hackers managed to break into the servers of one of the largest American film studios and paralyze the premiere of a comedy mocking the North Korean regime?²
Many countries have proven that if they want to launch a cyberattack, they will. It seems there is no escape from such an attack. But is that really true?
During Vladimir Putin’s visit to Kazakhstan in November 2024, an incident occurred in the country’s capital, Astana. On one of the large advertising screens in the city center, the Ukrainian flag was suddenly displayed, raising suspicions of a hacker attack. How is it possible that Kazakhstan, Russia, and the United States — even expecting such an attack — were unable to stop it? These are countries with vast resources, employing excellent IT specialists and cybersecurity experts.
What Is Cyberattack Protection?
Let us imagine a public facility — a potential victim of a hacker attack (for example, a bank, a tax office, or a government television station). It can be compared to a great medieval city surrounded by walls and a moat, with four gates through which people enter and exit. The guards carefully observe the movement and are able to quickly stop suspicious persons or even close the gates. So how could such a city be conquered or paralyzed?
What if a miracle happened in the city and thousands of pilgrims appeared? The city would be paralyzed in a short time. Because of the crowds, it would be impossible to close the gates, and the city would stop functioning normally.
There is a legend describing the cunning capture of the then-Czech city of Kraków by the armies of Mieszko I in the year 990. According to it, Mieszko I ordered his best warriors to hide in wagons that entered the stronghold under the pretext of delivering goods or tribute. When the wagons were inside the city walls, the hidden soldiers emerged, surprised the guards, and opened the gates for the rest of the army, allowing them to take control of Kraków.
Why Compare a City to Servers?
We can recall other stories where cities were depopulated by epidemics or famines. Every method of taking over a city described here has its counterpart in the way servers are attacked.
Why do I compare a city to servers? Because in both medieval cities and modern servers there is intense movement. Despite existing walls and barriers, there is constant exchange of goods and services with the outside world. In cities, this movement involved people, trade, and travelers. In servers, what is exchanged is information — not only emails but also system protocols and commands from the outside, which cannot be blocked or delayed at the gates.
Attacks on medieval cities and modern servers, in terms of how they work, their effects, and their characteristic features, share far-reaching similarities.
What Is a DDoS Attack?
A DDoS (Distributed Denial of Service) attack is a type of cyberattack in which many infected or hostile devices (for example, computers or IoT devices acting as bots in a botnet) simultaneously send a massive number of requests or packets to a chosen online service (such as a website, game server, or mail server).
It’s as if, instead of 100 or 200 merchants arriving at a typical medieval city surrounded by walls, 20,000 came. The city becomes paralyzed.
The goal is to overload the server or network connection so that ordinary users cannot use it. In other words, it is about flooding the server with a gigantic number of requests. This leads to slowdowns or the complete exhaustion of the server’s resources. As a result, the server becomes paralyzed.
Two characteristic features of a DDoS attack are:
- The attack is distributed — it comes from many sources (hundreds, thousands, or millions of devices), making it difficult to identify and block malicious traffic.
- Such attacks use botnets — networks of infected computers, servers, or IoT devices (for example, webcams).
Examples of DDoS Attacks
Volume-Based Attack
This is a situation where an enormous number of “empty” queries or other data is sent to a server or website, blocking the entire internet connection. It’s like thousands of people calling the same phone number at once — the line is jammed, and no one else can get through.
This kind of attack often uses simple methods such as floods of UDP or ICMP packets³. The sheer quantity of data makes the server unable to handle it, causing it to freeze.
Protocol Attack
Imagine someone calls an emergency line and never hangs up. For some reason, the operator cannot end the call either, so the line is blocked. Hundreds or thousands of “fake clients” could be doing the same thing at once.
A typical protocol attack of this kind is the SYN Flood. To understand it, one must know how servers “talk” to each other. The protocol devices use to set up a connection is TCP, which begins every connection with a “three-way handshake.”
To connect to a server, a computer first sends a SYN signal (“I want to connect”), the server responds with SYN-ACK (“Okay, I’m waiting for confirmation”), and then the client sends ACK (“Confirmed — let’s start talking”).
In a SYN Flood attack, the hacker sends out massive amounts of those first SYN signals but never finishes the connection. The server must reserve resources for each unfinished request — it “waits for the client,” but the client never responds.
If there are many such fake requests, the server becomes overloaded and paralyzed. These “protocol” attacks exploit weaknesses or specific characteristics of how computers communicate. Hackers flood the server with fake connection attempts, leading to its blockage.
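The handshake described above from the defender's side, as an added example that is not code from the original article: the script tracks handshakes a client began with SYN but never completed with ACK, using constructed packet summaries, and flags the source that holds far more stale half-open connections than any ordinary client. Addresses, the timeout and the threshold are constructed values, and the flow key is simplified to (source IP, source port).

```python
from collections import defaultdict

# Constructed packet summaries in the order a sensor in front of the server would
# see them: (time_s, src_ip, src_port, tcp_flags), all aimed at one server port.
# 10.0.0.5 and 10.0.0.7 finish their handshakes; 198.51.100.9 only ever sends SYNs.
PACKETS = (
    [(0.00, "10.0.0.5", 40001, "SYN"), (0.01, "10.0.0.5", 40001, "ACK"),
     (0.02, "10.0.0.5", 40002, "SYN"), (0.03, "10.0.0.5", 40002, "ACK")]
    + [(0.05 + i * 0.001, "198.51.100.9", 50000 + i, "SYN") for i in range(40)]
    + [(0.10, "10.0.0.7", 40010, "SYN"), (0.11, "10.0.0.7", 40010, "ACK")]
)

def half_open_by_source(packets, now, timeout_s=0.02):
    """Per source IP, count handshakes that began with SYN, never got the final ACK,
    and have been waiting longer than timeout_s. Only the client side is modelled:
    the server's SYN-ACK is implied by the SYN, and the flow key is simplified to
    (src_ip, src_port) instead of the full four-tuple."""
    pending = {}  # (src_ip, src_port) -> time the SYN arrived
    for t, src, sport, flags in packets:
        if flags == "SYN":
            pending[(src, sport)] = t
        elif flags == "ACK":
            pending.pop((src, sport), None)  # third step done: connection is open
    counts = defaultdict(int)
    for (src, _), t_syn in pending.items():
        if now - t_syn > timeout_s:
            counts[src] += 1
    return dict(counts)

def syn_flood_sources(packets, now, max_half_open=20):
    """Sources holding more stale half-open connections than a tolerated number."""
    counts = half_open_by_source(packets, now)
    return sorted(src for src, n in counts.items() if n > max_half_open)

if __name__ == "__main__":
    print(half_open_by_source(PACKETS, now=1.0))
    print("suspected SYN flood sources:", syn_flood_sources(PACKETS, now=1.0))
```

In production the same count would feed rate limiting or trigger SYN cookies on the server; the script shows only the detection side.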
Application Layer Attack (Layer 7)
This attack targets specific application functions that generate heavy server load. Imagine you run a café with one very complex coffee on the menu — it takes a long time to prepare and requires many ingredients. If many people suddenly order that one coffee, your staff will be overwhelmed, and the café will be paralyzed.
Similarly, hackers attack specific, resource-heavy functions of a server’s service. The goal is the same — to paralyze the system.
Using Machine Learning to Combat Cyberattacks
In the once-popular Polish comic Kajko i Kokosz, the robbers wanted to conquer the castle of Mirmiłowo. Each time they approached the gates, Kajko and Kokosz hung up a sign reading “inventory,” and the robbers went away. Unfortunately, we can’t apply this trick to defend servers today.⁴
1. Anomaly Detection
Instead of rigid rules (e.g., “block traffic from this IP”), a model learns what “normal” user behavior looks like. It’s like training city gate guards — they learn what ordinary citizens look like and how regular traffic flows. When something unusual appears (for example, an unusually high number of requests to a demanding page), the system recognizes it as an anomaly and can block or limit the traffic automatically.
2. Intelligent WAFs (Web Application Firewalls)
A WAF monitors and filters traffic going to a web application. It can block malicious requests (e.g., SQL injections, XSS). Traditional WAFs operate on static rules, but now many use Machine Learning to dynamically identify malicious patterns. This eliminates the need to manually define every possible threat.
3. Real-Time Streaming Analytics
In Layer 7 attacks with thousands of complex requests, reaction time is crucial. Data from servers (HTTP logs, metrics) are sent to a queue system (e.g., Apache Kafka), then processed by streaming tools (e.g., Apache Spark Streaming, Apache Flink). The ML model analyzes traffic in real time, detects anomalies, and sends signals to security systems (like WAFs or load balancers) to automatically block IPs or impose limits.
4. Request Classification Model (Good vs. Bad Traffic)
Instead of statistical anomalies, this model directly classifies incoming requests as legitimate or malicious (e.g., bots). ML algorithms such as Random Forest, XGBoost, or Neural Networks learn to recognize suspicious features like extremely short intervals between requests or strange HTTP headers.
5. Integration with Simple Rules
Machine Learning can cooperate with traditional defense mechanisms such as:
- Rate limiting – limiting the number of requests from one IP in a short period.
- CAPTCHA – puzzles humans can solve easily but bots cannot (e.g., selecting motorcycles in a photo grid).
- Geolocation blocking – limiting traffic from regions where you don’t expect legitimate users.
Key Machine Learning Models for Cyber Defense
Isolation Forest
A method for detecting anomalies by randomly dividing data into subsets and finding outliers. Imagine a crowd entering a city — a few people stand out (very tall or broad). Those are anomalies.
The model measures how easily an anomaly can be isolated. If someone is very different, they can be separated in just a few “cuts.” The fewer cuts needed, the more suspicious the point is. This method works fast — crucial for real-time environments.
Local Outlier Factor (LOF)
Another unsupervised method. It examines how far a given point (e.g., a server request) is from its neighbors. If the local density around it is much lower, it’s an anomaly. LOF calculates a coefficient describing how typical a point is — higher values mean more suspicious.
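The “few cuts” idea behind Isolation Forest, and the anomaly detection of section 1 above, worked through as an added example that is not code from the article: a simplified isolation scoring written from scratch counts how many random cuts are needed to separate each client from the rest, using constructed per-client traffic features. The two clients hammering an expensive endpoint are isolated in far fewer cuts than ordinary visitors. Client addresses, feature values, the trial count and the threshold are all constructed.

```python
import random

# Constructed per-client features over one minute: (requests per second, share of
# requests hitting an expensive report endpoint). Ordinary visitors form a tight
# cluster; the last two rows are constructed outliers that a Layer 7 flood
# against one costly function would produce.
CLIENTS = {
    "10.0.0.1": (2.0, 0.05), "10.0.0.2": (3.5, 0.10), "10.0.0.3": (1.0, 0.00),
    "10.0.0.4": (4.2, 0.08), "10.0.0.5": (2.8, 0.12), "10.0.0.6": (3.1, 0.04),
    "10.0.0.7": (1.7, 0.07), "10.0.0.8": (2.4, 0.09), "10.0.0.9": (1.2, 0.02),
    "10.0.0.10": (3.9, 0.11), "10.0.0.11": (2.2, 0.06), "10.0.0.12": (3.3, 0.03),
    "198.51.100.9": (250.0, 0.95),
    "203.0.113.7": (180.0, 0.90),
}

def cuts_to_isolate(point, sample, rng):
    """Count random axis-aligned cuts until `point` is alone in its partition.
    Each cut picks a feature that still varies in the partition and a split value
    uniformly between its min and max, then keeps only the points on the same side
    as `point`. Every cut drops at least one other point, so the loop ends."""
    depth = 0
    while len(sample) > 1:
        dims = [d for d in range(len(point))
                if min(p[d] for p in sample) < max(p[d] for p in sample)]
        if not dims:  # only exact duplicates left; they cannot be separated
            break
        d = rng.choice(dims)
        split = rng.uniform(min(p[d] for p in sample), max(p[d] for p in sample))
        sample = [p for p in sample if (p[d] < split) == (point[d] < split)]
        depth += 1
    return depth

def anomaly_scores(clients, trials=200, seed=7):
    """Average cuts needed to isolate each client; fewer cuts = more anomalous."""
    rng = random.Random(seed)
    points = list(clients.values())
    return {ip: sum(cuts_to_isolate(pt, points, rng) for _ in range(trials)) / trials
            for ip, pt in clients.items()}

def flag_anomalies(clients, max_avg_cuts=3.0):
    """Clients isolated in fewer than max_avg_cuts cuts, most suspicious first."""
    scores = anomaly_scores(clients)
    return sorted((ip for ip, s in scores.items() if s < max_avg_cuts), key=scores.get)

if __name__ == "__main__":
    for ip, score in sorted(anomaly_scores(CLIENTS).items(), key=lambda kv: kv[1]):
        print(f"{ip:14} avg cuts {score:.2f}")
    print("flagged:", flag_anomalies(CLIENTS))
```

A real Isolation Forest builds each tree once on a subsample and scores every point against the same trees; this version re-draws the cuts per point to keep the mechanism visible.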
Summary
Defending a server against sudden cyberattacks is not much different from defending a medieval city with walls and a moat. Clever enemies didn’t attack the walls directly — they used tricks. Today’s malicious programs also rely on cunning strategies.
Systems aiming to paralyze servers try to infiltrate through normal communication channels, where thousands of transactions occur. In medieval cities, guards regulated this movement and could close the gates at any moment. Today, that role is played by Machine Learning models trained to detect suspicious behavior.
The technology has changed, but the principle has remained the same for thousands of years.