Interview with Markus Manzke, CTO of zeroBS
Zero Bullshit – the name says it all. Founded in 2017, zeroBS specializes exclusively in DDoS resilience. Rather than selling mitigation solutions, the company focuses on helping organizations prepare for DDoS attacks, assess their resilience through realistic testing, and identify the right technical and organizational improvements. In addition to traditional DDoS resilience assessments, zeroBS provides architecture consulting and even offers a platform that enables customers to simulate attacks themselves – essentially DDoS-as-a-Service.
In this interview, Markus Manzke, CTO of zeroBS, shares his perspective on the latest developments in the DDoS landscape, explains why these attacks remain such a significant threat, and discusses how organizations can prepare effectively.
Laura Kaltenbrunner: Let’s start with the basics. What exactly is a DDoS attack, and how does it differ from other types of cyber attacks?
Markus Manzke: Put simply, a DDoS attack is an overload attack.
The objective is to generate so much traffic towards a network or an application that legitimate traffic can no longer get through. A simple analogy is a supermarket advertising an incredible deal on high-performance computers. Everyone rushes to the entrance at the same time, creating such a crowd that nobody can actually get inside.
That’s essentially what a DDoS attack is. An overwhelming number of requests are sent to a system until it can no longer process them all, preventing legitimate users from accessing the service.
Laura Kaltenbrunner: What makes DDoS attacks so unique?
Markus Manzke: DDoS is the weapon of the little guy. Anyone can buy a DDoS attack for around ten euros—or launch one themselves. Unlike many other cyber attacks, I don’t have to break into a network or fight my way through multiple layers of security. Launching a DDoS attack is as easy as breaking a window.
In theory, it works against any organization that exposes services to the internet. Of course, unprotected systems are the easiest targets—but virtually any 16-year-old with a bit of criminal intent could carry out such an attack.
The impact, however, can be enormous. Imagine someone taking down an electronic health records system—doctors would no longer be able to access or update patient information. The consequences for society could be massive.
Laura Kaltenbrunner: How has the threat landscape changed over the past few years?
Markus Manzke: DDoS attacks, as we know them today, have existed since around 2010. Back then, groups such as Anonymous demonstrated that if thousands of people coordinated their efforts and targeted the same system simultaneously, they could successfully take it offline.
From around 2013 onwards, DDoS evolved into a real business. For roughly the past ten years, the market for these attacks has remained relatively stable—when ten providers disappear, twenty new ones emerge. What has changed, however, is the geopolitical landscape. COVID-19, Russia, Israel—all of these developments have influenced the threat landscape. State-aligned DDoS groups have become more diverse.
At the same time, smaller groups have become significantly more capable. They learn from well-known actors such as Killnet, which supported Russia’s invasion of Ukraine through hacktivist DDoS campaigns. Their success and media attention inspired many smaller groups to adopt similar tactics.
Laura Kaltenbrunner: What does the situation look like from the defenders’ perspective?
Markus Manzke: On the defensive side, we’re in a good position when it comes to traditional volumetric attacks — provided organizations have DDoS protection in place and test it regularly. Very little gets through in those cases.
Things become more challenging at the application layer. Today, a bank may expose dozens of services to the internet — and every one of them increases the attack surface. The more applications and external interfaces an organization operates, the more complex defending them becomes.
Here’s one example: During an architecture review, everything initially looked quite solid until we discovered that Jira, which was intended for internal use only, was accessible from the internet through a firewall. An attacker could have exploited this to overload the central firewall, potentially affecting multiple connected systems at the same time.
Today, the real challenge for defenders is understanding how everything is interconnected.
Laura Kaltenbrunner: What exactly happens during one of your architecture reviews?
Markus Manzke: We start by looking at what an attacker can see from the outside — and how traffic flows from the internet through the infrastructure to the application and back again.
We then assess the attack surface: Where could an attacker strike, and what would happen if they did?
A good example of an attack with unexpected consequences is an organization’s access management. Many companies have implemented two-factor authentication across all their applications. But if I take down the two-factor authentication system first, suddenly no employee can access any application anymore. At that point, the attacker has plenty of time to choose the next target because nobody can log in to respond.
Laura Kaltenbrunner: We often hear about groups like NoName057(16). What role do they play?
Markus Manzke: They’re a step above the typical ten-euro attacks you can buy online, but they’re certainly not the most sophisticated threat actors. NoName is, however, one of the most active groups - they’ve been launching attacks almost daily for the past two years. They’ve even built a dedicated infrastructure, including a bonus system. For example, participants receive cryptocurrency rewards based on the number of attacks they carry out.
Their modus operandi is simple: every week they focus on a different country. They frequently target logistics companies, airports, banks, and local public transport operators - for example, municipal railway operators in Hanover or Munich. In reality, though, almost everything has become a target - from tax authorities to the German Bundestag. In many cases, they probably don’t even fully understand the organizations they’re attacking. Roughly half of their targets are government ministries or public sector websites.
Today, the impact of NoName’s attacks is often limited because their tactics have become predictable. However, if they were to suddenly change their approach, defenders would once again have to adapt quickly and rethink their protection strategies.
The primary objective of groups like NoName is to attract attention - often as part of hybrid warfare activities.
Laura Kaltenbrunner: What does the DDoS ecosystem look like today? Who profits from it?
Markus Manzke: In the past, DDoS attacks were often accompanied by extortion attempts. Today, that’s much less common. The business now operates in two ways. On one hand, there are booter services - small botnets that can be rented by the hour. On the other hand, there are fully developed marketplaces where professionals offer their services - complete with customer reviews, rankings, and everything you’d expect from a legitimate online platform. Some of these operators are so professional that even we have to admit: hats off.
Then there are botnet operators who don’t operate booter services themselves but instead offer access to their bots on these marketplaces. You can rent botnets consisting of 20,000 to 50,000 bots. It’s a highly profitable business. We once investigated a campaign that cost around USD 20,000 per month. After deducting their expenses, the attacker still made roughly USD 10,000 in profit - tax-free. If that person is based somewhere in Asia, for example, that’s a very comfortable living. As for groups like NoName, there’s almost certainly some form of state tolerance or financial backing behind the scenes - it’s difficult to explain their level of daily activity over the past two years otherwise.
Laura Kaltenbrunner: Looking ahead - what developments do you expect over the next few years?
Markus Manzke: Right now, we’re observing two major trends.
The first is what’s known as pulse-wave attacks. These are extremely short attacks - sometimes lasting less than five seconds. Any anomaly detection system needs a certain amount of time - for example, five seconds - to recognize that an attack is taking place. By then, however, the damage has already been done and the target is offline. The attackers then stop. Fifteen seconds later the service is available again, and another fifteen seconds later they launch the next attack. This allows them to create roughly 50% downtime without it immediately being recognized as an ongoing attack.
The second trend is broad, low-volume attacks against everything that’s exposed to the internet - simply hoping that something breaks. The traffic directed at each individual target is relatively low and often stays below typical detection thresholds. However, if everything is routed through a central firewall or load balancer, the combined effect can still overload the infrastructure.
We’re also seeing AI becoming increasingly important - for example, to solve CAPTCHAs or to generate human-like interactions with websites. Overall, I’d say we’ve become reasonably good at defending against traditional IoT-based attacks, but as with almost everything in cyber security, it’s an arms race. What only highly skilled attackers can do today will be within reach of semi-professionals in a year’s time - and available through commercial booter services another year later.
