With cyber attacks on the rise, consider DDoS protection

What we use your personal data for	Our reasons
Creating and managing your account with us	To perform our contract with you or to take steps at your request before entering into a contract
Providing products and/or services to you	To perform our contract with you or to take steps at your request before entering into a contract
Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us	To comply with our legal and regulatory obligations
Enforcing legal rights or defend or undertake legal proceedings	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e. to protect our business, interests and rights
Customising our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website	Depending on the circumstances: — your consent as gathered e.g., by the separate cookies tool on our website—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent, you may withdraw it at any time by changing the setting on the cookies tool (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended	Depending on the circumstances: — your consent as gathered by the separate cookies tool on our website]—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent you may withdraw it at any time by clearing your cookie settings and rejecting when you revisit our website (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Communications with you not related to marketing, including about changes to our terms or policies or changes to the products AND/OR services or other important notices	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Protecting the security of systems and data used to provide the services	To comply with our legal and regulatory obligations We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, i.e., to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us
Statistical analysis to help us understand our customer base	For our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Updating and enhancing customer records	Depending on the circumstances: — to perform our contract with you or to take steps at your request before entering into a contract — to comply with our legal and regulatory obligations — where neither of the above apply, for our legitimate interests, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consents where relevant	To comply with our legal and regulatory obligations
Marketing our services to existing and former customers	For our legitimate interests, i.e., to promote our business to existing and former customers See ‘Marketing’ below for further information
The audit of our ISO certifications (to the extent not covered by ‘activities necessary to comply with legal and regulatory obligations’ above)	For our legitimate interests, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to protect, realise or grow the value in our business and assets

Recipient	Processing operation (use) by recipient	Relevant categories of personal data transferred to recipient
Google	We use Google Analytics (GA4) cookies to collect data about the visitors to the site which includes the number of visitors, session duration, pages visited during the session etc. and whether visitors return. Google Analytics will assign a unique “ID” to a user of the boxxe website at the point they register an account with us for the purpose of tracking their activity on the boxxe website. This information is anonymous and cannot be used to identify you personally unless you end up becoming a boxxe customer. Google Analytics cannot use the ID to work out who you are.	Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Google Analytics stores this information on our behalf in a pseudonymized user profile.
Hotjar Ltd	We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. Hotjar is contractually forbidden to sell any of the data collected on our behalf.	This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.
Klevu	Klevu offers a machine learning algorithm which takes several parameters into account when establishing what a customer may like and eventually buy on the store. Javascript keeps track of what customers are searching for and visiting. These products visited by these customers and any recent search queries fired by them are used as a context to the search queries fired by them. Klevu perform semantic and statistical analysis of this data to identify the intent and to build multiple, product-noun (e.g. bag, shoe, chair) specific profiles of preferences. Klevu also employs a method called collaborative filtering, which involves analyzing the history of other customers who have or had performed similar searches and visited products similar to the products visited by the current customer. Only those products that are relevant to the current search query are picked up and analyzed to identify common factors within them.	Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Klevu stores this information on our behalf in a pseudonymized user profile.
Dotdigital	Dotdigital is a SaaS cross-channel marketing automation platform and services provider that helps brands devise successful, personalized marketing campaigns across multiple channels (e.g. email). Paired with its Microsoft Dynamics 365 CRM integration, boxxe is able to deliver tailored marketing to its customers.	Contact data (such as email address, contact number, name or other contact details), marketing preferences, IP address and usage information (including online navigation data, location data and browser data).

Recipient country	Recipient	Processing operation (use) by recipient	Lawful safeguard
Ireland	Hotjar	Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 https://www.hotjar.com/legal/support/dpa/
USA	Stripe Inc	In order to facilitate online payments through boxxe’s ecommerce portal, where applicable, Stripe may Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports).	UK Data Transfer Addendum https://stripe.com/gb/legal/dpa
EEA	Vaimo	Vaimo has access to certain categories of boxxe customer personal data (names, addresses, DOB, email, number, location, device and diagnostic data, connection data), by virtue of hosting the boxxe website.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. Vaimo also has a legally valid intra-group agreement in place and no data is transferred to any entity who is not a party to it.
EEA	Dotdigital	Boxxe will provide certain information about its customers to Dotdigital in order for it to be able to provide automated marketing services that are tailored to its specific customer interests.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. https://dotdigital.com/terms/data-processing-agreement/


Access to a copy of your personal data	The right to be provided with a copy of your personal data
Correction (also known as rectification)	The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)	The right to require us to delete your personal data—in certain situations
Restriction of use	The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data
Data portability	The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object to use	The right to object: — at any time to your personal data being used for direct marketing (including profiling) — in certain other situations to our continued use of your personal data, e.g. where we use your personal data for our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to decisions without human involvement	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you We do not make any such decisions based on data collected by our website
The right to withdraw consents	If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time You may withdraw consents by emailing ecommerce@boxxe.com Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

Home
News & Resources
Insights
It's not just enterprises that need DDoS protection

It’s not just enterprises that need DDoS protection!

With Distributed Denial of Service (DDoS) attacks on the rise, it’s time to reconsider using DDoS protection.

“I doubt we’d be a target, we’re just not big enough!’’

1.4 million organisations in the UK with under 250 users and another 8,000 in mid market (>250 - <2,500), now more than ever is the right time to consider protecting against this inherent risk.

“The tech has a price point far beyond our reach – and means.”

These are the reasons why so many of the businesses we’ve worked with aren’t using DDoS Protection. And yet, attacks do happen, regardless of size, costing them huge amounts of money and time. Fortunately, there’s a great solution available… enter Microsoft, and its latest DDoS IP Protection Plan.

Before we look at that, let’s take a moment to explore the what’s, why’s and costs of a DDoS attack on your business.

What is Distributed Denial of Service (DDoS)?

DDoS is a cyberattack which uses tens, hundreds (and sometimes even thousands) of internet connected devices to disrupt a business. It usually targets a website or other internet-connected servers, with the aim of denying legitimate users access to the services hosted there.

It sounds complicated – and that’s the problem. You can rent DDoS farms on the internet without requiring an individual’s effort or prior knowledge. The most advanced attacks use zombie machines, generally infected with malware.

Without a protection layer in your business, the outlook is pretty bleak.

Three types of DDoS attack

The volume attack

Imagine a pipe like this one:

Pipe

All of your users pass through here in order to access your website or service. It’s empty right now, so has the bandwidth to take users and allow them access to your services.

Now it’s under attack and looks like this:

The pipe has been filled using a volumetric angle to ensure there’s no space for your legitimate users. So, what do you do?

You decide to build a website for scaling. The pipe will get bigger as the site or service scales, so surely there’s still enough bandwidth for your genuine users?

If only!

Scaled up pipe under attack

The problem is, you can’t see what scale the attackers are working on. So now the attack has scaled up with you.

The protocol attack

Let’s look at the website example from a different angle.

The internet runs on ports, protocols and handshakes, which offers another avenue of exploitation within a DDoS attack.

In order for users to connect to your website, a three-way handshake is needed.

Since your website server has a port reserved just for these kinds of communications, an attacker can simply send the first part of the handshake, to reserve it. It will then await a response – which never comes through. Now the connection will be left open to exhaust the servers’ port availability, leaving no ports for your legitimate users.

Sidenote: Although this attack requires a different type of protection technology known as Web Application Firewalls, we referenced it here just to demonstrate the diverse methods that attackers use.

The application attack

When a genuine user performs an action on a website, your servers now have work to do, such as fetching data from a database or talking to another service for authentication.

So, what would happen if an attacker automated those user actions?

It would send a flood of HTTP requests mimicking the actions of these users to exhaust the resources on the server. Again, legitimate users now can’t access the services or products on your site.

MafiaBoy’s influence on DDoS

Back in 2000, MafiaBoy (Michael Calce) was paralysing e-commerce sites, eBay, Dell and Yahoo – the largest internet search provider at the time.

It’s 7th February 2000, and MafiaBoy launches Project Rivolta – using the skills learned in his early years and on hacking forums to bring Yahoo down first. It goes down for an hour, which is a successful start.

A day later Buy.com goes down… but not because of MafiaBoy. Someone else has laid down the gauntlet, and now he has to respond, setting eBay as his next target which falls faster and harder than Yahoo.

Now he’s on a roll, and fellow hackers give him an ‘impossible’ challenge: Take down CNN. He does, and then Dell and Amazon.

It’s a prime example of the potential opportunities for hackers using this type of attack. Although this was in the earliest years of the internet and protection against these attacks continue to improve, so too has the ability to perform them – they’re rentable for $30 in bitcoin, no experience needed.

Attack volumes today

In 2022, the number of DDoS attacks fluctuated but remained high. Peaking at 2,215 attacks per day, with an average of 1,435 attacks, protection is required and Microsoft protected against upwards of 520,000 individual attacks in 2022 alone.

Number of daily DDoS attacks in 2022

One last thing… before the good news!

A disruptive attack costs money and damages reputations, but there’s also the intangible cost following a cyber incident to be considered.

Just as your business takes a multifaceted approach to security, threat actors utilise multifaceted attacks to mask and divert your security team’s attention from their real intentions. The DDoS might be used to divert your team’s attention away from a more sophisticated attack launched at the same time.

So, the message is clear; protection is needed no matter the size of the business, and whilst we’ve invested time, effort and money into protecting laptops and servers with protection suites, anti-malware, anti-virus, EDR etc, DDoS protection is still considered difficult to access.

Azure DDoS IP Protection – Accessible to all markets

‘Difficult to access’ is no longer an excuse, thanks to Microsoft Azure’s DDoS IP Protection. Previously restricted to one plan per subscription for every business (a costly investment), Microsoft has scaled over time; now you can take advantage of the same level of protection but protect individual public IP Addresses… opening up an enterprise class protection to medium-sized and even smaller organisations.

Key Features

Massive mitigation capacity and scale

Defend your workloads against the largest and most sophisticated attacks with cloud scale DDoS protection backed by Azure’s global network. This ensures that we can mitigate the largest attacks reported in history and thousands of attacks daily.

Protection against attack vectors

DDoS IP Protection mitigates volume and protocol attacks. The service's intelligence can identify malicious and legitimate traffic without the need for human intervention. We also use Azure Web Application Firewalls (WAF’s) to protect against the third form of attack: application.

Adaptive tuning

Protect your apps and resources while minimising false-negatives with adaptive tuning. Applications running in Azure are inherently protected by the default infrastructure-level DDoS protection. However, it protects and safeguards infrastructure with much higher thresholds than most applications have the capacity to handle. This means certain traffic volumes might be perceived as harmless, but could have devastating effects on the application that receives it.

Adaptive tuning guarantees your applications are protected if Azure’s DDoS infrastructure-level protection doesn’t detect application-targeted attacks.

Integration with Microsoft Sentinel and Microsoft Defender for Cloud

Strengthen your security posture with rich attack analytics and telemetry integrated within Microsoft Sentinel. boxxe’s full Sentinel solution includes comprehensive analytics and alert rules to support customers in their Security Orchestration, Automation, and Response (SOAR) strategy. Customers can setup and view security alerts and recommendations provided by Defender for Cloud.

Why boxxe?

boxxe is one of Microsoft’s managed partners and is in the top 0.25% of partners globally. We hold some of their biggest and most complex UK contracts in Defence and the Public Sector space.

With our industry leading expertise around the Microsoft product set in Modern Workplace, Security and Azure, we can start with DDoS Protection and guide you through every Microsoft decision you make subsequently.

Defend your business today

Ready to defend your business from all angles?

Reach a new level of protection for your internet-facing services with boxxe.

Simply call us on the number below or complete the form and we will be in touch.

0330 236 9429

First name

Last name

Contact number

Email address

Company name

Sector

Institute

Message (optional)

I would like to receive news and updates:

by email

by SMS

Explore our bestselling computers

Explore our bestselling accessories

Latest Case Studies

Didcot Railway Centre IoT CCTV

Derbyshire Healthcare NHS Foundation Trust Data Migration

Joe Browns - Virtual Desktop Success Story

Helpful Insights

The boxxe Community

Already a customer?

Already a customer?

It’s not just enterprises that need DDoS protection!

Reach a new level of protection for your internet-facing services, whatever your business size

It’s not just enterprises that need DDoS protection!

With Distributed Denial of Service (DDoS) attacks on the rise, it’s time to reconsider using DDoS protection.