By Emad Fahmy, Systems Engineering Manager, Middle East at NETSCOUT.
Since mid-February, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring the situation in Russia and Ukraine and the ongoing high-profile DDoS attacks targeting organisations, networks, applications, and services in Ukraine.
A second, distinct surge in DDoS attacks focused on Russian targets has also emerged, resulting in a ~236% month-over-month increase in attacks against Russia. The increase in attacks against Russian online properties is especially notable, given that DDoS attacks on neighbouring countries not directly involved in this conflict dropped ~32% across the entire Europe, Middle East, and Africa (EMEA) region during the same interval.
While there are many similarities between the Russian and Ukrainian attacks in terms of DDoS vector selection and targeting criteria, attack volumes have differed quite significantly. To date, the highest-bandwidth (bps) attack we’ve observed on Russian properties was measured at ~454 Gbps. The highest-throughput (pps) attack during the same period was measured at ~173 Mpps.
While these metrics do not approach the biggest DDoS attacks observed globally, attacks of this scale have the potential not only to seriously disrupt internet operations for their intended targets, but also to have a significant collateral impact on bystander organisations and internet traffic.
The vast majority of the attacks appear to be sourced from publicly available DDoS-for-hire services, also known as booter/stresser services. Almost all of these illicit services offer a restricted tier of free demonstration DDoS attacks to prospective customers.
Most of the DDoS attack vectors and attack volumes observed during the initial attacks are achievable via the free tier of booters/stressers, but some of the larger attacks against Russian targets are out of profile for many of these underground services, possibly indicating that custom attack harnesses are being used.
Some attacks also appeared to leverage privately controlled botnets of both personal computers (PCs) and IoT devices. All of the observed botnet-originated attacks utilised well-known DDoS attack vectors, and were consistent with DDoS bot families such as Mirai, XOR.DDoS, Meris, and Dvinis.
Most attribution of DDoS attacks results from poor operational security of the attackers. In other cases, it is the joint work product of security researchers, law enforcement organisations and intelligence agencies who actively infiltrate the command-and-control (C2) infrastructure of both DDoS-for-hire services and private DDoS attack botnets in order to identify adversaries.
Industry & Organisation Targeting
Several organisations have publicly stated that DDoS attacks, part of the ongoing campaign against Russia, disrupted service to legitimate customers or organisations. Multiple governmental entities in Russia also reported attacks on their external-facing websites and services. We have been able to independently confirm many of these publicly reported attacks, and continue to closely follow attack targeting.
Mitigation and Protection
It’s strongly recommended that organisations perform the following actions to combat DDoS attacks:
- Maintain a high degree of situational awareness and engage in continuous risk assessment.
- Regularly confirm that all critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected against DDoS attacks.
- Ensure their DDoS defence plans, mitigation partnerships, and communication plans are up-to-date, reflect current configurations and operational conditions, and are periodically tested in order to verify that they can be successfully implemented as required.
Contrary to popular belief, DDoS attacks are generally not surgical in nature; even relatively low-volume attacks can cause significant collateral impact to organisations, countries, and other polities which are not directly involved in this conflict. Organisations must remain especially vigilant, and should be on the lookout for deliberate attacks predicated on business partnerships or other commercial or cultural relationships with affected entities.
The DDoS attack vectors utilised so far during these attacks are all well understood; likewise, observed attack volumes are well within historical norms. Organisations should implement industry-standard best current practices (BCPs) and up-to-date, situationally appropriate DDoS defences in order to ensure their resilience against attacks.