Since mid-February, the NETSCOUT Arbor Security Engineering and Response Team has been monitoring the situation in Russia and Ukraine and the ongoing high-profile DDoS attacks targeting organizations, networks, applications, and services in Ukraine.
A second, distinct surge in DDoS attacks focused on Russian targets has also emerged, resulting in a ~236% month-over-month increase in attacks against Russia. The increase in attacks against Russian online properties is especially notable given that DDoS attacks on neighbouring countries not directly involved in this conflict dropped ~32% across the entire Europe, Middle East, and Africa region during the same interval.
While there are many similarities between the Russian and Ukrainian attacks in terms of DDoS vector selection and targeting criteria, attack volumes have differed quite significantly. To date, the highest-bandwidth (bps) attack we’ve observed on Russian properties was measured at ~454 Gbps. The highest-throughput (pps) attack during the same period was measured at ~173 Mpps.
While these metrics do not approach the biggest DDoS attacks observed globally, attacks of this scale can not only seriously disrupt internet operations for their intended targets, but can also have a significant collateral impact on bystander organizations and internet traffic.
The vast majority of the attacks appear to be sourced from publicly available DDoS-for-hire services, also known as booter/stresser services. Almost all of these illicit services offer a restricted tier of free demonstration DDoS attacks to prospective customers.
Most of the DDoS attack vectors and attack volumes observed during the initial attacks are achievable via the free tier of booters/stressers, but some of the larger attacks seen against Russia are out of profile for many of these underground services, possibly indicating that custom attack harnesses are being used.
Some attacks also appeared to leverage privately controlled botnets of both personal computers (PCs) and IoT devices. All of the observed botnet-originated attacks utilized well-known DDoS attack vectors and were consistent with DDoS bot families such as Mirai, XOR.DDoS, Meris, and Dvinis.
Most attribution of DDoS attacks results from poor operational security on the part of the attackers. In other cases, it is the joint work product of security researchers, law enforcement organizations, and intelligence agencies who actively infiltrate the command-and-control (C2) infrastructure of both DDoS-for-hire services and private DDoS attack botnets in order to identify adversaries.
Industry & Organization Targeting
Several organizations have publicly cited DDoS attacks related to the ongoing campaign against Russia as having disrupted service to legitimate customers or organizations. Multiple governmental entities in Russia have also reported attacks on their external-facing websites and services. We have been able to independently confirm many of these publicly reported attacks, and we continue to closely follow attack targeting.
Mitigation and Protection
It is strongly recommended that organizations perform the following actions to combat DDoS attacks:
- Maintain a high degree of situational awareness and engage in continuous risk assessment.
- Regularly confirm that all critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected against DDoS attacks.
- Ensure that DDoS defence plans, mitigation partnerships, and communication plans are up to date, reflect current configurations and operational conditions, and are periodically tested to verify that they can be successfully implemented when required.