There have been many DDoS attacks in conjunction with the war in Ukraine. These have been primarily directed at Ukrainian entities, but lately, we have seen hacktivists, such as Anonymous, carry out DDoS attacks against Russian entities. There is an overall increased risk of DDoS attacks against all organizations in countries that are now participating in the economic sanctions against Russia. This is particularly true if your organization provides services to either Ukraine, Belarus, or Russia. There is also currently an increase in DDoS attacks against Sweden.
Note that the situation is still very volatile and may change quickly.
Read more about the actions CERT-SE recommends organisations take regarding phishing and DDoS.
What We Know So Far
As the wider economic sanctions against Russia begin to bite, there is an increased risk of Russian retaliation in the form of cyber attacks. For more information, see our companion blog post about the increased cyber threat to critical infrastructure. DDoS attacks are also becoming the first line of attack in the growing cyber conflict. This is because it is relatively cheap and easy to conduct such attacks. Russian cyber warfare assets combine DDoS attacks with disinformation to amplify the psychological effect of the attack to induce fear.
Hacktivists also favor DDoS attacks as they produce immediate results that satisfy individual hacktivists. DDoS attack tools are both readily available and easy to use, and the effects are directly visible, which is satisfying to a threat actor. Our partner Baffin Bay Networks has observed an increase in DDoS attacks against Sweden of almost 400% since the war in Ukraine began. So far, it mostly seems to be known brands in retail and financial institutions that are hit. This suggests that it is a less sophisticated threat actor behind the attacks.
There are currently warnings that the destructive malware known as HermeticWiper also has the capacity to work as a DDoS botnet. It appears that Microsoft tracks the same malware under the name FoxBlade and claims it can function as a DDoS bot. HermeticWiper/FoxBlade is currently seen primarily inside Ukraine, but there are indications it might be spreading outside Ukraine as well.
Networks of computers infected with DDoS malware, so-called botnets, can technically strike anywhere in the world. A typical botnet has infected devices all over the world. It is, however, generally harder for DDoS protection to filter attacks from the same country or region, so in addition to destructive attacks, it appears that FoxBlade can also be used to create an infrastructure for more targeted DDoS attacks. It can also have the secondary effect of getting the victim’s IP blocked by DDoS protection services.
How To Increase Your Organization’s Resilience Against DDoS Attacks
From a readiness standpoint, we have several recommendations:
- Have a list of contacts at your ISPs and ask if they can provide regular updates on what they see.
- If you own your IP address space (Provider Independent), make sure that you use connections from different ISPs and that redundancy is working, at least for the business-critical applications.
- Apply all patches for systems that are exposed to the internet.
- Ensure that the exposed systems are logging and that these logs are readily available.
- Consider using a DDoS prevention service such as Baffin Bay, Cloudflare, or Akamai, if you currently have nothing in place.
- Monitor CPU and bandwidth usage on front firewalls, load balancers, WAFs, and exposed servers, and alert when usage stays above a predefined threshold for a predefined period, for example, above 80% for 10 minutes.
- Ask your ISP to filter out traffic from any region you are not doing business with prior to routing to your network, if possible.
- Protect the links and networks between the on-premises network devices and the upstream service provider, for example, disable ping, traceroute, etc. If possible, ask the upstream ISP to do the same for the routers on their side facing the customer (often called CPE or PE).
- Configure a control plane policy for any network device that has a public IP address, that is, restrict what can establish a connection to a public IP on a device.
- Make sure to analyze the data if the organization sees events consistent with a DDoS attack, with the goal of understanding the attack patterns, the duration times, the attacked destinations, etc. Do not rely on the graphs shown by the DDoS protection provider or equipment. If a DDoS attack is confirmed, notify your national CERT.
- Minimize or avoid the use of NAT for public-facing services and applications as the available ports can be exhausted. Alternatively, implement traffic restriction/prioritization if possible.
- Determine with your ISP if it is possible to implement Quality of Service (QoS) to prioritize business-critical services.
- Use null-routes, either locally or at the ISP’s, to sink traffic to unused IP networks and subnets if you own a large IP space.
- Make sure that any publicly reachable IPv6 link is configured with a /126 or /127 prefix.
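
The monitoring recommendation above (alert when usage stays above 80% for 10 minutes) can be implemented as a sustained-threshold check over your own metric samples. The following is an added example, not code from the original post; the device names, the sample data and the two-minute gap limit are constructed assumptions.

```python
from datetime import datetime, timedelta

THRESHOLD_PCT = 80.0               # from the recommendation: "above 80%"
SUSTAIN = timedelta(minutes=10)    # "... for 10 minutes"
MAX_GAP = timedelta(minutes=2)     # assumption: a longer hole in the data ends a run

def sustained_breaches(samples, threshold=THRESHOLD_PCT,
                       sustain=SUSTAIN, max_gap=MAX_GAP):
    """samples: iterable of (timestamp, device, metric, percent).
    Returns (device, metric, start, end) for every run of consecutive
    above-threshold samples that lasts at least `sustain`."""
    runs, alerts = {}, []          # runs: (device, metric) -> [start, last_seen]

    def close(key):
        start, last = runs.pop(key)
        if last - start >= sustain:
            alerts.append((key[0], key[1], start, last))

    for ts, device, metric, value in sorted(samples):
        key = (device, metric)
        run = runs.get(key)
        # A sample at or below the threshold, or missing telemetry, ends the run.
        if run and (value <= threshold or ts - run[1] > max_gap):
            close(key)
            run = None
        if value > threshold:
            if run:
                run[1] = ts
            else:
                runs[key] = [ts, ts]
    for key in list(runs):         # runs still open when the data ends
        close(key)
    return alerts

def constructed_samples():
    """Constructed one-minute samples for three hypothetical devices."""
    t0 = datetime(2022, 3, 1, 12, 0)
    out = []
    for m in range(16):
        ts = t0 + timedelta(minutes=m)
        # Firewall CPU: high from 12:02 to 12:13 (sustained).
        out.append((ts, "fw-edge-1", "cpu", 92.0 if 2 <= m <= 13 else 35.0))
        # Load balancer bandwidth: short spike from 12:05 to 12:08.
        out.append((ts, "lb-1", "bandwidth", 88.0 if 5 <= m <= 8 else 40.0))
        # WAF CPU: high, but no samples between 12:04 and 12:10.
        if m <= 4 or m >= 10:
            out.append((ts, "waf-1", "cpu", 95.0))
    return out

if __name__ == "__main__":
    for device, metric, start, end in sustained_breaches(constructed_samples()):
        print(f"ALERT {device} {metric} > {THRESHOLD_PCT}% from {start} to {end}")
```

Only the firewall run alerts. The WAF's missing samples are not counted as sustained load, so a device that stops reporting under load should be covered by a separate alert on missing data.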