Executive Summary

Since mid-February of 2022, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring the situation in Russia and Ukraine. We recently published an update to our initial technical analysis of the ongoing high-profile DDoS attacks targeting organizations, networks, applications, and services in Ukraine.

A second, distinct surge in DDoS attacks focused on Russian targets has also emerged, resulting in a ~236% increase in attacks against Russia, month-over-month. The increase in attacks against Russian online properties is especially notable, given that DDoS attacks against neighboring countries not directly involved in this conflict dropped ~32% across the entire Europe, Middle East, and Africa (EMEA) region during the same interval.

While there are many similarities in attacks against both Russia and Ukraine in terms of DDoS vector selection and targeting criteria, attack volumes have differed quite significantly. To date, the highest bandwidth (bps) attack we’ve observed against Russian properties was measured at ~454 Gbps. The highest throughput (pps) attack during the same period was measured at ~173 mpps. While these metrics do not approach the biggest DDoS attacks observed globally, attacks of this scale have the potential to not only seriously disrupt internet operations for their intended targets, but can also have a significant collateral impact footprint for bystander organizations and internet traffic.

The vast majority of the attacks appear to be sourced from publicly available DDoS-for-hire services, also known as booter/stresser services. Almost all of these illicit services offer a restricted tier of free demonstration DDoS attacks to prospective customers. Most of the DDoS attack vectors and attack volumes we observed during the initial attacks are achievable via the free tier of booters/stressers, but some of the larger attacks seen against Russia are out of profile for many of these underground services, possibly indicating some custom attack harnesses being used.

Some attacks also appeared to leverage privately controlled botnets of both personal computers (PCs) and IoT devices. All of the observed botnet-originated attacks utilized well-known DDoS attack vectors, and were consistent with DDoS bot families such as Mirai, XOR.DDoS, Meris, and Dvinis.

It should be noted that attribution of DDoS attacks is notoriously difficult, especially when booters/stressers are utilized by attackers. Most attribution of DDoS attacks results from poor operational security of the attackers. In other cases, it is the joint work product of security researchers, law enforcement organizations and intelligence agencies who actively infiltrate the command-and-control (C2) infrastructure of both DDoS-for-hire services and private DDoS attack botnets in order to identify adversaries. NETSCOUT specializes in providing the most detailed DDoS attack analysis and mitigation recommendations in the industry, and is not focused on attack attribution.

NETSCOUT Statement About Ukraine: https://www.netscout.com/blog/netscout-statement-about-ukraine 

Key Findings

• DDoS attacks against Russia have increased more than ~236%, month-over-month, since the beginning of the conflict.
• While DDoS attacks targeting both Russia and Ukraine have increased significantly in both frequency and volume, attacks against the EMEA region as a whole decreased 32% when compared to the same period in 2021.
• DDoS attacks targeting Russian online properties during this period featured peak attack volumes of 454 Gbps and 173 mpps, respectively. Attacks in this size regime can not only cause significant negative impact to their intended targets, but also inflict broad collateral disruption to organizations and polities not directly involved in this conflict.
• We have observed multiple DDoS vectors used in the attacks against Russian targets with a preponderance consisting of direct-path SYN, ACK, and RST floods as well as DNS query floods.

Analysis

Attack Frequency

Our Active Threat Level Analysis System (ATLAS) DDoS attack statistics reveal that Russia experienced a ~236% increase in DDoS attacks, month-over-month.

A significant ramp-up in attacks targeting Russian online properties coincided with the commencement of ground operations in Ukraine. This reflects similar occurrences during recent large-scale protests in Hong Kong, geopolitical disputes involving China and other nations, as well as contentious election cycles globally. Unfortunately, conflicts between countries attract many adversaries that want nothing more than personal gain or satisfaction in taking down their target.

Attack Duration Analysis

To date, many of the attacks observed against Russian properties have been shorter in duration, a likely indicator of booter/stresser services. Approximately 60% of DDoS attacks directed towards Russian targets are consistent with the use of booter/stresser services while 40% appeared to be sourced from botnets. However, adversaries can exceed the typical duration windows on booter/stresser services provided the attacker is willing to pay for it. When assessed in combination with the specific DDoS attack vectors and associated attack volumes employed by attackers, this strongly indicates that standard booter/stresser DDoS-for-hire services were used to launch the majority of observed attacks.

Attack Bandwidth (bps)

A significant uptick in DDoS attacks targeting Russian organizations, applications, services, content, and other online properties coincided with the initiation of ground operations in Ukraine. As noted above, the relatively large attacks we have observed in the Russian context are capable not only of disrupting internet operations for targeted organizations, but can also have widespread collateral impact against organizations, countries, and other polities not directly involved in this conflict.

Beyond the context of attacks specifically targeting Ukraine, various ISPs, commercial DDoS mitigation service providers, and other organizations with critical public-facing properties have successfully mitigated terabit-class DDoS attacks due to their focus on preparation and situational awareness. Some of the largest attacks on record (2.5 Tbps and 3.4 Tbps)  were successfully mitigated by the targeted organizations, with little or not adverse impact.  These incidents highlight the benefits of having a well-defined, complete, and validated DDoS defense plan. Many of these ISPs and organizations with critical public-facing properties leverage NETSCOUT DDoS defense solutions, scaling their intelligent DDoS mitigation capacities up to multiple terabits/second.

Attack Throughput (pps)

In addition to the volume and duration, the speed (throughput) of an attack is a key metric for measuring the power, or impact, of an attack. Power is also coincidentally the term that DDoS-for-hire platforms use to describe how much bandwidth and throughput their servers can generate. Throughput can very greatly, and is generally inversely proportional to packet size; high-throughput DDoS attacks typically feature smaller packet sizes, while high bandwidth attacks typically involve larger (and often fragmented, in the case of UDP-based attacks) packets. Remember, power doesn’t always equal actual impact on the target.  We’ve observed many high-throughput attacks have no impact at all on prepared organizations; we’ve also seen relatively low-pps attacks have a disproportionate negative impact on the Internet operations of organizations which lack comprehensive, up-to-date DDoS defense plans and designated response teams.

The single highest-throughput DDoS attack we’ve observed to date over the course of these attacks was measured at ~173mpps.

DDoS Attack Vector Analysis

In addition to duration, bandwidth, and throughput, the DDoS Attack Vectors used in an attack have important implications for attack efficiency and efficacy. For example, various types of UDP reflection/amplification attacks can scale into extremely high bandwidth regimes, but are not always optimal for attacking a given target. More skilled adversaries frequently engage in extensive pre-attack reconnaissance in order to tailor their efforts to the particulars of the targeted organization.

As of this writing, DDoS attack vectors observed in DDoS attacks against Russia have consisted of well-understood, routinely used methodologies such as DNS and SNMP reflection/amplification; SYN, RST, and ACK flooding; and small-packet UDP flooding. DNS query-flooding has also been observed against Russian targets, potentially indicating the involvement of more sophisticated attackers.

The most commonly-observed DDoS attack vectors used to target Russian online properties over the course of this attack campaign are various types of direct-path TCP-flooding attacks; this aligns with the global trend of increasing use of direct-path attacks which we highlight in our most recent Threat Intelligence Report where there's been a re-balancing of the scales in DDoS attack vectors. More adversaries are using direct-path, non-spoofed TCP and UDP based floods sourced from botnets.

Botnet Analysis in Russia

In our Ukraine DDoS threat overview, we discussed the emergence of a new botnet in Ukraine in mid-February of 2022.  While we haven't seen emergent botnets within Russia, we have seen an overall decrease in botnet activity sourced from Russia.

Industry & Organization Targeting

Several organizations have publicly cited DDoS attacks related to the ongoing attacks against Russia as having disrupted service to legitimate customers or organizations. Multiple governmental entities in Russia also reported attacks against their external facing websites and services. We have been able to independently confirm many of these publicly reported attacks, and continue to closely follow attack targeting.

Mitigation and Protection

NETSCOUT Arbor DDoS defense solutions (SP/TMS, AED, and Arbor Cloud) incorporate universal countermeasures and protections which can be utilized to successfully mitigate any type of DDoS attack, including all the DDoS attack methodologies employed to date during the ongoing attacks against Ukraine. Nonetheless, we strongly recommend that organizations perform the following actions:

• Maintain a high degree of situational awareness and engage in continuous risk assessment.
• Regularly confirm that all critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected against DDoS attacks.
• Ensure their DDoS defense plans, mitigation partnerships, and communication plans are up-to-date, reflect current configurations and operational conditions, and are periodically tested in order to verify that they can be successfully implemented as required.
• Subscribe to the syndication feed for this weblog in order to receive the latest Netscout ASERT publicly-available DDoS attack analysis and broadly-applicable defensive recommendations.

Conclusion

Contrary to popular belief, DDoS attacks are generally not surgical in nature; even relatively low-volume attacks can cause significant collateral impact to organizations, countries, and other polities which are not directly involved in this conflict. Organizations must remain especially vigilant, and should be on the lookout for either deliberate attacks predicated on business partnerships or other commercial or cultural relationships with affected entities.

The DDoS attack vectors utilized so far during these attacks are all well-understood; likewise, observed attack volumes are also well within historical norms. Organizations should implement industry-standard best current practices (BCPs) and up-to-date, situationally appropriate DDoS defenses in order to ensure their resilience against attack.