DDoS Threat Landscape - Ukraine

by ASERT Team

Executive Summary

Since mid-February of 2022, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring DDoS attacks targeting financial institutions and government ministries in Ukraine. We published an initial technical analysis of these attacks on February 16th of 2022; that assessment has been confirmed by public commentary from multiple authoritative sources. The increase in attacks against Ukraine started 9 days prior to the current conflict in the region.

While the overall incidence and severity of DDoS attacks decreased by 32% across the entire Europe, Middle East, and Africa (EMEA) region when compared to February of 2021, the frequency (number), bandwidth (bps), and throughput (pps) of DDoS attacks specifically targeting Ukraine increased significantly, year-over-year.

The vast majority of the attacks we’ve observed appear to be sourced from publicly available DDoS-for-hire services, also known as booter/stresser services. Almost all of these illicit services offer a restricted tier of free demonstration DDoS attacks to prospective customers; most of the DDoS attack vectors and attack volumes we observed during the initial stages of these attacks are achievable via the free tier of booters/stressers.

Some of the attacks we observed appeared to be launched by privately controlled botnets of both general-purpose computers and IoT devices. All the observed botnet-originated attacks utilized well-known DDoS attack vectors, and were consistent with well-known DDoS bot families such as Mirai, XOR.DDoS, Meris, and Dvinis.

It should be noted that attribution of DDoS attacks is notoriously difficult, especially when booters/stressers are utilized by attackers. Most attribution of DDoS attacks results from poor operational security of the attackers. In other cases, it is the joint work product of security researchers, law enforcement organizations and intelligence agencies who actively infiltrate the command-and-control (C2) infrastructure of both DDoS-for-hire services and private DDoS attack botnets in order to identify adversaries. NETSCOUT specializes in providing the most detailed DDoS attack analysis and mitigation recommendations in the industry, and is not focused on attack attribution.

NETSCOUT Statement About Ukraine: https://www.netscout.com/blog/netscout-statement-about-ukraine 

Key Findings

  • DDoS attacks against Ukraine in February 2022 increased 134% when compared to the same period in 2021.
  • While DDoS attacks targeting Ukraine increased significantly in both frequency and volume in February of 2022, attacks against the EMEA region as a whole decreased 32% when compared to the same period in 2021.
  • The highest-bandwidth attack we observed targeting Ukraine in February of 2022 was measured at ~132 Gbps; the highest-throughput attack against Ukraine during the same interval was measured at ~76.7 mpps. While these attack metrics are not insignificant, they do not approach the top tier of observed attack volumes worldwide.
  • It should also be noted that DDoS attacks often have a collateral damage footprint which is significantly larger and of greater significance than their direct impact on the intended target.
  • See Mitigation and Recommendations for guidance on the threats outlined in this blog.

Analysis

Attack Frequency

Our Active Threat Level Analysis System (ATLAS) DDoS attack statistics reveal that Ukraine experienced a ~134% increase in DDoS attacks in February of 2022, year-over-year. This coincides with an across-the-board ~32% decrease in DDoS attacks targeting the EMEA region as a whole. A significant ramp-up in attacks began with the commencement of ground operations in the Ukraine theater of conflict.

Attack Duration

The operators of DDoS-for-hire booter/stresser services don’t typically have sufficient insight into their attack infrastructure in order to reliably measure and manage the volume of DDoS attacks initiated by their criminal customers. Instead, they generally use duration-based schemes as the basis of their pricing model, with five-minute blocks as the most common increment. Discounts are offered to those who purchase bundles of attack blocks.

This means that DDoS attacks launched using booters/stressers often exhibit relatively short durations when compared to attacks launched using botnets. While some botmasters do allow other criminals to leverage their botnets under specific arrangements, they typically charge higher rates than booter/stresser services because individual botnet nodes can be unmasked when launching direct-path, non-spoofed DDoS attacks.

To date, the majority of DDoS attacks observed have been five minutes or less in duration, an outlier for this region. When assessed in combination with the specific DDoS attack vectors and associated attack volumes employed by attackers (see below), this strongly indicates that standard booter/stresser services were used to launch the majority of observed attacks.

Attack Bandwidth (bps)

When the initial press reports of increased DDoS attacks targeting Ukraine emerged, we examined our attack telemetry and were able to gain detailed insight into many of the specific attacks described in the media. Contrary to some early subjective reporting, observed bandwidth for the initial wave of attacks was relatively low. Observed attack bandwidth increased significantly as the DDoS attacks continued.

During the initial rounds of attacks against Ukraine, the highest-bandwidth attack we observed was ~5.3 Gbps. Over the entire course of attacks targeting Ukraine, the single largest attack we’ve observed was 132 Gbps. However, the majority of attacks are typically 10 Gbps or less in size. That being said, most DDoS attacks are textbook examples of overkill, using far more bandwidth and/or throughput than required in order to negatively impact both intended targets as well as bystander services and internet traffic.

Beyond the context of attacks specifically targeting Ukraine, various ISPs, commercial DDoS mitigation service providers, and other organizations with critical public-facing properties have successfully mitigated terabit-class DDoS attacks due to their focus on preparation and situational awareness. Some of the largest attacks on record (2.5 Tbps and 3.4 Tbps) were accompanied by notes that they either had no impact or their customers didn’t need to worry about them. Many of these ISPs and organizations with critical public-facing properties leverage NETSCOUT DDoS defense solutions, scaling their intelligent DDoS mitigation capacities up to multiple terabits/second.

Attack Throughput (pps)

In addition to the volume and duration, the speed (throughput) of an attack is a key metric for measuring the power, or impact, of an attack. Power is also coincidentally the term that DDoS-for-hire platforms use to describe how much bandwidth and throughput their servers can generate. Throughput can vary a lot, and is generally inversely proportional to packet size; high-throughput DDoS attacks typically feature smaller packet sizes, while high-bandwidth attacks typically involve larger (and often fragmented, in the case of UDP-based attacks) packets. Remember, "power" doesn't always equal impact: we have observed many very high-throughput attacks result in little impact, while attacks in the sub-mpps range have taken an organization offline.

And as noted above in the section on attack bandwidth, multiple ISPs, mitigation service providers and other organizations which are adequately provisioned to protect their online properties and those of their end-customers can successfully mitigate DDoS attacks of hundreds of millions of packets-per-second (mpps).

Many DDoS attacks we’ve observed targeting Ukraine have exhibited throughput speeds ranging from ~10 kpps to ~100 kpps, which typically have little impact against prepared organizations, but can disrupt operations for organizations lacking organized DDoS defenses. The Ukraine State Service of Special Communications and Information Protection (SSSCIP) has publicly stated that some of the successful DDoS attacks launched against Ukrainian organizations during the first wave of attacks attained throughput in the ~600 kpps range, emphasizing the importance of adequate DDoS defense planning and capacities.

The relative consistency of observed attack dynamics, including both observed bandwidth and throughput, supports our assessment that typical DDoS-for-hire services have been heavily utilized during the attacks.
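The duration, bandwidth and throughput sections above describe a simple triage: five-minute-or-shorter attacks at modest volumes point to booter/stresser tiers, and the bps/pps ratio reveals whether an attack is a small-packet (throughput-oriented) flood or a large/fragmented (bandwidth-oriented) one. The following is an added example of that triage, not NETSCOUT or ATLAS code; the attack records are constructed sample data, and the five-minute block, 128-byte/1200-byte packet-size cut-offs and 10 Gbps "typical" ceiling are assumptions mirroring the post's observations.

```python
"""Triage of DDoS attack records by duration, bandwidth and throughput.

Added example, not NETSCOUT/ATLAS code. Records are constructed sample data;
thresholds are assumptions taken from the post's narrative.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AttackRecord:
    target: str
    vector: str
    duration_s: int   # attack duration in seconds
    peak_bps: float   # peak bandwidth, bits per second
    peak_pps: float   # peak throughput, packets per second


# Constructed sample records (not real telemetry).
SAMPLE_ATTACKS = [
    AttackRecord("bank-a", "UDP flood", 300, 5.3e9, 6.0e6),
    AttackRecord("bank-a", "SYN flood", 240, 0.8e9, 1.9e6),
    AttackRecord("ministry-b", "DNS amplification", 300, 9.6e9, 0.9e6),
    AttackRecord("ministry-b", "ACK flood", 180, 0.6e9, 1.2e6),
    AttackRecord("isp-c", "UDP fragment flood", 7200, 120e9, 11e6),
    AttackRecord("bank-d", "HTTP GET flood", 3600, 0.2e9, 0.05e6),
]

BOOTER_BLOCK_S = 300  # five-minute increment the post names as most common


def avg_packet_bytes(rec):
    """Average on-wire bytes per packet: bps / (8 * pps)."""
    return rec.peak_bps / (8.0 * rec.peak_pps)


def packet_profile(rec):
    """Classify by average packet size (cut-offs are assumptions)."""
    size = avg_packet_bytes(rec)
    if size < 128:
        return "small-packet (throughput-oriented)"
    if size > 1200:
        return "large/fragmented (bandwidth-oriented)"
    return "mixed"


def short_duration_share(records, limit_s=BOOTER_BLOCK_S):
    """Fraction of attacks lasting one booter block or less."""
    short = sum(1 for r in records if r.duration_s <= limit_s)
    return short / len(records)


def summarize(records):
    return {
        "count": len(records),
        "max_gbps": max(r.peak_bps for r in records) / 1e9,
        "max_mpps": max(r.peak_pps for r in records) / 1e6,
        "median_gbps": median(r.peak_bps for r in records) / 1e9,
        "short_share": short_duration_share(records),
    }


def booter_consistent(records, min_short_share=0.5, typical_gbps=10.0):
    """Heuristic from the post: mostly short blocks at modest bandwidth."""
    s = summarize(records)
    return s["short_share"] >= min_short_share and s["median_gbps"] <= typical_gbps


if __name__ == "__main__":
    for r in SAMPLE_ATTACKS:
        print(f"{r.target:12} {r.vector:20} {r.duration_s:5d}s "
              f"{avg_packet_bytes(r):7.1f} B/pkt  {packet_profile(r)}")
    print(summarize(SAMPLE_ATTACKS))
    print("booter-consistent:", booter_consistent(SAMPLE_ATTACKS))
```

The two long-running, higher-volume records in the sample are there to show that the heuristic is a population judgement, not a per-attack one: a single 120 Gbps fragment flood does not change a verdict driven by the median and the share of sub-five-minute attacks.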

DDoS Attack Vectors

In addition to duration, bandwidth, and throughput, the DDoS attack vectors used in an attack have important implications for attack efficiency and efficacy. For example, various types of UDP reflection/amplification attacks can scale into extremely high bandwidth regimes but are not always optimal for attacking a given target. More skilled adversaries frequently engage in extensive pre-attack reconnaissance in order to tailor their efforts to the particulars of the targeted organization.

One of the key findings of our upcoming 2H2021 Threat Report is a significant re-balancing of attack methodologies away from a preponderance of reflection/amplification attacks powered by spoofing-capable attack infrastructure and towards direct-path attacks sourced from botnets. These direct-path attacks targeting Ukraine are largely non-spoofed, and consist of TCP- and UDP-based packet floods, along with HTTP and HTTP/S layer-4 and layer-7 attacks.

As of this writing, DDoS attack vectors observed have consisted of well-understood, routinely-used methodologies such as DNS and SNMP reflection/amplification; SYN, RST, and ACK flooding; and small-packet UDP flooding. The prevalence of direct-path DDoS attacks targeting Ukraine is consistent with our findings in the upcoming Threat Report.

Botnet-Sourced Attacks

We noted the prevalence of botnet-driven attacks in our initial post on the Ukraine DDoS attacks, and security researchers at 360 Netlab have reported the specific involvement of Mirai and Meris botnets during the initial surge of attacks. Most Mirai and Meris botnets are incapable of launching spoofed DDoS attacks due to both platform limitations as well as the prevalence of source-address validation (SAV; otherwise known as anti-spoofing) on the broadband access networks where many of these bots reside.

We also discovered what appears to be a relatively new DDoS-capable botnet emerging on Ukrainian networks, but have so far been unable to definitively confirm a specific botnet family it belongs to.

Interestingly, overall observed botnet-driven DDoS from within Ukraine itself has declined; this perceived decrease is likely the result of several factors such as generalized intra-Ukraine Internet instability caused by ongoing attacks, some Ukrainian network segments going completely offline, and as a side-effect of geo-blocking taking place on Ukrainian networks.

Given the global nature of the internet, both reflectors/amplifiers and botnet nodes used in attacks are often both topologically and geographically distant from targeted organizations. More skilled attackers will deliberately make use of attack assets closer to their targets; this is intended to reduce the likelihood of attack detection and mitigation by minimizing the number of administrative boundaries traversed by attack traffic, while also eliminating the ability of more remote networks to provide attack mitigation support.

Source-IP Spoofing

While the continued push to implement SAV within the operational community has contributed to the significant re-balancing of direct-path vs. reflection/amplification attacks noted above, spoofing is still required to launch all reflection/amplification DDoS attacks and is also utilized in spoofed direct-path attacks like SYN, ACK, and RST floods.

Another, more complex use of source-IP spoofing is to deceive organizations into disrupting their own operations (i.e., self-DDoSing) by deliberately spoofing the source IPs of customers, extranet partners, and other correspondent networks when launching DDoS attacks against those organizations. This targeted spoofing can be intended to cause an outage for the organization directly targeted by the spoofed attack traffic, or to negatively impact the operations of customers, partners, et al. by inducing the target to block legitimate traffic originating from their networks.

While this kind of activity can be difficult to infer, we’ve seen some indications it may be taking place during these attacks (see graph above), with Ukraine-based organizations as its ultimate target. We started looking at all attacks in the region, and collating the purported source IP addresses seemingly launching specific attacks into their source BGP Autonomous System Numbers (ASNs). Some of our findings were rather surprising.

Based on the ostensible source IPs present in specific observed attack traffic, the percentage of supposed botted IP hosts within the ASNs in question was implausibly high in almost every case. With multiple types of illicit activity apparently being sourced from these networks, we scoured publicly available IP reputation databases such as Shodan and Greynoise for any reports of illicit activity. Yet we were unable to find much of anything corroborating these reports. This lack of confirmation extended to our own ASERT-operated honeypots.

Given these observations, we urge all organizations to be cautious when validating attacks emanating from well-known customer or partner networks. NETSCOUT uses multiple mechanisms to gauge the reputation of source IP addresses, requiring multiple correlations of observed attack activity prior to inclusion in curated filter lists and policies.
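The preceding paragraphs describe the check that exposed the likely spoofing: collate purported attack source IPs into their origin ASNs, compare the number of distinct "botted" sources against the address space each ASN actually announces, and look for corroboration in reputation data before trusting the result. The following is an added example of that plausibility check from a defender's side, not NETSCOUT code. The prefix-to-ASN table stands in for a BGP RIB lookup, the attack source IPs and the reputation hit set are constructed sample data, and the 10% density threshold is an assumption.

```python
"""Plausibility check for attack source IPs aggregated by origin ASN.

Added example, not NETSCOUT code. Prefix table, source IPs, reputation hits
and the density threshold are all constructed or assumed.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix -> ASN table (a real deployment would query a BGP RIB).
PREFIX_TABLE = {
    "203.0.113.0/24": 64500,    # partner network
    "198.51.100.0/25": 64501,   # customer network (128 addresses)
    "192.0.2.0/24": 64502,      # broadband access network
}

# Constructed IPs that an IP reputation feed has previously reported.
REPUTATION_HITS = {"192.0.2.17", "192.0.2.88"}

# Constructed attack sources: 40 distinct hosts claimed inside a /25 customer
# prefix (none with any reputation history), plus a few from other networks.
SAMPLE_SOURCES = (
    [f"198.51.100.{i}" for i in range(1, 41)]
    + ["192.0.2.17", "192.0.2.88", "192.0.2.5"]
    + ["203.0.113.10", "203.0.113.11"]
)


def origin_asn(ip, table=PREFIX_TABLE):
    """Longest-prefix match; returns (network, asn) or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def collate_by_asn(source_ips, table=PREFIX_TABLE):
    """Group distinct source IPs per ASN and total the announced space seen."""
    per_asn = defaultdict(lambda: {"ips": set(), "nets": set(), "space": 0})
    for ip in source_ips:
        hit = origin_asn(ip, table)
        if hit is None:
            continue  # unrouted / unknown origin: cannot assess density
        net, asn = hit
        entry = per_asn[asn]
        entry["ips"].add(ip)
        if net not in entry["nets"]:
            entry["nets"].add(net)
            entry["space"] += net.num_addresses
    return per_asn


def assess(source_ips, reputation=REPUTATION_HITS, max_density=0.10,
           table=PREFIX_TABLE):
    """Return {asn: (density, corroborated_count, verdict)}.

    density = distinct attack sources / addresses announced by that ASN.
    A high density with zero reputation corroboration is the pattern the
    post describes for spoofed 'partner' sources.
    """
    verdicts = {}
    for asn, entry in collate_by_asn(source_ips, table).items():
        density = len(entry["ips"]) / entry["space"]
        corroborated = len(entry["ips"] & reputation)
        if density > max_density and corroborated == 0:
            verdict = "implausible-uncorroborated (likely spoofed)"
        elif density > max_density:
            verdict = "high-density-corroborated"
        else:
            verdict = "plausible"
        verdicts[asn] = (density, corroborated, verdict)
    return verdicts


if __name__ == "__main__":
    for asn, (density, corr, verdict) in sorted(assess(SAMPLE_SOURCES).items()):
        print(f"AS{asn}: density={density:.3f} corroborated={corr} -> {verdict}")
```

The operational consequence matches the post's advice: an ASN that lands in the "implausible-uncorroborated" bucket should not be added to a block list on the strength of one attack, because doing so is exactly the self-inflicted outage the spoofing is designed to provoke.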

Targeted Industries and Business Sectors

Several organizations have publicly cited DDoS attacks related to the ongoing attacks against Ukraine as having disrupted service to legitimate customers. Multiple governmental entities have independently reported attacks against these same organizations, as well as others. We have been able to independently confirm many of these publicly reported attacks, and continue to closely follow attack targeting.

Analysis of 100 verified targets of DDoS attacks over the course of these attacks reveals the top 5 targeted industries and sectors within Ukraine as the following:

Mitigation and Protection

NETSCOUT Arbor DDoS defense solutions (SP/TMS, AED, and Arbor Cloud) incorporate universal countermeasures and protections which can be utilized to successfully mitigate any type of DDoS attack, including all the DDoS attack methodologies employed to date during the ongoing attacks against Ukraine. Nonetheless, we strongly recommend that organizations perform the following actions:

  • Maintain a high degree of situational awareness and engage in continuous risk assessment.
  • Regularly confirm that all critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected against DDoS attacks.
  • Ensure their DDoS defense plans, mitigation partnerships, and communication plans are up-to-date, reflect current configurations and operational conditions, and are periodically tested in order to verify that they can be successfully implemented as required.
  • Subscribe to the syndication feed for this weblog in order to receive the latest NETSCOUT ASERT publicly-available DDoS attack analysis and broadly-applicable defensive recommendations.

Conclusion

The ongoing DDoS attacks against Ukraine preceded the initiation of ground operations by several days; since that time, observed DDoS attack activity has increased significantly. We anticipate that DDoS activity targeting Ukraine will continue over the duration of the conflict, and will continue to disrupt Internet operations not only within Ukraine, but within other polities which are not directly involved.

The DDoS attack vectors utilized so far are all well-understood; likewise, observed attack volumes are also well within historical norms. Organizations should implement industry-standard best current practices (BCPs) and up-to-date, situationally appropriate DDoS defenses in order to ensure their resilience against attack.