The political situation in Europe has escalated. This has affected the nature, intensity, and geography of DDoS attacks: They have become actively used for political purposes.
New industry trends due to the conflict in Europe
The situation in Eastern Europe has affected the entire DDoS attack and mitigation industry. States are now becoming active participants in this market, while the attacks themselves are becoming more sophisticated and powerful.
Geopolitical situation changing the objectives, nature, and intensity of attacks
During the first and second quarters of 2022, a number of countries reported attacks on government and financial institutions:
- “This cyberattack aimed at disabling banks and government websites was the worst in the history of Ukraine. It started on Tuesday, February 15, and lasted until Wednesday, with the goal of causing widespread confusion,” according to the government of Ukraine. “This attack was prepared in advance to destabilize and sow panic and chaos in our country.” The attack targeted the website of the Ministry of Defense and the Ukrainian state services digital portal, Diia, as well as the ATM networks and mobile applications of Oschadbank and PrivatBank.
- On March 11, the Chinese state agency Xinhua announced that cyberattacks were tracked to the United States, Germany, and the Netherlands. These attacks were carried out via computers in China and targeted Ukrainian, Belarusian, and Russian resources. Despite the state agency naming the sources of detected cyberattacks, it did not attribute them to any particular country. The attacks could be orchestrated by hackers who have acquired IP addresses in these countries.
- On April 8, the Finnish Ministry of Defense and Foreign Affairs websites were subject to cyberattacks. “We are investigating the matter and will provide information when we know more about the incident,” said the ministry. The suspects behind the attack haven’t been revealed.
States becoming official participants in the DDoS mitigation market
The DDoS market is often called spontaneous. Attacks that are powerful and costly for customers are not uncommon, but governments used to be more restrained when protecting against them. Now, rumors about the actions of state structures in this segment are more often confirmed by the officials. For example, at the end of February 2022, the U.S. Attorney General publicly confirmed that the FBI conducted a secret operation to eliminate Russian malware and prevent a large-scale DDoS attack.
The emergence of cyber troops in Ukraine is also known: their creation last year was confirmed by the country's government. In February 2022, they started the recruitment process. The tasks of the recruits will include ensuring information security and protecting critical infrastructure.
Active government intervention in the industry can fundamentally change the market.
How have the DDoS attack complexity, power, and duration changed?
The power, geography, and duration of DDoS attacks have been affected. According to Andrey Slastenov, Head of Web Security at Gcore, the list of the main DDoS attack victims—countries and industries—has undergone significant changes in recent months. The company shared its data.
Attacks are becoming more complex and multivectored
There are several distinctive types of DDoS attacks:
- Ransom DDoS attacks are carried out for extortion: The attackers promise to stop their actions upon receiving the ransom.
- Application-layer DDoS attacks interfere with or even completely paralyze the operation of business applications, which causes material and reputational losses for the targets.
- Network-layer DDoS attacks saturate the target's network bandwidth and disrupt its interactions with partners and clients.
Each type of attack exploits different vulnerabilities in the victim’s infrastructure. Previously, attacks were based on a particular vector, but now the share of more sophisticated malicious campaigns is growing. Rather than directly attacking the victim’s server, attackers paralyze one of its key functions and conduct combined attacks along different vectors.
According to Gcore, the number of such complex multivector attacks tripled in 2022 compared to the previous year. Bots and botnets have become the most common vectors for DDoS attacks, while HTTP flood attacks are also widely used. The company shared an example of a powerful attack that was averted by Gcore Web Application DDoS Protection:
Figure: Example of a powerful HTTP Flood attack detected by Gcore Web Application DDoS Protection
The number of ultrashort attacks and average attack power are increasing
In recent years, the number of ultrashort DDoS attacks has been growing. In 2022, according to Gcore, their average duration is 5–10 seconds.
The longest attack was recorded by the company's specialists on April 14–15. It lasted 24 hours at a rate of 5 Gbps.
The average power of recorded attacks in Q1–Q2 of 2022 more than doubled: last year, it was 300 Gbps, and this year it is already 700 Gbps. Previously, the main targets of such attacks were small and medium-sized companies, but this year more and more attacks are aimed at government agencies.
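As an added illustration (not code from Gcore's report or its products), the following Python sketch shows why the 5–10 second bursts described above call for sliding-window detection: the same constructed burst that a 5-second window flags slips under a classic per-minute request count. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines ("<timestamp> <source IP> <method> <path>"), not real traffic.
# 198.51.100.7 fires 12 requests within 6 seconds, a burst far shorter than a minute;
# 203.0.113.5 and 203.0.113.9 browse at a normal pace across the same minute.
SAMPLE_LOG = (
    ["2022-04-14T10:00:%02dZ 198.51.100.7 GET /api/login" % (3 + i // 2) for i in range(12)]
    + ["2022-04-14T10:00:%02dZ 203.0.113.5 GET /index.html" % s for s in (1, 14, 27, 40, 53)]
    + ["2022-04-14T10:00:%02dZ 203.0.113.9 GET /catalog" % s for s in (5, 20, 35, 50)]
)

WINDOW_SECONDS = 5      # sliding window sized for 5-10 second bursts
BURST_THRESHOLD = 8     # requests from one source inside the window before it is flagged
MINUTE_THRESHOLD = 30   # a typical per-minute rule that the same burst slips under

def parse(line):
    """Split one log line into (datetime, source_ip); the request part is ignored."""
    ts, ip, *_ = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip

def detect_bursts(lines, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return {ip: (burst_start, burst_end, peak_count)} for every source whose
    request count inside some `window`-second span reached `threshold`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, ip in sorted(parse(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop requests that have aged out of the window
        if len(q) >= threshold:
            start, _, peak = flagged.get(ip, (q[0], ts, 0))
            flagged[ip] = (start, ts, max(peak, len(q)))
    return flagged

def per_minute_offenders(lines, threshold=MINUTE_THRESHOLD):
    """Coarse per-minute counting, the rule that misses ultrashort floods entirely."""
    counts = defaultdict(int)
    for ts, ip in (parse(l) for l in lines):
        counts[(ip, ts.replace(second=0))] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    for ip, (start, end, peak) in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within {WINDOW_SECONDS}s, burst lasted "
              f"{(end - start).total_seconds():.0f}s ({start.time()} to {end.time()})")
    print("per-minute rule flagged:", per_minute_offenders(SAMPLE_LOG) or "nothing")
```

In a real deployment the per-source key would usually be widened (subnet, ASN or session fingerprint), since a distributed flood spreads the same burst over many addresses.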
Government agencies are becoming frequent targets of DDoS attacks
The beginning of 2022 was marked by some of the most powerful attacks of recent years. Most of them targeted government agencies:
- January 15—the attack on the North Korean infrastructure. It led to a complete blackout in the country for 6 hours. As a result of the attack, all transportation in the country was paralyzed.
- January 16—the attack on Ukrainian government websites. The websites of the Ministry of Education, Ministry of Foreign Affairs, State Emergency Service, Cabinet of Ministers, Ministry of Energy, and Diia were paralyzed.
- February 15—attacks on the Ukrainian Ministry of Defense and Armed Forces, PrivatBank, and Oschadbank. As a result of the simultaneous attacks, many Ukrainian banking systems were down, as well as several government websites.
- February 23—the attack on the Ukrainian Ministry of Foreign Affairs and National Parliament. As a result of large-scale attacks, several government websites were down.
- March 10—the attack on Ukrtelecom. For 40 minutes, the work of the national telecom operator of Ukraine and the operation of networks and essential communication channels throughout the country was disrupted.
- March 14—the attack on Israeli government websites. The websites of the Ministries of Interior, Defense, Health, Justice, and Social Services, as well as the Prime Minister’s Office, were under attack. The campaign was labeled the strongest cyberattack ever launched against Israel.
- March 16—the attack on the Ukrainian internet service provider Triolan. The attack caused severe internet outages for the provider's Ukrainian users.
- March 29—the attack on the Bradley Airport website. Unknown hackers launched an attack on the website of the Bradley International Airport, U.S.A.
- April 8—the attack on the Finnish Ministries of Defense and Foreign Affairs. The departments’ websites were unavailable and malfunctioned during the day.
Businesses are undergoing heavy flood attacks
According to Gcore, the most attacked business sectors in Q1–Q2 of 2022 were e-commerce, fintech, and game development. The company shared information about powerful TCP and UDP flood attacks.
Figure: Traffic structure of a TCP Flood attack on a fintech company that lasted more than one day, April 14–15
Figure: Information about a UDP Flood attack on a game developer, March 11
Increasing DDoS protection requirements
To defend against powerful and sophisticated attacks, businesses and government agencies require advanced security systems. This is not the first time that Gcore has experienced a sharp increase in the number of DDoS attacks and their complexity.
“In 2020–2021, along with increased content consumption in the online games and entertainment industry, DDoS attacks also became more frequent and sophisticated. The attacks became more devious: Instead of targeting specific servers, attackers focused on web applications (L7 of the OSI network model) and tried to legitimize the traffic. One of the main targets of cybercriminals was our client, Wargaming. On February 18, 2021, the security system of Gcore detected a UDP Flood—an attack aimed at the servers of the game development company. Its volume reached 253 Gbps, and it lasted 15 minutes. We deflected it successfully. It was possible thanks to the huge bandwidth of our network and our filtering system, which detects and neutralizes attacks at a speed of hundreds of gigabits per second. Our comprehensive protection algorithms ensure that our security systems are not bypassed, even in cases where attackers try to use traffic similar to legitimate traffic.”
Andrey Slastenov, Head of Web Security at Gcore
Gcore offers comprehensive protection against complex attacks: it works at the network (L3), transport (L4), and application (L7) layers, effectively protecting clients from all types of cyberthreats. The solution does not require pausing business processes for the duration of the attack since its intelligent real-time traffic filtering technology only cuts out specific malicious sessions.