This article was written by Andrew Faber, Head of Web Security at Gcore
The political situation in Europe and the rest of the world has degraded dramatically in 2022. This has affected the nature, intensity, and geography of DDoS attacks, which have become actively used for political purposes.
New industry trends due to the conflict in Europe
The situation in Eastern Europe has affected the entire cybersecurity industry, particularly in areas such as DDoS attacks and protection. Now, states are becoming active participants in this market while the attacks themselves are becoming more sophisticated and powerful.
Geopolitical situation changing the objectives, nature, and intensity of DDoS attacks
During the first half of 2022, several countries reported attacks on government and financial institutions:
“This cyberattack aimed at disabling banks and government websites was the worst in the history of Ukraine. It started on Tuesday, February 15, and lasted until Wednesday, with the goal of causing widespread confusion,” according to the Ukrainian government. “This attack was prepared in advance to destabilize and sow panic and chaos in our country.” The attack targeted the website of the Ministry of Defense and the Ukrainian state services digital portal, Diia, as well as the ATM networks and mobile applications of Oschadbank and PrivatBank.
On March 11, the Chinese state agency Xinhua claimed that cyberattacks were tracked to the United States, Germany, and the Netherlands. These attacks were carried out via computers in China and targeted Ukrainian, Belarusian, and Russian resources. Despite the state agency naming the sources of these detected cyberattacks, it did not attribute them to any particular country. The attacks could have been orchestrated by hackers who have acquired IP addresses in these countries.
On April 8, the Finnish Ministry of Defense and Foreign Affairs websites were subject to cyberattacks. “We are investigating the matter and will provide information when we know more about the incident,” said the ministry. The suspects behind the attack have not been revealed.
States becoming official participants in the DDoS mitigation market
The DDoS market can often be described as spontaneous. Attacks that are powerful and costly for customers are not uncommon, but governments used to be more restrained when protecting against them. Now, rumours about the actions of state structures in this segment are often confirmed by officials. For example, at the end of February 2022, the U.S. Attorney General publicly confirmed that the FBI conducted a secret operation to eliminate Russian malware and prevent a large-scale DDoS attack.
The emergence of cyber troops in Ukraine is also well documented; their creation last year was confirmed by the country’s government. The recruitment process began in February 2022, and they have been tasked with ensuring information security and protecting critical infrastructure. Such active government intervention in the industry may well fundamentally change the market forever.
How has DDoS attack complexity, power, and duration changed?
The geopolitical situation has had a marked impact on the power, geography, and duration of DDoS attacks. The list of the main DDoS attack victims, for both countries and industries, has changed significantly in recent months. Gcore has shared its data, which you can read below.
Attacks are becoming more complex and multivector
There are several distinctive types of DDoS attacks:
Ransom DDoS attacks are carried out for extortion – the attackers promise to cease their attack upon receiving the ransom.
Application-layer DDoS attacks interfere with or even completely paralyse the operation of business applications, which causes material and reputational loss for the targets.
Network-layer DDoS attacks sap networks’ bandwidth and disrupt the target’s interactions with partners and clients.
Each type of attack exploits different weaknesses in the victim’s infrastructure. Previously, an attack was built around a single vector, but now the share of more sophisticated malicious campaigns is growing. Rather than hitting the victim’s server head-on, attackers paralyse one of its key functions and conduct combined attacks along several vectors at once.
According to Gcore, the number of such complex multivector attacks tripled in 2022 compared to the previous year. Bots and botnets have become the most common vectors for DDoS attacks, while HTTP flood attacks are also widely used. The company shared an example of a powerful attack that was averted by Gcore Web Application DDoS Protection:
The number of ultrashort attacks and average attack power are increasing
In recent years, the number of ultrashort DDoS attacks has been growing. According to Gcore, in 2022 the average duration of such attacks was 5–10 seconds.
The longest attack was recorded by the company’s specialists on April 14–15. It lasted 24 hours with a capacity of 5 Gbps.
The average power of recorded attacks in Q1–Q2 of 2022 more than doubled – last year, it was 300 Gbps, and this year it is already 700 Gbps. Previously, the main targets of such attacks were small and medium-sized companies, but this year more and more attacks are aimed at government agencies.
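The HTTP floods and 5–10 second attacks described above are easy to miss when traffic is averaged per minute. The following is an added example (not Gcore’s code or data): it buckets constructed access-log lines into 1-second bins and reports runs of seconds over a request-rate threshold, showing that a 6-second burst which more than doubles the per-minute average stays invisible to that average. The IP addresses, timestamps and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_log():
    """Constructed sample access log (not real traffic): 2 req/s baseline from
    five clients, plus a 6-second burst of 50 req/s from one source at :20."""
    base = datetime(2022, 4, 14, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    lines = []
    for s in range(60):
        stamp = (base + timedelta(seconds=s)).strftime(TS_FMT)
        for i in range(2):
            lines.append(f'10.0.0.{(s + i) % 5 + 1} - - [{stamp}] "GET / HTTP/1.1" 200 1024')
        if 20 <= s < 26:
            lines += [f'203.0.113.7 - - [{stamp}] "GET /login HTTP/1.1" 200 512'] * 50
    return lines

def per_second_counts(lines):
    """Bucket requests into 1-second bins: total rate and per-source rate."""
    total, per_ip = Counter(), defaultdict(Counter)
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue  # skip malformed lines instead of crashing on them
        ts, ip = datetime.strptime(m.group(2), TS_FMT), m.group(1)
        total[ts] += 1
        per_ip[ts][ip] += 1
    return total, per_ip

def find_bursts(total, threshold, min_seconds=3):
    """Runs of >= min_seconds consecutive seconds above threshold req/s -> (start, end, peak)."""
    bursts, run = [], []
    for ts in sorted(total):
        if total[ts] > threshold and (not run or ts - run[-1] == timedelta(seconds=1)):
            run.append(ts)
            continue
        if len(run) >= min_seconds:
            bursts.append((run[0], run[-1], max(total[t] for t in run)))
        run = [ts] if total[ts] > threshold else []
    if len(run) >= min_seconds:
        bursts.append((run[0], run[-1], max(total[t] for t in run)))
    return bursts

def average_rate(total):
    """Whole-log average in req/s; over a minute this hides the 6-second burst."""
    span = (max(total) - min(total)).total_seconds() + 1
    return sum(total.values()) / span
```

With a 20 req/s threshold the per-second view reports one burst from :20 to :25 peaking at 52 req/s, while the minute average is only 7 req/s.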
Government agencies are becoming frequent targets of DDoS attacks
The beginning of 2022 was marked by some of the most powerful attacks of recent years. Most of them targeted government agencies:
January 15 — An attack on North Korean infrastructure. It led to a complete blackout in the country for 6 hours. As a result of the attack, all transportation in the country was paralysed.
January 16 — An attack on Ukrainian government websites. The websites of the Ministry of Education, Ministry of Foreign Affairs, State Emergency Service, Cabinet of Ministers, Ministry of Energy, and Diia were paralysed.
February 15 — Attacks on the Ukrainian Ministry of Defense and Armed Forces, PrivatBank, and Oschadbank. As a result of the simultaneous attacks, many Ukrainian banking systems were down, as well as several government websites.
February 23 — An attack on the Ukrainian Ministry of Foreign Affairs and National Parliament. As a result of the large-scale attacks, several government websites went down.
March 10 — An attack on Ukrtelecom. For 40 minutes, the work of the national telecom operator of Ukraine and the operation of networks and essential communication channels throughout the country were disrupted.
March 11 — An attack on the Rostec website. The state aerospace and defence company said it had been under constant DDoS attacks since February.
March 14 — An attack on Israeli government websites. The websites of the Ministries of Interior, Defense, Health, Justice, and Social Services, as well as the Prime Minister’s Office, were attacked. The campaign was labelled the strongest cyberattack ever launched against Israel.
March 16 — An attack on the Ukrainian internet service provider Triolan. This resulted in severe internet outages for its Ukrainian users.
March 29 — An attack on the Bradley Airport website. Unknown hackers launched an attack on the website of the Bradley International Airport, U.S.A.
April 8 — An attack on the Finnish Ministries of Defense and Foreign Affairs. The departments’ websites were unavailable and malfunctioned throughout the day.
Businesses are undergoing heavy flood attacks
According to Gcore, the most-attacked business sectors in Q1–Q2 of 2022 were e-commerce, fintech, and game development. The company shared information about powerful TCP and UDP flood attacks.
Increasing DDoS protection requirements
To defend against such powerful and sophisticated attacks, businesses and government agencies need advanced security systems. This is not the first time that Gcore has experienced a sharp increase in the number of DDoS attacks and their complexity.
In 2020–2021, along with increased content consumption in the online games and entertainment industry, DDoS attacks also became more frequent and sophisticated. The attacks became more devious: instead of targeting specific servers, attackers focused on web applications (L7 of the OSI network model) and tried to make the malicious traffic look legitimate.
One of the main targets of cybercriminals was our client, Wargaming. On February 18, 2021, the security system of Gcore detected a UDP flood attack aimed at the servers of the game development company.
Its volume reached 253 Gbps, and it lasted 15 minutes – we deflected it successfully. This was possible thanks to the huge bandwidth of our network and our filtering system, which detects and neutralises attacks at a speed of hundreds of gigabits per second.
Our comprehensive protection algorithms ensure that our security systems are not bypassed, even when attackers try to use traffic that resembles legitimate traffic.
Gcore offers comprehensive protection against complex attacks: it works at the network (L3), transport (L4), and application (L7) layers, effectively protecting clients from all types of cyberthreats. The solution does not require pausing business processes for the duration of the attack, since its intelligent, real-time traffic filtering technology only cuts out specific malicious sessions.