Q1 2022 was characterized by an escalating DDoS war. The global community observed a spike in application-layer DDoS attacks, and volumetric DDoS attacks surged by 645% QoQ. At the same time, the share of ransom DDoS attacks declined from 6% in February 2022 to just 3% in March 2022.
According to a recent report by F5 Labs, in 2021, DDoS attacks larger than 250 Gbps grew by a tremendous 1,300%. Volumetric (network flood) DDoS attacks are still prevalent, accounting for 59% of all DDoS attacks recorded.
In the DDoS war between russia and Ukraine, the most targeted industries are online and broadcast media. The other heavily affected industries are crypto and retail. For the last few months, pro-russian actors have been actively targeting Ukrainian allies. Countries such as the Czech Republic, Romania, Estonia, and Poland experienced DDoS attacks mostly targeting government websites.
At the same time, Ukrainian and pro-Ukrainian cyber armies are responding by attacking russian propaganda media, infrastructure, the Kremlin’s websites, businesses, their supply chains, etc.
But what does “the resource was hit by a DDoS attack” actually mean? What real damage do DDoS attacks cause to victims?
Volume-based attacks: these attacks focus on saturating the bandwidth of the attacked site by generating massive volumes of traffic. Their magnitude is measured in bits per second. These attacks do not allow legitimate traffic to flow into or out of the targeted resource.
Although the main purpose of volume-based attacks is to cause congestion, they may also be launched to cover up more advanced attack techniques such as penetration attempts. Such DDoS maneuvers may result in disabling firewalls or intrusion prevention systems, allowing attackers to install malware or steal data.
Protocol attacks: these attacks consume actual server resources or the capacity of intermediary equipment, including firewalls and load balancers.
Protocol DDoS attacks may be used to redirect traffic from legitimate resources to fake websites or prevent the target from rendering services to its users.
Application-layer attacks: these attacks use seemingly legitimate and innocent requests to crash the web server. These are the most sophisticated attacks, as they exploit weaknesses in the application layer.
Application-layer attacks are focused on keeping the targeted applications from carrying out the functions they are intended for.
In a real-world environment, malicious actors may combine different types of DDoS attacks to achieve maximum effect.
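For defenders, the three categories above map to different signals in monitoring data. The following triage sketch is an added example, not part of the original article: it labels one monitoring window with every category whose signature is present, so a combined attack yields more than one label. The field names, thresholds and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Window:
    """Metrics for one monitoring interval (field names are illustrative)."""
    bits_per_sec: float       # inbound volume, the unit volume-based attacks are measured in
    link_capacity_bps: float  # provisioned uplink bandwidth
    half_open_conns: int      # handshakes pending on the server, firewall or load balancer
    conn_table_size: int      # connection-state capacity of that device
    http_rps: float           # HTTP requests per second reaching the application
    baseline_rps: float       # normal request rate for the same hour
    http_5xx_ratio: float     # share of responses that were server errors

# Assumed thresholds; tune them against your own baseline.
LINK_SATURATION = 0.9
STATE_EXHAUSTION = 0.8
RPS_MULTIPLIER = 5.0
ERROR_RATIO = 0.2

def classify(w: Window) -> set:
    """Return every attack class whose signature is present in the window."""
    labels = set()
    if w.bits_per_sec >= LINK_SATURATION * w.link_capacity_bps:
        labels.add("volume-based")
    if w.half_open_conns >= STATE_EXHAUSTION * w.conn_table_size:
        labels.add("protocol")
    # Requests look legitimate and bandwidth can stay modest, so compare the
    # request rate with the baseline and require signs of server distress.
    if (w.http_rps >= RPS_MULTIPLIER * w.baseline_rps
            and w.http_5xx_ratio >= ERROR_RATIO):
        labels.add("application-layer")
    return labels

# Constructed sample windows, not real measurements.
SAMPLES = {
    "quiet":    Window(2.0e8, 1e9, 300, 65536, 400, 350, 0.01),
    "flood":    Window(9.6e8, 1e9, 500, 65536, 380, 350, 0.02),
    "state":    Window(1.5e8, 1e9, 60000, 65536, 300, 350, 0.05),
    "http":     Window(1.2e8, 1e9, 900, 65536, 4200, 350, 0.35),
    "combined": Window(9.8e8, 1e9, 700, 65536, 2600, 350, 0.40),
}

def triage(samples=SAMPLES) -> dict:
    """Classify each named window and return the labels per window."""
    return {name: classify(w) for name, w in samples.items()}

if __name__ == "__main__":
    for name, labels in triage().items():
        print(f"{name:9s} -> {sorted(labels) or ['normal']}")
```

The application-layer check deliberately ignores bandwidth: the "http" window stays far below link capacity and would be missed by a volume-only alarm.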
Almost every day there is news about DDoS attacks launched by pro-Ukrainian forces or russian hackers. Often such news states that the targeted resources have become unavailable. But the damage experienced by a target may be much bigger. Let’s analyze some of the examples.
On 26 February, russian Railway reported facing DDoS attacks targeting its website and informed its passengers of possible issues when buying tickets online. The company was forced to open additional ticket sale offices at railway stations to meet demand. This measure may have led to an increase in the company’s operating expenses. Since russian Railway is a state-owned company, all its expenditures automatically become the expenditures of the russian government.
At the beginning of May 2022, Ukrainian hacktivists carried out DDoS attacks disrupting alcohol shipments in russia. They were targeting EGAIS, the “Unified State Automated Alcohol Accounting Information System” in which alcohol producers and distributors are required by law to register their shipments. The EGAIS site was down on 2 and 3 May. Due to the attack, the company Fort failed to upload 70% of invoices to EGAIS. Its supplies of alcohol on 4 May were disrupted. The russian alcohol market serves as a significant income source for the country’s budget. In 2019, excises on alcoholic beverages brought the russian budget 370B russian rubles. Thus, in 2022, russia may have lost up to 2B russian rubles ($28M) as a result of DDoS attacks targeting EGAIS. $28M is the cost of 14 russian T-80 main battle tanks.
DDoS attacks targeting russian streaming platforms, food delivery services, and other resources whose income depends on the number of people visiting their websites have affected their financial performance, namely, profit. Thus, the lower their profit, the lower the sum of taxes paid to the russian budget.
Starting from the first day of the invasion, Ukrainian hacktivists have launched hundreds of DDoS attacks targeting russian propaganda media that disseminate false information among people watching them. For example, the Ukrainian hacktivist group disBalancer has already attacked dozens of leading russian propaganda media including tvzvezda, vesti, kommersant, etc. Although these attacks do not cause any visible financial damage to russia, they may force people living in russia to look for alternative sources of information. Even if 1% of russian TV audience turns to alternative sources of information, it can make a difference.
Before russia openly invaded Ukraine on 24 February 2022, many experts and observers had suggested that russia would use cyberattacks to cause technological collapse in Ukraine and simplify the military operations of its army. According to the National Cyber Power Index by Belfer Center, russia is the 4th most powerful country in the world in terms of cyber capabilities (only the USA, China, and the UK rank higher). However, for the last 3 months, russia has not carried out devastating cyber attacks against Ukraine. One of the possible reasons is the proactive approach of the Ukrainian cyber forces.
Ukrainian DDoS volunteers have been actively attacking russian government websites including the kremlin one, the state-owned defense and aerospace conglomerate Rostec, payment systems, etc. As a result, russia was forced to allocate its cyber resources to defend its systems instead of attacking Ukraine. Generally, Ukraine has formed an international coalition of hackers, and it is likely that russia did not expect to see such a powerful cyber resistance in Ukraine.
All powerful DDoS attacks draw the attention of the global community. As a result, the war in Ukraine is always in the public eye. The world must not forget that hundreds of people die every day in Ukraine.
Overall, despite their simplicity, DDoS attacks have turned out to be a strong cyber tool in the hands of pro-Ukrainian forces. These attacks have made a visible contribution to disrupting russian plans to cause cyber collapse in Ukraine and, thereby, chaos. Also, they have allowed thousands of people in Ukraine to be involved in the fight against russia even without taking physical weapons in their hands.