Disruptive DDoS attacks against critical infrastructure and government targets have been increasingly prevalent since the beginning of Russia's invasion of Ukraine.
Infosec experts have observed a surge in global DDoS activity in recent months. The Cybersecurity and Infrastructure and Security Agency (CISA) issued a warning about these types of attacks from Russian threat groups in April.
From Russian supporters attacking the opposition to pro-Ukraine actors targeting Russia and its allies in retaliation, DDoS attacks have disrupted a growing number of networks across the world.
The first attacks began in the weeks and days before the invasion was launched in late February, as government websites and financial institutions were hit with DDoS attacks by nation-state actors in Russia.
NetBlocks, a global internet monitor, has kept track of service attacks on Ukraine's internet over the last three months, identifying certain regions that have been heavily targeted and publishing the most significant outages.
The group provides charts with dates and connectivity percentages for different areas of the country as well as for internet service providers for Ukraine. The connectivity issues limited communication both within the country and to outside contacts and caused blackouts in key government areas like nuclear power plants and military bases.
NetBlocks tracked DDoS attacks that took down connectivity by 15-20%, but also ones that completely took down services, dropping connectivity in certain areas to zero on multiple occasions.
Some of the largest disruptions identified were in key cities like Kyiv, Luhansk and Mariupol. Threat actors targeted not just local internet providers but also the national telecom provider Ukrtelecom, which saw its connectivity drop to just 13% in late March.
While much of the disruption occurred in February and March, these DDoS attacks continue to hit Ukraine, with outages appearing nearly every day in areas of heavy contention. But Ukraine is not the only country facing DDoS attacks since the start of the invasion.
Rate of attacks
In separate reports, Cloudflare and Kaspersky Lab analyzed the growth of DDoS attacks during the first quarter of 2022. Cloudflare's report broke down the data by type of attack and tracked the growth year over year (YoY) and quarter over quarter (QoQ), as well as which industries were most heavily targeted by each kind.
The company found that application-layer attacks went up by 164% YoY and 135% QoQ and that network-layer attacks increased 71% YoY but fell by 58% QoQ.
Cloudflare also found that the size of attacks increased. The number of attacks using over 10 million packets per second grew by more than 300% QoQ and attacks over 100 billion bits per second rose by 645% QoQ.
Kaspersky's report found that overall, there was a 450% increase in DDoS attacks from Q1 2021 to Q1 2022. The report also found that the duration of these attacks grew, with the average DDoS attack duration in Q1 2022 being nearly 8000% higher than the same figure for 2021.
However, Kaspersky did note that there was a far lower number of attacks prior to Russia's invasion, which began Feb. 24.
"The reason for this growth is obvious: the crisis in Ukraine led to a cyberwar, which could hardly fail to impact the statistics," the report stated. "Looking at the distribution of DDoS attacks by week, we see that the peak of new attacks occurred in the eighth week of 2022, that is, February 21 - 27."
Kaspersky explained what may have led to the potentially skewed trend for 2022.
"There were relatively few attacks before late February, and without the spike in DDoS activity at the end of the month we would have seen a drop relative to the previous quarter," the report stated. "The hacktivist nature of the attacks was also responsible for the sharp decline in their number towards mid-March: those initially driven by emotion had calmed down, and infosec companies published warnings against taking part in such attacks. As a result, the number of hacktivists decreased."
Charts showed that prior to the spike in late February, DDoS attacks in Q1 2022 were below the number for Q4 2021.
Alexander Gutnikov, threat analyst at Kaspersky, provided context for the numbers.
"Usually, January features more attacks than December during the previous year," Gutnikov said. "The drop in attacks we witnessed in January this year is unusual. Nevertheless, in January 2022 we have seen 1.5 times more attacks than in January last year. Furthermore, last year's December attacks dynamics were anomalous in their high volume. So the drop in January is relative."
In addition to Ukraine, several allied nations have reported DDoS attacks, including the U.K., Italy, Romania and the United States. Cybersecurity vendors had warned that Russia would likely retaliate against economic sanctions with a range of cyber attacks.
Killnet is one of the key pro-Russia threat groups launching DDoS attacks on foreign nations such as Italy and Romania, as well as the U.S. The group also claimed credit for an attack on Bradley International Airport that attempted to take down the Connecticut Airport Authority website. Killnet even went so far as to declare war on 10 countries in May.
It isn't just pro-Russian threat groups that have ramped up DDoS activity; several attacks by pro-Ukraine actors have been reported against Russia and Belarus.
Cloudflare found that "Russian Online Media companies were the most targeted industries within Russia in Q1. The next most targeted was the Internet industry, then Cryptocurrency, and then Retail."
DDoS attacks haven't just targeted critical infrastructure and government services. These attacks continue to impact entities on the commercial side as well.
The largest HTTPS DDoS attack ever targeted a cryptocurrency launchpad, according to Cloudflare. The attack came from data centers that generated over 15 million requests per second on the network.
In Q1, Cloudflare found network-layer and application layer DDoS attacks targeted the telecommunications industry most, followed by gaming/gambling and then the information technology and services industry.
While DDoS attacks are often seen as a temporary nuisance, they can be costly. Columbia Wireless, a high-speed internet service provider in Canada, lost 25% of its business due to a DDoS attack at the beginning of May.