Background
Since 2022, relations between Russia and Ukraine have become increasingly tense. The two sides are at loggerheads and have deployed large numbers of military personnel and equipment in the border areas of the two countries. In the 21st century, however, war is no longer limited to armed action; it is also fought in other, invisible ways that can be even more intense.
From the afternoon of February 15, 2022, the Ministry of National Defense and Armed Forces of Ukraine, together with the state-owned banks Privatbank (the largest bank in Ukraine) and Oschadbank, were reported to be under DDoS attack. These attacks temporarily paralyzed government websites, and the attacks on the banks' websites left them unable to provide services normally.
The NSFOCUS Advanced Threat Hunter System (ATH) first detected the relevant DDoS attacks on February 14, which is consistent with these reports: that day, ATH observed abnormal DDoS traffic directed at Ukraine. The attackers abused nine DDoS-related vulnerable services, including CLDAP, NTP, SSDP, Memcache and ONVIF, to carry out the attacks. The attack remains under continuous monitoring by ATH.
At 4 a.m. on February 14, the attackers first launched a reflection DDoS attack against the Ukrainian Civil Service Bureau (nads.gov.ua) and the Ukrainian Government News Website (old.kmu.gov.ua); it lasted a long time and carried a large volume of attack traffic. Two days later, ATH detected the attack against Privatbank (the largest bank in Ukraine), which lasted 2 hours, 28 minutes and 10 seconds. The payloads used by the attackers conformed to the normal formats of the respective service protocols, i.e. the reflected traffic consisted of well-formed responses. The targets were clearly chosen: ports 80 and 443.
In addition to monitoring DDoS attacks against Ukraine, the NSFOCUS Advanced Threat Hunter System (ATH) also found that an APT group, Lorec53, launched multiple rounds of attacks against Ukrainian critical information infrastructure, including the Ukrainian government, and that the Mirai botnet family launched DDoS attacks against the Ukrainian backbone network. The Mirai family used SYN flood attacks. As for duration, the attacker issued the bots a command to attack continuously and did not stop during the monitoring period; it resembled a suicide attack that would not end until the bots themselves were blocked.
Typical attack events
In the series of DDoS attacks detected by the NSFOCUS Advanced Threat Hunter system, Ukrainian government websites and Privatbank (Ukraine’s largest bank) were attacked.
1. Attacks on Ukrainian government websites
On February 14, the system detected a reflection DDoS attack targeting two IP addresses on the same network segment, which were confirmed to belong to the Cabinet Secretariat. The attackers used the CLDAP vulnerable service to carry out reflection attacks on multiple ports of the State Civil Service of Ukraine (nads.gov.ua) and the Ukrainian government news website (old.kmu.gov.ua).
The attack on the National Civil Service of Ukraine consisted of two waves: the first began at 4:25 in the morning and lasted 2 minutes, and the second began at 8:16 and lasted 30 seconds.
The attack on the Ukrainian government news website consisted of a single wave, which began at 8:25 and lasted 2 minutes.
2. Attack on Privatbank (the largest bank in Ukraine)
At 2:25 a.m. on February 16, the NSFOCUS Advanced Threat Hunter system detected a reflection DDoS attack against the IP address 217.117.65.247, which was determined to belong to Privatbank (the largest bank in Ukraine). The attacker abused the CLDAP searchRequest operation to generate reflected traffic: 267W (2.67 million) attack packets at 290 pps over 2 hours, 28 minutes and 10 seconds.
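As an added illustration (not code from the NSFOCUS report or its ATH system), the following Python script shows how a defender could flag the two patterns described above in flow records: CLDAP reflection traffic arriving on web ports 80/443, and SYN-only floods of the kind attributed to Mirai, and then compute the duration and pps figures the report quotes. The flow-log format, addresses and packet counts are constructed for the example.

```python
"""Flag CLDAP reflection and SYN floods in constructed flow records (added example, not NSFOCUS code)."""
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
2022-02-16T02:25:00 UDP 203.0.113.10:389 -> 198.51.100.5:443 pkts=500 flags=-
2022-02-16T02:25:00 UDP 203.0.113.11:389 -> 198.51.100.5:80 pkts=400 flags=-
2022-02-16T02:30:00 UDP 203.0.113.12:389 -> 198.51.100.5:443 pkts=600 flags=-
2022-02-16T02:25:00 TCP 192.0.2.21:51000 -> 198.51.100.9:80 pkts=1000 flags=S
2022-02-16T02:26:00 TCP 192.0.2.22:51001 -> 198.51.100.9:80 pkts=800 flags=S
2022-02-16T02:27:00 TCP 192.0.2.23:51002 -> 198.51.100.9:80 pkts=600 flags=S
2022-02-16T02:25:00 TCP 192.0.2.50:44000 -> 198.51.100.9:443 pkts=20 flags=SA
2022-02-16T02:25:00 UDP 203.0.113.99:389 -> 198.51.100.7:443 pkts=10 flags=-
"""  # constructed records on RFC 5737 test addresses; the lone reflector on the last line stays below threshold
WEB_PORTS = {80, 443}  # the target ports the report identifies
LINE = re.compile(r"(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+) pkts=(\d+) flags=(\S+)")

def parse(text):
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip a malformed line rather than failing the whole batch
        ts, proto, src, sport, dst, dport, pkts, flags = m.groups()
        flows.append({"ts": datetime.fromisoformat(ts), "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "pkts": int(pkts), "flags": flags})
    return flows

def summarise(subset):
    # duration runs from the first to the last record (at least 1 s); pps is packets over that window
    start, end = min(f["ts"] for f in subset), max(f["ts"] for f in subset)
    secs = max((end - start).total_seconds(), 1.0)
    pkts = sum(f["pkts"] for f in subset)
    return {"sources": len({f["src"] for f in subset}), "duration_s": secs, "packets": pkts, "pps": round(pkts / secs, 2)}

def detect(flows, min_sources=3):
    """Return {(victim, kind): summary} for victims hit from at least min_sources distinct hosts."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f["dst"]].append(f)
    findings = {}
    for dst, fl in by_dst.items():
        # A web server never sends CLDAP queries, so UDP answers from source port 389 on its web
        # ports can only be reflected searchRequest responses, the pattern the report describes.
        refl = [f for f in fl if f["proto"] == "UDP" and f["sport"] == 389 and f["dport"] in WEB_PORTS]
        # SYN-only TCP flows (no ACK) at volume are the SYN-flood pattern attributed to Mirai.
        syn = [f for f in fl if f["proto"] == "TCP" and f["flags"] == "S" and f["dport"] in WEB_PORTS]
        for kind, subset in (("cldap_reflection", refl), ("syn_flood", syn)):
            if len({f["src"] for f in subset}) >= min_sources:
                findings[(dst, kind)] = summarise(subset)
    return findings
```

The same summary applied to the report's figures (267W packets over 8,890 seconds) gives roughly 300 pps, in line with the 290 pps quoted above.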
Ukrainian DDoS attack analysis
Since February, the NSFOCUS Advanced Threat Hunter system has detected DDoS attacks on 286 IP addresses and domains in Ukraine, the longest lasting 2 hours and 36 minutes.
1. Distribution of attacked IP
1.1 Region distribution of attacked IP
Usually, the geographical distribution of DDoS attacks correlates positively with local economic development and population. Across the 31 regions of Ukraine hit by reflection DDoS attacks, Kiev, as the capital and the country’s economic, cultural and political center, accounted for 35.47% of the attacks, making it the most concentrated area of this DDoS campaign. Otherwise, the attacked areas were relatively evenly distributed.
1.2 ISP distribution of attacked IP
In a global environment of slowing economic growth and resource shortages, cyber attacks are intensifying and attack methods are becoming more sophisticated, and Internet Service Providers (ISPs) face a growing threat of DDoS attacks. In this campaign the attacked ISPs in Ukraine were widely distributed; the most heavily attacked was Ukraine’s largest telecom operator, “Kyivstar PJSC”, which accounted for 16.89% of the total attacks. Kyivstar is a leading company in Ukraine’s mobile communication and fixed Internet service market and was the first provider of converged solutions in the country.
1.3 Industry distribution of attacked IP
DDoS attacks usually target industries of significant financial or social importance. According to the monitoring data of the NSFOCUS Advanced Threat Hunter System, the industries to which the attacked Ukrainian IP addresses belong are diverse; Internet service providers were the most common, accounting for 38.49%. Besides the finance and gaming industries, there were also attacks on key facilities and government departments, such as television and communications, healthcare, national research institutions and the Cabinet Secretariat. Against these sectors, reflection DDoS attacks are highly targeted and can easily paralyze key national facilities, with correspondingly serious consequences.
2. Attack duration distribution
According to the monitoring data of the NSFOCUS Advanced Threat Hunter System, nearly 80% of the DDoS attacks in Ukraine lasted 5 minutes or less, and the proportion of 0-day attacks was high. This indicates that the attackers pay close attention to cost, efficiency and technical confrontation and prefer to launch short, repeated pulse attacks that leave the target unable to provide normal service. In the long run, with costs kept under control, high-frequency, repeated 0-day attacks will seriously degrade the target’s service quality and drain the energy of DDoS protection personnel.
3. Attacked domain name (partial)
According to the monitoring data of the NSFOCUS Advanced Threat Hunter System, the domain names attacked in Ukraine in this incident are mainly government and bank websites, which belong to important core departments of the country. Large-scale attacks forced these websites offline. The attacked ports are mainly ports 80 and 443, the standard web server ports. This shows that it was a targeted and long-planned DDoS attack.
Summary
From the destruction of Iran’s nuclear facilities in 2012 to today’s DDoS attacks in Ukraine, these events all show the importance of network security. Beyond traditional vulnerabilities and the powerful “combat” capability of network viruses, the destructiveness of DDoS attacks cannot be underestimated, especially reflection DDoS attacks, which are extremely harmful and difficult to trace. At best they slow service access; at worst the service is paralyzed outright and becomes inaccessible.
For this DDoS attack event:
1. Traditional vulnerabilities, worms and similar attacks can be fixed in a short time, but DDoS attacks are persistent and can easily cause key facilities to fail and services to be denied. Although this attack did not cause great losses, it still caused considerable confusion and panic internationally.
2. It cannot be ruled out that the attackers resorted to DDoS attacks to cripple Ukraine’s key infrastructure because an earlier large-scale intrusion had not worked. It is also possible that the attackers used DDoS attacks to distract the security teams while a more deadly attack was carried out elsewhere.
3. For key infrastructure exposed to the public, we need to focus on protection: create specific network access policies for key IP addresses and ports, establish corresponding DDoS protection measures, and regularly test the DDoS protection capability of these assets. In addition, we should organize realistic simulation exercises to evaluate how well services hold up under large-volume reflection DDoS attacks, in order to find weaknesses and improve.