DDoS Attacks on Critical Infrastructure in the Geopolitical Warfare

Yuval Wollman, president of CyberProof, provides a comprehensive guide on the recent uptick of dangerous Distributed Denial of Service attacks, how it coincides with the current geopolitical conflict, and its effects on critical infrastructure organizations.

Distributed Denial of Service (DDoS) attacks are part of global cyber warfare, escalating in line with growing geopolitical tensions worldwide. Implementing actionable detection and prevention methods is key to avoiding potential danger to human life, damage to critical infrastructure, and financial loss.

The Growing Risk to Critical Infrastructure

As cyber-attacks and disinformation campaigns are unleashed in response to increased geopolitical conflicts – sophisticated hacktivist groups fueled by nationalism and other ideologies, as well as state-sponsored Advanced Persistent Threat (APT) groups, exploit the instability. For example, hacking groups have made claims publicly on Telegram, stating they have breached websites and critical infrastructure in Israel.

Attacks have taken various forms. DDoS campaigns specifically have disrupted hospitals, businesses, and a wide range of organizations (including small, medium, and large businesses). There are parallels between this behavior and the cyber-attacks we have seen in the past years by attack groups associated with Russia on Ukrainian critical infrastructure.

At present, it is important that critical infrastructure organizations take preventative measures to protect themselves, as this is unlikely to be the last such attack. Three primary ways that organizations can take action to protect themselves against DDoS attacks are through:

1. cloud security transformation,
2. risk-based incident response planning,
3. implementing GenAI into the organization’s cybersecurity strategy and implementation.

Examples of Recent DDoS Attacks

The number of DDoS attacks has increased dramatically. The increase is particularly noteworthy in the governmental and financial sectors. One particularly intense attack on a government website reached over 1 million RPS using 13,000 IP addresses. Some examples of attacks seen recently include:

• Hacker groups such as the pro-Russian Killnet pledged to attack Israeli systems in retaliation for Israel’s stance on Ukraine and NATO.
• Anonymous Sudan expressed support for Palestinians and claimed an attack on an Israeli news site.
• AnonGhost purportedly sent false missile alerts through a breached alert app.
• Russian IP addresses attacking Israeli targets have surged by 1800%, and although no Iranian group has claimed responsibility since the conflict’s start, activity from Iranian IPs also notably increased.

This surge in attacks underscores the evolving dynamics of conflict – in which cyber-attacks complement traditional warfare. Digital fronts become platforms for various forms of aggression, including propaganda and operational sabotage, perpetrated by diverse groups ranging from state-backed to independent hackers. These developments emphasize the critical need for strong cyber defense strategies as cyber threats become  prevalent in international disputes.

8 Actionable Tips for DDoS Prevention and Response

Maintaining a proactive approach to DDoS prevention and response enhances your organization’s resilience against such attacks. Regular training, testing, and review of the necessary practices ensure they remain effective over time. Here are some actionable tips:

1. Activate DDoS Mitigation Services

• Research and subscribe to a reliable DDoS mitigation service like Azure DDoS Protection, Cloudflare, or Akamai.
• Ensure these services are properly enabled and configured to suit your network architecture and traffic patterns.
• Regularly update the mitigation rules and configurations based on evolving threat landscapes.

2. Rate Limiting

• Set up rate limiting on routers and firewalls to restrict the amount of traffic that can come from a single source IP address.
• Define thresholds for normal traffic patterns and implement automatic triggers for when these thresholds are exceeded.
• Continuously monitor and adjust the rate-limiting settings to prevent blocking legitimate traffic while mitigating potential attacks.

3. Filter Traffic

• Use Intrusion Prevention Systems (IPS) and advanced firewalls to scrutinize incoming traffic.
• Set up rules to drop packets that appear to be part of an attack, such as those that are spoofed, malformed, or part of known attack signatures.
• Isolate and analyze attack patterns to update filters and prevent similar future attacks.

4. Geo-blocking

• If your services do not require global access, implement geo-blocking to deny access to traffic from certain high-risk countries or regions.
• Maintain an up-to-date list of blocked regions and ensure that these blocks do not affect legitimate users.
• Evaluate the necessity of geo-blocking regularly and modify, as needed, based on threat intelligence reports.

5. Load Balancing

• Distribute incoming traffic across multiple servers using load balancers to prevent overloading any single server.
• Ensure that load balancers are configured to recognize and handle traffic spikes without service disruption.
• Regularly test load balancer performance to ensure resilience against traffic surges.

6. Additional Temporary Measures

• If a particular service or webpage is the focus of the attack, you may need to deactivate it temporarily to stop the assault.
• Communicate with your user base about the reason for the service disruption and the expected resolution time.
• Use this downtime to strengthen the service’s defenses before bringing it back online.

7. Post-Attack Analysis

• After thwarting the DDoS attack, gather logs and evidence to analyze the event thoroughly.
• Identify which defenses were effective and which need improvement.
• Use the findings to reinforce your network defenses and to prepare a more robust response for potential future attacks.

8. Legal Action

• Consider reporting significant DDoS incidents to local law enforcement and national cyber security authorities, as they are often considered criminal acts.
• Collect and preserve detailed evidence in accordance with legal requirements, as it may be necessary for prosecution.
• Keep abreast of the cyber-attack legal landscape to ensure compliance and understand your rights and responsibilities.

See More: Securing Critical Infrastructure Amid Geopolitical Conflict 

The Cyber Sphere Mirrors Geopolitical Tensions

When critical services go down—such as electrical power, emergency services, communications, and water—this can damage the services and the infrastructure, leading to economic damage and possibly even the loss of life. DDoS attacks have the potential to severely impact human safety, cause economic destabilization, and disrupt vital services. By implementing effective, proactive measures that mitigate the risk of DDoS attacks, critical infrastructure organizations take the necessary steps to avoid escalating geopolitical tensions through the dangerous disruption of daily life.

MORE ON DDOS (DISTRIBUTED DENIAL OF SERVICE)

• Are DDoS Attacks a Hacker Goldmine for Cybercriminals?
• Web Application Firewall Goes Hybrid to Amp Up DDoS Defenses
• DDoS Attacks: A Growing Cybersecurity Problem in Remote Learning
• Why Load Balancers Should be Part of Your Security Architecture