What a DDoS attack is and how it works
Main article: Distributed Denial-of-Service, DDoS
Protection against DDoS attacks
Main article: Protection against DDoS attacks
DDoS attacks on banks in Russia
Main article: DDoS attacks on banks in Russia
National System for Countering DDoS Attacks
Main article: National system for countering DDoS attacks
2024
The number of DDoS attacks in Russia increased by 53%
Qrator Labs, which specializes in ensuring the availability of Internet resources and neutralizing DDoS attacks, presented DDoS and bot attack analytics for 2024 on December 5, 2024.
DDoS attacks at the transport and network layer (L3/L4)
According to the company, the total number of DDoS attacks recorded in Russia in 2024 increased by 53% compared to 2023. In 2024, the largest number of L3/L4 DDoS attacks was recorded in the "Fintech" (39.6%) and "E-commerce" (35.7%) segments. Together, these two segments account for 75% of all attacks detected by Qrator Labs at the transport and network layers. The five most attacked sectors also included "Media" (5.6%), "Online Betting" (5.1%) and "IT and Telecom" (4.5%). These top 5 segments accounted for 90% of all recorded attacks.
With more detailed segmentation, Banks (27%), Online Retail (22.4%) and Electronic Bulletin Boards (12.2%) were attacked most often in 2024. They are followed by a wide margin by Microfinance Organizations (6.9%), Media, TV, Radio and Bloggers (5.2%) and Online Bookmakers (5.1%).
Compared to 2023, the share of the Banks microsegment remained almost unchanged. At the same time, the number of attacks on the "Online Retail," "Microfinance Organizations" and "Online Bookmakers" microsegments grew rapidly.
The longest attack of 2024 lasted almost 464 hours, that is, more than 19 days (several times more than the record of 2023 - about 72 hours). This attack occurred in the first quarter and was aimed at the e-commerce segment. Multi-vector attacks in 2024 were responsible for 14.6% of all recorded L3/L4 DDoS attacks - this is about 8% more than in 2023.
Application-level DDoS attacks (L7)
In terms of the number of application-level DDoS attacks in 2024, as a year earlier, the Fintech segment was in the lead. Moreover, its share has grown significantly compared to 2023: from 31.6% to 51.3%, so this segment alone now accounts for more than half of L7 DDoS attacks.
E-Commerce is in second place (18.9%); the share of this segment, on the contrary, fell by almost a third compared to 2023. It is followed by the "IT and Telecom" (8.9%), "Educational Technologies" and "Media" (5.2% each) segments. Among microsegments, the rapid growth in the number of attacks on Banks should be emphasized first of all: their share almost tripled, from 10.6% in 2023 to 31.2% in 2024.
The share of the second most attacked microsegment, Online Retail (10.6%), has hardly changed compared to 2023. The "Payment Systems" (7.4%) and "Software" (5.7%) microsegments began to be attacked much less often. "Online Insurance" (5.1%) closes the top five most attacked sectors.
Countries that source DDoS attacks
The list of countries that most often served as sources of DDoS attacks changed only slightly in 2024 compared to 2023. Russia (32.4%) and the USA (20.6%) still occupy the first two places. However, China, which for a long time consistently held third place, dropped out of the top 3 from the second quarter. At the end of the year its place was taken by Brazil (5.8%).
Also in the top 10 sources of malicious traffic in 2024 were Singapore (5.2%), China (5.1%), India (4.7%), Germany (4.4%), Great Britain (4.2%), the Netherlands (3.6%) and Indonesia (2.9%).
Largest botnet
The largest botnet of 2024 was discovered in the fourth quarter. At the peak of the attack, 227 thousand devices were involved in it. This is 67% more than in the largest botnet of 2023.
This botnet attacked the Banks microsegment, and the attack took place in several stages. About 165 thousand devices took part in the first wave (November 19, 2024). A few days later (November 23, 2024) came the second and most serious wave, in which more than 227 thousand bots were involved. The third stage (November 26, 2024) was much weaker than the first two: only 69 thousand devices took part in it.
In terms of geographical distribution, this botnet consisted mainly of devices in Brazil (77.4%), Vietnam (5.7%), Argentina (1.7%), Russia (1.3%) and Ecuador (1.1%).
Anti-bot statistics
In 2024, the number of blocked bot requests increased by 30% compared to 2023. On average, 1.69 billion such requests were blocked per month, compared to 1.3 billion in 2023.
In 2024, the largest number of bot attacks fell on the Online Retail (36.2% of all bot activity), Online Bookmakers (16%), Online Pharmacies (7.3%), Real Estate (5.1%) and Banks (1%) segments. Collectively, these five categories account for about two-thirds of all bot attacks the company recorded.
The largest bot attack of 2024 was observed on March 2, 2024 - it was aimed at the Online Bookmakers segment. During this attack, 22,258,587 bot requests were blocked.
The fastest bot attack of 2024 was also aimed at the Online Bookmakers segment. It occurred on February 19, 2024, and at its peak its rate reached 79,300 requests per second. The distribution of bots by type was as follows: the main share falls on script bots (67.5%), API bots are in second place (27.1%) and browser bots in third (5.4%).
Forecasts for 2025:
- One important trend is the use by attackers of huge botnets consisting of hundreds of thousands of devices from developing countries. The capacity of these botnets to generate parasitic traffic will continue to grow, both because the number of devices in them increases and because the Internet connections of these devices get better from year to year.
- Attacks are becoming longer: "infinite DDoS." Now that devices have become quite powerful, their total number has increased and bandwidth has grown, attackers can economize on the resources of each device and still achieve a serious volume of parasitic traffic, because hundreds of thousands of devices are included in the botnet. Such a botnet therefore turns out to be not just a free but an endless resource.
- Hype around AI in cybersecurity will be replaced by skepticism: disappointment in the AI tools on which high hopes were pinned in 2023-2024 will finally set in.
- Hacktivists may target large cloud providers and IT solution providers, increasing the extent of the damage. Commercialization of the experience gained is not excluded.
- In 2025, a significant increase in attacks on individuals by fraudsters and ransomware operators using deepfakes and other generative tools can be expected.
- The share of attacks on online retail in total bot activity will continue to grow in 2025.
- The use of AI in organizing bot attacks will remain limited for now.
- Attacks on the Online Bets segment come in bursts, reaching record values in individual periods, while bot activity in Online Retail and other segments is high but a constant background. This situation will continue in 2025.
- In addition to developing bot detection and blocking algorithms, online resources will continue to remove publicly available content and hide it from unauthorized users, seeking to obtain as much information as possible about them.
Novosibirsk Internet provider Sibseti reported a hacker attack and stopped work
On November 2, 2024, the Novosibirsk Internet provider Sibseti announced a massive DDoS attack on its infrastructure. The company had to suspend work, since its servers were unable to cope with the load placed on them. Read more here.
The IT infrastructure of the Russian Foreign Ministry was subjected to DDoS attacks: Services and sites do not work
On October 23, 2024, it became known that the IT infrastructure of the Russian Ministry of Foreign Affairs (MFA) was subjected to a massive DDoS attack. As a result, the work of sites and services of the department was disrupted. Read more here.
DDoS attacks on Roskomnadzor. Their capacity reached 579 Gbps
In October 2024, Roskomnadzor recorded massive DDoS attacks on its infrastructure. Their capacity reached 579 Gbps. Read more here.
The largest Internet provider in Novosibirsk has undergone the largest DDoS attack. Subscribers left without communication
On October 7, 2024, the largest Internet provider in Novosibirsk, Electronic City, announced the largest DDoS attack (denial of service) on its infrastructure. Subscribers of the company were left without communication. In addition, the work of a number of services was disrupted, including a personal account, the main site, as well as the Ivi online cinema. Read more here.
VGTRK was subjected to an "unprecedented hacker attack." Online broadcasting and services do not work
On October 7, 2024, it became known that the All-Russian State Television and Radio Broadcasting Company (VGTRK) was subjected to a massive hacker attack. Online broadcasting and internal services do not work, and it may take a very long time to restore systems due to data destruction. Read more here.
Rutube faces biggest DDoS attack in two years
On September 6, 2024, the Russian online service for hosting and watching videos Rutube announced a massive DDoS attack on its infrastructure. Users in various regions of the Russian Federation complain about problems with access to the platform. Read more here.
DDoS attack on regional services of the Kursk region
On August 8, 2024, a massive DDoS attack hit the regional services of the Kursk region. It was conducted from IP addresses in Germany and Britain, and its consequence was the temporary inaccessibility of many IT systems.
According to the Ministry of Digital Development of Russia, the goal of the attackers was to disrupt the provision of socially significant services. With a channel bandwidth of 1 Gb/s, the volume of malicious traffic reached 25 Gb/s. The load on services at peak periods ranged from 35 thousand to 105 thousand requests per second per network address.
Internet resources of the Kursk region were subjected to a massive DDoS attack. As a result, many services have failed and are temporarily unavailable, the regional Ministry of Digital Development and Communications said in a statement.
Experts are reportedly making every effort to restore the operation of the resources of the Kursk Region Administration as soon as possible. It is noted that cybercriminals failed to damage the e-government infrastructure or gain access to users' personal data. The Ministry of Digital Development says that all information is "reliably protected" and the attacks are "quickly repelled."
Earlier, the government of the Kursk region warned local residents about the spread of fake materials on the Internet. In particular, a falsified video appeared in which the acting governor Alexei Smirnov allegedly called on men to join the militia. This video, as noted by Parlamentskaya Gazeta, was edited by Ukrainian special services, using artificial intelligence technologies to replace sound. In fact, Smirnov "informed his fellow countrymen about the situation near the border and urged to take precautions during the alarm."[1]
A DDoS attack hit the NSPK. The FPS does not work
On June 20, 2024, the National Payment Card System (NSPK, operator of the "Mir" cards) faced a DDoS attack that caused failures at banks. In particular, users encountered problems using the Fast Payment System (FPS). Read more here.
Petersburg telecom operator PACT is experiencing a powerful DDoS attack for the second day. Services are not working
On June 16, 2024, the St. Petersburg telecom operator PACT announced a massive DDoS attack on its IT infrastructure, continuing into its second day. Cybercriminals disrupted the functioning of systems, and some services do not work. Read more here.
MTS was subjected to the most powerful DDoS attack in a year. It was conducted from 5 countries with 20 thousand devices
On June 13, 2024, MTS announced the most powerful DDoS attack this year, which was carried out simultaneously from five countries. The attack lasted two hours, but thanks to the well-coordinated work of the MTS RED protection system, hackers failed to hack into the operator's network. Read more here.
300 companies in Russia over the past two days have undergone DDoS attacks with a capacity of 600 Gbps
In early June 2024, cyber attacks on Russian IT resources increased. According to Igor Lyapunov, General Director of the Solar Group of Companies, in two days more than 300 companies and organizations under the protection of Solar, as well as Rostelecom resources, have been subjected to massive attempts at DDoS attacks.
The power of cyber attacks reached 600 Gbps at the channel level and 700 thousand requests per second at the application level, Lyapunov cited data. This scale creates a tremendous burden on the IT infrastructure and can completely paralyze the work of Internet resources of organizations.
The Solar company pointed out the particular sophistication of the new wave of cyber strikes. Attackers use combined attack methods that had not previously been used at this scale. In addition, hackers constantly change the vectors and targets of impact, on average every 1-1.5 hours, which makes it much more difficult to organize protective measures.
Lyapunov said that Solar has already begun to strengthen cybersecurity measures in connection with a sharp increase in hacker activity. The company has significant experience in combating DDoS attacks - in 2023 it managed to repel a series of powerful cyber strikes, including on the online broadcast of the speech of the President of Russia. Then malicious effects were carried out from hundreds of thousands of IP addresses at a time.
Lyapunov is convinced that given the aggravation of the political situation, in 2024 the confrontation with cybercriminals will be much tougher. The observed surge in attacks on significant Russian infrastructure only confirms these forecasts.
According to Rostelecom, from January to May 2024, the company recorded about 265 thousand cases of DDoS attacks on Russian organizations. This is about 90% of the figure for the entire 2023. Moscow remains the leader in the number of incidents with 107 thousand recorded attacks. A serious surge in hacker activity, according to experts, is associated with important political events in the first half of 2024, including the election of the President of the Russian Federation. In general, the current wave of cyber attacks poses a serious threat and requires organizations to pay increased attention to ensuring the security of Internet resources and IT infrastructure.[2]
FCS reported on information exchange problems with foreign economic activity participants due to DDoS attack
On June 3, 2024, the Federal Customs Service (FCS) announced a massive DDoS attack on telecom operators. Because of this, information exchange with participants in foreign economic activity (FEA) was disrupted.
As noted in the FCS Telegram channel, specialists from the department and the operators had to carry out restoration work because of the failures. At the same time, the Center for Monitoring and Management of the Public Communications Network of Roskomnadzor (CMU SSOP) reported that on June 3, 2024, problems arose in the operation of a number of Russian state sites.
CMU SSOP records the partial inaccessibility of some state sites. The preliminary reason is a failure on one of the sections of the backbone communication network. An analysis is being carried out, the center said in an official statement.
According to the Kommersant newspaper, access to the sites of the Ministry of Finance, the Government of Russia, the Ministry of the Interior, the Ministry of Justice, the Ministry of Industry and Trade, the Ministry of Information Technology and Communications, the Ministry of Education and Science, as well as the Ministry of Civil Defense, Emergency Situations and Disaster Management was disrupted.
Positive Technologies experts note that against the backdrop of a deteriorating geopolitical situation, the number of cyber attacks on organizations is growing. Moreover, state institutions are leading in the number of incidents. Among all the successful attacks on organizations in 2023, 15% were in the public sector. The growth in the number of cyber attacks was also significantly affected by the expansion of the shadow market: new tools for exploiting vulnerabilities and for conducting DDoS attacks are emerging and being openly distributed. The number of information leaks from organizations increased from 47% in 2022 to 56% in 2023.[3]
A massive DDoS attack is underway on the Siberian Bear telecom company. Services are disabled, there is no Internet in Kuzbass
On May 26, 2024, several Russian telecom operators were subjected to a massive DDoS attack. In particular, the Siberian Bear company from Novosibirsk, as well as RialCom from the Moscow region, were seriously affected. Read more here.
Foreign hackers have learned to carry out DDoS attacks on Russian companies through devices in the Russian Federation
Foreign hackers have learned to commit cyber attacks on Russian state and commercial organizations through devices in the Russian Federation. This is evidenced by the data released in mid-February 2024 by Qrator Labs, a company specializing in ensuring the availability of Internet resources and neutralizing DDoS attacks.
As Kommersant writes with reference to Qrator Labs materials, attackers can now bypass GeoIP blocking (blocking traffic by its geographical origin) and generate attacks from local sources close to the victim's region. The attacks are still launched from afar, but through devices located in Russia, experts explained. According to them, hackers use "gray proxy servers located in Russia." Hacked home Internet and hosting network equipment, as well as mobile gadgets, for example, can serve in this capacity.
DDoS-Guard told the publication that attacking requests in half of the cases come from Russian IP addresses, the rest from China, Indonesia or the United States. Blocking IP addresses by location helps limit access to resources that are not expected to work outside certain regions, says Dmitry Nikonov, head of web application protection at DDoS-Guard.
The ability to lease inexpensive capacities from Russian structures makes attacks cheaper for attackers, said Nikita Tsaplin, general director of the hosting provider RUVDS. The company saw an increase in demand for the most inexpensive virtual servers. According to the source of the publication in the telecommunications industry, the situation may lead to the introduction of responsibility of hosting providers for the use of their capacities for illegal purposes.[4]
2023
Threefold reduction in the number of DDoS attacks on Russian companies
The number of DDoS attacks on Russian organizations in 2023 decreased almost three times compared to 2022. However, in general, their number, as before, remains quite high. This is stated in a study by the Center for Strategic Research, the results of which TAdviser got acquainted with in mid-November 2024.
The report says that in 2023, against the background of the current geopolitical situation, intensive attacks on the IT infrastructure of Russian organizations continued. At the same time, the number of suspected information security incidents increased by more than 60%, to 1.5 million events.
According to StormWall, in 2023 there was a significant surge in multi-vector DDoS attacks on Russian organizations: the number of such incidents increased by 78% compared to the previous year. Such attacks are aimed at several different network layers and elements of the enterprise infrastructure, which allows attackers to achieve maximum efficiency. One of the trends of 2023 in Russia was the use of mixed botnets consisting of several malicious programs. In addition, more DDoS attacks have been recorded to cover up other malicious activities. The number of DDoS attacks by politically motivated hacktivists on key industries in Russia continued to grow.
According to Roskomnadzor, the longest DDoS attack recorded by the department in 2023 lasted 23 hours 58 minutes. In general, as noted, after the start of a special operation, the intensity of DDoS attacks on the resources of Russian organizations increased significantly. In response to these challenges, Roskomnadzor created the National System for Countering DDoS Attacks. It provides additional protection of the resources of the Russian segment of the Internet using the capabilities of technical means of countering threats (TSPU). The system is capable of repelling attacks with a capacity of 133.5 Tb/s.[5]
Almost half of large companies are vulnerable to DDoS attacks at the L7 level
StormWall conducted another study of the availability of professional protection against DDoS attacks among Russian companies. StormWall experts analyzed data from companies in the revenue TOP-100 for 2023 and announced the results on April 9, 2024. The study found that all organizations on this list use some solution to repel DDoS attacks at the L3-L4 level (network and transport layers of the OSI model), for example protection from the provider or from hosting, but the situation with protection at other layers has become even worse than before. Read more here.
37% of DDoS attacks occurred in the financial sector
About 37% of DDoS attacks in Russia in 2023 fell on the financial sector. This was reported on February 14, 2024 by the information security company Qrator Labs. According to the company, the five industries that faced the most DDoS attacks also included:
- e-commerce (24.95% of total cyber attacks in 2023);
- educational technology (9.86%);
- online gaming (7.34%);
- IT and telecom (6.01%).
Among the segments, the main target of the attackers in 2023 was banks - 28.31%. Credit institutions are traditionally attacked during periods of active promotion of seasonal banking products - loans and deposits. The top 5 also included electronic bulletin boards (15.04%), educational platforms (9.57%), online stores (8%) and payment systems (7.05%).
According to experts, throughout 2023 the share of online retail in total bot activity increased from 16% to almost 30%. This is primarily due to the growing interest of bots in this area and an increase in the overall background level of bot activity. In addition, AI bots are most active in the retail sector, since most of the content of interest to them is concentrated there, according to a study by Qrator Labs.
It also follows from the study that the average duration of DDoS attacks at the end of 2023 was 1.3 hours. In the fourth quarter of 2023, 22.3 million IP addresses from which DDoS attacks were carried out were blocked in Russia, which corresponds to 42% of the world total. The top three again included the United States and China with 6.23 million (11.76%) and 2.65 million (5%) blocked addresses, respectively.
According to Dmitry Tkachev, CEO of Qrator Labs, 2023 has become a landmark year in terms of application-level attacks. The attacks have become more targeted and well-prepared, he said.
Top trends in DDoS attacks
In January 2024, DDoS-Guard presented the main trends in DDoS attacks.
DDoS-Guard experts highlight a multifold increase in peak values, a gradual shift from hacktivism to "commercial" attacks, the spreading of targets and a focus on subdomains.
DDoS-Guard also studied data shared by industry colleagues and proposes to build a picture of the cybersecurity world in 2023 from a detailed review and related information.
The number and power of attacks continue to grow, and by the end of 2023 the maximum influx was recorded, falling on November-December. This is associated with an increase in the seasonal activity of cybercriminals during the period of large sales. In addition, the volume of client traffic passing through the DDoS-Guard filtering network grew in the fall. More clients under protection means more attacks observed and successfully repelled.
In the first half of 2023, attackers faced a problem: many providers' defenses allow resource owners to enable geoblocking and cut off all requests from any country except Russia. The attackers quickly found a workaround in the form of renting virtual servers on the territory of the Russian Federation, from which attacks can be launched, since requests from the Russian Federation are not blocked. But to gather enough resources for a significant wave of malicious traffic, many servers have to be rented, which entails serious financial costs that not all attackers are ready to bear.
However, more devices have steadily become involved in attacks. Some of them, as the analysis shows, relate to the Internet of Things (IoT): TVs, access points, surveillance cameras. Here, the tendency to involve such devices in botnets has been steadily maintained over the past years.
Application-level DDoS attacks predominate. The number of attacks over HTTP/HTTPS is 4 times higher than all the rest combined. At the same time, types such as NTP amplification and DNS amplification have almost completely disappeared from the radar.
Politically motivated attacks are leaving as a trend. A renaissance has begun for "commercial" attacks: DDoS is used as one of the most affordable tools to quickly take a competitor out of the game. This does not necessarily mean an order placed in the competition between industry giants; the victim of a powerful attack of 22.9 million requests per second (rps) was a small regional food delivery company, said Dmitry Nikonov, head of web application protection at DDoS-Guard.
Attackers have begun to avoid sites using DDoS protection services. Finding that the attack is ineffective, they redirect their efforts to web resources without protection. However, as soon as the site owner decides that nothing threatens the site any longer, the attackers resume malicious activity. A trend of repeated attacks with a break of 1-2 months is visible. Such a "lull" can mean careful preparation for a powerful attack on a protected site in order to maximize the chances of damage.
Almost from the very beginning of the year there have been bursts of traffic reaching millions of requests per second at the peak. The average power has become equal to the peak attacks of 2022 and continues to grow. Curiously, earlier the duration of such bursts was measured in minutes, while now they are short-lived, no more than a few seconds.
10 years ago, the largest attacks reached 2-3 million requests per second. Then only giants such as YouTube became victims; now these volumes are sent at ordinary sites.
In February 2023, a DDoS attack was neutralized with a peak capacity of 2.8 million requests per second for a small web resource dedicated to video games. The duration of the attack was about 10 minutes, 2,500 unique IP addresses participated in the flow of malicious traffic.
From the point of view of volumetric indicators, the volume is small - only 6 Gbps. But in terms of the number of requests, this is a colossal load that the site would not have coped with without protection on its own. The DDoS-Guard filtering system suppressed the attack, thanks to which the client's site continued to work normally.
The upper graph shows that the number of attack requests (Blocked requests max=2.82 mrps) is so much higher than the share of legitimate traffic that even at its peak, legitimate requests are almost invisible (Requests max=1.7 krps).
The bottom graph shows that a burst of incoming traffic (Rx) with a peak of 6.3 Gbps does not affect the legitimate users of the protected resource. The amount of outgoing traffic (Tx) is kept at 240 Mbps, and the peak value is only 286 Mbps.
From 2022 into 2023, the trend of attacks on internal (corporate) services, aimed at paralyzing the real work of companies, carried over. There are no prerequisites for the situation to change: the company expects this trend to remain popular throughout 2024.
Cases have become more frequent in which the target of the attack is not one or two specific domains but all subdomains of a web resource. As an example, consider a site with divisions by city: zelenograd.example.com, podolsk.example.com, and so on. The calculation is usually that all the domains are actually served in one place, and filtering an attack across many subdomains can be difficult for their owners and administrators.
Another pattern is an attack on resources within the same subnet. Probably the goal here is to massively disable the entire infrastructure of the victim. Basically, such attacks are directed at large companies with a large number of sites and networks.
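As an added illustration of the two patterns just described (not code from DDoS-Guard or from this article), the following script counts requests per registered domain and per destination /24 as well as per host, so a flood spread across many subdomains or across a whole subnet becomes visible even when every individual host stays under its own limit. The log format, thresholds and traffic are constructed assumptions.

```python
"""Aggregate-level flood detection: a flood spread across many subdomains of
one zone, or across many hosts in one destination subnet, stays invisible to
per-host thresholds but shows up when requests are summed per zone and per /24."""
import ipaddress
from collections import defaultdict

# Illustrative thresholds (assumptions, not DDoS-Guard values).
PER_HOST_RPS = 1000      # a naive per-vhost limiter alerts above this
AGGREGATE_RPS = 5000     # alert when a whole zone or /24 exceeds this


def registered_domain(host):
    """Last two labels of a host name: zelenograd.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Constructed log format: '<epoch_second> <dst_ip> <host> <client_ip>'."""
    ts, dst, host, client = line.split()
    return int(ts), dst, host, client


def detect_distributed_floods(lines, per_host_rps=PER_HOST_RPS,
                              aggregate_rps=AGGREGATE_RPS):
    """Return (alerts, noisy_hosts): alerts for zones or /24s whose summed
    per-second request count reaches aggregate_rps, and the set of hosts
    that would have tripped a plain per-host threshold on their own."""
    per_host = defaultdict(int)   # (second, host) -> requests
    per_zone = defaultdict(int)   # (second, registered domain) -> requests
    per_net = defaultdict(int)    # (second, /24 of destination) -> requests
    for line in lines:
        ts, dst, host, _client = parse_line(line)
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_host[(ts, host)] += 1
        per_zone[(ts, registered_domain(host))] += 1
        per_net[(ts, str(net))] += 1

    noisy_hosts = {host for (_, host), n in per_host.items() if n >= per_host_rps}
    alerts = []
    for (ts, zone), n in sorted(per_zone.items()):
        if n >= aggregate_rps:
            alerts.append(("subdomain_spread", ts, zone, n))
    for (ts, net), n in sorted(per_net.items()):
        if n >= aggregate_rps:
            alerts.append(("subnet_spread", ts, net, n))
    return alerts, noisy_hosts


def build_sample_traffic(second=1700000000):
    """Constructed traffic, not a real capture: ten city subdomains of
    example.com, each on its own address in 198.51.100.0/24, each receiving
    800 requests in one second (below PER_HOST_RPS) from rotating clients,
    plus a little legitimate traffic to an unrelated site on another network."""
    cities = ["zelenograd", "podolsk", "himki", "mytishchi", "lyubertsy",
              "korolev", "balashiha", "odintsovo", "domodedovo", "reutov"]
    lines = []
    for i, city in enumerate(cities):
        for r in range(800):
            lines.append(f"{second} 198.51.100.{10 + i} {city}.example.com "
                         f"203.0.113.{r % 250 + 1}")
    for r in range(50):
        lines.append(f"{second} 192.0.2.7 shop.example.net 198.18.0.{r + 1}")
    return lines


if __name__ == "__main__":
    found, noisy = detect_distributed_floods(build_sample_traffic())
    print("hosts over per-host limit:", noisy or "none")
    for kind, ts, target, count in found:
        print(f"{kind}: {target} received {count} req/s at t={ts}")
```

On the constructed traffic no single host reaches 1000 req/s, yet example.com as a zone and 198.51.100.0/24 as a network each receive 8000 req/s and are flagged.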
Short-term bursts of traffic still prevail - up to 20 minutes. However, the "pearl" is found precisely among long-term attacks: During a continuous 19-hour period, 13.8 billion malicious requests were made to the attacked resource. At the end of 2023, this is a record value.
For comparison, in 2022 the maximum number of requests within one attack barely exceeded 2 billion, and in the first quarter of 2023 it was less than 1 billion.
In the fall there was a slight shift in focus toward attacks lasting more than 24 hours: their number increased 2.5 times compared to the second quarter of 2023. Below are the dynamics of a continuous attack lasting 48 hours 36 minutes, recorded by the DDoS-Guard protection system.
At the beginning a vivid picture is visible: a flood over the TCP and UDP protocols combined with an attack using fragmented IP packets. The attack is continuous, and fragmented IP packets make up the bulk of it, 70%. On the second day, the volume of malicious traffic reaches 1.9 Gbps. This is far from a record value, but given the overall duration of the attack, such bursts can eventually exhaust the victim's resources.
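The TCP/UDP flood with a 70% share of fragmented IP packets described above can be characterized from raw IPv4 headers alone. The following is an added example, not DDoS-Guard's code; the packets are constructed inside the script to reproduce that 70/20/10 mix. It also shows why fragments are awkward for filters: a non-first fragment carries no transport header, so port-based rules cannot tell what it belongs to.

```python
"""Classify raw IPv4 packets into fragmented-IP, TCP and UDP components and
report each class's share, as a defender would when profiling a mixed flood."""
import struct
from collections import Counter

IP_MF = 0x2000            # "more fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset (in 8-byte units)


def classify_packet(raw):
    """Return 'fragment', 'tcp', 'udp' or 'other' for one raw IPv4 packet."""
    if len(raw) < 20:
        return "other"
    ver_ihl, _tos, _total, _ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4:
        return "other"
    # MF set or a non-zero offset means a fragment. A non-first fragment has
    # no TCP/UDP header, so a stateless port filter cannot classify it; the
    # defender must reassemble, rate-limit or drop fragments outright.
    if flags_off & IP_MF or flags_off & IP_OFFSET_MASK:
        return "fragment"
    return {6: "tcp", 17: "udp"}.get(proto, "other")


def traffic_mix(packets):
    """Return ({class: share in 0..1}, total bytes) for a packet list."""
    counts = Counter(classify_packet(p) for p in packets)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}, sum(len(p) for p in packets)


def build_ipv4(proto, payload, mf=False, offset=0,
               src="203.0.113.5", dst="198.51.100.20"):
    """Constructed packet builder (not a capture): minimal 20-byte header.
    The header checksum is left zero because nothing here validates it."""
    flags_off = (IP_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off, 64,
        proto, 0, bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")))
    return header + payload


def sample_flood():
    """Constructed mix mirroring the 70% fragment share from the text:
    70 fragments of 1400-byte UDP datagrams (first and continuation pieces
    alternating), 20 TCP packets with a bare header, 10 small UDP packets."""
    pkts = []
    for i in range(70):
        first = i % 2 == 0
        pkts.append(build_ipv4(17, b"\x00" * 1400, mf=first,
                               offset=0 if first else 175))  # 175*8 = 1400
    pkts += [build_ipv4(6, b"\x00" * 20) for _ in range(20)]
    pkts += [build_ipv4(17, b"\x00" * 8) for _ in range(10)]
    return pkts


if __name__ == "__main__":
    shares, total_bytes = traffic_mix(sample_flood())
    for kind, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{kind:9s} {share:6.1%}")
    print(f"total bytes seen: {total_bytes}")
```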
In the first quarter of 2023, small regional media, online cinemas and game servers suffered the most. For several months, media sites were the leader in popularity among attackers, but in the end they lost the championship to entertainment services. Compared to 2022, such online resources received twice as many attacks.
Increased attack activity has hit IT companies that provide information security services and develop digital products. Telecom operators took third place in the "hit parade" of the most attacked projects.
There is a tendency for malicious activity to increase during the quarterly reporting period, when the main goal of attackers is to make it difficult or impossible to carry out scheduled bureaucratic procedures. Organizations that support companies in the accounting sector were hit. Attacks on the financial sector have been particularly prominent during important public economic announcements, such as a key rate hike.
Of particular interest to the attackers was the field of travel: the number of attacks on ticket purchase services, hotel reservations, etc. is three times higher than in 2022.
Also, the number of attacks on the sites of pharmacies, medical centers, laboratories and other organizations working in the field of health has more than tripled. DDoS attacks on such resources often become a cover for trying to get confidential patient data and other information.
The company monitors reports issued by other security providers and compares them with its observations - this is how a more complete picture of events in the environment of protection against cyber attacks is obtained.
Q1
StormWall noted a sharp increase in DDoS attacks on the industry sector. In the first quarter of 2023, financial services suffered the most: they accounted for 32% of attacks, and over the year their number increased by 62%.
Positive Technologies experts believe that the number of successful cyber attacks on the financial sector is growing every year: for example, in the first three quarters of 2023, attacks on this sector accounted for 9% of the total number of successful attacks on organizations. There were also twice as many unique cyber incidents compared to 2022. Analysts' forecasts suggest that criminals remain closely focused on the financial industry.
Q2
In the second quarter of 2023, attack vectors changed, and attackers concentrated on exploiting vulnerabilities. The trend was recorded in Rostelecom-Solar: it is associated with the massive transition of companies to domestic software, which began to be actively attacked by hackers. Experts noticed that the actions of the attackers have become more highly professional and targeted.
Q3
For the third year in a row, Qrator Labs has noted a steady increase in DDoS attacks over the UDP protocol. Over the period 2021-2023, the average share of such attacks rose from 29.31% to 51.45%. Experts believe that this may be due to the summer season in a number of business segments.
In the third quarter, the number and power of targeted DDoS attacks on specific organizations decreased, and the attackers focused on mass attacks, according to the reports of the Rostelecom-Solar service. Experts also recorded the longest attack, which lasted 9 months.
According to the results of an analytical study by the Garda Group of Companies, the telecom and transport sectors were most often attacked in the third quarter. The largest number of attacks fell on the networks of telecom operators, followed by the resources of air carriers and the F/D booking system.
In 2023, a trend carried over from 2022 was clearly visible: an increase in the number of attacks together with a decrease in their duration. According to Qrator Labs, the average duration of attacks decreased by 29.15% compared to 2022.
Another global trend in 2023 is the increase in the number of multi-vector attacks. According to the StormWall report, they rose by 108%. Most of them come from state-sponsored hacker groups, which are distinguished by a more professional approach and access to high-tech tools.
DDoS attacks have become more deliberate, and hackers choose their victims more carefully. Previously, they directed mass attacks at sites on a certain topic, for example the media, without analyzing their security. Now they check whether protection is present and how stable it is. This greatly increases the chances of taking the site down without wasting resources.
Attackers are trying different approaches and developing new attack mechanisms. Not all of them are effective, but some practices make their way into new threats. There is no single dedicated source of attacks - infrastructure around the world is used fairly evenly, and botnets are growing thanks to smart devices and inexpensive servers.
DDoS-Guard closely monitors trends and develops its technologies so that protection tools always remain relevant.
Experts predict that in 2024 the world will face a wave of major data breaches, as well as increased activity by ransomware operators and hacktivists. More complex, multi-vector and more powerful attacks are expected. The trend of attacks on industries for which stable operation of resources is especially important during a certain period of time is highly likely to continue.
The center of Roskomnadzor for the year blocked 185 massive DDoS attacks
During 2023, specialists from the Public Communications Network Monitoring and Management Center (CMU SSOP) subordinate to Roskomnadzor repelled 185 massive DDoS attacks. In addition, 4222 phishing resources and 48 sites through which malware spread were blocked. This is stated in the report of the CMU SSOP, published on January 24, 2024.
In 2023, 9598 traffic routing violations were identified and eliminated. Experts sent 808 security bulletins to telecom operators about the identified vulnerabilities in the software with recommendations for their elimination.
As of the end of 2023, more than 500 telecom operators have connected to the Antifrod system, which is designed to collect data on all calls and SMS in order to combat fraudsters. During the year, this system checked 90 billion calls, and the number of prevented calls with number substitution reached 622 million. In order for all calls from substituted numbers to be blocked in Russia, all operators, of which there are more than 1.3 thousand, must join the platform.
According to Kaspersky Lab, in 2023 the number of blocked phishing links in Russia increased fivefold compared to the previous year. One of the most common targets of phishers is user accounts in instant messengers. Attackers use them in multi-stage telephone fraud schemes and to carry out attacks on people from the victims' contact lists. In addition, in 2023 the number of malicious links in Russia increased 2.5 times. The volume of telephone fraud in 2023 remained at a high level: 94% of subscribers encountered various spam calls. Attackers continue to refine their tactics and develop complex schemes for extracting data, for example by referring to the victim's sphere of activity.[6]
Russian companies are faced with a new type of DDoS attacks - they are being carried out continuously
In 2023, Russian companies faced a new type of DDoS attacks - they are carried out continuously in the background. Daniil Shcherbakov, deputy general director of Servicepipe, spoke about this in January 2024.
In some cases, continuous DDoS attacks have been going on for nearly two years, he said. Moreover, such attacks do not always occur for political reasons, Shcherbakov emphasized. For example, two structures from the top 5 suffered as a result of unfair competition.
The top 5 longest DDoS attacks included attacks on a state resource - the attack began on February 28, 2022, the Internet portal of regional authorities - from March 3, 2022, the site associated with the gas station - from May 26, 2022, the online marketplace - from July 14, 2022, the gaming portal - from February 26, 2023.
According to information security experts, long-term DDoS attacks have maximum power only at the beginning of the incident. Afterwards they become weaker.
"Such an attack can be a kind of monitoring of the effectiveness of protection, and in some cases an attempt to kill the service if it is turned off," said Daniil Shcherbakov.
Daniil Bobryshev, head of development of network and IT infrastructure DDoS protection products at Servicepipe, also said that hackers have changed their tactics for attacking Russian banks and have begun to attack all the resources of credit institutions at the same time. In addition, according to the expert, the attackers began to look for the most vulnerable Internet services of credit institutions, for example VPN entry points or remote service systems, and directed the main volume of attacks at them.
Servicepipe analysts also noted among the trends a large number of "orders" for attacks for a fixed period of time, as well as for DDoS attacks through a specific vulnerability.
"This suggests that attackers save resources and prefer to attack only those targets where they can achieve results by 'putting down' the service," the company said.[7]
Rosvodokanal reported a cyber attack on its IT systems
On December 21, 2023, Rosvodokanal announced a cyber attack on its IT infrastructure. The company made a statement in response to information that appeared in the media about significant damage to technological systems that hackers allegedly caused. Read more here.
The number of DDoS attacks on telecom companies in Russia has grown 4 times
In mid-December 2023, the StormWall analytical center reported a 4-fold increase in DDoS attacks on the Russian telecommunications sector compared to 2022. The attacks are mainly aimed at Internet providers in the southern regions of the Russian Federation - in Krasnodar, Stavropol and Rostov-on-Don, as well as in Crimea. Several attacks were also recorded in the central region of the country.
As noted in the study, hackers attack telecom companies at once at several levels and elements of infrastructure. The longest attack was carried out for three days, the shortest - 20 minutes. As a result, cybercriminals significantly affected customers of Internet providers who could not use the sites of regional telecom operators, online stores, the media, financial institutions and travel companies. Hackers have disabled the IT infrastructure of many companies.
StormWall says that professional protection is needed to repel such attacks, which many regional providers did not have. StormWall advised providers to take care of protection issues.
"We have been watching DDoS attacks aimed at the telecom sector in Russia for quite some time. Most of the attacks have done a lot of damage to regional ISPs and their customers. To repel multi-vector attacks, professional protection is needed, and many regional providers did not have it," said StormWall co-founder and CEO Ramil Hantimirov.
Experts add that in the second half of 2023, attackers in different countries continued to use the most progressive tools to organize DDoS attacks. Hackers actively used complex attacks, as well as botnets consisting of several malicious programs. At the global level, there has been a surge in DDoS attacks on DNS servers, which has created big problems for companies.[8]
"Reg.ru" repelled a new type of massive DDoS attack
The domain name registrar Reg.ru has blocked a long-lasting DDoS attack of a new type. It lasted 72 hours, and the total attack capacity was more than 40 GB/s. The hosting provider's protection systems recorded the participation of more than 40,000 unique IP addresses in the botnet. The company announced this on November 8, 2023. Read more here.
Recorded a decline in DDoS activity against Runet operators
The Center for Monitoring and Management of the Public Communications Network (CMU SSOP) has published data on countering threats for September 2023, from which a reduction in DDoS activity against Runet operators is visible. In just a month, only two such attacks were recorded, although the average number of attacks per month was 4, and the peak of malicious activity was in May-June this year, when about 10 attacks were recorded every month.
A decrease in the number of detected and blocked phishing domains is also recorded - a total of 152 were blocked in September, although the average monthly value is 368 servers. For this indicator, the peak value was reached in August, when 996 phishing resources of various directions were detected and removed from delegation.
At the same time, the number of attack warnings (bulletins) sent to participants in the system was at a fairly high level of 87 messages in September, with an average monthly value of 74. The number of corrections in routing tables - this is the main task of the CMU SSOP to ensure the stability of routing in Runet - was close to the average level in September: 793 with an average monthly value of 819.
CMU SSOP was created on the basis of the Federal State Unitary Enterprise "Main Radio Frequency Center" (FSUE "GRCC") to implement the requirements of the Law "On Sovereign Runet" (dated May 1, 2019 No. 90-FZ). This law prescribed that all operators and traffic exchange points install specialized equipment on their networks that is designed to stabilize routing tables within Russia and monitor Internet stability. Within the framework of this law, the CMU SSOP searches for violations in the routing tables of telecom operators and prescribes corrections to the corresponding records. In addition, the Monitoring Center identifies vulnerabilities in the information systems of domestic operators and sends warnings about their correction - these are the security bulletins mentioned above.
CMU SSOP also collects information about phishing sites, which comes from public organizations, processes it and takes action to remove these domains from delegation so that attackers cannot use them in the future for their malicious activities. The monitoring and control center also protects the key Runet infrastructure - domain servers and key routers - from DDoS attacks in order to ensure their constant availability to all participants in information exchange within the Internet. In general, the staff of the CMU SSOP coordinate the actions of all operators in order to ensure the continuous and stable functioning of the Russian segment of the Internet.
Russian Leonardo flight booking system subjected to massive DDoS attack from abroad
A global failure occurred in the Russian Leonardo flight booking system. The corresponding message was published on the Aeroflot website on September 28, 2023. As RBC specified in the state corporation "Rostec," the system was subjected to a massive DDoS attack from abroad. Read more here.
DDoS attacks with a capacity of 10 Gbps hit the Golden Crown
At the end of August 2023, the Golden Crown money transfer system (KoronaPay) was subjected to a massive DDoS attack. Information about this began to spread on shadow forums and specialized Telegram chats. Read more here.
A resident of the DPR received 2 years in prison for DDoS attacks
The Leninsky District Court of Rostov-on-Don sentenced Roman Nosachev, a Ukrainian who staged hacker attacks on Russian resources, to two years in a penal colony and a fine of 600 thousand rubles. This was announced in mid-August 2023 by the press service of the FSB Directorate for the Rostov region. Read more here.
The details of the cyber attack on Russian Railways became known, because of which the site and mobile application did not work
In July 2023, details of a cyber attack on Russian Railways became known, due to which the company's website and mobile application did not work. According to a Vedomosti source in a company developing information security solutions, most likely we are talking about a DDoS attack. Igor Bederov, an expert at the SafeNet engineering center of the National Technology Initiative, agreed with the newspaper's interlocutor. Read more here.
Many Russian companies do not have professional protection against DDoS attacks at the L7 level
The company StormWall conducted an analytical study of the availability of professional protection against DDoS attacks among the 100 largest Russian companies by revenue, as reported on July 4, 2023. According to the experts' data, all leading companies use external solutions to protect against attacks at the L3-L4 level (network level), but the situation with protection at other levels raises concerns. Experts found that 30% of companies on the TOP-100 list do not have any professional protection against attacks at the L7 level (application level). In this case, companies are either not protected at all, or are trying to fight attacks on their own, which is not always effective.
Experts also analyzed data on the presence of professional protection against attacks at the L7 level in the largest companies from different industries and drew interesting conclusions. As it turned out, 38% of telecommunications companies, 26% of power sector organizations, 18% of oil corporations, 16% of financial organizations, 12% of transport companies and 9% of production enterprises do not use professional solutions to protect against attacks at the L7 level.
Most DDoS attacks on sites are carried out precisely at the L7 level. Since many Russian companies on the TOP-100 list completely lack professional protection at the L7 level, the websites of organizations are unprotected and are at risk all the time. In the event of a DDoS attack, online resources may be disrupted, sites may stop functioning within days or even weeks. As a result, the company may face financial and reputational losses.
Fighting DDoS attacks at the L7 level is quite difficult. The fight against such attacks implies a more complex process of separating legitimate users from bots. The fact is that bots are able to establish a legitimate connection and imitate the behavior of a real user. Normal verification methods are not enough in this situation. To perform filtering at the L7 level, interactive browser validation checks are used, as well as signature and behavioral analysis, which allows you to identify how much the bot's behavior differs from the behavior of an ordinary visitor. At the same time, it is important not to slow down the work of the site. Professional DDoS protection solutions at the L7 level combine different filtering methods and use large computing resources. This allows you to create effective protection.
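As an added example (not StormWall's or the page's own code), the behavioral side of such L7 filtering can be illustrated with a small scorer that groups access-log lines by client and checks request rate, whether the client ever fetches page assets, how many distinct routes it touches, and the user-agent signature. The log lines, thresholds and the "challenge" verdict (hand the client to an interactive browser check) are all constructed for this example.

```python
"""Toy L7 behavioural scorer: how far does a client's request pattern diverge
from an ordinary browser session? Added example with constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")

# Illustrative thresholds; a real filter tunes them per site and per route.
RATE_LIMIT_RPS = 5.0   # sustained requests per second that no human produces
MIN_REQUESTS = 5       # do not judge a client on fewer lines than this
CHALLENGE_SCORE = 2    # at this score the client gets an interactive check


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["route"] = rec["path"].split("?", 1)[0]          # strip query string
    rec["static"] = rec["route"].startswith("/static/") or \
        rec["route"].endswith(STATIC_SUFFIXES)
    return rec


def score_clients(lines):
    """Return {ip: {"score", "reasons", "verdict"}} for the given log lines."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    result = {}
    for ip, recs in per_ip.items():
        n = len(recs)
        times = sorted(r["ts"] for r in recs)
        span = max(1.0, (times[-1] - times[0]).total_seconds())
        rate = n / span
        static_share = sum(r["static"] for r in recs) / n   # browsers load assets
        diversity = len({r["route"] for r in recs}) / n     # humans wander around
        score, reasons = 0, []
        if rate > RATE_LIMIT_RPS:
            score += 2; reasons.append(f"rate {rate:.1f} req/s")
        if n >= MIN_REQUESTS and static_share == 0:
            score += 1; reasons.append("never fetched page assets")
        if n >= MIN_REQUESTS and diversity < 0.2:
            score += 1; reasons.append("hammers a single route")
        if not any("Mozilla" in r["ua"] for r in recs):    # signature check
            score += 1; reasons.append("non-browser user agent")
        result[ip] = {"score": score, "reasons": reasons,
                      "verdict": "challenge" if score >= CHALLENGE_SCORE else "allow"}
    return result


def _line(ip, sec, method, path, ref, ua):
    """Build one constructed log line with the given second of 12:00."""
    return (f'{ip} - - [10/Jan/2023:12:00:{sec:02d} +0300] "{method} {path} HTTP/1.1" '
            f'200 1024 "{ref}" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/109.0"
# A human session: page, its assets, a catalog view, a cart action over 25 s.
HUMAN = [
    _line("10.0.0.5", 0, "GET", "/", "-", BROWSER_UA),
    _line("10.0.0.5", 0, "GET", "/static/app.css", "https://shop.example/", BROWSER_UA),
    _line("10.0.0.5", 1, "GET", "/static/app.js", "https://shop.example/", BROWSER_UA),
    _line("10.0.0.5", 9, "GET", "/catalog?cat=12", "https://shop.example/", BROWSER_UA),
    _line("10.0.0.5", 25, "POST", "/cart/add", "https://shop.example/catalog", BROWSER_UA),
]
# A script: 60 requests in 10 s, all to the costly search endpoint.
SCRIPT_BOT = [_line("203.0.113.7", i // 6, "GET", f"/search?q={i}", "-",
                    "python-requests/2.28") for i in range(60)]
# A bot that mimics a browser UA: the signature passes, the behaviour does not.
MIMIC_BOT = [_line("198.51.100.9", i // 3, "GET", f"/search?q={i}", "-", BROWSER_UA)
             for i in range(30)]
SAMPLE_LOG = HUMAN + SCRIPT_BOT + MIMIC_BOT

if __name__ == "__main__":
    for ip, v in score_clients(SAMPLE_LOG).items():
        print(f'{ip:15} {v["verdict"]:9} score={v["score"]}  {"; ".join(v["reasons"])}')
```

The mimic client shows why the text calls signature checks insufficient on their own: its user agent looks like a browser, and only the behavioral signals push it to the challenge step.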
Roskomnadzor creates a system to counter DDoS attacks for 1.4 billion rubles
In mid-June 2023, it became known about the creation in Russia of a national system for countering DDoS attacks. The corresponding contract worth 1.43 billion rubles was concluded by the Main Radio Frequency Center (GRCC) subordinate to Roskomnadzor. Read more here.
An increase in the number of attacks by 58% to 384.8 thousand cases
In the first quarter of 2023, DDoS-Guard experts recorded 384.8 thousand DDoS attacks in Russia, which is 58% more than a year earlier (226.1 thousand). These data were released at the end of May 2023.
Qrator Labs confirmed the trend towards an increase in attacks. According to this company, the peak intensity occurred in February 2023. It is noted that the number of IP addresses involved in the attacks exceeded 12 million.
According to MTS RED, the volume of DDoS attacks in Russia in the first three months of 2023 increased tenfold compared to the same period in 2022. If at the beginning of 2022 the number of detected DDoS attacks was measured in hundreds, then in the first quarter of 2023 - already in the thousands. The most active in terms of implementing attacks was January 2023: this month 79% of the total number of DDoS attacks in the quarter were registered, 14% of attacks were in February, and 6% in March. January is traditionally the most active month of the first quarter in terms of implementing attacks such as a distributed denial of service, experts explain.
The largest number of DDoS attacks (40%) in the first quarter of 2023 was carried out at night, from midnight to 6 a.m. Slightly fewer - 37% of attacks - were carried out before noon. Then the activity of attackers decreased: 13% of attacks occurred from noon to 6 p.m., and another 10% in the evening before midnight.
The longest DDoS attack detected in the first quarter of 2023 was directed to the Internet resources of one of the companies from St. Petersburg. The most intense attack with a capacity of 61 Gbps was registered in the Far Eastern Federal District, it was carried out on a company based in Khabarovsk. The most popular targets of DDoS attacks were the financial sector, the public sector and retail.[9]
IT specialist in Rostov received 3 years in prison for attacking state sites
On May 18, 2023, the Rostov Regional Court sentenced IT specialist Yevgeny Kotikov, who was suspected of organizing cyber attacks on Russian information resources. The person involved in the case was sentenced to imprisonment for a period of three years with serving a sentence in a penal colony. Read more here.
In February, there was a surge in DDoS attacks on the infrastructure of retailers
StormWall experts revealed a wave of DDoS attacks on the infrastructure of retailers in February 2023 in Russia. According to experts, most of the attacks were aimed at a number of services that ensure the full operation of the company: payment systems, online cash desks, goods delivery services. A surge in DDoS attacks on retailers' infrastructure was observed from February 3 to 25, and the maximum attack power was 600 Gbps. StormWall announced this on March 20, 2023.
According to experts, cyber incidents were organized by politically motivated hacktivists who used botnets to launch such powerful attacks. Most of the attacks were directed at payment systems (48% of the total number of attacks), online cash registers (26% of the total number of attacks) and goods delivery services (22% of the total number of attacks) were also badly affected. Attacks on other services accounted for 4% of all cyber incidents.
Launching attacks on the infrastructure of online retailers, politically motivated hacktivists sought not only to harm the Russian economy, but also to harm ordinary people. The attackers organized a series of attacks on the infrastructure of large online grocery retailers. In particular, such well-known food chains as Perekrestok and Pyaterochka suffered from the attacks. As a result of DDoS attacks, retailers experienced a number of difficulties related to doing business, the companies' online stores did not work for some time, customers could not issue and pay for orders, and it was also impossible to ensure the delivery of goods to customers.
At the end of 2022, there was a decline in DDoS attacks by politically motivated hacktivists on Russian companies, but in 2023 hacktivists again began to actively attack various industries in Russia. Retail is one of the most important targets for hacktivists, and they use the latest tools to launch DDoS attacks to harm Russian retailers.
"We have already faced DDoS attacks on retail before, and they have always been very powerful. This time, retailers suffered especially hard, because hacktivists attacked their infrastructure, which led to a violation of work processes. Fortunately, the attacks did not cause serious harm to companies, as they used professional solutions to protect against attacks. We recommend that all retailers connect professional protection against DDoS attacks, as their number will grow in the future. According to our forecasts, the next surge in attacks on the infrastructure of retailers may occur on the May holidays, and the number of attacks may grow 2-3 times," said Ramil Khantimirov, CEO and co-founder of StormWall.
The FCS reported DDoS attacks. Services disabled
On February 28, 2023, the Federal Customs Service (FCS) of Russia announced DDoS attacks on its technological infrastructure, as a result, problems arose in the operation of external information services. Read more here.
DDoS attacks in Russia began to be used to cover up other malicious activities
DDoS attacks in Russia began to be used to cover up other malicious activities. This was announced at the end of February 2023 by StormWall, a company specializing in information security technologies.
According to experts, hackers use a DDoS attack to distract attention from entering the organization or outputting information already received. If the company did not have a reliable solution to repel a DDoS attack, the information security department is forced to direct all its forces to protect the IT infrastructure from the attack, weakening the protection of systems from other dangers, the study said.
"To prevent incidents of hacking under the guise of a DDoS attack, we recommend that companies connect professional protection against DDoS attacks so that the information security department can focus on protecting the IT infrastructure from other more complex attacks," said StormWall co-founder Ramil Hantimirov.
Experts revealed that the largest number of DDoS attacks to distract attention in January 2023 was carried out on the fintech sphere, retail and the gaming industry. During this month, the number of DDoS attacks serving as a cover-up increased by 83% on fintech companies, by 62% on retailers, and by 53% on gaming companies compared to January 2022. Also, the number of attacks for cover has grown on a number of other industries. The growth of such attacks in January 2023 on the educational sector amounted to 18%, on the medical industry 14% and on the telecom sector 10% compared to the same period in 2022.
According to experts, the main goal of the attackers was to disable the organization's IT infrastructure or hack the system to gain unauthorized access to user or company data. The attackers planned to use the obtained data for the purpose of extortion or blackmail.[10]
A botnet of 55 thousand infected devices was found in Russia. Through them, DDoS attacks with a capacity of 1.4 Tbit/s are carried out
Experts from StormWall, a company specializing in information security technologies, found a botnet of 55 thousand infected devices that are used for powerful DDoS attacks. StormWall told about this in mid-February 2023.
From January 5 to January 31, 2023, information security specialists recorded a large number of DDoS attacks on leading industries in Russia. The power of the attacks reached a peak of 1.4 Tbit/s, which became "a real sensation in the market," the press release said. Experts believe that the attacks on Russian companies were organized by hackers with the aim of extortion and blackmail.
The destructive botnet consisted of computers, mobile phones, servers and routers. The army of bots caused huge damage to all industries, but the entertainment sector suffered the most. As a result of attacks on game hosting, players experienced problems connecting to online games, and users were constantly thrown out of the game. This led to a loss of trust from customers and damaged the reputation of gaming companies. In addition, game server owners and hosters suffered heavy losses. Resources of other topics using the same computing power and Internet connection channels also suffered.
StormWall experts analyzed the indicators of DDoS attacks on the most attacked industries and found that in January 2023, the maximum attack power increased on the financial industry by 92%, on the telecom sector by 63%, and on game hosting by 48% compared to the same period 2022. The number of attacks has also increased. The number of attacks increased on financial organizations by 120%, on telecom - by 82%, on game hosting - by 74%.
"Since these attacks have enormous power, only cloud DDoS protection services with sufficient filtering network capacity can cope with them. It is impossible to repel such attacks on your own," said the general director and co-founder of StormWall Ramil Khantimirov.[11]
A new record for DDoS attacks has been set - power reached 1.3 Tbit/s
In early February 2023, Qrator Labs announced a record-breaking DDoS attack in Russia. It has hit the IT infrastructure of cybersecurity solution developer Bi.Zone. At its peak, the power of the DDoS attack, which occurred on January 28, 2023, reached 1.3 Tb/s. Read more here.
An avalanche of DDoS attacks hit the e-commerce sector in Russia
In January 2023, an avalanche of DDoS attacks hit the e-commerce sphere in Russia, which came as a big surprise to companies operating in this sector. This was announced on January 26, 2023 by StormWall.
StormWall specialists have recorded a number of powerful DDoS attacks on trade equipment manufacturers, IT companies developing trade automation solutions, as well as warehouses and logistics companies. According to StormWall experts, attacks on the e-commerce sector lasted from January 10 to 20, 2023, and the maximum attack power was 400 thousand requests per second.
Since most companies in the online retail field already have good protection, attackers are looking for e-commerce services through which they can harm retailers' business processes. Experts believe that the attacks were organized by politically motivated hacktivists who are making every effort to harm the Russian economy. Calls to attack Russian companies in the e-commerce sector were found in the Telegram channels of the IT Army of Ukraine. In total, more than 30 e-commerce companies were attacked, including such large organizations as MyWayhouse, Drimkas, Azur Pos, Shtrikh-M and others.
As a result of attacks by cybercriminals, the sites of some companies in the e-commerce sector did not work for several hours. Online retailers have also been hit by attacks on related services. Users could not place orders, could not pay for goods, and there were also problems with the delivery of goods to customers. However, serious consequences were avoided, since most companies were ready for attacks and used professional solutions to protect against DDoS attacks.
Experts revealed that companies engaged in the production of trading equipment suffered the most from hacktivist attacks in January 2023, the share of attacks on these companies is 43% of all attacks on e-commerce. The share of attacks on other categories of companies was distributed as follows: attacks on companies developing software products for trade automation - 36%, the share of attacks on warehouses - 14%, the share of attacks on logistics companies - 7%.
"As of January 2023, we are observing another trend in the organization of DDoS attacks on the Russian market. The essence of this trend is to launch DDoS attacks on different types of companies in the e-commerce sector at once - on warehouses, and on logistics organizations, and on manufacturers of trading equipment, and even on developers of trade automation solutions. Hacktivists are trying to inflict maximum harm on the entire e-commerce industry, trying to create problems in the operation of services with different types of activities. We are doing everything to help our clients repel hacktivist attacks that continue to invent new strategies for organizing attacks on business," said Ramil Khantimirov, CEO and co-founder of StormWall.
Since January 23, 2023, StormWall experts have recorded another wave of DDoS attacks aimed at fiscal data operators (OFDs). Experts are studying the nature of these attacks. According to preliminary data, these attacks were also organized by hacktivists. According to the company's specialists, attacks on OFDs can last until the end of January 2023.
2022
DDoS attacks are increasingly occurring from Russian IP addresses
In 2022, DDoS attacks from Russian IP addresses became more frequent in the Russian Federation. Attackers use them to bypass blocking foreign traffic, Qrator Labs said in February 2023.
As the founder of Qrator Labs Alexander Lyamin told Vedomosti, in 2022 DDoS attacks using botnets created inside Russia became one of the most popular hacker scenarios. According to him, the attackers chose servers located in Russia for the attacks, which allowed them to bypass the blocking of foreign traffic.
Vadim Shelest, an expert in the MTS security analysis department, Oleg Kupreev, a leading expert in the Kaspersky Lab botnet monitoring group, and Luka Safonov, technical director of Sinclit JSC, confirmed to the publication the tendency to increase the number of attacks using "Russian" botnets. Most of the attacks using "Russian" botnets were carried out on subjects of critical information infrastructure, said Alexei Pavlov, director of business development at the Solar JSOC cyber attack center of RTK-Solar.
Rostelecom-Solar noted that against the background of a general increase in attacks in the second half of 2022, their number decreased from hacktivists - unprofessional hackers acting for political rather than commercial reasons using simple tools, for example, mass DDoS attacks or attacks on web servers. Calls to attack certain Russian organizations still appear in hacktivist Telegram channels, but the response has become weaker, said Alexei Kuznetsov, technical head of the security analysis department at MTS Cybersecurity, in a conversation with Kommersant.
"If earlier, after the organizers of the attacks designated another DDoS target, we saw an attack at a speed of 20 Gbps, now it is 3 Gbps," he added.[12]
The power of DDoS attacks has doubled
The power and duration of DDoS attacks in Russia in 2022 increased significantly. This is evidenced by the data of the RTK-Solar company, which develops information security technologies.
According to experts, the longest DDoS attack in 2022 lasted 3 months (2 thousand hours), whereas a year earlier the record attacks lasted "only a few days." The most powerful DDoS attack in 2022 reached 760 Gbps, almost double the figure of a year earlier.
According to the study, Moscow became the most attacked region in Russia - it accounted for more than 500 thousand DDoS attacks. The Ural Federal District (about 100 thousand attacks) and the Central Federal District (more than 50 thousand incidents) follow.
In total, in 2022, RTK-Solar experts recorded 21.5 million attacks on web resources with a high degree of criticality. Most of them (30%) were directed to the websites of authorities and state-owned companies, 25% - to the financial sector. In addition, hackers tried to hack the websites of educational institutions, IT companies, cultural and sports organizations.
It is reported that the number of DDoS attacks on the Russian public sector in 2022 at some point increased 2 times relative to 2021. This industry has always been in the focus of attention of hackers: the inaccessibility of state resources, when people cannot see important information or receive a service, creates nervous tension in society, and the defacement of such portals causes not only irritation and panic among users, but also image losses for state power in general, RTK-Solar explained.
During the reporting period, a record-breaking DDoS attack was recorded. However, in general, hackers conducted "carpet bombing" with simple and massive attacks. When attacking the web, attackers continued to exploit known vulnerabilities and security holes, many of which are highly critical and can lead to complete hacker control over the application and theft of user data... The end of the year compensated for the sharp surge of the first two quarters: attackers concentrated on more complex targeted attacks on specific companies and industries. At the same time, the level of network attacks remains high and exceeds the average of previous years, so the threat remains relevant, the report said.
As Nikolai Ryzhov, head of the company's Anti-DDoS and WAF department, noted, immediately after the start of the special military operation of the Russian Federation in Ukraine, the attackers used massive DDoS and web attacks mainly for the purpose of hacktivism. They made socially significant resources inaccessible and hacked sites to post provocative messages (defacement). However, by the middle of the year, attacks had become more complex and targeted, and hackers hacked sites not so much for defacement as to host malware, penetrate infrastructure and access valuable data, the expert said, adding that web resources remain under threat from hackers.
In May 2022, the highest volume of DDoS attacks in Russia was recorded, which is probably due to the celebration of Victory Day. Hacktivists tried to "clog" the communication channels of resources related to festive and patriotic events with garbage traffic. Afterwards, DDoS activity began to gradually decline. By the third quarter of 2022, experts recorded a decline in mass attacks and a reorientation of attackers to more complex targeted strikes. DDoS activity thus offset the abnormal growth of the first half of the year and returned to more standard values, experts explain.[13]
The number of DDoS attacks in Russia soared by 700%
The number of DDoS attacks in Russia in 2022 increased by 700% compared to a year ago. Such data are provided in a report by DDoS-Guard, a company specializing in protection services against DDoS attacks, content delivery and web hosting. The study was published in January 2023.
During 2022, experts recorded a total of 1,255,573 DDoS attacks on Runet. The average number of such cyber attacks per day increased 10 times compared to 2021, and the number of attacks per hour - 11 times. The hottest months were March and August, the report said.
Compared to 2021, the duration of attacks has decreased, but their frequency has increased 3-4 times. The fact is that powerful botnets are not used for attacks on Russian sites - this is too expensive. Instead, hacktivists unite in communities and share instructions for running malicious scripts and software to participate in attacks. Networks of this kind are capable of massive but short-lived attacks.
The vast majority of DDoS attacks lasted up to 20 minutes, and a significant number lasted from 20 minutes to 1 hour. Attacks of a day or more accounted for less than 1% of the total number of incidents.
According to experts, it has become much easier to organize an attack. Now you don't even have to install special software to make your device part of a botnet and generate malicious traffic. Hacktivists have created a whole segment of sites designed specifically to organize DDoS attacks. The user just needs to go to such a resource, and he will take part in mass cybercrime.
The study notes a dramatic change in the nature of cyber attacks in 2022 due to geopolitical shifts. If at the beginning of the year the general trend was traced in the form of the same type of long-term attacks, then already in February the picture turned out to be completely different.
Previously, the most common causes of DDoS attacks were competition for availability in search results and seasonality - for example, before holidays, when users make the most purchases online. Attackers attack sites during peak visits and demand a ransom to stop the attack. Site owners have to make a choice between paying without guarantees of the end of the attack and watching users go to competitors due to the inaccessibility of the site.
The main motivation for DDoS attacks in 2022 was hacktivism: politically motivated cybercrimes committed in support of, and to demonstrate, certain political ideas. In the course of their campaigns, hacktivists used all the methods and tools they knew. At first, the attack patterns were chaotic, but in the spring their organizers began to act in a more coordinated way, including through specialized communities whose purpose was mass cyber attacks on the Russian segment of the Internet.
In early 2022, entertainment sites were the main target of cybercriminals. This category exceeded by a factor of two the figures for business portals, educational and telecom resources that were in the top. All these targets remained in focus, and the number of attacks on them increased many times over: for example, entertainment sites were attacked 6 times more often, 44 thousand incidents against 7,700 in 2021.
However, the main objects of interest of hackers changed in the second half of the year. As a result, news sites were most often under an avalanche of malicious traffic - the number of DDoS attacks on the media increased by a record 76 times (51,842 incidents against 670 in 2021). Web resources related to government agencies showed an increase of 55 times (20,766 incidents against 370), and the websites of banks and financial institutions accounted for 20 times more attacks than in 2021 (27,600 incidents against 1318).[14]
The Ministry of Digital Development reported 35 thousand attacks on the electronic voting system
On September 11, 2022, the Ministry of Digital Development of the Russian Federation reported numerous hacker attacks on the electronic voting system. According to the deputy head of the department Oleg Kachanov, none of the attacks was successful. Read more here.
A surge of cyber attacks on Russian electronic document management systems
Massive DDoS attacks hit Russian electronic document management systems on September 1, 2022. Kommersant writes about this with reference to the affected manufacturers of IT solutions, as well as to the Ministry of Industry and Trade. Read more here.
Regional media subjected to DDoS attacks by hacktivists
StormWall on August 23, 2022 announced that in July 2022, attackers staged massive DDoS attacks on the websites of regional Russian publications. According to preliminary estimates of experts, DDoS attacks occurred from July 20 to 30, 2022 and were organized by hacktivists who sought to prevent regional publications from publishing information about events taking place in the world. According to the company's analysts, DDoS attacks on regional media sites in May 2022 have already been observed.
According to preliminary estimates of the company's experts, in July 2022, hacktivists attacked more than 70 regional publications in 14 cities of Russia. The attacks were aimed at the media in such large cities as Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, Sochi and others. Thousands of motivated users took part in the launch of destructive DDoS attacks. They used tools available on the network that allow anyone who wants to launch an attack using their own or rented resources. According to experts, the average power of a DDoS attack was over 18,000 requests per second, and the average duration of an attack was 20 hours.
As a result of the attacks, the sites of some regional publications were unavailable for several hours. Publications that used professional solutions to protect against DDoS attacks were able to successfully repel all hacktivist attacks. However, regional media, which tried to cope with the attacks on their own, failed and were forced to urgently seek help from specialists to connect professional protection.
"In July 2022, we recorded a number of powerful attacks on media sites in the regions of Russia. This is not the first time hacktivists have tried to attack Russian publications in an effort to interfere with their work. We have already observed similar attacks on regional media sites in May 2022, but then more than 200 publication sites were attacked in 46 cities of Russia. In July 2022, fewer attacks on media sites were organized, indicating that hacktivist activity is gradually declining. However, I admit that new attacks on the media will be organized in the fall, so publications need to take care of protecting their resources," said Ramil Khantimirov, CEO and co-founder of StormWall.
The number of DDoS attacks on Russian companies in the first half of the year increased 15 times
StormWall reported on July 14, 2022 that its experts analyzed DDoS attacks aimed at Russian companies in the first half of 2022 and found that the total number of attacks increased 15 times compared to the same period in 2021. The most attacked industries in the first half of 2022 were the financial sector (32% of the total number of attacks), the public sector (18%), retail (14%), logistics (10%) and the insurance industry (8%). The educational sector (7%), the entertainment sector (5%), the tourism industry (4%) and other industries (2%) were also subjected to DDoS attacks. The company's customer data was used for the analysis.
Experts compared the number of DDoS attacks in the first half of 2022 and in the first half of 2021 and revealed that the number of DDoS attacks on key industries in 2022 increased significantly. The number of DDoS attacks on the financial sector in the first half of 2022 increased 12.8 times compared to the same period in 2021, the number of attacks on retail increased 11 times, the growth of attacks on the logistics industry increased 16 times, in the insurance industry the number of attacks increased 15 times, and the number of attacks on the public sector increased 17 times.
According to experts, such a strong increase in the number of DDoS attacks on Russian companies in the 1 half of 2022 is primarily due to the unstable political situation in Russia and around the world. As a result of this situation, in February 2022, groups of so-called hacktivists arose, the purpose of which is to harm the economy and social sphere of Russia. These groups consist of several hundred thousand motivated hackers. In the first half of 2022, hacktivists attacked large Russian companies in various industries, as well as state online services. In February 2022, the group members organized a number of DDoS attacks on key Russian companies in the fuel and energy sector, the financial industry, the production sector and the telecom industry. Even such large companies as Gazprom, Lukoil, Norilsk Nickel, Sibur, Yandex, Sberbank were attacked. In June 2022, attackers tried to disrupt the admission campaign at Russian universities by attacking not only university sites, but also the Public services website.
StormWall analysts found that in the first half of 2022 the maximum power of a recorded attack was 700 thousand HTTP requests per second. The duration of attacks has also increased. At the beginning of 2022, attacks lasted an average of 7 hours and then stopped, whereas at the end of 2021 attacks lasted an average of 3 hours. Now the company's experts are observing that some attacks last for weeks.
According to experts, for organizing cyber incidents, hackers used both standard public tools originally intended for testing, and not for conducting attacks, and specially developed utilities that are available for download to anyone on the Internet and receive updates every week to increase the effectiveness of attacks. Tools can be obtained for free, only computing resources are needed, which in most cases the attackers already have.
"In the first half of 2022, hackers were especially aggressive and persistent during the launch of DDoS attacks on Russian companies. Many companies that do not use professional DDoS protection solutions have suffered greatly from the actions of cybercriminals and were forced to urgently connect protection. We recommend that you take care of protecting online resources in advance. Since hacktivists use current tools to organize the most powerful DDoS attacks, the consequences can be devastating," noted Ramil Khantimirov, CEO and co-founder of StormWall.
The Roscosmos website went offline after a massive DDoS attack, which began after the publication of pictures of decision centers
On June 29, 2022, the Roscosmos website stopped working after a massive DDoS attack, which began after the state corporation published images of decision centers of several NATO member countries. As noted in Roskosmos, the attack on the official resource of the company was made from Yekaterinburg. Read more here.
The number of DDoS attacks on universities from June 10 to 23 increased year-on-year by 8 times
Specialists of the StormWall company, which protects businesses from DDoS attacks, have been resisting a huge avalanche of DDoS attacks aimed at Russian universities from June 10 to June 27, 2022. StormWall announced this on June 27, 2022. According to experts, the number of DDoS attacks on universities from June 10 to 23, 2022 increased 8 times compared to the same period in 2021. Most attacks went via the HTTP protocol, with attack power reaching 300 thousand requests per second, 15 times more than the maximum attack power of the same period in 2021, which was 20 thousand requests per second. The company's customer data was used for the analysis.
As a result of large-scale DDoS attacks, for a number of universities that did not use professional protection, the consequences were quite serious: the sites of educational institutions did not work, and important services were not available, for example, a service for submitting documents for admission. Such universities had to urgently connect professional protection, and StormWall specialists managed to quickly restore the operability of online resources of educational institutions. Universities using professional protection against DDoS were able to successfully repel attacks and the work of their resources was not disrupted.
In Russia, during the work of the admissions committee, the number of DDoS attacks on universities traditionally increases. The growth of DDoS attacks on educational institutions was observed in July 2021 and July 2020, and the attacks were organized by poorly trained applicants to prevent other graduates from applying for admission to universities. However, there has never been such a targeted flow of a huge number of high-power DDoS attacks.
According to experts, 70% of DDoS attacks on universities were carried out from Europe, 20% from the United States and only 10% from Russia. According to experts, in 2022, attacks are launched by hacktivists of the IT army of Ukraine, which seeks to disrupt the admission campaign in Russian universities, which began on June 20, 2022. Only a small part of DDoS attacks on universities in 2022 were organized by applicants. Due to the actions of the IT army of Ukraine, applicants did not even have to make efforts.
In addition, on June 23, 2022, hacktivists also organized a number of DDoS attacks on the State Public services website in order to block the possibility of submitting documents for admission on this portal.
According to StormWall analysts, the attacks will last until the end of the work of the admissions offices, until mid-August 2022. Since many applicants actively use the Public services service to submit documents, it is also at risk until the end of the admission campaign in Russian universities.
"We have been protecting educational institutions from DDoS attacks for many years. There are certain periods when there are bursts of attacks on universities, and we are always ready for them. However, the situation that we are seeing in June 2022 is of great concern, since it is obvious that these are targeted attacks organized by hackers who use all available tools to organize destructive attacks against Russian universities. And this is just the beginning; in the future the power of attacks can be up to 1 Tbit/s. I recommend that universities urgently take care of connecting professional defense solutions in order to effectively counter attackers' attacks," said Ramil Khantimirov, CEO and co-founder of StormWall.
Powerful DDoS attacks hit the State Public services portal
On June 23, 2022, powerful DDoS attacks hit the State Public services portal. According to the Ministry of Digital Development of the Russian Federation, the attack was initiated by Ukraine. Read more here.
Rospotrebnadzor site shutdown due to DDoS attack
On June 9, 2022, Rospotrebnadzor announced a hacker attack on its website. As a result of the cyber attack, the official resource of the department stopped working. As of 14:00 Moscow time on June 10, 2022, the site still does not open. The TAdviser journalist was convinced of this. Read more here.
Hackers have learned to use video recorders to bypass geolocation filtering in DDoS attacks
Hackers began to look for ways to bypass traffic filtering in order to perform DDoS attacks on Russia. To do this, they are increasingly using VPN and proxy services, as well as user devices with Russian IP addresses. This became known on May 23, 2022.
Cybercriminals are looking for new vectors of attacks on Russian information resources. In conditions when the main channels were blocked (foreign traffic is cut off by the equipment of operators at the country's border), hackers began to use Russian IP addresses.
Since February 24, 2022, Russian information resources, government sites and other websites have faced an increase in DDoS attacks. The Ministry of Digital Development of the Russian Federation pointed out that malicious requests came from abroad, mainly from IP addresses registered in the USA, Germany and Ukraine. To counter the threat, at the end of March 2022, the Ministry of Digital Development and Roskomnadzor began using equipment on communications networks to filter traffic by geography at the borders of Russia.
To bypass traffic filtering to carry out DDoS attacks on Russia, hackers began to use VPN and Proxy services, as well as user devices.
The mechanism of blocking by geographical origin turned out to be very fast and effective in the fight against DDoS attacks. The method proved its worth, but now hackers have begun to use Russian IP addresses in their attacks, which makes filtering traffic by geolocation ineffective, said cybersecurity experts interviewed by Kommersant.
This can be done by renting a VPN, proxy or VPS (virtual dedicated server) from providers located in the Russian Federation, or by using various botnets that combine infected devices in the Russian Federation. Most botnet networks are assembled from various infected smart devices or just personal computers, noted Alexey Novikov, director of the Positive Technologies security expert center (PT Expert Security Center).
A similar scheme for bypassing IP blocks has existed before; this proves that filtering traffic by geolocation is ineffective, said the founder of Qrator Labs Alexander Lyamin.
Attackers are increasingly resorting to VPN and proxy services, and also use user devices (such as routers, smart cameras and video recorders) located on the territory of the Russian Federation. These devices are combined into botnets ("zombie" networks consisting of infected devices), which are subsequently used to organize cyber attacks.
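The bypass described above, shown as an added example that is not from this page or from any of the vendors quoted on it (Python). A geo-IP allow-list drops a flood from a foreign address but passes the identical flood once it arrives from a domestic VPS or botnet node; a per-source token-bucket rate limit is what catches it. The country table, the IP addresses (RFC 5737 documentation ranges) and the traffic are constructed for the illustration, and the rate and burst thresholds are assumptions.

```python
"""Geo-IP filtering versus a domestic botnet (added illustration).

The GEO_TABLE below is a constructed stand-in for a real GeoIP database;
the prefixes are RFC 5737 test ranges and carry no real country meaning.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed lookup: network -> country code (assumption, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",   # foreign source
    ipaddress.ip_network("198.51.100.0/24"): "DE",  # foreign source
    ipaddress.ip_network("192.0.2.0/24"): "RU",     # rented domestic VPS / bot nodes
    ipaddress.ip_network("10.0.0.0/8"): "RU",       # legitimate domestic users
}


def country_of(ip: str) -> str:
    """Longest-prefix lookup is not needed here: the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""
    rate: float
    burst: int
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)   # start full so a normal user never waits

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_requests(requests, allowed_countries=("RU",), rate=5.0, burst=10):
    """Apply a geo allow-list first, then a per-source token bucket.

    `requests` is an iterable of (timestamp_seconds, source_ip) in arrival order.
    Returns per-IP counters: passed / dropped by geo / dropped by rate limit.
    """
    buckets = {}
    stats = defaultdict(lambda: {"passed": 0, "geo": 0, "rate": 0})
    for ts, ip in requests:
        if country_of(ip) not in allowed_countries:
            stats[ip]["geo"] += 1          # the border filter the page describes
            continue
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst, last=ts))
        if bucket.allow(ts):
            stats[ip]["passed"] += 1
        else:
            stats[ip]["rate"] += 1         # domestic flood caught only here
    return dict(stats)


def demo():
    """Constructed traffic: a foreign flood, the same flood from a domestic VPS,
    and one legitimate domestic user making a request every two seconds."""
    requests = []
    requests += [(0.0, "203.0.113.5")] * 100   # from abroad: geo filter drops all of it
    requests += [(0.0, "192.0.2.7")] * 100     # from a Russian VPS: geo filter passes all of it
    requests += [(float(t), "10.1.2.3") for t in range(0, 10, 2)]
    return filter_requests(requests)


if __name__ == "__main__":
    for ip, counters in demo().items():
        print(ip, country_of(ip), counters)
```

The geo filter contributes nothing against the 192.0.2.7 flood; the token bucket lets its first 10 requests through and drops the remaining 90, while the legitimate user is never throttled. The limitation follows directly from the page's point: a botnet of many domestic devices, each staying under the per-source limit, defeats both checks, which is why availability providers fall back on behavioural and aggregate analysis rather than source-based rules alone.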
In April 2022, it became known that Roskomnadzor plans to modernize the equipment used to implement the law on the isolation of the Runet and create on its basis a federal system of protection against DDoS attacks from abroad. The system of protection against DDoS attacks may appear in the fall of 2022.[15][16]
A surge in DDoS attacks on key Russian industries during the May holidays was recorded
StormWall experts revealed a surge in DDoS attacks on important industries of the Russian economy during the May holidays. The company announced this on May 20, 2022. According to the experts' data, from May 1 to May 10, 2022, the number of DDoS attacks on the e-commerce sector increased 2.5 times, the number of attacks on the entertainment sector increased 4 times, and the number of attacks on media resources increased 9.5 times compared to the same period in 2021. Experts also found that the number of DDoS attacks on various Russian online services during the May holidays increased 2 times compared to the same period in 2021. StormWall customer data was used to analyze the situation.
Such unprecedented activity of hackers is associated with the fact that online stores, entertainment sites, media and online services are incredibly in demand during the May holidays. Problems in the operation of various online resources of companies lead to the loss of customers, profits and reputation, and cybercriminals seek to disable sites in order to extort money. In addition, the unstable economic situation around the world contributes to the growth of hacker activity .
As a result of the hacker attacks, online stores and online services had problems with placing orders, accepting payments and generating accounting documents, and access to the functionality of entertainment sites was limited.
Experts found that the power of DDoS attacks on companies' online resources during the holidays remained at the same level as the last two months, but the attacks lasted several days in a row. According to StormWall experts, problems in the operation of a number of sites arose due to poorly built protection against DDoS attacks. Many companies that do not use professional protection were forced to urgently seek help from specialists to repel attacks.
"It is quite difficult to predict which business area will become a new target for hackers, because since the end of February we have seen a massive surge in DDoS attacks on Russian companies, and in 75% of cases attacks go to companies that have never been subjected to them before. Therefore, absolutely all companies need to take care of the protection of their online resources in advance," said Ramil Khantimirov, CEO and co-founder of StormWall.
The longest DDoS attack in Russia was registered, which lasted 29 days
On July 21, 2022, Kaspersky Lab announced the longest DDoS attack in Russia. It lasted almost 29 days and began in May 2022.
According to experts from the antivirus company, in the second quarter of 2022, the average duration of DDoS attacks increased: in April it amounted to 40 hours, in May - 57, and only in June this figure began to decline.
The total number of attacks is gradually decreasing. In June 2022, Kaspersky Lab's solutions recorded almost four times fewer such incidents compared to the peak in March, but this is still twice as many as in June of the previous year.
The main goal of DDoS attacks in April-June 2022 was the financial sector. The share of cyber attacks on financial institutions ranged from 70% in April to 37% in June. At the beginning of summer, the share of government organizations among target companies increased sharply: in June, they accounted for 38% of all DDoS attacks in Russia.
As Alexander Gutnikov, an expert on cybersecurity at Kaspersky Lab, noted, at the beginning of 2022, a large number of so-called hacktivists took part in DDoS attacks, but then their share in the total number decreased, the company began to more often record attacks prepared by professional attackers. This is evidenced by the increased duration of attacks and the level of their execution.
"We also observe targeted attacks, during which attackers take into account the smallest details and specifics of the architecture of specific sites. Preparation of such actions usually takes a lot of time, they require a high level of technical training of the organizers, and they are more difficult to prevent, identify and stop. The growing number of such attacks takes the DDoS threat to a new level," he said.[17]
DDoS attacks on EGAIS, due to which problems arose with the supply of alcohol in Russia
Due to the DDoS attack on the Unified State Automated Alcohol Accounting Information System (EGAIS), manufacturers and suppliers cannot ship alcohol in Russia. This problem became known in early May 2022. Read more here.
Russia was continuously under DDoS attacks for 145 hours
In early April 2022, Kaspersky Lab announced a record duration of DDoS attacks in Russia. One such attack in March lasted 145 hours, just over six days.
According to data released on April 1, 2022, the average duration of attacks in the last two months exceeded a day, amounting to 29.5 hours, while in the same period of 2021 this figure was no more than 12 minutes.
Financial institutions had the hardest time in March 2022: the share of attacks on banks reached 35%. But the media, which had a difficult February, were able to breathe out, with the usual 3-4% of cyber attacks falling on them in the first spring month. A third of the attacks fell on government agencies, and 9% on schools and universities.
"Indirectly, we note that at the beginning of the surge in DDoS attacks, a large number of so-called hacktivists, unprofessional hackers, took part in them. Over time, their share of the total number of attackers decreased. At the same time, the attacks themselves have become more powerful, prepared and prolonged," the press service quotes cybersecurity expert Alexander Gutnikov.
From late February to early April 2022, FinCERT of the Bank of Russia recorded an increase in the number of DDoS attacks aimed at the information resources of financial organizations, the Central Bank told Izvestia, stressing that this did not lead to a significant interruption in the performance of services. The regulator continuously interacts with market participants on the issue of countering computer attacks and applies measures aimed at increasing the security and resilience of information infrastructure facilities, including when making money transfers, they added.
The number of DDoS attacks on government agencies has increased tenfold compared to 2021, the newspaper confirmed in Ministry of Digital Development.[18]
A sharp increase in the number of DDoS attacks on business
Rostelecom-Solar specialists noted a significant increase in DDoS attacks on the commercial segment: from March 1 to March 10, 2022, more than 1,100 such attacks were recorded and repelled, which already exceeds the figures for the entire month of February. The company announced this on March 11, 2022. The most attacked business segment is banking, where over 450 attacks were identified, more than 4 times the figure for February. At the same time, the main target of the attackers is still the resources of the authorities: over the past three days alone, about 1,700 DDoS attacks were carried out on one of the state portals.
Back on February 22-23, Rostelecom-Solar experts noted increased activity on hacker forums. And already on February 25, mass attacks on the Internet resources of state power began. The number of attacks was hundreds of times higher than usual, and their power was 2-3 times higher. Along with this trend, a noticeable increase in attacks on business, primarily on the banking sector, began in March. In general, DDoS is carried out continuously: one resource can be attacked for 12-14 hours. Geographically, most of the attacks come from US IP addresses.
"In the case of DDoS, this is not about hacking a portal, but only about its availability: nothing threatens user data. It is important to remember this in order not to succumb to hacker provocations," said Yegor Valov, head of Anti-DDoS and WAF at Rostelecom-Solar. "We continuously and in an unprecedentedly short time adapt the defense mechanisms to rapidly changing attack vectors; appropriate measures are taken within tens of minutes. During this confrontation, users may notice temporary interruptions in the operation of Internet resources, but after a short time the resources return to normal operation."
As of March 2022, Rostelecom-Solar provides DDoS protection for more than 400 companies and organizations from the public sector, banks, fuel and energy complex, industry, retail, and other industries. Among the protected facilities is a large number of key Russian Internet resources. The Solar JSOC Cyber Attack Center (which is over 400 cybersecurity specialists) works around the clock.
Fast payment system subjected to DDoS attack
On March 5, 2022, the Bank of Russia noted a slowdown in the work of the Fast Payment System (FPS) due to an increased background of DDoS attacks on the channels of telecom providers; this did not affect the safety of funds, the regulator said. Read more here.
Dozens of cyber attacks with a capacity of 1 Tbit/s hit the State Public services portal
At the end of February 2022, the Ministry of Digital Development of the Russian Federation reported large-scale DDoS attacks on the Public services portal. The failure is recorded against the background of the beginning of the Russian special operation. Read more here.
DDoS attacks on Russian media
In February 2022, hackers from Anonymous declared a "cyber war" on Russia over the special operation.
"The Anonymous team is officially waging cyber warfare against the Russian government," the hackers said in a statement.
The first victim of their attack was the RT website - on February 24, 2022, the TV channel was subjected to a DDoS attack. On the same evening, the websites of the Kremlin, the government of the Russian Federation, the State Duma and the Federation Council worked with difficulties.
On February 25, 2022, the sites of RBC and other media were subjected to DDoS attacks. During such attacks, hackers send a large number of requests to the site that exceed the bandwidth of the network - this blocks the operation of the resource.[19]
The largest DDoS attack on Russian retailers was recorded
At the end of January 2022, the largest DDoS attack to date on Russian retailers was reported. According to Qrator Labs, which specializes in ensuring the availability of Internet resources, the attack, carried out with a botnet of more than 160 thousand devices, took place at the end of 2021.
As Kommersant writes, citing Qrator Labs founder and CEO Alexander Lyamin, the purpose of these massive DDoS attacks was not to disrupt IT infrastructure but to collect internal data from companies. The botnet's victims were large retail chains, he said.
The main danger of such data mining for retailers is that the collected information can be used for competitive analysis. Data mining is also often used in fraudulent schemes involving the theft or manipulation of bonus points, and as a tool of unfair competition.
The Lenta retail chain reported that the number of cyber attacks on retail has increased, but that the company was able to protect its data.
CROC cybersecurity expert Dmitry Starikovich believes that network traffic analysis and process control on network endpoints will help to cope with the threat: in this way anomalies can be detected and servers infected by the botnet identified.
"The retail sector is well suited for this, since all chain stores have online versions, and analyzing the availability of goods on the site, customer reviews or price changes allows competitors to run their business more efficiently," said Sergey Nenakhov, head of the information security audit department at Infosecurity (a Softline company).
According to Qrator Labs, at the end of 2021 website builders, educational organizations and Russian e-commerce companies also became victims of cyber attacks, including DDoS.[20]
2021
The Ministry of Digital Development of the Novosibirsk Region withstood the most powerful DDoS attack in 2 years
The Ministry of Digital Development and Communications of the Novosibirsk Region withstood the most powerful DDoS attack in two years; as a result, the regional government's websites were down or worked intermittently. The ministry reported this on February 20, 2022. Read more here.
Industries in Russia most affected by DDoS attacks
On January 26, 2022, the information security company StormWall published a study listing the industries in Russia that faced the most DDoS attacks. The most affected in 2021:
- financial sector (43%);
- retail (31%);
- the gaming industry (18%);
- telecom (4%);
- education sector (3%);
- the rest (1%).
According to the experts, the number of DDoS attacks on the financial sector in 2021 increased by 84% compared to 2020. The financial industry is always attractive to hackers, who constantly look for new tools for organizing cyber attacks. In 2021 such tools were new botnets, with which attackers were able to launch attacks on financial institutions with a capacity of up to 1.2 Tbit/s.
The number of cyber attacks on online retail grew by 75%. The report notes that the number of DDoS attacks on retail in August 2021 increased by 62% compared to the same period of the previous year, and in November by 330% compared to November 2020, owing to intense hacker activity around Black Friday.
Analysts note that the number of attacks on the gaming industry also increased (by 62% compared to 2020); here a record-setting attack for the industry was recorded at 2 Tbit/s. The education sector was also attacked more often (an increase of 36%), but most of those attacks were organized by students themselves.
StormWall co-founder Ramil Khantimirov noted that cybercriminals have become more inventive; in particular, they have learned to combine botnets, which makes attacks even more destructive. In his opinion, because of the ongoing pandemic and the difficult economic situation, in 2022 DDoS attacks will be aimed at the financial sector, retail, telecom and medicine.
A record DDoS attack hit the State Public Services portal
On November 11, 2021, a record DDoS attack hit the State Public Services portal, the Ministry of Digital Development of the Russian Federation reported. According to the ministry, the attack reached 680 Gbps. Read more here.
The State Center for Communication Network Management in the Russian Federation will deal with DDoS attacks
On October 20, 2021, it became known that the Center for Monitoring and Management of Public Communications Networks (CMU), created under the "sovereign Runet" law, will be used to counter DDoS and other hacker attacks in addition to its main function of blocking prohibited content in Russia. Read more here.
Increase in the number of DDoS attacks on educational institutions by 118%
On October 15, 2021, analysts at StormWall, which specializes in protecting online resources from cyber attacks, reported a surge in DDoS attacks on the online services of Russian educational institutions in September 2021. In September 2020 experts had also observed a flurry of attacks on education, but this year the number of DDoS incidents grew significantly: according to the experts, in September 2021 the number of DDoS attacks on educational institutions increased by 118% compared to September 2020.
According to the experts, the increased hacker activity is associated with the start of the school year. Although most educational institutions in Russia operate as usual, they continue to actively use digital platforms in the educational process, and DDoS attacks on the online resources of schools and universities can be organized by students seeking to knock out information systems and avoid homework.
Experts analyzed the nature of the incidents and determined that most of the DDoS attacks had low power (10-20 Gbps), which indicates that cheap, readily available tools were used, the kind inexperienced hackers can operate. However, attacks of up to 300 Gbps were also recorded; these required more expensive tools, such as botnet rental at $100-200 per day.
"Education has always been one of the most attacked industries. During the pandemic, Russian educational institutions began to use innovative information systems more actively, which significantly improves the quality of education. However, most educational digital platforms have insufficient protection against cyber threats, which makes them easy prey for hackers," said Ramil Khantimirov, CEO and co-founder of StormWall.
Yandex revealed details of the "largest ever" DDoS attack by the Mēris botnet
On September 9, 2021, Yandex revealed details of a DDoS attack that the company called "the largest in history." The attack was reportedly carried out using a new botnet, Mēris ("plague" in Latvian). Read more here.
Yandex was subjected to the largest cyber attack in the history of Runet
On September 7, 2021, it became known that a few days earlier Yandex had been subjected to the largest cyber attack in the history of the Russian Internet (Runet). A source in the company told Vedomosti about the incident. The information was confirmed by Yandex and by the American company Cloudflare, which specializes in repelling cyber attacks and cooperates with Yandex. Read more here.
The website of the Russian Ministry of Defense failed due to a cyber attack
On July 16, 2021, the website of the Russian Ministry of Defense came under cyber attacks which, according to the "confirmed data" of the ministry, were organized from abroad. Read more here.
The number of DDoS attacks on companies' online resources will increase by at least 20%
According to StormWall specialists, in 2021 the number of DDoS attacks on companies' online resources will increase by at least 20% compared to the previous year. DDoS attacks have grown steadily for several years in a row, and in 2021 this growth will be reinforced by several factors: more novice cybercriminals among students and schoolchildren because of distance learning during the pandemic, and greater criticality of Internet services because many employees work remotely while most companies continue to actively develop their online business. StormWall reported this on March 30, 2021.
In addition, the Internet has become a more "DDoS-aggressive" environment: at the beginning of 2021, powerful tools for organizing DDoS attacks became available to a wide range of customers, for example a 400 Gbps attack launched from real devices for $500 per week, sold via Telegram. Such an attack can often be obtained for free by posing as a potential buyer and requesting a test of several minutes; the attack is likely to affect not only the "victim" itself but also several Internet providers on the path to it, leaving thousands of users and online resources without Internet access.
Experts warn that in 2021 the power of DDoS attacks will also grow with the rollout of 5G networks: with this technology a DDoS attack of more than 1 Gbps can be launched from each mobile device. If an attacker controls tens or hundreds of thousands of infected smartphones, tablets and IoT devices, the attack can reach several Tbit/s and will be extremely difficult to repel.
Experts note that hackers have recently begun to act more intelligently, increasingly launching attacks using bots that can automatically bypass common defenses. Experts expect new types of DDoS attacks directed at the UDP protocol, since UDP applications are often not protected as effectively as TCP ones; these are, first of all, online games, voice services and the QUIC protocol, which Google and Facebook use to speed up their web resources.
Because of the new threats, the various types of DDoS protection (anti-DDoS, WAF, anti-bot, IDS/IPS) are expected to be integrated into a single system that secures the customer's Internet perimeter. Artificial intelligence will also be used increasingly to protect online resources, as attacking bots become harder to distinguish from real users.
2020
The number of DDoS attacks on online stores in Russia doubled; average damage 600 thousand rubles per day
The number of DDoS attacks on Russian online stores doubled in 2020, and about 40% of them fell in the last three months of the year, which is linked to Russians' online shopping ahead of the New Year holidays. These figures were collected by experts of Rostelecom's cybersecurity division.
The company noted that online trading is a traditional target of hackers, but in 2020 quarantine restrictions made it especially attractive to attackers, as demand for online shopping surged.
At the same time, cybercriminals began to look for quick and cheap methods of organizing DDoS attacks, often relying on the duration of the "assault" to "exhaust" the victim and take its resources offline, Rostelecom said.
"Against the background of a sharp increase in demand for online services, attackers began to look for quick and cheap methods of organizing DDoS 'here and now'. At the same time, cybercriminals relied on the duration of attacks in order to 'exhaust' the victim and probably disable its resources. The use of simple technologies for organizing DDoS as a whole distinguished the past year. This trend can be traced in attacks not only on online retail but also on other industries," says Timur Ibragimov, head of Anti-DDoS services at Rostelecom Solar MSS.
According to the experts, a successful DDoS attack could cost a large online store about 600 thousand rubles a day on average and a small one 50-100 thousand rubles a day.
The study says that in 2020 hackers preferred simple methods of organizing DDoS, but their toolset became more diverse: whereas earlier more than 80% of attacks on online retail were UDP floods, in 2020 their share fell to a quarter. In a UDP flood the victim's server is sent a huge number of UDP packets that consume the entire bandwidth of its link; the channel is saturated and legitimate requests can no longer get through. Because UDP is connectionless, the source addresses in such floods are trivially spoofed, which is why filtering by source alone rarely helps.[21]
StormWall: Most DDoS attacks targeted the entertainment sector, telecom and online retail
StormWall experts analyzed DDoS attacks on various industries in Russia in 2020. According to the analysis published by StormWall on December 23, 2020, the most attacked industries were entertainment (40.76%), telecommunications (29.27%) and online retail (11.94%). Also attacked during the year were construction (6.26%), finance (4.56%), education (3.61%), services (2.58%) and others (1.02%). The analysis used data from StormWall customers in different industries.
The entertainment sector was subjected to DDoS attacks more often than others in 2020. The number of DDoS attacks on entertainment sites grew by 7% compared to 2019. The gaming sector has traditionally been the most popular target, since hackers can quickly profit by blackmailing the owners of an entertainment resource. The number of DDoS attacks on the telecommunications industry increased by 35% compared to the previous year. The noticeable growth in attacks on telecom companies was due to increased competition in this market: with the shift to remote work, customers' requirements for uninterrupted Internet access rose, as did the criticality of this infrastructure, which competitors exploited.
The number of DDoS attacks on online retail grew by 400% compared to the previous year; the attacks were used mainly for unfair competition and for extortion.
The share of DDoS attacks on banks and financial institutions increased by 27% in 2020 compared to the previous year. The main motive for attacks on the financial sector was data theft; of greatest interest to hackers were users' personal data and bank card data.
Based on the analysis, StormWall experts were able to highlight several main trends in the development of DDoS attacks in 2020.
- Attackers are looking for vulnerabilities that allow a resource to be disabled with a small number of requests per second, which requires intelligent DDoS protection that analyzes traffic proactively and can be trained.
- Attacks are becoming more powerful, so companies will have to change their defense tactics and go beyond basic security strategies in order to detect and fix vulnerabilities in online services and networks.
- The continued growth of DDoS attacks will force companies to think about protection against such threats in advance. Companies have tended to connect DDoS protection only after an attack has already happened; instead they need to plan their defenses for the future.
"Due to the pandemic and the massive use of online services in 2020, the number of attacks has increased significantly compared to 2019. This year even the education sector was attacked, which had hardly been attacked before. Due to the difficult economic situation and the aggravation of competition in 2021, DDoS attacks may target companies from industries that were previously rarely attacked by hackers, for example real estate, logistics and medicine," said Ramil Khantimirov, CEO and co-founder of StormWall.
A large-scale DDoS attack was carried out on RCTU services
On August 24, 2020, the Russian University of Chemical Technology named after D.I. Mendeleev (RCTU) reported that for the second day in a row its services had been subjected to a large-scale DDoS attack. The first failures of the IT infrastructure were recorded on August 23 at 15:20, when, as a result of the ongoing attack, the university's server equipment was overloaded and temporarily unavailable. Because of this, the online resources (the main muctr.ru site) and the university's email service became unavailable to external users. Read more here.
Rostelecom-Solar: During quarantine, the volume of DDoS attacks in Runet increased 5 times
During the self-isolation regime introduced amid the spread of COVID-19 (March-May 2020), five times more DDoS attacks were recorded than a year earlier. This follows from a report prepared by Rostelecom-Solar experts based on attacks observed in the first five months of 2020. Rostelecom-Solar announced this on July 2, 2020.
The reporting period makes it possible to follow in detail how attackers increased their activity as quarantine measures were introduced. Compared with January 2020, the number of attacks rose by 56% in March and by 88% in April, the peak of hacker activity. In 2019 the dynamics were not so pronounced, and the number of attacks remained roughly the same from month to month.
While the number of attacks rose dramatically, their power and complexity fell noticeably. In most cases attackers resorted to simple and easily available tools, for example DNS or NTP amplification. The power of such DDoS attacks does not exceed 3 Gbit/s; they are carried out using unprotected Internet-facing servers (open resolvers and NTP servers that answer queries from anyone), which almost any interested person can abuse. Notably, at the end of 2019 Rostelecom-Solar experts had recorded the opposite trend: a sharp increase in attack power and sophistication. During the pandemic the number of complex attacks did not decrease, but their share fell against the background of a sharp increase in simple ones. This may mean that most DDoS attacks in the reporting period were launched by amateurs rather than professionals.
The largest share of attacks in March-May fell on online trading (31%), traditionally one of the main DDoS targets. The public sector came second (21% of attacks), followed by the financial sector (17%), telecom (15%), education (9%) and gaming (7%).
Although online trading was the most attacked area, education showed the most pronounced growth in the number of attacks. In the peak period, April, hackers' interest in educational resources (electronic diaries, sites hosting tests, online lesson platforms, etc.) increased 5.5 times relative to March and 17 times relative to January 2020. Recalling that the "junk" traffic was sent mainly by amateur hackers, Rostelecom experts suggest that schoolchildren wanting to disrupt the educational process were behind these attacks.
There was also a significant increase in attacks on government agencies and the gaming segment: in both cases roughly a threefold increase in April compared to March. In the public sector, the peak of attacks coincided with the launch of platforms for monitoring the movement of citizens, providing benefits, etc. The sharp growth of hackers' interest in gaming is linked to the significant increase in the audience of online games and e-sports during self-isolation, which intensified competition between platforms; DDoS, which allows a competing online resource to be knocked offline, was therefore in high demand.
"DDoS attacks are becoming more and more popular among cybercriminals, primarily because of the low cost of organizing them: it is enough to find vulnerable amplifying servers on the Internet. At the same time, protecting against such attacks requires purchasing expensive computing and channel capacity. During the period of self-isolation, an increase in the number of DDoS attacks was expected. In many industries there has been a forced digitalization of revenue-generating tools. In five months of 2020, the volume of Internet traffic on Rostelecom's network increased by about 20%, which prompted attackers to act. The hardest month for owners of online resources was April, when a strict self-isolation regime was in effect in Russia. In May the intensity of DDoS gradually began to subside. This trend will continue for some time, but a return to pre-quarantine values should most likely not be expected, since quarantine gave a powerful impetus to moving business processes online and a proportional increase in the activity of cybercriminals," said Ivan Miroshnichenko, head of the group for the development of web application protection services in Rostelecom's cybersecurity division.
"Rostelecom-Solar" noted a sharp increase in DDoS attacks on educational institutions and telecom companies
Hackers have begun to use DDoS attacks much more often against telecom companies, educational institutions and government bodies. This follows from a report based on attacks observed and neutralized on Rostelecom's network in 2019 and early 2020. Rostelecom-Solar announced this on April 30, 2020.
A little more than a year ago, the telecom industry accounted for only 10% of all DDoS attacks, but now this figure has grown to 31%. Most often, hackers target small regional Internet providers, hosting companies and data centers, which usually do not have the resources needed to repel powerful attacks.
The share of government organizations and educational institutions in the total volume of DDoS attacks was previously 2% and 1% respectively, but over the year grew to 5% for each segment. This is due to digitalization and the launch of their own Internet resources, on which the activities of such organizations increasingly depend, especially during self-isolation.
The largest increase (153%) in the number of attacks was recorded for educational resources, including electronic diaries and sites hosting tests. Rostelecom-Solar experts do not rule out that the initiators of such attacks are students themselves, which once again shows how affordable organizing a DDoS attack has become given the relatively weak security of some sites.
Despite the sharp increase in DDoS in certain segments, the gaming industry is still the leader in this indicator: for 2019 and the beginning of 2020, 34% of attacks were directed at game servers (against 64% in 2018).
Overall, during the reporting period the number of DDoS attacks on Russian companies increased by 63%. The attackers also changed tactics: instead of "exhausting" the victim with long low-power attacks, they now prefer short bursts with a large volume of junk traffic. The most powerful DDoS attack of 2019 was 405 Gbps, below the record of recent years of 450 Gbps; although the record was not broken, average DDoS power grew over the year.
The growth in attack power is associated with the considerable technical progress attackers demonstrate. In particular, they have begun to actively use IoT devices, which allow large botnets to be built and attacks intensified. In 2019 a record IoT attack of 178 Mpps was recorded on Rostelecom's networks; it targeted a betting company and was carried out with a botnet of 8,000 real devices.
As Rostelecom-Solar experts explain, when hackers hit a victim with a fast and powerful wave of requests, not all anti-DDoS services manage to identify the IP addresses of the devices involved, and the "unidentified" addresses can then be reused in subsequent attacks.
"Based on current trends, we predict a further increase in the number of DDoS attacks this year. Attackers will actively use existing methods and their combinations, continuing to look for new technologies. At the same time, against the background of the deployment of 5G networks and IPv6, the use of IoT devices to organize more powerful attacks will expand. With such an increase in the aggressiveness of the Internet environment, it is better for companies on the global network to realize as soon as possible that integrating information security processes, including DDoS counteraction, into the organization's regular business processes is vital for further effective development," said Ivan Miroshnichenko, head of the Rostelecom-Solar web application protection services development group.
2019
In the fourth quarter, the number of DDoS attacks almost doubled
On February 14, 2020, Kaspersky Lab reported that the number of DDoS attacks in the fourth quarter of 2018 amounted to only 56% of the number of attacks blocked by the Kaspersky DDoS Protection solution in the last three months of 2019, i.e. attacks almost doubled year over year. Research into botnet activity also found that about 28% of attacks occurred on weekends. Among the countries in which the largest number of botnets were registered, Russia took fourth place (about 4%).
According to the report, the main trend of the last quarter of 2019 was increased botnet activity on Sundays: the share of attacks on that day of the week rose by two and a half percentage points, to 13%. Although such a change may seem insignificant, the share of DDoS attacks on Sundays was about 10-11% during the other three quarters of the year. Thursday was the quietest day for DDoS attacks in the fourth quarter of 2019, and the difference between the busiest and the quietest day of the week was only about two and a half percentage points (in the previous quarter it was seven percentage points).
Although the number of DDoS attacks detected by Kaspersky Lab's solution increased significantly compared to the same period of 2018, the increase over the third quarter of 2019 was small (Q3 attacks amounted to 92% of the Q4 number). The number of so-called smart DDoS attacks, carried out by experienced cybercriminals, grew more noticeably (Q3 attacks were 73% of the Q4 number). Such growth, according to Kaspersky Lab, is predictable, since November and December are traditionally the season of large online sales and peak retail activity.
"A significant surge in DDoS activity recently demonstrates that this type of attack is still very common among attackers who seek financial benefits or act on any other motive. Moreover, cybercrime is not standard office work from nine to five, so you need to continuously use a security solution to prevent DDoS attacks. All organizations must be prepared for such attacks and understand the vector of their development."
To protect against DDoS attacks, Kaspersky Lab recommends that organizations take the following measures:
- conduct stress tests and audits of web applications, involving in-house staff or third-party specialists, to identify the weakest points in the company's infrastructure;
- hire specialists responsible for maintaining web resources, and make sure they know exactly how to act in the event of a DDoS attack and can respond to such incidents outside working hours;
- review third-party agreements and contact information, including the agreement with the Internet provider and the ability to contact it quickly in the event of an attack;
- deploy professional solutions to protect the organization from such attacks.
Russian schoolchildren stage massive DDoS attacks
On November 11, 2019, Kaspersky Lab published the results of a study showing a 32% increase in the number of DDoS attacks worldwide in the third quarter compared to the same period of 2018. A similar surge occurred compared to the second quarter of 2019. Read more here.
2018
The number of DDoS attacks on Russian companies almost doubled
On March 27, 2019, Rostelecom published a study of DDoS attacks on the Russian segment of the Internet in 2018. According to the report, 2018 saw a sharp increase not only in the number of DDoS attacks but also in their power.
Compared to 2017, the number of attacks almost doubled (up 95%), which analysts attribute largely to how cheap and effective they are. The power of DDoS attacks also rose sharply: the most serious attack recorded by Rostelecom in 2018 targeted the telecom operator Dtel.ru and reached 450 Gbps, whereas the 2017 record was only 54 Gbps. The longest DDoS attack lasted 280 hours (11 days and 16 hours); by comparison, such attacks last 1.5-2 hours on average.
"Despite the intensive work of American and European law enforcement agencies to shut down public DDoS-for-hire services such as the well-known Webstresser.org, there was no noticeable decrease in the number of potentially dangerous attacks on Russian companies in 2018. Therefore, we will continue to actively develop layered DDoS protection at all levels of our clients' Internet infrastructure, from channels to the business logic of the protected applications. Preventive connection to it guarantees the availability and security of our customers' business in today's aggressive Internet environment," said Ivan Miroshnichenko, head of the development of MSSP services at Rostelecom-Solar.
Attackers most often target companies in the gaming industry and e-commerce. Attacks on game servers accounted for 64%; analysts believe this picture will not change in the coming years, and with the growth of e-sports the number of attacks on the industry can be expected to increase. E-commerce consistently holds second place (16%). The share of DDoS attacks on telecom grew from 5% to 10%, while the share of educational institutions, on the contrary, fell sharply from 10% to 1%. The average number of attacks per client grew by 45% in the gaming segment and by 19% in e-commerce.
DDoS attacks in 2018 peaked in November-December, the key months for e-commerce sales, when buying activity grows ahead of the holidays and major sales begin. DDoS allows a competitor's resources to be blocked temporarily or can be used as a blackmail tool against companies that earn most of their revenue in November-December.
The most popular DDoS method is the UDP flood, used in almost 38% of all attacks. There was also a sharp increase in the share of amplification attacks and SYN floods. What unites them is that amplification attacks do not require a botnet at all (and hence none of the cost of building or renting one), while SYN floods can be carried out with or without one. Both rely on spoofed source addresses: amplification attacks bounce large responses off open DNS, NTP and similar servers towards the victim, and SYN floods send connection requests that are never completed, tying up the server's half-open connection table.
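The three L3/L4 attack types this section and the 2020 Rostelecom-Solar material describe (direct UDP flood, DNS/NTP amplification, SYN flood) can be told apart in flow telemetry with a few simple rules. The classifier below is an added example, not code from the page or from any of the vendors it cites. It works on constructed NetFlow-style records using RFC 5737 documentation addresses, and every threshold in it is a hypothetical placeholder to be tuned against a real baseline. The one point worth noting is how amplification is recognised: not by volume, but by its signature of large UDP packets arriving from a reflector's service port that the target never queried.

```python
"""Flow-record classifier for the three volumetric DDoS patterns discussed on this
page: direct UDP flood, DNS/NTP amplification (reflection) and SYN flood.
Added example, not the page's or any vendor's code.  Flow records are constructed
(RFC 5737 documentation addresses); thresholds are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style) within a time window."""
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A"


# Services this page names as amplifiers; a real deployment would add SSDP, memcached, etc.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


def classify(flows, window_s=10, udp_pps_limit=50_000, syn_pps_limit=20_000,
             amp_mbps_limit=500, min_amp_pkt_bytes=400):
    """Aggregate flows per destination and return {dst: [sorted verdict strings]}.

    Amplification is recognised by its signature rather than by volume alone:
    UDP traffic *from* a reflector port, with large packets, that the destination
    never solicited (no flow from the destination to that source:port exists).
    Rates are per second over window_s; thresholds must be tuned to a baseline.
    """
    # Queries the protected hosts themselves sent: (client, server, service_port)
    solicited = {(f.src, f.dst, f.dport) for f in flows
                 if f.proto == "udp" and f.dport in REFLECTOR_PORTS}

    udp_pkts = defaultdict(int)        # direct UDP flood candidates
    syn_pkts = defaultdict(int)        # SYN without ACK = half-open attempts
    amp_bytes = defaultdict(int)
    amp_services = defaultdict(set)

    for f in flows:
        if f.proto == "udp":
            reflected = (f.sport in REFLECTOR_PORTS
                         and f.bytes / f.packets >= min_amp_pkt_bytes
                         and (f.dst, f.src, f.sport) not in solicited)
            if reflected:
                amp_bytes[f.dst] += f.bytes
                amp_services[f.dst].add(REFLECTOR_PORTS[f.sport])
            else:
                udp_pkts[f.dst] += f.packets
        elif f.proto == "tcp" and "S" in f.flags and "A" not in f.flags:
            syn_pkts[f.dst] += f.packets

    verdicts = defaultdict(list)
    for dst, n in udp_pkts.items():
        if n / window_s >= udp_pps_limit:
            verdicts[dst].append(f"udp_flood:{n // window_s}pps")
    for dst, n in syn_pkts.items():
        if n / window_s >= syn_pps_limit:
            verdicts[dst].append(f"syn_flood:{n // window_s}pps")
    for dst, b in amp_bytes.items():
        mbps = b * 8 / window_s / 1_000_000
        if mbps >= amp_mbps_limit:
            svcs = ",".join(sorted(amp_services[dst]))
            verdicts[dst].append(f"amplification:{mbps:.0f}Mbps[{svcs}]")
    return {dst: sorted(v) for dst, v in verdicts.items()}


TARGET = "203.0.113.10"     # attacked host (constructed)
QUIET = "203.0.113.20"      # host with only legitimate traffic (constructed)

SAMPLE_FLOWS = (
    # Direct UDP flood: 20 spoofed sources, 64-byte packets, to a closed port.
    [Flow(f"198.51.100.{i}", TARGET, "udp", 40000 + i, 80, 30_000, 1_920_000)
     for i in range(1, 21)]
    # Reflection: 10 open DNS resolvers and 10 NTP servers answering queries the
    # target never sent (the attacker spoofed the target's address as source).
    + [Flow(f"192.0.2.{i}", TARGET, "udp", 53 if i <= 10 else 123, 33000,
            50_000, 60_000_000) for i in range(1, 21)]
    # SYN flood: half-open connection attempts that never complete.
    + [Flow(f"198.51.100.{100 + i}", TARGET, "tcp", 50000 + i, 443, 40_000,
            2_400_000, "S") for i in range(1, 11)]
    # Legitimate DNS exchange initiated by the target: a large answer from port 53
    # that is NOT reflection because the matching query is present.
    + [Flow(TARGET, "192.0.2.53", "udp", 51234, 53, 1, 70),
       Flow("192.0.2.53", TARGET, "udp", 53, 51234, 1, 600)]
    # Quiet host: one normal TLS handshake and one DNS lookup.
    + [Flow("198.51.100.200", QUIET, "tcp", 50000, 443, 1, 60, "S"),
       Flow(QUIET, "192.0.2.53", "udp", 51235, 53, 1, 70),
       Flow("192.0.2.53", QUIET, "udp", 53, 51235, 1, 600)]
)

if __name__ == "__main__":
    for dst, v in classify(SAMPLE_FLOWS).items():
        print(dst, v)
```

On the constructed sample the attacked host is flagged with all three verdicts (the reflected traffic alone amounts to 960 Mbit/s over the 10-second window) while the quiet host and the legitimate DNS answer are left alone. In production the same logic would be fed from a flow collector per window; the solicited-query check is what keeps a busy resolver from being misreported as an amplifier.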
Kommersant survived DDoS attack
The website of the Kommersant newspaper was subjected to an intensive DDoS attack on the evening of May 30, 2018, which made the site inaccessible for more than an hour. As the editor-in-chief, Sergei Yakovlev, told the RNS news agency, the attack began shortly before 8 p.m. and lasted about 70 minutes. By 21:10 Moscow time the site was restored, but closer to 10 p.m. the outlet again noted access problems. As of May 31 the site was operating normally. Read more here.
2016
DDoS attacks on RT sites last more than seven days
Read more: RT TV (Russia Today)
Nexusguard: Russia leads in the number of targets for DDoS attacks
At the end of July 2016, Nexusguard, a company specializing in the development of cyber threat protection solutions on the Internet, published a report on DDoS attacks around the world. Most of the attacks were recorded in Russia.
According to the results of the second quarter of 2016, Nexusguard counted 182,900 DDoS attacks on a global scale, which is 83% more than a year ago. Russia ranked first in the number of such attacks. Experts did not specify how many of them were committed in our country, but noted that over 40% of the attacks were addressed to subscribers of the Starlink provider. In this case, attackers attacked DNS servers for a long time, as a result of which the average duration of DDoS attacks in the world began to be measured in hours, not minutes, as in January-March 2016.
Nexusguard says that targeted attacks on Russian companies were organized by nationalist hacker activists. At the same time, it was not about attacks commissioned by competitors.
The top three countries hit by the most DDoS attacks in the second quarter of 2016, in addition to Russia, included the United States and China. Brazil remained in the top ten, but the number of attacks in this country decreased by more than half.
"We were surprised by the increase in DDoS attacks this quarter, especially when hackers experimented with ransomware, phishing schemes and other methods of obtaining money," says Nexusguard Chief Scientist Terrence Gareau. "In 2016, the frequency of attacks on organizations could continue to rise, especially with more focus on the Summer Olympics and the election of a president in the United States in November."
As part of DDoS attacks, hackers most often used NTP and DNS servers - 85.8 thousand and 80.9 thousand cases, respectively, in the second quarter of 2016, the Nexusguard report said.[22]
2015
Qrator Labs Data
Every fourth bank of the Russian Federation faced DDoS attacks in 2015
On June 8, 2016, Qrator Labs reported an increase in the number of DDoS attacks in the world and Russia, in particular[23].
"DDoS attacks in Russia are 1-1.5 years ahead of such malicious campaigns in the world in terms of quality, which is why Russian banks and financial organizations are more often victims of such 'garbage' cyber attacks."
According to the expert, the number of incidents involving DDoS attacks is growing worldwide: in 2015 the number of such campaigns increased by 18%. In Russia the situation is considerably worse. According to the Qrator Labs study, in 2015 every fourth Russian bank faced this problem (according to Банки.ру, 733 banking institutions were operating in the Russian Federation as of June 15, 2016; TAdviser's note).
Compared to 2014, the increase in the number of DDoS attacks on financial institutions is 50%, on enterprises of the e-commerce sector - 70%, tourism - 150%. The most attacked was the real estate market, where the number of DDoS attacks increased by 170%.
According to a report by Imperva, DDoS botnet activity intensified in the first quarter of 2016. Attackers more often use DDoS bots that mimic the work of browsers, which can bypass security systems with "default" settings.
Threats of 2015 in online retail
On December 23, 2015, Qrator Labs announced the results of a November 2015 study by 42Future commissioned by Qrator Labs, which conducted a survey of twenty major online retailers on the topic "DDoS attack and its consequences."
The document presents the trends in cyber threats to the online retail industry identified by specialists from Wallarm (Onsec) and Qrator Labs.
In the November 2015 survey of representatives of 20 large Russian online retailers, a quarter of the respondents confirmed that their companies' websites had been subjected to DDoS attacks during 2015. A further 40% allow that they may have been attacked without the company registering the attack, which can happen, for example, when an effective external DDoS mitigation service absorbs it.
Assessment of the motives of the attack
According to the survey participants, DDoS attacks pose a serious threat to their business - 65% of respondents reported this. Almost everyone used the wording "very serious" or "serious" when answering a question about the significance of a cyber threat.
Companies that were subjected to DDoS attacks and did not use countermeasures noted the significance of the financial losses their business suffered as a result of the attack.
All respondents have an opinion on the reasons for organizing attacks on their business:
- the overwhelming majority consider unfair competition to be the main motive for customers of such attacks
- one fifth of the respondents noted that attacks can be initiated with the aim of causing losses for various reasons, including personal reasons (revenge, hostility, etc.).
- blackmail - this is how 45% of respondents determined the motives for the attacks
- entertainment - the opinion of 10% of respondents.
Without exception, all survey participants confirmed the presence of means of constant protection against DDoS in companies, their constant use:
- 90% of respondents use third-party solutions.
- 10% - own developments for these purposes.
Companies rarely rely on protection provided by their telecommunications service provider. Some respondents noted that the dedicated tools are supplied by a partner, a system integrator with which the company works on IT matters.
Software-based DDoS countermeasures are used by 50% of the surveyed companies and hardware appliances by 35%; the remaining 15% did not specify what type of solution they use. At the same time, 95% declared themselves satisfied with the chosen solutions and the level of protection.
DDoS in the segment of small and medium-sized online retail companies of the Russian Federation
According to Qrator Labs experts, the situation in the small online retail segment is the opposite: for the most part, small online stores do not use DDoS countermeasures.
As the company stated, DDoS as a tool of unfair competition is actively applied in this market sector due to its effectiveness and availability. Some small companies, having experienced a DDoS attack and lost money, are trying to develop their own countermeasures. At the same time, as a rule, outdated algorithms and ineffective filtering techniques are used, which lead to the disconnection of real clients instead of bots.
Attack regularity
Large online retailers are relatively rarely subjected to DDoS attacks, Qrator Labs noted - on average, no more than a dozen times a year. However, the increase in their number on average per Qrator Labs client in 2015 compared to 2014 was about 50%.
The exception is periods of seasonal activity and sales. At this time, the load on the network resources of retailers is growing as a result of the influx of buyers. According to Qrator Labs, live traffic on average doubles on such days.
2015 trends in DDOS and Internet security in Russia and in the world
The complexity of attacks is growing. Hackers combine different approaches, resorting simultaneously to DDoS attacks and attacks on application vulnerabilities.
The main observation of 2015 is a decrease in the peak speeds of DDoS attacks, which, however, does not give optimism - since it is compensated by an increase in their complexity.
If earlier attackers, as a rule, were limited to one type of DDoS, today attacks are multi-vector in nature (that is, they can be directed to several network layers and infrastructure elements at once), and become complex.
Hackers increase complexity and combine DDoS with 'hacking', i.e. attacks on application vulnerabilities. In 84% of cases, a DDoS attack is accompanied by attempts to hack a site. Thus, the means that provide only protection against DDoS today are insufficient to ensure the availability of the Internet resource.
Nevertheless, companies that take a comprehensive approach to building a system for countering attacks of increased complexity manage to neutralize these risks quite successfully (see the QIWI payment service case in the chapter 'Combined Attacks').
Minimal cost and ease of implementation of attacks.
It has never been cheaper to launch a DDoS attack: this event today costs from $5 per hour. As a result, compared to 2014, the average number of attacks per site in 2015 doubled. Attackers are actively using cloud providers to quickly obtain resources, including for free, using bonus and trial programs.
The picture for hacking attacks is similar. Thanks to the availability of tools for finding and exploiting vulnerabilities, a successful attack in many cases no longer requires serious expertise: attacks are increasingly carried out not by professional hackers but by mid-level actors who search for and exploit known vulnerabilities with ready-made tools, guided by articles and video tutorials.
The main challenge in terms of DDoS protection was application-level (L7) attacks.
In 2015, application-layer (L7) attacks increased; they often accompany DDoS attacks on the channel layer (L2). Protection against application-level DDoS attacks is the hardest case, requiring maximum expertise and speed of response when the attack vector changes. At the same time, attackers use intelligent automated tools that leave no room for an individual specialist on the defending side to keep up. Today it can be said that only systems based on machine learning algorithms counter such DDoS effectively. Systems operating under the control of a human operator cannot cope with modern multi-vector attacks in real time without significant interruptions in serving user traffic.
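An L7 flood consists of syntactically valid HTTP requests, so the defender has to reason about request cost and rate per client rather than packet signatures. The following is an added example (not Qrator Labs or Wallarm code) of a per-client sliding-window detector run over a constructed access log; the hostnames, IP addresses, paths, the `PATH_COST` table and the thresholds are all assumptions chosen for illustration. The bot node deliberately carries a browser-like User-Agent, matching the page's observation that bots imitating browsers defeat "default" settings.

```python
"""Sliding-window, cost-weighted L7 flood detector over a constructed
access log. Added example, not code from the original page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format; referrer and user-agent are not needed by the check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed relative backend cost of each endpoint: a search hits the database,
# a static or item page is served cheaply. Real deployments measure this.
PATH_COST = {"/search": 5, "/api/report": 5}


def request_cost(path):
    """Cost units charged for one request, keyed on the path without the query."""
    return PATH_COST.get(path.split("?", 1)[0], 1)


def parse_line(line):
    """Return a dict with ip/ts/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def find_l7_flooders(lines, window_seconds=10, max_cost=50):
    """Flag a client the first time the cost of its requests inside the last
    `window_seconds` exceeds `max_cost`. Returns {ip: time_of_first_flag}."""
    windows = defaultdict(deque)   # ip -> deque of (timestamp, cost)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append((rec["ts"], request_cost(rec["path"])))
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()            # drop requests that fell out of the window
        if sum(c for _, c in q) > max_cost and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# ---- constructed sample log (not real traffic) ----
BASE = datetime(2015, 3, 10, 12, 0, 0, tzinfo=timezone(timedelta(hours=3)))
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0 Safari/537.36"


def _line(ip, offset_s, path, ua=CHROME_UA):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return offset_s, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "-" "{ua}"'


def build_sample_log():
    events = []
    # bot node: four expensive search requests per second for five seconds,
    # hiding behind a browser User-Agent
    for sec in range(5):
        for n in range(4):
            events.append(_line("198.51.100.7", sec, f"/search?q=item{sec * 4 + n}"))
    # real shopper: a handful of pages over a minute, two of them searches
    for off, path in [(0, "/"), (3, "/search?q=shoes"), (5, "/item/42"), (9, "/item/43"),
                      (20, "/search?q=boots"), (25, "/item/77"), (40, "/cart"), (55, "/checkout")]:
        events.append(_line("203.0.113.5", off, path))
    # polite crawler: one cheap request every three seconds
    for k in range(20):
        events.append(_line("203.0.113.9", k * 3, f"/item/{k}", ua="ExampleBot/1.0"))
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, when in find_l7_flooders(SAMPLE_LOG).items():
        print(f"L7 flood suspect {ip} first exceeded budget at {when.isoformat()}")
```

The shopper and the crawler each stay well under the budget (cost 8 and 4 inside any 10-second window), while the bot is flagged on its eleventh search. Weighting by endpoint cost is what separates this from a plain request counter: twenty cheap requests are harmless, twenty database searches from one client in five seconds are not.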
The most common vector for hacking attacks on sites is still SQL injection. Mass brute force attacks have become a new challenge.
The most common attacks are still SQL injections (37.75% of all attacks), in which specially crafted input causes an arbitrary query to be executed against the application's database. Easy to carry out with automated tools, they give attackers direct access to the resource's database. To bypass security solutions, attackers increasingly obfuscate (mask) malicious requests, which works against WAFs that do not take the structure and specifics of the application into account. Last year the number of brute force attacks, including password brute-forcing, grew substantially (21.85%). In Russia this especially affected online retailers, where attackers gained access to accounts en masse using login-password databases leaked from other resources (credential stuffing).
Various groups use mass Internet scanning techniques.
Mass scans of the entire Internet have ceased to be the lot of Google and other search giants, and now for various purposes are carried out by different groups of people. Attackers are trying to find web resources, routers, IoT devices with known vulnerabilities for fast and automated seizure of control. These resources are further actively used to implement powerful DDoS attacks, anonymization, cryptocurrency mining, etc.
Qrator Labs neutralized 9,347 DDoS attacks in the first half of the year
In the first half of 2015, Qrator Labs, using its own service of the same name, neutralized 9,347 DDoS attacks. In the same period in 2014, this figure was 2,715. The increase in the total number of attacks is due to both the growth of the company's client base and a significant increase in the activity of cybercriminals. The maximum number of attacks per day neutralized by the Qrator traffic filtering network increased from 38 in the first half of 2014 to 109 in 2015. The average number of DDoS per day also increased - from 15 to 51, respectively.
The maximum size of a botnet involved in an attack decreased from 420,489 to 162,528 machines, while the maximum attack duration increased from 91 days in 2014 to 122 days in 2015. The number of spoofing attacks also grew, from 1,557 to 6,065; these are attacks in which the source IP address is forged so that the traffic appears to come from someone other than the real sender.
Compared to the first half of 2014, in the same period of 2015 the number of attacks faster than 1 Gbit/s increased from 198 to 276. The number of high-speed attacks, over 100 Gbit/s, also increased, from 45 to 67.
The number of amplifiers on the network has been trending downward thanks to telecom operators' efforts to counter this threat. Contrary to forecasts, however, this is not yet enough to reduce the number of amplification attacks: there are still far too many amplifiers, enough to mount an attack of several hundred gigabits per second. An amplifier is a UDP service that answers without authentication and returns a response many times larger than the request. To abuse it, the attacker forges the source address of the UDP packet, substituting the address of the targeted service. The attacker thus sends small packets that barely load his own links, while the amplifier sends responses many times larger to the target.
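The mechanism described above can be seen from the victim's side in flow data: many reflector IPs answering from the same service port, all to one destination, with large packets. The following added example (not Qrator Labs code) computes the bandwidth amplification factor and the resulting attack bandwidth, then runs a simple detector over constructed flow records. The amplifier port table and its factors are assumptions; the NTP and DNS ratios are the ones cited on this page, the others are commonly quoted orders of magnitude.

```python
"""Reflection/amplification DDoS: amplification arithmetic and a flow-based
detector. Added example; flow records are constructed for illustration."""
from collections import defaultdict

# UDP services historically abused as amplifiers: service port -> (name,
# approximate bandwidth amplification factor). Assumed values for illustration.
AMPLIFIER_PORTS = {
    123: ("ntp-monlist", 556),
    53: ("dns", 54),
    19: ("chargen", 358),
    1900: ("ssdp", 30),
    11211: ("memcached", 10000),
}


def bandwidth_amplification_factor(request_bytes, response_bytes):
    """BAF = bytes the amplifier sends to the victim per byte the attacker sends."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def reflected_bandwidth_bps(attacker_bps, baf):
    """Traffic arriving at the victim when spoofed requests sent at
    `attacker_bps` are multiplied by an amplifier with factor `baf`."""
    return attacker_bps * baf


# Constructed flow records as a victim-side collector would export them.
# Five NTP reflectors answer spoofed monlist requests toward 203.0.113.10;
# the other flows are ordinary traffic that must not be flagged.
FLOWS = [
    {"src_ip": "198.51.100.1", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40001, "proto": "udp", "bytes": 482_000, "packets": 1000},
    {"src_ip": "198.51.100.2", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40002, "proto": "udp", "bytes": 482_000, "packets": 1000},
    {"src_ip": "198.51.100.3", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40003, "proto": "udp", "bytes": 482_000, "packets": 1000},
    {"src_ip": "198.51.100.4", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40004, "proto": "udp", "bytes": 482_000, "packets": 1000},
    {"src_ip": "198.51.100.5", "src_port": 123, "dst_ip": "203.0.113.10",
     "dst_port": 40005, "proto": "udp", "bytes": 482_000, "packets": 1000},
    # legitimate DNS answers to a client that actually asked: one resolver, small packets
    {"src_ip": "192.0.2.53", "src_port": 53, "dst_ip": "203.0.113.20",
     "dst_port": 51515, "proto": "udp", "bytes": 12_000, "packets": 100},
    # ordinary TCP web traffic, outside the scope of the UDP check
    {"src_ip": "192.0.2.80", "src_port": 443, "dst_ip": "203.0.113.20",
     "dst_port": 52000, "proto": "tcp", "bytes": 90_000, "packets": 90},
]


def detect_reflection(flows, min_reflectors=3, min_avg_packet_bytes=400):
    """Group inbound UDP flows by (destination, source service port). A known
    amplifier port, several distinct reflector addresses and a large average
    packet size together point to a reflection attack on that destination."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in AMPLIFIER_PORTS:
            continue
        g = groups[(f["dst_ip"], f["src_port"])]
        g["sources"].add(f["src_ip"])
        g["bytes"] += f["bytes"]
        g["packets"] += f["packets"]
    alerts = []
    for (victim, port), g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_reflectors and avg >= min_avg_packet_bytes:
            alerts.append({"victim": victim, "service": AMPLIFIER_PORTS[port][0],
                           "reflectors": len(g["sources"]), "bytes": g["bytes"],
                           "avg_packet_bytes": round(avg)})
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    # 1 Gbit/s of spoofed requests through an NTP amplifier (assumed factor)
    print("reflected:", reflected_bandwidth_bps(1_000_000_000, AMPLIFIER_PORTS[123][1]) / 1e9, "Gbit/s")
    for a in detect_reflection(FLOWS):
        print(a)
```

The detector keys on what the victim can observe (service port, reflector fan-in, packet size) rather than on the spoofed requests, which the victim never sees. In production the thresholds would be baselined per destination, and the source-port check should include whatever services the network's own scans find exposed, not only this table.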
Again, there was a tendency to increase the number of DDoS attacks on web applications at the L7 level of the OSI network model using classic botnets. Such a botnet can perform network attacks on a remote command without the knowledge of the owners of infected computers. If earlier botnets were used mainly for sending spam, mining cryptocurrencies and performing primitive DDoS attacks, today they have become a more serious security threat. According to Qrator Labs, there will be even more such attacks in the near future.
Large-scale DDoS attacks are carried out less and less often, but they sometimes return. A striking example is attacks using WordPress servers.
In the first half of 2015, Wallarm (Onsec) registered 37.8% more application-level attacks than in the same period of 2014.
The weighted average number of attacks per web project per day also increased, from 47 to 89. This figure reflects the number of automated tools (scanners) continuously probing sites on the Internet, so one can speak of the network becoming more "aggressive" toward sites.
The average number of vulnerabilities found by Wallarm in the first month after the new client was connected increased from 5 to 7. At the same time, the share of critical vulnerabilities from them, as last year, averages 2.
The share of projects where no vulnerabilities were found in the first month, as last year, did not exceed 2%.
The risk zones of hacking by industry, compared to 2014, look different. The gaming industry comes out on top, and the leader of last year - electronic banking - dropped to 4th position.
Advertising networks saw peak attacker interest in 2005-2008. In the first half of 2015 the industry moved from 5th to 2nd place. Attackers are particularly interested in CPA (affiliate) networks because of how they are paid: a compromised affiliate network does not suffer economic losses itself and, on the contrary, only gains. Having gained access to the affiliate network's database, the attacker inflates the number of impressions for his own sites and so increases his payouts without actually delivering the advertising he is paid for. The network takes its commission, and the advertiser pays for everything. The result is a curious situation: when a CPA network is hacked, its advertisers lose while the network itself earns more. In the long run this means reputational damage to the network, but several years may pass before that happens.
Qrator Labs analysts predict that the number of DDoS attacks will increase by 20%. Experts note that the average and maximum sizes of botnets have grown. And although the number of attacks of the DNS/NTP Amplification class (which previously occupied 50% of the attack structure) has decreased, now attackers are focusing on network infrastructure of providers.
For 2015, the company's experts predict an increase in attacks on resources hosted on cloud infrastructure (including Amazon Web Services), hacking and infection of Internet of Things devices, the emergence of new SSL vulnerabilities, and attacks on NoSQL databases.
Unfavorable trends in the economy will also be reflected in the statistics of DDoS attacks. DDoS can become a tool for revenge for dismissal, or the number of attacks can increase due to new employees of IT departments who do not have enough experience.
It is also expected that Russian companies will follow the course of import substitution and will purchase solutions from domestic vendors certified by FSTEC and the FSB.
2014: Kaspersky Lab: a new jump in DDoS attacks in the spring
Kaspersky Lab recorded a new jump in the power of DDoS attacks in Runet in the spring of 2014. During the spring "campaign" of attackers, who simultaneously targeted several leading Russian banks, large companies and government agencies, the average attack power was 70-80 Gbit/s. A year earlier, the most powerful DDoS attack in Runet had not exceeded 60 Gbit/s.
The antivirus company attributes the increase in attack power to the spread of NTP amplification among cybercriminals. Attacks of this type have an amplification factor of up to 556. For comparison, the widely reported DNS amplification attacks of a year earlier have a factor ten times lower, up to 54.
It was NTP amplification, alongside the widespread SYN flood, that cybercriminals used during the spring wave of DDoS attacks, which affected the largest banking structures in Russia, including Alfa Bank and VTB24, federal ministries, one of the largest Russian airlines, Aeroflot, the Russia Today TV channel and other organizations. At peak moments the attack power reached 120 Gbit/s.
The victims of DDoS attacks for 2013-2014 (October-November) were 52% of Russian companies, whose online services are critical for business - among them online stores, media and financial institutions. These are the results of a study conducted by Kaspersky Lab in conjunction with B2B International. This indicates that DDoS attacks are gaining popularity and have already become a familiar phenomenon for Internet business.
The number of victims varies depending on the geographical affiliation and scope of the companies. In Russia, the list of industries most affected by DDoS attacks includes finance, e-commerce and the media. So, among financial organizations, 42% of respondents reported that they faced similar incidents over the past year.
The consequences of DDoS attacks can vary depending on their power and duration. Even if attackers fail to completely deny the user access to the company's information resources, their partial inaccessibility is also a serious problem. Almost half of respondents (43%) said that the attacked site was unavailable for several hours, and 19% of respondents noted the inaccessibility of the web resource within two days.
On March 12, 2015, Kaspersky Lab and B2B International shared the results of a study of the losses a company incurs as a result of a DDoS attack on its online resource[24].
Figure: share of companies that faced DDoS attacks in the preceding 12 months, 2015.
According to this study, in which 3.9 thousand respondents from 27 countries took part, losses can average from $52 thousand to $444 thousand, depending on the size of the company. Reputational losses and costs caused by the inaccessibility of a public online resource for partners and customers are added to the costs of eliminating the consequences of such attacks.
The amount of losses calculated by experts includes several items:
- 61% of affected companies temporarily lost access to business-critical information due to a DDoS attack,
- 38% did not have the opportunity to continue their main activities,
- 33% reported missed business opportunities and contracts.
In addition, in 29% of cases, successful attacks negatively affected the credit rating, 26% of companies increased insurance premiums.
The average amount of damage from a DDoS attack includes the cost of eliminating the consequences of the incident. For example, 65% of companies were forced to engage information security consultants, 49% paid for changes to their own IT infrastructure, 46% turned to lawyers and 41% to risk management consultants. And these are only the most common items of expenditure.
"A successful DDoS attack can disable business-critical services, with serious consequences for the company. For example, we record cases when attacks on banks led not only to disruption of online services for several days, but also to interruptions in servicing bank cards and disruption of ATMs," Alexei Kiselev, Kaspersky DDoS Prevention manager at Kaspersky Lab, told Rossiyskaya Gazeta.
According to the experts, since the second half of 2014 DDoS attacks have become a means of fighting competitors: "The cost of an attack is not high, the contacts of the performers can be easily found, while the customer, as a rule, remains unidentified. So, since September 2014, the number of requests to us from organizations subjected to such attacks has increased significantly, which had not been observed before. The growth of such attacks is certainly also influenced by the political situation in the country and in the world and possible attempts to save on security solutions in a crisis," adds Evgeny Vigovsky, head of Kaspersky DDoS Prevention at Kaspersky Lab.
2013
NAIRIT: The number of DDoS attacks on objects in the Russian Federation in 2013 increased by 178%
The number of DDoS attacks on state and commercial infrastructure institutions in Russia in 2013 increased by 178%, while in previous years their growth rate did not exceed an average of 15%, according to the National Association for Innovation and Information Technology Development (NAIRIT).
A report on threats to information security of infrastructure facilities in the Russian economy was prepared by experts from NAIRIT together with the Institute for System Analysis of the Russian Academy of Sciences and the Institute for Socio-Economic Modernization. The results of the study were reported at a meeting of the Commission of the State Duma of the Russian Federation for the Development of Strategic Information Systems.
As follows from the report, the total volume of losses of the domestic economy from attempts to illegal electronic interference in 2013 exceeded 1.3 trillion rubles.
The number of DDoS attacks on banks and the financial sector in 2013 increased by 112% compared to 2012. Olga Uskova, President of the National Association for Innovation and Development of Information Technologies, spoke about this during a round table in the State Duma on the topic "Problems of the development of strategic information systems in the banking and financial spheres. Legislative aspects. "
Previously, the number of DDoS attacks on the financial sector grew at a moderate pace. In 2012, the indicator grew by only 11%, in 2011 - by 8%.
Kaspersky DDoS Prevention: strengthening the power of attacks in Russia and increasing their duration
Kaspersky Lab specialists summed up the results of DDoS activity in Runet over the past 12 months in the fall of 2013. Comparing the data obtained using the Kaspersky DDoS Prevention security service and its own botnet monitoring system in the second half of 2012 and the first half of 2013, experts revealed two trends: increasing the power of attacks and increasing their duration.
In the second half of 2012 the average attack power was 34 Mbit/s, and at the beginning of 2013 it rose to 2.3 Gbit/s. The maximum attack power in the first half of 2013 reached 60 Gbit/s, "thanks" to the growing popularity of DNS amplification attacks that year. For comparison, the most powerful DDoS attack in the second half of 2012 was only 196 Mbit/s.
The duration of DDoS attacks in Runet also increased. Whereas in the previous reporting period Kaspersky Lab specialists found that the average attack on resources protected by the Kaspersky DDoS Prevention service lasted 7 hours, in 2013 the figure rose to 14 hours.
According to data obtained by Kaspersky Lab experts based on the Kaspersky DDoS Prevention service, most bots or hosts attacking Runet web resources are located directly in Russia (about 44%). A significant part of the attacks also "comes" to the Russian-speaking Internet space from the United States (about 7.5%) and from Ukraine (a little more than 5%). Overall, of the top 10 countries in this unlucky ranking, 7 are in Asia.
Attackers, in order to ensure the inaccessibility of the resource and earn money, use various types of attacks, often combining them. Most types of attacks affect only a specific resource. But in pursuit of profit, attackers are ready to use a tool that can make anything unavailable on the Internet: from an individual provider to a network segment. It's kind of a virtual weapon of mass destruction.
The spread of DNS amplification attacks and the growing power and scale of DDoS incidents allow specialists to speak of a change in trend: Runet is apparently ceasing to be a kind of "reserve" where powerful attacks were rare and Internet and hosting providers could do without intelligent traffic control. The gap between DDoS activity in Runet and in the rest of the Internet is closing rapidly.
2012
Reduce the profitability of DDoS attacks
Information security experts noted that the number of "pure" DDoS attacks as a means of cyber attack in Russia decreased in 2012. They attribute this to a decline in their direct profitability for criminals. It is assumed that in the next year or two these attacks will move into the sphere of politics, both internal and external, where they will be predominantly used in their "pure" form.
The main use of DDoS attacks will be within complex cyber attacks, the most dangerous of which for the target are the so-called Advanced Persistent Threats, targeted, multifaceted, long-running campaigns. Today such attacks prove destructive in remote banking, where DDoS is used as a "smoke screen" that blocks interaction between the bank and the victim while the attack is in progress, buying the attackers time to complete the theft of money and cover their tracks.
What do they think about DDoS attacks in Russia
The weekly PC Week/RE conducted a survey among its readers in the spring of 2012 to find out how much corporate computer users in Russia need protection from DDoS attacks.
More than half (56%) of those who responded believe that they need protection, and are ready to organize it on the side of their corporate data network. Approximately 25% of respondents presented even higher requirements for protection against DDoS attacks - they want to have it both on their side and on the side of the carrier serving them. About 5% of representatives of Russian companies who took part in the survey want to consume this protection in the form of a service and rely entirely on the forces of external providers in its organization.
The survey results allow an unambiguous conclusion that Russian companies need protection against DDoS attacks: only 12% of those who took part are prepared to do without it (the remaining 2% of respondents had not yet decided). Notably, 59% of respondents work in large (by Russian standards) organizations with more than 500 computerized workstations; 32% represented firms with 25 to 500 working computers; 9% belong to the segment of small organizations with fewer than 25 computers. Civil servants were the most active respondents (63%); 29% came from the private sector; the remaining 8% work in organizations with another form of ownership.
Notes
- ↑ Cyber attack on services of the Kursk region was repelled
- ↑ Solar Group sees a significant increase in cyber attacks on IT resources of the Russian Federation
- ↑ FCS reported on information exchange problems with foreign economic activity participants due to DDoS attack
- ↑ Hackers enter from the rear
- ↑ Forecast for the development of the cybersecurity market in the Russian Federation for 2024-2028
- ↑ 24-hour threat response: 2023 results
- ↑ DDoS attacks lasting almost two years were found in Runet
- ↑ Named the sector of the Russian IT sphere, affected by record DDoS attacks in 2023
- ↑ Hackers work across the squares
- ↑ Named non-obvious danger of DDoS attacks
- ↑ Hackers in January launched a new wave of attacks on Russian companies with a record for power
- ↑ DDoS attacks are increasingly occurring from Russian IP addresses
- ↑ Report on attacks on online resources of Russian companies for 2022 (https://rt-solar.ru/upload/iblock/02e/nns12uwyw3k2olfwq13o52aabrjrun2z/Otchet-ob-atakakh-na-onlayn_resursy-rossiyskikh-kompaniy.pdf)
- ↑ Analytical report for 2022
- ↑ https://www.securitylab.ru/news/531824.php
- ↑ Hackers have learned to use video to bypass geolocation-based protection against DDoS attacks
- ↑ Kaspersky Lab tracked the longest DDoS attack in Russia
- ↑ In March, a record 145-hour DDos attack was recorded in the Russian Federation
- ↑ Anonymous hackers hacked into Russian media sites
- ↑ recorded the largest botnet attack on retail
- ↑ Rostelecom: amid the pandemic, the number of DDoS attacks on online trading has doubled
- ↑ DDoS attacks increase 83%, Russia top victim
- ↑ Every fourth Russian bank faced DDoS attacks in 2015
- ↑ Kaspersky Lab estimated how much it costs to eliminate the consequences of DDoS attacks (http://www.computerworld.ru/news/Laboratoriya-Kasperskogo-otsenila-vo-skolko-obhoditsya-ustranenie-posledstviy-DDoS-atak)