Putin’s government lists IPs and domains allegedly aiming DDoS traffic at Russia
The Russian government on Wednesday published a list of more than 17,500 IP addresses and 174 internet domains it says are involved in ongoing distributed denial-of-service attacks on Russian domestic targets.
The list include the FBI and CIA’s home pages, and other sites with top-level domain (TLD) extensions denoting they are registered through countries such as Belarus, Germany, Ukraine and Georgia, as well as the European Union.
The Russian government did not publish any proof or evidence backing up its claims about the IP addresses or domains on its list. DDoS incidents can be tough to attribute to any specific actor, and otherwise benign internet domains can be hijacked by attackers to misdirect attention.
Russia’s National Computer Incident Response & Coordination Center posted the data in a notice that includes 20 recommendations to ward off attacks, such as robust logging, using Russia-based DNS servers, conducting “an unscheduled change of passwords” and disabling external plugins for websites, according to a Google translation.
DDoS attacks — which render websites inaccessible by flooding them with traffic — are relatively basic in terms of cyber disruptions, and generally easy to respond to and recover from. They don’t take a high level of sophistication, which is perhaps one of the reasons the Ukrainian government has asked its growing legion of cyber volunteers to launch such actions against a list of Russian and Belarusian websites.
Hackers believed to be associated with President Vladimir Putin’s government have launched a series of their own DDoS attacks against Ukrainian targets multiple times in the run up to the military attack, coinciding with more serious attacks that in some cases delivered malware designed to wipe data and destroy computers.
Tough times for the Russian internet
In the days since the Feb. 24 Russian invasion a plethora of self-styled hactivists, including multiple actors operating under the mantle of Anonymous, have claimed successful DDoS incidents involving a range of Russian targets, including banks, news sites and various government agencies. Claims about more serious breaches against Russian targets — such as the infrastructure supporting its spy satellites and other aspects of its space program — abound.
While many of the claims are difficult or impossible to verify, there is anecdotal reporting from within Russia that the flurry of activity is having an impact. Oleg Shakirov, an international security expert at a Moscow-based think tank, tweeted Thursday that “the Internet is not the same,” and government websites “are often not available because of DDoS attacks.” Other services, such as Twitter and Facebook, have been throttled by the Russian government, he added. There is broader debate over whether internet governance should be caught up in the war.
Independent data shows that Russian internet infrastructure has heavily targeted with DDoS disruptions, said Doug Madory, the director of internet analysis for Kentik, a network management firm. Data available to the firm shows DDoS attacks aimed at the at internet infrastructure that handles the “.ru” top level domain (TLD) starting at about 6 a.m. Tuesday in Moscow.
“If the TLD somehow were to go away then you wouldn’t be able to resolve websites that end in ‘.ru,” Madory told CyberScoop, meaning that the sites would become inaccessible.
Madory added that at this level of internet infrastructure, “it’s easy to build a lot of resiliency” and “it would be very hard to take it all out.” What’s happening is more “of a symbolic thing,” he said. “I’m not aware that there’s any practical impact to it.”
This story was featured in CyberScoop Special Report: War in Ukraine