Given the recent increase in the number of reported DDoS attacks against Nordic companies and authorities, Truesec assesses that the general risk of Swedish and Danish interests being exposed to more DDoS attacks is elevated. We urge all businesses to review their preparedness to protect themselves against overload attacks immediately.
What Is a DDoS Attack?
A DDoS attack is a form of overload attack whose purpose is to make a service (e.g., a website) unavailable to its users. The attacker uses a Botnet – a network consisting of a large number of devices that are all used to carry out a targeted and coordinated attack on the target. DDoS attacks are carried out by simultaneous calls in high volume; without adequate protection, the service becomes unavailable to legitimate users.
An Increase of DDoS Attacks in 2022
Truesec's Threat Intelligence notes a noticeable increase in the number of reported extortion attacks linked to DDoS in 2022 compared to 2021. In addition to the increase in the number of attacks carried out, we can also note that Russian-patriotic hacktivist groups are more systematically recruiting volunteers to use their botnets to carry out attacks against Western countries. Given the recent dramatic increase in the number of DDoS-exposed companies and authorities in Sweden, there is reason to assume that this development will continue.
It is important to understand that hacktivist DDoS attacks are usually temporary disruptions. Still, the threat actors behind the attack will always work to inflate the effects of these attacks out of proportion. Their goal is to create fear, confusion, and shame.
How To Protect Your Organisation From Being Hit
Truesec recommends publicly sharing information if a DDoS attack has hit your business. To avoid doing so is to hand over the information-sharing platform to the threat actors, who will do their utmost to create headlines with their own narrative about their attack.
We urge all businesses to prepare a plan for how to react in case of a possible DDoS attack and include a media communication plan.
In addition to a reactive plan to deal with an ongoing attack, there are both preparatory and preventive safeguards to take to significantly lower the business impact of being exposed to a DDoS attack.
11 Actions To Minimize Risk:
- Be sure to regularly map your IT environment and take inventory of mission-critical applications and systems, especially those exposed to the Internet.
- Protect mission-critical websites, applications, and systems with DDoS Protection.
- Keep your Internet Service Provider (ISP) contact lists up to date and ask for regular reporting on what they see.
- Ask your Internet Service Provider (ISP) to filter out traffic from any regions you do not do business with.
- Ask your Internet Service Provider (ISP) to implement Quality of Service (QoS) to prioritize business-critical services.
- If you own your IP address space (ISP independent), make sure you use connections from different ISPs and that redundancy works, at least for business-critical applications.
- Protect links and networks between the local devices and outgoing link (e.g., disable ping, traceroute, etc.) Ask your upstream ISP to do the same for the routers on their side facing you (often called CPE or PE).
- Monitor CPU and traffic volume on front-end firewalls, load balancers, WAFs, and exposed servers. Configure alarms with threshold values for a predefined period; for example, usage above 80% last 10 minutes.
- Apply all patches for systems exposed to the Internet.
- Ensure that exposed systems log and that these logs are easily accessible.
- Ensure that all public IPv6 links are configured with the /126 or /127 prefix.
Truesec urges every business to analyze available data and logs if the organization sees events consistent with a DDoS attack to understand attack patterns, time windows, affected targets, etc. Interpret data coming from ISPs, DDoS protection, or other equipment but do not rely on it as a single denominator - if a DDoS attack is confirmed, notify your national CERT.