Attacks on government agencies have been rising exponentially in the last few years, from xx attacks per year to 32 already in 2023. Sweden was hit hard during the last few months, presumably because it applied for NATO membership, and there had in fact been warnings that this could happen. DDoS is a weapon of choice because it is easy to deploy and is even available as a service. Having a good AI-powered DDoS mitigation solution in place can reduce or diminish the impact of an attack on systems and networks. Here are the key recommendations.
Latest DDoS in Sweden
On May 3, 2023, Sweden’s parliament was hit by a DDoS attack that disrupted access to its website. The site was partially down on Tuesday and appeared slow on Wednesday. Swedish citizens use the parliament’s website to access an array of public services, as well as to find information about the workings of the government. Services were disrupted by the attack, which came at the same time that Swedish politicians met Ukraine’s president. “The analysis shows that it is a denial-of-service attack,” a parliament spokesperson said.
This was not entirely unexpected: Sweden recently applied for NATO membership, and the authorities have warned of increased cyber attacks against Swedish interests. In addition, there were announcements and rumors on social networks that such an attack could happen very soon.
Government Cyber Attacks on the Rise
Research released today shows that cyberattacks on government agencies are on the increase. Cybersecurity company Surfshark says that since 2006, there have been at least 722 cyberattacks on government agencies, 15% of which were reportedly carried out as part of a cyber espionage campaign.
With the rising political tensions across the global arena, strong cybersecurity remains one of the core pillars of a country’s security. Over the past two decades, government agencies have become prime targets for cyberattacks, with perpetrators ranging from criminal organizations to state-sponsored hackers conducting cyber espionage.
Before 2020, around 29 cyberattacks on government agencies were reported every year, and this number rose to a yearly average of 96 with the start of the new decade. The year 2023 has already seen 32 significant cyberattacks on government agencies, of which 9 were cyber espionage. To name just a few of the most recent incidents:
- March 2023. Hackers brought down the French National Assembly’s website for several hours using a DDoS attack. In a Telegram post, hackers cited the French government’s support for Ukraine as the reason for the attack.
- March 2023. Hackers launched an unsuccessful DDoS attack against a German defense firm, Rheinmetall.
- March 2023. CISA and FBI reported that a U.S. federal agency was targeted by multiple attackers, including a Vietnamese espionage group, in a cyberespionage campaign between November 2022 and January 2023. Hackers used a vulnerability in the agency’s Microsoft Internet Information Services (IIS) server to install malware.
DDoS Mitigation Solutions and Services – What you can do to protect your systems
A DDoS attack works by flooding a server or network with fake internet traffic. This is often achieved by launching a very large number of requests at once and overwhelming the target, so that legitimate requests can no longer be processed.
Cybercriminals can take a business offline for minutes, hours, or weeks. DDoS attacks can cost enterprises several million euros, depending on how critical the online presence is to the business.
The purpose of a DDoS mitigation solution is to reduce or diminish the impact of an attack on systems and networks. Such solutions are designed to maintain the availability of the resources (servers, networks) that attackers target in order to disrupt them. DDoS protection is successful when a resource that was targeted in an attack is protected and kept up and running.
Typical DDoS mitigation steps
The first step in countering a DDoS attack is to absorb the attack so the server does not go down. An important property here is the capacity the solution has been tested to handle, in requests per minute and in concurrent IPs.
The next step is to detect that it is a genuine DDoS attack. The solution should be able to determine the volume of requests:
• coming at a URI level,
• from each IP,
• at a session/host level,
• in the overall domain.
For example, an image file that is usually accessed once a minute is suddenly accessed 100 times a minute. At the overall site level this is only a small increase in requests. The AI can decide whether to alert the services team and the application owner.
The solution then identifies the attack vectors and blocks requests made with those vectors. It should also detect diverse multi-vector attacks.
AI plays a big part in DDoS attack prevention: the solution should use past data to predict site behavior.
The solution should also be able to recommend and apply “rate limits” as granularly as possible. These include URI, session/host, IP, and domain rate limits.
While AI can recommend rate limits and even apply “blocking rules,” having a DDoS mitigation solution will reduce false positives to a great extent. After analyzing all trends, the services team should be able to add surgical rate-limiting rules. Other mitigating mechanisms should also be added, including tarpitting, CAPTCHAs, and more.
Here are some highly recommended features of an efficient DDoS mitigation solution.
1. Rate Limiting
Rate limiting lets you cap the traffic coming from certain IPs, and stops apps, users, or bots from overusing your resources.
In addition to static rate limiting, an AI-powered solution should be able to configure policies based on the behavior of the application. In case of an anomaly, the solution should be able to trigger an alert.
2. Granular Level Controls
Granular controls prevent attacks with custom policies. Users can define policies based on geography, URI, IP headers, and source and destination IP.
The threshold for these policies should ideally be auto-configured via AI behavior-based traffic profiling.
3. Global Controls
IP whitelisting and blacklisting play a critical role in managing internal server requests and requests that come from actual users. Blacklisting and whitelisting specific IP addresses or even countries is very important for the following reasons:
• Some parts of the application will work for specific countries only.
• Some parts of the application will not be available for public access.
• Only “good bots” should be allowed to access your application.
• There may be internal servers that make extremely high-volume requests to your production server; they should not be blocked by the WAF, nor should they alter the behavioral DDoS rate-limiting policy.
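The detection steps above (request volume per URI, per IP, per session and for the whole domain, compared against a learned baseline, with rate limits recommended at the same granularity) and the internal-server exemption under Global Controls, as one added example that is not code from the original article or from any particular product. The log records, baseline rates, allowlist and multiplier are all constructed values; a real solution would learn the baseline continuously.

```python
from collections import Counter
from math import ceil

# Constructed one-minute sample of access-log records: (client_ip, session_id, uri).
# 10.0.0.5 is a hypothetical internal monitor that polls /health often on purpose.
SAMPLE_LOG = (
    [("203.0.113.7", "sess-a", "/images/logo.png")] * 100
    + [("198.51.100.3", "sess-b", "/index.html")] * 3
    + [("198.51.100.4", "sess-c", "/index.html")] * 2
    + [("10.0.0.5", "internal", "/health")] * 300
)

# Normal requests per minute as a behavioral profile would have learned them
# (constructed values); keys missing at a level fall back to DEFAULT_BASELINE.
BASELINE = {
    "uri": {"/images/logo.png": 1, "/index.html": 5},
    "ip": {},
    "session": {},
    "domain": {"site": 50},
}
DEFAULT_BASELINE = 3      # assumed floor for keys never seen before
ALLOWLIST = {"10.0.0.5"}  # internal servers exempt from profiling and limits
FACTOR = 5                # flag a key when observed > FACTOR x baseline

def count_levels(log, allowlist=ALLOWLIST):
    """Count requests at URI, IP, session and whole-site level, skipping
    allowlisted internal sources so they neither trip nor skew the profile."""
    counts = {"uri": Counter(), "ip": Counter(),
              "session": Counter(), "domain": Counter()}
    for ip, session, uri in log:
        if ip in allowlist:
            continue
        counts["uri"][uri] += 1
        counts["ip"][ip] += 1
        counts["session"][session] += 1
        counts["domain"]["site"] += 1
    return counts

def detect_anomalies(log, baseline=BASELINE, factor=FACTOR):
    """Return {level: {key: (observed, limit)}} for every key whose observed
    rate exceeds factor x its baseline; limit is the rate limit to recommend."""
    findings = {}
    for level, counter in count_levels(log).items():
        for key, observed in counter.items():
            expected = baseline[level].get(key, DEFAULT_BASELINE)
            limit = ceil(expected * factor)
            if observed > limit:
                findings.setdefault(level, {})[key] = (observed, limit)
    return findings
```

On the sample, the image URI, the single source IP and its session are flagged while the site-wide count stays within its baseline, which mirrors the case described above; the internal monitor never appears in the counts.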
4. Auto Scalability
Most DDoS attacks generate a large traffic volume to exhaust resource capacity, and as traffic volume and network size grow, mitigation can fall behind. The DDoS protection solution should therefore leverage highly scalable infrastructure so that it can ramp up in line with the traffic that must be handled; cloud infrastructure, for instance, can be used to block large attack traffic. With auto scaling enabled, you can spot DDoS attacks of a couple of TBps originating from thousands of concurrent IP addresses.
5. Monitoring and Alerting
The solution should constantly monitor for potential attacks that target your resources and send real-time alerts to the application owners so they can take corrective action if needed.
The alert should highlight the domain being attacked, the attack’s protocol, session details, user agents, geography, IP, and any other information that can help differentiate valid from invalid requests. This feature limits the time it takes to detect and block a DDoS attack.
6. Content Delivery Network
The DDoS protection should take the load off your origin server by enabling a CDN. When a request is received, the CDN server responds with the cached version of the requested page.
In the case of a DDoS attack, the CDN can be used to absorb and distribute the attack traffic by spreading it across multiple servers. This helps prevent the attack traffic from overwhelming the origin server and making the website unavailable.
7. BOT Protection
Hackers often create bot armies to launch DDoS attacks, so advanced DDoS protection should be equipped with bot protection policies.
Today bots use crafty techniques to masquerade as Googlebot, because hackers know Googlebot is a bot that every business is going to whitelist. Bot pretender policies, for instance, help detect and block malicious bots that pretend to be helpful bots.
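The pretender check described above, as an added example that is not code from the original article or from any product: a Googlebot claim is only trusted when the client IP's reverse DNS name is under a Google domain and that name resolves forward to the same IP. The DNS answers here are constructed stand-ins (TEST-NET addresses) so the block runs offline; in production the `reverse` and `forward` callables would wrap `socket.gethostbyaddr` and `socket.gethostbyname`.

```python
# Constructed DNS answers (TEST-NET addresses) so the example runs offline.
# 192.0.2.10 plays a genuine crawler; 192.0.2.20 is a pretender whose attacker-
# controlled PTR record merely claims a googlebot.com name; 192.0.2.30 is a
# plain hosting box with an unrelated PTR record.
STUB_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.20": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.30": "host-30.hosting.example.net",
}
STUB_A = {
    "crawl-192-0-2-10.googlebot.com": "192.0.2.10",
    "host-30.hosting.example.net": "192.0.2.30",
}
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def stub_reverse(ip):
    """PTR lookup stand-in: hostname for ip, or None when there is no PTR."""
    return STUB_PTR.get(ip)

def stub_forward(hostname):
    """A-record lookup stand-in: IP for hostname, or None if unresolvable."""
    return STUB_A.get(hostname)

def classify_googlebot_claim(ip, user_agent, reverse=stub_reverse,
                             forward=stub_forward):
    """Check a Googlebot claim: the PTR name must be under a Google domain AND
    resolve forward to the same IP. Returns 'verified', 'pretender' or
    'no-claim' (the user agent does not claim to be Googlebot at all)."""
    if "googlebot" not in user_agent.lower():
        return "no-claim"
    host = reverse(ip)
    if host is None or not host.lower().endswith(GOOGLE_SUFFIXES):
        return "pretender"
    # Forward-confirm: a spoofed PTR record will not resolve back to the client.
    return "verified" if forward(host) == ip else "pretender"

def policy_action(ip, user_agent, **lookups):
    """Allowlist only verified crawlers, block pretenders, and leave everything
    else under the normal behavioral rate limits."""
    verdict = classify_googlebot_claim(ip, user_agent, **lookups)
    return {"verified": "allowlist", "pretender": "block"}.get(verdict, "rate-limit")
```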
8. Broader Visibility
DDoS protection is not just about blocking attacks. The solution must also provide users with important insights and analytics about the attacks. You should be able to view attack statistics categorized by IP and URL, and the mitigation reports should include traffic statistics, top IPs, top countries, and top URIs. This in-depth visibility simplifies forensics and ensures accurate DDoS mitigation.
It is obvious that state-sponsored attacks are on the rise and that they mostly target government institutions, but corporate systems are being hit as well.
Whether you work at a government institution or a corporation, if you are responsible for cybersecurity you should take the rising risk of DDoS attacks into account. While doing so, reassess your current cybersecurity defenses and evaluate AI-powered solutions for improving DDoS resilience.