{
	"id": "5b569b15-1361-4d83-bd04-01b68e96ba29",
	"created_at": "2026-04-06T00:19:55.482619Z",
	"updated_at": "2026-04-10T03:20:35.664878Z",
	"deleted_at": null,
	"sha1_hash": "67eee0414eb8a2775ba6482394fcf72030af2711",
	"title": "The Anatomy of the DDoS Attack Campaign Targeting Organizations in Ukraine | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46017,
	"plain_text": "The Anatomy of the DDoS Attack Campaign Targeting Organizations in Ukraine | NETSCOUT\r\nArchived: 2026-04-05 12:55:53 UTC\r\nOverview\r\nBeginning on 13 February 2022, multiple governmental, military, and financial organizations within Ukraine reported that their public-facing Web sites, applications, and ancillary supporting infrastructure were being targeted in an orchestrated DDoS attack campaign. Significant direct impact to these organizations and their direct constituents and customers, along with collateral impact to other organizations such as associated Web hosting operators, was noted.\r\nReports indicate that public access to online governmental services, online Web and mobile banking applications, and automated teller machines (ATMs) was disrupted by these attacks. The use of VPNs to connect ATMs across the public Internet to their affiliated networks is commonplace; when the associated financial network infrastructure is negatively impacted by DDoS attacks, bank patrons are often prevented from accessing funds, checking balance information, and performing other routine operations via ATMs.\r\nNETSCOUT Arbor’s ASERT team confirmed these reports, observing multiple direct-path (non-spoofed) SYN-flooding and UDP-flooding DDoS attacks targeting these organizations, along with a smaller number of NTP reflection/amplification DDoS attacks. Observed SYN-flood attack throughput reached a maximum of ~1.2 million packets-per-second (Mpps), while large-packet UDP flooding attacks reached a maximum of ~5.3 Gbps. By way of comparison, the largest DDoS attacks reported in 2021 were ~674 Mpps and 3.47 Tbps, respectively.\r\nThe characteristics of all observed DDoS vectors utilized in these attacks to date were well within established norms and a trend we've observed over the course of 2021 for increases in botnet attacks; analysis of the attack dynamics indicates that standard DDoS-capable botnets were used in this attack campaign. Both DDoS-for-hire and privately-operated botnets are often used to generate DDoS attacks of the observed scale, scope, and types.\r\nThe brief spate of NTP reflection/amplification attacks observed at the beginning of the attack campaign, along with the direct-path UDP flooding observed throughout, is out of profile for the targeted networks/servers/services/applications, largely directed towards destination port UDP/443. The observed SYN-floods were primarily targeting destination ports TCP/80 and TCP/443, which is consistent with standard Web servers.\r\nASERT observed botnet nodes (bots) participating in these attacks located in Ukraine, Russia, Portugal, the United Kingdom, the United States, and New Zealand. Researchers at 360 Netlab reported that a Mirai botnet was used for the attacks with its command-and-control (C2) node located in the Netherlands. Analysis of the DDoS vectors utilized in this attack campaign is consistent with capabilities typically exhibited by Mirai botnets.\r\nhttps://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine\r\nPage 1 of 4\r\nThe number of observed sources utilized in this DDoS attack campaign to date is relatively low. This is consistent with the use of direct-path DDoS vectors such as those utilized in these attacks, along with the reported attack volumes. Observed attack characteristics imply that any spoofing of source IPs which took place during these attacks was limited in scope, which comports with reports that the botnet in question was a typical Mirai botnet, with most of its constituent bots located on broadband access networks likely to enforce source-address validation (SAV; e.g., anti-spoofing).\r\nCollateral Impact\r\nSuccessful DDoS attacks against Web hosting and VPS operators can significantly impact organizations which are not the direct targets of DDoS attacks, but which share the same network/service/application/content-delivery infrastructure.\r\nDisruption of online applications and services provided by governmental organizations can result in the inability to deliver critical services to their constituents.\r\nDisruption of online financial services can result in delays in payroll deposits, bill payments, online and in-person electronic retail payments, ready access to cash, etc.\r\nThe collateral impact of reflection/amplification DDoS attacks is potentially quite high for organizations and individuals whose misconfigured servers/services are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical applications and services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls and load-balancers, etc.\r\nIndividuals and organizations whose general-purpose and/or Internet-of-Things (IoT) devices have been subsumed into botnets can be negatively impacted when these compromised systems are utilized to launch outbound DDoS attacks. As with reflection/amplification attacks, this may include partial or full interruption of mission-critical applications and services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls and load-balancers, etc.\r\nMitigating Factors\r\nDDoS attack traffic can be mitigated via the implementation of industry-standard best current practices (BCPs) such as situationally appropriate network access control policies; network infrastructure-based reaction mechanisms such as flowspec; and intelligent DDoS mitigation systems (IDMSes) such as NETSCOUT Arbor Sightline, TMS, and AED.\r\nCollateral impact to misconfigured, abusable computers/IoT devices/servers/services leveraged as bots or reflectors/amplifiers by attackers to launch DDoS attacks can motivate network operators and/or end-customers to remove or remediate affected systems.\r\nTraceback of spoofed DDoS attack traffic to its ingress points by network operators and subsequent implementation of source-address validation (SAV) can prevent attackers from launching both reflection/amplification and spoofed direct-path DDoS attacks.\r\nRecommended Actions\r\nOrganizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies which only permit Internet traffic via required IP protocols and ports. Internet access network traffic to/from internal organizational personnel should be kept separate from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.\r\nDDoS defenses for all public-facing Internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.\r\nIt is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.\r\nSpecifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regard to optimal countermeasure selection and employment.\r\nFlowspec can be used by network operators to mitigate UDP reflection/amplification DDoS attacks; direct-path UDP flooding DDoS attacks; and, in some circumstances, SYN-flood attacks, although intelligent DDoS mitigation systems (IDMSes) such as NETSCOUT Arbor TMS and AED provide a higher degree of mitigation granularity and interactive source evaluation when defending against SYN-floods. It is important to ensure that reaction access-control list (ACL) stanzas propagated via flowspec are configured in such a way as to minimize the risk of overblocking.\r\nAIF Templates providing example DDoS countermeasure provisioning for standard server types are available to AIF-entitled Sightline/TMS operators. AIF Filter Lists of abusable reflectors/amplifiers are also available to AIF-entitled Sightline/TMS customers.\r\nAll potential DDoS attack mitigation measures described in this Summary *MUST* be tested and customized in a situationally appropriate manner prior to deployment on production networks.\r\nApplicable NETSCOUT Arbor Solutions: NETSCOUT Arbor Sightline, TMS, and AED.\r\nAdditional References\r\nhttps://edition.cnn.com/2022/02/16/europe/ukraine-cyber-attack-denial-service-intl/index.html\r\nhttps://twitter.com/DougMadory/status/1493680334965297159\r\nSource: https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine"
	],
	"report_names": [
		"ddos-attack-campaign-targeting-multiple-organizations-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67eee0414eb8a2775ba6482394fcf72030af2711.pdf",
		"text": "https://archive.orkl.eu/67eee0414eb8a2775ba6482394fcf72030af2711.txt",
		"img": "https://archive.orkl.eu/67eee0414eb8a2775ba6482394fcf72030af2711.jpg"
	}
}