ISPs: The Unlikely Victims of Global Warfare

Distributed Denial of Service (DDoS) attacks are increasing in both frequency and magnitude. Thanks to the growing ease of botnet acquisition, and the availability of DDoS tools on online marketplaces, it’s easier than ever to launch high-capacity DDoS attacks. The simultaneous rise in global political unrest has seen a worrying trend in which these public, disruptive attacks are used to political ends.

Internet Service Providers (ISPs) are particularly critical within modern connectivity, and their role in public and private infrastructure makes them alluring political targets. ISP security risks are being pushed to breaking point as international tensions rise.

The Rise of Political DDoS Attacks

Politically-motivated cyber attacks are dominating the DDoS landscape, with a particular rise in the last half of 2022. DDoS lends itself to the political realm, as the goal of a DDoS attack is to make a server, or a foundational piece of architecture, completely inaccessible to the wider public.

The incredibly overt nature of these attacks allows hacktivists and cyber terrorists to make their mark known to both the affected organization and the wider public: it’s very difficult to disguise a successful attack. 2022 has already seen a staggering number of these worldwide. The anti-NATO group ALtahrea, for instance, struck governmental bodies for public transportation in both the UK and Israel. At the same time, the group was launching an attack against the Turkish ministry of defense.

Of particular note were the attacks that seemed to originate from Russia’s invasion of Ukraine. Russian hacking group Killnet, having first surfaced in January of this year, has claimed responsibility for attacks targeting multiple European websites in attacks that stemmed from April to June.

Beginning with an attack on the Czech government and public transportation, they’ve since briefly taken down sites representing the Romanian government, the German Bundestag and Federal Police, and the Italian senate.

The specific mechanisms of a DDoS mean that they’re highly replicable, and the socio-financial importance of ISPs to everyday life makes these organizations a major target for political actors that wish to disrupt their target.

How DDoS Attacks Work

DDoS attacks abuse the very mechanisms that legitimate users depend on to access sites. When a user requests a website, the request travels from their browser to the server that hosts the site. This server dedicates a small amount of processing power to fulfill this request, and the correct webpage is returned to the user rapidly.

However, each server will have a finite number of resources it can dedicate to one site. Cloud computing aims to help solve this, as the technical demands of this process can be scaled up or down. The expectation is that this resource grows or shrinks with legitimate users, and so scalable cloud solutions will still impose a soft limit – namely, you get the processing power that you pay for.

Untitled design (25)

DDoS attacks are hugely dependent upon their associated botnet. The botnet is made up of thousands or millions of infected Wi-Fi-connected devices. Anything that can connect to the internet – including smart fridges – can become part of a botnet. Once in the hands of a malicious individual, these bots are targeted at a specific site they’d like to take down.

DDoS attacks aim to bring a component of a website down – that could be a server or, more often, an auxiliary component to your site. Often, volume-heavy botnets are engaged in a protocol layer attack. This occurs when the resources of critical servers and network-based devices, including operating systems or firewalls, are overwhelmed.

Whereas protocol layer attacks may succeed in overwhelming one site at a time, cybercriminals are always on the hunt for more efficient forms of chaos. Enter the application layer attack. This targets the software that provides a critical online infrastructure. One particular target includes the Apache server, which is the most popular web service on the internet. With a growing focus on targeting the underlying providers of online connectivity, ISPs have come under increasing threat.

ISPs Are The Most Alluring DDoS Victims

To lend some context to the importance of internet service providers, here are some statistics for the UK. Overall broadband connections are estimated at 27.5 million; of these almost 30 million people, the vast majority are reliant on services from one of the Big Four (BT Group, Sky, Virgin Media, and TalkTalk).

With so many individuals reliant on so few providers, the target is clear: this is reflected in real-life trends, too, as attacks on communication service providers have increased by 232% since this time last year. Over half of these focused on bringing down a specific service with high traffic volumes.

Untitled design (26)

Internet providers are already bearing the brunt of increasingly infrastructure-focused DDoS attacks. In September 2021, Voice Over Internet Protocol provider VoIP Unlimited was struck by a ferocious DDoS attack, with services becoming incredibly patchy.

The gang responsible for the attack then reached out with a “colossal ransom demand.” At the beginning of 2022, Andorra – a landlocked microstate in Europe – was bought completely offline when a DDoS attack struck Andorra Telecom, the only telecom provider in the country.

Alongside causing disruption for millions of customers, these incidents have long-lasting negative effects on the ISP providers themselves, as SLAs are broken, and customers switch in droves.

Managing the DDoS Threat

The quantity of personal data that ISPs manage – and their position as vital pieces of public infrastructure – make them alluring for cybercriminals with both political and financial motivations. A high-quality security provider with aid in protecting your cloud databases, alongside offering a suite of DDoS mitigation measures. Of particular importance is the provision of a secure proxy. In this framework, your security provider passes all traffic through its own servers. This allows for incoming traffic to be filtered while also masking your origin server’s IP address.