Are Russia's allies DDOSing them?

Last week the Russian National Coordination Center for Computer Incidents (NCCCI) released a list of IPs involved in DDOS attacks against them. I would never consider using this data in our threat feed or otherwise use it to block anything. Yet curiosity got the best of me, so I wrote a script to break the list down by country of origin. It is quite clear why Russia didn’t threaten nuclear war over this cyber attack, given the list is mostly populated by their allies, including China.

While generally difficult to determine whose botnet is at work or the motivation behind the attack, you can make general and fair assumptions based on geolocation and probable language barriers. For instance, most of the top ten are Russian allies and the botnet is certainly Asian in origin based on the number of Asian countries at the top of the list. The spillover into the USA is most likely due to Americans who speak the targeted language. This just goes to show how practically impossible it is to properly determine the real origin of the attack.
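The per-country breakdown described above, as an added example that is not the author's script: it parses a list in the shape of a published attacker-IP file (one address or CIDR per line), de-duplicates it, and does a longest-prefix match against a country table. The table and the sample list are constructed for the example; a real run would query a GeoIP database instead, and, as the post notes, a country code still says nothing about who controls the host. Counting both list entries and covered addresses shows how a single large CIDR can dominate a "top countries" ranking.

```python
import ipaddress
from collections import Counter

# Constructed sample in the rough shape of a published attacker-IP list
# (address or CIDR per line, a comment, a duplicate, a junk line).
# This is NOT the NCCCI data.
SAMPLE_LIST = """\
# constructed example list
198.51.100.7
198.51.100.7
203.0.113.45
203.0.113.200
203.0.113.128/25
192.0.2.0/24
not-an-ip
10.0.0.1
"""

# Hypothetical prefix-to-country table standing in for a GeoIP database.
# The assignments are made up for this example (documentation ranges only).
PREFIX_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.128/25"), "JP"),  # more specific than the /24
    (ipaddress.ip_network("192.0.2.0/24"), "KR"),
]


def parse_entries(text):
    """Turn raw list lines into de-duplicated IP networks.
    Bare addresses become /32 (or /128); comments and blank lines are ignored,
    unparseable lines are returned separately so they can be reviewed."""
    seen = set()
    networks = []
    skipped = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            skipped.append(line)
            continue
        if net not in seen:
            seen.add(net)
            networks.append(net)
    return networks, skipped


def lookup_country(net, table=PREFIX_TABLE):
    """Longest-prefix match of a network (or address string) against the table."""
    if isinstance(net, str):
        net = ipaddress.ip_network(net, strict=False)
    best = None
    for prefix, country in table:
        if prefix.version == net.version and prefix.supernet_of(net):
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, country)
    return best[1] if best else "unknown"


def count_by_country(text, table=PREFIX_TABLE):
    """Return (entries_per_country, addresses_per_country, skipped_lines).
    'entries' counts list lines; 'addresses' weights each CIDR by its size."""
    networks, skipped = parse_entries(text)
    entries = Counter()
    addresses = Counter()
    for net in networks:
        country = lookup_country(net, table)
        entries[country] += 1
        addresses[country] += net.num_addresses
    return entries, addresses, skipped


if __name__ == "__main__":
    entries, addresses, skipped = count_by_country(SAMPLE_LIST)
    print(f"{'country':<8}{'entries':>8}{'addresses':>10}")
    for country, n in addresses.most_common():
        print(f"{country:<8}{entries[country]:>8}{n:>10}")
    if skipped:
        print("skipped:", skipped)
```

On the sample, KR tops the address count because of a single /24 while having only one list entry; ranking by entries instead puts JP first. Which column you sort by changes the story the chart tells, which is one more reason to treat such breakdowns as curiosity rather than attribution.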

Unsurprisingly, it appears that the hacker community declared war on Russia, including Anonymous, the best-known hacker group in the world. It’s not difficult to find other members of team Ukraine like NB65, the Belarusian Cyber-Partisans, and others. A single hacker group declared for Putin and then immediately collapsed because of internal pro-Ukraine support.

The important takeaway from this situation is how difficult it is to determine origin and base real threat assessments on this information. It also goes to show that DDOS attacks are hard to propagate across long distances. Those transoceanic communication lines are saturated, and pushing big DDOS traffic across them is probably impossible.

Big wartime decisions should not be based on these cyber attacks. After all, cyber is a new warfare domain and must be treated as separate.