A10 Networks research monitors attacks on Ukrainian systems.

In the previous article in this series, we looked at data from A10 to understand the nature of recent Russian government-sponsored cybercrimes aimed at Ukrainian targets. The massive spike in attacks on Ukrainian government systems occurred on the first day of the Russian-Ukrainian war.

Recall the two main targets of the coordinated Russian DDoS amplification and reflection attacks:

  • Private Company "Infoservice-Link": more than two million reflected Apple Remote Desktop (ARD) responses. The target sits in a block of IP addresses whose geolocation points to Kharkiv, one of the largest cities of Ukraine, while the whois information identifies it as Severodonetsk, Lugansk region, Ukraine.
  • Secretariat of the Cabinet of Ministers of Ukraine: more than 600,000 Network Time Protocol (NTP) requests.

Studying these attacks, we can see that they were similar but not identical. The attack on the second target used Network Time Protocol (NTP) reflection on UDP port 123, which is quite common, while the attack on the first target used the far less common Apple Remote Desktop (ARD) protocol on UDP port 3283.

Figure 1: Protocols directed to Ukrainian-registered ASNs over UDP on February 24, 2022, as observed by a single honeypot. ARD, NTP and CLDAP were the most requested. Over the next six days, NTP became the largest protocol observed on the same honeypot, following the spike in activity on the first day of the war.

Because UDP is connectionless (unlike connection-oriented TCP), an attacker can spoof the source address of a request, hiding the real requester while the reflector sends its response to the chosen victim, which receives a large, amplified payload. This is why attackers favour amplification and reflection techniques.

ARD, for example, can have an amplification factor of more than 34 times the size of the original request. For the ARD attack on the first target, A10 Networks estimated that most of the reflected packets were 370 bytes (70%). However, given the large share of 1,014-byte packets (23%), we can estimate an average of roughly 500 bytes. Multiplying 500 bytes by 2,099,092 requests gives 1,049,546,000 bytes, just over 1 gigabyte, and all of it was requested from a single machine.
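The reflection pattern described in the last two paragraphs (many unrelated hosts answering from a reflector service port toward one destination, with responses far larger than the requests that triggered them) is something a defender can look for in flow records. The following Python script is an added example, not A10 Networks' or the author's tooling: it groups inbound UDP flows by victim and reflector service (ARD on UDP 3283, NTP on UDP 123, CLDAP on UDP 389), sums the volume, estimates the amplification factor and flags groups that exceed simple thresholds. The flow records, the thresholds and the per-protocol request sizes used for the amplification estimate are constructed assumptions for illustration.

```python
"""Flag UDP reflection/amplification floods in flow records.

Constructed example: a handful of flow records modelled on the traffic
described in the article, with responses from several ARD and NTP
reflectors converging on one victim, plus one legitimate NTP exchange.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflector service ports we watch, with the request size assumed for the
# amplification estimate. The request sizes are assumptions for this example,
# not measured values from the article.
REFLECTOR_PORTS = {
    3283: ("ARD", 30),    # Apple Remote Desktop
    123: ("NTP", 48),     # Network Time Protocol
    389: ("CLDAP", 52),   # Connectionless LDAP
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style), constructed."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# Constructed sample: three ARD reflectors and two NTP reflectors all answer
# to 198.51.100.7; the last two records are a normal NTP poll by 198.51.100.9.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 3283, "198.51.100.7", 40001, "udp", 1500, 555000),  # ~370 B/pkt
    Flow("203.0.113.11", 3283, "198.51.100.7", 40001, "udp", 500, 507000),   # ~1014 B/pkt
    Flow("203.0.113.12", 3283, "198.51.100.7", 40001, "udp", 100, 37000),
    Flow("192.0.2.5", 123, "198.51.100.7", 40001, "udp", 800, 384000),       # ~480 B/pkt
    Flow("192.0.2.6", 123, "198.51.100.7", 40001, "udp", 700, 336000),
    Flow("198.51.100.9", 52000, "192.0.2.7", 123, "udp", 1, 48),             # legit request
    Flow("192.0.2.7", 123, "198.51.100.9", 52000, "udp", 1, 48),             # legit reply
]


def summarize_reflections(flows, min_reflectors=2, min_packets=100):
    """Group UDP responses from reflector ports by (victim, service).

    A flow is a reflection candidate when it is UDP and its *source* port is
    a known reflector service, i.e. a response flowing toward the destination.
    Returns {(victim_ip, service_name): stats}, where stats holds the number
    of distinct reflectors, packet and byte totals, the average response size,
    the estimated amplification factor and a 'flagged' verdict.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["reflectors"].add(f.src_ip)
        g["packets"] += f.packets
        g["octets"] += f.octets

    report = {}
    for (victim, port), g in groups.items():
        name, request_size = REFLECTOR_PORTS[port]
        avg_response = g["octets"] / g["packets"]
        report[(victim, name)] = {
            "reflectors": len(g["reflectors"]),
            "packets": g["packets"],
            "octets": g["octets"],
            "avg_response_bytes": round(avg_response),
            "amplification": round(avg_response / request_size, 1),
            # Many distinct reflectors answering one host is the tell-tale sign;
            # a single server replying to a single client is normal traffic.
            "flagged": len(g["reflectors"]) >= min_reflectors
            and g["packets"] >= min_packets,
        }
    return report


def flagged_victims(report):
    """Return the sorted list of (victim_ip, service) pairs that were flagged."""
    return sorted(key for key, stats in report.items() if stats["flagged"])


if __name__ == "__main__":
    result = summarize_reflections(SAMPLE_FLOWS)
    for (victim, service), stats in sorted(result.items()):
        print(f"{victim} {service}: {stats}")
    print("flagged:", flagged_victims(result))
```

On the constructed records the ARD and NTP groups aimed at 198.51.100.7 are flagged (three and two distinct reflectors respectively, thousands of packets, responses many times the assumed request size), while the single 48-byte NTP reply to 198.51.100.9 is reported but not flagged. In production the thresholds would be tuned to the network's baseline, and the same grouping can be run per time window to catch the smaller, sustained attacks the article describes.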

In the "A10 DDoS Attack Mitigation: A Threat Intelligence Report," none of these protocols are in the top five. According to the research, there are 30,622 potential DDoS weapons for ARD that A10 monitors. Using only 10 percent of them could theoretically generate 3.2 terabytes of traffic, while using 50 percent could generate 16 terabytes of traffic.

Figure 2: Top 10 ARD UDP Locations of Potential DDoS Weapons Tracked by A10 (by Country and Overall)

Looking at the ARD protocol used against the first target, A10 tracks 30,622 ARD weapons, of which 18,290 (59%) are located in the US. The sheer number of such weapons clearly illustrates that IT organizations outside the warring nations may be actively involved in cyber conflicts, and that these organizations can directly help minimize the damage to Ukraine. The honeypot we analyzed was based in the United States.

As mentioned above, the two attacks highlighted on February 24 were extremely large-scale. However, we have also seen a steady increase in the number of smaller attacks on targets in Ukraine using various UDP protocols, and the mix of protocols has varied over time: ARD dominated the first day, and NTP dominated the next six days. System owners therefore need to ensure that their systems are not used to carry out Russian cyber attacks and illegal activities aimed at Ukrainian targets.

Learn more about A10 Networks and its high-performance solutions.

More to come. Stay tuned for updates so you don't miss Part 3 of the series from iIT Distribution and A10 Networks!
