Blocking DDoS Archive

It is accepted that all states are vulnerable to cyber threats. Yet, a majority of states have yet to develop coherent cyber strategies or implement sufficient preventive measures. Despite the increase in severe cyber incidents directed at national power plants, companies and nuclear-related military equipment, the threat of cyber interference in national nuclear weapons systems is not being properly tackled. With multinational nuclear supply chains and nuclear command and control systems at risk of being compromised, this must be urgently addressed.

The more complex, the more vulnerable

Governments and legislators are struggling to keep pace with the rapid development of cyber capabilities. As military systems become more technically complex it would be easy to assume that they are more secure. The opposite is true. Increased automation and connectivity increases vulnerabilities to cyber attacks. Measures such as air-gapping a system (ie. de-connecting it from the internet) can fall short. A recent US Government Accountability Office (GAO) report assessed the cyber security of US weapons systems and found “mission critical cyber vulnerabilities in nearly all weapons systems […] under development.“ While the report does not make reference to any specific system type, one can reasonably assume that nuclear weapons systems are vulnerable to cyber attacks.

Possible kinds of cyber attacks

Cyber attacks can take many forms. Activities range from cyber espionage, data theft, infiltration of nuclear command, control and communications (NC3), denial of service/distributed denial of service (DoS/DDoS) attacks, false alarms (jamming and spoofing), sabotage and physical damage. When directed against nuclear weapons systems, in the worst possible case this may escalate to a deliberate or inadvertent exchange of nuclear weapons.

Another area of concern is the supply chain, comprised of any hardware and software components belonging to the nuclear weapons system, including NC3, platforms, delivery systems and warheads. The supply chain usually includes a string of companies and providers located in different countries with varying cyber security standards, which means there is room for manipulation and sabotage. Take, for instance, a computer chip produced in country A. If a vulnerability were inserted at the production stage it could then be remotely activated at a later point when the chip is integrated into the military system of country B. If the attacker happened to be an “insider“ with unlimited access to a military site, compromising military equipment could be easier. This could be done for instance through an infected USB drive when security standards in a military facility happen to be low, leaving the victim of the attack unaware of the manipulation up until it is too late.

Limited awareness of cyber risks to nuclear systems

There is a lack of awareness within the expert community and among decision-makers and a reluctance by states to implement measures such as common cyber security standards and the sharing of information on vulnerabilities. Among the nuclear weapons states, only in the United States have high-ranking officials, such as Gen. Robert Kehler (ret.) and Air Force Gen. John Hyten (STRATCOM), in two Senate Armed Service Committee hearings in 2013 and 2017 expressed their concerns about a potential cyber attack affecting the U.S. nuclear deterrent. One reason why decision-makers and governments are unwilling to take these steps could be that it seems too unrealistic or improbable a threat, merely belonging to the worlds of science fiction and doomsday scenarios. But there is no reason to assume that the warnings of the GAO, the U.S. 2017 Task Force on Cyber Deterrence or the Nuclear Threat Initiative (NTI) are exaggerated.

Certainly, there has not yet been a major cyber attack on a state-run nuclear weapons programme – at least none we have publicly heard of. But there are a string of examples of cyber interference in nuclear installations or parts of the supply chain related to them. These include: the Stuxnet attack in 2010 affecting over 15 Iranian nuclear facilities which slowed down the development of Iran’s alleged nuclear weapons programme; a massive cyber attack on Lockheed Martin in 2009 during which thousands of confidential files on the U.S. F35 Lightning II fighter aircraft were compromised by hackers (they were also able to see information such as the location of military aircraft in flight); the 2017 hacking of the THAAD missile defence system in South Korea; the 2009 Conficker Worm attack on the French Marine Nationale; a 2011 cyber espionage campaign on the French nuclear company Areva; and deep worries over the WannaCry virus possibly targeting parts of the UK Trident system in 2017.

What should decision-makers and policy-makers do?

Governments need to grapple with how to handle rapidly developing cyber capabilities. A critical first step is develop a better understanding of the threat, including by answering the following questions:

  • What are the possible targets within the entire supply chain, the nuclear weapons system itself and within the upgrades, modernization and maintenance processes? What kind of vulnerabilities do they have?
  • Who are the potential actors likely to carry out a serious cyber attacks? Which state, non-state actor or state-sponsored group would have (1) an interest and (2) the resources and capabilities?

All states possessing nuclear weapons, hosting NATO nuclear weapons on their soil, or running a civil nuclear programme should conduct annual assessments of the cyber resilience of all systems in question.

No less important is improved information sharing on possible and actual vulnerabilities and lessons learned with large technology companies, suppliers, vendors and manufacturers, and the implementation of common security standards. These companies are normally not keen to disclose information on vulnerabilities because of possible reputational damage or for fear of revealing details that potential hackers or competitors could exploit. Government and business must work closely together to overcome these challenges and address joint concerns.

Governments must also invest heavily in research activities in the framework of existing institutions such as the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), the EU CBRN Centres of Excellence, or in cooperation with the European External Action service (EEAS), the United Nations (UNICRI) and, of course, within national cyber security institutions.

Governments and decision-makers of the nuclear-armed states should also publicly acknowledge that cyber security for nuclear weapons systems is a top tier priority for the safety and security of national military programmes. If the security of nuclear weapons is in question, this not only reduces their credibility and deterrent value but it also poses a massive safety and security risk. This is a risk that no government, population or company can or should manage alone.


  • A denial of service attack, which involves overwhelming computer systems with information in a bid to take them down, successfully interrupted electrical systems in Los Angeles County and Salt Lake County in March, according to the Department of Energy.
  • The incident was a rare example of as against an energy utility, particularly in a high population area.
  • Denial of service attacks are relatively rudimentary, and unlikely to be the work of a nation-state, one expert told CNBC.

Electrical grid operations in two huge U.S. population areas — Los Angeles County in California, and Salt Lake County in Utah — were interrupted by a distributed-denial-of-service attack in March, according to the Department of Energy’s Electric Emergency and Disturbance Report for March.

The attack did not disrupt electrical delivery or cause any outages, the Department of Energy confirmed, but caused “interruptions” in “electrical system operations.” In this case, “operations” does not refer to electrical delivery to consumers, but could cover any computer systems used within the utilities, including those that run office functions or operational software.

Although the attack did not interrupt service, denial-of-service attacks are easily preventable, and most large organizations no longer consider them major threats. The fact that it succeeded calls into question whether the utilities are prepared for a far more sophisticated attack, as the U.S. government has warned about.

DDoS attacks used to be common, but are easily prevented

A Department of Energy official told CNBC, “DOE received a report about a denial-of-service condition that occurred at an electric utility on March 5, 2019, related to a known vulnerability that required a previously published software update to mitigate. The incident did not impact generation, the reliability of the grid or cause any customer outages.”

The incident, which happened between 9:12 a.m. and 6:57 p.m., also interrupted electrical system operations in Kern County, California, and Converse County, Wyoming.

Distributed denial of service, or DDoS, involves delivering a heavy stream of information and internet traffic, usually with the help of a network of hacked computers, to overwhelm the systems of a target.

DDoS attacks are one of the simplest forms of cyberattack to execute. They used to be very common, but there are common practices in place to prevent them, and most large organizations have practically eliminated them as threats. The fact that such an easily preventable attack succeeded against a system serving such a large electrical distribution area is cause for concern, especially because energy is one of the U.S. government’s most important “critical infrastructure” sectors, making these utilities subject to the strongest protections.

The DOE has not released any information on the origins of the attack. Several countries, including Russia, Iran and China, have been cited by U.S. government authorities as sponsoring attacks against the U.S. electric grid, often with the goal of infiltrating the network or gathering intelligence.

But a DDoS is a relatively unsophisticated type of attack, meant to take down a computer network quickly. That means the culprit could be almost anybody, from a single individual to a larger group.

“DDoS is the low-hanging fruit in the hacker world. It’s very loud and it’s easy to detect quickly. The ones that are operating at the nation-state level don’t need to use DDoS,” said Chris Grove, director of industrial cybersecurity at Indegy, a utility and industrial systems cybersecurity company. “If this was a nation-state attack, they wouldn’t pull off a DDoS attack to take it down, they’d probably do a better job.”

This is the first reported cyberdisruption by the Department of Energy in 2019.

Last year, the DOE reported four reported cyber-events. One of them, like the March 5 incident, caused interruptions of electrical system operations in Michigan’s Midland and Genesee counties. The other three were reported as “could potentially impact electric power system adequacy or reliability.”


2018 was a big year for cyber-attacks, with movie studios, universities, and governments all being subjects to disruptions of varying sizes. Marriot hotels experienced a breech of 500 million records, exposing the travel and hospitality industries as new targets for cybercrime; the hotel guests’ information was stolen in a data breech that was detected on September 10th, 2018 though it could have started as far back as 2014. British Airways was another victim, or their customers to be more precise, when personal information from 380,000 users was stolen, alongside credit card information. It’s not just data breeches that caused troubles, cybercriminals took what they could get with many aiming for pure disruption without explicit financial benefit.

With this in mind Sungard took a closer look at the rate of airline outages in the US, uncovering shocking numbers in the process. The data looked back to 2007 to track the rate of outages across the US airline industry. The numbers started out low, with 2007 recording three outages, while 2008 and 2009 saw just one per year. Fast forward to 2011 and the number rose to five, peaking in 2015 with eleven outages overall. in 2016, nine outages were recorded; six in 2017; ten in 2018, and three so far in 2019. The trend is not linear but the presence of outages every year does confirm that airlines are the major new targets for cyber-attackers.

The most widely deployed attacks are of the DDoS style, which stands for Distributed Denial of Service. What happens during a DDoS attack is that hackers flood an organisation’s systems with so many communication requests that it overwhelms the servers, resulting in disruption of normal functions. Airlines are sensitive to these types of attacks since so many of their operations take place on line, making them vulnerable at many different points. Another possible reason is that airlines simply haven’t taken their cybersecurity as seriously as they should have from the start.

The problem is of course not isolated to the US, with attackers targeting international airlines too. When it happened to the Polish airline LOT, its chief executive Sebastian Mikosz said, “This is an industry problem on a much wider scale, and for sure we have to give it more attention.” Adding, “I expect it can happen to anyone anytime.”

Typically, the attacks don’t cause immediate danger to passengers as they don’t affect systems used by aircrafts while they’re in the air. Still, the disruptions are certainly annoying for all involved. They ground flights thanks to the knock-on effect of disruption and intricate flight schedules keeping all airports running. Some flights end up being rescheduled whilst others are altogether cancelled, causing issues for hundreds of passengers and costing airlines profits alongside reputation. While profits are recoverable, reputation is much harder to restore as passengers who experience disruption with a particular airline will view it as unreliable, choosing to avoid it for their next journey.

Airlines must wise up to the increased rates of attacks if profits and reputation are to remain intact. This can be done by targeting security, so that attackers aren’t able to cause disruptions in the first place, increasing resiliency, while also looking at recovery procedures to minimise downtime.

Travellers need to take extra precautions too. Travel insurance is a good bet when it comes to adding a layer of security to journey plans. Airlines that have undergone multiple mergers are more sensitive to cyberattacks due to merged patchwork of systems that are easier to exploit. Additionally, scheduling flights in the morning and choosing non-stop routes where possible, is safer, since afternoons and evenings see most of the server loads spike.


There is a direct correlation between cryptocurrency and DDoS attacks. As the price of cryptocurrency dropped in 2018, leading to decreased profits from cryptomining, hackers on the black market began to divert prime botnet resources to DDoS attack activities, which increased month by month.

correlation DDoS attacks cryptomining

DDoS attacks in 2018

In NSFOCUS’ 2018 DDoS Attack Landscape report, NSFOCUS analyzed the threat landscape after a landmark year of technological growth related to cloud computing, big data, artificial intelligence (AI), Internet of Things (IoT), and Industry 4.0.

Key findings include:

  • Attackers were more inclined to launch DDoS attacks when the short-term benefits from cryptomining activities declined in 2018.
  • In 2018, DDoS attacks kept expanding in size as DDoS-as-a-Service experienced a fast growth.
  • Of all internet attack types, 25% of attackers were recidivists responsible for 40% of all attack events. The proportion of recidivists in DDoS attacks decreased in 2018, making up about 7% of DDoS attackers that launched 12% of attack events.
  • Cloud services/IDCs, gaming, and e-commerce were the top three industries targeted by attackers.
  • The total number of DDoS attacks in 2018 reached 148,000, down 28.4% from 2017, driven by effective protections against reflection attacks, which decreased considerably.
  • In 2018, the most frequently seen attacks were SYN flood, UDP flood, ACK flood, HTTP flood, and HTTPS flood attacks, which all together accounted for 96% of all DDoS attacks.
  • Of all DDoS attacks, 13% used a combination of multiple attack methods. The other 87% were single-vector attacks.

correlation DDoS attacks cryptomining

“The fluctuation of Bitcoin prices has a direct bearing on DDoS attack traffic,” said Richard Zhao, COO at NSFOCUS.

“This, along with other report findings, can help us better predict and prepare for DDoS attacks. Attackers are after profits and as we watch bitcoin fluctuate, we will continue to see this correlation pop up. DDoS attacks have never stopped since making their debut – analyzing trends in this report helps companies keep up with the fluid attack and threat landscape.”


“Altogether, since February 5, there have been 17 separate instances where the volume of inbound internet traffic has exceeded the carrying capacity of our [internet service provider] for 5 minutes or longer,” said Martin Manjak, UAlbany’s chief information security officer.

Information technology systems at University of Albany have been targeted with cyber-attacks. In the space of two weeks, UA systems experienced a total of 17 distributed denial-of-service (DDoS) attacks, with threats as recent as Feb. 19.

“Altogether, since February 5, there have been 17 separate instances where the volume of inbound internet traffic has exceeded the carrying capacity of our [internet service provider] for 5 minutes or longer,” said Martin Manjak, UAlbany’s chief information security officer.

DDoS attacks flood a network with malicious requests, disrupting the normal flow of data between servers and legitimate users attempting to connect.

These attacks have impacted the availability and functionality of several UA IT systems, particularly Blackboard. According to Manjak, neither the integrity nor confidentiality of university information has been compromised.

Manjak said he believes the attacks may be related. However, no one has claimed responsibility and no motivate has been identified.

“All we know is that the resource being targeted is Blackboard,” Manjak said.

Computers on UA’s network, like those in the library, were not affected by the DDoS attack. However, students and faculty using their own devices were unable to access Blackboard.

“We’re able to maintain access to electronic resources from on-campus through a combination of firewall and filtering rules,” Manjak said, “but access from off-campus was affected because the attacker(s) filled our internet pipe.”

Members of the UA community received two information security alert emails from Manjak about the attacks, one on Feb. 5 and the other on Feb. 18.

“Communication is sent to the University community when we identify an active threat that has the potential to impact the entire campus,” Manjak said.