Putin’s government lists IP addresses and domains it says are directing DDoS traffic at Russia

Written by AJ Vicens

The Russian government on Wednesday released a list of more than 17,500 IP addresses and 174 Internet domains that it says are involved in ongoing distributed denial-of-service attacks against Russian domestic targets.

The list includes the FBI and CIA homepages, as well as other sites under country-code top-level domains (ccTLDs) such as those of Belarus, Germany, Ukraine and Georgia, and the European Union’s .eu.

The Russian government has not released any proof or evidence to support its claims regarding the IP addresses or domains on its list. DDoS incidents can be difficult to attribute to a specific actor: the source addresses seen in flood traffic are often spoofed, or belong to third-party systems abused as reflectors rather than to the attacker, and otherwise benign Internet domains can be hijacked by attackers to divert attention.

Russia’s National Computer Incident Response and Coordination Center released the data in an advisory that includes 20 recommendations to ward off attacks, such as robust logging, using Russian-based DNS servers, performing an “unplanned changing of passwords” and disabling external plugins for websites, according to a Google translation.

DDoS attacks – which render websites inaccessible by flooding them with traffic – are relatively basic in terms of cyber disruption, and generally easy to respond to and recover from. They don’t require a high level of sophistication, which is perhaps one of the reasons the Ukrainian government asked its growing legion of cybervolunteers to launch such actions against a list of Russian and Belarusian websites.

Hackers believed to be associated with President Vladimir Putin’s government launched a series of their own DDoS attacks against Ukrainian targets on several occasions in the run-up to the invasion, coinciding with more serious attacks that, in some cases, delivered malware designed to erase data and destroy computers.

Difficult times for the Russian internet

In the days following the February 24 Russian invasion, a plethora of self-proclaimed hacktivists, including multiple actors operating under the Anonymous mantle, claimed successful DDoS incidents involving a range of Russian targets, including banks, news sites and various government agencies. Allegations of more serious intrusions against Russian targets — such as the infrastructure supporting its spy satellites and other aspects of its space program — abound.

While many claims are difficult or impossible to verify, anecdotal reports from inside Russia indicate that the flurry of activity is having an impact. Oleg Shakirov, international security expert at a Moscow-based think tank, tweeted Thursday that “the Internet is not the same” and that government websites “are often unavailable due to DDoS attacks”. Other services, such as Twitter and Facebook, have been strangled by the Russian government, he added. There is a wider debate about whether internet governance should be caught up in the war.

Independent data shows that Russia’s internet infrastructure has been heavily targeted by DDoS disruptions, said Doug Madory, director of internet analytics for Kentik, a network management company. Data available to the company shows DDoS attacks targeting the authoritative DNS servers that serve the “.ru” top-level domain (TLD), starting around 6 a.m. Tuesday in Moscow.

“If the TLD were to somehow go away, you wouldn’t be able to resolve websites that end in ‘.ru,’” Madory told CyberScoop, meaning sites would become inaccessible.

Madory added that at this level of internet infrastructure, “it’s easy to develop great resilience” and “it would be very difficult to take it all down.” What is happening is more “a symbolic thing”, he said. “I’m not aware of any practical impact to this.”
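To make Madory’s two points concrete, here is an added example (not from the article, Kentik or any resolver project) that walks a toy DNS delegation tree the way an iterative resolver does. The zones, nameserver names and IP addresses are all constructed for illustration: a name under .ru resolves only if every zone on its chain, the root, “ru.” and the sub-zone, still has at least one reachable authoritative server, which is why knocking out all of the TLD’s servers would make .ru names unresolvable, while losing one of several servers changes nothing.

```python
# Added example: toy iterative resolver over a constructed delegation tree.
# Every zone, nameserver name and IP below is made up (RFC 5737 test ranges);
# a real resolver would fetch these referrals from the root and TLD servers.
from typing import Dict, FrozenSet, List, Optional, Tuple

# zone -> list of (nameserver name, nameserver IP) holding that zone.
ZONES: Dict[str, List[Tuple[str, str]]] = {
    ".": [("a.root.example", "198.51.100.1"), ("b.root.example", "198.51.100.2")],
    "ru.": [("a.tld.example", "203.0.113.1"), ("b.tld.example", "203.0.113.2")],
    "com.": [("a.gtld.example", "192.0.2.1")],
    "gov.ru.": [("ns.gov.example", "203.0.113.10")],
    "example.com.": [("ns.example.example", "192.0.2.10")],
}

# Constructed leaf A records served by the last zone on each chain.
ADDRESSES: Dict[str, str] = {
    "www.gov.ru.": "203.0.113.50",
    "www.example.com.": "192.0.2.50",
}


def zone_chain(name: str) -> List[str]:
    """Zones an iterative resolver visits for `name`, root first.

    "www.gov.ru." -> [".", "ru.", "gov.ru."]
    """
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:
            chain.append(zone)
    return chain


def resolve(name: str, unreachable: FrozenSet[str] = frozenset()) -> Tuple[Optional[str], Optional[str]]:
    """Return (address, None) on success.

    `unreachable` is the set of nameserver IPs that do not answer (e.g. flooded
    by DDoS). If every server of some zone on the chain is unreachable the walk
    stops there and (None, zone) names the dark zone; a name that does not
    exist returns (None, None).
    """
    for zone in zone_chain(name):
        if not any(ip not in unreachable for _, ip in ZONES[zone]):
            return None, zone  # no referral possible: resolution fails here
    return ADDRESSES.get(name), None


def impact(names: List[str], unreachable: FrozenSet[str]) -> Dict[str, bool]:
    """Which of `names` still resolve when `unreachable` servers are down."""
    return {n: resolve(n, unreachable)[0] is not None for n in names}


if __name__ == "__main__":
    names = list(ADDRESSES)
    one_ru_server = frozenset({"203.0.113.1"})
    whole_ru_tld = frozenset({"203.0.113.1", "203.0.113.2"})
    print("one .ru server down:", impact(names, one_ru_server))
    print("all .ru servers down:", impact(names, whole_ru_tld))
```

The second call shows the asymmetry Madory describes: with both constructed .ru servers dark, www.gov.ru. fails at the “ru.” zone while www.example.com. is untouched, whereas losing a single .ru server has no effect at all. Real TLDs spread dozens of anycast server instances behind a handful of NS names, which is the “great resilience” that makes a total outage hard to cause.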
