In February 2023, a large-scale DDoS attack took down the websites of seven German airports. The coordinated attack, executed by “Anonymous Russia”, targeted several major airlines and lasted for four hours. The attack caused an hour-long shutdown of services in seven airports across Germany, including Dortmund, Nuremberg, and Düsseldorf. Considering the damage inflicted by an hour of service shutdown in seven airports, this attack is considered a major incident. “Anonymous Russia” took responsibility for the attack, using the bot-traffic tool “Tsunami” to shut down the airports for an hour, and bragged on Telegram that “Germany has non-flying weather again”.
This attack follows a massive DDoS attack that targeted US airports in October 2022. No flights were canceled in October’s US attack. However, in the attack on German airlines, at least 250 flights were canceled due to the one-hour downtime during the four-hour attack. The first and major conclusion from this attack is that, like all successful DDoS attacks, this one managed to shut down services because of an unknown vulnerability in the airlines’ DDoS protection mechanisms. There are several reasons why unknown DDoS vulnerabilities exist and why organizations lack visibility into them, but before we analyze the cause, we must first talk about the elephant in the room: the implications.
The Immediate Damages
With a coordinated attack such as this, we must first look at the immediate damage, which is, obviously, the disruption of services on the airlines’ websites. In one hour of shutdown at seven airports, millions of customers were not able to access critical services. Following that, around 250 flights had to be canceled immediately. Passengers were forced either to wait, in the best case, or to make alternative plans that cost them money they never planned on spending, in the worst case. So, right off the bat, there is significant monetary damage all around: for the airports themselves, through the airlines, and down to the passengers. Everyone fell victim to this coordinated DDoS attack. Taking into account that DDoS attacks are considered rather simple to execute, this makes the entire ordeal even more frustrating for everyone involved.
When we try to understand the damage a DDoS attack causes, we must look at many different factors: the victim’s industry (government services, transport, e-commerce, gaming, banking, etc.), the type of service attacked, the organization’s size, the long tail, i.e., other organizations affected (partners, vendors, customers, etc.), and more. The numbers will vary greatly depending on each of the factors above.
In a conservative and rough calculation, an average flight costs an airline around 40,000 USD. This includes the costs of staff (both ground and in-air), fuel, landing permissions, taxes, etc. This amount is the average of transatlantic and intra-continental flights, with an average duration of five hours. Multiplying 250 flights by 40,000 USD per flight, the conservative estimate of the monetary damage inflicted on the airlines alone is 10 million USD. If we add the monetary damage to the airports themselves and to the passengers, we might end up with 20 million USD in damages. As mentioned, this attack lasted for four hours with an hour-long shutdown. It is terrifying to think about the damage when a DDoS attack is more complex, with longer downtime and perhaps even life-threatening implications.
The Potential Damages – What Will Happen Next Time?
Ralph Beisel, the general manager of Germany’s ADV airport association, confirmed the network-flooding events in an emailed statement. “Again, today the airports fell victim to large-scale DDoS attacks,” Beisel said, adding that “As far as we know, other systems are not affected. It is unclear to what extent the situation will spread to other locations”. This is true, and yet it is also clear that this time, everyone involved got lucky. This particular DDoS attack was widespread, caused major disruption, and also caused severe monetary damage, although none of the airlines has confirmed the actual damages yet. The question remains: what will happen next time? Who is to say that the next attack will not bring down major services, or serve as a diversion for a more malicious and dangerous cyber-attack, as many DDoS attacks turn out to be?
DDoS attacks on gaming companies or financial institutions are notorious for the damage they cause and even for the ransom they cost the organizations that fall victim to them. But when it comes to DDoS attacks on airlines, airports, and even healthcare institutions, organizations and governments must take into account that these attacks may inflict more than just monetary damage in the form of ransom or disrupted services. In these types of DDoS attacks, lives may be at risk, and in the case of a successful DDoS attack that brought down entire airports, or several at once, the reputational damage is also severe. Who would want to board a plane if the company operating it is exposed to DDoS attacks?
Why Did This DDoS Attack Happen?
When we ask why this attack happened, we are not pretending to know what the attackers thought or felt. Threat actors carry out DDoS attacks for various reasons, from political ideology to plain greed. But we can say for sure that this DDoS attack was successful because the airlines’ and the airports’ DDoS attack surface was exposed. It only takes one unknown DDoS vulnerability to bring the network down, and in fact, there is no other explanation. It is that simple. Organizations do not test their attack surface and their networks’ vulnerability on a regular basis because DDoS testing is disruptive and expensive: staff time, downtime and network shutdown, and finally remediation, which carries its own costs. The disruption to services associated with DDoS testing (for example, red team tests) causes organizations to think twice before approving such measures. In addition, organizations purchase top-of-the-line DDoS mitigation services, believing these services will protect them in case of a DDoS attack. The fact of the matter is that DDoS protection systems are not plug-and-play and do not provide 100% protection out of the box. These systems must be configured correctly according to the type of services they protect and the policies required.
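To make the point about configuration concrete, the following nginx fragment is an added illustration (it is not from the original post and not the configuration of any airline, airport, or vendor named here). It contrasts a reverse proxy left at its defaults with one whose limits are set for the service it actually fronts. The upstream name, paths, zone sizes, and rate values are all assumptions chosen for the example; real values have to come from measuring the service’s normal traffic.

```nginx
# Added illustration, not from the original post. Names and numbers are assumed.
# The two server blocks are shown side by side for comparison; a deployment
# would use one or the other, not both on the same port.

# --- "Out of the box": the proxy forwards everything it receives.
# Nothing here distinguishes a booking API from a static asset, so every
# request in an HTTP flood reaches the upstream application unchanged.
server {
    listen 80;
    location / {
        proxy_pass http://booking_upstream;   # assumed upstream name
    }
}

# --- Configured for the service it protects.
# Limits are keyed on the client address and differ per endpoint: a
# flight-search API tolerates far fewer requests per client than static
# content does, so one global threshold would be wrong for both.
limit_req_zone  $binary_remote_addr zone=api_per_ip:10m    rate=10r/s;
limit_req_zone  $binary_remote_addr zone=static_per_ip:10m rate=100r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

server {
    listen 80;

    # Bound concurrent connections per client and how long an idle client
    # may hold one, so a single source cannot exhaust worker connections.
    limit_conn            conn_per_ip 20;
    client_body_timeout   10s;
    client_header_timeout 10s;

    location /api/ {
        # Excess requests beyond rate+burst are rejected immediately with
        # 429 rather than queued, so the upstream never sees the overflow.
        limit_req        zone=api_per_ip burst=20 nodelay;
        limit_req_status 429;
        proxy_pass       http://booking_upstream;   # assumed upstream name
    }

    location /static/ {
        limit_req zone=static_per_ip burst=200 nodelay;
        root      /var/www;                          # assumed path
    }
}
```

The check a practitioner wants after deploying the second block is a load test against a staging copy of the service: the tuned limits must reject the flood while legitimate sessions stay under each zone’s rate plus burst. A limit chosen without first measuring normal traffic is how a mitigation layer ends up either useless (set too high) or a source of self-inflicted downtime (set too low), which is exactly the blind spot the untested configurations described above leave open.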
Organizations must take a proactive approach to their DDoS resilience, as DDoS attackers are getting more aggressive with their attacks. The average DDoS vulnerability gap for organizations with mitigation systems is anywhere between 30% and 75%, and 2023 will most likely see a rise from the average of 23,000 DDoS attacks per day. A solution like RADAR™ is critical for organizations that wish to strengthen their DDoS resilience, no matter which mitigation solution they use. RADAR is the only solution that uncovers blind spots in existing mitigation layers in a non-disruptive way, through continuous DDoS testing, with zero downtime and zero disruption to services. Performing continuous DDoS testing on live environments to uncover hidden vulnerabilities, following prioritized remediation reports, and validating that remediation is the only way to remain DDoS resilient and be protected against the next devastating DDoS attack.