DDoS Attack Knocks Belgian Websites Offline
ISP Belnet Targeted by Waves of Attacks
The websites of about 200 public and private entities in Belgium were knocked fully or partially offline Tuesday by a distributed denial-of-service attack against the publicly funded internet service provider Belnet.
Belnet says the DDoS attack, which began at 11 a.m. local time Tuesday, affected government, academic and research institutions. The attack struck websites using the .be domain. Victims included the Belgian COVID-19 vaccine sign-up program in the city of Brussels, according to The Brussels Times, which said some affected websites were still down on Wednesday.
"Our teams have successfully implemented several mitigation rules. The effect of the attack seems to be diminishing," Belnet reported on Tuesday. "We are constantly monitoring our network to counter any new attempts."
The infrastructure and website security company Cloudflare has tracked a major increase in DDoS activity in Belgium, with large spikes taking place the day of the Belnet attack.
"DDoS attack activity is up 103% in Belgium over the last 7 days and network-level DDoS attack activity originating in Belgium surged on Monday and Tuesday, with spikes hitting nearly 45x increases on normal levels," Cloudflare says.
Dirk Haex, technical director at Belnet, said Wednesday: "Yesterday's DDoS attack was of such a scale that our entire network was saturated. The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it."
Belnet, Belgium (@belnet_be), May 4, 2021: "The Belnet network is currently saturated and connectivity is severely disrupted. More info via https://t.co/6SNv65jS1B"
Belnet says there is no indication that those behind the DDoS attack infiltrated any of the affected networks.
The Belgian government has not issued a statement on the incident. The Center for Cyber Security Belgium, which is handling the investigation, did not respond to a request for additional information.
Belnet says it hasn't determined who launched the attack. But some cybersecurity officials point out that it coincided with a Belgian Parliament meeting on the plight of the Uyghur ethnic group in China.
"While the attack has not yet been attributed to specific adversaries, the fact that the DDoS attacks against Belgian government networks coincided with testimony of a Uyghur survivor to the Foreign Affairs Committee once again demonstrates the effect of geopolitics on cyber risk," says Gregory Rattray, former director of cybersecurity in the National Security Council.
Attribution of DDoS attacks is difficult because they can be waged by nation-states as well as cybercriminals, says Vyas Sekar, a professor of electrical and computer engineering at Carnegie Mellon University.
"There are 'booter' services that use compromised machines on the internet as a kind of DDoS-for-hire offering," he says. "There are enough of these zombie machines or 'bots' on the internet that are available to attackers - state-sponsored or otherwise - to overwhelm internet-connected services."
Nitzan Miron, a former member of the Israeli Defense Force's computer security unit and now vice president of application security at Barracuda, notes: "Surprisingly, anyone with $50 can launch a large-scale DDoS attack. The wide availability of services to launch a DDoS attack - billing themselves as legitimate 'load testing' services - means there is even competition on rates."
Belgium has a relatively immature national Computer Emergency Response Team, which makes the nation's public networks more vulnerable to large-scale disruptive attacks, says Rattray, who now serves as a senior adviser on cyber risk management and cyber defense for the consulting firm Oliver Wyman.
Sean Nikkel, senior cyberthreat intel analyst at the security firm Digital Shadows, points out: "The scale of a DDoS attack capable of disrupting such a large amount of the Belnet would need to be significant. By all accounts, the government has stated no indications of a breach of their systems, but it would be safe to assume that investigation into the matter is ongoing."
"A DDoS attack can be a bigger problem for the government than most organizations as many people rely on the government for meeting their daily needs," says Frank Downs, a former U.S. National Security Agency offensive threat analyst who is now a director at the security firm BlueVoyant.
Sekar of Carnegie Mellon adds: "If critical infrastructure services are down or disrupted, that can be a serious issue for citizens; e.g., imagine some critical government service not being available to citizens for significant amounts of time. For companies also, this is a key issue, since downtime leads to loss of revenue."