Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zhadnost DDoS attacks: what misconfigured routers mean for resilience


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Three DDoS campaigns against Ukrainian government and financial sites used more than 3,000 unique IP addresses, with HTTP floods in one case and DNS amplification in the others, and most nodes were MikroTik routers with recursion enabled, according to SecurityScorecard. The lesson is that exposed, misconfigured infrastructure can be turned into globally distributed attack capacity far faster than many defenders expect.

NHIMG editorial — based on content published by SecurityScorecard: Zhadnost DDoS attacks targeting Ukrainian government and financial websites

By the numbers:

Questions worth separating out

Q: What breaks when DNS recursion is left enabled on internet-facing routers?

A: When DNS recursion is left enabled on internet-facing routers, those devices can be used as reflection and amplification nodes in DDoS attacks.

Q: Why do exposed routers and proxies make DDoS campaigns harder to stop?

A: Exposed routers and proxies expand attack capacity because the traffic originates from many unrelated devices across many networks, which makes blocking single sources ineffective.

Q: How do security teams know if their edge device exposure is becoming a resilience problem?

A: Security teams know edge device exposure is becoming a resilience problem when public-facing services are enabled without a documented business need, when recursion or similar amplifying functions are open to the internet, and when device inventories cannot quickly answer who owns the exposure.

Practitioner guidance

  • Audit router recursion settings across the internet edge Check every exposed router and resolver for recursive DNS enabled on public interfaces, then disable it unless recursion is required for a documented business case.
  • Inventory unmanaged devices that can amplify traffic Build a continuous inventory of internet-facing edge devices, including routers, proxies, and branch appliances, then flag any system with open recursion or other amplification-prone services.
  • Add layered DDoS protection for both flood types Combine upstream scrubbing, CDN or cloud-based mitigation, and local rate controls so that HTTP floods and DNS amplification are handled at different layers.

What's in the full report

SecurityScorecard's full report covers the operational detail this post intentionally leaves for the source:

  • Netflow-based attack reconstruction showing how the three campaigns differed in source population and traffic pattern
  • The device-level indicators SecurityScorecard used to identify MikroTik and other recursion-enabled routers
  • The comparative table of attack dates, IP counts, and observed DDoS techniques
  • Mitigation guidance for recursion settings and upstream DDoS protection based on the observed traffic

👉 Read SecurityScorecard's analysis of the Zhadnost DDoS attacks on Ukraine →

Zhadnost DDoS attacks: what misconfigured routers mean for resilience?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Misconfigured edge infrastructure is a governance failure, not just a network problem. The Zhadnost campaign shows that availability attacks often begin with unmanaged services at the perimeter, not with malware inside the enterprise. When routers are left with recursion enabled, the security issue is not the attack itself but the persistent exposure that makes the attack possible. Practitioners should treat exposed recursion settings as a control failure with lifecycle ownership, not an isolated operational defect.

A question worth separating out:

Q: Who is accountable for reducing DDoS exposure on routers and edge services?

A: Accountability should sit with the asset owner, the network operations team, and the security function together, because DDoS exposure is both a configuration issue and a resilience issue. Governance frameworks should require ownership for public services, validation of recursion settings, and regular review of externally reachable devices so the same exposure does not recur.

👉 Read our full editorial: Zhadnost DDoS attacks show how misconfigured routers scale disruption



   
ReplyQuote
Share: