Recently hackers targeted the websites of several German airports, according to a Reuters report. The airports affected included Dusseldorf, Nuremberg, and Dortmund. However, that Feb. 16 attack left Germany’s larger airports in Munich, Berlin, and Frankfurt unscathed.
In a statement, Ralph Beisel, chief executive of the ADV German airport association, attributed the incident to large-scale distributed denial-of-service (DDoS) attacks and told Reuters that the attack affected the websites of seven airports. The ADV (Arbeitsgemeinschaft Deutscher Verkehrsflughäfen) was unaware if the attack spread to other locations, according to Beisel.
Details on what caused the February DDoS attack on German airport websites remain unclear.
“Mandiant does not know what caused the DDoS attack on the German websites,” says Ben Read, director of Mandiant cyber espionage analysis at Google Cloud.
Meanwhile, Scott N. Schober, president and CEO of Berkeley Varitronics Systems, doesn’t see a clear motive for the attack. “The cyberattack on German airport websites does not appear to be a coordinated effort with any real agenda,” he says.
What Are DDoS Attacks?
DDoS attacks occur when a threat actor disrupts the traffic of website or network with an overwhelming amount of internet traffic, like a traffic jam, explains Omer Yoachimik, product manager at Cloudflare. The attacker hits from multiple compromised computer systems.
“The impact of DDoS attacks can be anywhere from subtle (slower websites) to very serious (outage/unavailability),” Yoachimik says. “These attacks don’t require any compromise of the target systems and can be launched against anything connected to the internet.”
Yoachimik notes that botnets, a group of computers affected by malware, usually carry out DDoS attacks. “Historically, we have seen IoT-based botnets carrying out these attacks, but lately we have also seen virtual private server (VPS)-based botnets leveraged to launch powerful volumetric attacks,” he says.
HTTP DDoS attack traffic rose by 79% year over year in the fourth quarter of 2022, according to Cloudflare.
Schober notes how commonplace DDoS attacks have been in recent years. “This is due to the fact that DDoS attacks can be ordered and delivered almost as easily as an Uber or food delivery,” he says.
“DDoS attacks are generally carried out by thousands of ‘zombie’ devices at the same time,” Schober says. “These devices have been infected ahead of time and lie dormant as an army waiting to be used to create disruption and frustration in the communication pipeline running between a single domain and its many users.”
More Trouble for Airports?
A day before the DDoS attack, Lufthansa suffered an IT outage that brought flight delays and cancellations. Fiber-optic cables damaged during construction work caused the outage, Lufthansa told Forbes.
One day after the German airport DDoS attack and two days after the Lufthansa outage, a 24-hour labor strike by the Verdi labor union hit German airports and forced cancellation of 2,340 flights, according to CNN.
The DDoS attack on the German airports follows a system outage on Jan. 11 in which all US domestic aircraft were grounded between 7:30 a.m. and 9 a.m. ET. In a Jan. 19 statement, the Federal Aviation Administration (FAA) said contract personnel had unintentionally deleted files as they tried to fix synchronization of a live primary database and a backup database.
Although no cyberattack appears to have spawned the outage, the FAA continued to investigate the cause.
“The January 2023 FAA computer glitch was nothing more than the result of an authorized contractor who mistakenly deleted a few critical files they should not have had access to in the first place,” Schober says.
The FAA made the required repairs and is working on making the Notice to Air Missions (NOTAM) system more resilient, according to an FAA statement.
“The agency is acting quickly to adopt any other lessons learned in our efforts to ensure the continuing robustness of the nation’s air traffic control system,” The FAA said.
Meanwhile, a group called Killnet carried out cyberattacks last year that took state government websites offline, according to Bloomberg. The Oct. 10 attack led to intermittent delays on LaGuardia Airport’s website for 15 minutes. The website for Los Angeles International Airport also experienced partial disruptions and websites for Chicago’s O’Hare and Midway airport went offline.
DDoS and ransomware attacks are hitting the transportation and healthcare industries hard because those verticals lack the budget to ramp up protection, according to Pete Nicoletti, field CISO at Check Point Software Technologies.
“They typically are trying to save money, so unfortunately they're being caught in crosshairs of these political, politically motivated attacks,” Nicoletti says.
Protecting Against DDoS Attacks
Cloudflare’s Yoachimik recommends autonomous protection to protect against DDoS attacks. “The best defense against DDoS attacks is to proactively put mitigation systems in place that have the ability to automatically and autonomously detect and stop attacks in their tracks,” Yoachimik says.
He also suggests ultra-low time-to-mitigate (TTM) solutions because DDoS attacks come quick and can escape the radar of detection systems.
“Mitigation systems with slow reaction times, like those that require human intervention or rely on a scrubbing center architecture, are at a huge disadvantage because they simply cannot respond as fast as always-on, automated systems,” Yoachimik says.
Schober recommends analyzing server-hosting infrastructure as part of efforts to guard against DDoS attacks. The analysis will help IT leaders distinguish legitimate spikes in website activity with DDoS activity spikes.
“This is especially true in the case of the airline industry, which is so vulnerable to delays and the domino effect that typically follows and amplifies more problems even further,” Schober says. “Any infrastructure that relies on constant website communication with the public must have the ability to increase bandwidth substantially at any given moment. This includes both downtime from either accidental or malicious causes.”
Royal Hansen, vice president of engineering for privacy, safety and security engineering at Google, suggests using a defense-in-depth strategy to protect against DDoS attacks. Defense in depth involves deploying defenses and controls at multiple layers of a network environment to safeguard web applications, he says.
“Another consideration is to leverage large infrastructure offerings like the cloud, for instance, in those layers of defense so organizations aren't trying to go it alone building out layered protection,” Hansen says.
Check Point’s Nicoletti recommends that companies use a web application firewall (WAF) to protect web applications from attacks and unauthorized web traffic.
“The tools you have to put in place need to be able to discern authorized traffic versus unauthorized traffic,” Nicoletti says. “And one of the tricks that the DDoS [attackers] do is they try to hide as authorized traffic.”
What to Read Next:
CIO Lessons Learned from Southwest Airlines’ Winter Plight
Understanding DDoS Attacks on US Airport Websites and Escalating Critical Infrastructure Cyberattacks