Are airports protected from DDoS attacks?

On September 28, the largest Russian airline Aeroflot was subjected to a powerful DDoS attack, which was aimed at the Leonardo air ticket reservation system (Leonardo, developed by Sirena-Travel together with Rostec). Because of this, the airline’s website does not open to users. Due to the glitch, more than 16 flights were delayed at Moscow’s Sheremetyevo airport.

DDoS attacks began on the morning of September 28. Towards the evening, attacks on Leonardo resumed, a Rostec representative told Vedomosti. They come from the territory of several countries, including Ukraine, he specified.

“At the moment there are minor disruptions. The goal of the attackers attacking Leonardo is to stop air travel in Russia,” a representative of the state corporation noted on the evening of September 28. To repel attacks on the infrastructure of the air ticket booking system, an in-house information security team has been deployed, as well as two additional distributed teams, he added.

When entering the site from a desktop computer, the user received notifications that “access to the site is temporarily limited by the owner of the web resource.” At the same time, the mobile version of the site and the application “Aeroflot» available. The websites of Aeroflot’s subsidiary airlines Rossiya and Pobeda also worked as normal.

Since the morning, Aeroflot, Rossiya and Pobeda reported malfunctions in the air ticket booking system. As a result, airlines faced problems when checking in passengers. Later, airlines announced the restoration of all services.

Rossiya noted that due to a failure from Sheremetyevo, flights to Kaliningrad, Perm, Murmansk, Ulyanovsk, St. Petersburg and Sochi were delayed. In addition, flight departures from Sochi to Sheremetyevo and Istanbul, as well as from Kaliningrad, Yekaterinburg, Murmansk, Ufa, Khibiny to St. Petersburg, were also delayed. According to information on the online board of Sheremetyevo Airport, at least 16 flights of Pobeda and Aeroflot airlines were delayed for departure, including to Sochi, Dalaman, Antalya, Astana, etc.

Vedomosti sent inquiries toAeroflot“, UTair“Ural Airlines“(all three airlines use the Leonardo system), S7 (use the Russian Online Reservation System – ORS), Sheremetyevo and Domodedovo airports, as well as large airport holdings.

A representative of Moscow’s Vnukovo Airport said that all difficulties in the functioning of services have been eliminated, and the airport is operating as normal.

This could really be a DDoS attack on the Leonardo system, suggests the director of the company’s transport and logistics department “Reksoft» Alexander Semenov. In this case, because of it, check-in systems at all airports could not process passengers, since they did not receive information about tickets from Leonardo, he notes. The possibility that the unavailability of the reservation system was due to a DDoS attack cannot be ruled out, agrees Kaspersky DDoS protection product manager Alexander Gutnikov. It was a targeted attack of rather medium scale, estimates commercial director of Security Code Fedor Dbar.

The DDoS attack model assumes the presence of a command center and infected bots (ordinary computers), explains Ruslan Permyakov, deputy director of the NTI Competence Center “Trusted Interaction Technologies” based on TUSUR. Such attacks can last for a considerable time – up to several days, says Denis Kuvikov, director of the SafeNet regional engineering center of the National Technology Initiative (NTI). The attackers’ goal is to “overload” the system with a large number of requests to make it unavailable for interaction with other systems, Semenov says.

Depending on the level of the attack, it can lead to a failure of the service or server equipment; in addition, DDoS can lead to the acquisition of data stored on the server, warns Igor Bederov, an expert at the SafeNet NTI engineering center. One of the most dangerous scenarios is one in which an attacker manages to get to the system data, encrypt it or steal it, notes Sergei Lebedev, director of backup systems at Cyberprotecta.

When attackers carry out a DDoS attack, they can aim to block a service or try to hide traces of other types of attacks, for example, data theft, takeover of systems, etc., adds the head of expertise and analytics at Garda Technologies (part of the Group of Companies ” Garda”) Alexey Semenychev. In combined targeted attacks, DDoS is used as a distraction to draw the attention and resources of information security specialists, Gutnikov continues. According to him, attackers may try, for example, to penetrate an organization’s infrastructure, steal data, or deface a site (hacking a site and publishing an attacker’s message on it).

There is no official information about the source countries of the traffic yet, but judging by the attack capacity, this is one of the European groups, Permyakov points out. At the same time, previously the sources of attacks were mostly foreign, so blocking foreign IP addresses helped fight DDoS attacks, recalled Qrator Labs product manager Georgy Tarasov. But now the traffic patterns have changed: attackers realized that in many cases companies use the method of blocking foreign traffic (via GeoIP) to protect against attacks, and they have learned to successfully bypass this measure. A significant portion of attack traffic is now generated within Russian networks, and blocking packets from abroad has completely ceased to be effective, Tarasov says.

The success of the attack on Leonardo services indicates that their protection system against DDoS attacks does not always cope with modern security challenges and requires updating in order to quickly respond to the emergence of new types of attacks, Tarasov points out. Considering that the complaints came from fairly large airlines such as Aeroflot, Pobeda and Rossiya, it should be recognized that the system architecture and the DDoS protection tools used were not reliable enough and should be reviewed, agrees Semenychev.

Since a DDoS attack involves the exhaustion of a publicly available resource (channel width, server memory, free connections), the fact of an attack does not indicate weak protection, argues Permyakov. With sufficient resources, you can successfully attack almost any system, and the reliability of protection can be indicated by the time it takes to restore the system, as well as the speed of deployment of traffic cleaning systems, he points out.

No one is 100% insured; the probability of an attacker achieving his goal always exists, even in the most secure companies, confirms Lebedev. With a competent organization of the backup system, a company can quickly return to its usual work, “rolling back” the state of the system to the point when everything was working normally, he says.

To seriously protect yourself from DDoS attacks, you need equipment, algorithms and infrastructure to quickly detect them, a reserve of channel capacity and server power to filter spurious traffic, Tarasov recommends. In addition, to avoid becoming a victim of modern attackers, you should not use outdated methods of blocking illegitimate traffic, such as GeoIP, he concluded.