
DDoS risk Eurovision Song Contest 2025

This year, from Tuesday, May 13th to Saturday, May 17th, 2025, the Eurovision Song Contest will take place in Basel. This is also an event that has the potential to attract DDoS actors. I will be keeping a close eye on NoName057(16) activity, as this is something that is possible. Additionally, follow the news to see if we can see signs of activity.

News articles from past years indicate that DDoS attacks around the Eurovision Song Contest were a more or less common occurrence.

If you are in charge of services in and around the ESC, don’t forget DDoS preparedness. I will be updating this blog post with public information that I see. This is also for my own curiosity regarding the impact and effectiveness of mitigations.

DDoS Activity

DDoS activity from the NoName057(16) group was happening during the Eurovision Song Contest (ESC), but against the regular website and apparently not against the voting website. Personally, I did not experience any issues during the event, and I haven’t seen anything in this direction during the event. We also see public transportation and taxi companies on the list, for which I do not know if the websites were running into issues. But the main event seems to have handled the attack well.

DDoS Gantt during ESC 2025, Basel, based on https://witha.name/ data. (2025-05-20)

In general, however, it seems interest in DDoS was rather low, without knowing details of other attacks that were potentially not publicly disclosed.

Time period: From 2025-05-16T08:10 to 2025-05-17T08:25

URL | Duration (Minutes)
ebok.gkpge.pl | 1454
www.gkpge.pl | 1454
biznes24.pgnig.pl | 1454
remit.gkpge.pl | 1454
ebok.pgnig.pl | 1454
polskapress.pl | 1454
nominacje24.pgnig.pl | 1454
samorzad.gov.pl | 1454
klub-lewica.org.pl | 1454
trzeciadroga.org | 1454
bezpartyjnisamorzadowcy.pl | 1454
kukiz15.org | 1454
www.lodzkie.pl | 1454
eurovision-basel.ch | 1454
www.bvb.ch | 1454
www.blt.ch | 1454
www.swisscom.ch | 1454
login.scl.swisscom.ch | 1454
www.33ertaxi.ch | 1454
www.taxi-zentrale.ch | 1454
www.mini-cab.ch | 1454
www.bis.org | 1454
itd.rada.gov.ua | 1154
www.rada.gov.ua | 1154
zakon.rada.gov.ua | 1154
www.tor.gov.ua | 1154
oblradack.gov.ua | 1154
www.oblradack.gov.ua | 1154
www.rayrada.ck.ua | 1154
ck-oda.gov.ua | 1154
data.gov.ua | 1154
swpp2.gkpge.pl | 684
pgnig.pl | 684
pho.pl | 684
oneplace.marketplanet.pl | 684
platforma.org | 684
www.psl.pl | 684

Checking the Telegram channels and X.com (Twitter), I haven’t seen any recent trophy posts around the ESC. In general, it seems not to be actively posting anymore, neither on Telegram nor on X.com (Twitter).

Preparations

Splitting the main domain from the voting system domain was certainly a good decision system-wise, as it reduces the blast radius when one of them is hit by an attack.

https://eurovision.tv/ (2025-05-20)

Both websites used Cloudflare as a CDN and therefore likely also to mitigate DDoS attacks.

https://esc.vote/ (2025-05-20)

See reports

Azure Front Door

While it’s unknown if NoName057(16) will be back with a campaign during the ESC, the following query inspects your Azure Front Door access logs for the user agent strings published over at witha.name.

let userAgents = dynamic([
    "AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)",
    "Dalvik/2.1.0 (Linux; U; Android 11; Tibuta_MasterPad-E100 Build/RP1A.201005.006)",
    "Mozilla/5.0 (Linux; Android 11; SM-A115M Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/102.0.5005.125 Mobile Safari/537.36 Instagram 306.0.0.35.109 Android (30/11; 280dpi; 720x1411; samsung; SM-A115M; a11q; qcom; pt_BR; 530130405)",
    "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-T220) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43",
    "Mozilla/5.0 (Linux; Android 6.0.1; SM-G532MT Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/436.0.0.35.101;]",
    "Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile DuckDuckGo/1 Lilo/1.2.3 Safari/537.36",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
    "Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:0.9.3) Gecko/20010802",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76 GLS/97.10.7399.100",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/102.0.5143.178 Chrome/102.0.5143.178 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; SMARTEMB Build/3.12.9076) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/103.0.5060.129 Chrome/103.0.5060.129 Safari/537.36",
    "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/115.0.5738.217 Chrome/115.0.5738.217 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19G82 Instagram 306.0.0.20.118 (iPhone12,1; iOS 15_6_1; en_GB; en; scale=2.00; 828x1792; 529083166) NW/3",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586"
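]);
AzureDiagnostics
// Azure Front Door access log entries only
| where ResourceProvider == "MICROSOFT.CDN" and Category contains "FrontDoorAccessLog"
| where TimeGenerated >= ago(30d)
// Exact, case-sensitive match of the full user agent string against the list above
| where userAgent_s in (userAgents)
// Hourly request count per matching user agent
| summarize count() by bin(TimeGenerated, 1h), userAgent_s
| render columnchart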
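
The same check applied offline to exported access log records, as an added example that is not the author's code. It goes beyond the query by also reporting, per hour, the share of traffic and the number of distinct clients behind the listed user agents, because such strings can also occur in benign traffic. The JSON layout (`time`, `properties.userAgent`, `properties.clientIp`, `properties.httpStatusCode`), the sample records and the thresholds are assumptions.

```python
import json
from collections import Counter, defaultdict

# Two strings copied from the page's list; use the full list in practice.
LISTED_UAS = {
    "Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:0.9.3) Gecko/20010802",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
}
UA1, UA2 = sorted(LISTED_UAS)
OTHER = "Mozilla/5.0 (constructed benign browser)"

def _rec(time, ip, ua, status):
    # Assumed export layout: one JSON object per line with "time" and "properties".
    return json.dumps({"time": time, "properties": {
        "clientIp": ip, "userAgent": ua, "httpStatusCode": status}})

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    _rec("2025-05-16T08:10:05Z", "192.0.2.10", UA1, "403"),
    _rec("2025-05-16T08:10:06Z", "192.0.2.11", UA1, "403"),
    _rec("2025-05-16T08:11:40Z", "192.0.2.12", UA2, "200"),
    _rec("2025-05-16T08:30:00Z", "198.51.100.7", OTHER, "200"),
    _rec("2025-05-16T09:05:00Z", "198.51.100.7", OTHER, "200"),
    _rec("2025-05-16T09:06:00Z", "198.51.100.8", OTHER, "200"),
    _rec("2025-05-16T09:20:00Z", "203.0.113.5", UA1, "200"),
]

def hourly_report(lines, listed=LISTED_UAS):
    """Per hour: total requests, listed-UA requests and their share, clients, statuses."""
    hours = defaultdict(lambda: {"total": 0, "listed": 0, "clients": set(), "status": Counter()})
    for line in lines:
        try:
            rec = json.loads(line)
            hour = rec["time"][:13]  # "YYYY-MM-DDTHH", like bin(TimeGenerated, 1h)
            props = rec["properties"]
            ua, ip, status = (props.get(k) for k in ("userAgent", "clientIp", "httpStatusCode"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed lines instead of aborting the run
        hours[hour]["total"] += 1
        if isinstance(ua, str) and ua in listed:
            hours[hour]["listed"] += 1
            hours[hour]["clients"].add(ip)
            hours[hour]["status"][str(status)] += 1
    return {h: dict(v, share=v["listed"] / v["total"]) for h, v in hours.items()}

def suspicious_hours(report, min_share=0.5, min_clients=2):
    """Hours where listed UAs dominate traffic and come from several clients."""
    return sorted(h for h, v in report.items()
                  if v["share"] >= min_share and len(v["clients"]) >= min_clients)
```

The status counter of a flagged hour shows how many of the matching requests were blocked versus served, which gives a rough view of how well the mitigation held.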