NCSC – Technical report DDoS

I compiled a summary of the report published by NSCSC. However, I found that the report remained rather basic and there weren’t many learnings for me.

ℹ️ Update January, 2024

In January 2024, the World Economic Forum in Davos occurred. Once again, we witnessed a DDoS attack from the NoName057(16) group. Read more here: NoName057(16) DDoS January 2024

Overview of DDoS Attacks by NoName057(16) and Mobilization of “Heroes”

The DDoS attacks aimed to disrupt the availability of websites by exhausting resources, yet no productive data was compromised. The group NoName057(16) orchestrated these attacks by mobilizing cyberactivists called “heroes,” who provided their computing power in return for monetary rewards. The attacks primarily targeted the application layer (OSI layer 7). The National Cyber Security Centre (NCSC) has categorized these June 2023 DDoS attacks as acts of cyberactivism.

The Distinctive Approach of NoName057(16)

Unlike traditional botnets, NoName057(16) relies on volunteer “heroes” to execute its DDoS campaigns. These volunteers deploy a client called DDoSia on their devices and register via a Telegram bot with their ID and cryptocurrency wallet, expecting payment based on the number of attacks performed. The financial backing for these payments remains a mystery, and while “heroes” risk identification through their IP addresses, the actor advises the use of VPNs to obfuscate their identities.

Attack Strategy and System Resource Exhaustion

The June attacks mimicked legitimate user behavior to overload website capacities, rendering them unusable or inaccessible. Written in Go, the DDoSia client operates on Linux, Windows, macOS, and Android, generating dynamic web queries that strain backend infrastructure and blend with legitimate traffic. The unchanged HTTP user agent identifier Go-http-client/1.1 was a consistent feature throughout these attacks.

Identifying and Blocking Malicious Traffic

Attack patterns, such as the DDoSia client’s user agent present in log files, can help compile a list of participating “heroes.” Organizations can then proactively block this malicious traffic at their internet router level.

More details to DDoSia: Following NoName057(16) DDoSia Project’s Targets – Blog

Analysis of the April to June 2023 DDoS Attacks

The attack campaign that spanned from April 1 to June 24, 2023, was marked by high intensity but low complexity. The average data traffic was typical for application-layer attacks, with about 20,000 to 25,000 packets per second and under 200 Mbit/s. Roughly 20,000 IP addresses were involved, with 3% traced to Switzerland. Swiss targets were largely prepared, showcasing that proper security measures can significantly reduce potential damage.

The Challenge of DDoS Protection

DDoS attacks are technically less complex than sophisticated infiltrations, such as advanced persistent threats. Nevertheless, the real test lies in countering the scalability of attacks and evolving tactics that bypass standard defenses. Robust security measures and proactive strategies are essential for mitigating the effects of DDoS attacks.

Limitations of Conventional Anti-DDoS Strategies

Traditional anti-DDoS measures focused on volumetric attacks fall short against the application-layer techniques used by NoName057(16). Once attack patterns are thoroughly understood, employing common security mechanisms—such as IP range blocking, geoblocking, Web Application Firewalls (WAFs), and rate limiting—can quickly mitigate the impact of a DDoS attack.


The original published report from the NCSC in Switzerland.

The National Cyber Security Centre NCSC publishes technical reports in the area of Information Assurance. The reports will deepen actual topics related to incidents and ocurrences in the information and communication technologies (ICT) and will address the corresponding set of problems and put them in a major context.