If there’s one big lesson about internet availability, it might be coming from Ukraine, where more than a year of Russian attacks have failed to bring down the network.
According to a study by ThousandEyes, which is part of Cisco, the repeated attempts to disrupt access to key Ukrainian web sites have occasionally succeeded, but only for short periods.
The most effective defensive strategy proved to be hosting content on global providers’ infrastructure, which demonstrated the most resilience overall, according to ThousandEyes’ “Ukraine Internet Analysis – March 2023”.
“Network-level disruptions were negligible, and the application-layer security in place for most of these sites allowed targeted blocking of traffic (e.g., Russia locations), while enabling the sites to remain largely available to legitimate users,” the study said.
ThousandEyes found two other hosting options—regional providers outside Ukraine and hosting within Ukraine—to be less resilient.
To gather data between February 2022 to March 2023, ThousandEyes monitored scores of Ukraine banking, government, and media web sites from vantage points in Kyiv and Kharkiv in Ukraine, Moscow and St. Petersburg in Russia, and from others around the world.
Connecting to the sites’ web servers to check on their availability and how well the pages were able to load revealed the health of the sites from a network and application perspective, according to Angelique Medina, Head of Internet Intelligence, Cisco ThousandEyes.
It also revealed actions Ukraine network administrators were taking to make their sites less susceptible to disruption. For example, in the weeks leading up to the war, some of these sites – the banking sites in particular – started migrating their content to global providers. Then the war started, and “we saw many more in the following weeks,” Medina said.
Those global providers are difficult to overwhelm via DDoS assault at a network layer because they are very distributed, so ThousandEyes didn’t typically see behavior indicating that the sites being monitored were unavailable due to network issues, she said.
The global providers also had resources to defend against application-layer attacks, which are more difficult to block. Those included filtering out illegitimate traffic using web-application firewalls and validating visitors to the sites to ensure they weren’t bots, Medina said.
That wasn’t the case for sites being hosted within Ukraine, where network-related issues were more common. ThousandEyes would observe high levels of packet loss indicating that a site was using BGP to black-hole all traffic headed toward the site, sometimes for days at a time. “So there were a lot of issues with traffic loss, for example, but we didn’t really see that kind of behavior for sites that were globally hosted, or globally delivered, if you will,” Medina said.
The entities in Ukraine were also blocking traffic originating in Russia at the ThousandEyes observation points in Moscow and St. Petersburg.
In the case of sites hosted by regional providers that lack a global footprint, availability was greater than that of sites hosted in-country but less than that of the global providers. “Regional hosting providers can leverage a combination of application-layer and network-layer protections against cyber-attacks but may be vulnerable to high-volume attacks when a targeted site is hosted in a single data center,” the ThousandEyes analysis said.
There were instances when the vantage point ThousandEyes used in Kharkiv couldn’t reach any sites at all for a few days due to infrastructure problems on the ground. “We were effectively told that was due to some shelling, but then the connection was restored, and there was no issue,” Medina said.
ThousandEyes also observed efforts within Russia to block certain traffic from reaching users within the country. In one case, apparently by mistake, a network configuration at a Russian ISP resulted in hijacking traffic destined for Twitter, Medina said. That’s an example that all organisations should be mindful of, especially when political conditions might result in intentional BGP hijacking.
Bad actors could steer traffic either toward sites they control or effectively make an organisation unavailable to the internet. So it’s important to have an understanding of how traffic is routed across the internet and how to protect it along the way. “I think a lot of organisations don’t really think about their traffic in flight,” Medina said.