Who is DDoSing Russia?

March 7, 2022    Article    606 words    3 mins read

Few days ago we got this piece of information (translation for non-Russian speakers):

Russian National Coordination Center for Computer Incidents (NKTsKI) releases a list of ~17k IPs that are probably DDoSing Russian infrastructure. And as bonus, another list containing attackers’ referrer domain information. Those “people” that were DDoSing the FSB website using their residential Internet connection are crème de la crème.

Referrer information can definitely be spoofed but it’s funny seeing FBI and CIA domains in there.

And since the cat’s out of the bag and the IPs are public information now, let’s do some analysis on them.

You can download the original text file with just the IPs here, mirror here (courtesy of Russia’s National Coordination Center for Computer Incidents “NKTsKI”), the processed CSV file here, the processed JSON file here and a bonus GPX file. Import the CSV file into your favorite spreadsheet editor (or use Python or R or something) and go bonkers. Bonus points if you load the CSV into assembler and plot the data using psychedelic visualizations in a 64KB demo. I’m kidding, of course.

I’ve ran across “people” asking on various websites for support in attacking Russian websites, so I have no reason to believe the list is just a bunch of random IPs someone added to a random text file. The original list contains 17,576 lines (one line for each IP address) so I did some processing to get more information about each IP (host name, country, region, city, ISP, ASN and GPS coordinates). I can assure you that every bit of info I got about the IPs is most likely already known to the NKTsKI (geolocating is such a 1990s thing to do, like hacking a Gibson), so cut it with the privacy implications. I don’t have access to referrer information, just the IP list, so stop asking “Y NO CIA OR FUBI IN URE LIST, RUZIANZ LIED”.

I was tempted to build a JSON parser so that people could search into the fields but I am lazy. Maybe a tool similar to HIBP (Have I Been Pwned) but called HIBDR (Have I Been DDoSing Russia)? As CaptainBlackbeard used to say, Yarr!.

Let’s see some numbers

Most of the records are either VPN servers or VPS instances in various cloud providers or residential IPs.

Residential Internet connections:

$ cat processed_ips.csv | grep "cellular\|static\|broadband" | wc -l

Amazon AWS instances:

$ cat processed_ips.csv | grep -i "amazonaws" | wc -l

Google Compute Cloud instances:

$ cat processed_ips.csv | grep -i "googleusercontent" | wc -l

Microsoft-related instances:

$ cat processed_ips.csv | grep -i "MICROSOFT-CORP-MSN-AS-BLOCK" | wc -l

Alibaba Cloud instances:

$ cat processed_ips.csv | grep -i "alibaba" | wc -l

Hetzner VPS:

$ cat processed_ips.csv | grep -i "Hetzner" | wc -l

DigitalOcean VPS:

$ cat processed_ips.csv | grep -i "DIGITALOCEAN" | wc -l

Let’s see some nice images

Countries with over 50 IPs in the list, click for a more detailed image:

ASNs with over 50 entries in the list (if you want to see what’s behind an AS Number, use this search), click for a more detailed image:

Overlay with the GPS coordinates on the world map (generated from OpenStreetMap.org), click for a more detailed image:

I didn’t want to include an actual map (with proper zooming and panning) because I never embed external resources by default into this site, but you can load the CSV file into GPS Visualizer and you will get that result.


There is no conclusion, I gave you the data (well, actually NKTsKI published the data) and you draw the conclusion.