Over the last few days, the Canadian Centre for Cyber Security (Cyber Centre) has received reports of several distributed denial of service (DDoS) campaigns targeting the Government of Canada, provinces and territories, as well as the financial and transportation sectors. We are working with our government partners, and supporting organizations outside the government, to help keep Canadians safe, and to protect the online services that we all rely on.
We are issuing this statement, in addition to the Cyber Centre alert to partners, to warn Canadians about this activity. There are relatively simple ways to protect against this kind of campaign, but a persistent threat actor with enough time and resources can have a visible impact on a website – and its web-based services.
A DDoS campaign uses a collection of computers operating as a botnet. This botnet floods a website’s server with internet traffic to disrupt its ability to provide services. In other words, it overloads the server until the site can’t load for users. The actors then publicize this degradation. The publicity is part of what they seek, and why we avoid referencing the malicious actor.
In most cases, this activity can be managed by standard cyber defence tools. But organizations should consider help from third-party DDoS solutions to ward off significant and focused activity. And once the actors stop the malicious activity, websites go back to normal.
What can you do if you run a website that’s targeted?
First, review and implement the preventative actions outlined within the Cyber Centre’s guidance on protecting your organization against denial of service attacks. That’s on our website, at cyber.gc.ca.
Second, review this guidance on DDoS from our U.S. partners at the Cybersecurity and Infrastructure Security Agency (CISA). Its considerations for preventing DDoS attacks include ways to mitigate and respond.
Providers should also review and implement the Cyber Centre’s Top 10 IT Security Actions. The two that will most help you here are to consolidate, monitor, and defend Internet gateways, and to isolate web-facing applications.
Finally, if you see any of this activity, please report it to us through our website – again, cyber.gc.ca – so we can collect information and track the activity. This helps us warn others about the trends we see and the specific indicators of compromise.