Distributed denial of service (DDoS) attacks rose significantly in the past year, with politically motivated incidents being part of this upward trend.
For example, Sweden’s election authority was hit with three DDoS attacks in less than 24 hours on the day of the country’s general election in 2022. A month later, in the midst of the 2022 United States midterms, Mississippi state websites were temporarily taken down. And in January 2023, the Czech presidential election suffered DDoS attacks two days before voters were scheduled to go to the polls.
Election-related DDoS attacks can be aimed at overwhelming and disrupting campaign websites, voter information or registration sites, online official results reporting, the supply chain for ballots, and other publicly accessible websites.
The dynamics of elections and attacker goals create two distinct characteristics of DDoS attacks.
First, attacks are executed in a very short time frame. Unlike other attacks, we often handle – on financial organizations or gaming sites, for example, which may last a few days or weeks – election-related attacks are short. From an attacker’s point of view, there is a very narrow window for executing a DDoS attack on an election-related site. Too early or one day too late – no one will care, and it will not have the intended public effect.
Closely tied to the short attack duration, is the massive attack volume. Defenders should operate on the assumption that an attacker will throw all their resources at the selected target during a single critical day or hour. This naturally affects the way DDoS testing and preparations should be carried out.
Here are a few actions that organizations running elections can take to improve their DDoS protection.
Don’t assume the ISP fully protects the targeted sites: Typically, DDoS protection provided by an ISP can only cover network layer attacks. Moreover, most ISPs cannot stop large network DDoS attacks launched by serious hostile actors’ intent on disrupting elections, which is complicated by a poor ability to identify false positives. While the largest ISPs may be able to provide sufficient protection, the sensitivity of election integrity requires sensitivity to the limitations. This could mean adding DDoS infrastructure protection (to enable BGP-based traffic diversion) or Cloud-WAF (to enable DNS-based diversion for application-level attacks).
Run DDoS attack simulation testing: While this is our standard recommendation for any organization, in this case, you should ensure you can run massive network attacks to validate your protection infrastructure. Due to the highly sensitive and critical nature of elections, IT teams typically want to cover all bases and make sure that there are no hidden flaws, even when their protection architecture is robust. In several election-related testing projects we ran, the demand was for simulation testing to be executed in a very short time frame – within days. So, either start early or find a testing solution that can be executed quickly and efficiently.
Check protection technology setup and configuration: We often find that organizations using DDoS protection technologies never alter factory settings. While most DDoS solutions provide some out-of-the-box protection, different configurations, rules, and setup are needed for different environments and purposes. Some settings required to defend networks and resources needed for national elections are quite complex and require expertise to get right.
Maximize your CDN protection: As noted in the cases highlighted above, a CDN can be an important tool in defense against DDoS attacks – if it is configured correctly. Maximizing caching is the easiest way to reduce the attack surface with a single setting change.
Use double DNS services: First, if you are still using your own DNS server, switch to a managed DNS service. Then, use two of them. With two DNS services running simultaneously, a successful DDoS attack on one will not be sufficient to take down the targeted sites. Ensuring the sites remain available to the public, with optimal latency and no disruption, is obviously a critical challenge given the short timeframe and intensity of typical DDoS attacks targeting elections.
Train the teams: Security, network, and SOC/NOC teams must be trained to identify and respond to a DDoS attack. As we noted, especially during elections, every minute counts. The teams need to know which attack vectors will be stopped by which component, what the game plan is for different attack scenarios, and how to quickly divert traffic if needed. And keep it all written down and up to date. If the team is trained and the response procedures can be easily shared, then even a successful DDoS attack can be quickly overcome.