Providers' distributed hosting sites help dodge DDoS attacks, and security measures intercept application-layer threats, according to an analysis by ThousandEyes. If there’s one big lesson about internet availability, it might be coming from Ukraine, where more than a year of Russian attacks have failed to bring down the network. According to a study by ThousandEyes, which is part of Cisco, the repeated attempts to disrupt access to key Ukrainian web sites have occasionally succeeded, but only for short periods. The most effective defensive strategy proved to be hosting content on global providers’ infrastructure, which demonstrated the most resilience overall, according to ThousandEyes’ “Ukraine Internet Analysis – March 2023”. “Network-level disruptions were negligible, and the application-layer security in place for most of these sites allowed targeted blocking of traffic (e.g., Russia locations), while enabling the sites to remain largely available to legitimate users,” the study said. ThousandEyes found two other hosting options—regional providers outside Ukraine and hosting within Ukraine—to be less resilient. To gather data between February 2022 to March 2023, ThousandEyes monitored scores of Ukraine banking, government, and media web sites from vantage points in Kyiv and Kharkiv in Ukraine, Moscow and St. Petersburg in Russia, and from others around the world. Connecting to the sites’ web servers to check on their availability and how well the pages were able to load revealed the health of the sites from a network and application perspective, according to Angelique Medina, Head of Internet Intelligence, Cisco ThousandEyes. It also revealed actions Ukraine network administrators were taking to make their sites less susceptible to disruption. For example, in the weeks leading up to the war, some of these sites – the banking sites in particular – started migrating their content to global providers. Then the war started, and “we saw many more in the following weeks,” Medina said. Those global providers are difficult to overwhelm via DDoS assault at a network layer because they are very distributed, so ThousandEyes didn’t typically see behavior indicating that the sites being monitored were unavailable due to network issues, she said. The global providers also had resources to defend against application-layer attacks, which are more difficult to block. Those included filtering out illegitimate traffic using web-application firewalls and validating visitors to the sites to ensure they weren’t bots, Medina said. That wasn’t the case for sites being hosted within Ukraine, where network-related issues were more common. ThousandEyes would observe high levels of packet loss indicating that a site was using BGP to black-hole all traffic headed toward the site, sometimes for days at a time. “So there were a lot of issues with traffic loss, for example, but we didn’t really see that kind of behavior for sites that were globally hosted, or globally delivered, if you will,” Medina said. The entities in Ukraine were also blocking traffic originating in Russia at the ThousandEyes observation points in Moscow and St. Petersburg. In the case of sites hosted by regional providers that lack a global footprint, availability was greater than that of sites hosted in-country but less than that of the global providers. “Regional hosting providers can leverage a combination of application-layer and network-layer protections against cyber-attacks but may be vulnerable to high-volume attacks when a targeted site is hosted in a single data center,” the ThousandEyes analysis said. There were instances when the vantage point ThousandEyes used in Kharkiv couldn’t reach any sites at all for a few days due to infrastructure problems on the ground. “We were effectively told that was due to some shelling, but then the connection was restored, and there was no issue,” Medina said. ThousandEyes also observed efforts within Russia to block certain traffic from reaching users within the country. In one case, apparently by mistake, a network configuration at a Russian ISP resulted in hijacking traffic destined for Twitter, Medina said. That’s an example that all organizations should be mindful of, especially when political conditions might result in intentional BGP hijacking. Bad actors could steer traffic either toward sites they control or effectively make an organization unavailable to the internet. So it’s important to have an understanding of how traffic is routed across the internet and how to protect it along the way. “I think a lot of organizations don’t really think about their traffic in flight,” Medina said. Related content news Launch puts China firmly in the communications satellite game With plans to aggressively compete with SpaceX’s Starlink in place, rapid ramp-up is expected. By Paul Barker Aug 06, 2024 3 mins Internet Telecommunications analysis BGP: What is border gateway protocol, and how does it work? BGP is how the autonomous networks that make up the internet share routing information to find the best route for IP traffic. CISA describes BGP as 'the most important part of the internet you’ve probably never heard of.' By Keith Shaw May 17, 2024 11 mins Routers Internet Network Security analysis DNS explained: How the Domain Name System works The Domain Name System resolves the names of internet sites with their underlying IP addresses, adding efficiency and security in the process. By Josh Fruhlinger and Keith Shaw May 03, 2024 11 mins Internet Networking news Google unveils $1B plan for subsea cables to Japan Google and partners including KDDI will lay cables linking Japan with existing trans-Pacific cable routes to the continental US. By Prasanth Aby Thomas Apr 11, 2024 5 mins Telecommunications Industry Internet Telecommunications PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe