How to use Internet scans and passive measurements to analyze Russian attacks and their impact in Ukraine

Johannes Klick

camp2023

The role of the Internet in the Ukrainian war has not been fully considered yet. Currently, primarily Internet-based attacks are analyzed, but it is greatly neglected that Internet measurements can be used to make verifiable statements about the real world. Through global Internet scans and a passive blackhole sensor network, we can identify digital and conventional attacks and their effects, shown here in a case study on the territory of Ukraine.

We will show that it is possible to detect where in Ukraine Russian attack-related power outages occur and how long they last. For this purpose, we scan the service availability of more than 400,000 static IP addresses every 4 hours for several months and analyze in detail 2 major attack waves that occurred about 5 months apart. This long-term period will also allow us to determine whether, and if so how, resilient the Ukrainian power supply has become against Russian missile attacks. In addition, we will analyze other data such as ESA radar images and correlate the degree of destruction of certain regions in Ukraine with our scan data. This method could be used, for example, to help NGOs determine the need for mobile power generators in certain regions.

Furthermore, using BGP data and media information, we will show that Russian forces in Kherson are attempting to route network traffic from local ISPs through Russian territory to gain a tactical advantage.

Finally, we will show that through a blackhole network of about 1000 IP addresses it is possible to detect certain DDoS attacks against Ukrainian infrastructure or government websites. The analysis of the temporal course of the attacks shows interesting temporal patterns that suggest some kind of campaign.
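
One way to turn the 4-hourly scan results described above into outage intervals with duration bounds, as an added example that is not code from the talk. It assumes responsive hosts have already been counted per region and scan round; the region names, sample counts, function names, baseline window and 50% drop threshold are all constructed for illustration.

```python
from statistics import median

SCAN_INTERVAL_H = 4  # scan cadence stated in the abstract

# Constructed sample: responsive-host counts per scan round, per region.
SAMPLE = {
    "region-A": [980, 1002, 991, 995, 310, 280, 450, 870, 985, 990],
    "region-B": [400, 405, 398, 402, 399, 120, 401, 404, 90, 85],
}

def _interval(first, last, closed):
    k = last - first + 1  # number of consecutive low scan rounds
    # The outage covers at least the span between its first and last low scan.
    # If normal scans bracket it, it is shorter than (k + 1) intervals.
    min_h = (k - 1) * SCAN_INTERVAL_H
    max_h = (k + 1) * SCAN_INTERVAL_H if closed else None
    return (first, last, min_h, max_h)

def find_outages(counts, warmup=3, window=6, drop=0.5):
    """Return (first_low_round, last_low_round, min_hours, max_hours) tuples.

    A round is low when its count falls below drop * baseline, where the
    baseline is the median of the last `window` rounds judged normal.
    max_hours is None when the series ends while the region is still low.
    """
    normal, outages, start = [], [], None
    for i, c in enumerate(counts):
        if len(normal) < warmup:      # assumption: the first rounds are normal
            normal.append(c)
            continue
        baseline = median(normal[-window:])
        if c < drop * baseline:       # low round: keep it out of the baseline
            if start is None:
                start = i
            continue
        if start is not None:         # first normal round after a low run
            outages.append(_interval(start, i - 1, closed=True))
            start = None
        normal.append(c)
    if start is not None:             # series ends while still low
        outages.append(_interval(start, len(counts) - 1, closed=False))
    return outages

if __name__ == "__main__":
    for region, counts in SAMPLE.items():
        for first, last, min_h, max_h in find_outages(counts):
            upper = f"under {max_h} h" if max_h is not None else "ongoing"
            print(f"{region}: rounds {first}-{last}, at least {min_h} h, {upper}")
```

A run of a single low round only bounds the outage to under 8 hours and may also be scan noise, which is why the time resolution of any such estimate is tied to the scan interval.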