An image of Earth at night with red unlocked padlock icons connected by network lines, representing cybersecurity vulnerabilities across satellite networks.

According to a study conducted by the European Union Agency for Cybersecurity (ENISA), the number of cyberattacks against satellite infrastructure has increased by 300 percent over the last five years. One attack method that poses an increased threat to satellites and the networks they operate on is the Distributed Denial of Service (DDoS) attack.

These types of attacks are increasing in frequency and severity. A report by global communications infrastructure provider, Zayo Networks, found a 106 percent increase in DDoS attack frequency from H2 2023. That same report found that average length of an attack has increased by 18 percent – with the average attack lasting approximately 45 minutes.

“A DDoS attack works by directing malicious traffic to a target via multiple computers or machines,” explained Omer Yoachimik, Cloudflare’s senior product manager of DDoS protection and security reporting. “The attacks can come from a group of compromised devices - a botnet - or they may involve multiple attackers or DDoS attack tools. The attack is executed by sending requests to the target’s IP address, which can overload the server or network and result in a denial of service to normal traffic.”

According to Sylvester Kaczmarek, chief technology officer at OrbiSky Systems, the ramifications DDoS attacks can have on satellite networks and their ground segments can be devastating. “DDoS attacks can severely disrupt satellite operations by overwhelming the communication channels and networks that satellites rely on,” he explained. “These attacks, including DNS amplification attacks, HTTP flood attacks and SYN flood attacks, can cause significant interruptions in data transmission, leading to temporary loss of control over satellite functions or inability to access critical data.”

Kaczmarek explained that the impact of DDoS attacks can be widespread, affecting not only satellite operators but also end-users who depend on satellite-based services, such as telecommunications, broadcasting, navigation and military operation services.

One prime example of the use of DDoS in an actual warfare scenario can be seen during the early days of the war in Ukraine. “When Russia invaded Ukraine, some of the very first attacks were carried out in the cyberspace by Killnet against public media, government and financial services websites to sow chaos, create fear and cause disruption,” said Richard Hummel, Director of Threat Intelligence at NETSCOUT. “Several satellite providers were offering relays and access points to Ukraine and rapidly began seeing attacks by hacktivists as a result.”

Hummel explained that DDoS attacks against satellites often have a more devastating impact than in other areas of the cybersphere. “Attacks against satellites can be even more egregious because these networks are not designed to carry large amounts of bandwidth and throughput, thus they can experience degradation and outages more often than a wireless or wired service provider.”

So, how can satellite and ground operators effectively protect their networks and space assets from the pervasive threat posed by DDoS attacks?

A satellite in space is shown being targeted by multiple red beams of light originating from various locations on Earth, representing a coordinated cyberattack from multiple directions.

Mitigating the DDoS Threat

According to Kaczmarek, mitigating the DDoS threat will require satellite operators to implement robust security measures, including traffic filtering, rate limiting, DDoS protection services and regular security audits.

“Satellite and ground operators must strengthen their network infrastructure through redundancy, robust firewalls and intrusion detection systems that can mitigate the impact of DDoS attacks,” said Kaczmarek. “Also, deploying advanced filtering techniques to distinguish between legitimate and malicious traffic ensures that DDoS traffic is identified and blocked before it can overwhelm the system.”

He also pointed to operators controlling the rate of incoming requests and managing traffic flow as a means to prevent systems from being overwhelmed during an attack. And to protect essential satellite operations and minimize the attack surface, it is crucial that operators isolate critical satellite systems from public-facing networks.

Kaczmarek also highlighted the deployment of specialized DDoS protection services that offer advanced mitigation techniques and scalability as a way to handle large-scale attacks, along with the development and regular practicing of incident response plans to effectively address DDoS attacks and minimize their impact. And Hummel echoed these statements.

Yoachimik explained that operators should ensure their infrastructure is protected with in-line automated DDoS mitigation services that can automatically detect and mitigate DDoS attacks in real-time. “Mitigation services should have sufficient global coverage and network capacity to handle peak, legitimate traffic along with attack traffic so that performance is not sacrificed for the sake of security,” he said.

“The most important thing these providers can do is understand that they are at risk and take the first steps by securing DDoS protection services,” said Hummel. “Once a solution is in place, it’s not a set and forget defense mechanism, but something that the providers should red team with real-world scenarios.”

Challenges that Satellite Operators Must Overcome

Though the solutions to protect satellite networks from DDoS are clear, there are several challenges that operators currently face in effectively securing their assets from these attacks.

“One primary challenge is the limited processing power of satellites,” said Kaczmarek. “This restricts the implementation of advanced security protocols that are common in terrestrial networks. Additionally, the global nature of satellite operations complicates the coordination and implementation of security measures across different jurisdictions and operators.”

Kaczmarek explained that DDoS attack vectors such as the exploitation of DNS resolver vulnerabilities to generate massive traffic, overwhelming web servers with excessive HTTP requests, and exhausting server resources with incomplete TCP connection requests pose unique threats to satellite systems. “These attack methods can be particularly challenging to defend against given the inherent limitations in satellite and ground station infrastructure,” he said.

Another challenge that satellite operators face is how to secure their legacy space systems. “These systems were not originally designed with cybersecurity in mind,” explained Kaczmarek. “This further exacerbates vulnerabilities, making these systems more susceptible to attacks.”

For Hummel, the greatest challenge satellite providers face is the fragility of their networks. “Because satellite networks have such a low tolerance for ‘bad’ traffic in their networks, they also must be more strenuous in their defense and mitigation strategy,” he said. “Meaning, they may need more technology and mitigation capacity than another network of a similar size so that they can detect and mitigate threats at much lower volumes to curtail any service interruptions.”

Along with the challenges that accompany the traditional means of DDoS attacks, the method is still evolving and new threats to combat and overcome are on the horizon. “Emerging threats, such as leveraging networks of compromised IoT devices and utilizing AI to automate and adapt attack strategies, present additional challenges,” said Kaczmarek. “As these threats evolve, satellite operators must continually adapt and enhance their defenses to maintain the security and integrity of their space assets.”

Explore More:

Space Industry Leverages Tabletop Wargames and ZTA to Tackle Novel Cyber Threats

Space Sector at Risk as Ransomware Groups and Nation State Actors Collaborate

Podcast: Threat Tracking, Information Sharing and the Watch Center