
Attacking CNI with DDoS

Distributed denial-of-service (DDoS) attacks have evolved since their emergence in the late 90s. They began with hacktivists using attacks to knock sites offline and attract attention. Shortly after, criminals adopted them as a form of cyber-extortion. Now, all manner of adversary types use DDoS attacks, and some have a more long-term, strategic purpose than garnering attention or extorting their victims.

 

As with DDoS attacks, the adversary type most commonly associated with them, the hacktivist, has also evolved. Rather than the Guy Fawkes mask-wearing, anti-establishment actors of the past, they have transitioned to a form of hacktivism where the primary goal is to destabilise public trust at scale. This is part of what we’ve been calling ‘escalatory hacktivism’. This has resulted in a shift from targets that favour localised causes of social justice and the defence of rights and privacy to those that favour societal-scale cognitive impact, often in line with the goals and ideologies of adversarial states. It’s likely a response to rising geopolitical tensions and a growing realisation of how cyber threat actors can manipulate global opinion.

 

Whether conducted by independent hacktivists or adversarial states, DDoS attacks have become a form of cognitive warfare, with adversaries demonstrating their abilities to influence how the public thinks and feels. 

 

Impact on Public Services and CNI

Technically speaking, the intended purpose of a DDoS attack is to disrupt normal operations by flooding the target with traffic. One of the most notorious instances of DDoS attacks involved the hacktivist group Anonymous. Their Low Orbit Ion Cannon (LOIC) was used to attack websites like that of the Church of Scientology, and to target companies and organisations that opposed WikiLeaks.

 

However, there’s arguably more damage in the aftermath of a disruption. The downtime affects the organisation and its constituents directly, but the true impact is public perception, worrying people that the institutions and services supporting their daily lives are unreliable. 

 

When it comes to public services and critical national infrastructure (CNI), adversaries can destabilise and damage trust on a societal level. For example, ENISA echoes the view that undermining public trust is a key factor behind the increasing targeting of the public sector. The body’s latest threat report identified public administration as the most targeted sector in the EU (38.5%), with nearly all (94.8%) being low-impact DDoS attacks. In the UK, the pro-Russia group NoName057(16) carried out a multi-day DDoS campaign against several UK public-sector websites and online services.

 

This is a significant challenge for public institutions. People are accustomed to, and dependent on, immediate access to information, such as their health and financial records. The information is sensitive.

 

It should be clear by now that for many adversaries, infrastructure is not the final target; it’s merely a means in a larger game of cognitive influence. Enterprise defenders are now on the front lines of an ongoing, "shadow" conflict in the cognitive domain. Even just a short period of downtime inflicted by adversaries could quickly panic citizens. Moreover, AI may make this problem worse.

 

Technical evolution, AI, botnets, and economics

While not necessarily increasing DDoS attack traffic volume, AI has reduced the level of skill required to conduct attacks. In turn, it has lowered the barrier of entry for criminals looking to deploy DDoS attacks. Tools today can assist inexperienced users with target selection, traffic tuning, and basic evasion, meaning disruption no longer needs specialist knowledge. 

 

At the centre of these DDoS attacks are botnets, where adversaries hijack things like IoT devices en masse to amplify the volume of traffic they send. Botnets can mimic legitimate traffic, making them very difficult to detect with traditional security systems. By the time an organisation is alerted and responds to the DDoS threat, the technical disruption has likely already happened. 

 

This is where AI can contribute to a new attack surface. Deploying agentic AI without operational safeguards enables adversaries to use employees’ AI against them or others. This is because agentic systems aren’t limited to answering queries; they also execute actions. As such, a single oversight can act as a gateway, allowing an adversary to take full control of often powerful functionality and compute.

 

The recent surge of vulnerable OpenClaw servers online shows just how quickly internet-facing agents appear once tools become easy to run. The outcome is cheaper, longer-lasting disruptions rather than dramatically larger floods. Public confidence can now be worn down over months rather than just days.

 

To stand a chance, company safeguards must be updated to keep up with the latest capabilities of cyber threats, or the narrative of incompetence will only continue to worsen.

 

Building a strategy of resilience

Unfortunately, there is no single tool that completely stops DDoS attacks. To defend against them, organisations must focus on absorbing and diluting the traffic rather than relying solely on blocking it outright. The aim is not to perfect defence, but to make the attack ineffective, short-lived, and commercially pointless.

 

To keep adversaries away from core systems, organisations should use edge protection and distributed hosting. At the same time, caching and rate limits will make each request cheaper to handle. This way, services are designed to degrade gracefully so real users still get a basic experience even under pressure. Just as important is removing easy exposure, such as public admin panels or unprotected APIs, which often cause outages long before bandwidth is exhausted.
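
The combination described above (per-client rate limits, caching, and graceful degradation in front of a protected origin) can be sketched as follows. This is an added example, not code from the article or its author; the `TokenBucket` and `Edge` classes, the limits, and the traffic in `simulate()` are all hypothetical and constructed for illustration.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens/second, at most `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Edge:
    """Hypothetical edge tier: throttle clients, cache, and shield the origin."""
    def __init__(self, origin, per_client=(1.0, 5), origin_budget=(2.0, 2), ttl=30.0):
        self.origin, self.per_client, self.ttl = origin, per_client, ttl
        self.origin_bucket = TokenBucket(*origin_budget)
        self.clients = {}  # client -> bucket; bound both maps (e.g. LRU) in production
        self.cache = {}    # path -> (expiry, body)

    def handle(self, client, path, now):
        bucket = self.clients.setdefault(client, TokenBucket(*self.per_client))
        if not bucket.allow(now):
            return 429, "slow down"               # one noisy source is throttled
        hit = self.cache.get(path)
        if hit and hit[0] > now:
            return 200, hit[1]                    # fresh cache: origin untouched
        if self.origin_bucket.allow(now):
            body = self.origin(path)
            self.cache[path] = (now + self.ttl, body)
            return 200, body
        if hit:
            return 200, hit[1]                    # degrade: serve the stale copy
        return 503, "temporarily unavailable"     # shed load before the origin

def simulate():
    """Constructed traffic: 3 real users plus 100 distinct clients on uncached pages."""
    calls = []
    edge = Edge(lambda p: calls.append(p) or f"page:{p}")
    users = [edge.handle("user-1", "/status", 0.0)]
    flood = [edge.handle(f"bot-{i}", f"/reports/{i}", 1.0) for i in range(100)]
    users.append(edge.handle("user-2", "/status", 1.0))
    flood += [edge.handle(f"bot-{i}", f"/reports/{i + 100}", 40.0) for i in range(100)]
    users.append(edge.handle("user-3", "/status", 40.0))  # cache expired, origin busy
    noisy = [edge.handle("bot-0", "/status", 40.0)[0] for _ in range(10)]
    return users, len(calls), [s for s, _ in flood].count(503), noisy.count(429)
```

Because the flood comes from many distinct clients, the per-client limit alone does not stop it; the origin budget and the stale-cache fallback are what keep the three real users served while the origin sees only five requests.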

 

The DDoS threat also requires moving beyond mere technical resilience and toward cognitive resilience. This means understanding that transparency and rapid, factual communication are not just "PR" tasks but strategic tools used to blunt an adversary’s psychological leverage. By stabilising trust through openness and accountability, we can neutralise the cognitive impact that these disruptive incidents are intended to achieve.

 

Escalating stakes for national resilience 

DDoS attacks will continue to be a powerful tactic for all manner of adversary types. We’ll continue to see hacktivist groups align with state-backed narratives and play a pivotal role in warfare efforts. For public services and CNI, the impacts of DDoS attacks are increasingly about the minds of the citizens who rely on their services. 

 

A technologically and cognitively updated resilience strategy is now essential to preserving our economy and democracy. It ensures that trust can still be built, maintained, and defended.

 


 

Dr Ric Derbyshire is Principal Security Researcher at Orange Cyberdefense

 

Main image courtesy of iStockPhoto.com and Hailshadow

