What happened
On June 21, 2015, at Warsaw Chopin Airport (EPWA), an airline operator suffered a major disruption to its flight operations when its internet bandwidth was exhausted. The cause was a Distributed Denial of Service (DDoS) attack, specifically a UDP-based reflected amplification attack. The flood of traffic saturated the operator's internet link, and the systems that depend on that link slowed to the point where flight documentation could not be prepared and passenger check-in could not be completed.
To mitigate risks to aviation safety, the operator suspended all flights for which the necessary documentation could not be processed. The operator established a crisis management team to manage available resources and restore operational continuity. Eventually, the operator successfully restored normal bandwidth, allowing operational services to resume using the necessary flight management systems.
The investigation
The investigation focused on the IT infrastructure and the impact of the network attack on flight safety. The investigation confirmed that there was no unauthorized interference with critical flight planning, weight and balance, performance calculation, or airworthiness management systems. The event was classified as an IT-related incident.
Following the event, the national Computer Emergency Response Team (CERT) was notified, and a detailed technical analysis was carried out by the NASK (Research and Academic Computer Network) team. The analysis concluded that the DDoS attack was not aimed at the airline operator itself; the operator's bandwidth was exhausted as collateral damage. Read together with the firewall finding below, this is consistent with the operator's internet-exposed DNS server being used as a reflector in an amplification attack directed at some other victim: small queries with a spoofed source address arrive at the resolver, and the much larger answers leave over the operator's link.
Findings
The investigation identified several indirect causes and technical failures:
- An incorrect rule in the FortiGate firewall (which had replaced a Check Point firewall) allowed traffic from the internet to reach the internal DNS server. The error was introduced when the rule set was migrated from the old firewall to the new one. A resolver that answers queries from arbitrary external sources is an open resolver and can be abused as an amplifier regardless of whom the attacker is actually targeting.
- The operator's existing DDoS response procedures were ineffective: the plans contained no concrete steps for identifying such an attack or mitigating it.
- Qualified technical support for the FortiGate firewall was lacking during the transition period; the remote support available from the vendor proved insufficient.
- The operator had no procedures to guarantee connectivity for critical systems, such as maintaining redundant, independent internet links through different upstream providers (different autonomous systems), so that saturation of one link does not cut the critical systems off.
- Network monitoring during the switchover tests (the change from the old firewall to the new one), and general monitoring of internal security events such as unauthorized login attempts, excessive load, or misconfigurations, were found to be ineffective.
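The following script is an added illustration of the firewall-rule and monitoring findings above; it is not code from the investigation report or from the operator. It models the mis-migrated "anyone may query the DNS server" rule next to a corrected policy in a minimal first-match evaluator (a generic representation, not FortiGate syntax), and then runs a simple reflection check over constructed flow records: external addresses that send tiny queries to the resolver and receive answers many times larger are the spoofed victims of an amplification attack being relayed through the operator's link. The addresses, the 10.0.0.0/8 internal range, the 10.0.0.53 resolver, the flow records and the amplification threshold are all assumptions made for the example.

```python
"""Added example: policy check for an exposed internal resolver, plus the
flow-level monitoring that should reveal reflection traffic through it.
Policy syntax, addresses and flow records are constructed for this example
(not FortiGate syntax, not data from the incident)."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
DNS_SERVER = "10.0.0.53"                             # assumed internal resolver

# A rule is (src_zone, dst, proto, dport, action); first match wins, default deny.
# The literal "any" matches every value of that field.
MIGRATED_POLICY = [
    ("any", DNS_SERVER, "udp", 53, "accept"),   # the mis-migrated rule: internet may query
]
CORRECTED_POLICY = [
    ("lan", DNS_SERVER, "udp", 53, "accept"),   # only internal clients may query
    ("any", DNS_SERVER, "any", "any", "deny"),  # explicit deny for everything else
]


def _match(field, value):
    return field == "any" or field == value


def allowed(policy, src_zone, dst, proto, dport):
    """First-match evaluation of a flow against a policy; default deny."""
    for rule_src, rule_dst, rule_proto, rule_port, action in policy:
        if (_match(rule_src, src_zone) and _match(rule_dst, dst)
                and _match(rule_proto, proto) and _match(rule_port, dport)):
            return action == "accept"
    return False


def zone_of(ip):
    """Map an address to the zone the firewall would see it in."""
    return "lan" if ipaddress.ip_address(ip) in INTERNAL_NET else "wan"


# Constructed flow records as the resolver's edge would export them:
# (src, dst, proto, dport, bytes_to_dst, bytes_from_dst, packets).
# In a reflection attack the "source" is the spoofed victim address, not the
# attacker, so the two 198.51.100.x entries are the victims receiving the
# amplified answers; 10.0.1.20 is a normal internal client, 203.0.113.5 a
# stray external query that is exposed but not amplified.
FLOWS = [
    ("10.0.1.20",    DNS_SERVER, "udp", 53,    60,    120,   2),
    ("198.51.100.7", DNS_SERVER, "udp", 53,  6400, 256000, 100),
    ("198.51.100.9", DNS_SERVER, "udp", 53,  4480, 179200,  70),
    ("203.0.113.5",  DNS_SERVER, "udp", 53,    64,     96,   1),
]


def analyze_dns_flows(flows, dns_server, amplification_threshold=10.0):
    """Aggregate per-source traffic to the resolver and flag external sources
    whose answers are far larger than their queries (reflection/amplification).
    The threshold is an assumed tuning value, not a standard constant."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "packets": 0})
    for src, dst, proto, dport, b_in, b_out, pkts in flows:
        if dst != dns_server or proto != "udp" or dport != 53:
            continue
        s = stats[src]
        s["bytes_in"] += b_in
        s["bytes_out"] += b_out
        s["packets"] += pkts
    findings = {}
    for src, s in stats.items():
        ratio = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
        external = zone_of(src) == "wan"
        findings[src] = {
            "zone": zone_of(src),
            "external": external,                       # should never be true behind CORRECTED_POLICY
            "amplification": round(ratio, 1),
            "suspected_reflection": external and ratio >= amplification_threshold,
        }
    return findings


def suspected_reflection_sources(flows, dns_server=DNS_SERVER):
    """Sorted list of external addresses receiving amplified answers."""
    return sorted(src for src, f in analyze_dns_flows(flows, dns_server).items()
                  if f["suspected_reflection"])


if __name__ == "__main__":
    for name, policy in (("migrated", MIGRATED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name} policy allows internet -> DNS/udp: "
              f"{allowed(policy, 'wan', DNS_SERVER, 'udp', 53)}")
    for src, f in analyze_dns_flows(FLOWS, DNS_SERVER).items():
        print(src, f)
    print("suspected reflection victims:", suspected_reflection_sources(FLOWS))
```

Two things the example makes concrete. First, the policy check is something that can be run against the migrated rule set before cutover: any path from the "wan" zone to the resolver on udp/53 is a finding, independent of which vendor's syntax the rules are expressed in. Second, the monitoring signal is a ratio, not a volume: a resolver that is only occasionally queried from outside shows a small out/in ratio, while a resolver being used as an amplifier shows external "clients" receiving tens of times more bytes than they send, which is visible in ordinary flow exports long before the link is saturated.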