Defense
Today I was browsing Twitter and I saw a FalconFeeds post about NoName claiming to have DoS’d some UK government sites, and, well, it got me thinking (and talking to some friends) about why in 2026 we haven’t solved this problem. (DoS = Denial of Service, DDoS = Distributed Denial of Service)
NoName057(16) — Threat Actor Profile
NoName057(16) is a pro-Russian hacktivist group that emerged in March 2022, immediately following Russia’s full-scale invasion of Ukraine. They are the most prolific and persistent DDoS actor in the pro-Russia hacktivist ecosystem, having claimed responsibility for over 1,500 attacks against NATO-aligned countries between 2022 and 2025.
Tooling — DDoSia
DDoSia is the successor to an earlier botnet called Bobik. It’s deliberately built for low-skill participants: download, paste in your user hash from Telegram, run, and the client pulls encrypted target lists from C2 servers and starts hammering. The C2 communication uses AES-GCM-encrypted JSON over HTTP, with C2 servers refreshing roughly every nine days to evade takedowns.
Attack methods are unsophisticated but effective at scale: TCP SYN/ACK floods, HTTP GET floods, and Slowloris variants (nginx_loris) targeting ports 80 and 443. The point isn’t technical elegance — it’s volume and persistence.
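As an added example (not from the original post or from any tool it mentions), here is a minimal origin-side detector for two of the methods above: HTTP GET floods and Slowloris-style slow requests. The log format, the thresholds, the `classify` name and the use of status 408 for timed-out requests are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified access-log format (an assumption, not from the post):
#   <epoch_seconds> <client_ip> <method> <path> <status> <request_time_seconds>
LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+(?:\.\d+)?)$")

def classify(lines, window=10, flood_rps=5.0, slow_408s=3, slow_secs=30.0):
    """Return {client_ip: set_of_labels} for flood-like and slow-request clients."""
    gets = Counter()      # (ip, window index) -> GET count in that window
    timeouts = Counter()  # ip -> requests that ended in a slow 408
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue      # skip malformed lines instead of aborting the run
        ts, ip, method, _path, status, rtime = m.groups()
        if method == "GET":
            gets[(ip, int(ts) // window)] += 1
        # Slowloris-style clients never finish their headers, so the server
        # eventually times them out (assumed here to be logged as status 408).
        if status == "408" and float(rtime) >= slow_secs:
            timeouts[ip] += 1
    findings = defaultdict(set)
    for (ip, _win), count in gets.items():
        if count / window >= flood_rps:
            findings[ip].add("http_get_flood")
    for ip, count in timeouts.items():
        if count >= slow_408s:
            findings[ip].add("slow_request")
    return dict(findings)

# Constructed sample using documentation-only address ranges.
SAMPLE = (
    [f"{1000 + i // 6} 198.51.100.7 GET / 200 0.01" for i in range(60)]
    + [f"{1000 + 15 * i} 203.0.113.9 - - 408 60.0" for i in range(4)]
    + [f"{1000 + 3 * i} 192.0.2.10 GET /council-tax 200 0.12" for i in range(3)]
    + ["not a log line"]
)

if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE).items()):
        print(ip, sorted(labels))
```

TCP SYN/ACK floods never reach the HTTP access log, so they need network-level telemetry instead. Behind a CDN or WAF the logged address is the edge node unless the forwarded client address is logged.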
DDoS Claims
Now, we need to consider some things here:
- Claims != taking a site/service down
- There’s an Information Operations effect with just making the claim
- Detecting from the outside might show a different story (e.g. WAFs/CDNs may be blocking traffic… but more on that later)


Thanks to https://x.com/FalconFeedsio for posting!
That being said, some of the claims are legitimate and real impact is sometimes achieved. What is quite common as well is for NoName to target UK HMG. Included in the alleged victims are a bunch of UK government organisations:
- Leicestershire County Council
- Tameside Council
- Bradford Council
- Blackburn with Darwen Borough Council
- Harwich Town Council
The Impact
- The public can’t access services (reduced services/increased costs)
- Each org has to deploy resources to combat each event
- The threat actors build reputation within the criminal communities
What could we do about it?
Well, each organisation could take steps to deploy clustered, scale-out services (database/app/web tiers) and then also have web application firewalls and content delivery networks. We live in quite a franchise-like world, so that would be down to each organisation to sort out.
Alternatively, we could have a shared service for UK HMG services (there might need to be some diversity here, but let’s think about this for non-CNI-type services) where centrally we might have:
- Content Delivery Network (CDN)
- Web Application Firewall (WAF)
This would not only help to mitigate the threat centrally but also provide some commercial benefits (bulk purchasing, single contract, shared resources to manage etc.)
There’s always a balance here with ensuring we have appropriate divested governance alongside ensuring we do things at a country scale that make sense for the nature of activity. I think a shared service to put DDoS threat actors out of business and help our public services sounds like a good idea. What do you think? We already have UK Protective DNS (PDNS), which orgs can voluntarily opt into; surely having an opt-in cloud-based CDN/WAF service would also make sense.








