Cybersecurity researchers at Censys have published comprehensive findings on the infrastructure powering DDoSia, the participatory distributed denial-of-service (DDoS) platform operated by pro-Russian hacktivist group NoName057(16). As we previously reported on DDoSia's attacks targeting NATO countries and Ukraine supporters, this new research provides critical insights into the technical architecture enabling these ongoing campaigns.

The research confirms DDoSia's continued focus on Ukraine, European allies, and NATO member states across government, military, transportation, public utilities, financial, and tourism sectors—despite significant law enforcement disruption in July 2025.

Security Land has reported many times on DDoS attacks carried out by the hacktivist group NoName057(16).

Rapid Infrastructure Rotation Strategy

According to Censys analysis conducted since mid-2025, DDoSia maintains an average of six control servers active simultaneously. However, the most striking finding is the remarkably short operational lifespan of these servers—averaging just 2.53 days before rotation.

The data reveals significant variation in server persistence. Over half of identified control servers remained active for less than 24 hours, while only 10% stayed online for 10-15 days. This rapid rotation strategy significantly complicates defensive efforts, as traditional blocklisting approaches become ineffective when infrastructure changes every few days.

Censys monitoring throughout November 2025 identified consistent hosting patterns, with control infrastructure concentrated primarily on Azea—a provider sanctioned by the US Treasury Department in 2025—and AS56971 (HostVDS). The use of bulletproof hosting providers in jurisdictions with minimal law enforcement cooperation enables this rapid rotation strategy.


Multi-Layered Control Infrastructure

Building on initial findings published by Gen in 2023 and subsequent research by Team Cymru, Censys research supports the hypothesis that DDoSia operates a sophisticated multi-layered control infrastructure designed for resilience and operational security.

Tier 1: Bot-Facing Control Servers

  • Function: Direct communication with volunteer-operated DDoSia clients
  • Distribution: IP addresses provided via Telegram bots to volunteers
  • Lifespan: Highly volatile, averaging 2.53 days
  • Purpose: Distribute target lists, collect attack statistics, coordinate campaigns
  • Detection risk: High exposure to security researchers and defenders

Tier 2: Proxy and Relay Layer

  • Function: Obfuscate traffic between Tier 1 servers and core management infrastructure
  • Lifespan: Extremely short-lived, often under 24 hours
  • Technical implementation: Likely simple proxy tools relaying encrypted traffic
  • Purpose: Protect Tier 3 infrastructure from direct identification
  • Operational benefit: Enables rapid infrastructure rotation without exposing core systems

Tier 3: Core Management Infrastructure

  • Function: Database systems, metric tracking, attack coordination, payment processing
  • Access control: Restricted to Tier 2 servers via network-level restrictions
  • Visibility: Minimal public exposure, protected from direct researcher access
  • Evidence: NetFlow analysis by Team Cymru identified suspected database and service queue systems

Management Interface: Research published by Gen in 2023 included a suspected screenshot of NoName057(16)'s web-based control panel for DDoSia operations, suggesting operators maintain a centralized dashboard for:

  • Real-time bot status monitoring
  • Target selection and campaign management
  • Volunteer performance tracking and payment calculation
  • Attack effectiveness metrics

This multi-layered architecture mirrors mature botnet operations, providing both redundancy and technical separation between volunteer-operated bots and core operator infrastructure. The design significantly complicates law enforcement efforts to fully dismantle the operation.

Resilience After Law Enforcement Disruption

In July 2025, Europol and Eurojust launched Operation Eastwood, resulting in two arrests, seven arrest warrants, 24 house searches, and disruption of over 100 servers worldwide. Critically, law enforcement notified over 1,000 supporters of their legal liability—providing a rare data point for estimating DDoSia's scale.

Based on this figure, Censys researchers assess with low confidence that the total number of active DDoS bots controlled by DDoSia likely remains under 10,000 systems, assuming each notified supporter operates at least one bot.

Despite the scope of Operation Eastwood, DDoSia demonstrated remarkable resilience. The operation resumed DDoS attacks within several days of the disruption. While the main Telegram channel with 45,000 subscribers was taken down, the reconstituted channel reached 14,000 subscribers by December 2025.

This rapid recovery underscores the challenges of disrupting volunteer-driven DDoS platforms where core operators remain beyond Western law enforcement reach and infrastructure can be rapidly redeployed on alternative hosting providers.


Targeting Patterns

Censys research confirms DDoSia operations focus heavily on Ukraine, European allies, and NATO member states across government, military, transportation, public utilities, financial, and tourism sectors. The tourism sector targeting appears designed to create economic pressure on countries supporting Ukraine by disrupting a key revenue source.

Attack patterns frequently correlate with geopolitical developments, including military aid announcements, NATO summit activities, and diplomatic initiatives supporting Ukraine. Organizations in these targeted sectors face sustained DDoS campaigns that can disrupt operations for hours or days at a time.

Defensive Implications

The rapid infrastructure rotation documented by Censys has significant implications for defenders. Traditional static blocklisting approaches prove ineffective when control servers change every 2.53 days on average. Organizations must instead focus on behavioral detection and real-time threat intelligence integration.

Security teams should implement robust DDoS mitigation capabilities, including cloud-based scrubbing services that can activate automatically when attacks are detected. Web application firewalls configured with rate limiting and behavioral analysis provide additional protection against the HTTP/HTTPS flood attacks favored by DDoSia.

Threat intelligence becomes critical for staying ahead of infrastructure rotation. Censys has integrated DDoSia tracking into their Threat Hunting Module since June 2025, providing continuous visibility into control server deployment patterns. Organizations should subscribe to real-time indicator feeds and automate IOC ingestion into security controls.
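To make the rotation figures and the IOC-ageing advice concrete, here is an added example (not code from Censys or Security Land) that computes lifespan statistics of the kind quoted above over an indicator feed and splits a blocklist into still-active and stale entries. The feed rows, IP addresses and timestamps are constructed for illustration only.

```python
from datetime import datetime, timedelta
from statistics import mean

FMT = "%Y-%m-%dT%H:%M"

# Constructed sample feed of hypothetical control servers: (ip, first_seen, last_seen).
# Invented values chosen to mimic the skew the article describes: most servers live
# under a day, a few persist for one or two weeks.
SAMPLE_FEED = [
    ("198.51.100.10", "2025-11-01T08:00", "2025-11-01T20:00"),  # 12 hours
    ("198.51.100.11", "2025-11-02T00:00", "2025-11-02T18:00"),  # 18 hours
    ("198.51.100.12", "2025-11-03T00:00", "2025-11-04T12:00"),  # 1.5 days
    ("198.51.100.13", "2025-11-05T00:00", "2025-11-09T00:00"),  # 4 days
    ("198.51.100.14", "2025-11-06T00:00", "2025-11-18T00:00"),  # 12 days
]


def parse_feed(rows):
    """Turn raw feed rows into (ip, first_seen, last_seen) with datetime objects."""
    return [(ip, datetime.strptime(a, FMT), datetime.strptime(b, FMT)) for ip, a, b in rows]


def lifespan_stats(servers):
    """Mean lifespan in days plus the share of servers under 24 h and in the 10-15 day band,
    the same three figures the article reports from the Censys data."""
    days = [(last - first).total_seconds() / 86400 for _, first, last in servers]
    return {
        "mean_days": round(mean(days), 2),
        "share_under_24h": sum(d < 1 for d in days) / len(days),
        "share_10_to_15d": sum(10 <= d <= 15 for d in days) / len(days),
    }


def build_blocklist(rows, now, max_age_days):
    """Ingest feed rows and return (active, stale) IP lists as of `now` (ISO string).
    `active` keeps only servers seen within max_age_days; `stale` is what a
    never-expiring static list would still be blocking after the servers rotated away."""
    servers = parse_feed(rows)
    cutoff = datetime.strptime(now, FMT) - timedelta(days=max_age_days)
    active = sorted(ip for ip, _, last in servers if last >= cutoff)
    stale = sorted(ip for ip, _, last in servers if last < cutoff)
    return active, stale


if __name__ == "__main__":
    print(lifespan_stats(parse_feed(SAMPLE_FEED)))
    print(build_blocklist(SAMPLE_FEED, "2025-11-10T00:00", max_age_days=3))
```

With a three-day expiry window, three of the five constructed entries are already stale by 10 November, which is the point: a feed consumer needs last-seen timestamps and an expiry policy, not a one-time import.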

Given the geopolitical nature of DDoSia targeting, security teams should monitor for developments likely to trigger attack campaigns—such as military aid announcements or NATO activities—and pre-position defensive measures during high-risk periods.

Conclusion

The Censys research provides valuable visibility into one of the most persistent DDoS threats facing Ukraine and its international supporters. The documented rapid rotation of control servers demonstrates sophisticated operational security practices by NoName057(16) operators, while the quick recovery following Operation Eastwood highlights the challenges of disrupting volunteer-driven platforms.

Organizations in government, military, transportation, utilities, financial, and tourism sectors must maintain vigilant defensive postures, combining technical controls with real-time threat intelligence. As the Russo-Ukrainian conflict continues, DDoSia operations are likely to persist, requiring sustained investment in DDoS mitigation capabilities and incident response preparedness.

For complete technical details, infrastructure indicators, and comprehensive analysis of DDoSia's multi-layered architecture, security professionals should review the full Censys blog post "Investigating the Infrastructure Behind DDoSia's Attacks".
