Elon Musk’s claim that the DDoS attack on X (formerly Twitter) originated from Ukraine drew skepticism from cybersecurity experts, who argue that attributing attacks based on IP addresses is unreliable.
Attackers frequently use virtual private networks (VPNs) and other methods to obfuscate their origins, making pinpointing a specific geographic source difficult.
On Monday, X was the target of a distributed denial-of-service attack that intermittently shut down the popular social media site for users worldwide. The X DDoS attack was linked to Dark Storm Team, a notorious hackivist group known for launching similar large-scale cyber disruptions.
Hours after the attack, Musk claimed during an interview with Fox Business that the IP addresses associated with the attack originated in the Ukraine area.
Tech-savvy users on X quickly pointed out that IP addresses can be masked or spoofed, making them appear to originate from one region when they actually originate from another.
Dear Elon:
You can't attribute an attack to any geographic location by IP address alone.
See: VPN, location spoofing, etc.
Also See: How botnets are controlled remotely
Also Also See: Ask a cybersecurity person to help you.— MikeTalonNYC (@MikeTalonNYC) March 10, 2025
Cybersecurity professionals also cautioned against drawing conclusions based solely on IP address data.
“Attackers use strategies like IP Spoofing, VPNs and servers infected with malware to perform these attacks,” Siri Vegiraju, Software Development Engineer at Microsoft Azure told Decrypt. “Specifically, with IP spoofing attackers create packets with false source IP addresses to basically impersonate other systems.”
Adding to the difficulty of stopping DDoS attacks is that they are inherently decentralized, making them difficult to trace.
“If one were conducting a DDoS attack you wouldn't necessarily see each connection originating from an IP address from a specific nation or netblock,” Scott Renna, Senior Solutions Architect with blockchain security firm Halborn, told Decrypt. “By definition, the attack would have to come from multiple IP addresses.”
Renna pointed out that attackers distribute their traffic across numerous locations to avoid detection and mitigation efforts.
“From an optics perspective and a blocking and prevention standpoint, it's just not how it's typically done,” he said.
While the origins of the X attack remain a mystery, DDoS-as-a-Service websites are popping up to facilitate the launch of large-scale attacks. These websites let customers pay to launch DDoS attacks.
There are two main types of DaaS.
"Stresser" services, which are legitimate tools companies use to test and strengthen their IT infrastructure. Then there are "Booter" services, which are malicious platforms designed to disrupt or take down targeted systems.
Cybersecurity teams can use DDoS blackhole routing and geo-blocking to minimize the impact of DDoS attacks, which could have prevented the type of attack that disrupted X this week.
Blackhole routing is an emergency measure that instantly blocks all traffic to a targeted IP during an attack, but it also affects legitimate users, making it a temporary solution.
Geo-blocking limits access from high-risk regions, reducing cyber threats without disrupting most users.
In April 2022, internet security provider Cloudflare successfully mitigated a massive DDoS attack targeting an unidentified cryptocurrency website that attempted to overwhelm the service with 15.3 million requests per second.
While services like Cloudflare excel at defending against cyber threats, Renna emphasized the importance of preparing for potential failures.
"Services like Cloudflare do a good job for businesses," Renna said. "But it comes down to what happens when those fail."
Edited by Sebastian Sinclair
Editor's note: Adds additional comments from Microsoft Software Development Engineer at Azure Siri Vegiraju