Philippine Police Brace for Coordinated DDoS Attacks on Government Websites

Philippine National Police on High Alert for Anticipated DDoS Attacks on Government Websites

MEDIUM
November 4, 2025
4m read
Cyberattack, Security Operations, Policy and Compliance

Related Entities

Organizations

  • Philippine National Police
  • Department of Information and Communications Technology (DICT)
  • Cybercrime Investigation and Coordinating Center (CICC)
  • National Telecommunications Commission

Other

Philippines

MITRE ATT&CK Techniques

  • T1498 - Network Denial of Service

Full Report

Executive Summary

The Philippine National Police (PNP) has announced a state of 'full alert' for its cybersecurity divisions in response to credible threats of a coordinated Distributed Denial-of-Service (DDoS) campaign targeting government websites. The anticipated attacks are expected to commence on November 5, 2025. In a proactive move, the PNP is collaborating with other key government bodies, including the Department of Information and Communications Technology (DICT), to reinforce the security of critical online platforms and databases. This heightened posture aims to prevent disruption of essential public services and protect sensitive law enforcement data from being compromised or made inaccessible.


Threat Overview

The threat is a potential wave of DDoS attacks specifically aimed at the digital infrastructure of the Philippine government. While the actors behind the threat have not been publicly named, the announcement of a specific start date suggests a planned and coordinated campaign rather than random attacks. The primary goal of a DDoS attack is to overwhelm a target's servers with a flood of internet traffic, rendering websites and online services unavailable to legitimate users. This falls under the MITRE ATT&CK technique T1498 - Network Denial of Service. The PNP is particularly concerned about protecting key systems such as:

  • e-Warrant System
  • National Police Clearance System
  • Records on firearms and vehicles

Impact Assessment

A successful large-scale DDoS campaign against Philippine government websites could have several negative impacts:

  • Disruption of Public Services: Citizens could be unable to access essential online government services, leading to public frustration and operational backlogs.
  • Economic Impact: If business-related government portals are affected, it could hinder commerce and administrative processes.
  • Erosion of Public Trust: A visible and successful attack on government infrastructure can erode public confidence in the government's ability to secure its digital assets.
  • Distraction and Diversion: A DDoS attack is sometimes used as a smokescreen to occupy security teams while a stealthier intrusion and data theft operation is carried out in the background.

Cyber Observables for Detection

Security teams should be monitoring for the following indicators of a DDoS attack:

Type | Value | Description
--- | --- | ---
network_traffic_pattern | Sudden, massive spike in inbound traffic | The most common indicator of a volumetric DDoS attack.
source_ip | Traffic from a large number of geographically diverse IPs | Indicates a distributed attack from a botnet.
protocol | High volume of SYN, UDP, or ICMP packets | Common vectors for volumetric and protocol-based DDoS attacks.
url_pattern | Repeated requests to a specific, resource-intensive page | Characteristic of an application-layer DDoS attack.

Detection & Response

The PNP Anti-Cybercrime Group is leading the response, in coordination with the DICT, the Cybercrime Investigation and Coordinating Center (CICC), and the National Telecommunications Commission.

  1. Proactive Monitoring: The agencies are actively monitoring network traffic for any signs of an impending attack.
  2. DDoS Mitigation Services: The most effective response to a large-scale DDoS attack is to use a cloud-based scrubbing service. This service filters out malicious traffic before it ever reaches the target's network.
  3. Rapid Response Teams: The PNP has placed rapid response teams on standby to immediately address any successful attacks and work on restoring services.
  4. Traffic Analysis: During an attack, teams will analyze the traffic to identify patterns (e.g., source countries, protocols used) to apply more specific filtering rules. This is an application of D3FEND's Inbound Traffic Filtering.
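The observables in the detection table and the traffic-analysis step above are easy to state but less obvious to operationalize. The following added example (written for this page, not PNP or DICT tooling) runs the four checks over a constructed flow capture: 40 seconds of quiet domestic traffic, then a 15-second burst from thousands of distinct sources across many countries that is mostly bare SYNs with the remainder hammering one search page. The flow schema, IP ranges, country codes, thresholds and window size are all assumptions chosen for the demonstration; a real deployment would feed it NetFlow/IPFIX or web-server logs and tune the thresholds to its own baseline.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One packet or request as a flow collector might export it (constructed schema)."""
    ts: int       # seconds since the start of the capture
    src: str      # source IP address
    country: str  # GeoIP country code of the source
    proto: str    # "TCP", "UDP" or "ICMP"
    flags: str    # TCP flags ("S" = bare SYN, "PA" = data); "" for non-TCP
    url: str      # requested path for HTTP requests, "" otherwise


def baseline_traffic(seconds, per_second=5):
    """Constructed normal traffic: a handful of domestic sources browsing several pages."""
    urls = ["/", "/news", "/clearance/status", "/contact"]
    return [
        Flow(t, f"203.0.113.{(t * 7 + i) % 20 + 1}", "PH", "TCP", "PA", urls[(t + i) % 4])
        for t in range(seconds)
        for i in range(per_second)
    ]


def attack_traffic(start, seconds, per_second=400):
    """Constructed burst: thousands of distinct sources across many countries,
    85% bare SYNs (protocol attack) and 15% requests to one search page (app-layer)."""
    countries = ["US", "BR", "RU", "IN", "VN", "DE", "CN", "NL"]
    flows = []
    for t in range(start, start + seconds):
        for i in range(per_second):
            n = t * per_second + i
            src = f"198.{(n >> 8) % 256}.{n % 256}.1"  # constructed, distinct per packet
            if i % 20 < 17:
                flows.append(Flow(t, src, countries[n % 8], "TCP", "S", ""))
            else:
                flows.append(Flow(t, src, countries[n % 8], "TCP", "PA", "/search"))
    return flows


def analyze(flows, window=5, spike_factor=5.0, min_sources=200,
            syn_ratio=0.8, url_share=0.7):
    """Walk the capture in fixed windows and emit (observable, details) alerts."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.ts // window].append(f)

    alerts = []
    clean = []  # packet counts of windows that did not spike: the rolling baseline
    for k in sorted(buckets):
        cur = buckets[k]
        if not clean or len(cur) <= spike_factor * median(clean):
            clean.append(len(cur))
            continue

        # network_traffic_pattern: sudden spike versus the median of clean windows
        alerts.append(("traffic_spike", {
            "window": k, "packets": len(cur), "baseline": median(clean),
            "proto_mix": dict(Counter(f.proto for f in cur)),
        }))

        # source_ip: many distinct, geographically diverse sources (botnet signature)
        sources = {f.src for f in cur}
        if len(sources) >= min_sources:
            alerts.append(("distributed_sources", {
                "window": k, "sources": len(sources),
                "top_countries": Counter(f.country for f in cur).most_common(3),
            }))

        # protocol: SYN-heavy TCP traffic within the spiking window
        tcp = [f for f in cur if f.proto == "TCP"]
        syn = sum(1 for f in tcp if f.flags == "S")
        if tcp and syn / len(tcp) >= syn_ratio:
            alerts.append(("syn_flood", {"window": k, "syn_ratio": round(syn / len(tcp), 2)}))

        # url_pattern: requests concentrated on one resource-intensive page
        urls = Counter(f.url for f in cur if f.url)
        if urls:
            top, n = urls.most_common(1)[0]
            share = n / sum(urls.values())
            if share >= url_share:
                alerts.append(("url_concentration", {"window": k, "url": top, "share": round(share, 2)}))
    return alerts


def run_demo():
    """40 s of quiet traffic, then a 15 s burst overlaid on the same baseline."""
    flows = baseline_traffic(55) + attack_traffic(40, 15)
    return analyze(flows)


if __name__ == "__main__":
    for kind, details in run_demo():
        print(kind, details)
```

The per-window details (protocol mix, top source countries, dominant URL) are exactly what the traffic-analysis step feeds into filtering rules: a SYN-heavy spike suggests SYN-cookie or upstream scrubbing, while a single hot URL from many sources points at an application-layer rule or a cache rule for that page. The baseline is the median of windows that did not spike, so an ongoing attack does not quietly raise its own threshold.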

Mitigation

The PNP has stated it is implementing several preventative measures:

  • System Hardening: Reducing the attack surface of servers and applications by disabling unnecessary services and applying security best practices.
  • Firewall and Access Controls: Implementing multi-layered security protocols, including properly configured firewalls and strict access control lists.
  • Collaboration: The close collaboration between the PNP, DICT, CICC, and NTC is a critical mitigation strategy, allowing for a coordinated national response and sharing of threat intelligence.
  • Upstream Filtering: Working with Internet Service Providers (ISPs) to potentially block malicious traffic at the carrier level before it reaches government networks.

Timeline of Events

  1. November 4, 2025: This article was published.
  2. November 5, 2025: Anticipated start date for the DDoS attack campaign.

MITRE ATT&CK Mitigations

Use DDoS mitigation services and properly configured firewalls to filter out malicious attack traffic.

Implement specific anti-DDoS technologies and have a response plan in place to handle denial of service attacks.

D3FEND Defensive Countermeasures

To defend against the anticipated DDoS attacks, the Philippine government should employ a multi-layered Inbound Traffic Filtering strategy. The first layer should be a cloud-based DDoS scrubbing service that absorbs and filters volumetric attacks before they reach the government's own network infrastructure. Secondly, on-premise firewalls and load balancers should be configured with rate-limiting policies to prevent application-layer attacks from overwhelming web servers. These devices should also be configured to drop malformed packets and traffic from known malicious IP addresses sourced from threat intelligence feeds. This combination of off-site and on-site filtering provides a robust defense against a wide range of DDoS attack types.
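The on-premise layer described above, as an added example rather than any PNP or DICT configuration: an edge filter that applies the checks in the order a firewall or load balancer would, dropping sources on a threat-intelligence denylist first, then malformed request lines, then enforcing a per-source token-bucket rate limit. The denylist entry, client addresses, request rates and limits are constructed for the simulation. It also shows the limit of this layer: a single flooding source is throttled to the configured rate, but the model does nothing against a flood spread thinly across thousands of sources, which is why the scrubbing layer sits in front of it.

```python
import ipaddress
from collections import Counter


class TokenBucket:
    """Per-client token bucket: `burst` requests may arrive at once, then `rate` per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    """Ordered checks an on-premise firewall or load balancer applies to each inbound request."""

    def __init__(self, denylist, rate=5.0, burst=10, max_path=2048):
        self.denied = [ipaddress.ip_network(n) for n in denylist]
        self.rate, self.burst, self.max_path = rate, burst, max_path
        self.buckets = {}

    def decide(self, now, src, path):
        # 1. Threat-intel denylist: drop before spending any application resources.
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.denied):
            return "drop:denylist"
        # 2. Malformed request line: drop rather than hand it to the web server.
        if not path.startswith("/") or len(path) > self.max_path or "\x00" in path:
            return "drop:malformed"
        # 3. Per-source rate limit with a small burst allowance.
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return "allow" if bucket.allow(now) else "drop:rate_limit"


def simulate(duration=10.0):
    """Constructed clients over `duration` seconds; returns decision counts per client."""
    edge = EdgeFilter(denylist=["192.0.2.0/24"])  # constructed feed entry
    clients = {
        # label: (source IP, requests per second, request path), all constructed
        "citizen": ("203.0.113.7", 2, "/clearance/status"),
        "flooder": ("198.51.100.9", 50, "/search?q=x"),
        "listed": ("192.0.2.44", 5, "/"),
        "fuzzer": ("203.0.113.8", 1, "A" * 5000),
    }
    events = []
    for label, (ip, per_second, path) in clients.items():
        for k in range(int(duration * per_second)):
            events.append((k / per_second, label, ip, path))
    events.sort()  # interleave clients in time order
    results = {label: Counter() for label in clients}
    for now, label, ip, path in events:
        results[label][edge.decide(now, ip, path)] += 1
    return results


if __name__ == "__main__":
    for label, counts in simulate().items():
        print(label, dict(counts))
```

With a limit of 5 requests per second and a burst of 10, the citizen polling every half second is never throttled, the listed source never reaches the application, and the flooder gets through only about 60 of its 500 requests. The order of the checks matters: denylist and malformed-packet drops are cheap and happen first, so the rate limiter's per-source state is spent only on traffic that has passed them.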

Leveraging a Content Delivery Network (CDN) is a highly effective proactive measure against DDoS attacks. By distributing government website content across a global network of servers, a CDN can absorb and diffuse the traffic from a DDoS attack, preventing any single server from being overwhelmed. The CDN's distributed nature makes it inherently resilient to volumetric attacks. Furthermore, many modern CDNs include advanced DDoS protection and Web Application Firewall (WAF) capabilities at the edge, providing an additional layer of defense against both network-layer and application-layer attacks. The PNP and DICT should ensure all public-facing government websites are fronted by a reputable CDN service as a foundational element of their defense strategy.

Sources & References

PNP on full alert to counter possible cyberattacks on gov't websites
Daily Tribune (tribune.net.ph) November 4, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

  • Threat Intelligence & Analysis
  • Security Orchestration (SOAR/XSOAR)
  • Incident Response & Digital Forensics
  • Security Operations Center (SOC)
  • SIEM & Security Analytics
  • Cyber Fusion & Threat Sharing
  • Security Automation & Integration
  • Managed Detection & Response (MDR)

Tags

DDoS, Philippines, government, threat intelligence, alert, cyberattack
