[faeriechangling]

I'm not sure there has been no mitigation done, the site has almost certainly been designed in a way where a DDOS attack against it won't impact the rest of the organization. Mitigation is more about causing failure to not really matter than it is about completely preventing failure. The point of a website like FSB.ru is to promote employment within the FSB, to encourage public support of the FSB, and to inform the public of the services the FSB provides. The website is useful but not critical to the FSB's mission. It's fine for this website to go down on rare occasions.

The FSB going out of their way to proactively ensure the site maintains 100% uptime even in the face of a rare, massive, and temporary DDOS campaign is expensive and a waste of resources. If you're going to focus your resources on keeping a website that hardly even matters up 100% of the time, you're going to end up having your IT organization disrupted in a far more meaningful way. The organization as a whole has limited resources and is regularly dealing with defending against the most advanced APT's in the world from infiltrating its network and disrupting its activities. Good stewardship of IT means good prioritization.