[ISN] Newsmaker: Cyberattack in Estonia -- what it really means

From: InfoSec News (alerts@private)
Date: Tue May 29 2007 - 22:16:23 PDT


http://news.com.com/Cyberattack+in+Estonia-what+it+really+means/2008-7349_3-6186751.html

By Robert Vamosi
Special to CNET News.com
May 29, 2007

Newsmaker - When it comes to denial-of-service attacks, Jose Nazario has 
seen just about everything.

As senior security researcher at Arbor Networks, Nazario closely 
monitors network attacks. A denial-of-service, or DoS, attack occurs 
when someone directs a large number of requests to a target URL so 
quickly that the Web server can't respond, and the site becomes 
inaccessible.

A distributed denial-of-service, or DDoS, attack occurs when hundreds or 
thousands of compromised computers are enlisted. Arbor Networks has a 
tool called the Active Threat Level Analysis System that enables Nazario 
to collect information on DoS attacks worldwide.

On April 27, officials in Estonia relocated the "Bronze Soldier," a 
Soviet-era war memorial commemorating an unknown Russian who died 
fighting the Nazis. The move incited rioting by ethnic Russians and the 
blockading of the Estonian Embassy in Moscow. The event also marked the 
beginning of a large and sustained distributed denial-of-service attack 
on several Estonian national Web sites, including those of government 
ministries and the prime minister's Reform Party.

Nazario was one of the first to publish information about those 
cyberattacks. He spoke with CNET in the wake of the events in Estonia.


Q: Have there been any previous attacks comparable to the cyberattack 
situation in Estonia?

Nazario: Compared to larger, higher-profile attacks, it isn't 
necessarily larger than the rogue DNS (domain name system) server attack 
this past winter, no larger than the attacks resulting from the Olympics 
a few years ago with the Apolo Ohno controversy. (In 2002 at the Salt 
Lake City Games, Ohno won the gold medal in the 1,500-meter 
speed-skating race after South Korean Kim Dong-Sung was disqualified; 
soon after, several United States-based servers were hit with a DDoS 
attack from machines that appeared to be based in South Korea.

The Estonia attacks certainly are overwhelming and crippling many of 
those sites in Estonia based upon the resources that they have. But it's 
the background nature of those attacks that's novel, in comparison to 
other denial-of-service attacks.

There's no extortion going on. They're not demanding to the Ministry of 
Finance, the Ministry of Agriculture, "Pay us $50 million, or we keep 
this up." They're not trying to disrupt e-commerce--they're making a 
political statement.

So the size isn't necessarily groundbreaking. We're talking about 100 or 
200 megabits per second. Looking at our infrastructure surveys that we 
have published--and we have one going on currently for release later 
this year--we have seen that this is on the low side of an average size 
of attack on providers that we talk to, who run our products or don't 
run our products, who participate in our survey. It's kind of a 
common-size attack.


Would the Estonia event be comparable to the India-Pakistan 
cyberconflict of a few years ago? I recall volleys of nationalistic 
viruses sent between the two countries with some DoS attacks thrown in.

Nazario: Yes, definitely, though it's probably more applicable to the 
Apolo Ohno situation, where you have a nationalistic driver behind the 
DDoS attack. We saw some specific tools created (for the Olympic 
attack), as well as some botnets that were under the control of people 
who were emotionally attached to the events. Attacks were launched 
against a specific target based upon national interests or based upon 
geopolitical interests.


A recent blog of yours suggested that a variety of different DoS methods 
were used on the Estonia sites. Does that support the theory that random 
sympathetic individuals, say in Russia, may be behind the attacks, as 
opposed to an organized, coordinated attack?

Nazario: Not necessarily. While we do think the Estonian attacks are due 
to multiple, different kinds of botnets, or different tools or different 
groups, all with sort of a same angle behind them, the fact that the 
attacks are different in their nature isn't necessarily the indication 
there that comes from other kinds of analysis.

We have, in the past, seen DoS attackers interested in keeping their 
attack effective by changing the tactics as they go along. And they will 
keep on changing the attack as it goes on.

They'll change locations, if they have a big enough botnet; sources, if 
they can overwhelm the defenses that selectively look at different kinds 
of sources; or the individual traffic types or packet types to overwhelm 
protocol-based defenses on the perimeter of the network.

That said, we have seen evidence suggesting that there were multiple 
botnets and tools--both botnet-related and not botnet-related--behind 
the Estonian attacks. We have seen this based upon some analysis of 
existing botnets that we and others are tracking, as well as monitoring 
forums and software releases where people are encouraging others to show 
their displeasure with Estonia--in this case, by launching these 
attacks.


Might we see other DDoS attacks in the very near future? Or is the 
Estonian situation just a one-off, a response to a specific event?

Nazario: I don't think it's a one-off. You mentioned the India-Pakistan 
issues; I mentioned the South Korean Olympic issues from several years 
ago. We have seen this kind of thing before. You look around the globe, 
and there's basically no limit to the amount of skirmishes between 
well-connected countries that could get incredibly emotional for the 
population at large.

In this case, it has disrupted the Estonian government's ability to work 
on online, it has disrupted a lot of its resources and attention. In 
that respect, it's been effective. It hasn't brought the government to a 
crippling halt, but has essentially been effective as a protest tool.

People will probably look at this and say, "That works. I think we're 
going to continue to do this kind of thing." Depending on the target 
within the government, it could be very visible, or it could not be very 
visible.

Some countries are probably better equipped to handle this than others. 
We monitor thousands of DoS events each day in our ATLAS system that 
comes from our installations around the world and our sensors around the 
world. The bulk of them are things that are against people you wouldn't 
even know or existed--just random people, people on broadband 
lines--where someone gets upset with them online and says "I'm going to 
make your life uncomfortable for the next hour or two."

We do see attacks against big corporations and big governments, and if 
you look at those attacks, some of them are probably politically 
motivated as a way of speaking out. I don't think this is going to 
become as common as seeing people on the streets. But it's something 
that some governments have to consider much more than I think they 
needed to five years ago.


You mentioned distractions. Is it a matter of the Estonian government 
sites filtering their traffic?

Nazario: It's not just within the Estonian government but also within 
their providers. The Estonian providers are, of course, working with a 
much larger community--the European providers, the North American 
providers (and) Asian providers that give them inbound traffic as well 
as the attack traffic. They're working with people to identify the root 
cause of these attacks and shut them down, as well as push the traffic 
back even further to alleviate those problems without disrupting normal 
service. The number of people required to help them do this is rather 
high, given the size of the staff that they have and that they don't 
normally see those kinds of things.

A couple of Estonian service providers have been under denial-of-service 
attack for the past six months to a year, by a virus called Allaple, and 
we're not clear as to what the author's trying to do other than upset 
some people in Estonia. It doesn't appear to have as clear a cause or 
reason behind it as these recent attacks against the Estonian government 
sites.

We know that they're scrambling, and we're working with folks from the 
Estonian Computer Emergency Response Team and the region, as well as the 
Estonian providers, to deal with it. We know that they've been working 
on this for quite a while, a number of weeks, really reaching out, and 
it is a very high-focus, high-priority item for them.


The attacks haven't stopped, have they?

Nazario: We know they haven't stopped, but we're not seeing them with 
such intensity right now.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue May 29 2007 - 22:27:47 PDT