[NANOG] An account of the Estonian Internet War

About a year ago after coming back from Estonia I promised I'd send in an account of the Estonian "war". The postmortem analysis and recommendations I later wrote for the Estonian CERT are not yet public.

A few months ago I wrote an article for the Georgetown Journal of International Affairs, covering the story of what happened there, in depth. The journal owns the copyright so I had no way of sending that along either. I wasn't about to email saying "go buy a copy".

Mostly silly articles kept popping up with misguided to wrong information about what happened in Estonia, and when an Estonian student was arrested for participating, some in our community even jumped up to say "it was just some student". Ridiculous.

This is the "war" that made politicians aware of cyber security and entire countries scared, NATO to "respond" and the US to send in "help". It deserved a better understanding for that alone, whatever actually happened there.

I was there to help, but I just deliver the account. The heroes of the story are the Estonian ISP and banking security professionals and the CERT (Hillar Aarelaid and Aivar Jaakson).

Apparently the Journal made my article available in PDF form by a third party:

Battling Botnets and Online Mobs
Estonia's Defense Efforts during the Internet War

URL: http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

It is not technical, I hope you find it useful.

Gadi Evron.


I read it. As it happens, about a year ago I plowed through a bunch of Information Operations (formerly known as Information Warfare) papers in a then-linkable bibliography on the subject. Your GJIA paper is of that genre. There wasn't enough for me to distinguish between an ad insert campaign executed by several hundred nodes injecting link and keyword payload via POST, which I've observed as multi-hour ddos on vhost targets implemented on generic webservers with no particular load planning, and whatever happened "in Estonia". Technical details may change that impression, or the general observation that the relaxation times of such events is measured in hours to a small number of days.

Note: hosts with domain names ending in .mil have been observed in ad insert campaigns.