Slate Podcast on Estonian DOS attack

http://www.slate.com/id/2166749/fr/podcast/

TV

http://www.slate.com/id/2166749/fr/podcast/

Downloading it now.

John Markoff just called me for the NYT piece. Odd that it's just hitting
the news now, two weeks later.

                                -Bill

    > http://www.slate.com/id/2166749/fr/podcast/

    >
    > Downloading it now.
    >
    > John Markoff just called me for the NYT piece. Odd that it's just hitting
    > the news now, two weeks later.

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html?referrer=emailarticle

                                -Bill

I wonder, does this mean Estonia is now more likely to act/react to its own homegrown miscreants who attack systems in other countries, after seeing the impact it had in their own country? Or is this going to remain a case of the "bad guys" always being in some other country, not mine?

By "bad guys" do you mean the bots, or the C&C? I think in
non-state-actor attacks, prosecution of C&C has been reasonably good.
It's the botnets that I worry about. All those people still paying
Microsoft to make their machines zombies. :-/

                                -Bill

I just now got back from a 6-hour beer fest with ISP/CERT/military/etc. guys
who have been working on these attacks on Estonian infrastructure for the past 3 weeks here in
Tallinn, so if I make less sense than usual, please forgive me. Beer
good.

Sitting with these folks for the past week, I got so impressed with the
abuse handling work they are doing that even I, who had a very negative opinion
of Estonia and cyber-crime, completely changed my mind.

Their CERT is *extremely* responsive, their ISPs are all talking and
cooperating on abuse and security (and drinking beer). Things are very
different from what they were even just a year ago. Even their Police
force is clued.

If anyone has issues in Estonia, I'd strongly urge you to contact the
Estonian CERT at www.cert.ee, and you most likely won't get
disappointed. A lot of good people over here.

  Gadi.

How serious was the attack really? The national press reporting was
either nonexistent or hysterical (Cyberwar! Woo!), but it didn't
disturb anyone to post to NANOG at any point, and it does not seem to
have had any measurable real-world consequences.

Was this because a) it wasn't really that serious, b) it was serious
but mitigation was successful, or c) being well-mitigated (BCP38 and
the like) from the word go, its seriousness or otherwise wasn't
obvious?

Definitely (b). The EE-CERT was remarkably well-prepared and effective,
and their counterparts around the world cooperated diligently and
professionally. It was a very large attack.

                                -Bill

People might be interested in a military perspective on this :

http://globalguerrillas.typepad.com/globalguerrillas/2007/05/an_internet_ebo.html

and a possible response

http://globalguerrillas.typepad.com/globalguerrillas/2007/05/journal_a_new_m.html

Regards
Marshall

Yes...definitely b. I was there.......and Bill speaks from experience as well since the RIPE meeting happened to be in Tallinn during the peak of the attack. I'm of Estonian descent btw.......so I could keep up with local news (besides having personal contacts) and there were severe attacks on government sites and major banks as well as other facilities. Although nothing ended up being down for more than an hour that had been recognized ahead of time as being 'important'. Most people are not aware how much Estonia relies on its network infrastructure for government operations, banking and the daily life of ordinary people. They had the good fortune of starting 'fresh' in the early 1990's without legacy baggage :)

They were prepared for the worst......technically the folks I've dealt with are some of the best.........and it's important to keep in mind that since the attack(s) were politically motivated, the timing of the worst of it was known and the banks, ISPs, police, government could coordinate a pretty tight plan of action. It is an unusual situation...or at least the first of its kind.

- merike

It is an unusual
situation...or at least the first of its kind.

Leaving aside the alleged political involvement of some government or
other, this is far from true. Back in the day, when DOS attacks were
delivered to mailboxes and USENET and IRC were the main tools for
coordinating attacks, this was commonplace. A victim was identified,
postings were made to newsgroups and IRC channels, and at the appointed
time, the attack began.

What is fundamentally different here?

Using web forums and IM instead of USENET/IRC is not fundamentally
different.
Using botnets to amplify the attack is different from the mailbombing
of the past; however, botnets are often used in DDoS attacks, so I
don't think we can consider this fundamentally different.

What about the attackers? Is there something about Russians that would
explain this? Yes, I think so. Over the past 20 years, economic and
social problems have hit Russia hard and the people that lived through
this time learned how to cooperate effectively and how to change tactics
on short notice. At the same time, the Russian education system produces
people who are very good at technical subjects, like networks,
programming, etc. This has combined to create various criminal groups
who can make a good living from net abuse by building and renting
botnets or selling various spamming services or just plain phishing. The
Russian mob does have a big market share of botnet C&C (Command and
Control).

IMHO, this is not about Estonia and this is not about the Russian
government or military or intelligence agencies. This is all about free
enterprise thinking which is more deeply embedded in Russia than in most
of the developed world. Generally, these Russian hackers apply their
skills to earning money or attacking each other, but Estonia
accidentally raised the hackles of these people and they all pointed
their firehoses in unison. It could have been any other country which
does something that offends the sensibilities of ordinary Russians.

On the other hand, if this attack had been directed at the USA, it would
have had far less effect. The USA has its economic and government
infrastructure scattered across many cities with lots of network
capacity between. The target for the firehose is more diffuse and
therefore harder to hit. Estonia is a little country with all its eggs
in one basket in one city.

It was an interesting coincidence that one of the more vulnerable
countries just happened to get a large number of criminal hacker gangs
upset enough to turn from earning money to attack them. Perhaps they
haven't heard that people who live in glass houses shouldn't throw
stones.

There has been a lot of hyperbole over these incidents and little
factual information. Some people want to point the finger of blame, but
with botnets and diffuse C&C out there, this is not something that can
be easily or quickly confirmed. If it was so easy, then we would have
put the botnet operators out of business long ago. It's nice to hear
that the Estonian CERT was prepared to respond to an attack and it's
nice to hear that a lot of people helped mitigate the attack. But there
is nothing new in that. There are a lot of accusations about attacks
coming from a certain list of countries or from certain specific
computers of certain government officials, but these sound like typical
tabloid journalism explanations of any botnet-based DDoS. People say
this was a BIG deal but then we hear that sites were down for only an
hour. The Northeast blackout was a big deal, Katrina was a big deal, but
a few hours of outage for a few data centres in one city doesn't seem to
me like a big deal.

A claim was made that 4 million packets per second were sent. I would
like to hear more about this. How was it measured? Is this an aggregate
or was this directed at the largest victim? Was it ingress into the
network or packets delivered on the site's CPE router? How does this
compare to other DDoS incidents. And, most importantly, does it indicate
a growth in total DDoS capability (a bigger firehose than before) or was
it simply the usual stuff all sent to the same victim at the same time,
for a change.

What can network operators learn from this? Do we need to beef up
technical measures or will a well-run network already be prepared to
mitigate this kind of thing? Is there some fundamental technical aspect
of this attack that was different from the past? Did the mitigation of
the attack do something fundamentally different from the past?

--Michael Dillon

First of its kind in that it targeted a country.

As far as technical details, I'm pulling something together for the nsp-sec BoF at NANOG. I saw the spike
to 4m pps on their management station......so no 'claims' there. And yeah, OK, it will need qualification.
Basically that was seen by Estonian ISPs as traffic coming in.........technically there wasn't much difference
from what people see today but the large-scale coordination is unusual. Or maybe not since it's a small country :)

As far as the important sites being down for a short time.....that was because the mitigation techniques had been
well thought out and they were prepared. And a LOT of money was spent to add equipment and enforce
mitigation in the week before the worst was expected. There was a lot of pro-active activity which I do find
to be unusual. No one wants to spend money on security (said very tongue-in-cheek).......

I'll include answers to your last questions in my preso.......

- merike

As far as technical

First of its kind in that it targeted a country.

No, at the very least, Moonlight Maze and Titan Rain came before. But by
today's standards, Moonlight Maze would have been trivially small. I
don't have any numbers for Titan Rain. Anyone know how it compared to the
4mpps of this attack?

                                -Bill

First of its kind in that it targeted a country.

No, at the very least, Moonlight Maze and Titan Rain came before. But by
today's standards, Moonlight Maze would have been trivially small. I
don't have any numbers for Titan Rain. Anyone know how it compared to the
4mpps of this attack?

A data point based on some information we have from looking
at inter-domain traffic and attack attributes across ~40 ISPs
(~1 Tbps) over ~250 days now (and rolling):

Days seeing at least one attack exceeding a given threshold:

    over 6 Mpps      1
    over 5 Mpps     12
    over 4 Mpps     33
    over 3 Mpps     53
    over 2 Mpps     91
    over 1 Mpps    149

Total attacks exceeding a given threshold:

    over 6 Mpps      1
    over 5 Mpps     17
    over 4 Mpps     82
    over 3 Mpps    135
    over 2 Mpps    352
    over 1 Mpps    813

The above is from the perspective of *a single ISP*, so the aggregate
of the attack is likely to be far greater (cross-ISP correlation of targets
is NOT reflected in this dataset). Mpps and greater attacks make
up far less than 1% of the attacks we see (we have data for ~142k
known attacks over this period).

More on this in the near future and note that none of the above is
meant to marginalize the Estonian attacks in any way, 4 Mpps is a
lot depending on where it's directed and how it's mitigated - it's
ALL about perspective.....

-danny

Don't forget the Pakistan/India cyber-skirmishes. Substantial parts of
their Internet infrastructure were successfully attacked for months at
a time.

Periodically, China, Japan and South Korea seem to have rotating grudge
matches between their hacking groups. And in wars with bullets, there was Yugoslavia and the Radio B92 all-media attacks; and pro-Chinese groups
launched several attacks after the US bombed the Chinese embassy in Belgrade.

There have been so many cyber-protests of many different US policies for many years even keeping a list would be a lot of work. And even
some pro-US groups launching cyber-attacks to protest policies of
other countries.

May Day 2000? China/America hackers attack each other.
Most of 2001 Hamas/Israeli hackers battle it out, highlight:
"www.hezbollah.org" attacked, which was hosted on inter.net.il (I
think)... funny stuff :)

Certainly there have been other country-targeted attacks before Estonia,
yes. I do find it interesting that someone pointed the finger directly at
the sovereign nation instead of nationalist hacker groups or the like... I
think the washingtonpost.com article last week about this said the finger
pointing started because 'a Kremlin minister's computer was identified as
an attacker!' (or was bot'd and participated in the attack(s) )

anyway, fun stuff, I'll have to listen to the podcast eventually.
-Chris

Countries and govt infrastructure have been under attack before. As an
example: the various parties in the Balkan conflict (former Yugoslavia)
were fighting their "cyber-wars" back in the 90s. Attacks were of course
at a different scale, as national/regional ISPs at the time only had a
few k of transit capacity.

//per

A lot of people had information to share and emotions to get out of the
way, so I sent my reply off-list. Also, it was really not my place to
reply on this - with all the work done by the Estonians, my
contributions were secondary. My discussions with Mr. Harrowell are
public on his blog. Information from Bill Woodcock was also sound.

As to what actually happened over there, more information should become
available soon and I will send it here. I keep getting stuck when trying
to write the post-mortem and attack/defense analysis as I keep hitting a
stone wall I did not expect: strategy. Suggestions for the future are
also a part of that document, so I will speed it up with a more
down-to-Earth technical analysis (which is what I promised CERT-EE).

In the past I've been able to consider information warfare as a part of
a larger strategy, utilizing it as a weapon. I was able to think of
impact and tools, not to mention (mostly) disconnected attacks and defenses.

I keep seeing strategy for the use IN information warfare battles as I
write this document on what happened in Estonia, and I believe I need
more time to explore this against my previous take on the issue, as
well as take a look at some classics such as Clausewitz, as posh as
it may sound.

Thanks,

  Gadi.
