The Real Impact of the Estonian Cyberattack
An anonymous reader writes "News.com offers up an interview with Arbor Networks' senior security researcher Jose Nazario. He takes stock of the denial-of-service attack against the Baltic nation of Estonia, and considers the somewhat disturbing wider implications from the event. 'You look around the globe, and there's basically no limit to the amount of skirmishes between well-connected countries that could get incredibly emotional for the population at large. In this case, it has disrupted the Estonian government's ability to work online, it has disrupted a lot of its resources and attention. In that respect, it's been effective. It hasn't brought the government to a crippling halt, but has essentially been effective as a protest tool. People will probably look at this and say, That works. I think we're going to continue to do this kind of thing. Depending on the target within the government, it could be very visible, or it could not be very visible.'"
That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.
Lots of companies have a root-and-branches approach to Internet connectivity, too, thinking that each site (or the whole corporate intranet) needs only one gateway to the outside. Put all your eggs in one basket, and watch the basket. For the family baked bean recipe confidentiality that's good, but for availability that's bad.
The "right" way to do it is to have multiple redundant shared trunks with neighbors. That word "shared" is scary to network administrators (or rather, to their pencil-pushing mentors). It means they'll have to carry outside traffic on their pipes (that's a metaphor, Senator), and that has risks: it costs money, and it has the potential to allow someone to see inside the network.
However, the rewards for sharing bandwidth are enormous: multiple ISPs mean allowing TCP/IP to do its job, routing traffic to avoid disasters like DOS attacks, hurricanes, and nuclear bombs. The ISPs and other bandwidth partners know they have an interest in helping to protect your network. The technical risks can be mitigated simply by routing and tunneling.
Is the above realistic? Nope. Not in a corporate environment, anyway. I'd be really surprised if anyone outside academia or pure ISP does shared trunking anymore.
But it can also happen at the leaf nodes: you and your neighbors share cable broadband and DSL connections, routing through wifi. That violates most subscriber agreements, but it's the way the protocols were designed to work. Your network should never be down.
Never.
sigs, as if you care.
I can't be arsed to seriously reply to your other stupid points, but here are some "minor" problems with your analogy:
The people buried near the Bronze Soldier DID NOT die there, there were no WW2 battles in Tallinn. Also the Bronze Soldier WAS NOT a mark for the graves of dead. Their graves were unmarked and there was nothing pointing out that there were graves there. Also it was your glorious USSR that buried them right under a fucking trolley stop. BTW they were not just moved "somewhere" they were reburied at the same military cemetery where the statue was moved.
No, they would pay for the repatriation of the bodies so that they could be buried on US soil just as they have been doing for the past 40 years in Vietnam/Cambodia/Laos. If the country where they died is willing to keep the war graves & family in the USA do not want to repatriate them, the USA pays for part of the upkeep of the cemetery as they have been doing for the last 90 years for WWI & WWII war graves in western Europe. When, as has occurred in a number of instances here in France, some graves need to be deplaced (A few of the WWI war graves were small & in inconvenient spots -- the remains were moved to a larger war cemetery or once again repatriated), the US has helped pay.
Contrast that with your reaction to the deplacement of a Russian war hero statue that Russia installed in a foreign country's heart. Russia's reaction is one of revanchism where you want to reconquer the "lost" territories much like France did from 1870-1918.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
It would be easier to defend against these attacks if companies would standardize on techniques. Cisco and HP are two examples I know of that offer different methods for defending DDoS attacks. Cisco has a number of methods not all of which are compatible with each other. Perhaps more importantly, Cisco's methods almost always require Cisco products for them to work effectively. HP is a little better about standards these days but their methods are still rather solitary to their Procurve platform. Lately HP has made a huge change dropping Cisco support from at least some of their products in favor of standards that will work with the Nortels, Adtrans, and even Netgears of the world. It is a step in the right direction.
It seems simple, if ISPs can restrict traffic so that forging addresses is impossible then filtering DDoS at the ISP level before it's aggregated should be easy. Even then, once it is aggregated it would be chunks of traffic which could easily be identified and blocked either temporarily or permanently allowing others to continue as normal.
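Added example, not part of the comment above or of any vendor's product: a Python sketch of the two steps it describes, source-address validation at the customer edge (the practice documented as BCP 38 / RFC 2827) followed by per-source counting on the traffic that survives. The port names, prefixes, packet tuples and threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes the ISP has assigned to each customer-facing port.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

def source_is_valid(port, src):
    """True if src lies in a prefix assigned to the port it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in ASSIGNED.get(port, []))

def edge_filter(packets):
    """Drop packets with forged sources at the edge; count drops per port."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if source_is_valid(port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
    return forwarded, dropped

def heavy_sources(forwarded, victim, threshold):
    """Sources sending at least `threshold` packets to the victim.
    Only meaningful after edge_filter, when source addresses can be trusted."""
    counts = Counter(src for _, src, dst in forwarded if dst == victim)
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample traffic: (ingress port, source, destination).
VICTIM = "192.0.2.10"
PACKETS = (
    [("cust-a", "198.51.100.7", VICTIM)] * 40                     # real host flooding
    + [("cust-a", "10.9.8.%d" % i, VICTIM) for i in range(30)]    # forged sources
    + [("cust-b", "203.0.113.20", VICTIM)] * 3                    # ordinary client
    + [("cust-b", "2001:db8:b::5", "2001:db8:ffff::1")]           # unrelated IPv6 flow
    + [("cust-b", "198.51.100.7", VICTIM)] * 5                    # forged as cust-a's host
)

if __name__ == "__main__":
    fwd, drops = edge_filter(PACKETS)
    print("forwarded:", len(fwd), "dropped per port:", dict(drops))
    print("block candidates:", heavy_sources(fwd, VICTIM, threshold=20))
```

The forged packets never reach the aggregation point, so the remaining flood is attributable to one address on one port and can be blocked without touching the ordinary client.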
Of course Poland exports meat to Western Countries. It's a bit weird though, that neither German nor French authorities find Polish meat bad. It is only Russian that see something inappropriate in Polish meat.
The reason why detailed audit was refused, is because all exporting farms have EU quality certificates. Russia accepts EU certified meat from other countries, but forbids Polish meat even though it complies with the same quality standards. Such behavior smells of politics.