The Real Impact of the Estonian Cyberattack

An anonymous reader writes "News.com offers up an interview with Arbor Networks' senior security researcher Jose Nazario. He takes stock of the denial-of-service attack against the Baltic nation of Estonia, and considers the somewhat disturbing wider implications from the event. 'You look around the globe, and there's basically no limit to the amount of skirmishes between well-connected countries that could get incredibly emotional for the population at large. In this case, it has disrupted the Estonian government's ability to work online, it has disrupted a lot of its resources and attention. In that respect, it's been effective. It hasn't brought the government to a crippling halt, but has essentially been effective as a protest tool. People will probably look at this and say, That works. I think we're going to continue to do this kind of thing. Depending on the target within the government, it could be very visible, or it could not be very visible.'"

How insightful!

[Cutie+Pi]

Depending on the target within the government, it could be very visible, or it could not be very visible.

Yep, that pretty much sums up the possible outcomes.

Re:How insightful!

[iONiUM]

hey HEY! I was thinking there could be a third option, translucently visible, or like visible only on the 3rd moon of the 18th month of the 22nd year after the year of the tortoise.. this narrowed it down a lot.

Re:How insightful!

[rs232]

Yep, that pretty much sums up the possible outcomes

Would this distributed DOS attack be possible without a vast army of compromised desktops being used as part of a botnet. Is it tecnnically possible to design against such attacks, or at least make it more difficult to compromise the desktops and route the rogue traffic. After all the Internet is supposed to be designed to be resistant to a nuclear attack. (I know Vint Cerf remembers it different)

Re:How insightful!

Come on, there are an infinite number of ways to hold your tounge and squint.

On the other hand, there are not an infinite number of ways to spell "tongue".

Re:How insightful!

[HiggsBison]

Come on, there are an infinite number of ways to hold your tounge and squint.

On the other hand, there are not an infinite number of ways to spell "tongue".

Yes, but 'e was clearly spelling "tounge", then, wasn't 'e?

Praline: The cat detector van from the Ministry of Housinge.
Man: Housinge???
Praline: Yes, it was spelt that way on the van. I'm very observant.

Re:How insightful!

[Vancorps]

It would be easier to defend against these attacks if companies would standardize on techniques. Cisco and HP are two examples I know of that offer different methods for defending DDoS attacks. Cisco has a number of methods not all of which are compatible with each-other. Perhaps more importantly, Cisco's methods almost always require Cisco products for them to work effectively. HP is a little better about standards these days but their methods are still rather solitary to their Procurve platform. Lately HP has made a huge change dropping Cisco support from at least some of their products in favor of standards that will work with the Nortels, Adtrans, and even Netgears of the world. It is a step in the right direction.

It seems simple, if ISPs can restrict traffic so that forging addresses is impossible then filtering DDoS at the ISP level before its aggregated should be easy. Even then, once it is aggregated it would be chunks of traffic which could easily be identified and blocked either temporarily or permanently allowing others to continue as normal.

Multicast theories

[packetmon]

You know... I thought about the possibility of a Multicast worm/attack ... Just haven't had time to document it... Would work similar to the following... For those who use IM clients that have annoying streaming advertisements... If you didn't know, those are multicasted to your machine... My theory was to re-inject packets at the router level (avoiding Reverse Path Forwarding when possible) to make your machine believe my spoofed host is a valid source to get your images from... Only thing is, the image would be corrupted forcing an infection on your machine... This would in turn replicate via broadcast from the infected hosts... It was a theory of mine while studying DoS attacks for the CCIE security exam and a lot of variables would have to be met... Anyhow, the reason for this post is, I believe those committing DoS attacks are halfclued as to what a real attack could potentially do... For instance Border Router Attack Tool is another theoretical tool to break BGP neighboring. You of course have to know enough about a topology to even get it to work but under a unified stream, you could cause massive route flaps which lead to neighbors disconnecting. Its only a matter of time before someone takes it to the extreme and breaks connectivity between huge AS'

Re:Multicast theories

[zappepcs]

While I'm not sure your idea would work or not, I do know that there are many ways to compromise the nice-play Internet that we all think it is. Some of them are being used right now and we just haven't figured it out yet. DDoS is but one of those ways and might be *ONLY* a distraction while surreptitious malware or spyware is installed in government facilities. This in fact could be a test of the new Chinese cyber-warfare units in order to demonstrate what they are capable of...

Just a thought from the 'stay in your happy place group' (TM)

Re:Multicast theories

[AndersOSU]

I wouldn't be surprised at all if the DOD had just such a tactic in place.

I mean think about it, one of the things a party at war always tries to do is get the civilians of the opposite side reading "subversive" material. One of the first things we did with airplanes in war was pamphleting. We still attach pamphlets with aid drops. Would it be so strange to see the US send email to every Chinese address that looked like this? How about a flood of anti-communist text messages? Doesn't seem very far fetched to me.

Backbone QOS?

[dattaway]

Isn't the backbone capable of metering connections to an attacked country? I haven't noticed the providers to be politically spineless (except for AT&T) but can't they help a poor country out?

Re:Backbone QOS?

[packetmon]

What would QoS do at this level except overwhelm your processor? Unicast Reverse Path Forwarding would be the better solution nowadays. Cat 6500 info... If networks were built correctly from the ground up, these attacks wouldn't even happen as much. If three networks were connected and all had uRPF or filtering in place, no three networks would be able to spoof addresses and cause attacks. They'd be forced to attack using a valid address on their network which would make tracking easier...

Re:Backbone QOS?

[Vancorps]

Sorry, but you have an odd definition of reality. Whitehouse.gov was completely taken out by a DDoS some years ago when it was a huge issue. Now in the last year we've had massive DDoS attacks on the root DNS systems which naturally held up because these trunk level ip filters you seem to think are impossible to implement HAVE been implemented. So in short, the only one that doesn't think this can be implemented globally is you.

I'll refer you to AT&T "Clean pipes" initiative as an example of a multinational corporation implementing this on a massive scale and using it to charge their customers more while giving their customers more value for their dollar. Face it, DDoS attacks were already a huge problem, you just never noticed because you were too busy saying everything is impossible and that countries can't work together despite that being the very nature of the Internet. AT&T is by far not the only ISP implementing this all over their backbone as well. Refer to at least a couple dozen other posts in this thread and you will see that are lots of options and many of them are deployed and the same method does not need to be deployed globally to be effective. As I said, it only really needs to happen when you peer with another provider. It saves the ISPs money on back haul charges and they can charge their customers more for the same service that they already had an interest in delivering.

I also don't understand how that proves your point and not mine when it clearly illustrates that the problem is indeed widespread and has affected people with the means to create real change. It might help your point as well as mine but it certainly discredits nothing. This is why the Whitehouse.gov is where it is today. It wasn't always distributed, why do the think they spent millions to make it that way in the first place? You think they just thought it was a good idea at the time? Perhaps you don't realize that big business is not proactive nor is big government.

no reason to get overly complicated

[JeanBaptiste]

just do this

Possible Outcomes

[Nymz]

Unless some magical solution presents itself, then cyber-warfare will most likely continue. The difference will be in how we respond. Should starting up your own cyber-attacks be an acceptable form of retaliation? or will more cyber-attacks only lead us down the path to a conventional-attack?

Re:Possible Outcomes

[cosinezero]

If impact is merely economic - how then does it differ from other games countries play to crush economic interests? I mean, where you see "Denial of Service", I see "Sanctions" and wonder, in the grand scheme of things, what's the difference?

Re:Possible Outcomes

[DerekLyons]

The key difference is that sanctions and traditional methods are (generally) open and aboveboard - you know who is doing what to who, as it is announced widely beforehand and very visible in operation. DoS attacks however, are none of these things. In addition, while Country X may impose various forms of sanctions/tariffs/etc... on Country Y - that does not effect (directly) either the internal operation of Country Y, or it's intercourse with Country Z. DoS atacks can, and do - as well as have an immediate and direct impact on individuals.

Implementation Failure

[RealProgrammer]

That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.

Lots of companies have a root-and-branches approach to Internet connectivity, too, thinking that each site (or the whole corporate intranet) needs only one gateway to the outside. Put all your eggs in one basket, and watch the basket. For the family baked bean recipe confidentiality that's good, but for availability that's bad.

The "right" way to do it is to have multiple redundant shared trunks with neighbors. That word "shared" is scary to network administrators (or rather, to their pencil-pushing mentors). It means they'll have to carry outside traffic on their pipes (that's a metaphor, Senator), and that has risks: it costs money, and it has the potential to allow someone to see inside the network.

However, the rewards for sharing bandwidth are enormous: multiple ISPs mean allowing TCP/IP to do its job, routing traffic to avoid disasters like DOS attacks, hurricanes, and nuclear bombs. The ISPs and other bandwidth partners know they have an interest in helping to protect your network. The technical risks can be mitigated simply by routing and tunneling.

Is the above realistic? Nope. Not in a corporate environment, anyway. I'd be really surprised if anyone outside academia or pure ISP does shared trunking anymore.

But it can also happen at the leaf nodes: you and your neighbors share cable broadband and DSL connections, routing through wifi. That violates most subscriber agreements, but it's the way the protocols were designed to work. Your network should never be down.

Never.

Re:Implementation Failure

[99BottlesOfBeerInMyF]

That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.

This is a DDoS attack. The first "D" stands for "Distributed." When you have thousands of remote machines located in different places sending traffic to your network, preventing an outage relies upon being able to figure out which traffic is legitimate and which is illegitimate, and then filter the illegitimate. Having more diverse pipes does not really make a huge difference. Either legitimate and illegitimate traffic can come in over a pipe or they can't. If it can, the attack is blocking things. If it can't you just DoS'd yourself.

The real trick here is the availability of clean or protected access from ISPs with the capability of detecting illegitimate traffic and filtering it, without stopping legitimate traffic. Many ISPs have this capability to one degree or another and a few have formally brought it to market as a differentiator for their service. I'm guessing the big ISPs in Estonia might be a bit behind in that regard, and are thus working with more capable peers to try and filter the attack further away in the cloud.

Re:Implementation Failure

Did you check some facts?

Estonia: population 1,324,333 (less than 1,5 mio.) http://en.wikipedia.org/wiki/Estonia

I would like to see some municipalities in USA of the size of Estonia to withstanding such cyber-attack.

Do you realize that the number of adult inhabitants in Estonia is less than a number of employees at the biggest employer of USA? (http://www.usatoday.com/money/industries/retail/2 003-11-10-walmart_x.htm)
Estonia is like New Hampshire or Maine or Idaho population wise. And than cyber-attacks are lounched from IPs of Russia government institutions.

Russia once again showed who they are.

And by the way: those Soviet soldiers buried near "Bronze soldier" ware killed 3 days after Nazi army left Estonia during WWII. Hint needed? They were killed in fights with local Estonians who wanted reinstate independence. So no "liberators from Nazis" only occupation power.

The sad think EU depend so much on Russian gas and oil that little is done or said about all this.

Government-orchestrated and encouraged

[mi]

Decent well-connected countries would not engage in this sort of things. Russia — busily turning itself back into an Evil Empire — denies "officially" organizing the attacks...

Whether it did officialy organize them, or not is irrelevant — so many things in the country happen unofficially (including the unofficial salaries — in dollars — paid to top government bureaucrats to keep them from leaving for the private sector), that the government's claims may even be nominally truthful this time.

What is important is the government's official reaction. For example, a Russian health official is on record concerning the health hazards of the Estonian sprats. Those who follow the region would recognize the tactics already applied against Georgia's major exports. Georgia's most excellent wines are now called "alcohol-containing liquids" in Russia and their import is banned "on health grounds".

Sprats are safe for now — unlike Georgia, Estonia is an EU (and NATO) member. But Russia — in sore need of something glorious in its sorry past (we liberated Estonia, not reconquered it, you see) — is still enraged. In a decent country such rage wouldn't be enough to break law and order, but Russia is another story. There is no doubt, the cyber-attacks against Estonia used Russian governmental resources, including hardware and human ones — these will most certainly not be prosecuted.

Re:Government-orchestrated and encouraged

[Cyberax]

BTW, Russia's past is indeed glorious. Let's see:
1) USSR won in WWII (destroying 80% of German military manpower).
2) USSR was the first country to launch a satellite.
3) USSR was the first country to launch a man into space.
etc.

It's Estonia that is like a small dog barking at a great elephant.

Re:Government-orchestrated and encouraged

[antv]

Well, your big mistake is assuming this sort of thing is somehow centrally organized.
Remember an incident with US spy plane and Chinese fighter jet ?
It resulted into a hacking contest between US and China without any "official" guidance.

In case of Estonia an asshole named Anders (Estonian leader - my sincerest apologies to all other assholes for the comparison) referred to buried WWII veterans as "marauders" on public TV, before trying to move the statue. Quite obviously, people got pissed off. Some teenagers wrote graffiti on the streets in Tallin, others threw eggs onto police cars. The more nerdy ones arranged DDOS attacks. Blaming this on Russian government is is kinda like like saying that Tony Blair is responsible for soccer fans fighting each other.

The only real question here is why the hell Estonian government doesn't have a dedicated network outside of Internet.

Re:Government-orchestrated and encouraged

[Vo1t]

Of course Poland exports meat to Western Countries. It's a bit weird though, that neither German nor French authorities find Polish meat bad. It is only Russian that see something inappriopriate in Polish meat.

The reason why detailed audit was refused, is because all exporting farms have EU quality certificates. Russia accepts EU certified meat from other countries, but forbids Polish meat even though it complies to the same quality standards. Such behavior smells of politics.

Russia - cybercrime capital of the world

I'm seeing a shitload of spam and SSH scanning from Russia. There's also stuff like the excellent Nginx web server, no reason to doubt the authors motives but at what point would he cave to mafia threats and insert a back door?

The situation in Russia isn't helped by the fact that the mafia are basically the state (Putins FSB). Europe will eventually rely on these villains for natural gas, what can the west do about the situation before it's too late?

Re:Russia - cybercrime capital of the world

[99BottlesOfBeerInMyF]

Russia - cybercrime capital of the world

According to the site mentioned in the article, Russia comes in at #17 in the attacks by country breakdown at the bottom of the page. It covers scanning, fingerprinted attacks, and DDoS attacks (no spam). The number 1 country is the good 'ole USA. We're #1! We're #1!

mod parent down

Only thing is, the image would be corrupted forcing an infection on your machine...

Sure dude... So on, say, Linux, you'd have to exploit supposedly a buffer overflow to gain local access *then* you'd need to exploit a local root exploit to gain root privileges. Multiply this by the number of Linux distros out there and the number of different IM clients and suddenly your pet theory falls flat. Or maybe you were talking about rooting Vista boxes? Cancel or Allow?

You've posted links to this lame "infiltrated" website several times... This website is full of random babbling and misinformation, all the "exploits" look exactly like: "type sudo root apt-get install trojan" or "type sudo root rpm -Uvh trojan.rpm". See the flaw?

You predicted a major Un*x worm coming in the next 9 months... As a regular Un*x user bragging about your OS of choice using "uname -a", you really should know better about how Un*x OSes are working.

Your "tripwire on steroids" is plain laughable... But you mentionning Tripwire raise an interesting question: should people run your "Proof of Concept" [sic] backdoor using "sudo root" (how else could you execute root commands on a system you plan to attack? Wait, even without needing root, how do you plan to run your "Proof of Concept" backdoor on someone's computer?), how would you defeat people unmounting the drive and scanning it from a known clean system running an integrity tool like Tripwire?

Methinks you *pretend* to know something about security but you're actually just at the very beginning of your long journey (your MD5 + SHA1 + ... checksum for your "poor man tripwire" is pathetic).

It is really completely dumb to pretend to have a "Proof of Concept" backdoor for Un*x systems that needs to be installed doing "sudo root something".

I've got here at home one Debian etch (custom-compiled kernel), one old Fedora Core 4... And one OpenBSD box. Care to explain how from here to nine months those Un*x machines will get infected by a major Un*x worm/trojan/plague whatever?

For either you explain it or you accept you, and your website, are full of sh*t.

To moderators: that guy has been modded as troll previously, he doesn't know jack, put him in your "-1" list.

that's the biggest problem with this warfare

[circletimessquare]

say you had two countries simmering over some stupid feud: land or machismo or even a soccer game. in such a situation, any cross border incursions or launched missiles can get back to a matter of accountabilty: what comes from your territory is your responsibility, and the fact that something came from your territory or not is pretty straightforward. the side where the incursions came from can even make excuses, but the other side can still say: "look, these guys came from your territory. clean it up yourself or we'll clean it up for you." that provides some straightforward safeguards right there

however, things are too nebulous on the web. no accountability. the russians that attacked estonia can not be found by russia and suppressed easily, because no one knows who they are. well, obviously there can be some intelligent detective work done (who purchased the botnets for rent, for example), but my point is, any group of teenage assholes can do this sort of thing, from any botnet in the world, and so it renders obvious lines of accountability all nebulous and unresolved

and so it is sort of like terrorism, in that there is no one easy and big to blame. no state or governmental entity. it's vague and undefined. and in the end, therefore, these sorts of wars/ crimes are really the defining characteristic of conflicts in the 21st century. for the most part, wars of nation against nation and obvious straightforward battlefields seem to be a dead era. today's conflicts are all about shadowy organizations ready to do nefarious things in the name of nebulous agendas, and finding and stopping who or what or how is simply a task without any clear goals or clear yardsticks of progress

some people would use this fact to say that therefore there is no war or conflict at all, that say, the "war on terrorism" isn't real. no, wrong. the threat is still very real. something like 9/11 is not a phantasm of a neocon's imagination

it's just that the enemy is opaque and made of fog. but because the enemy is hard to pin down, does not mean there isn't nefarious intent out there you need to protect yourself from. yes, that vagueness can be used to amp up fear and provoke overreaction. but, in a way, doing nothing is still worse than overreaction (unless overreaction consists of taking the war to targets that should not be targets)

we live in a difficult era folks. do nothing, you're damned. do something, you can be damned worse. you need to be clever and constant and precise in your efforts, and you'll still screw up and get blowback anyways, and you must still soldier on nonplussed nonetheless, against cyberenemies, against terrorism, with no real yardstick of progress, with no real verification of success or failure, with nothing but the fog for miles and for years, and then a plane in a skyscraper, or a bomb in a disco, or a flood of emails, or a DoS for seemingly no rhyme or reason... and then gone again like a fart in the wind, until the next mass murder. it's psychologically debilitating, and yet constitution and fortitude are your best character qualities needed in order to beat back these shadowy enemies

Re:that's the biggest problem with this warfare

[alexgieg]

William Lind, a scholar on the subject of this new style of war, which he calls "4th Generation of Modern Warfare" (to distinguish it from the other 3 common types of military organization: organized battlefield; top-down order-based hierarchic army; and blitzkrieg) as a shortcut for something that is fast-paced, non-centralized, stateless, guerrilla-based, multi-polar and simultaneously global, international and local, says that the best way for one to defend himself from it is by doing two things:

a) Focus inwardly, trying to be on the smallest possible number of 4GW organization target lists. The less people hate you, the better you are;

b) Focus locally, building your defensive strategy on fast deployed forces stationed where they act and, if possible, made up of residents of the area, as well as lowering the dependency each area has on resources deployed from too much away. The more centralized and distant and your military force is, the weaker you are. The more dependent you are on goods and services coming from other cities, states and countries, the weaker you are. (Note that this isn't the same as neglecting a strong and big army. It's more of the way said army is built.)

USA fails on both aspects. It fails "a" miserably by making its presence felt all over the world, thus entering the list of almost everyone. And it fails "b" by encouraging a false sense of security on its population, when it should be making local militias and weapon usage proficiency as much widespread as possible, as well as by having an absolute, complete, all-embracing dependency on foreign natural resources, goods, services and work.

On a 4GW world, this is a recipe for disaster.

Government-orchestrated? Please

[saikou]

Given how "well" Russian Government organizes things it'd be an utter failure. Please remember, there are many people and groups in the whole world that are quite capable of doing it by themselves. What, do you think the government has nothing else to do than to issue covert demands for every dial-up user to ping particular Estonian servers?
Estonia (and some mass media) simply find it useful to blame everything on Russian government now. Russian companies refuse to buy their products because customers stopped buying them? Blame Kremlin. If a giant meteor were to strike the capital right now, there'd be a couple of experts saying that "Nobody can prove it wasn't a covert Kremlin operation".

Of course you also have to think about it from the other point of view. If there was a symbol for all US soldiers that died in combat, that marked their graves in another country, and that country would then decided to just move it somewhere else, because they want to put a highway on top of that last resting place... Would Americans grin and bear it? No? Loud screams from politicians asking for sanctions? Regular people doing everything they can to protest it? Net bot herders making statement and then bragging about "squashing the embassy N servers" between themselves?
Would the US government have to encourage people to do it?

Now tell me, what's the difference?

I would think the more important thing would be Pentagon's readiness to bomb the source of cyberattacks, which means that a group of bot herders can decide which country Pentagon will be bombing next.

Re:Government-orchestrated? Please

[phayes]

If there was a symbol for all US soldiers that died in combat, that marked their graves in another country, and that country would then decided to just move it somewhere else, because they want to put a highway on top of that last resting place... Would Americans grin and bear it?

No, they would pay for the repatriation of the bodies so that they could be buried on US soil just as they have been doing for the past 40 years in VietNam/Cambodia/Laos. If The country where they died is willing to keep the war graves & family in the USA do not want to repatriate them, the USA pays for part of the upkeep of the cemetery as they have been doing for the last 90 years for WWI & WWII war graves in western Europe. When, as has occured in a number of instances here in France, some graves need to be deplaced (A few of the WWI war graves were small & in inconvenient spots -- the remains were moved to a larger war cemetery or once again repatriated), the US has helped pay.

Contrast that with your reaction to the deplacement of a Russian war hero statue that Russia installed in a foreign countries heart. Russia's reaction is one of revanchism where you want to reconquer the "lost" territories much like France did from 1870-1918.

Re:Internet Death Sentence

[99BottlesOfBeerInMyF]

Frankly, because of stuff like this, we need to be prepared to use a variation of the old Internet Death Sentence. Hostile nations could be removed from the routing tables (i.e. we don't route traffic to or from them). With international cooperation attacks like this *could* be stopped dead in their tracks, with the side benefit that the offending nation would have a high priority desire to clean up the attacks.

I don't think that stopping routing from a country would make much practical difference. There are millions of vulnerable and already compromised Windows boxes scattered across the world. You can rent time on them from a Web interface. A big part of the usefulness of DDoS attacks is it is easy to make it impossible to attach them to an individual or country since the actual traffic comes from all countries. Most of the compromised machines known to be attacking as part of a botnet are within the US.

Botnet?

[Maxo-Texas]

A trivial threat compared to posting the major web addresses on Slashdot.

well yeah

[circletimessquare]

not having responsibility for what goes on inside your borders is not an acceptable state of affairs. because neighbors will begin to get angry about it because of the rats and vermin making incursions from your lands, and then they will go in and clean things up themselves, and this of course is an escalation. that's why being responsible for what goes on inside your borders is the most imperative thing for a country to have. if they don't have it, there is only war and misery to be had with everyone who lives on the borders of such countries as assholes capitalize on the anarchy to further their mayhem