Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Real Impact of the Estonian Cyberattack

Posted by Zonk on from the mad-world-it's-a-mad-world dept.

An anonymous reader writes "News.com offers up an interview with Arbor Networks' senior security researcher Jose Nazario. He takes stock of the denial-of-service attack against the Baltic nation of Estonia, and considers the somewhat disturbing wider implications from the event. 'You look around the globe, and there's basically no limit to the amount of skirmishes between well-connected countries that could get incredibly emotional for the population at large. In this case, it has disrupted the Estonian government's ability to work online, it has disrupted a lot of its resources and attention. In that respect, it's been effective. It hasn't brought the government to a crippling halt, but has essentially been effective as a protest tool. People will probably look at this and say, That works. I think we're going to continue to do this kind of thing. Depending on the target within the government, it could be very visible, or it could not be very visible.'"

17 of 172 comments (clear)

  1. How insightful! by Cutie+Pi · · Score: 5, Funny

    Depending on the target within the government, it could be very visible, or it could not be very visible.

    Yep, that pretty much sums up the possible outcomes.

    1. Re:How insightful! by iONiUM · · Score: 3, Funny

      hey HEY! I was thinking there could be a third option, translucently visible, or like visible only on the 3rd moon of the 18th month of the 22nd year after the year of the tortoise.. this narrowed it down a lot.

    2. Re:How insightful! by rs232 · · Score: 4, Interesting

      Yep, that pretty much sums up the possible outcomes

      Would this distributed DOS attack be possible without a vast army of compromised desktops being used as part of a botnet. Is it tecnnically possible to design against such attacks, or at least make it more difficult to compromise the desktops and route the rogue traffic. After all the Internet is supposed to be designed to be resistant to a nuclear attack. (I know Vint Cerf remembers it different)

      --
      davecb5620@gmail.com
  2. Multicast theories by packetmon · · Score: 4, Interesting

    You know... I thought about the possibility of a Multicast worm/attack ... Just haven't had time to document it... Would work similar to the following... For those who use IM clients that have annoying streaming advertisements... If you didn't know, those are multicasted to your machine... My theory was to re-inject packets at the router level (avoiding Reverse Path Forwarding when possible) to make your machine believe my spoofed host is a valid source to get your images from... Only thing is, the image would be corrupted forcing an infection on your machine... This would in turn replicate via broadcast from the infected hosts... It was a theory of mine while studying DoS attacks for the CCIE security exam and a lot of variables would have to be met... Anyhow, the reason for this post is, I believe those committing DoS attacks are halfclued as to what a real attack could potentially do... For instance Border Router Attack Tool is another theoretical tool to break BGP neighboring. You of course have to know enough about a topology to even get it to work but under a unified stream, you could cause massive route flaps which lead to neighbors disconnecting. Its only a matter of time before someone takes it to the extreme and breaks connectivity between huge AS'

    --
    Infiltrated dot Net
    1. Re:Multicast theories by zappepcs · · Score: 5, Interesting

      While I'm not sure your idea would work or not, I do know that there are many ways to compromise the nice-play Internet that we all think it is. Some of them are being used right now and we just haven't figured it out yet. DDoS is but one of those ways and might be *ONLY* a distraction while surreptitious malware or spyware is installed in government facilities. This in fact could be a test of the new Chinese cyber-warfare units in order to demonstrate what they are capable of...

      Just a thought from the 'stay in your happy place group' (TM)

      --
      Support NYCountryLawyer RIAA vs People
  3. no reason to get overly complicated by JeanBaptiste · · Score: 4, Interesting

    just do this

  4. Re:Backbone QOS? by packetmon · · Score: 4, Insightful

    What would QoS do at this level except overwhelm your processor? Unicast Reverse Path Forwarding would be the better solution nowadays. Cat 6500 info... If networks were built correctly from the ground up, these attacks wouldn't even happen as much. If three networks were connected and all had uRPF or filtering in place, no three networks would be able to spoof addresses and cause attacks. They'd be forced to attack using a valid address on their network which would make tracking easier...

    --
    Infiltrated dot Net
  5. Possible Outcomes by Nymz · · Score: 3, Insightful

    Unless some magical solution presents itself, then cyber-warfare will most likely continue. The difference will be in how we respond. Should starting up your own cyber-attacks be an acceptable form of retaliation? or will more cyber-attacks only lead us down the path to a conventional-attack?

    1. Re:Possible Outcomes by cosinezero · · Score: 3, Insightful

      If impact is merely economic - how then does it differ from other games countries play to crush economic interests? I mean, where you see "Denial of Service", I see "Sanctions" and wonder, in the grand scheme of things, what's the difference?

    2. Re:Possible Outcomes by DerekLyons · · Score: 3, Insightful

      The key difference is that sanctions and traditional methods are (generally) open and aboveboard - you know who is doing what to who, as it is announced widely beforehand and very visible in operation. DoS attacks however, are none of these things. In addition, while Country X may impose various forms of sanctions/tariffs/etc... on Country Y - that does not effect (directly) either the internal operation of Country Y, or it's intercourse with Country Z. DoS atacks can, and do - as well as have an immediate and direct impact on individuals.

  6. Government-orchestrated and encouraged by mi · · Score: 4, Interesting

    Decent well-connected countries would not engage in this sort of things. Russia — busily turning itself back into an Evil Empire — denies "officially" organizing the attacks...

    Whether it did officialy organize them, or not is irrelevant — so many things in the country happen unofficially (including the unofficial salaries — in dollars — paid to top government bureaucrats to keep them from leaving for the private sector), that the government's claims may even be nominally truthful this time.

    What is important is the government's official reaction. For example, a Russian health official is on record concerning the health hazards of the Estonian sprats. Those who follow the region would recognize the tactics already applied against Georgia's major exports. Georgia's most excellent wines are now called "alcohol-containing liquids" in Russia and their import is banned "on health grounds".

    Sprats are safe for now — unlike Georgia, Estonia is an EU (and NATO) member. But Russia — in sore need of something glorious in its sorry past (we liberated Estonia, not reconquered it, you see) — is still enraged. In a decent country such rage wouldn't be enough to break law and order, but Russia is another story. There is no doubt, the cyber-attacks against Estonia used Russian governmental resources, including hardware and human ones — these will most certainly not be prosecuted.

    --
    In Soviet Washington the swamp drains you.
  7. mod parent down by Anonymous Coward · · Score: 3, Interesting

    Only thing is, the image would be corrupted forcing an infection on your machine...

    Sure dude... So on, say, Linux, you'd have to exploit supposedly a buffer overflow to gain local access *then* you'd need to exploit a local root exploit to gain root privileges. Multiply this by the number of Linux distros out there and the number of different IM clients and suddenly your pet theory falls flat. Or maybe you were talking about rooting Vista boxes? Cancel or Allow?

    You've posted links to this lame "infiltrated" website several times... This website is full of random babbling and misinformation, all the "exploits" look exactly like: "type sudo root apt-get install trojan" or "type sudo root rpm -Uvh trojan.rpm". See the flaw?

    You predicted a major Un*x worm coming in the next 9 months... As a regular Un*x user bragging about your OS of choice using "uname -a", you really should know better about how Un*x OSes are working.

    Your "tripwire on steroids" is plain laughable... But you mentionning Tripwire raise an interesting question: should people run your "Proof of Concept" [sic] backdoor using "sudo root" (how else could you execute root commands on a system you plan to attack? Wait, even without needing root, how do you plan to run your "Proof of Concept" backdoor on someone's computer?), how would you defeat people unmounting the drive and scanning it from a known clean system running an integrity tool like Tripwire?

    Methinks you *pretend* to know something about security but you're actually just at the very beginning of your long journey (your MD5 + SHA1 + ... checksum for your "poor man tripwire" is pathetic).

    It is really completely dumb to pretend to have a "Proof of Concept" backdoor for Un*x systems that needs to be installed doing "sudo root something".

    I've got here at home one Debian etch (custom-compiled kernel), one old Fedora Core 4... And one OpenBSD box. Care to explain how from here to nine months those Un*x machines will get infected by a major Un*x worm/trojan/plague whatever?

    For either you explain it or you accept you, and your website, are full of sh*t.

    To moderators: that guy has been modded as troll previously, he doesn't know jack, put him in your "-1" list.

  8. that's the biggest problem with this warfare by circletimessquare · · Score: 3, Insightful

    say you had two countries simmering over some stupid feud: land or machismo or even a soccer game. in such a situation, any cross border incursions or launched missiles can get back to a matter of accountabilty: what comes from your territory is your responsibility, and the fact that something came from your territory or not is pretty straightforward. the side where the incursions came from can even make excuses, but the other side can still say: "look, these guys came from your territory. clean it up yourself or we'll clean it up for you." that provides some straightforward safeguards right there

    however, things are too nebulous on the web. no accountability. the russians that attacked estonia can not be found by russia and suppressed easily, because no one knows who they are. well, obviously there can be some intelligent detective work done (who purchased the botnets for rent, for example), but my point is, any group of teenage assholes can do this sort of thing, from any botnet in the world, and so it renders obvious lines of accountability all nebulous and unresolved

    and so it is sort of like terrorism, in that there is no one easy and big to blame. no state or governmental entity. it's vague and undefined. and in the end, therefore, these sorts of wars/ crimes are really the defining characteristic of conflicts in the 21st century. for the most part, wars of nation against nation and obvious straightforward battlefields seem to be a dead era. today's conflicts are all about shadowy organizations ready to do nefarious things in the name of nebulous agendas, and finding and stopping who or what or how is simply a task without any clear goals or clear yardsticks of progress

    some people would use this fact to say that therefore there is no war or conflict at all, that say, the "war on terrorism" isn't real. no, wrong. the threat is still very real. something like 9/11 is not a phantasm of a neocon's imagination

    it's just that the enemy is opaque and made of fog. but because the enemy is hard to pin down, does not mean there isn't nefarious intent out there you need to protect yourself from. yes, that vagueness can be used to amp up fear and provoke overreaction. but, in a way, doing nothing is still worse than overreaction (unless overreaction consists of taking the war to targets that should not be targets)

    we live in a difficult era folks. do nothing, you're damned. do something, you can be damned worse. you need to be clever and constant and precise in your efforts, and you'll still screw up and get blowback anyways, and you must still soldier on nonplussed nonetheless, against cyberenemies, against terrorism, with no real yardstick of progress, with no real verification of success or failure, with nothing but the fog for miles and for years, and then a plane in a skyscraper, or a bomb in a disco, or a flood of emails, or a DoS for seemingly no rhyme or reason... and then gone again like a fart in the wind, until the next mass murder. it's psychologically debilitating, and yet constitution and fortitude are your best character qualities needed in order to beat back these shadowy enemies

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:that's the biggest problem with this warfare by alexgieg · · Score: 3, Interesting

      William Lind, a scholar on the subject of this new style of war, which he calls "4th Generation of Modern Warfare" (to distinguish it from the other 3 common types of military organization: organized battlefield; top-down order-based hierarchic army; and blitzkrieg) as a shortcut for something that is fast-paced, non-centralized, stateless, guerrilla-based, multi-polar and simultaneously global, international and local, says that the best way for one to defend himself from it is by doing two things:

      a) Focus inwardly, trying to be on the smallest possible number of 4GW organization target lists. The less people hate you, the better you are;

      b) Focus locally, building your defensive strategy on fast deployed forces stationed where they act and, if possible, made up of residents of the area, as well as lowering the dependency each area has on resources deployed from too much away. The more centralized and distant and your military force is, the weaker you are. The more dependent you are on goods and services coming from other cities, states and countries, the weaker you are. (Note that this isn't the same as neglecting a strong and big army. It's more of the way said army is built.)

      USA fails on both aspects. It fails "a" miserably by making its presence felt all over the world, thus entering the list of almost everyone. And it fails "b" by encouraging a false sense of security on its population, when it should be making local militias and weapon usage proficiency as much widespread as possible, as well as by having an absolute, complete, all-embracing dependency on foreign natural resources, goods, services and work.

      On a 4GW world, this is a recipe for disaster.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
  9. Re:Implementation Failure by 99BottlesOfBeerInMyF · · Score: 3, Informative

    That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.

    This is a DDoS attack. The first "D" stands for "Distributed." When you have thousands of remote machines located in different places sending traffic to your network, preventing an outage relies upon being able to figure out which traffic is legitimate and which is illegitimate, and then filter the illegitimate. Having more diverse pipes does not really make a huge difference. Either legitimate and illegitimate traffic can come in over a pipe or they can't. If it can, the attack is blocking things. If it can't you just DoS'd yourself.

    The real trick here is the availability of clean or protected access from ISPs with the capability of detecting illegitimate traffic and filtering it, without stopping legitimate traffic. Many ISPs have this capability to one degree or another and a few have formally brought it to market as a differentiator for their service. I'm guessing the big ISPs in Estonia might be a bit behind in that regard, and are thus working with more capable peers to try and filter the attack further away in the cloud.

  10. Re:Implementation Failure by Anonymous Coward · · Score: 3, Informative

    Did you check some facts?

    Estonia: population 1,324,333 (less than 1,5 mio.) http://en.wikipedia.org/wiki/Estonia

    I would like to see some municipalities in USA of the size of Estonia to withstanding such cyber-attack.

    Do you realize that the number of adult inhabitants in Estonia is less than a number of employees at the biggest employer of USA? (http://www.usatoday.com/money/industries/retail/2 003-11-10-walmart_x.htm)
    Estonia is like New Hampshire or Maine or Idaho population wise. And than cyber-attacks are lounched from IPs of Russia government institutions.

    Russia once again showed who they are.

    And by the way: those Soviet soldiers buried near "Bronze soldier" ware killed 3 days after Nazi army left Estonia during WWII. Hint needed? They were killed in fights with local Estonians who wanted reinstate independence. So no "liberators from Nazis" only occupation power.

    The sad think EU depend so much on Russian gas and oil that little is done or said about all this.

  11. Re:Russia - cybercrime capital of the world by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    Russia - cybercrime capital of the world

    According to the site mentioned in the article, Russia comes in at #17 in the attacks by country breakdown at the bottom of the page. It covers scanning, fingerprinted attacks, and DDoS attacks (no spam). The number 1 country is the good 'ole USA. We're #1! We're #1!