North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Slate Podcast on Estonian DOS atatck

  • From: Merike Kaeo
  • Date: Thu May 24 13:06:51 2007


First of it's kind that it targeted a country.


As far as technical details I'm pulling something together for nsp- sec BoF at NANOG. I saw the spike
to 4m pps on their management station......so no 'claims' there. And yeah, OK, will need qualification.
Basically that was seen by Estonian ISPs as traffic coming in.........technically there wasn't much difference
to what people see today but the large scale coordination is unusual. Or maybe not since it's small country :)


As far as the important sites being down for a short time.....that was because the mitigation techniques had been
well thought out and they were prepared. And a LOT of money was spent to add equipment and enforce
mitigation in the week before the worst was expected. There was a lot of pro-active activity which I do find
to be unusual. Noone wants to spend money on security (said very tongue-in-cheek).......


I'll include answers to your last questions in my preso.......

- merike


As far as technical
On May 24, 2007, at 9:35 AM, <[email protected]> <[email protected]> wrote:



It is an unusual
situation...or at least the first of its kind.

Leaving aside the alleged political involvement of some government or
other, this is far from true. Back in the days, when DOS attacks were
delivered to mailboxes and USENET and IRC were the main tool of
coordinating attacks, this was commonplace. A victim was identified,
postings were made to newsgroups and IRC channels, and at the appointed
time, the attack begins.


What is fundamentally different here?

Using web forums and IM instead of USENET/IRC is not fundamentally
different.
Using botnets to amplify the attack, is different from the mailbombing
of the past, however, the botnets are often used in DDoS attacks, so I
don't think we can consider this fundamentally different.

What about the attackers? Is there something about Russians that would
explain this? Yes, I think so. Over the past 20 years, economic and
social problems have hit Russia hard and the people that lived through
this time learned how to cooperate effectively and how to change tactics
on short notice. At the same time, the Russian education system produces
people who are very good at technical subjects, like networks,
programming, etc. This has combined to create various criminal groups
who can make a good living from net abuse by building and renting
botnets or selling various spamming services or just plain phishing. The
Russian mob does have a big market share of botnet C&C(Command and
Control).


IMHO, this is not about Estonia and this is not about the Russian
government or military or intelligence agencies. This is all about free
enterprise thinking which is more deeply embedded in Russia than in most
of the developed world. Generally, these Russian hackers apply their
skills to earning money or attacking each other, but Estonia
accidentally raised the hackles of these people and they all pointed
their firehoses in unison. It could have been any other country which
does something that offends the sensibilities of ordinary Russians.


On the other hand, if this attack had been directed at the USA, it would
have had far less effect. The USA has its economic and government
infrastructure scattered across many cities with lots of network
capacity between. The target for the firehose is more diffuse and
therefore harder to hit. Estonia is a little country with all its eggs
in one basket in one city.


It was an interesting coincidence that one of the more vulnerable
countries just happened to get a large number of criminal hacker gangs
upset enough to turn from earning money to attack them. Perhaps they
haven't heard that people who live in glass houses shouldn't throw
stones.

There has been a lot of hyperbole over these incidents and little
factual information. Some people want to point the finger of blame, but
with botnets and diffuse C&C out there, this is not something that can
be easily or quickly confirmed. If it was so easy, then we would have
put the botnet operators out of business long ago. It's nice to hear
that the Estonian CERT was prepared to respond to an attack and it's
nice to hear that a lot of people helped mitigate the attack. But there
is nothing new in that. There are a lot of accusations about attacks
coming from a certain list of countries or from certain specific
computers of certain government officials, but these sound like typical
tabloid journalism explanations of any botnet-based DDoS. People say
this was a BIG deal but then we hear that sites were down for only an
hour. The Northeast blackout was a big deal, Katrina was a big deal, but
a few hours of outage for a few data centres in one city doesn't seem to
me like a big deal.


A claim was made that 4 million packets per second were sent. I would
like to hear more about this. How was it measured? Is this an aggregate
or was this directed at the largest victim? Was it ingress into the
network or packets delivered on the site's CPE router? How does this
compare to other DDoS incidents. And, most importantly, does it indicate
a growth in total DDoS capability (a bigger firehose than before) or was
it simply the usual stuff all sent to the same victim at the same time,
for a change.


What can network operators learn from this? Do we need to beef up
technical measures or will a well-run network already be prepared to
mitigate this kind of thing? Is there some fundamental technical aspect
of this attack that was different from the past? Did the mitigation of
the attack do something fundamentally different from the past?


--Michael Dillon