The Real Impact of the Estonian Cyberattack

An anonymous reader writes "News.com offers up an interview with Arbor Networks' senior security researcher Jose Nazario. He takes stock of the denial-of-service attack against the Baltic nation of Estonia, and considers the somewhat disturbing wider implications from the event. 'You look around the globe, and there's basically no limit to the amount of skirmishes between well-connected countries that could get incredibly emotional for the population at large. In this case, it has disrupted the Estonian government's ability to work online, it has disrupted a lot of its resources and attention. In that respect, it's been effective. It hasn't brought the government to a crippling halt, but has essentially been effective as a protest tool. People will probably look at this and say, That works. I think we're going to continue to do this kind of thing. Depending on the target within the government, it could be very visible, or it could not be very visible.'"

How insightful!

[Cutie Pi (588366)]

Depending on the target within the government, it could be very visible, or it could not be very visible.

Yep, that pretty much sums up the possible outcomes.

Re:How insightful!

[iONiUM (530420)]

hey HEY! I was thinking there could be a third option, translucently visible, or like visible only on the 3rd moon of the 18th month of the 22nd year after the year of the tortoise.. this narrowed it down a lot.

Re:

[TapeCutter (624760)]

Come on, there are an infinite number of ways to hold your tounge and squint.

Re:

[by Anonymous Coward]

Come on, there are an infinite number of ways to hold your tounge and squint.

On the other hand, there are not an infinite number of ways to spell "tongue".

Re:

[HiggsBison (678319)]

Come on, there are an infinite number of ways to hold your tounge and squint.

On the other hand, there are not an infinite number of ways to spell "tongue".

Yes, but 'e was clearly spelling "tounge", then, wasn't 'e?

Praline: The cat detector van from the Ministry of Housinge.
Man: Housinge???
Praline: Yes, it was spelt that way on the van. I'm very observant.

Possible Outcomes

[Nymz (905908)]

Unless some magical solution presents itself, then cyber-warfare will most likely continue. The difference will be in how we respond. Should starting up your own cyber-attacks be an acceptable form of retaliation? or will more cyber-attacks only lead us down the path to a conventional-attack?

Re:Possible Outcomes

[cosinezero (833532)]

If impact is merely economic - how then does it differ from other games countries play to crush economic interests? I mean, where you see "Denial of Service", I see "Sanctions" and wonder, in the grand scheme of things, what's the difference?

Re:Possible Outcomes

[DerekLyons (302214)]

The key difference is that sanctions and traditional methods are (generally) open and aboveboard - you know who is doing what to who, as it is announced widely beforehand and very visible in operation. DoS attacks however, are none of these things. In addition, while Country X may impose various forms of sanctions/tariffs/etc... on Country Y - that does not effect (directly) either the internal operation of Country Y, or it's intercourse with Country Z. DoS atacks can, and do - as well as have an immediate and direct impact on individuals.

Re:How insightful!

[rs232 (849320)]

Yep, that pretty much sums up the possible outcomes

Would this distributed DOS attack be possible without a vast army of compromised desktops being used as part of a botnet. Is it tecnnically possible to design against such attacks, or at least make it more difficult to compromise the desktops and route the rogue traffic. After all the Internet is supposed to be designed to be resistant to a nuclear attack. (I know Vint Cerf remembers it different)

Re:

[Vancorps (746090)]

It would be easier to defend against these attacks if companies would standardize on techniques. Cisco and HP are two examples I know of that offer different methods for defending DDoS attacks. Cisco has a number of methods not all of which are compatible with each-other. Perhaps more importantly, Cisco's methods almost always require Cisco products for them to work effectively. HP is a little better about standards these days but their methods are still rather solitary to their Procurve platform. Lately HP

Multicast theories

[packetmon (977047)]

You know... I thought about the possibility of a Multicast worm/attack [infiltrated.net] ... Just haven't had time to document it... Would work similar to the following... For those who use IM clients that have annoying streaming advertisements... If you didn't know, those are multicasted to your machine... My theory was to re-inject packets at the router level (avoiding Reverse Path Forwarding when possible) to make your machine believe my spoofed host is a valid source to get your images from... Only thing is, the image would be corrupted forcing an infection on your machine... This would in turn replicate via broadcast from the infected hosts... It was a theory of mine while studying DoS attacks for the CCIE security exam and a lot of variables would have to be met... Anyhow, the reason for this post is, I believe those committing DoS attacks are halfclued as to what a real attack could potentially do... For instance Border Router Attack Tool [infiltrated.net] is another theoretical tool to break BGP neighboring. You of course have to know enough about a topology to even get it to work but under a unified stream, you could cause massive route flaps which lead to neighbors disconnecting. Its only a matter of time before someone takes it to the extreme and breaks connectivity between huge AS'

no reason to get overly complicated

[JeanBaptiste (537955)]

just do this [icir.org]

Re:

[packetmon (977047)]

Again, it was a theoretical based study for security labs... Its possible but highly complicated and only a matter of time before someone throws something together to do that and worse

Re:Multicast theories

[zappepcs (820751)]

While I'm not sure your idea would work or not, I do know that there are many ways to compromise the nice-play Internet that we all think it is. Some of them are being used right now and we just haven't figured it out yet. DDoS is but one of those ways and might be *ONLY* a distraction while surreptitious malware or spyware is installed in government facilities. This in fact could be a test of the new Chinese cyber-warfare units in order to demonstrate what they are capable of...

Just a thought from the 'stay in your happy place group' (TM)

Re:

[AndersOSU (873247)]

I wouldn't be surprised at all if the DOD had just such a tactic in place.

I mean think about it, one of the things a party at war always tries to do is get the civilians of the opposite side reading "subversive" material. One of the first things we did with airplanes in war was pamphleting. We still attach pamphlets with aid drops. Would it be so strange to see the US send email to every Chinese address that looked like this [wikipedia.org]? How about a flood of anti-communist text messages? Doesn't seem very far fet

mod parent down

[by Anonymous Coward]

Only thing is, the image would be corrupted forcing an infection on your machine...

Sure dude... So on, say, Linux, you'd have to exploit supposedly a buffer overflow to gain local access *then* you'd need to exploit a local root exploit to gain root privileges. Multiply this by the number of Linux distros out there and the number of different IM clients and suddenly your pet theory falls flat. Or maybe you were talking about rooting Vista boxes? Cancel or Allow?

You've posted links to this lame "infiltra

Backbone QOS?

[dattaway (3088)]

Isn't the backbone capable of metering connections to an attacked country? I haven't noticed the providers to be politically spineless (except for AT&T) but can't they help a poor country out?

Re:Backbone QOS?

[packetmon (977047)]

What would QoS do at this level except overwhelm your processor? Unicast Reverse Path Forwarding [cisco.com] would be the better solution nowadays. Cat 6500 [cisco.com] info... If networks were built correctly from the ground up, these attacks wouldn't even happen as much. If three networks were connected and all had uRPF or filtering in place, no three networks would be able to spoof addresses and cause attacks. They'd be forced to attack using a valid address on their network which would make tracking easier...

Re:

[Vancorps (746090)]

Sorry, but you have an odd definition of reality. Whitehouse.gov was completely taken out by a DDoS some years ago when it was a huge issue. Now in the last year we've had massive DDoS attacks on the root DNS systems which naturally held up because these trunk level ip filters you seem to think are impossible to implement HAVE been implemented. So in short, the only one that doesn't think this can be implemented globally is you.

I'll refer you to AT&T "Clean pipes" initiative as an example of a multinat

Implementation Failure

[RealProgrammer (723725)]

That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.

Lots of companies have a root-and-branches approach to Internet connectivity, too, thinking that each site (or the whole corporate intranet) needs only one gateway to the outside. Put all your eggs in one basket, and watch the basket. For the family baked bean recipe confidentiality that's good, but for availability that's bad.

The "right" way to do it is to have multiple redundant shared trunks with neighbors. That word "shared" is scary to network administrators (or rather, to their pencil-pushing mentors). It means they'll have to carry outside traffic on their pipes (that's a metaphor, Senator), and that has risks: it costs money, and it has the potential to allow someone to see inside the network.

However, the rewards for sharing bandwidth are enormous: multiple ISPs mean allowing TCP/IP to do its job, routing traffic to avoid disasters like DOS attacks, hurricanes, and nuclear bombs. The ISPs and other bandwidth partners know they have an interest in helping to protect your network. The technical risks can be mitigated simply by routing and tunneling.

Is the above realistic? Nope. Not in a corporate environment, anyway. I'd be really surprised if anyone outside academia or pure ISP does shared trunking anymore.

But it can also happen at the leaf nodes: you and your neighbors share cable broadband and DSL connections, routing through wifi. That violates most subscriber agreements, but it's the way the protocols were designed to work. Your network should never be down.

Never.

Re:Implementation Failure

[99BottlesOfBeerInMyF (813746)]

That a whole country could be DOS'd is evidence of someone doing a bad network install. The network should never be down.

This is a DDoS attack. The first "D" stands for "Distributed." When you have thousands of remote machines located in different places sending traffic to your network, preventing an outage relies upon being able to figure out which traffic is legitimate and which is illegitimate, and then filter the illegitimate. Having more diverse pipes does not really make a huge difference. Either legitimate and illegitimate traffic can come in over a pipe or they can't. If it can, the attack is blocking things. If it can't you just DoS'd yourself.

The real trick here is the availability of clean or protected access from ISPs with the capability of detecting illegitimate traffic and filtering it, without stopping legitimate traffic. Many ISPs have this capability to one degree or another and a few have formally brought it to market as a differentiator for their service. I'm guessing the big ISPs in Estonia might be a bit behind in that regard, and are thus working with more capable peers to try and filter the attack further away in the cloud.

Thanks, Bottles.

[RealProgrammer (723725)]

The first "D" stands for "Distributed."

Thank you for your charity in not calling me stupid.

There is a huge difference between being totally shut down by a DDoS attack and being 90% shut down. If you are shut down, there is fear; if you are limping along, you become angry. In a fight, anger is better than fear.

Having multiple points of entry helps in the effort to stay up, no matter what the cause. The reason DDoS's work is that Internet connections are leveraged: a small number, usually one, address per r

Re:

[99BottlesOfBeerInMyF (813746)]

In effect, having multiple gateways changes the game from a many-on-one attack to a many-on-many attack, which makes it more likely that you will succeed at least in a limited way, which is the goal.

In the case mentioned here, it is government servers/services under attack. Regardless of how many different gateways lead to those servers and services, if the attackers use the same way of getting there as users, then either the attacks will get through or legitimate users won't. I do see where multiple gateways can be useful in two ways. One, if you have some vital service white-listed and of higher priority than anything else, you can blackhole all other traffic to keep it up and using a dedicated gat

Re:

[by Anonymous Coward]

Did you check some facts?

Estonia: population 1,324,333 (less than 1,5 mio.) http://en.wikipedia.org/wiki/Estonia [wikipedia.org]

I would like to see some municipalities in USA of the size of Estonia to withstanding such cyber-attack.

Do you realize that the number of adult inhabitants in Estonia is less than a number of employees at the biggest employer of USA? (http://www.usatoday.com/money/industries/retail/2 003-11-10-walmart_x.htm)
Estonia is like New Hampshire or Maine or Idaho population wise. And than cyber-attacks are

Government-orchestrated and encouraged

[mi (197448)]

Decent well-connected countries would not engage in this sort of things. Russia — busily turning itself back into an Evil Empire — denies "officially" organizing the attacks...

Whether it did officialy organize them, or not is irrelevant — so many things in the country happen unofficially (including the unofficial salaries — in dollars — paid to top government bureaucrats to keep them from leaving for the private sector), that the government's claims may even be nominally truthful this time.

What is important is the government's official reaction. For example, a Russian health official is on record concerning the health hazards of the Estonian sprats. Those who follow the region would recognize the tactics already applied against Georgia's major exports. Georgia's most excellent wines are now called "alcohol-containing liquids" in Russia and their import is banned "on health grounds".

Sprats are safe for now — unlike Georgia, Estonia is an EU (and NATO) member. But Russia — in sore need of something glorious in its sorry past (we liberated Estonia, not reconquered it, you see) — is still enraged. In a decent country such rage wouldn't be enough to break law and order, but Russia is another story. There is no doubt, the cyber-attacks against Estonia used Russian governmental resources, including hardware and human ones — these will most certainly not be prosecuted.

Re:

[Cyberax (705495)]

BTW, Russia's past is indeed glorious. Let's see:
1) USSR won in WWII (destroying 80% of German military manpower).
2) USSR was the first country to launch a satellite.
3) USSR was the first country to launch a man into space.
etc.

It's Estonia that is like a small dog barking at a great elephant.

Re:

[LWATCDR (28044)]

"1) USSR won in WWII (destroying 80% of German military manpower)."
After first helping train the German air force, and helping it invade Poland.
Lets not forget that the USSR received a lot of lend lease aid from the US. Thousands of aircraft and many many tons of other supplies where sent to the USSR from the US.
The USSR didn't win WWII. The allies won WWII. Of course it is nice to forget that Stalin was Hitler's friend right up till the time Hitler attacked Russia.

Estonia may be a small dog but it has big

Re:

[LWATCDR (28044)]

I think the most telling thing was that Hitler respected Stalin. I have heard that Hitler thought it was a shame that he would have to kill Stalin when he conquered Russia. He would have loved to have Stalin run it for him.

Re:

[shutdown -p now (807394)]

You forgot:

4) USSR was the first country to slaughter its own population by millions (yes, before Nazis started to implement their "Final Solution").

As for winning WWII, yeah that was quite a feat. Especially the part about replacing the Nazi totalitarian puppet regimes with Communist totalitarian puppet regimes throughout Eastern Europe. Way to establish good relations with your neighbours.

Re:

[Minwee (522556)]

The moon landing, of course, was only possible because the USA's German rocket scientists were almost as good as the USSR's German rocket scientists.

Re:

[shutdown -p now (807394)]

Indeed you are surrounded by enemies.

The saddest part to this is that the enemies are only those Russia made herself. It wasn't like that in the 90's, and, with the right choices, Russia could become a proper European country... but the imperial ambitions remaining from the Soviet days were too strong, and won the day.

Government-orchestrated? Please

[saikou (211301)]

Given how "well" Russian Government organizes things it'd be an utter failure. Please remember, there are many people and groups in the whole world that are quite capable of doing it by themselves. What, do you think the government has nothing else to do than to issue covert demands for every dial-up user to ping particular Estonian servers?
Estonia (and some mass media) simply find it useful to blame everything on Russian government now. Russian companies refuse to buy their products because customers stopp

Re:

[antv (1425)]

Well, your big mistake is assuming this sort of thing is somehow centrally organized.
Remember an incident with US spy plane and Chinese fighter jet [wikipedia.org] ?
It resulted into a hacking contest [bbc.co.uk] between US and China without any "official" guidance.

In case of Estonia an asshole named Anders (Estonian leader - my sincerest apologies to all other assholes for the comparison) referred to buried WWII veterans as "marauders" on public TV, before trying to move the statue. Quite obviously, people got pissed off. Some teenage

Re:

[shutdown -p now (807394)]

Why, exactly, is the parent modded "Informative"? There's not a single reference to back his claims, and googling mostly gives links to Russian sites - hardly unbiased.

Re:

[AndersOSU (873247)]

Ok, I know nothing about this particular drama, but less chemicals? Really, is that why Georgian wines are good? Compared to what exactly? The French, who can afford fungicides so their grapes don't rust on the vine?

Personally, I'd take the ppbs of residual chemical on the grape skin than the couple of percent of mildew infested grapes that get through in a country that doesn't use chemicals.

Russia - cybercrime capital of the world

[by Anonymous Coward]

I'm seeing a shitload of spam and SSH scanning from Russia. There's also stuff like the excellent Nginx web server, no reason to doubt the authors motives but at what point would he cave to mafia threats and insert a back door?

The situation in Russia isn't helped by the fact that the mafia are basically the state (Putins FSB). Europe will eventually rely on these villains for natural gas, what can the west do about the situation before it's too late?

Re:Russia - cybercrime capital of the world

[99BottlesOfBeerInMyF (813746)]

Russia - cybercrime capital of the world

According to the site [arbor.net] mentioned in the article, Russia comes in at #17 in the attacks by country breakdown at the bottom of the page. It covers scanning, fingerprinted attacks, and DDoS attacks (no spam). The number 1 country is the good 'ole USA. We're #1! We're #1!

Re:

[Quiet_Desperation (858215)]

what can the west do about the situation before it's too late?

Put the robber on their most productive hex, and surround them with roads?

Sorry. I was playing Catan on XBox Live, like, all weekend.

that's the biggest problem with this warfare

[circletimessquare (444983)]

say you had two countries simmering over some stupid feud: land or machismo or even a soccer game [marrder.com]. in such a situation, any cross border incursions or launched missiles can get back to a matter of accountabilty: what comes from your territory is your responsibility, and the fact that something came from your territory or not is pretty straightforward. the side where the incursions came from can even make excuses, but the other side can still say: "look, these guys came from your territory. clean it up yourself or we'll clean it up for you." that provides some straightforward safeguards right there

however, things are too nebulous on the web. no accountability. the russians that attacked estonia can not be found by russia and suppressed easily, because no one knows who they are. well, obviously there can be some intelligent detective work done (who purchased the botnets for rent, for example), but my point is, any group of teenage assholes can do this sort of thing, from any botnet in the world, and so it renders obvious lines of accountability all nebulous and unresolved

and so it is sort of like terrorism, in that there is no one easy and big to blame. no state or governmental entity. it's vague and undefined. and in the end, therefore, these sorts of wars/ crimes are really the defining characteristic of conflicts in the 21st century. for the most part, wars of nation against nation and obvious straightforward battlefields seem to be a dead era. today's conflicts are all about shadowy organizations ready to do nefarious things in the name of nebulous agendas, and finding and stopping who or what or how is simply a task without any clear goals or clear yardsticks of progress

some people would use this fact to say that therefore there is no war or conflict at all, that say, the "war on terrorism" isn't real. no, wrong. the threat is still very real. something like 9/11 is not a phantasm of a neocon's imagination

it's just that the enemy is opaque and made of fog. but because the enemy is hard to pin down, does not mean there isn't nefarious intent out there you need to protect yourself from. yes, that vagueness can be used to amp up fear and provoke overreaction. but, in a way, doing nothing is still worse than overreaction (unless overreaction consists of taking the war to targets that should not be targets)

we live in a difficult era folks. do nothing, you're damned. do something, you can be damned worse. you need to be clever and constant and precise in your efforts, and you'll still screw up and get blowback anyways, and you must still soldier on nonplussed nonetheless, against cyberenemies, against terrorism, with no real yardstick of progress, with no real verification of success or failure, with nothing but the fog for miles and for years, and then a plane in a skyscraper, or a bomb in a disco, or a flood of emails, or a DoS for seemingly no rhyme or reason... and then gone again like a fart in the wind, until the next mass murder. it's psychologically debilitating, and yet constitution and fortitude are your best character qualities needed in order to beat back these shadowy enemies

Re:

[vertinox (846076)]

what comes from your territory is your responsibility,

Seems well enough to work for the Lebanese government. Of course when you are at the brink of civil war... You really don't have control over what goes over your border.

well yeah

[circletimessquare (444983)]

not having responsibility for what goes on inside your borders is not an acceptable state of affairs. because neighbors will begin to get angry about it because of the rats and vermin making incursions from your lands, and then they will go in and clean things up themselves, and this of course is an escalation. that's why being responsible for what goes on inside your borders is the most imperative thing for a country to have. if they don't have it, there is only war and misery to be had with everyone who l

Re:that's the biggest problem with this warfare

[alexgieg (948359)]

William Lind [lewrockwell.com], a scholar on the subject of this new style of war, which he calls "4th Generation of Modern Warfare" (to distinguish it from the other 3 common types of military organization: organized battlefield; top-down order-based hierarchic army; and blitzkrieg) as a shortcut for something that is fast-paced, non-centralized, stateless, guerrilla-based, multi-polar and simultaneously global, international and local, says that the best way for one to defend himself from it is by doing two things:

a) Focus inwardly, trying to be on the smallest possible number of 4GW organization target lists. The less people hate you, the better you are;

b) Focus locally, building your defensive strategy on fast deployed forces stationed where they act and, if possible, made up of residents of the area, as well as lowering the dependency each area has on resources deployed from too much away. The more centralized and distant and your military force is, the weaker you are. The more dependent you are on goods and services coming from other cities, states and countries, the weaker you are. (Note that this isn't the same as neglecting a strong and big army. It's more of the way said army is built.)

USA fails on both aspects. It fails "a" miserably by making its presence felt all over the world, thus entering the list of almost everyone. And it fails "b" by encouraging a false sense of security on its population, when it should be making local militias and weapon usage proficiency as much widespread as possible, as well as by having an absolute, complete, all-embracing dependency on foreign natural resources, goods, services and work.

On a 4GW world, this is a recipe for disaster.

anonymity

[circletimessquare (444983)]

has pluses and minuses. an internet where there is no anonymity is also the autocratic oppressive regime's best friend

Maybe it's just me...

[fahrbot-bot (874524)]

...but every time I see a story about Estonia, I always think Elbonia [wikipedia.org]. My apologies to both Scott Adams and the people of Elb^h^hstonia.

Botnet?

[Maxo-Texas (864189)]

A trivial threat compared to posting the major web addresses on Slashdot.

Re:

[Archangel Michael (180766)]

Irritated Piss is a sign of a Urinary Tract infection, or kidney stones. Please consult a physician immediately. And lay off the Viagra and Penis Enlargements.

How to stop that spam

[Nymz (905908)]

For 3 years straight I've been getting hit by Viagra and Penis enlargement e-mails/ads about 30 times a day.

If you purchase those items, then they will stop targeting your email. That's what a friend told me.

Re:

[Weedlekin (836313)]

I get lots of them, together with several daily messages telling me about how great life would be if only I lost weight. The puzzling thing about it is how all those people know that I'm morbidly obese, and have a tiny, flaccid todger...

Re:

[Mr. Underbridge (666784)]

I understand that the Russians are essentially harassing countries that used to be part of the Soviet Union, most notably they have been trying to interfere with the Ukraine. I wonder if they have anything to do with this DOS attack on Estonia's government network.

Enjoy your Polonium soup, Anonymous Comrade.

Re:

[99BottlesOfBeerInMyF (813746)]

Frankly, because of stuff like this, we need to be prepared to use a variation of the old Internet Death Sentence. Hostile nations could be removed from the routing tables (i.e. we don't route traffic to or from them). With international cooperation attacks like this *could* be stopped dead in their tracks, with the side benefit that the offending nation would have a high priority desire to clean up the attacks.

I don't think that stopping routing from a country would make much practical difference. There are millions of vulnerable and already compromised Windows boxes scattered across the world. You can rent time on them from a Web interface. A big part of the usefulness of DDoS attacks is it is easy to make it impossible to attach them to an individual or country since the actual traffic comes from all countries. Most of the compromised machines known to be attacking as part of a botnet are within the US.