So what exactly happened with the allegedly Russian-orchestrated DDOS attack on Estonian Internet interests? Some people have been talking about the first act of “cyberwar” against a sovereign state, others about a bizarre fuss about nothing. AFOE asked Gadi Evron, a world expert on botnets who runs Israel’s CERT and who took part in the international response effort, exactly what was going on.
How large was the DDOS attack on Estonian interests? How many different sites were targeted?
The DDoS attacks themselves were relatively small compared to some
past attacks we have seen, such as those on the root servers, but it
was significant for them and their infrastructure.
2. EE-CERT was presumably the first responder. How did other CERTS and agencies get involved, and what support did you/they provide?
There were 4 CERTs from Europe (Finland, Germany and Slovenia) who
helped directly with the response outside of Estonia, serving as an
escalation point for reporting attacking sources outside of Estonia.
I was there to help in whatever was needed, and later was also asked
to write a post-mortem of the attacks and defense for the Estonians,
covering preparedness for the next time.
Inside the country what saved the day was close coordination between
the CERT, ISPs, banks, etc. who all responded in semi real-time and
helped each other out.
3. Did the attackers attempt to compromise network infrastructure, or just end hosts?
They mostly left the network infrastructure alone, however, one
misconfigured router was attacked directly and another couldn’t take
4. How much disruption was actually caused?
Considering Estonia is more advanced than most of us (they even held
the last elections online) the impact of the attack was significant
with some down-time for the banks, government sites, etc. It could
have been more serious, but while their Internet infrastructure as a
quiet country was not prepared for such an attack, the response and
mitigation worked for them. They stood the risk of losing their
ability to buy gas, for example, and for a short time, they did.
The fascinating thing is that in Estonia BCP38 is considered best
practice and implemented widely, which likely prevented some more
mess. As to mitigation, it ranged from basics such as using mitigation
devices to extremes such as blocking connections to certain networks
from abroad. Nothing any of us haven’t done before ourselves, however
mundane or extreme.
6. What fraction of the traffic came from within Russia? Or was it typical botnet activity, globally distributed?
The botnet traffic was distributed globally, with some of the botnets
being bought. However, many of the attacks were not by a botnet, but
rather by a mass of home users using commands such as ping to manually
attack Estonian sites. As they coined in Estonia, this was a riot, and
not just in the streets. Many different Russian-speaking forums and blogs (the Russian
blogosphere?) encouraged people to attack Estonia using crude commands
or simple tools. Others used more advanced techniques.
7. What was the role of ENISA?
8. Did the attack attempt to compromise/darkout other Internet-connected systems?
What other systems? Sorry, I don’t follow.
“Other systems” here was intended to mean such things as telco networks, embedded control systems, and the like.
Telco’s were affected for sure, as they hosted or were transit. There
was no attack on control systems that I know of, but the Internet is
critical infrastructure enough. The civilian infrastructure proved to
be more critical than any SCADA system.