Russian Hide-and-Seek with Routers

So what exactly happened with the allegedly Russian-orchestrated DDOS attack on Estonian Internet interests? Some people have been talking about the first act of “cyberwar” against a sovereign state, others about a bizarre fuss about nothing. AFOE asked Gadi Evron, a world expert on botnets who runs Israel’s CERT and who took part in the international response effort, exactly what was going on.

1. How large was the DDOS attack on Estonian interests? How many different sites were targeted?

The DDoS attacks themselves were relatively small compared to some
past attacks we have seen, such as those on the root servers, but it
was significant for them and their infrastructure.

2. EE-CERT was presumably the first responder. How did other CERTS and agencies get involved, and what support did you/they provide?

There were 4 CERTs from Europe (Finland, Germany and Slovenia) who
helped directly with the response outside of Estonia, serving as an
escalation point for reporting attacking sources outside of Estonia.
I was there to help in whatever was needed, and later was also asked
to write a post-mortem of the attacks and defense for the Estonians,
covering preparedness for the next time.

Inside the country what saved the day was close coordination between
the CERT, ISPs, banks, etc. who all responded in semi real-time and
helped each other out.

3. Did the attackers attempt to compromise network infrastructure, or just end hosts?

They mostly left the network infrastructure alone, however, one
misconfigured router was attacked directly and another couldn’t take
the stress.

4. How much disruption was actually caused?

Considering Estonia is more advanced than most of us (they even held
the last elections online) the impact of the attack was significant
with some down-time for the banks, government sites, etc. It could
have been more serious, but while their Internet infrastructure as a
quiet country was not prepared for such an attack, the response and
mitigation worked for them. They stood the risk of losing their
ability to buy gas, for example, and for a short time, they did.

5. How unusual were the mitigation techniques used – just BCP38 etc, or spookier?

The fascinating thing is that in Estonia BCP38 is considered best
practice and implemented widely, which likely prevented some more
mess. As to mitigation, it ranged from basics such as using mitigation
devices to extremes such as blocking connections to certain networks
from abroad. Nothing any of us haven’t done before ourselves, however
mundane or extreme.

6. What fraction of the traffic came from within Russia? Or was it typical botnet activity, globally distributed?

The botnet traffic was distributed globally, with some of the botnets
being bought. However, many of the attacks were not by a botnet, but
rather by a mass of home users using commands such as ping to manually
attack Estonian sites. As they coined in Estonia, this was a riot, and
not just in the streets. Many different Russian-speaking forums and
blogs (the Russian blogosphere?) encouraged people to attack Estonia
using crude commands or simple tools. Others used more advanced
techniques.

7. What was the role of ENISA?


8. Did the attack attempt to compromise/darkout other Internet-connected systems?

What other systems? Sorry, I don’t follow.

“Other systems” here was intended to mean such things as telco networks, embedded control systems, and the like.

Telcos were affected for sure, as they hosted or were transit. There
was no attack on control systems that I know of, but the Internet is
critical infrastructure enough. The civilian infrastructure proved to
be more critical than any SCADA system.


Will They, Won’t They?

While Latvia is still arguing with the EU Commission over the spelling of eiro (or is it euro), the FT today asks the much more pertinent question: will the other Baltic states even be able to join? On the backs of the energy hike Estonia and Lithuania are struggling to comply with the entry conditions, especially those on inflation. Slovenia is, however, expected to join on target on 1 January 2007.

Estonia, Lithuania and Slovenia set themselves the target of being in the first wave of new euro members next January and of complying with most of the rules, including public debt levels, interest rates and budget deficits.

Estonia, however, is struggling to meet the inflation criterion, which is likely to be set at about 3 per cent this year, 1.5 per cent above the average inflation rates of the three countries with the lowest inflation….. Like in other former Soviet-bloc countries, energy has a bigger weighting in Estonia’s consumer price index because the country uses power less efficiently than the EU’s older members.

“We feel that it’s a shame that just when we need to qualify for euro entry, the world oil prices go up,” said Kylike Sillaste, adviser to the prime minister….

Joaquin Almunia, the EU’s monetary affairs commissioner, has said he will apply strictly the entry standards for the candidate countries, although the ultimate decision on enlarging the eurozone lies with member states.