Russian Hide-and-Seek with Routers

So what exactly happened with the allegedly Russian-orchestrated DDOS attack on Estonian Internet interests? Some people have been talking about the first act of “cyberwar” against a sovereign state, others about a bizarre fuss about nothing. AFOE asked Gadi Evron, a world expert on botnets who runs Israel’s CERT and who took part in the international response effort, exactly what was going on.

How large was the DDOS attack on Estonian interests? How many different sites were targeted?

The DDoS attacks themselves were relatively small compared to some
past attacks we have seen, such as those on the root servers, but it
was significant for them and their infrastructure.

2. EE-CERT was presumably the first responder. How did other CERTS and agencies get involved, and what support did you/they provide?

There were 4 CERTs from Europe (Finland, Germany and Slovenia) who
helped directly with the response outside of Estonia, serving as an
escalation point for reporting attacking sources outside of Estonia.
I was there to help in whatever was needed, and later was also asked
to write a post-mortem of the attacks and defense for the Estonians,
covering preparedness for the next time.

Inside the country what saved the day was close coordination between
the CERT, ISPs, banks, etc. who all responded in semi real-time and
helped each other out.

3. Did the attackers attempt to compromise network infrastructure, or just end hosts?

They mostly left the network infrastructure alone, however, one
misconfigured router was attacked directly and another couldn’t take
the stress.

4. How much disruption was actually caused?

Considering Estonia is more advanced than most of us (they even held
the last elections online) the impact of the attack was significant
with some down-time for the banks, government sites, etc. It could
have been more serious, but while their Internet infrastructure as a
quiet country was not prepared for such an attack, the response and
mitigation worked for them. They stood the risk of losing their
ability to buy gas, for example, and for a short time, they did.

5. How unusual were the mitigation techniques used – just BCP38 etc, or spookier?

The fascinating thing is that in Estonia BCP38 is considered best
practice and implemented widely, which likely prevented some more
mess. As to mitigation, it ranged from basics such as using mitigation
devices to extremes such as blocking connections to certain networks
from abroad. Nothing any of us haven’t done before ourselves, however
mundane or extreme.

6. What fraction of the traffic came from within Russia? Or was it typical botnet activity, globally distributed?

The botnet traffic was distributed globally, with some of the botnets
being bought. However, many of the attacks were not by a botnet, but
rather by a mass of home users using commands such as ping to manually
attack Estonian sites. As they coined in Estonia, this was a riot, and
not just in the streets. Many different Russian-speaking forums and blogs (the Russian
blogosphere?) encouraged people to attack Estonia using crude commands
or simple tools. Others used more advanced techniques.

7. What was the role of ENISA?


8. Did the attack attempt to compromise/darkout other Internet-connected systems?

What other systems? Sorry, I don’t follow.

“Other systems” here was intended to mean such things as telco networks, embedded control systems, and the like.

Telco’s were affected for sure, as they hosted or were transit. There
was no attack on control systems that I know of, but the Internet is
critical infrastructure enough. The civilian infrastructure proved to
be more critical than any SCADA system.


200 Gigabits a Second

Todd Underwood of Internet consultants Renesys has an interesting post for the day AMSIX, the Amsterdam Internet Exchange, set the world record for Internet traffic through a single facility. At 2110 CET on Monday, the world’s biggest IX saw more than 200 gigabits a second of netty goodness hurtling through its multiple 10GB Ethernet switches. That’s a whole lotta traffic. And love, this being Amsterdam.

But what especially interests me about it is that somehow, everyone does these things differently. In North America, public IXen don’t really count for much—even the mighty Equinix sees only half AMSIX’s traffic across all its exchanges. Traditionally, ISPs and telcos have preferred to set up private interconnections, or else pay a private exchange operator like Equinix. In Europe, though, public exchanges run by their users as co-operatives, where everyone connects to shared high-capacity Ethernet switches, have been a vital part of the Internet infrastructure from the word go, with LINX in Tookey Street, London SE1 being the first. Over the years, they have grown spectacularly and continue to do so—a year ago, AMS-IX was doing half the traffic it is now, LINX has doubled since January, and DECIX in Frankfurt is up 150 per cent this year.

There’s obviously a political/cultural analogy here. The Americans prefer to set up their own private wires, and the Europeans prefer sharing a really big Ethernet ring, operated as a non-profit organisation. And the South Koreans have arrived at a sort of hybrid solution, doing private interconnection in a very big way but within a shared facility. But there doesn’t seem to be any great difference in the results.

Geek culture bleg: If multiple Linux boxes are boxen, multiple muxes are muxen, more than one VAX used to be VAXen, why aren’t more than one switch switchen?

Europe’s Digital Divide

“A digital divide has appeared among Europeans, with age, income and education determining whether the continent’s citizens use the Internet”, at least this is the conclusion of a new study conducted by Eurostat on behalf of the EU commission.The largest divide by educational level was found in Portugal, and the smallest in Lithuania, only in the Netherlands did more than half of the retired population use the internet. Only in Sweden (70%), Denmark (64%), Finland (54%) and Germany (51%) did more than half of the lower educated use the internet during the first quarter of 2004, while the proportion of the higher educated who used the internet fell below 50% only in Lithuania (38%) and Greece (48%). Now why do I not find all this particularly surprising?

In the EU25, 85% of students (aged 16 or more in school or university) used the internet during the first quarter of 2004, as did 60% of employees, 40% of the unemployed and 13% of the retired, compared to an EU25 average of 47% for individuals aged from 16 to 74. This divide by employment status is also found by educational level: only 25% of those with at most lower secondary education used the internet during the first quarter of 2004, while the proportion rose to 52% for those who had completed secondary education, and 77% for those with a tertiary education.

Bloggeurs In The News

On Thursday it was John Thornhill in the FT, then yesterday Stephen Castle of the Independent joined in. Topic du jour: the battle in cyberspace for the hearts and minds of the French voters.

Conspiracy Theory One: the US administration wants Europe to adopt the constitutional treaty because it would kill off nation states and allow Washington to deal with a more pliable Brussels.

Conspiracy Theory Two: the Bush administration is secretly financing the No campaign in France because it wants to kill off Europe’s ambitions to forge a common foreign policy and rival the US on the world stage.
Financial Times Thursday 28 April

One says that a vote for the EU constitution would please George Bush; another uses a computer game format with arrows from a “yes” vote to a “game over” box. Not only are French opponents of the EU constitution ahead in the opinion polls they are also winning the battle of the blogs.
Independent Saturday 30 April

Continue reading

Digitally Scared.

No doubt about it – revolutions are truly scary. Whether you think of the French one, the ones that freed Eastern Europe, or the digital revolution that is currently changing much of the transactional structure of our economies, and in particular the music industry. But contrary to most people, I do pity major label executives who never even stood a chance of understanding just what happened to them. After all, this is an industry where the average person?s desk had not seen a computer in 1996, as some insider once said.

Continue reading

The Last Foreign Correspondent

This is really a case of two stories in search of a common theme: a theme, that is, which goes beyond the rather random unifying factor of the work of Shanghai based ‘foreign correspondent’ Fons Tuinstra. In fact both points emerged from browsing his blog.

In the first place we have the problem with the uses and abuses of statistics – an issue which surfaced once more this week with the outrageous use of the carefully crafted 7% Japanese GDP growth number (those looking for a rather more jaundiced – not to say realistic – view on this, could do worse than consult Bloomberg’s ever intelligent William Pesek).

But Fons target this week is not the investor-seeking financial press, but rather his own compatriots, the Dutch politicians, and how they have turned the creative use of statistics into an art form, for, as he says:”Dealing with figures is an art: the Dutch call themselves the Chinese of Europe, for a good reason.”
Continue reading