Cyberattack in Estonia--what it really means

Q&A Arbor Networks' Jose Nazario takes stock of the denial-of-service attack against the Baltic nation--and the wider implications.
Written by Robert Vamosi, Contributor
When it comes to denial-of-service attacks, Jose Nazario has seen just about everything.

As senior security researcher at Arbor Networks, Nazario closely monitors network attacks. A denial-of-service, or DoS, attack occurs when someone directs a large number of requests to a target URL so quickly that the Web server can't respond, and the site becomes inaccessible.

A distributed denial-of-service, or DDoS, attack occurs when hundreds or thousands of compromised computers are enlisted. Arbor Networks has a tool called the Active Threat Level Analysis System that enables Nazario to collect information on DoS attacks worldwide.

On April 27, officials in Estonia relocated the "Bronze Soldier," a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move incited rioting by ethnic Russians and the blockading of the Estonian Embassy in Moscow. The event also marked the beginning of a large and sustained distributed denial-of-service attack on several Estonian national Web sites, including those of government ministries and the prime minister's Reform Party.

Nazario was one of the first to publish information about those cyberattacks. He spoke with CNET in the wake of the events in Estonia.

Q: Have there been any previous attacks comparable to the cyberattack situation in Estonia?
Nazario: Compared to larger, higher-profile attacks, it isn't necessarily larger than the rogue DNS (domain name system) server attack this past winter, no larger than the attacks resulting from the Olympics a few years ago with the Apolo Ohno controversy. (In 2002 at the Salt Lake City Games, Ohno won the gold medal in the 1,500-meter speed-skating race after South Korean Kim Dong-Sung was disqualified; soon after, several United States-based servers were hit with a DDoS attack from machines that appeared to be based in South Korea.)

Some countries are probably better equipped to handle this than others.

The Estonia attacks certainly are overwhelming and crippling many of those sites in Estonia based upon the resources that they have. But it's the background nature of those attacks that's novel, in comparison to other denial-of-service attacks.

There's no extortion going on. They're not demanding to the Ministry of Finance, the Ministry of Agriculture, "Pay us $50 million, or we keep this up." They're not trying to disrupt e-commerce--they're making a political statement.

So the size isn't necessarily groundbreaking. We're talking about 100 or 200 megabits per second. Looking at our infrastructure surveys that we have published--and we have one going on currently for release later this year--we have seen that this is on the low side of an average size of attack on providers that we talk to, who run our products or don't run our products, who participate in our survey. It's kind of a common-size attack.

Would the Estonia event be comparable to the India-Pakistan cyberconflict of a few years ago? I recall volleys of nationalistic viruses sent between the two countries with some DoS attacks thrown in.
Nazario: Yes, definitely, though it's probably more applicable to the Apolo Ohno situation, where you have a nationalistic driver behind the DDoS attack. We saw some specific tools created (for the Olympic attack), as well as some botnets that were under the control of people who were emotionally attached to the events. Attacks were launched against a specific target based upon national interests or based upon geopolitical interests.

A recent blog of yours suggested that a variety of different DoS methods were used on the Estonia sites. Does that support the theory that random sympathetic individuals, say in Russia, may be behind the attacks, as opposed to an organized, coordinated attack?
Nazario: Not necessarily. While we do think the Estonian attacks are due to multiple, different kinds of botnets, or different tools or different groups, all with sort of a same angle behind them, the fact that the attacks are different in their nature isn't necessarily the indication there that comes from other kinds of analysis.

We have, in the past, seen DoS attackers interested in keeping their attack effective by changing the tactics as they go along. And they will keep on changing the attack as it goes on.

They'll change locations, if they have a big enough botnet; sources, if they can overwhelm the defenses that selectively look at different kinds of sources; or the individual traffic types or packet types to overwhelm protocol-based defenses on the perimeter of the network.

That said, we have seen evidence suggesting that there were multiple botnets and tools--both botnet-related and not botnet-related--behind the Estonian attacks. We have seen this based upon some analysis of existing botnets that we and others are tracking, as well as monitoring forums and software releases where people are encouraging others to show their displeasure with Estonia--in this case, by launching these attacks.

Might we see other DDoS attacks in the very near future? Or is the Estonian situation just a one-off, a response to a specific event?
Nazario: I don't think it's a one-off. You mentioned the India-Pakistan issues; I mentioned the South Korean Olympic issues from several years ago. We have seen this kind of thing before. You look around the globe, and there's basically no limit to the amount of skirmishes between well-connected countries that could get incredibly emotional for the population at large.

In this case, it has disrupted the Estonian government's ability to work on online, it has disrupted a lot of its resources and attention. In that respect, it's been effective. It hasn't brought the government to a crippling halt, but has essentially been effective as a protect tool.

People will probably look at this and say, "That works. I think we're going to continue to do this kind of thing." Depending on the target within the government, it could be very visible, or it could not be very visible.

Some countries are probably better equipped to handle this than others. We monitor thousands of DoS events each day in our ATLAS system that comes from our installations around the world and our sensors around the world. The bulk of them are things that are against people you wouldn't even know or existed--just random people, people on broadband lines--where someone gets upset with them online and says "I'm going to make your life uncomfortable for the next hour or two."

We do see attacks against big corporations and big governments, and if you look at those attacks, some of them are probably politically motivated as a way of speaking out. I don't think this is going to become as common as seeing people on the streets. But it's something that some governments have to consider much more than I think they needed to five years ago.

You mentioned distractions. Is it a matter of the Estonian government sites filtering their traffic?
Nazario: It's not just within the Estonian government but also within their providers. The Estonian providers are, of course, working with a much larger community--the European providers, the North American providers (and) Asian providers that give them inbound traffic as well as the attack traffic. They're working with people to identify the root cause of these attacks and shut them down, as well as push the traffic back even further to alleviate those problems without disrupting normal service. The number of people required to help them do this is rather high, given the size of the staff that they have and that they don't normally see those kinds of things.

A couple of Estonian service providers have been under denial-of-service attack for the past six months to a year, by a virus called Allaple, and we're not clear as to what the author's trying to do other than upset some people in Estonia. It doesn't appear to have as clear a cause or reason behind it as these recent attacks against the Estonian government sites.

We know that they're scrambling, and we're working with folks from the Estonian Computer Emergency Response Team and the region, as well as the Estonian providers, to deal with it. We know that they've been working on this for quite a while, a number of weeks, really reaching out, and it is a very high-focus, high-priority item for them.

The attacks haven't stopped, have they?
Nazario: We know they haven't stopped, but we're not seeing them with such intensity right now.

Editorial standards