RealTime IT News

Estonia Under Russian Cyber Attack?

The Republic of Estonia is under a massive cyber onslaught that is apparently targeting government servers in a broad-based distributed denial of service (DDoS) attack. Quantitative data points to a broadly based attack, but speculation is rampant that the Russian government is behind it.

Data from Arbor Networks' Active Threat Level Analysis System (ATLAS) shows the attack to be ongoing over at least the past two weeks, with some 128 unique DDoS attacks targeting IPs within Estonia.

ATLAS is a globally distributed network that Arbor claims can see 80 percent of the world's Internet traffic. But Arbor's view of the traffic's source, as opposed to its destination, isn't all that transparent.

"We don't have directly visible info about sources so we can't confirm or deny that the attacks are coming from the Russian government," Jose Nazario, software and security engineer at Arbor Networks, told internetnews.com.

"That said, we do have some information about the characteristic of these attacks that show broadly scoped attacks."

Nazario has publicly posted some of Arbor's findings on the Estonian attack. Over the past two weeks he noted that of the 128 attacks, most were Internet Control Message Protocol (ICMP) floods. ICMP is the protocol the ping utility is built on. An ICMP flood attack does not typically target any particular port or service on a target but rather the IP address as a whole.

In terms of attack duration, Nazario found that many of the attacks lasted under an hour, though some attacks were sustained for over 10 and a half hours.

Though Nazario is unsure of the precise source of the attack, he is convinced that it is a botnet attack, which consists of hundreds or thousands of computers that attack targets in unison at the direction of a third-party controller.

Identifying and tracking botnets is a tough business, but it's one that Nazario is familiar with, having last year helped shut down a massive botnet that was targeting sites in the Netherlands.

"We look to find sources that are pointing at the targets and then look for traffic that appears to be suspicious," Nazario explained. "From that we track back to what might be the botnet involved and try and shut it down."

In some cases, Nazario is already tracking a botnet and so is able to more easily correlate where an attack is coming from, but that's not the case with the Estonian attacks.

"It's a process that involves a lot of humans looking at a lot of data," Nazario said. "But ultimately by looking for common characteristics, we can find the attacks that are destined for Estonia, and we can look back and see what else is suspicious to try and find the botnet."
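The kind of correlation Nazario describes (find the flows destined for the targets, then look for what they have in common) can be sketched over flow records. The following is an added example, not Arbor's or ATLAS's code: it assumes per-minute flow summaries, a constructed dataset on TEST-NET addresses, and an assumed alerting threshold of 1000 ICMP packets per second toward one destination, then reports each flood's duration, peak rate and number of distinct sources, flagging floods that run longer than an hour as the article's "sustained" category.

```python
from collections import defaultdict

ICMP, TCP = 1, 6
WINDOW_S = 60        # flow records are summarised per minute
FLOOD_PPS = 1000     # assumed alerting threshold: ICMP packets/sec toward one destination
SUSTAINED_S = 3600   # the article's dividing line: under an hour vs. sustained for hours

def constructed_flows():
    """Synthetic per-minute flow records (ts_s, src, dst, proto, packets), TEST-NET addresses."""
    flows = []
    for minute in range(10, 15):    # 5-minute ICMP flood on .10 from 200 distinct sources
        flows += [(minute * 60, f"198.51.100.{i}", "192.0.2.10", ICMP, 600) for i in range(200)]
    for minute in range(0, 660):    # 11-hour ICMP flood on .30 from 50 sources
        flows += [(minute * 60, f"203.0.113.{i}", "192.0.2.30", ICMP, 1500) for i in range(50)]
    for minute in range(0, 60):     # benign 1 pps monitoring ping to .20, must not alert
        flows.append((minute * 60, "203.0.113.250", "192.0.2.20", ICMP, 60))
    flows.append((600, "203.0.113.251", "192.0.2.10", TCP, 50000))  # TCP, ignored here
    return flows

def detect_icmp_floods(flows, threshold_pps=FLOOD_PPS):
    """Return {dst: [run, ...]}; a run is a block of consecutive minutes at/above threshold."""
    pkts = defaultdict(lambda: defaultdict(int))   # dst -> minute -> ICMP packets
    srcs = defaultdict(lambda: defaultdict(set))   # dst -> minute -> distinct sources
    for ts, src, dst, proto, n in flows:
        if proto == ICMP:           # whole-address flood: no port or service to key on
            pkts[dst][ts // WINDOW_S] += n
            srcs[dst][ts // WINDOW_S].add(src)
    attacks = {}
    for dst, per_min in pkts.items():
        hot = sorted(m for m, n in per_min.items() if n / WINDOW_S >= threshold_pps)
        runs, i = [], 0
        while i < len(hot):
            j = i
            while j + 1 < len(hot) and hot[j + 1] == hot[j] + 1:
                j += 1              # extend the run while flooded minutes are contiguous
            minutes = hot[i:j + 1]
            duration = len(minutes) * WINDOW_S
            runs.append({"start_s": minutes[0] * WINDOW_S, "duration_s": duration,
                         "sustained": duration > SUSTAINED_S,
                         "peak_pps": max(per_min[m] / WINDOW_S for m in minutes),
                         "sources": len(set().union(*(srcs[dst][m] for m in minutes)))})
            i = j + 1
        if runs:
            attacks[dst] = runs
    return attacks
```

The source count per run is what separates a handful of misconfigured hosts from the hundreds or thousands of unison senders that mark a botnet; on real data the threshold would be tuned per destination and the flows would come from the collector rather than a constructed list.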

The process so far has yielded some preliminary indications of the structure of the botnet that is attacking Estonia.

"We have some indication of what botnet is behind the attack. It's a distributed botnet, so it's harder to shut down since the controller is moved around," he said. "There is also evidence that there are different attacking groups and it's not just one botnet behind it, which makes it harder to take down."