Estonia Under Russian Cyber Attack?


The Republic of Estonia is under a massive cyber onslaught
that apparently is targeting government servers in a broad-based distributed
denial of service (DDOS) attack. Quantitative data points the finger at a broadly based attack, but speculation is rampant that the Russian government is behind it.


Data from Arbor Networks Active Threat Level Analysis System (ATLAS) shows
the attack to be ongoing over at least the past two weeks, with some 128
unique DDoS attacks targeting IPs within Estonia.

ATLAS is a
globally distributed network that Arbor claims can see 80 percent
of the world’s Internet traffic. But Arbor’s view of the traffic’s source, as opposed to its destination, isn’t all that transparent.


“We don’t have directly visible info about sources so we can’t confirm or
deny that the attacks are coming from the Russian government,” Jose Nazario,
software and security engineer at Arbor Networks, told
internetnews.com.

“That said, we do have some information about the
characteristic of these attacks that show broadly scoped attacks.”


Nazario has publicly posted some of Arbor’s findings on the Estonian attack.
Over the past two weeks he noted that of the 128 attacks, most were Internet Control Message Protocol (ICMP) floods. ICMP includes ping in its implementation. An ICMP
flood attack does not typically target any particular port or service on a
target but rather the IP address as a whole.


In terms of attack duration, Navario found that many of the attacks lasted
under an hour, though some attacks were sustained for over 10 and a half
hours.


Though Nazario is unsure of the precise source of the attack, he is
convinced that it is a botnet attack, which consists of hundreds or
thousands of computers that attack targets in unison at the
direction of a third-party controller.

Identifying and tracking botnets is a
tough business, but it’s one that Nazario is familiar with, having last year helped shut down a massive botnet that was targeting sites in the Netherlands.


“We look to find sources that are pointing at the targets and then look for
traffic that appears to be suspicious,” Nazario explained. “From that we
track back to what might be the botnet involved and try and shut it down.”


In some cases, Nazario is already tracking a botnet and so is able to more
easily correlate where an attack is coming from, but that’s not the case
with the Estonian attacks.


“It’s a process that involves a lot of humans looking at a lot of data,”
Nazario said. “But ultimately by looking for common characteristics, we can
find the attacks that are destined for Estonia, and we can look back and see
what else is suspicious to try and find the botnet.”


The process so far has yielded some preliminary indications of the structure
of the botnet that is attacking Estonia.


“We have some indication of what botnet is behind the attack. It’s a
distributed botnet, so it’s harder to shut down since the controller is moved
around,” he said. “There is also evidence that there are different
attacking groups and it’s not just one botnet behind it, which makes it
harder to take down.”

News Around the Web