nanog mailing list archives
Re: Slate Podcast on Estonian DOS attack
From: Merike Kaeo <kaeo () merike com>
Date: Thu, 24 May 2007 10:06:50 -0700
First of its kind in that it targeted a country. As far as technical details, I'm pulling something together for the nsp-sec BoF at NANOG. I saw the spike to 4m pps on their management station......so no 'claims' there. And yeah, OK, will need qualification. Basically that was seen by Estonian ISPs as traffic coming in.........technically there wasn't much difference to what people see today, but the large-scale coordination is unusual. Or maybe not, since it's a small country :)

As far as the important sites being down for a short time.....that was because the mitigation techniques had been well thought out and they were prepared. And a LOT of money was spent to add equipment and enforce mitigation in the week before the worst was expected. There was a lot of proactive activity, which I do find to be unusual. No one wants to spend money on security (said very tongue-in-cheek).......

I'll include answers to your last questions in my preso.......

- merike

On May 24, 2007, at 9:35 AM, <michael.dillon () bt com> wrote:
> It is an unusual situation...or at least the first of its kind.

Leaving aside the alleged political involvement of some government or other, this is far from true. Back in the days, when DOS attacks were delivered to mailboxes and USENET and IRC were the main tools for coordinating attacks, this was commonplace. A victim was identified, postings were made to newsgroups and IRC channels, and at the appointed time, the attack began. What is fundamentally different here? Using web forums and IM instead of USENET/IRC is not fundamentally different. Using botnets to amplify the attack is different from the mailbombing of the past; however, botnets are often used in DDoS attacks, so I don't think we can consider this fundamentally different.

What about the attackers? Is there something about Russians that would explain this? Yes, I think so. Over the past 20 years, economic and social problems have hit Russia hard, and the people that lived through this time learned how to cooperate effectively and how to change tactics on short notice. At the same time, the Russian education system produces people who are very good at technical subjects, like networks, programming, etc. This has combined to create various criminal groups who can make a good living from net abuse by building and renting botnets or selling various spamming services or just plain phishing. The Russian mob does have a big market share of botnet C&C (Command and Control).

IMHO, this is not about Estonia and this is not about the Russian government or military or intelligence agencies. This is all about free enterprise thinking, which is more deeply embedded in Russia than in most of the developed world. Generally, these Russian hackers apply their skills to earning money or attacking each other, but Estonia accidentally raised the hackles of these people and they all pointed their firehoses in unison. It could have been any other country which does something that offends the sensibilities of ordinary Russians.

On the other hand, if this attack had been directed at the USA, it would have had far less effect. The USA has its economic and government infrastructure scattered across many cities with lots of network capacity between. The target for the firehose is more diffuse and therefore harder to hit. Estonia is a little country with all its eggs in one basket in one city. It was an interesting coincidence that one of the more vulnerable countries just happened to get a large number of criminal hacker gangs upset enough to turn from earning money to attacking them. Perhaps they haven't heard that people who live in glass houses shouldn't throw stones.

There has been a lot of hyperbole over these incidents and little factual information. Some people want to point the finger of blame, but with botnets and diffuse C&C out there, this is not something that can be easily or quickly confirmed. If it was so easy, then we would have put the botnet operators out of business long ago. It's nice to hear that the Estonian CERT was prepared to respond to an attack and it's nice to hear that a lot of people helped mitigate the attack. But there is nothing new in that. There are a lot of accusations about attacks coming from a certain list of countries or from certain specific computers of certain government officials, but these sound like typical tabloid journalism explanations of any botnet-based DDoS. People say this was a BIG deal, but then we hear that sites were down for only an hour. The Northeast blackout was a big deal, Katrina was a big deal, but a few hours of outage for a few data centres in one city doesn't seem to me like a big deal.

A claim was made that 4 million packets per second were sent. I would like to hear more about this. How was it measured? Is this an aggregate, or was this directed at the largest victim? Was it ingress into the network or packets delivered on the site's CPE router? How does this compare to other DDoS incidents? And, most importantly, does it indicate a growth in total DDoS capability (a bigger firehose than before) or was it simply the usual stuff all sent to the same victim at the same time, for a change.

What can network operators learn from this? Do we need to beef up technical measures, or will a well-run network already be prepared to mitigate this kind of thing? Is there some fundamental technical aspect of this attack that was different from the past? Did the mitigation of the attack do something fundamentally different from the past?

--Michael Dillon
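Michael's questions about the 4m pps figure (aggregate or per-victim, ingress or delivered) turn on how a rate is derived from sampled flow exports. The script below is an added illustration, not code from either poster or from any Estonian operator: it takes constructed, clearly labelled sampled-flow records (not real data), assumes a 1-in-1000 packet sampling ratio, and shows how the same export yields a very different "peak" depending on whether one sums across all destinations or reports the largest single target in the same second.

```python
from collections import defaultdict

# Assumed sampling ratio for the constructed data below: the exporting router
# sampled 1 of every 1000 packets, so one sampled packet stands for 1000 on the wire.
SAMPLING_RATE = 1000

# Constructed sampled-flow records (not real measurements) as
# (second, destination_ip, sampled_packets). Three targets, three one-second buckets.
SAMPLE_RECORDS = [
    (0, "192.0.2.10", 1500),
    (0, "192.0.2.20", 1200),
    (0, "192.0.2.30", 800),
    (1, "192.0.2.10", 2100),
    (1, "192.0.2.20", 1300),
    (1, "192.0.2.30", 600),
    (2, "192.0.2.10", 1900),
    (2, "192.0.2.20", 1000),
    (2, "192.0.2.30", 500),
]


def pps_by_second(records, sampling_rate):
    """Scale sampled packet counts up to estimated packets per second.

    Returns (aggregate, per_target): aggregate maps second -> estimated pps
    summed over every destination; per_target maps second -> {dst_ip: pps}.
    """
    aggregate = defaultdict(int)
    per_target = defaultdict(lambda: defaultdict(int))
    for second, dst, sampled in records:
        estimated = sampled * sampling_rate
        aggregate[second] += estimated
        per_target[second][dst] += estimated
    return aggregate, per_target


def summarize(records, sampling_rate):
    """Report the aggregate peak and the largest single-destination peak separately,
    so a headline number can be stated with the qualification it needs."""
    aggregate, per_target = pps_by_second(records, sampling_rate)
    peak_second = max(aggregate, key=aggregate.get)
    # Find the (second, host) pair with the highest per-destination rate.
    target_second, target_host = max(
        ((s, h) for s in per_target for h in per_target[s]),
        key=lambda pair: per_target[pair[0]][pair[1]],
    )
    target_pps = per_target[target_second][target_host]
    return {
        "peak_aggregate_pps": aggregate[peak_second],
        "peak_aggregate_second": peak_second,
        "peak_target": target_host,
        "peak_target_pps": target_pps,
        "peak_target_second": target_second,
        # Fraction of that second's total that went to the single busiest target.
        "peak_target_share": target_pps / aggregate[target_second],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS, SAMPLING_RATE)
    print(f"aggregate peak: {s['peak_aggregate_pps']:,} pps at t={s['peak_aggregate_second']}s")
    print(f"largest single target: {s['peak_target']} at {s['peak_target_pps']:,} pps "
          f"({s['peak_target_share']:.0%} of that second's total)")
```

With the constructed input the aggregate peak is 4,000,000 pps while the busiest single destination sees 2,100,000 pps in the same second, which is the difference between "4m pps hit the country" and "4m pps hit one site". Whether the exporter sits at the ingress border or on a CPE router changes which of these a management station can even observe, and that placement, together with the sampling ratio, belongs next to any pps figure that is quoted.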