On Thu, May 24, 2007 at 09:25:54AM +0100, Alexander Harrowell wrote:
On 5/23/07, ge@linuxbox.org <ge@linuxbox.org> wrote:
I just now got back from a 6-hour beer fest with ISP/CERT/military/etc. guys who have been working on these attacks on Estonian infrastructure for the past 3 weeks here in Tallinn.. so if I make less sense than usual, please forgive me. Beer good.
Sitting with these folks for the past week, I got so impressed with the abuse handling work they are doing that even I, who had a very negative opinion of Estonia and cyber-crime, completely changed my mind.
Their CERT is *extremely* responsive, their ISPs are all talking and cooperating on abuse and security (and drinking beer). Things are very different from what they were even just a year ago. Even their Police force is clued.
If anyone has issues in Estonia, I'd strongly urge you to contact the Estonian CERT at www.cert.ee, and you most likely won't get disappointed. A lot of good people over here.
Gadi.
How serious was the attack really? The national press reporting was either nonexistent or hysterical (Cyberwar! Woo!), but it didn't disturb anyone to post to NANOG at any point, and it does not seem to have had any measurable real-world consequences.
Was this because a) it wasn't really that serious, b) it was serious but mitigation was successful, or c) being well-mitigated (BCP38 and the like) from the word go, its seriousness or otherwise wasn't obvious?
A lot of people had information to share and emotions to get out of the way; I sent my reply off-list. Also, it was really not my place to reply on this - with all the work done by the Estonians, my contributions were secondary.
My discussions with Mr. Harrowell are public on his blog. Information from Bill Woodcock was also sound.
As to what actually happened over there, more information should become available soon and I will send it here.
I keep getting stuck when trying to write the post-mortem and attack/defense analysis as I keep hitting a stone wall I did not expect: strategy. Suggestions for the future are also a part of that document, so I will speed it up with a more down-to-Earth technical analysis (which is what I promised CERT-EE).
In the past I've been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. I was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses. I keep seeing strategy for the use IN information warfare battles as I write this document on what happened in Estonia, and I believe I need more time to explore this against my previous take on the issue, as well as take a look at some classics such as Clausewitz, as posh as it may sound.
Thanks,
Gadi.