First of its kind in that it targeted a country. As far as technical details, I'm pulling something together for the nsp-sec BoF at NANOG. I saw the spike to 4M pps on their management station... so no 'claims' there. And yeah, OK, will need qualification. Basically that was seen by Estonian ISPs as traffic coming in... technically there wasn't much difference to what people see today, but the large-scale coordination is unusual. Or maybe not, since it's a small country :) As far as the important sites being down for a short time... that was because the mitigation techniques had been well thought out and they were prepared. And a LOT of money was spent to add equipment and enforce mitigation in the week before the worst was expected. There was a lot of pro-active activity, which I do find to be unusual. No one wants to spend money on security (said very tongue-in-cheek)... I'll include answers to your last questions in my preso...

- merike

On May 24, 2007, at 9:35 AM, <michael.dillon@bt.com> wrote:
> It is an unusual situation... or at least the first of its kind.
Leaving aside the alleged political involvement of some government or other, this is far from true. Back in the day, when DoS attacks were delivered to mailboxes and USENET and IRC were the main tools for coordinating attacks, this was commonplace. A victim was identified, postings were made to newsgroups and IRC channels, and at the appointed time the attack began.
What is fundamentally different here?
Using web forums and IM instead of USENET/IRC is not fundamentally different. Using botnets to amplify the attack is different from the mailbombing of the past; however, botnets are often used in DDoS attacks, so I don't think we can consider this fundamentally different.
What about the attackers? Is there something about Russians that would explain this? Yes, I think so. Over the past 20 years, economic and social problems have hit Russia hard, and the people who lived through this time learned how to cooperate effectively and how to change tactics on short notice. At the same time, the Russian education system produces people who are very good at technical subjects like networks, programming, etc. This has combined to create various criminal groups who can make a good living from net abuse by building and renting botnets, selling various spamming services, or just plain phishing. The Russian mob does have a big market share of botnet C&C (command and control).
IMHO, this is not about Estonia and this is not about the Russian government or military or intelligence agencies. This is all about free enterprise thinking which is more deeply embedded in Russia than in most of the developed world. Generally, these Russian hackers apply their skills to earning money or attacking each other, but Estonia accidentally raised the hackles of these people and they all pointed their firehoses in unison. It could have been any other country which does something that offends the sensibilities of ordinary Russians.
On the other hand, if this attack had been directed at the USA, it would have had far less effect. The USA has its economic and government infrastructure scattered across many cities with lots of network capacity between. The target for the firehose is more diffuse and therefore harder to hit. Estonia is a little country with all its eggs in one basket in one city.
It was an interesting coincidence that one of the more vulnerable countries just happened to get a large number of criminal hacker gangs upset enough to turn from earning money to attacking them. Perhaps they haven't heard that people who live in glass houses shouldn't throw stones.
There has been a lot of hyperbole over these incidents and little factual information. Some people want to point the finger of blame, but with botnets and diffuse C&C out there, this is not something that can be easily or quickly confirmed. If it was so easy, then we would have put the botnet operators out of business long ago. It's nice to hear that the Estonian CERT was prepared to respond to an attack and it's nice to hear that a lot of people helped mitigate the attack. But there is nothing new in that. There are a lot of accusations about attacks coming from a certain list of countries or from certain specific computers of certain government officials, but these sound like typical tabloid journalism explanations of any botnet-based DDoS. People say this was a BIG deal but then we hear that sites were down for only an hour. The Northeast blackout was a big deal, Katrina was a big deal, but a few hours of outage for a few data centres in one city doesn't seem to me like a big deal.
A claim was made that 4 million packets per second were sent. I would like to hear more about this. How was it measured? Is this an aggregate, or was this directed at the largest victim? Was it ingress into the network, or packets delivered to the site's CPE router? How does this compare to other DDoS incidents? And, most importantly, does it indicate a growth in total DDoS capability (a bigger firehose than before), or was it simply the usual stuff all sent to the same victim at the same time, for a change?
What can network operators learn from this? Do we need to beef up technical measures or will a well-run network already be prepared to mitigate this kind of thing? Is there some fundamental technical aspect of this attack that was different from the past? Did the mitigation of the attack do something fundamentally different from the past?
--Michael Dillon