Gadi, I read it. As it happens, about a year ago I plowed through a bunch of Information Operations (formerly known as Information Warfare) papers in a then-linkable bibliography on the subject. Your GJIA paper is of that genre. There wasn't enough for me to distinguish between an ad insert campaign executed by several hundred nodes injecting link and keyword payload via POST, which I've observed as multi-hour ddos on vhost targets implemented on generic webservers with no particular load planning, and whatever happened "in Estonia". Technical details may change that impression, or the general observation that the relaxation times of such events is measured in hours to a small number of days. Note: hosts with domain names ending in .mil have been observed in ad insert campaigns. Eric