USENIX Sec 08 DDoS

Transcription

Political DDoS: Estonia and Beyond
Jose Nazario, Ph.D.
jose@arbor.net
USENIX Security, 2008

Jose Nazario, Ph.D.
o Arbor 2002 - Present
o ATLAS, ASERT, ATF
o Research, analysis, engineering
Page 2

DDoS Background
Exhaust resources
Overwhelm target
Dispersed origins
Page 3

Page 4

DDoS Background
Page 5

DDoS Types
o Bandwidth exhaustion
– UDP floods
– ICMP floods
o Server resource exhaustion
– HTTP GET request floods
– SYN floods
o Spoofed or not
o Protocol abuse (i.e. DNS amplification)
Page 6

DDoS History
25 Gbps
200 FN, etc
Code Red
IRC
Nimda
Botnets
Dedicated
Page 7

Trivial
Requires human coordination
Page 8

Power to the People
Page 9

More Sophisticated
Page 10

Measuring Global Attacks
Page 11

Internet Attack Scale
o Unique attacks exceeding indicated BPS threshold for single ISP
o Average of three 1-Gbps or larger attacks per day over 485 days of collection
o Two 25 Gbps attacks reported by a single ISP (on same day, about one hour apart, duration of 35 minutes)
Page 12

21 Days Y/Y
o Significant Y/Y growth
o Identify additional trends: Holiday Season typically slow time for attackers
Page 13

Attack Intensity
2-3% Backbone Traffic
Page 14

Attack Subtypes
1 year of global measured attack data
1128 attacks per day average
30 attacks per deployment per day reporting

Attack Subtype        Percent of Total Attacks
DNS                    0.23%
IP Fragment           14.41%
Private IP Space       1.22%
IP NULL Protocol       0.78%
TCP NULL Flag          0.57%
TCP Reset              6.45%
TCP SYN               15.53%
Page 15
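The subtype column above is the kind of breakdown a flow-based measurement tool produces. The following is an added example, not from the talk or from any Arbor product: it labels constructed flow records with the slide's seven subtypes and computes the percentage column; the record field names, the sample addresses and the decision rules are assumptions.

```python
import ipaddress
from collections import Counter

# The seven subtype labels from the slide, in the slide's order.
SUBTYPES = ["DNS", "IP Fragment", "Private IP Space", "IP NULL Protocol",
            "TCP NULL Flag", "TCP Reset", "TCP SYN"]
# RFC 1918 space only; ipaddress.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (assumed field names, not a real exporter's schema).
FLOWS = [
    dict(proto=6,  src="203.0.113.5",  dport=80,  flags={"SYN"},        frag=False),
    dict(proto=6,  src="198.51.100.9", dport=80,  flags={"SYN"},        frag=False),
    dict(proto=6,  src="10.0.0.7",     dport=80,  flags={"SYN"},        frag=False),  # SYN from private space
    dict(proto=6,  src="203.0.113.8",  dport=443, flags=set(),          frag=False),  # no TCP flags at all
    dict(proto=6,  src="203.0.113.9",  dport=22,  flags={"RST"},        frag=False),
    dict(proto=17, src="192.0.2.3",    dport=53,  flags=set(),          frag=False),  # DNS
    dict(proto=17, src="192.0.2.4",    dport=53,  flags=set(),          frag=True),   # fragmented DNS
    dict(proto=0,  src="192.0.2.5",    dport=0,   flags=set(),          frag=False),  # IP protocol 0
    dict(proto=6,  src="203.0.113.20", dport=80,  flags={"ACK", "PSH"}, frag=False),  # ordinary traffic
    dict(proto=1,  src="203.0.113.21", dport=0,   flags=set(),          frag=False),  # ICMP, not a slide subtype
]

def labels(flow):
    """Slide subtypes one record matches; may be several (e.g. SYN flood from RFC 1918 space)."""
    found = set()
    src = ipaddress.ip_address(flow["src"])
    if any(src in net for net in RFC1918):
        found.add("Private IP Space")
    if flow["frag"]:
        found.add("IP Fragment")
    if flow["proto"] == 0:
        found.add("IP NULL Protocol")
    if flow["proto"] == 17 and flow["dport"] == 53:
        found.add("DNS")
    if flow["proto"] == 6:
        if not flow["flags"]:
            found.add("TCP NULL Flag")
        elif flow["flags"] == {"SYN"}:
            found.add("TCP SYN")
        elif "RST" in flow["flags"]:
            found.add("TCP Reset")
    return found

def subtype_breakdown(flows):
    """Percent of records carrying each label, like the slide's column; labels overlap, so it need not sum to 100."""
    counts = Counter(label for f in flows for label in labels(f))
    return {s: round(100.0 * counts[s] / len(flows), 2) for s in SUBTYPES}
```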

Attacks over Time
Page 16

By Protocol
Page 17

24 Hours of DDoS Around the World
Page 18

24 Hours of DDoS Targets
AP designates Asia-Pacific region
Page 19

Attack Command Victims - June 2008
Page 20

Attacking Botnet C&C Locations - June 2008
Page 21

DNS Attacks - When & What?
Timeline: OCT 2002, NOV 2002, JUN 2004, OCT 2004, NOV 2004, JAN-FEB 2006, NOV 2006, FEB 2007

Akamai attacked
Duration: 4 hours
No mitigation possible
Port 53, UDP, valid queries
Multi-millions queries per second
Impact: Global Impact

Root Server Attacked
Duration: 1 hour
Multi-modal: smurf, ICMP, port 53
“7” Root Servers appear unreachable
Impact: No noticeable user effect

DDoS for hire (extortion)
The golden age for worms/trojans
The perfect DNS DDoS in the wild
No protocol based defense or mitigation
Attack on Bandwidth, not applications or servers - 11 Gbps
Impact: Significant collateral damage

G, L & M Root Servers, Other TLDs
Utilized large bogus DNS UDP queries from many bots
Aggregate attacks 10 Gbps
Mitigate: Special Hardware
Impact: 90% Traffic dropped, localized user impact

UltraDNS TLD Servers Attacked
Duration: 24 hours
ICMP 0,8 and then port
Easily filtered -- uses pure volume of packets to disable
Results in 2-way traffic load
Impact: No noticeable user effect

UUNet Attack - 2nd Level DNS
UDP/53, auth servers for bank.foo
Spoofed source IPs - 800 Kpps
Impact: End-user/customer
Mitigated with Cisco Guard-XT
Collateral damage: 2x .gov & 2 7206s in network path

Root & TLD Attacks
Spoofed source IPs
Large Bogus Queries
10 Gbps
Regionalized User Impact

January-February
gTLD targets
Utilized open recursive servers
Average attack 7-10 Gbps
TLD Operators have no successful defense
Impact: Considerable user impact
Page 22

DDoS Motivations, Goals
Political, religious
Extortion, financial
Retribution, competition
Fun, personal
Not to scale
Page 23

Political Attack Arenas
o International
o Regional
o Domestic
Page 24

Political Attack Methodologies
o Website defacement
o E-mail bombing
o Spam
o Malcode
o DDoS
o Site hijacking (DNS)
Popularity
Page 25

UN Site Hack - 2007
August 12th, 2007
Via Giorgio Maone
Page 26

Political Attack Motivations
o Anger, frustration
o Protest
o Censorship
o Strategic
Page 27

Political Attacks Defined
o Target political visibility
– Presidential website
o Carry political message
– URL arguments
– Mailbomb messages
o Attack national, critical infrastructure
Usually inferred intent, purpose
Based on attacks, “chatter”
Page 28

iWar is distinct from what the United States (US) calls ‘cyberwar’ or from what China calls ‘informationalized war’
[Cyberwar] refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services.

iWar exploits the ubiquitous, low security infrastructure. It refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services. While nation states can engage in “cyber” and “informationalized” warfare, iWar can be waged by individuals, corporations, and communities.
“iWar”: A new threat, its convenience – and our increasing vulnerability (NATO Review, Winter, 2007), Johnny Ryan
Page 29

Increasing Cyber Attack Capabilities
o China
o US
o France
France prepares to fight future cyber wars
People's Daily Online, June 19, 2008
Page 30

Cyber Attack Responses and Responsibilities
o NATO
o EU
o US
Page 31

Pre-History
o Kosovo, late 1990’s
o Israeli-Palestinian hacking, Fall 2000
o China pilot “incident”, Spring 2001
o Korea, Winter Olympics, 2002
Page 32

“In late April and early May 2001 Pro-Chinese hacktivists and cyber protesters began a cyber assault on US web sites. This resulted from an incident in early April where a Chinese fighter was lost at sea after colliding with a US naval reconnaissance airplane. It also coincided with the two-year anniversary of the Chinese embassy bombing by the United States in Belgrade and the traditionally celebrated May Day and Youth Day in China. Led by the Honkers Union of China (HUC), Pro-Chinese hackers defaced or crashed over 100 seemingly random web sites, mainly .gov, and .com, through DoS attacks and similar exploits. Although some of the tools used were sophisticated, they were readily available to both sides on the Internet.”
National Infrastructure Protection Center, Cyber Protests: The Threat to the U.S. Information Infrastructure, Oct ‘01
Page 33

Recent Global Politically Motivated DDoS
o Estonia - April-May 2007
o Delfi.EE (Estonia, January 2008)
o CNN.com - April 2008
o Ukraine president’s site - Fall 2007
o Party of Regions (Ukraine) - Fall 2007
o Dissident politicians (Russia) - Fall, Winter 2007
o Radio Free Europe/Radio Liberty - April 2008
o Ukraine anti-NATO protests - June 2008
o Georgia President Website - July 2008
o Democratic Voice of Burma - July 2008
Page 34

Measuring Specific Attacks
o Internet statistics project
o Botnet infiltration, command tracking
o Flow data, if possible
o News monitoring
o Keyword triggers (i.e. ‘.gov’ in a command)
Page 35

Estonian DDoS Attacks
Page 36

The Statue
Page 37

Page 38

Page 39

100 Mbps
Page 40

100 %
Page 41

10 hours
Page 42

Page 43

Translated Comments
Running and . Estonian amateur server.
So today in Moscow or 23.00 to 22.00 on Kiev hit on all servers. Just among friends, the more people the more likely hang them. html
Estonia and fascism
So straight to the point.
in the light of recent events . shorter propose pomoch Ddos attack on government sites Estonia.
Russian Belarus has blocked sites will soon rise but not desirable.
http://rusisrael.com/forum/?forum id 10425
Page 44

Page 45

Our Conclusions
o Widely dispersed attacks
– Sources aggregate to 0.0.0.0/0
– Could be the result of spoofing BUT sources we analyze are legitimate
– Botnets most likely
o ATLAS didn’t see all attacks
– Started before May 3, lasted beyond May 11
o Attribution impossible to ANYONE with our data
Page 46

Why is Estonia So Interesting?
o David and Goliath story
o Estonia is a model
o Estonia was vulnerable to such attacks
Page 47

Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic, political, and military organizations may increase in the future.
Clay Wilson, US State Dept Analyst, Jan 2008
Page 48

What Worked in Estonia
Collaboration
Filtering traffic
Outreach
Research, investigations
Page 49

Roles in International Cyber Attacks
o ISPs: Defense
o CERT teams: Coordination
– National, international
o Law enforcement: Domestic
o State department: International
o Military: Offensive
Hat tip: Bill Woodcock, Estonia Lessons
Page 50

DDoS Remediation
Cut traffic off here
Not here
Requires global outreach
Page 51

Remediation in Estonia
o Cisco (formerly Riverhead)
o Panoptis
o Arbor Peakflow SP
o Narus Insight Manager
o Lancope Stealthwatch
o Q1 Labs Q1 Radar
o All flow-based, direct measurements tools
o Source-based uRPF filtering
o Arbor TMS trial installed
Hat tip: Bill Woodcock, Estonia Lessons
Page 52

Estonia - What Happened Next?
o Attacks started to dwindle after Victory Day
o Multiple investigations
o Estonian citizen fined for botnet activities
o Newspaper attacked during Russian trial (rioters)
o No 1 year anniversary attacks
Page 53

100,000
via Michael Lesk, "The New Front Line: Estonia under Cyberassault," IEEE Security and Privacy, vol. 5, no. 4, pp. 76-79, Jul/Aug, 2007
Page 54

Crime and Punishment
Page 55

The Picture in Estonia - Responsibility
o Unlikely that Dmitri Galushkevich only person responsible
– 50-50 global, regional sources
– Botnet vs manual tools
o Blog statements
o Any further investigations ongoing?
Page 56

Conjecture in Estonian Attacks
o Russian youth groups involved
– Possibly specifically encouraged by political party
Nashi
Young Russia
Mestniye
Page 57

Global Concerns
o Critical infrastructure
o Banking
o Commerce
Page 58

Disruption vs Destruction
Page 59

I think it’s really difficult to compare the two of those, whether a cyber 9/11 is possible — but when we look at the death and destruction caused in a real world attack, I don’t think we can compare the two.
The way I try to answer this, is that we tend to look at cyber attacks as “disruptive,” and not “destructive.” We think of some regions in the world that have dependence on ICTs — whether it’s power systems or transport. But these critical systems are built in a way to ensure only “disruption” and not “destruction.” We’ve come a long way in, and today we are able to identify attacks early, mitigate it quickly and recover from it fast as well.
- Howard Schmidt, June 2006
livemint.com
Page 60

In the Past Year - Reactions
o NATO - Cybercenter of Excellence, Tallinn
o Malaysia - IMPACT
o US - Defense, open discussions of offense
o EU - Discussing
o Big open questions
– What is the shared responsibility?
– Who should respond? Military? Civilian?
– Who coordinates?
Page 61

Other Attacks
o Democratic Voice of Burma, related websites
o Georgia President’s website
o Ukraine President’s website
o Ukraine Party of Regions
o Russia - Kasparov’s site
o China - CNN website
o Spain - Russia, Euro Cup Semis
Page 62

Ukraine - NATO Protests
flood http 5.ua ?message nato go home
Week of June 15, 2008
http://www.russiatoday.ru/news/news/26316
Page 63

Georgia - Unknown Motivations
July 18-20, 2008
Machbot Network
C&C located in US
FREQ DDOS DDOS DDOS DDOS DDOS
18000000 59999400003 59999400002 59999400001 59999400000
ent.gov.ge
/ 0 win love in Rusia 80 780 780 77/ 1 win love in Rusia 80 7
Page 64
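The "Measuring Specific Attacks" slide lists keyword triggers such as ‘.gov’ in a command, and the Ukraine and Georgia slides show the two command shapes the talk observed: an HTTP flood order carrying a message argument, and Machbot-style DDOS rows. The following is an added example, not from the talk or from ATLAS, of a triage filter over tracked C&C commands; the hostnames are placeholders, and the token layout and the trigger word lists are assumptions.

```python
import re

# Trigger lists in the spirit of the talk's keyword-trigger idea; both are assumptions.
GOV_SUFFIX = re.compile(r"\.(gov|mil)(\.[a-z]{2})?$")   # .gov, .mil, .gov.ge, .gov.ee ...
MESSAGE_TRIGGERS = ("nato", "estonia", "georgia", "rusia", "russia")
ATTACK_VERBS = {"flood", "ddos"}

# Constructed C&C lines (placeholder hosts, not the talk's real targets).
SAMPLE_COMMANDS = [
    "flood http news.example.ua ?message=nato go home",
    "DDOS www.example.gov.ge / 0 win love in Rusia 80 7",
    "flood syn shop.example.com 443",
    "update http://example.net/bot.bin",
    "DDOS president.example.gov 80",
]

def parse_command(line):
    """Split one line into verb, target host and free-text remainder.
    Assumed layouts: 'flood <proto> <host> ...' and Machbot-style 'DDOS <host> ...'."""
    parts = line.strip().split()
    if not parts:
        return None
    verb = parts[0].lower()
    if verb == "flood" and len(parts) >= 3:
        host, rest = parts[2], parts[3:]
    elif verb == "ddos" and len(parts) >= 2:
        host, rest = parts[1], parts[2:]
    else:
        host, rest = None, parts[1:]
    return {"verb": verb, "host": host.lower() if host else None,
            "message": " ".join(rest).lower()}

def triggers_for(line):
    """Keywords this line hits; empty when it is not an attack order or hits nothing."""
    cmd = parse_command(line)
    if cmd is None or cmd["verb"] not in ATTACK_VERBS:
        return []
    hits = []
    m = GOV_SUFFIX.search(cmd["host"] or "")
    if m:
        hits.append(m.group(0))   # anchored at the end, so 'governor.example.com' does not fire
    hits += [w for w in MESSAGE_TRIGGERS
             if re.search(r"\b%s\b" % re.escape(w), cmd["message"])]
    return hits

def flag_political(lines):
    """Lines worth an analyst's look, paired with the keywords that fired."""
    flagged = []
    for ln in lines:
        hits = triggers_for(ln)
        if hits:
            flagged.append((ln, hits))
    return flagged
```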

Regional Tensions
Withdrawal of Georgian troops only way out of Abkhazia conflict - Medvedev
July 19, ‘08
Page 65

Similarities in Russian-tied DDoS Attacks
o Former Soviet Bloc nations
o High population of ethnic Russians remaining
– Georgia Ethnic groups (2002 census): Georgian 83.8%, Azeri 6.5%, Armenian 5.7%, Russian 1.5%, other 2.5%.
– Estonia Ethnic groups: Estonians 68.6%, Russians 25.6%, Ukrainians 2.1%, Belarusians 1.2%, Finns 0.8%, other 1.7%.
– Ukraine Ethnic groups: Ukrainians, Russians, Belarusians, Moldovans, Hungarians, Bulgarians, Jews, Poles, Crimean Tatars, and other groups.
– Belarus Ethnic groups (1999 census): Belarusian (81.2%), Russian (11.4%), Polish (3.9%), Ukrainian (2.4%), Jewish (0.3%), other (0.8%).
o Exploring relationships with NATO
Data via US State Dept website
Page 66

Questions - In order
o What?
o How?
o Where?
o Who?
o Why?
Page 67

Response
"There is a discussion over how cyber aggression should fit into current law and whether a conventional attack would be suitable retaliation”
Johannes Ullrich, SANS Institute
Page 68

Historical Perspective
ACTIVISM, HACKTIVISM, AND CYBERTERRORISM: THE INTERNET AS A TOOL FOR INFLUENCING FOREIGN POLICY
Dorothy E. y/workshop/papers/denning.html
Page 69

Recent Writings
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for n/102643.pdf
“iWar”: A new threat, its convenience – and our increasing vulnerability
NATO Review, Winter, 2007, Johnny glish/analysis2.html
Page 70

DDoS Futures
o Significant growth in tools
– Bots and botnets
– “Every man” usable tools
o No end to growth of nationalism, disputes
o Increased targeting of dissident groups
o Attribution remains significant challenge
o Hard to stop an upset, connected populace
Page 71

What Cyber Attacks Provide
o Plausible deniability
o Level playing field
o Targeted at communications
o Censorship
Page 72

Effective Denial of Service
Page 73

Thank you
Page 74
