Black Hat 2007: Estonian attacks were a cyber riot, not warfare

Researcher Gadi Evron says recent attacks against Estonia weren't government-sponsored warfare, but the U.S. and other large countries could learn from Estonia's successful response.

LAS VEGAS -- Security researcher Gadi Evron helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April. While plenty of questions remain as to what happened and why, he's confident the culprit was not the Russian government as many assumed from the outset.

Instead, he said this was a mob riot in the streets of cyberspace, sparked by anger over the Estonian government's decision to move a revered WW II memorial from the Soviet era. Evron, a security evangelist with McLean, Va.-based Beyond Security, told attendees at the Black Hat USA 2007 Briefings Thursday.

He said the good news is that Estonia's CERT (Computer Emergency Response Team) and IT professionals from the private sector were well-coordinated and the Baltic nation quickly bounced back following the incident. The bad news is that cyber riots like this will probably happen more in the future, engineered by people in command of botnets and inspired by what happened in Estonia.

More on Estonia attack

Black Hat 2007: Lessons of the Estonian attacks

Experts doubt Russian government launched DDoS attacks

Can service providers prevent DDoS attacks?
"The Estonians held the line, practiced online mob control and focused on getting things back up and running," Evron said. "[But] the concept of an online mob has proven itself and this will likely receive more attention in the future."

While the attacks hardly broke records in terms of size or sophistication, Evron said they still managed to cause serious short-term disruptions in Estonia, a nation of 1.3 million people that has become almost entirely dependent on the Internet. He noted that the country built its infrastructure from scratch after the collapse of the Soviet Union, with the Internet forming much of the backbone. Almost 100% of its citizens conduct their banking online, and everyone has an ID card with a PKI (public key infrastructure) chip embedded inside. Elections also take place online, with voters casting their ballots from home.

Soon after the attacks began Saturday, April 27, people were unable to buy such essentials as gas and groceries, Evron said, since credit card transactions couldn't be completed.

"Critical infrastructure proved to be [IT systems] in the private and business sectors, not things like transportation and energy," he said. "ISPs, banks and media Web sites became critical items that had to be protected."

The attackers and defenders acted in an ad hoc manner, Evron said. On the Estonian side, citizens volunteered to comb through network activity logs. Conversely, one person enraged by the relocation of the WW II statue made an online request for donations to a PayPal account for the purpose of hiring a botnet to launch attacks. In the same message thread, someone volunteered two of his botnets. In the final analysis, Evron said, the attackers used botnets the way rioters in the street might use rocks and bottles.

And though the Estonians probably weren't as prepared as they should have been, Evron pointed to the controlled, coordinated response as an example from which other governments and private sector entities can learn.

Rather than trying to respond to every individual attack, the first responders made bringing systems back online their top priority, focusing on the targets instead of the source of attack. Technical analysis was limited to cases where a difference could be made, Evron said.

Special Black Hat coverage

Check out more of SearchSecurity.com's special news coverage of Black Hat USA 2007.
He praised the Estonian CERT for staying on top of events and coordinating well with the private sector. Of course, he added, in a small, tightly knit nation, a successful comeback was easier than it might have been had the attacks been directed at the United States or another large country.

"Estonia is unique," Evron said. "Everyone knows each other and the country's online presence is concentrated. There's a networking of small groups with less burocracy, and it worked for them."

As noteworthy as the Estonian attacks were, Evron said its significance has been overblown in the media, with more FUD than warranted. He said he gets irritated when someone describes the attacks as "the first Internet war."

He said, "What happened in Estonia has happened many times over. The techniques were not new."

Dig deeper on Information Security Incident Response-Detection and Analysis

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close