Experts doubt Russian government launched DDoS attacks

By Bill Brenner, Senior News Writer
18 May 2007 | SearchSecurity.com


Some experts are dismissing speculation earlier this week that hackers sponsored by the Russian government were behind a series of blistering distributed denial-of-service (DDoS) attacks in the Baltic country of Estonia.

The attacks left Web sites for Estonia's prime minister, banks and schools in disarray and some observers pointed fingers at Russia, given its apparent anger over Estonia's decision to remove a bronze statue of a Soviet-era soldier that was part of a World War II memorial.

But information security experts now say it's very unlikely this was a case of one government launching a coordinated cyberattack against another. It was more likely the work of smaller organized groups in control of hijacked computers from around the world, they said.

"Attributing a distributed denial-of-service attack like this to a government is hard," Johannes Ullrich, chief research officer of the Bethesda, Md.-based SANS Internet Storm Center (ISC), said in an email exchange. "It may as well be a group of bot herders showing 'patriotism,' kind of like what we had with Web defacements during the US-China spy-plane crisis [in 2001]."

Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT), said in published reports Thursday that most of the affected Web sites have been restored to normal service. He also expressed skepticism that the attacks were from the Russian government, noting that Estonians were also divided on whether it was right to remove the statue. And since the attacks began, investigators have found evidence that while Russian hackers may be involved, malicious activity also originated from computers in the U.S., Brazil, Canada and Vietnam.

"I think it is extremely unlikely that the attacks are being sponsored by the Russian government," Graham Cluley, senior technology consultant for UK-based security software company Sophos, said in an email exchange. "The fact that DDoS attacks may be coming from Russian authority computers does not necessarily mean that the Russian authorities have endorsed the attacks. Indeed, it's quite possible that these are PCs which have been taken over by remote hackers."

There have been many instances in the past where hackers have gained access to poorly-defended government and military computers in order to cause mischief, Cluley added.

"If you were the Russian government and wanted to launch an attack against Estonian authority Web sites -- knowing that the world would take a keen interest -- would you really use your own PCs to do it?" Cluley said. "It is quite possible that this is a small group of politically motivated hackers who have a grievance against the Estonian authorities who have taken remote control of PCs to attack Estonian Web sites."

While that may be the case, industry experts said the incident is yet another example of what can happen if governments don't do more to secure their IT infrastructure. The U.S., for example, has come under scrutiny for not doing more to harden its systems.

When a White House ID theft task force released recommendations to better protect people from online fraud last month, for example, the Cyber Security Industry Alliance (CSIA) said the document was short on guidelines to help federal agencies address their own security shortcomings.

The U.S. government learned how vulnerable its systems can be two years ago, when it discovered the ongoing attacks that were eventually dubbed Titan Rain. In those attacks, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn't taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together.

Ullrich doesn't believe government networks are being defended well enough, given the steady stream of news reports about compromised networks. But, he added, defending against the kind of attack Estonia suffered is no easy task.

"Defending against a DDoS is very hard if you are running a large government network across globally-shared media," he said. "The best defense against a DDoS is a contingency plan. [Governments] have to plan for widespread network disruption. Once the attack is under way, critical records such as phone lists may no longer be reachable." Any good disaster recovery plan should cover these scenarios, he said.

John LaCour, a CISSP and director of product management for San Francisco-based security firm MarkMonitor Inc., said it's equally important for private enterprises to prepare for these kinds of attacks. After all, he said, companies remain a bigger target than government systems.

"Virtually all American businesses are connected to the Internet so there's an endless opportunity to go after private companies," he said. "But while the government is on the Internet, classified systems are more restricted and guarded. Often, cyberattacks are initiated by political groups who are not necessarily state sponsored. As part of their method of operation, it's about targeting the commercial interests."

Should there be escalating cyberattacks against first-world countries, he said, attacks against commercial entities will also be more prevalent. Therefore, enterprises need to have a response plan.

"Often, organizations won't be able to defend against it on their own so they should have a coordinated battle plan with their ISPs and others," LaCour said. "The big problem with DDoS attacks is the potential for collateral damage beyond the prime target."