Black Hat 2007: Estonian attacks were a cyber riot, not warfare

By Bill Brenner, Senior News Writer
03 Aug 2007 | SearchSecurity.com


LAS VEGAS -- Security researcher Gadi Evron helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April. While plenty of questions remain as to what happened and why, he's confident the culprit was not the Russian government as many assumed from the outset.

Instead, Evron, a security evangelist with McLean, Va.-based Beyond Security, told attendees at the Black Hat USA 2007 Briefings Thursday that this was a mob riot in the streets of cyberspace, sparked by anger over the Estonian government's decision to move a revered Soviet-era WW II memorial.

He said the good news is that Estonia's CERT (Computer Emergency Response Team) and IT professionals from the private sector were well-coordinated and the Baltic nation quickly bounced back following the incident. The bad news is that cyber riots like this will probably happen more in the future, engineered by people in command of botnets and inspired by what happened in Estonia.

"The Estonians held the line, practiced online mob control and focused on getting things back up and running," Evron said. "[But] the concept of an online mob has proven itself and this will likely receive more attention in the future."

While the attacks hardly broke records in terms of size or sophistication, Evron said they still managed to cause serious short-term disruptions in Estonia, a nation of 1.3 million people that has become almost entirely dependent on the Internet. He noted that the country built its infrastructure from scratch after the collapse of the Soviet Union, with the Internet forming much of the backbone. Almost 100% of its citizens conduct their banking online, and everyone has an ID card with a PKI (public key infrastructure) chip embedded inside. Elections also take place online, with voters casting their ballots from home.

Soon after the attacks began Saturday, April 27, people were unable to buy such essentials as gas and groceries, Evron said, since credit card transactions couldn't be completed.

"Critical infrastructure proved to be [IT systems] in the private and business sectors, not things like transportation and energy," he said. "ISPs, banks and media Web sites became critical items that had to be protected."

The attackers and defenders acted in an ad hoc manner, Evron said. On the Estonian side, citizens volunteered to comb through network activity logs. Conversely, one person enraged by the relocation of the WW II statue made an online request for donations to a PayPal account for the purpose of hiring a botnet to launch attacks. In the same message thread, someone volunteered two of his botnets. In the final analysis, Evron said, the attackers used botnets the way rioters in the street might use rocks and bottles.

And though the Estonians probably weren't as prepared as they should have been, Evron pointed to the controlled, coordinated response as an example from which other governments and private sector entities can learn.

Rather than trying to respond to every individual attack, the first responders made bringing systems back online their top priority, focusing on the targets instead of the source of attack. Technical analysis was limited to cases where a difference could be made, Evron said.

He praised the Estonian CERT for staying on top of events and coordinating well with the private sector. Of course, he added, in a small, tightly knit nation, a successful comeback was easier than it might have been had the attacks been directed at the United States or another large country.

"Estonia is unique," Evron said. "Everyone knows each other and the country's online presence is concentrated. There's a networking of small groups with less bureaucracy, and it worked for them."

As noteworthy as the Estonian attacks were, Evron said their significance has been overblown in the media, with more FUD than warranted. He said he gets irritated when someone describes the attacks as "the first Internet war."

He said, "What happened in Estonia has happened many times over. The techniques were not new."
