Issue No.08 - August (2007 vol.8)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MDSO.2007.50
News about distributed-denial-of-service attacks on Estonian government Web sites might have represented more smoke than fire, but it also revealed a new political battlefield. Networking veterans say public officials' accusations can make ad hoc "hacktivism" seem like a state-sponsored attack. When you add porous network defenses and a credulous media, you've got the potential for a real problem.
For several weeks beginning in early May, critical public- and private-sector Web sites in the Baltic nation of Estonia suffered crippling distributed-denial-of-service attacks. The DDoS attacks weren't particularly larger than anything network experts had seen before, nor were they harbingers of new malware tactics. However, the "soft" elements surrounding them brought new attention to the attack vectors available to anyone with a political chip on the shoulder and rudimentary knowledge of network dynamics. These elements also elicited new resolution from public-sector organizations to increase cross-border cooperation.
Initial reports tied the attacks to an ongoing feud between Estonia and Russia. The Estonian government blamed the Russian government for the attacks, claiming to have traced one of the attacking computers to an IP address in one of Russian President Vladimir Putin's offices. The Russian news agency RIA Novosti (http://en.rian.ru/russia/20070517/65661919.html) quoted government officials as denying any role in the attacks.
Subsequent investigations revealed the difficulty of discovering the motives and ultimate operators behind a botnet DDoS attack. Also, the very nature of the state-versus-state scenario painted in the first reports only obscured salient technical facts behind them.
"Ignoring any politics in the situation, from a technical point of view it doesn't take a whole lot of energy to DoS a country the size of Rhode Island," says Marty Lindner, a senior member of the technical staff at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University's Software Engineering Institute. "There's all this talk about this enormous DDoS attack. An attack that size is hitting various parts of the US and other countries every day."
New level of public-sector concern
Lindner says the vast majority of attacks in the US don't hit the news pages because there's so much unused bandwidth that only the target really feels the pain.
"In the case of Estonia, they were only targeting 12 or 13 distinct Web sites, but the collateral damage was the national bandwidth resources," Lindner says. "In the big scheme of things, short of getting people outside the country to filter the attack traffic, there wasn't much somebody in Estonia could do but hold on for the ride."
Lindner says the relative isolation of the Estonian network infrastructure contributed to the attacks' scale and duration. By isolation, he's not speaking about the actual network facilities themselves but the supporting organizational structure between the Estonian operators and their colleagues in other nations.
"The ISPs in Estonia hadn't established the relationships with their friends and neighbors," he says. "If the same type of attack were to happen again, I think the relationships have been established so more people would get involved in a more timely manner."
In regions where ISPs have established such relationships and organizations, such as the North American Network Operators Group (NANOG), Lindner says these informal, time-critical communication channels are well established.
"You wouldn't hear about a medium-sized company in the US that's bigger than Estonia, networkwise, that gets hit with the same type of attack, because it's not newsworthy unless they go bankrupt," Lindner says. "From a technical point of view, this is old hat; there's no magic here."
However, the initial suspicions of some sort of state-inspired (if not orchestrated) motivation behind the attacks led to unprecedented public reaction from government security organizations worldwide. On 22 May, Franco Frattini, the European Commission's commissioner for freedom, justice, and security, announced a new European Union policy (http://europa.eu/rapid/pressReleasesAction.do?reference=IP/07/689&format=HTML&aged=0&language=EN&guiLanguage=en) intended to combat cyberterrorism.
"Recent coordinated attacks oriented against the informatics systems of a Member State reinforce the need for a coordinated action across the Union involving the Commission and Member States," Frattini said in announcing the new initiative. "There is general agreement in Europe on the need to take action at EU-level."
The European Network and Information Security Agency also issued a statement regarding the Estonian attacks. However, ENISA's statement made clear that the agency itself wasn't taking any operational role in dealing with cybercrime, which is the responsibility of member state law enforcement authorities in coordination with Europol:
DDoS attacks are hard to mitigate and demand a lot of coordination and cooperation from various parties. CERT Estonia, established late last year, along with many local security managers and CERTs from other countries, had to establish such a cooperative effort quickly to subdue the attacks. Various CERTs from Europe and beyond helped to involve the international CERT community in mitigating attacks in Estonia.
Will politics trump policy?
After the Estonian attacks, a spate of news stories analyzed the likelihood of continued cyberattacks. Specifically, stories considered possible attacks that might run under the auspices of regimes bent on international mischief—or looked upon by them with a nod and a wink if the attacks served their purposes.
"Estonia was a hint to people they ought to be thinking a little more seriously about this kind of thing," says James Lewis, director of the technology and public policy program for the Center for Strategic and International Studies, a Washington, D.C.-based think tank. "It's just going to be part of the normal practice."
For example, both the New York Times (http://www.nytimes.com/2007/06/24/weekinreview/24schwartz.html?ex=1184817600&en=18f2e485db1066ce&ei=5070) and the London consultancy mi2g (http://www.intentblog.com/archives/2007/05/cyber_warfare_b.html) wrote pieces highlighting China's supposed preparation for cyberwarfare. Both stories cited a recent US Defense Department report (http://www.defenselink.mil/pubs/pdfs/070523-China-Military-Power-final.pdf) on the Chinese military's capabilities, quoting its passage on information warfare. Yet that passage occupies only about a half page in the 50-page report, much of it boilerplate about elements of information warfare that most advanced nations possess.
No one has yet pinpointed a connection between the Estonian attacks and the Russian government. Nevertheless, don't expect politicians to be discouraged from quickly blaming a specific adversary for a DDoS attack. Lewis says cyber saber-rattling should be considered part of the future's everyday landscape.
"It's one of those things that people are going to have to get used to as part of politics," Lewis says. "That's sort of slowly dawning on people. Estonia wasn't a fluke, a one-time event."
Additionally, Lewis says the current climate of dire warnings about national interests in the context of network accessibility and security might be counterproductive in truly advancing knowledge about how DDoS attacks—and their fixes—really work.
"In some ways, we may have talked ourselves into a box," he says. "If you say, 'It's the end of the world!' and, guess what—it isn't, then how do you deal with this? I don't think it changed anybody's mind. It might have changed some minds in NATO and Europe, but not in the US."
One network security veteran says the Estonian attacks' aftermath was predictable and disheartening, so much that he actually stopped following the issue.
"The global reaction early on was the one to be expected, which was 'Oh my God, cyberterrorism, cyberwarfare, run for the hills!'" says Richard Forno, principal consultant for the consultancy KRVW Associates. "And in fact, as soon as I saw that, I just turned off. I didn't even do any further looking into the story. I figured the media was going to blow it all out of proportion."
Forno says much of the information coming from government officials about who might be lurking in the cyberbushes, and about the sometimes porous state of public-sector security, is the same as it was 10 years ago. He recalls lectures he gave at the National Defense University about five years ago in which he dissected a Defense Department intranet that was billed as "peered and redundant," and therefore virtually impervious to attack. He demonstrated, however, that the supposedly separate networks used the same provider and shared several common facilities.
"So, if you knew where these central points were," he explains, "you could disrupt coast-to-coast or regional communications. And people were flabbergasted." Essentially meaningless boilerplate warnings and often fruitless attempts to plug vulnerabilities can't be blamed on any specific administration, Forno says. It's just the nature of government IT.
CSIS's Lewis says these network shortcomings aren't exclusive to any nation, which people should keep in mind when somebody is quick to blame another regime. In the case of China, for instance, Lewis says, "we also know their network security is really bad, so if it was somebody else who wanted to make it look like the Chinese were doing it, it wouldn't be that hard."
Neither Forno nor Lewis is confident that this lesson, or any of the more nuanced details about botnet attacks, has gotten through to either public officials or the mainstream press following Estonia's crisis.
If any lesson might be gleaned from the Estonian situation, it's that governments, which can prepare their own intranets and shepherd best practices, can only do so much during crises over the wider Internet.
"At the end of the day, governments are not the guys who can fix this problem," Lindner says. "It's the top-tier carriers—the Level 3s, the Qwests, the AT&Ts, and their counterparts—who can do that. If there are 5,000 computers targeting Estonia, and 2,000 are in the US, the US operators can help with those 2,000, but other people elsewhere have to tackle the other 3,000. So you need to understand where the attacks are coming from, and you have to reach out to a very broad community to start filtering them."