
Defense in Depth

July 3, 2008 1:35 PM PDT

Hundreds of Lithuanian Web sites defaced

by Robert Vamosi
  • 2 comments

Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to The New York Times.

Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not do so and over the weekend took the brunt of the attack. By Monday, almost all of the sites had been restored.

As with last year's Estonian denial-of-service attacks, the new attacks appear to be in reaction to a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi symbols.

Early evidence suggests a group of criminal hackers may have organized the attacks. The IPs used in the attacks appear to be from a variety of nations, but Reston, Va.-based iDefense told the Washington Post that one site, hack-war.ru, appeared to have organized the protest.

Over at our sister site ZDNet, Dancho Danchev examines whether the defacements could escalate into denial-of-service attacks, and concludes they might.

Meanwhile, in his blog, Brian Krebs speculates on nations or nationalistic parties within nations mounting or defending themselves against cyberattacks such as these in the future.

May 20, 2008 2:34 PM PDT

The Estonia cyberwar: One year later

by Robert Vamosi
  • 1 comment

One year ago, the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis, a move that may have triggered what some believe is the first instance of a sustained, international cyberwar.

Now, Gadi Evron, a former Israeli Government CERT manager who was in Estonia at the time of the attacks, has revisited the events with an article in the Georgetown Journal of International Affairs and reprinted here online (PDF).

Evron said what could be described as a "flash mob" created the disturbances in the Estonian Internet during May 2007. "Not only did the cyber riot start almost simultaneously with the actual riots, fresh posts in the Russian-language blogosphere continuously appeared with new targets and instructions. These details suggest that the cyberattackers reacted to Estonian defenses," he wrote.

On the subject of who was orchestrating the events, Evron doesn't blame Russia, but he doesn't shy away from mentioning the country either. He writes: "Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure--or unwillingness--of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack."

The events in Estonia began on April 27, 2007, when Estonian officials relocated the Bronze Soldier, a Soviet-era war memorial, to a park outside the nation's capital. The decision provoked rioting by ethnic Russians, who took to the streets of the capital, Tallinn, in protest. The pro-Russia protesters blockaded the Estonian Embassy in Moscow. And in a rather unique way, a few even took their ire to the Internet.

Evron previously recounted his experience at last summer's Black Hat security conference in Las Vegas.

Not everyone is buying Evron's account. Viktor Larionov, posting on Bugtraq from Tallinn, Estonia, takes issue with Evron's story, not just the political but the technical side of it, calling it one big bluff. "In general," Larionov writes, "a lot of IT experts around here are concerned that no 'cyberwar' has never happened (and) maybe 10 to 20 DDoS attacks which took place" simply caught some sleeping admins off-duty. He adds, "Tell me, how many attacks or...attack attempts does your corporate network suffer during the day?"

April 18, 2008 10:29 AM PDT

Cyberprotests planned in support of China

by Robert Vamosi

Several groups of Internet organizers plan to show on Saturday that they can mobilize patriotic Chinese Internet users and wield their influence worldwide against what they say is anti-Chinese media in the Western world.

The Dark Visitor, a site that tracks the activities of Chinese computer hackers, is reporting that a distributed denial-of-service (DDoS) attack on CNN.com is planned for 8 p.m. Beijing time, or 5 a.m. PT in the United States.

But the organizers themselves (Google translated page) appear to be waffling, and Jose Nazario of Arbor Networks reports that there has been little preattack activity within the last 24 hours.

Calling their action the "Revenge of the Flame," a group of computer protesters in China appears to have learned from both last year's cyberattacks on Estonia and the more recent anonymous attacks on the Church of Scientology. But Revenge of the Flame organizers stress that their attacks will not be a crime.

"We want to be patriotic," one organizer wrote, arguing that they intend to link Chinese Internet users together against one target: CNN.com. Should the attack be successful, the Revenge of the Flame planners will then consider immediately dissolving the flame of revenge ("after all, cybercrime is cybercrime," says the organizer), continue to attract more users, and "enhance the people's awareness of network security."

In the real world, a separate, perhaps unrelated, group is planning (Google translated page) for simultaneous protests on Saturday in Berlin, Amsterdam, London, and Paris.

Meanwhile, yet another Internet site, Anti-CNN.com, claims that protests in favor of China have not been published fairly by Western media in Germany, France, Canada, and the United States.

A banner on Anti-CNN.com says (translated from the Chinese), "We are not against the Western media, but against the lies and fabricated stories in the media." The site includes example headlines from Der Spiegel, The Washington Post, and Fox News, in which it claims that photos of the police attacking the monks are Nepalese, not Tibetan.

January 25, 2008 2:47 PM PST

Whose Internet is it anyway?

by Robert Vamosi
  • 17 comments

This week we've seen two Internet events that are more alike than dissimilar. On Wednesday, an Estonian court convicted a 20-year-old Russian for his part in last spring's distributed denial-of-service (DDoS) attacks on that nation. On Thursday, word of mounting DDoS attacks on the Church of Scientology spread. Ultimately, both events could have larger repercussions.

The attack on the Estonian Web sites was prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. Gadi Evron of Beyond Security said at last year's Black Hat USA that he found only one case of unique code used in the attacks, which lasted from April 27 through mid-May. Evron said the attack had the appearance of an Internet flash mob, and now, with the conviction, it appears to have been loosely organized by a group of college kids. Evron cited evidence of at least one e-mail inciting Internet action on a particular date at a particular time during the Estonian attacks.

A similar event is happening now. DDoS attacks against the Church of Scientology appear to be coming from a loosely organized group of individuals calling themselves Anonymous or Anon. The attacks, according to Jose Nazario of Arbor Networks, appear to use common code and early attacks originated from one IP address.

As with the events in Estonia, as news spread, more individuals may now be targeting the Church of Scientology in a sort of "me too" frenzy. A Web site called Project Chanology continues to detail present and future actions by Anonymous and others.

The idea that a handful of skilled individuals could decide to "take out" a particular group or company or government for any reason is a very disturbing one indeed.

January 25, 2008 1:49 PM PST

Technical aspects of the DDoS attacks upon the Church of Scientology

by Robert Vamosi
  • 2 comments

Dr. Jose Nazario of Arbor Networks has been looking at the technical side of the distributed denial-of-service (DDoS) attacks upon the domain registered to the Church of Scientology International. In general, he finds that while there have been a lot of DDoS attacks, the early ones were mild. They were, however, stronger than the DDoS attacks upon various Estonian sites last spring. As a protective measure, the Church of Scientology has since moved its domain to a more protected space.

Prior to the move, Nazario found that on January 19, there were 488 DDoS events, all of which appear to come from one IP address, "indicating," said Nazario, "that this is not a huge, broadly sourced attack (i.e. it may not have registered on other ISPs systems)." He also notes that the types of attacks he saw on Saturday were "common, garden-variety DDoS attacks."

Nazario's other findings include:

  • Maximum PPS rates seen: nearly 20,000 pps (packets per second), with an average attack size of 15,000 pps.
  • Maximum bandwidth seen per attack: 220 Mbps, with an average attack size of 168 Mbps. This is on the high side of an attack, but significantly smaller than the largest ones we commonly see nowadays.
  • Maximum duration of a single attack: 1.8 hours, which is on the long end of common, but the average attack lasted just under half an hour.

On January 21, the Church of Scientology moved its domain to Prolexic Technologies, a company that protects Web sites from DDoS attacks. Attacks against the site have increased, with a major assault on Thursday night at 6 p.m. EST.

Nazario says, "I went looking and was unable to detect attacks against the Scientology Web site in particular. The new IP address of the CoS Web site is located within the Prolexic DDoS service network. It's difficult for (Arbor Networks) to detect these attacks in particular from the milieu of DDoS attacks" inside the Prolexic service.

January 24, 2008 10:03 AM PST

First conviction for Estonia's 'cyberwar'

by Robert Vamosi

A 20-year-old Russian has been convicted for organizing some of the attacks on Estonia's government sites during spring 2007, the Agence France-Presse reported on Thursday.

"Dmitri Galushkevich is the first hacker to be sentenced for organizing a massive cyberattack against an Estonian Web page," Gerrit Maesalu, spokesman for the regional prosecutor's office in northeast Estonia, told the AFP. Galushkevich was fined 17,500 krooni (about $1,600). He admitted his guilt, said Maesalu.

The distributed denial-of-service (DDoS) attacks, which some security experts have alternatively called a flash mob or the first-ever cyberwar, were prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. From late April through mid-May 2007, various Internet-based services within Estonia were not accessible.

Estonians rely heavily on the Internet for basic services such as paying for food, water, and gas, said Gadi Evron, security evangelist for Beyond Security. Evron has studied the incident thoroughly. "The more technology there is within a country, the more dependent the country is on technology and therefore, the more vulnerable," he said.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
