[Infowarrior] - IEEE: The Politics of DDoS Attacks
Richard Forno
rforno at infowarrior.org
Wed Aug 8 17:01:05 UTC 2007
The Politics of DDoS Attacks
Greg Goth
http://tinyurl.com/ywrm8c
For several weeks beginning in early May, critical public- and
private-sector Web sites in the Baltic nation of Estonia suffered crippling
distributed-denial-of-service attacks. The DDoS attacks weren't much
larger than anything network experts had seen before, nor were they
harbingers of new malware tactics. However, the "soft" elements surrounding
them brought new attention to the attack vectors available to anyone with a
political chip on the shoulder and rudimentary knowledge of network
dynamics. These elements also elicited new resolution from public-sector
organizations to increase cross-border cooperation.
Initial reports tied the attacks to an ongoing feud between Estonia and
Russia. The Estonian government blamed the Russian government for the
attacks, claiming to have traced one of the attacking computers to an IP
address in one of Russian President Vladimir Putin's offices. The Russian
news agency, RIA Novosti, quoted government officials as denying any role in
the attacks.
Subsequent investigations revealed the difficulty of discovering the motives
and ultimate operators behind a botnet DDoS attack. Also, the very nature of
the state-versus-state scenario painted in the first reports only obscured
salient technical facts behind them.
"Ignoring any politics in the situation, from a technical point of view it
doesn't take a whole lot of energy to DoS a country the size of Rhode
Island," says Marty Lindner, a senior member of the technical staff at the
Computer Emergency Response Team (CERT) Coordination Center at Carnegie
Mellon University's Software Engineering Institute. "There's all this talk
about this enormous DDoS attack. An attack that size is hitting various
parts of the US and other countries every day."
New level of public-sector concern
Lindner says the vast majority of attacks in the US don't hit the news pages
because there's so much unused bandwidth that only the target really feels
the pain.
"In the case of Estonia, they were only targeting 12 or 13 distinct Web
sites, but the collateral damage was the national bandwidth resources,"
Lindner says. "In the big scheme of things, short of getting people outside
the country to filter the attack traffic, there wasn't much somebody in
Estonia could do but hold on for the ride."
Lindner says the relative isolation of the Estonian network infrastructure
contributed to the attacks' scale and duration. By isolation, he's not
speaking about the actual network facilities themselves but the supporting
organizational structure between the Estonian operators and their colleagues
in other nations.
"The ISPs in Estonia hadn't established the relationships with their friends
and neighbors," he says. "If the same type of attack were to happen again, I
think the relationships have been established so more people would get
involved in a more timely manner."
In regions where ISPs have established such relationships and organizations,
such as the North American Network Operators Group (NANOG), Lindner says
these informal, time-critical communication channels are well established.
"You wouldn't hear about a medium-sized company in the US that's bigger than
Estonia, networkwise, that gets hit with the same type of attack, because
it's not newsworthy unless they go bankrupt," Lindner says. "From a
technical point of view, this is old hat; there's no magic here."
However, the initial suspicions of some sort of state-inspired (if not
orchestrated) motivation behind the attacks led to unprecedented public
reaction from government security organizations worldwide. On 22 May, Franco
Frattini, the European Commission's commissioner for freedom, justice, and
security, announced a new European Union policy intended to combat
cyberterrorism.
"Recent coordinated attacks oriented against the informatics systems of a
Member State reinforce the need for a coordinated action across the Union
involving the Commission and Member States," Frattini said in announcing the
new initiative. "There is general agreement in Europe on the need to take
action at EU-level."
The European Network and Information Security Agency also issued a statement
regarding the Estonian attacks. However, ENISA's statement made clear that
the agency itself wasn't taking any operational role in dealing with
cybercrime, which is the responsibility of member state law enforcement
authorities in coordination with Europol:
DDoS attacks are hard to mitigate and demand a lot of coordination and
cooperation from various parties. CERT Estonia, established late last year,
along with many local security managers and CERTs from other countries, had
to establish such a cooperative effort quickly to subdue the attacks.
Various CERTs from Europe and beyond helped to involve the international
CERT community in mitigating attacks in Estonia.
Will politics trump policy?
After the Estonian attacks, a spate of news stories analyzed the likelihood
of continued cyberattacks. Specifically, stories considered possible attacks
that might run under the auspices of regimes bent on international
mischief, or that such regimes might look upon with a nod and a wink if the
attacks served their purposes.
"Estonia was a hint to people they ought to be thinking a little more
seriously about this kind of thing," says James Lewis, director of the
technology and public policy program for the Center for Strategic and
International Studies, a Washington, D.C.-based think tank. "It's just going
to be part of the normal practice."
For example, both the New York Times and the London consultancy mi2g wrote
pieces highlighting China's supposed preparation for cyberwarfare. Both
stories cited a recent US Defense Department report
(www.defenselink.mil/pubs/pdfs/070523-China-Military-Power-final.pdf) on the
Chinese military's capabilities, quoting its passage on information warfare.
Yet, that passage occupies only about a half page in the 50-page report,
much of it boilerplate about elements of information warfare that most
advanced nations possess.
No one has yet pinpointed a connection between the Estonian attacks and the
Russian government. Nevertheless, don't expect politicians to be discouraged
from quickly blaming a specific adversary for a DDoS attack. Lewis says
cyber saber-rattling should be considered part of the future's everyday
landscape.
"It's one of those things that people are going to have to get used to as
part of politics," Lewis says. "That's sort of slowly dawning on people.
Estonia wasn't a fluke, a one-time event."
Additionally, Lewis says the current climate of dire warnings about national
interests in the context of network accessibility and security might be
counterproductive in truly advancing knowledge about how DDoS attacks, and
their fixes, really work.
"In some ways, we may have talked ourselves into a box," he says. "If you
say, 'It's the end of the world!' and, guess what, it isn't, then how do you
deal with this? I don't think it changed anybody's mind. It might have
changed some minds in NATO and Europe, but not in the US."
One network security veteran says the Estonian attacks' aftermath was
predictable and disheartening, so much so that he actually stopped following
the issue.
"The global reaction early on was the one to be expected, which was 'Oh my
God, cyberterrorism, cyberwarfare, run for the hills!'" says Richard Forno,
principal consultant for the consultancy KRVW Associates. "And in fact, as
soon as I saw that, I just turned off. I didn't even do any further looking
into the story. I figured the media was going to blow it all out of
proportion."
Forno says much of the information coming from government officials about who
might be lurking in the cyberbushes, and about the sometimes porous state of
public-sector security, is the same as it was 10 years ago. At lectures Forno
gave at the National Defense University about five years ago, he dissected a
Defense Department intranet that was billed as "peered and redundant",
virtually impervious to attack. However, he demonstrated that the supposedly
separate networks used the same provider. Furthermore, they shared several
common facilities.
"So, if you knew where these central points were," he explains, "you could
disrupt coast-to-coast or regional communications. And people were
flabbergasted." Essentially meaningless boilerplate warnings and often
fruitless attempts to plug vulnerabilities can't be blamed on any specific
administration, Forno says. It's just the nature of government IT.
CSIS's Lewis says these network shortcomings aren't exclusive to any nation,
which people should keep in mind when somebody quickly blames another
regime. In the case of China, for instance, Lewis says, "we also know their
network security is really bad, so if it was somebody else who wanted to
make it look like the Chinese were doing it, it wouldn't be that hard."
Neither Forno nor Lewis is confident that this lesson, or any of the more
nuanced details about botnet attacks, has gotten through to either public
officials or the mainstream press following Estonia's crisis.
If any lesson might be gleaned from the Estonian situation, it's that
governments, which can prepare their own intranets and shepherd best
practices, can only do so much during crises over the wider Internet.
"At the end of the day, governments are not the guys who can fix this
problem," Lindner says. "It's the top-tier carriers, the Level 3s, the
Qwests, the AT&Ts, and their counterparts, who can do that. If there are
5,000 computers targeting Estonia, and 2,000 are in the US, the US operators
can help with those 2,000, but other people elsewhere have to tackle the
other 3,000. So you need to understand where the attacks are coming from,
and you have to reach out to a very broad community to start filtering
them."
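Lindner's point is that the defender's first job is to work out which networks the attack traffic originates from, because those networks' operators are the ones who can filter it. The following script is an added example, not code from the article, CERT/CC, or any organization it names: it takes flow records (a constructed sample, not real traffic), maps each source address to the longest matching prefix in a small prefix-to-origin table (also constructed; the AS numbers and country codes are placeholders, not real allocations), and totals packets per origin network and per country so an incident team knows whom to contact first. Malformed records and addresses outside the table are counted rather than aborting the run.

```python
"""Attribute DDoS source addresses to the networks that can filter them.

Added example, not from the article. All data below is constructed.
"""
import ipaddress
from collections import Counter

# Constructed prefix -> (AS number, country) table. Placeholder values only;
# a real run would use a routing table or an IP-to-AS feed.
PREFIX_TABLE = {
    "198.51.100.0/24": ("AS64500", "US"),
    "198.51.100.128/25": ("AS64501", "US"),   # more specific than the /24
    "203.0.113.0/24": ("AS64502", "DE"),
    "192.0.2.0/24": ("AS64503", "RU"),
}

# Constructed flow records: "src_ip dst_ip packets". The last line is
# deliberately malformed to show that bad records are skipped.
SAMPLE_FLOWS = """\
198.51.100.7 10.0.0.1 1200
198.51.100.200 10.0.0.1 800
203.0.113.9 10.0.0.1 500
192.0.2.44 10.0.0.2 2500
192.0.2.45 10.0.0.2 2500
100.64.0.1 10.0.0.1 100
bad line
"""


def build_table(table):
    """Parse the prefix table and sort it longest-prefix-first."""
    nets = [(ipaddress.ip_network(p), origin) for p, origin in table.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup(nets, ip):
    """Longest-prefix match; unknown sources get a placeholder origin."""
    addr = ipaddress.ip_address(ip)
    for net, origin in nets:
        if addr in net:
            return origin
    return ("UNKNOWN", "??")


def parse_flows(text):
    """Yield (source_ip, packets) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than abort
        try:
            src = ipaddress.ip_address(parts[0])
            pkts = int(parts[2])
        except ValueError:
            continue
        yield str(src), pkts


def attribute(flow_text, table=PREFIX_TABLE):
    """Return packet totals per AS, per country, and host counts per AS."""
    nets = build_table(table)
    by_as, by_country, hosts = Counter(), Counter(), {}
    for src, pkts in parse_flows(flow_text):
        asn, cc = lookup(nets, src)
        by_as[asn] += pkts
        by_country[cc] += pkts
        hosts.setdefault(asn, set()).add(src)
    return by_as, by_country, {k: len(v) for k, v in hosts.items()}


if __name__ == "__main__":
    by_as, by_cc, hosts = attribute(SAMPLE_FLOWS)
    # Networks are listed by packet volume so the largest contributors,
    # whose operators should be contacted first, come out on top.
    for asn, pkts in by_as.most_common():
        print(f"{asn}: {pkts} packets from {hosts[asn]} source host(s)")
    print("per country:", dict(by_cc))
```

On the sample, the /25 entry wins over the enclosing /24 for 198.51.100.200, which is the detail that matters in practice: the operator to contact is the one announcing the most specific route, not necessarily the holder of the larger block.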
Related URLs
Russian Information Agency Novosti story denying role in Estonian attacks:
http://en.rian.ru/russia/20070517/65661919.html
European Union cyberterrorism policy announcement:
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/07/689&format=HTML&aged=0&language=EN&guiLanguage=en
New York Times story on China's cyberwarfare preparation:
www.nytimes.com/2007/06/24/weekinreview/24schwartz.html?ex=1184817600&en=18f2e485db1066ce&ei=5070
mi2g story on China's cyberwarfare preparation:
www.intentblog.com/archives/2007/05/cyber_warfare_b.html
US Defense Department report on Chinese military capabilities:
www.defenselink.mil/pubs/pdfs/070523-China-Military-Power-final.pdf