Estonian DDoS Attacks – A summary to date
by Jose NazarioTime sure flies. I looked up from working and noticed I hadn’t blogged in a while. And I noticed that I hadn’t been analyzing the Estonian DDoS attacks in a week or two.
ATLAS gives us an amazing view into the Internet’s activities. ATLAS collects DoS attack data from around the world through sharing arrangements and even from some of our Peakflow SP deployments. As such, the recent DDoS attacks on Estonia are visible, in part, from within ATLAS. I’ve always had a soft spot in my heart for Estonia. Since the fall of the Iron Curtain, it’s become technically advanced, society has done wonders to improve itself and it’s jumped, quite successfully, into the modern world. It has a nearly model economy, based in large part on the teachings of Milton Friedman who favored free markets unfettered by state control.
As you can imagine, having development access to the ATLAS data repository allows me to build new reports and crunch the data in new and exciting ways. I analyzed about 2 weeks of DDoS attacks on Estonia this morning using internal tools and reporting systems, and here’s what I found.
We’ve seen 128 unique DDoS attacks on Estonian websites in the past two weeks through ATLAS. Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others:
| Attacks | Destination | Address or owner |
|---|---|---|
| 35 | “195.80.105.107/32″ | pol.ee |
| 7 | “195.80.106.72/32″ | www.riigikogu.ee |
| 36 | “195.80.109.158/32″ | www.riik.ee, www.peaminister.ee, www.valitsus.ee |
| 2 | “195.80.124.53/32″ | m53.envir.ee |
| 2 | “213.184.49.171/32″ | www.sm.ee |
| 6 | “213.184.49.194/32″ | www.agri.ee |
| 4 | “213.184.50.6/32″ | |
| 35 | “213.184.50.69/32″ | www.fin.ee (Ministry of Finance) |
| 1 | “62.65.192.24/32″ |
The attacks themselves haven’t been steady, at least from the perspective given by ATLAS. If we look at how many attacks occurred on every day, we can see that they peaked a week or so ago, but they haven’t necessarily stopped.
| Attacks | Date | |
|---|---|---|
| 21 | 2007-05-03 | |
| 17 | 2007-05-04 | |
| 31 | 2007-05-08 | |
| 58 | 2007-05-09 | |
| 1 | 2007-05-11 |
As for how long the attacks have lasted, quite a number of them last under an hour. However, when you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack. The longest attacks themselves were over 10 and a half hours long sustained, dealing a truly crushing blow to the endpoints.
| Attacks | Date | |
|---|---|---|
| 17 | less than 1 minute | |
| 78 | 1 min – 1 hour | |
| 16 | 1 hour – 5 hours | |
| 8 | 5 hours to 9 hours | |
| 7 | 10 hours or more |
Finally, this is a decent sized botnet behind the attack, with aggregate bandwidth at our points of measurement maxing out at nearly 100 Mbps.
| Attacks | Bandwidth measured | |
|---|---|---|
| 42 | Less than 10 Mbps | |
| 52 | 10 Mbps – 30 Mbps | |
| 22 | 30 Mbps – 70 Mbps | |
| 12 | 70 Mbps – 95 Mbps |
Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.
Links around the net to more information about the attacks:
- Russia accused of unleashing cyberwar to disable Estonia, The Guardian, May 17, 2007.
- Estonian and Russia: A cyber-riot, The Economist, May 10, 2007.
- Massive DDoS attacks target Estonia; Russia accused, Ars Technica, May 14, 2007.
- 9th of May on the F-Secure Weblog. Additional news from them: Update on the Estonian DDoS attacks on April 30, and Unrest in Estonia, published on April 28, 2007.
[...] Arbor Network show some interesting analysis of traffic relating to the above attacks on thier Blog. [...]