Georgia On My Mind - Political DDoS
by Jose Nazario

The website for the President of Georgia, a former Soviet republic, has come under a DDoS attack (hat tip: Shadowserver team). This attack appears to have a political motivation. One of the messages in the floods (HTTP, SYN, ICMP) reads “win+love+in+Rusia”. Tensions between Russia and Georgia appear to be running high lately.
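The post names three signals from the floods: the HTTP requests carried the literal marker string “win+love+in+Rusia”, and the traffic arrived at a rate no legitimate client produces. As an added example that is not part of the original post, the following Python script scans constructed web-server access-log lines for those two signals, a per-source request-rate spike and the marker string in the request line, and reports which sources trip either one. The log lines, the addresses (documentation ranges) and the thresholds are constructed for illustration; only the marker string comes from the post.

```python
"""Added example (not from the original post): flag HTTP-flood sources in
access logs by request rate per source and by the marker string the post
quotes. Sample log lines, IPs and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-like format: ip ident user [ts] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

FLOOD_MARKER = "win+love+in+Rusia"  # string quoted in the post


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect(lines, window=timedelta(seconds=10), rate_threshold=20):
    """Return {ip: {"marker": hits, "peak_rate": n}} for every source that
    either sent the marker string or issued at least rate_threshold requests
    inside any sliding window of `window` seconds (constructed thresholds)."""
    by_ip = defaultdict(list)
    marker_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        by_ip[rec["ip"]].append(rec["ts"])
        if FLOOD_MARKER in rec["req"]:
            marker_hits[rec["ip"]] += 1

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        # two-pointer sliding window over sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= rate_threshold or marker_hits[ip]:
            flagged[ip] = {"marker": marker_hits[ip], "peak_rate": peak}
    return flagged


def sample_log():
    """Constructed log: a flood source sending the marker at high rate, a
    normal client browsing slowly, and a one-off visitor."""
    base = datetime(2008, 7, 20, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, req):
        return '%s - - [%s] "%s" 200 512' % (ip, ts.strftime(TS_FMT), req)

    lines = []
    # flood source: 30 marker requests within about five seconds
    for i in range(30):
        lines.append(line("198.51.100.7", base + timedelta(milliseconds=160 * i),
                          "GET /?win+love+in+Rusia HTTP/1.1"))
    # normal client: five page views spread over a minute
    for i in range(5):
        lines.append(line("203.0.113.5", base + timedelta(seconds=12 * i),
                          "GET /news/ HTTP/1.1"))
    lines.append(line("192.0.2.9", base + timedelta(seconds=3), "GET / HTTP/1.1"))
    lines.append("this line is garbage and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, info in detect(sample_log()).items():
        print(ip, info)
```

Run against a real log the marker check is the weaker signal, since the string is trivial for an attacker to change; the rate check is what carries the detection, and the threshold should be set from a baseline of the site's normal per-client request rate rather than from the constructed value used here.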
While I am not positive what event or events triggered this attack, here’s some speculation based on reading around for Russia-Georgia tension:
- In an article entitled Withdrawal of Georgian troops only way out of Abkhazia conflict - Medvedev via ITAR-TASS, it appears that Georgia is entwined in a struggle in the region that Russian politicians do not like.
- Recently, Georgia hosted US Secretary of State Rice, according to The Session of National Security Council was held in President’s Administration, via NewsGeorgia.net. The meetings, according to the piece, suggest that Georgia is working on its economic development, a peaceful relationship with Russia and a democratic approach.
- In another piece, this one from western sources, Russia says Georgian troops must go, via the UPI. This mirrors the ITAR-TASS information.
- Some folks in Russia are apparently worried about Georgia’s military involvements in the region, which I read in Russian Diplomat: Georgia Seeking War on Abkhazia, S. Ossetia, via iStockAnalyst. Maybe things with Russia aren’t so friendly?
I’ll be honest, the locations that Georgia is reportedly entangled in are unfamiliar to me. It turns out that Abkhazia is described in Wikipedia as “a region in Georgia that is a de facto independent republic with no international recognition.” Seems like there could be some tensions there. Also, Ossetia appears to be another neighbor with some relationships to Georgia, with Wikipedia offering some interesting recent history (ca. 1990): “ethnic tensions between Ossetians and Georgians in Georgia’s former Autonomous Oblast of South Ossetia (abolished in 1990) and between Ossetians and the Ingush in North Ossetia evolved into violent clashes that left several hundreds of dead and wounded and created a large tide of refugees on the both sides of the border.”
I have to admit that when these sorts of attacks appear, I often have to race to learn political history and tensions and relationships. I’m no expert at geopolitics (and am actively seeking to work with folks who are), and as these sorts of attacks increase, their analysis is ever the more interesting.
I do not know who exactly is behind the attacks, whether they are acting alone or whether they are associated with a political outfit anywhere. The Georgian presidential website is still inaccessible (possibly firewalled to thwart the attack, possibly still under attack by additional botnets). The C&C server is located in the US, and I’ve alerted various parties to try and get some traction on the attack to discover who it is. This botnet is somewhat recent to us in its activities, but uses a codebase we’re familiar with (Machbot).
Later this month, at Usenix Security in San Jose, I’ll be giving a talk on these sorts of attacks around the world. I’ll be discussing their activities in depth, and some additional data and attacks I haven’t blogged here. If you’re in town, be sure to stop by.
UPDATE: I almost forgot, NATO’s been looking at expansion in Georgia it seems. That may also be a source of the tensions shown here.
Aside from the actual attack and its motives, some interesting communications from an “employee” of the hosting company where the site is located.
one comment can be seen here - http://www.webhostingtalk.com/showpost.php?p=5220780&postcount=41
“The issue yesterday and today has been with a very large DDoS. After yesterday, we had thought the issue was resolved after the IP being attacked was null-routed, but today things resumed again on several different IPs for the same customer and we have now been forced to ask that customer to leave”
Now, what good does that do? Broadcasting this message on a public internet forum says one thing to any current and potential customers looking for a hosting provider: “Next”.
Just because you may be a smaller provider, you cannot overlook the possibility of attacks. While mitigation options out there are quite costly, there are alternatives which should be researched, tested, taught to your NOC and staff and then used in practice.
Link to full thread - http://www.webhostingtalk.com/showthread.php?t=709064