Arbor Networks: Security to the Core

The clashes between Russia and Georgia over the region of South Ossetia have been shadowed by attacks on the Internet. As we noted in July, the Georgia presidential website fell victim to attack during a war of words. A number of DDoS attacks have occurred in the region, and often do when tensions flare. We have been observing the attacks, making measurements, and sharing data with a select group of others to trace the origins of the attacks and monitor the situation.

While some are speculating about cyber-warfare and state sponsorship, we have no data to indicate anything of the sort at this time. We are seeing some botnets, some well known and some not so well known, take aim at Georgia websites. Note that RIA Novosti, a Russian news outlet, was apparently targeted during this fighting. Georgian hackers are accused of this event.

Compared to the May 2007 Estonian attacks, these are more intense but have lasted (so far) for less time. This could be due to a number of factors, including more sizable botnets with more bandwidth, better bandwidth at the victims, changes in our observations, or other factors.

Below are some observations of the attacks based on our Internet statistics collection. These are observed attacks, ones that triggered alarms. We know that not all attacks are accounted for here, only many of the major ones. These attacks were mostly TCP SYN floods with one TCP RST flood in the mix. No ICMP or UDP floods detected here. These attacks were all globally sourced, suggesting a botnet (or multiple botnets) were behind them.

Raw statistics of the attack traffic paint a pretty intense picture. We can discern that the attacks would cause injury to almost any common website.

At this point we haven’t seen other attacks register alarms and continue to monitor the situation. We do see continued attacks against a number of sites, including Georgia news sites. Below is a graphic summarizing the attacks, showing the C&C that issued the command and the victim of the attack command. The data here was collected over the past 3 weeks. All of these are HTTP floods (ie rapid fire GET requests).

Select links and information around the net:

• As noted by the Shadowserver folks in Georgian Websites Under Attack – DDoS and Defacement, a number of other sites are under attack and have also suffered defacements.
• The folks at Renesys have done some routing analysis of Georgia during the fighting. Great reading. Another tool to look at global BGP routing information is the RIS tool from RIPE. It’s slow but worth the wait.
• Folks who get Stratfor sitreps and daily intel saw a piece earlier this evening entitled “Georgia, Russia: The Cyberwarfare Angle”. The content is available to subscribers only, or via shared emails.
  

  Details of the parallel Russian cyberwarfare campaign against Georgia began to emerge even as Russian tanks appeared on the south side of the Roki Tunnel in South Ossetia on Aug. 8. There is little doubt at this point that a concerted assault took place alongside conventional military operations.

  A good read.

• Finally, I recently was invited to talk at USENIX Security in San Jose on political DDOS. At the time, the Georgia attacks were limited to the presidential website and no tanks had rolled into Georgia. The slides are available on my website.

We continue to monitor the situation here and will update this site with information as it becomes available.

This entry was posted on Tuesday, August 12th, 2008 at 10:16 pm and is filed under ATLAS, Attacks, Botnets. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.