Posted on Monday, February 2nd, 2009

Kyrgyzstan DDoS Attacks

by Jose Nazario

It appears that the former Soviet republic of Kyrgyzstan is being DDoSed, reportedly by Russian hackers. Details have been very scarce, to be honest, aside from the targets, which include “www.ns.kg and www.domain.kg”, and the dates, starting on January 18, 2009. Here’s a brief rundown of the major, primary sources for all of the chatter about this that I can find:

What I can’t find is data, however, either internally or externally. This doesn’t mean it’s not happening, it just means we don’t have data.

To understand why we lack such data right now, it’s important to understand how we analyze such attacks. We get our data from a few primary sources:

  1. We identify and track botnets, in a project dubbed “Blade Runner”. We collect malcode, identify which botnets the samples are a part of, lurk in those botnets and record the commands. We can then mine this to find the interesting bits and trace back the attack origins. This is also very useful in understanding who may have been behind the attacks and what else they were up to recently.
  2. We gather data via the ATLAS Internet Observatory and mine the actual attack alerts we have seen around the world. This gives us a gauge for how big the attacks get and how long they last. Not all attacks that get launched (visible via the above botnet monitoring) show up here; some aren’t sizable enough. Not all attacks we see have a clear botnet of origin.
  3. ATLAS can also record, for some attacks, the backscatter (e.g. SYN-ACKs) sent in response to broadly spoofed attacks. These may show up as scans in ATLAS, since the victim’s replies tickle lots of destination IPs quickly.
  4. We also mine forums and chat rooms to discover specific attack tools and collaborations.
  5. We mine our malware to look for non-botnet flooders, the kind that strike a target using a hardcoded format. One of the things we are seeing more of are tools that launch, flood, and then quit and erase themselves. This can make visibility and traceback a problem, which is the attackers’ design.

In mining all of this data, we have almost nothing, nothing, on the Kyrgyzstan attacks. We have identified many ASNs in KG to watch for: AS12764, AS12997, AS20721, AS25035, AS29061, AS34639, AS39214, AS41750, and AS8511. We also do GeoIP lookups for attack sources and destinations. None of the above classifiers, which have worked for previous attacks, has been working here. One of the only things we’ve seen so far related to these attacks was some backscatter from a ping flood to this host on January 28, 2009:

Host: 212.42.122.118
Country: KG (Kyrgyzstan)
Location: Bishkek, 01
ISP: Join Venture firm ElCat
ASN: AS8449 (AS8449-ELCAT)
Organization: The Ministry of Finance of the Kyrgyz Republic

We have what may be some backscatter to various hosts in the country but this is the closest data we have to an attack so far.
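As an added illustration of the backscatter observation (item 3 above) and the ASN/GeoIP classifier step, here is a small detector that is example code, not Arbor’s ATLAS code: it flags a host that answers many distinct destinations with unsolicited SYN-ACKs or ICMP echo replies inside a short window (which is why spoofed-flood backscatter looks like a scan from the victim), then keeps only hits in the KG ASNs listed in the post plus AS8449 from the host record. The flow records, the 198.51.100.x and 203.0.113.x peers and the ASN lookup dict are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# KG ASNs listed in the post, plus AS8449 (ElCat) from the host record above.
KG_ASNS = {8449, 8511, 12764, 12997, 20721, 25035, 29061, 34639, 39214, 41750}

@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    proto: str  # "tcp" or "icmp"
    kind: str   # "S" / "SA" for TCP flags, "echo-request" / "echo-reply" for ICMP

REQUESTS = {("tcp", "S"), ("icmp", "echo-request")}
REPLIES = {("tcp", "SA"), ("icmp", "echo-reply")}

def find_backscatter(flows, window=60.0, min_dsts=20):
    """Map victim IP -> max number of distinct destinations it answered without
    a prior request inside `window` seconds. A spoofed flood makes the victim
    emit SYN-ACKs / echo replies to forged sources: a 'scan' from a sensor's view."""
    solicited = set()                # (responder, peer): peer sent a request first
    unsolicited = defaultdict(list)  # responder -> [(ts, dst)] with no prior request
    for f in sorted(flows, key=lambda f: f.ts):
        if (f.proto, f.kind) in REQUESTS:
            solicited.add((f.dst, f.src))
        elif (f.proto, f.kind) in REPLIES and (f.src, f.dst) not in solicited:
            unsolicited[f.src].append((f.ts, f.dst))
    victims = {}
    for host, events in unsolicited.items():
        start, best = 0, 0
        for end in range(len(events)):          # sliding time window over replies
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_dsts:
            victims[host] = best
    return victims

def kg_victims(victims, asn_of):
    """ASN classifier step: keep victims whose ASN (from a GeoIP/ASN lookup dict) is in KG_ASNS."""
    return {ip: n for ip, n in victims.items() if asn_of.get(ip) in KG_ASNS}

def sample_flows():
    """Constructed sample: one legitimate ping exchange, then the host from the post
    answering a spoofed ping flood with 30 echo replies to forged source addresses."""
    flows = [Flow(0.0, "198.51.100.7", "212.42.122.118", "icmp", "echo-request"),
             Flow(0.1, "212.42.122.118", "198.51.100.7", "icmp", "echo-reply")]
    flows += [Flow(1.0 + i * 0.5, "212.42.122.118", f"203.0.113.{i}", "icmp", "echo-reply")
              for i in range(30)]
    return flows
```

The legitimate exchange is not counted because the request from 198.51.100.7 is seen first; only the 30 replies to peers that never sent anything qualify as backscatter.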

These sorts of attacks, politically motivated it seems, are an especially interesting subject to me. I’m very keen on the emergence of democracy in newly independent states, and cyberattacks play an important role in this process. The Internet has given great reach to many of these countries and allowed for citizens to organize and build democratic institutions. This also gives an avenue for attacks, unfortunately. As noted in a report released earlier today:

Beginning Jan. 18, Kyrgyzstan has experienced a series of cyber attacks on its Internet infrastructure that are reportedly being traced back to Russia. As in Estonia, information technology and information exchange have long been one of the stronger tools the United States has used to not only entrench a more Western economy into developing or anti-Western states, but also to counter or break those states’ totalitarian regimes. Freely-flowing information is critical in these former closed states to allow a Western-style economy to solidify. And it is a natural way for democracy to develop and a political exchange to begin.

The experience of the former Soviet Union states shows that technology has a great impact on the exchange of information. Russia understands the power that technology has on information exchange — Moscow is fully aware that the fax machine played a role in the collapse of the Soviet Union. Totalitarian regimes are successful because of their ability to control competing forms of information or power. The converse is true for democracies. So when the Soviet sphere began to crumble in the late 1980s, the West swooped in with technology that could expand information exchange in order to spread its influence. Today, this technology is the Internet.

Source: Stratfor report entitled “Kyrgyzstan: The Struggle Intensifies”.

It seems to me that this is one of the biggest areas for these attacks, but it may not be unrivaled for long. We have seen dissident groups that use the Internet, such as the DVB, suffer such attacks; we have seen nationalistic groups strike, as well, using this level playing field. This is clearly going to continue.

These topics, our data, and how we analyze it will (we anticipate) be discussed this summer in Tallinn, Estonia, at the Conference on Cyber Warfare held by the NATO CCD COE. I’m excited to get the chance to discuss this with more individuals around the world, many of whom have similar interests in the growth of democratic states.

PS: I have to include Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1 because of the cool graphic.

Additional links of interest:

4 Responses


Comment Post by: aisha — February 3rd, 2009 @ 11:35 pm EST

I’m working at a Kyrgyz Internet provider: no DDoS attacks yet. Just rumours… from abroad. I wonder whose interest that serves?

Comment Post by: rye — February 4th, 2009 @ 10:43 am EST

For Pete’s sake. It’s amateur hour all over again. Look, a DDoS of massive traffic size would only require a few thousand bots, which could easily slam any, any network in a developing country, especially one in the Caucasus region. I don’t believe as well that the US government and their military base over there would be stupid enough to actually get local ISP service in a potentially hostile country. I have been out with our soldiers and they use satellite almost exclusively in the field. No base would get its connectivity locally.

As well, Russians are smart: if you wanted to launch a cyberwar, don’t do it from your own back freaking yard. Launch it from your enemy’s back yard. This could have been a black flag cyber op by Kyrgyzstan because they are between a rock and a hard place with both the US and Russia jockeying for influence there and throwing dollars around. By last count Russia was throwing more cheddar than the USA: 2 billion plus 150 million, vs the US 65 million and change due to renting their airbase.

And again, DDoS is not a very effective cyberwar technique when it comes to actual damage. The cyberization of that country I would think is way, wayyy less than other highly dependent and highly connected countries such as Estonia. Also, nothing interesting in a DDoS; if you really want to wreak havoc and punish a country there are many more inventive ways to do it. Export all their data to P2P public networks, frag all their file systems, have trojans use secure deletion tools on all their stuff, crypto their data and destroy the key, let them waste resources to unencrypt the unencryptable. Publish personal information on all their leadership and their foibles.

Attack their critical infrastructures via cyber methods.

These are the ways you launch unrestricted cyberwarfare, not BS DDoS, which is one tool and component in a cyberwar campaign, which in my opinion has not happened yet to any country. I don’t think any has the balls.

This is my analysis; like it or not, these are the “actual” possibilities of cyberwar which don’t get talked about very much. Usually the ones that talk the least about this stuff are the best at it.

Read my blog for more cyber philosophy.

Comment Post by: rye — February 4th, 2009 @ 11:55 am EST

I should really learn how to self-promote. The actual site is http://www.conanthedestroyer.net. I think I may have put .com
