Kyrgyzstan DDoS Attacks
by Jose Nazario

It appears that the former Soviet republic of Kyrgyzstan is being DDoSed, reportedly by Russian hackers. Details have been very scarce, to be honest, aside from the targets (“www.ns.kg and www.domain.kg”) and the dates, starting on January 18, 2009. Here’s a brief rundown of the major, primary sources for all of the chatter about this that I can find:
- January 21st, 2009: In The Kyrgyzstan Cyber Attack That No One Is Talking About, the blogger at IntelFusion (a highly worthwhile blog, by the way) brought attacks in KG to light.
- January 28th, 2009: Kyrgyzstan Under DDoS Attack From Russia from the SecureWorks research blog.
- January 28th, 2009: The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis, also from IntelFusion.
- The Economist: Marching off to cyberwar, posted by the Infowar Monitor site, referencing a general article from the Economist entitled Marching off to cyberwar. The site has multiple pieces on the attacks worth reading.
- January 30th, 2009: Why I believe that the Kyrgyzstan Government hired Russian hackers to launch a DDOS attack against itself, again from IntelFusion
- February 1, 2009: CyberBully from the Strategy Page blog
What I can’t find is data, however, either internally or externally. This doesn’t mean it’s not happening, it just means we don’t have data.
To understand why we lack such data right now, it’s important to understand how we analyze such attacks. We get our data from a few primary sources:
- We identify and track botnets, in a project dubbed “Blade Runner”. We collect malcode, identify which botnets they are a part of and lurk in the botnet and record the commands. We can then mine this to find the interesting bits and track back the attack origins. This is also very useful in understanding who may have been behind the attacks and what else they were up to recently.
- We gather data via the ATLAS Internet Observatory and mine the actual attack alerts we have seen around the world. This gives us a gauge for how big the attacks get and how long they last. Not all attacks that get launched (visible via the above botnet monitoring) show up here; some aren’t sizable enough. Not all attacks we see have a clear botnet of origin.
- ATLAS can also record, for some attacks, the backscatter (e.g. SYN-ACKs) in response to broadly spoofed attacks. These may show up as scans in ATLAS as they tickle lots of destination IPs quickly.
- We also mine forums and chat rooms to discover specific attack tools and collaborations.
- We mine our malware to look for non-botnet flooders, the kind that strike a target using a hardcoded format. One of the things we are seeing more of are tools that launch, flood, and then quit and have erased themselves. This can make visibility and traceback a problem, which is the attackers’ design.
In mining all of this data, we have almost nothing, nothing, on the Kyrgyzstan attacks. We have identified the ASNs in KG that we check for as attack destinations: AS12764, AS12997, AS20721, AS25035, AS29061, AS34639, AS39214, AS41750, and AS8511. We also do GeoIP lookups for attack sources and destinations. None of the above classifiers, which have worked for previous attacks, has worked here. One of the only things we’ve seen so far related to these attacks was some backscatter from a ping flood to this host on January 28, 2009:

Host: 212.42.122.118
Country: KG (Kyrgyzstan)
Location: Bishkek, 01
ISP: Join Venture firm ElCat
ASN: AS8449 (AS8449-ELCAT)
Organization: The Ministry of Finance of the Kyrgyz Republic
We have what may be some backscatter to various hosts in the country but this is the closest data we have to an attack so far.
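To make the backscatter classifier concrete, here is an added example (my own illustration, not Arbor’s ATLAS code): it scans constructed packet summaries for hosts that send unsolicited reply packets (SYN-ACKs or ICMP echo replies) to many distinct destinations in a short window, then maps the replying host to an ASN and keeps only hits inside the KG ASNs listed above. The prefix-to-ASN table, the sample packets and the thresholds are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# KG ASNs named in the post, plus AS8449 from the ministry host lookup.
KG_ASNS = {"AS8449", "AS8511", "AS12764", "AS12997", "AS20721", "AS25035",
           "AS29061", "AS34639", "AS39214", "AS41750"}
# Constructed prefix table: the /24 for AS8449 is an assumption for the example,
# not a statement about real routing; AS64496 is a documentation ASN (non-KG).
PREFIX_ASN = {ipaddress.ip_network("212.42.122.0/24"): "AS8449",
              ipaddress.ip_network("198.51.100.0/24"): "AS64496"}

def lookup_asn(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_ASN.items():
        if addr in net:
            return asn
    return None

# Packet kinds that only make sense as replies to something we never saw sent.
BACKSCATTER_TYPES = {"SYN-ACK", "RST-ACK", "ICMP-ECHO-REPLY"}

def find_backscatter(records, min_dsts=20, window=60):
    """records: (unix_ts, src_ip, dst_ip, kind). A source answering at least
    min_dsts distinct destinations within `window` seconds looks like a victim
    replying to a spoofed flood. Returns {src: (distinct_dst_count, asn)}."""
    by_src = defaultdict(list)
    for ts, src, dst, kind in records:
        if kind in BACKSCATTER_TYPES:
            by_src[src].append((ts, dst))
    hits = {}
    for src, pkts in by_src.items():
        pkts.sort()
        for i, (t0, _) in enumerate(pkts):          # sliding window start
            dsts = {d for t, d in pkts[i:] if t - t0 <= window}
            if len(dsts) >= min_dsts:
                hits[src] = (len(dsts), lookup_asn(src))
                break
    return hits

def kg_backscatter(records, **kw):
    """Keep only backscatter whose replying host sits in a Kyrgyz ASN."""
    return {s: v for s, v in find_backscatter(records, **kw).items() if v[1] in KG_ASNS}

# Constructed sample: the ministry host echo-replying to 40 spoofed "sources"
# (TEST-NET-3 addresses) within a few seconds, plus a non-KG host completing
# three ordinary TCP handshakes, which should not trip the default threshold.
SAMPLE = [(1233100000 + i, "212.42.122.118", f"203.0.113.{i}", "ICMP-ECHO-REPLY")
          for i in range(1, 41)]
SAMPLE += [(1233100005 + i, "198.51.100.7", f"203.0.113.{i}", "SYN-ACK")
           for i in range(1, 4)]
```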
These sorts of attacks, politically motivated it seems, are an especially interesting subject to me. I’m very keen on the emergence of democracy in newly independent states, and cyberattacks play an important role in this process. The Internet has given great reach to many of these countries and allowed for citizens to organize and build democratic institutions. This also gives an avenue for attacks, unfortunately. As noted in a report released earlier today:
Beginning Jan. 18, Kyrgyzstan has experienced a series of cyber attacks on its Internet infrastructure that are reportedly being traced back to Russia. As in Estonia, information technology and information exchange has long been one of the stronger tools the United States has used to not only entrench a more Western economy into developing or anti-Western states, but also to counter or break those states’ totalitarian regimes. Freely-flowing information is critical in these former closed states to allow a Western-style economy to solidify. And it is a natural way for democracy to develop and a political exchange to begin.
The experience of the former Soviet Union states shows that technology has a great impact on the exchange of information. Russia understands the power that technology has on information exchange — Moscow is fully aware that the fax machine played a role in the collapse of the Soviet Union. Totalitarian regimes are successful because of their ability to control competing forms of information or power. The converse is true for democracies. So when the Soviet sphere began to crumble in the late 1980s, the West swooped in with technology that could expand information exchange in order to spread its influence. Today, this technology is the Internet.
Source: Stratfor report entitled “Kyrgyzstan: The Struggle Intensifies”.
It seems to me that this is one of the biggest areas for these attacks, but it may not be unrivaled for long. We have seen dissident groups that use the Internet, such as the DVB, suffer such attacks; we have seen nationalistic groups strike as well, using this level playing field. This is clearly going to continue.
These topics and our data, and how we analyze it, will (we anticipate) be discussed this summer in Tallinn, Estonia, at the Conference on Cyber Warfare held by the NATO CCD COE. I’m excited to get the chance to discuss this with more individuals around the world, many of whom have similar interests in the growth of democratic states.
PS: I have to include Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1 because of the cool graphic.
Additional links of interest:
- RUSSIA NOW 3 AND 0 IN CYBER WARFARE by Defense Tech
- eWMDs from the Policy Review