Attack Severs Burma Internet

Back in 2007, the Burmese government reportedly severed the country’s Internet links in a crackdown over growing political unrest.

Yesterday, Burma once again fell off the Internet. Over the last several days, a rapidly escalating, large-scale DDoS has targeted Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

While the motivation for the attack is unknown, Twitter and Blogs have been awash in speculation ranging from blaming the Burma / Myanmar government (preemptively disrupting Internet connectivity ahead of the November 7 general elections) to external attackers with still mysterious motives. The Myanmar Times reports the attack has been ongoing since October 25th (and adds the attack may impact Burma’s tourist industry).

We estimate the Burma DDoS at 10-15 Gbps (several hundred times more than enough to overwhelm the country’s 45 Mbps T3 terrestrial and satellite links). The DDoS includes dozens of individual attack components (e.g. TCP SYN and RST floods) against multiple IP addresses within MPT’s address blocks (203.81.64.0/19, 203.81.72.0/24, 203.81.81.0/24 and 203.81.82.0/24). The attack also appears fairly well-distributed — ATLAS data shows attack traffic across 20 or more providers with a broad range of source addresses.

A summary of the attack statistics is shown in the chart below:

[Chart: Burma DDoS summary]

Most Burma Internet traffic goes through IPTel AS45419 (you can see a nice graph of the connectivity using HE’s ASInfo tool). And in turn, IPTel gets connectivity from Tata AS6453 (the majority of traffic), Beyond the Network AS3491 and NTT AS2914 amongst others. More information on MPT’s network is available on their home page (but this web site — and all of Burma for that matter — is currently unreachable).

Burma also lost Internet connectivity last spring after the accidental severing of the trans-pacific SEA-ME-WE3 cable.

The DDoS (and possibly traffic engineering to mitigate the attack) generated hundreds of routing updates throughout the course of the day. Some sample BGP flaps from ATLAS routeviews are shown below:


11/02/10 03:50:16 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 03:53:25 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 03:53:51 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:08:32 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:08:58 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:11:42 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
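
As an added example (not part of the original post or any Arbor tooling), the following Python sketch parses the sample updates above and measures how often the prefix switches between AS paths, which is one way to flag this kind of route flapping from an update feed. The function names, the 600-second window and the threshold of five changes are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# The sample updates quoted in the post; "XXXX" is the anonymized peer.
UPDATES = """
11/02/10 03:50:16 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 03:53:25 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 03:53:51 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:08:32 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:08:58 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:11:42 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
"""

def parse(line):
    """Return (timestamp, action, prefix, AS path) for one update line."""
    date, clock, action, prefix, *path = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S")
    return ts, action, prefix, tuple(path)

def flap_report(text, window_s=600, threshold=5):
    """Per prefix: count AS-path changes and flag sustained oscillation."""
    last_path, changes, paths = {}, defaultdict(list), defaultdict(set)
    for line in text.strip().splitlines():
        ts, action, prefix, path = parse(line)
        if action != "Announce":
            continue  # assumption: only announcements carry a path to compare
        paths[prefix].add(path)
        if last_path.get(prefix, path) != path:
            changes[prefix].append(ts)  # repeats of the same path do not count
        last_path[prefix] = path
    report = {}
    for prefix, times in changes.items():
        worst = lo = 0
        for hi, t in enumerate(times):  # sliding window over change times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            worst = max(worst, hi - lo + 1)
        report[prefix] = {"path_changes": len(times), "distinct_paths": len(paths[prefix]),
                          "max_changes_in_window": worst, "flapping": worst >= threshold}
    return report
```

On the sample, the prefix alternates between two paths: the direct one via AS45419 and a longer one via AS4766 and AS4651.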

In the last two graphs, I show traffic to Burma (AS9988) through 80 randomly selected ATLAS ISPs. The top graph shows the height of the DDoS over the last two days and the bottom provides a view of the escalating traffic over the last week. Normally Burma traffic peaks around 100 Mbps. Over the course of the week, the rapidly escalating attack jumped to a sustained multiple gigabits per second. All times are EST.

A quick look at anonymous ASPath traffic data suggests a number of upstreams have begun to blackhole traffic to MPT address space in response to the attack.

[Graph: Burma DDoS]

[Graph: escalating Burma DDoS, week view]

While DDoS attacks against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks — especially ones targeting an entire country — remain rare with a few notable exceptions. At 10-15 Gbps, the Burma attack is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS. Early this year, Burmese dissident web sites (hosted outside the country) also came under DDoS attacks.

At present I do not know the motives for this attack, but our past DDoS analyses have observed the gamut from politically motivated DDoS, government censorship, extortion and stock manipulation. I’ll update this blog if I get more details.

Credit to Jose Nazario for assisting with some of this analysis.

– Craig

 

46 Responses to “Attack Severs Burma Internet”

November 03, 2010 at 2:00 pm, Myanmar PTT (Service Provider) gets punishing DDoS Attacks | DoS Attacks said:

[…] a massive DDoS Attack. Arbor Network’s Security Engineering & Response Team (SERT) is reporting on their blog, that the country’s de facto service provider, Ministry of Post and Telecommunication was […]

November 03, 2010 at 2:17 pm, Cooper said:

Hi,

Can the above images be used with reference to Arbor Networks? Would like to expand on this topic… and your images are great.

Best Regards,
Cooper

November 03, 2010 at 8:44 pm, From the Listening Post… 11/04/2010 (a.m.) « Sean Lawson, Ph.D. said:

[…] Attack Severs Myanmar Internet | Security to the Core | Arbor Networks Security […]

November 03, 2010 at 10:00 pm, Birmânia é desconectada da internet em ataque distribuído de DoS | Pablo Ximenes said:

[…] information: /blog/asert/2010/11/attac-severs-myanmar-internet/ http://pt.wikipedia.org/wiki/Myanmar This entry was posted in Outros and tagged […]

November 04, 2010 at 2:15 am, Kelvin Minn Kyaw said:

Dear Craig;
maybe all of your info is correct but what we can some info from Burma about internet situation is totally difference and later will come on Burma Media soon lastly tomorrow evening.
In, My question is Under DDoS attack to their ISP, How can we send 2 or 3 MB files to/from Naypyidaw by gtalk?

November 04, 2010 at 6:53 am, Burma Taken Off-Net By Cyber Attack | eWEEK Europe UK said:

[…] to analysis by Arbor Networks the cyber-warfare attack, which centred on the main Myanmar internet provider, the state-owned […]

November 04, 2010 at 10:44 am, Enrique said:

This is a great post. Thanks Craig & Jose.

Technically, would it be possible for the Burmese authorities to self-mount such an attack to shut down their own people’s internet? (and keep it up for gov and military servers, based on The Irrawaddy article)

Also, what is the tech evidence that can support the claim of a politically motivated attack?

November 04, 2010 at 11:16 am, Craig Labovitz said:

Enrique — the prevalence / accessibility of large botnets (including infrastructure for hire), means just about anyone with money and motive can launch a large-scale DDoS. I have read lots of speculation in the press about the Burma DDoS, but I have no insight into the motives for this attack.

November 04, 2010 at 11:59 am, Enrique said:

Thanks Craig. There is some speculation indeed. e.g. The brief piece in http://thenextweb.com/asia/2010/11/04/burmas-internet-services-under-attack-pre-election-timely/ may be a bit misleading:

“Arbor Networks says that analysis of similar events were often proved to be politically motivated”

November 04, 2010 at 12:50 pm, Karl said:

I used to work for the Burmese Internet provider. These attacks were not uncommon during sensitive situations, and were a particular headache.

Funny how they hit only during office hours, isn’t it….

November 04, 2010 at 1:21 pm, DDoS-Attacken legen in Burma Internet lahm : netzpolitik.org said:

[…] October 25, DDoS attacks on many different servers in Burma have been taking place again and again. The day before yesterday they reached a volume of 10-15 Gbps, a thousand times enough for the total of 45 […]

November 04, 2010 at 1:30 pm, John Steed said:

According to the sources close to MPT (not PTT by the way), they are using Arbor PeakFlow and engineers from Arbor Networks to mitigate the attack. Does this mean Arbor PeakFlow cannot mitigate the attack that are of 10-15gbps?

November 04, 2010 at 2:46 pm, George said:

God Help The Keren.

November 04, 2010 at 3:03 pm, Burma hit by massive net attack « Alex's World News Worth Reading said:

[…] Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of traffic was “several hundred times more than enough” to swamp these links. […]

November 04, 2010 at 5:01 pm, Country of Myanmar DDoS « MadMark's Blog said:

[…] is certainly a massive DDoS attack, estimated at between 10 – 15 Gigabytes per second of bandwidth being focused on the country’s Ministry of Post and Telecommunication, the main […]

November 04, 2010 at 8:37 pm, DDoS Attack on Myanmar Takes the Country Offline | Your Shopping Resource said:

[…] Networks said in a blog post says that the attacks targeted the main Internet provider, the Ministry of Post and […]

November 04, 2010 at 8:47 pm, Burma: Netzattacke legt Internet lahm- Wahlen am 7. November | Online Presseportal said:

[…] against companies is not uncommon, but an attack on entire countries is certainly unusual. Dr. Craig Labovitz of Arbor Networks reports that the Burma network's data transfer rate of 45 Mbits per second […]

November 04, 2010 at 9:32 pm, DDOS Attack on Myanmar Takes the Country Offline- The Hackers Edge said:

[…] The main Internet provider for Myanmar, the southeast Asian nation formerly known as Burma, has been under severe denial of service attack for some time now, according to the Myanmar Times. A blog post by Arbor Networks goes into technical detail about the attacks. […]

November 05, 2010 at 1:26 am, Peter said:

Which groups gain in this attack?
1. Activist groups? May not. Because they lose information from inside Burma.
If they did, they could be an idiot.

2. Government? May be. Because they don’t need more information flow to the world for incoming election? You’ll be the judge.

November 05, 2010 at 7:57 am, La Birmanie coupée de l’Internet said:

[…] See also the Arbor SERT post […]

November 05, 2010 at 12:24 pm, Yves said:

What is the situation today (Nov 5th) ? Has traffic in and out of Burma been restored ?
Thank you

November 05, 2010 at 2:01 pm, Bob Jones said:

Arbor Networks provides equipment that is proven to mitigate these attacks. There are numerous service providers using the equipment (Adversor.net is one example). Why aren’t those responsible for networks taking the threat seriously and investing in protection? Some services are cloud-based and don’t even require up front investment. With the potential cost of an attack being so high, it seems illogical not to be protected.

November 05, 2010 at 3:54 pm, Myanmar se queda callado por ataques de DDoS | bSecure said:

[…] according to Craig Labovitz, security analyst for Arbor Networks, since late October media outlets of […]

November 05, 2010 at 4:12 pm, Ataques de DDoS tiran sistemas de comunicación en Myanmar | www.Netmedia.info said:

[…] according to Craig Labovitz, security analyst for Arbor Networks, since late October media outlets of […]

November 05, 2010 at 10:06 pm, Burma knocked out of DDoS Attack | GiXtech.org said:

[…] arbornetworks.com No related content found. Bookmark on Delicious Digg this post Recommend on Facebook Buzz it up […]

November 06, 2010 at 3:02 am, Digital Democracy | Burma/Myanmar Technology Research said:

[…] the lead up to elections in the country, information access is becoming more suspect. Arbor Networks points out that the county once again fell off the Internet. Over the course of the past several days, their […]

November 07, 2010 at 3:15 am, Cyberattack Cripples Myanmar’s Servers, Just in Time for Election | Tech News Daily said:

[…] servers seem to have fallen prey to a Distributed Denial of Service (DDoS) attack that was “several hundred times” bigger than would be necessary to take down Myanmar’s frail network. At this point, […]

November 07, 2010 at 1:31 pm, Burma hit by massive net attack | News Directory said:

[…] Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of transfer was "numerous hundred times more than enough" to swamp these links. […]

November 08, 2010 at 4:59 am, Ddos-aanvallen leggen internet in Birma lam » Clippy.be said:

[…] on the network of the national Burmese telecom company is said to be many times larger. According to the firm Arbor Networks, the DDoS attacks are said to have, during peaks, data traffic of 10 to 15 Gbps […]

November 08, 2010 at 8:32 am, Uma série de ataques DDoS contra Burma | Coruja de TI said:

[…] arbornetworks […]

November 08, 2010 at 11:48 am, kpt said:

please help our country’s web system to improve and be a never failed one. We need to use everyday for updated information. Thanks very much for your kind help.

November 11, 2010 at 11:35 am, TheWay said:

Makes one cry to see how people are abused by stripping them from anything that can be helpful. There are people fighting against such things. Hopefully more will emerge, it’s a gruesome battle.

November 11, 2010 at 4:08 pm, Myanmar cut off the Internet ahead of elections « Axxera Inc. said:

[…] to Craig Labovitz, Burmese T3 terrestrial and satellite links have a 45 Mbps throughput, and they are currently being […]

November 12, 2010 at 6:13 am, Links for week ending 12 November 2010 | The Barefoot Technologist said:

[…] Attack severs Burmese internet Distributed denial of service (DDoS) attacks targeting Burma’s main internet service provider effectively took Burma offline last week. Security specialists Arbor Networks report: “While the motivation for the attack is unknown, Twitter and Blogs have been awash in speculation ranging from blaming the Burma/Myanmar government (preemptively disrupting internet connectivity ahead of the November 7 general elections), to external attackers with still mysterious motives” […]

November 12, 2010 at 3:47 pm, jim trexler said:

I couldn’t help but notice in the top of the article (and the traffic snapshot) you give four IP ranges. Oddly, they are all allocated to Estonia. My big list has only three for Myanmar/Burma/whatever total.

November 12, 2010 at 4:28 pm, jim trexler said:

Oops, my bad – exclude the comment about the snapshot as it is in Myanmar.

November 15, 2010 at 12:12 pm, Nathan Griffiths said:

I’m working on an article for the JMSC at the University of Hong Kong. Do you know if the DDoS attacks are still ongoing? I’m still not able to connect to the MPT website (www.mcpt.gov.mm) & Google’s cached version is from Oct 28.

I would be very interested to learn of any updates on the attacks that you are aware of.

Thanks very much,
Nathan

November 16, 2010 at 3:19 pm, Tomas Finger said:

Foreign Policy Question. Does anyone know of discussions with the State Department to help assist country’s ability to prevent DDoS attacks? Or at least a public response to the attacks? Although there are economic sanctions against Myanmar, assisting the country’s ability to handle internet traffic would aid the democratic elections, and allow for more intent freedom in the country. Craig, is it feasible for an outside agency to help a country’s traffic capabilities? Thoughts?

November 23, 2010 at 8:56 am, Minn Kyaw said:

you should read it too…
http://bma-ebook.googlecode.com/files/rap_birmanie-2.pdf
best;
MK

November 25, 2010 at 7:32 pm, test « study4cyberwar said:

[…] Attack Severs Burma Internet article(11/2010) […]

December 08, 2010 at 6:23 am, ace said:

It is related to political issues. The government of Burma could also use any reason to ban the internet from being accessed by their people, so they can’t communicate with other people outside the country.

December 23, 2010 at 11:04 am, The Internet Goes to War | Data Protection and Recovery Center said:

[…] the Internet and DDoS used as means of protest, censorship, and political attack is cause for concern […]

January 28, 2011 at 5:23 pm, Egitto: Internet bloccato, ecco i dati del crollo said:

[…] Network had recorded the same behavior by service providers on the occasion of the uprisings in Burma and […]

January 30, 2011 at 7:47 am, Egitto: Internet bloccato, ecco i dati del crollo « Bestiale: said:

[…] Network had recorded the same behavior by service providers on the occasion of the uprisings in Burma and […]

February 02, 2011 at 5:30 pm, GiulianovaNews » Blog Archive » Egitto. segnalo un grafico realizzato da Arbor Networks, leader nelle soluzioni per il controllo della sicurezza delle reti mondiali, che mostra come alle h 17.20 del 27 Gennaio il traffico Internet da e verso l said:

[…] those that had occurred in Iran (/blog/asert/2009/08/1132/) or in Burma (/blog/asert/2010/11/attac-severs-myanmar-internet/), we invite you to visit the Arbor Networks blog: […]

Comments are closed.