The Effects of War: Gaza and Israel

The ongoing Israeli-Gaza crisis has had an effect, it seems, on Internet activity. Our monitors have been crunching all sorts of data, some of it related to Israel and the conflict in Gaza. Many reports have already analyzed the wave of website defacements around this conflict, so we won't cover those here.

We were motivated by a couple of things, the first being a series of reports about the disruptions to power and telecommunications caused by the Israeli bombing campaign, specifically these two articles: "Gaza telecommunication systems offline" from Turkish Weekly, and "Gaza close to losing phone contact" via the Press Association. With this in mind, I went ahead and looked at the reachability of IP prefixes assigned to the Palestinian Territories. What I did was enumerate all of the prefixes, then generate a random IP address in each prefix and traceroute to it. If I could reach the IP prefix network, the node is marked in blue in the graphic below. If not, it ends in a “*”, the all-too-familiar “hop missing” marker that we see in traceroute.

ps_traceroute_reachability.png

The routers that can’t find their next hop on the way to the Palestinian Territories are listed here, together with their ASN, network name, and country code:

ASN     | IP               | CC | Network name
1239    | 144.232.13.64    | US | SPRINTLINK - Sprint
8551    | 192.117.239.146  |    | BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
1680    | 212.143.12.104   | IL | NetVision Ltd.
1680    | 212.143.12.4     | IL | NetVision Ltd.
8584    | 212.150.38.22    | IL | BARAK Netvision 013 Barak - Barak Network
8584    | 212.150.42.18    | IL | BARAK Netvision 013 Barak - Barak Network
1680    | 212.235.97.197   | IL | NetVision Ltd.
20965   | 62.40.124.242    | EU | GEANT The GEANT IP Service
3549    | 64.210.14.94     | US | GBLX Global Crossing Ltd.
15975   | 82.102.199.51    | PS | Palnet Communications Ltd. AS Number
12975   | 82.213.1.106     | PS | PALTEL-AS PALTEL Autonomous System
47253   | 93.184.0.138     | PS | BNET-AS Bnet AS Number

You can see that some of them are right there, either in Israel or the Palestinian Territories (PS), but a couple are far away, in Europe or the US. Note that I don’t know which prefixes end up in Gaza and which in the West Bank, nor do I know how stable the prefixes are. This is just a snapshot at this point in time from a network using Sprint as an upstream.

Note that this isn’t BGP analysis, just traceroute analysis. Danny tells me he didn’t see massive BGP disruptions for the PS prefixes we analyzed (the same ones from the above traceroute study).
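The measurement described above (pick a random address in each prefix, traceroute to it, record where the path stops), as an added example that is not the author's tooling. It assumes `traceroute -n` style output, treats a prefix as reachable when a responding hop falls inside it, and runs on constructed traces over documentation and benchmark address ranges; the function names are hypothetical.

```python
import ipaddress
import random
import re
from collections import Counter

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<ttl>  <rest of hop line>"
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # first IPv4 address on the line

def random_target(prefix, rng=random):
    """Pick a random host address inside an IPv4 prefix (skips network/broadcast)."""
    net = ipaddress.ip_network(prefix)
    if net.num_addresses <= 2:
        return str(net[0])
    return str(net[rng.randrange(1, net.num_addresses - 1)])

def last_responding_hop(trace_text):
    """Return the IP of the last hop that answered, or None if every hop was '*'."""
    last = None
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)          # header and blank lines do not match
        ip = IP_RE.search(m.group(2)) if m else None
        if ip:
            last = ip.group(0)
    return last

def survey(traces):
    """traces: {prefix: traceroute output} -> (reachable prefixes, Counter of stall routers)."""
    reachable, stalled = [], Counter()
    for prefix, text in traces.items():
        hop = last_responding_hop(text)
        if hop and ipaddress.ip_address(hop) in ipaddress.ip_network(prefix):
            reachable.append(prefix)    # a hop inside the prefix answered
        else:
            stalled[hop] += 1           # last router seen before the '*' hops
    return reachable, stalled

# Constructed traceroute output; every address here is a sample value.
SAMPLE = {
    "192.0.2.0/24": """traceroute to 192.0.2.77 (192.0.2.77), 30 hops max
 1  198.51.100.1  0.41 ms  0.39 ms  0.37 ms
 2  203.0.113.9  12.1 ms  12.0 ms  12.3 ms
 3  192.0.2.77  50.2 ms  50.1 ms  50.4 ms""",
    "198.18.4.0/24": """traceroute to 198.18.4.200 (198.18.4.200), 30 hops max
 1  198.51.100.1  0.40 ms  0.38 ms  0.41 ms
 2  203.0.113.9  12.2 ms  12.1 ms  12.0 ms
 3  * * *""",
}

print(random_target("192.0.2.0/24"), survey(SAMPLE))
```

Counting the stall routers across many prefixes gives a list of the same shape as the table above: the last router that answered before the path went dark.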

As for DDoS activity, we’re seeing no major upticks in measured traffic to IL or PS prefixes and ASNs, but we are seeing a couple of botnets pound away on IL targets: the botnet C&C at h278666y.net is commanding its members to ICMP flood this host:

ns1.undaground.co.il A 212.199.206.200
ns3.metahost.co.il A 212.199.206.200

And the C&C at ddosmanager.org commanded its members to strike this host a few days ago:

poptraf.net A 212.150.34.56
poptraf.net NS ns1.nameself.com
poptraf.net NS ns2.nameself.com

Finally, we have been told about a website, “Help Israel Win”, that is using DDoS and a simple-to-use Windows tool to target PS and related websites. Users can download and “join the cause”, just like we’ve seen elsewhere (RU-GE, RU-EE, CN-CNN, etc).

HelpIsraelWinSite.png

Cyberwar enters yet another event, but so far there are no major new twists on the theme.
