The Effects of War: Gaza and Israel
The ongoing Israeli-Gaza crisis has had an effect, it seems, on Internet activity. Our monitors have been crunching all sorts of data, some of it related to Israel and the conflict in Gaza. Many reports are out and have analyzed a wave of website defacements around this conflict, so we won't cover those here.
We were motivated by a couple of things, the first being a series of reports about the disruptions to power and telecommunications by the Israeli bombing campaign, specifically these two articles: “Gaza telecommunication systems offline” from Turkish Weekly, and “Gaza close to losing phone contact” via the Press Association. With this in mind, I went ahead and looked at the reachability of IP prefixes assigned to the Palestinian Territories. What I did was enumerate all of the prefixes, then generate a random IP address in the prefix and traceroute to it. If I could reach the IP prefix network, the node is marked in blue in the graphic below. If not, it ends in a “*”, the all-too-familiar “hop missing” marker that we see in traceroute.
The routers that can’t find their next hop on the way to the Palestinian Territories are listed here, together with their ASN, network name, and country code:
1239 | 126.96.36.199 | US | SPRINTLINK - Sprint
8551 | 188.8.131.52 | | BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
1680 | 184.108.40.206 | IL | NetVision Ltd.
1680 | 220.127.116.11 | IL | NetVision Ltd.
8584 | 18.104.22.168 | IL | BARAK Netvision 013 Barak - Barak Network
8584 | 22.214.171.124 | IL | BARAK Netvision 013 Barak - Barak Network
1680 | 126.96.36.199 | IL | NetVision Ltd.
20965 | 188.8.131.52 | EU | GEANT The GEANT IP Service
3549 | 184.108.40.206 | US | GBLX Global Crossing Ltd.
15975 | 220.127.116.11 | PS | Palnet Communications Ltd. AS Number
12975 | 18.104.22.168 | PS | PALTEL-AS PALTEL Autonomous System
47253 | 22.214.171.124 | PS | BNET-AS Bnet AS Number
You can see that some of them are right there, either in Israel or the Palestinian Territories (PS), but a couple are far away, in Europe or the US. Note that I don’t know which prefixes end up in Gaza and which in the West Bank, nor do I know how stable the prefixes are. This is just a snapshot at this point in time from a network using Sprint as an upstream.
Note that this isn’t BGP analysis, just traceroute analysis. Danny tells me he didn’t see massive BGP disruptions for the PS prefixes we analyzed (the same ones from the above traceroute study).
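The measurement described above (one random address per prefix, a traceroute to it, and a note of where the path stops answering), as an added sketch that is not the tooling used for this post. The prefixes and traceroute outputs are constructed from documentation address ranges, the live traceroute call is left out so the code runs offline, and treating "reached" as "some answering hop lies inside the prefix" is an assumption.

```python
import ipaddress
import random
import re

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def random_target(prefix, rng=random):
    """Pick one random address inside a CIDR prefix."""
    net = ipaddress.ip_network(prefix)
    return net[rng.randrange(net.num_addresses)]

def parse_hops(output):
    """Return [(hop_number, address or None)] from `traceroute -n -q 1` text."""
    hops = []
    for line in output.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():  # skip the banner line
            m = IPV4.search(line)  # no match means the hop answered only "*"
            addr = ipaddress.ip_address(m.group()) if m else None
            hops.append((int(tokens[0]), addr))
    return hops

def classify(prefix, output):
    """Assumption: 'reached' means some answering hop lies inside the prefix."""
    net = ipaddress.ip_network(prefix)
    answered = [a for _, a in parse_hops(output) if a is not None]
    last = str(answered[-1]) if answered else None
    return {"prefix": prefix, "reached": any(a in net for a in answered),
            "last_hop": last}

# Constructed sample outputs (documentation address ranges, not real measurements).
SAMPLE_REACHED = """traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  192.0.2.1  0.41 ms
 2  198.51.100.9  11.2 ms
 3  203.0.113.1  58.9 ms
 4  *
"""
SAMPLE_DARK = """traceroute to 198.51.100.200 (198.51.100.200), 30 hops max, 60 byte packets
 1  192.0.2.1  0.39 ms
 2  192.0.2.254  10.8 ms
 3  *
 4  *
"""

if __name__ == "__main__":
    print(random_target("203.0.113.0/24"))
    print(classify("203.0.113.0/24", SAMPLE_REACHED))
    print(classify("198.51.100.0/24", SAMPLE_DARK))
```

For an unreached prefix, `last_hop` is the last router that answered, which is the kind of entry the table above lists with its ASN and country code.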
As for DDoS activity, we’re seeing no major upticks in measured traffic to IL or PS prefixes and ASNs, but we are seeing a couple of botnets pound away on IL targets. The botnet C&C at h278666y.net is commanding its members to ICMP flood this host:
ns1.undaground.co.il A 126.96.36.199
ns3.metahost.co.il A 188.8.131.52
And the C&C at ddosmanager.org commanded its members to strike this host a few days ago:
poptraf.net A 184.108.40.206
poptraf.net NS ns1.nameself.com
poptraf.net NS ns2.nameself.com
Finally, we have been told about a website, “Help Israel Win”, that is using DDoS and a simple-to-use Windows tool to target PS and related websites. Users can download and “join the cause”, just like we’ve seen elsewhere (RU-GE, RU-EE, CN-CNN, etc.).
Cyberwar enters yet another event, but so far there are no major new twists on the theme.
- Israel/Hamas battle goes Web 2.0 from ArsTechnica
- Israeli news site down, blames cyber attack, on C|Net; also see Cyber Attacks Coincide with Israel’s Attack on Gaza from Never Yet Melted.
- Muslim hackers attack Israeli websites as Gaza strikes continue, from SC Magazine
- More Attacks on Israeli Websites via the blog Politically Motivated Computer Crime and Hacktivism
- On Cyber War from the MCW Research blog discussing these attacks and if they rise to the level of warfare