By Robert Vamosi
Special to CNET News.com
May 29, 2007
Newsmaker - When it comes to denial-of-service attacks, Jose Nazario has
seen just about everything.
As senior security researcher at Arbor Networks, Nazario closely
monitors network attacks. A denial-of-service, or DoS, attack occurs
when someone directs a large number of requests to a target URL so
quickly that the Web server can't respond, and the site becomes
A distributed denial-of-service, or DDoS, attack occurs when hundreds or
thousands of compromised computers are enlisted. Arbor Networks has a
tool called the Active Threat Level Analysis System that enables Nazario
to collect information on DoS attacks worldwide.
On April 27, officials in Estonia relocated the "Bronze Soldier," a
Soviet-era war memorial commemorating an unknown Russian who died
fighting the Nazis. The move incited rioting by ethnic Russians and the
blockading of the Estonian Embassy in Moscow. The event also marked the
beginning of a large and sustained distributed denial-of-service attack
on several Estonian national Web sites, including those of government
ministries and the prime minister's Reform Party.
Nazario was one of the first to publish information about those
cyberattacks. He spoke with CNET in the wake of the events in Estonia.
Q: Have there been any previous attacks comparable to the cyberattack
situation in Estonia?
Nazario: Compared to larger, higher-profile attacks, it isn't
necessarily larger than the rogue DNS (domain name system) server attack
this past winter, no larger than the attacks resulting from the Olympics
a few years ago with the Apolo Ohno controversy. (In 2002 at the Salt
Lake City Games, Ohno won the gold medal in the 1,500-meter
speed-skating race after South Korean Kim Dong-Sung was disqualified;
soon after, several United States-based servers were hit with a DDoS
attack from machines that appeared to be based in South Korea.
The Estonia attacks certainly are overwhelming and crippling many of
those sites in Estonia based upon the resources that they have. But it's
the background nature of those attacks that's novel, in comparison to
other denial-of-service attacks.
There's no extortion going on. They're not demanding to the Ministry of
Finance, the Ministry of Agriculture, "Pay us $50 million, or we keep
this up." They're not trying to disrupt e-commerce--they're making a
So the size isn't necessarily groundbreaking. We're talking about 100 or
200 megabits per second. Looking at our infrastructure surveys that we
have published--and we have one going on currently for release later
this year--we have seen that this is on the low side of an average size
of attack on providers that we talk to, who run our products or don't
run our products, who participate in our survey. It's kind of a
Would the Estonia event be comparable to the India-Pakistan
cyberconflict of a few years ago? I recall volleys of nationalistic
viruses sent between the two countries with some DoS attacks thrown in.
Nazario: Yes, definitely, though it's probably more applicable to the
Apolo Ohno situation, where you have a nationalistic driver behind the
DDoS attack. We saw some specific tools created (for the Olympic
attack), as well as some botnets that were under the control of people
who were emotionally attached to the events. Attacks were launched
against a specific target based upon national interests or based upon
A recent blog of yours suggested that a variety of different DoS methods
were used on the Estonia sites. Does that support the theory that random
sympathetic individuals, say in Russia, may be behind the attacks, as
opposed to an organized, coordinated attack?
Nazario: Not necessarily. While we do think the Estonian attacks are due
to multiple, different kinds of botnets, or different tools or different
groups, all with sort of a same angle behind them, the fact that the
attacks are different in their nature isn't necessarily the indication
there that comes from other kinds of analysis.
We have, in the past, seen DoS attackers interested in keeping their
attack effective by changing the tactics as they go along. And they will
keep on changing the attack as it goes on.
They'll change locations, if they have a big enough botnet; sources, if
they can overwhelm the defenses that selectively look at different kinds
of sources; or the individual traffic types or packet types to overwhelm
protocol-based defenses on the perimeter of the network.
That said, we have seen evidence suggesting that there were multiple
botnets and tools--both botnet-related and not botnet-related--behind
the Estonian attacks. We have seen this based upon some analysis of
existing botnets that we and others are tracking, as well as monitoring
forums and software releases where people are encouraging others to show
their displeasure with Estonia--in this case, by launching these
Might we see other DDoS attacks in the very near future? Or is the
Estonian situation just a one-off, a response to a specific event?
Nazario: I don't think it's a one-off. You mentioned the India-Pakistan
issues; I mentioned the South Korean Olympic issues from several years
ago. We have seen this kind of thing before. You look around the globe,
and there's basically no limit to the amount of skirmishes between
well-connected countries that could get incredibly emotional for the
population at large.
In this case, it has disrupted the Estonian government's ability to work
on online, it has disrupted a lot of its resources and attention. In
that respect, it's been effective. It hasn't brought the government to a
crippling halt, but has essentially been effective as a protest tool.
People will probably look at this and say, "That works. I think we're
going to continue to do this kind of thing." Depending on the target
within the government, it could be very visible, or it could not be very
Some countries are probably better equipped to handle this than others.
We monitor thousands of DoS events each day in our ATLAS system that
comes from our installations around the world and our sensors around the
world. The bulk of them are things that are against people you wouldn't
even know or existed--just random people, people on broadband
lines--where someone gets upset with them online and says "I'm going to
make your life uncomfortable for the next hour or two."
We do see attacks against big corporations and big governments, and if
you look at those attacks, some of them are probably politically
motivated as a way of speaking out. I don't think this is going to
become as common as seeing people on the streets. But it's something
that some governments have to consider much more than I think they
needed to five years ago.
You mentioned distractions. Is it a matter of the Estonian government
sites filtering their traffic?
Nazario: It's not just within the Estonian government but also within
their providers. The Estonian providers are, of course, working with a
much larger community--the European providers, the North American
providers (and) Asian providers that give them inbound traffic as well
as the attack traffic. They're working with people to identify the root
cause of these attacks and shut them down, as well as push the traffic
back even further to alleviate those problems without disrupting normal
service. The number of people required to help them do this is rather
high, given the size of the staff that they have and that they don't
normally see those kinds of things.
A couple of Estonian service providers have been under denial-of-service
attack for the past six months to a year, by a virus called Allaple, and
we're not clear as to what the author's trying to do other than upset
some people in Estonia. It doesn't appear to have as clear a cause or
reason behind it as these recent attacks against the Estonian government
We know that they're scrambling, and we're working with folks from the
Estonian Computer Emergency Response Team and the region, as well as the
Estonian providers, to deal with it. We know that they've been working
on this for quite a while, a number of weeks, really reaching out, and
it is a very high-focus, high-priority item for them.
The attacks haven't stopped, have they?
Nazario: We know they haven't stopped, but we're not seeing them with
such intensity right now.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com