Cyber-warfare is a growing concern for security authorities all around the world. Beginning on April 27th, 2007, Estonia became the first country to fall victim to a co-ordinated cyber-attack, which lasted two weeks. “The attacks began on the day that Estonia authorities removed a Soviet-era war monument that had been the source of protests and diplomatic tensions with Russia for months. The government removed the monument, known as the Bronze Soldier, after a night of violent clashes and looting that ended with scores of arrests and the death of one protester. [1 – Cyberattack on Estonia stirs fear of ‘virtual war’]”. Following the protests, a new problem arose as major websites within the country became inaccessible. “Such politically motivated attacks by organized hacker networks — known to specialists as “hactivism” — were also seen against Danish Web sites after the publications of cartoons of the Prophet Mohammed in a magazine. [2 – Analysis: Who cyber smacked Estonia?]”.
This paper will describe the attack and the vulnerability exploited by the hackers as well as the mechanisms and procedures owners or administrators of the system could use to prevent such an attack from being successful.
The cyber-attacks on Estonia were the result of hackers who, for political or personal reasons relating to the recent events, wanted to disrupt online services in the country in order to make a statement. Many websites were defaced or vandalized through various methods such as comment spamming or SQL injection attacks. While these attacks caused damage, the ones which caused the most significant problems were the DDoS attacks which “swamped the websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters [3 – Cyberattacks on Estonia 2007]”. The DDoS attacks used “global networks (known as botnets) of compromised computers (known as slaves or zombies), often owned by careless individuals [2]”, in order to flood Estonian servers with millions of packets of data per second. “This was not the first botnet strike ever, nor was it the largest, but never before had an entire country been targeted on almost every digital front all at once. [4 – Hackers Take Down the Most Wired Country in Europe]”.
The reason this attack was so successful was that “Estonia did not have a large base of computers comprising its infrastructure; meaning it was not very distributed and therefore any attack could affect them on a large scale [5 – Estonian Attacks Raise Concern Over Cyber ‘Nuclear Winter’]”. In this case, the attacks were co-ordinated against the networks of many Estonian websites, such that nearly everyone in the country was affected in one way or another. While many organizations saw their web servers crash and go down for hours or days at a time, citizens also found many of the online services they relied on daily unavailable. The attacks therefore caused disruption for everyone, which resulted in significant economic damage since virtually no online business transactions could be processed for several days. Also, any businesses earning revenue through online advertisements on their websites saw that income disappear while their websites were down.
The majority of the damage from the cyber-attacks was caused by the use of botnets. A botnet is a “collection of compromised computers running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet’s originator can control the group remotely, usually through a means such as IRC and usually for nefarious purposes [6 – Botnet]”. In the case of the cyber-attacks on Estonia, multiple botnets were used to launch a Distributed Denial of Service (DDoS) attack. A Denial of Service (DoS) attack is an attack in which a network is flooded with as many requests as possible, such that the network becomes so slow it is effectively unable to respond to legitimate requests. A DDoS attack works the same way; however, instead of one system sending the requests, thousands of compromised systems flood a network's bandwidth, making it crash under the enormous load or become so slow that it is equivalent to being unavailable or offline. In order for these requests to travel from the compromised computers to their destination targets, the packets must pass through many networks. Therefore, even though the attackers could not target every network within Estonia, by hitting many of the major websites, all the incoming packets also caused congestion on the networks they needed to traverse on the way to their targets within Estonia. Even websites which were not attacked ended up being unresponsive because congestion was blocking the paths needed to reach them.
In order to bring systems back online within Estonia, companies were forced to block all traffic coming from outside of Estonia. This is because the DDoS attacks were being launched from infected systems throughout the world, the large majority of which had IP addresses outside of the country. By blocking this traffic, they were able to bring their systems back online, but they were also blocking all legitimate users from outside the country from accessing their networks. In the meantime, security specialists were doing their best to track down where the compromised computers were, so that they could then contact the responsible Internet Service Providers to have them block the user and notify them about the infection on their machine. “Cooperation between Private groups and public agencies is essential in defending against cyber-attacks, according to one security researcher [Gadi Evron] [7 – Black Hat 2007: Lessons of the Estonian attacks]”. The attacks against Estonia could have been much worse if all the involved agencies throughout the world had simply ignored the fact that their networks were passing on illegitimate traffic on its way to Estonia. By working together, it was possible, not to find who launched the attack, but at least to find where the traffic was coming from and then block these paths one at a time while tracing back to as many infected machines as possible.
Defending against a DDoS attack is very difficult. “From a philosophical perspective, if the attacker’s pipe is bigger than the defender’s pipe, the attacker can always knock out the defender [8 – Mydoom lesson: Take proactive steps to prevent DDoS attacks]”. One way to help defend against such an attack is simply to anticipate that it may be coming and to therefore always be prepared by setting aside extra bandwidth and processing power that can then deal with sudden surges in traffic. “Another is to “retreat from your domain name” and essentially park your Web site at another address while the attack plays out [8]”. Finally, the best method to protect against a DDoS attack, but also the most expensive, is “geographically distributing Web servers such that even if one server or network segment is taken down by an attack, normal traffic can be redirected to other servers [8]”.
While system administrators can try the different approaches mentioned above to minimize the impact of a DDoS attack, there is no way for them to prevent the attack, because the requests flooding them come from so many different networks that it is impossible to determine which are legitimate and which are not. In fact, there are many known cases of legitimate traffic crashing web servers in the same manner that a DDoS attack would. For example, there is a well-known unintentional problem known as the “Slashdot Effect”, which is what happens when the popular website Slashdot.org posts an article linking to a website. Slashdot.org has a very powerful server to handle all of its traffic. Since Slashdot.org has such a large readership, when it links to a website, many thousands of people will click the link to visit the destination! If the website suddenly receiving this surge in traffic does not have a powerful enough server, all the people trying to visit it will cause the server to become extremely slow or crash. Therefore, “the long-term answer to DDoS protection has to be in the [service provider] networks and backbones, because upstream service providers are in a better position to detect and choke off traffic directed at a specific IP address [8]”.
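As an added illustration of the defender-side work described above (the tracing of attack sources for ISP notification and the upstream detection of traffic aimed at one IP address), the following Python sketch is not from the original paper. It runs over constructed flow records, flags the destination whose per-second packet rate spikes, ranks the sources hitting it, and estimates what fraction of that traffic a block on non-domestic addresses would shed; the prefixes, threshold and flow data are all assumptions.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed flow records: (second, src_ip, dst_ip, packets). Not real data;
# documentation ranges (RFC 5737) are used for every address.
FLOWS = [
    (0, "203.0.113.5", "198.51.100.10", 400),
    (0, "203.0.113.6", "198.51.100.10", 380),
    (0, "192.0.2.7", "198.51.100.10", 3),
    (1, "203.0.113.5", "198.51.100.10", 420),
    (1, "203.0.113.9", "198.51.100.10", 350),
    (1, "192.0.2.8", "198.51.100.10", 2),
    (1, "192.0.2.9", "198.51.100.20", 5),
]

# Hypothetical prefixes standing in for the defender's own country's address space.
DOMESTIC = [ipaddress.ip_network("192.0.2.0/24")]


def is_domestic(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DOMESTIC)


def flagged_destinations(flows, pps_threshold):
    """Map each destination whose peak packets-per-second exceeds the threshold to that peak."""
    per_sec = defaultdict(Counter)
    for sec, _, dst, pkts in flows:
        per_sec[dst][sec] += pkts
    return {dst: max(c.values()) for dst, c in per_sec.items()
            if max(c.values()) > pps_threshold}


def source_report(flows, dst):
    """Sources hitting dst, sorted by volume, plus the share a foreign-only block would drop."""
    by_src = Counter()
    for _, src, d, pkts in flows:
        if d == dst:
            by_src[src] += pkts
    total = sum(by_src.values())
    foreign = sum(p for s, p in by_src.items() if not is_domestic(s))
    return by_src.most_common(), (foreign / total if total else 0.0)


if __name__ == "__main__":
    for target, peak in flagged_destinations(FLOWS, 500).items():
        sources, foreign_share = source_report(FLOWS, target)
        print(f"{target}: peak {peak} pps, {foreign_share:.1%} foreign")
        for src, pkts in sources:
            print(f"  {src:15} {pkts:6} packets  {'domestic' if is_domestic(src) else 'foreign'}")
```

The ranked source list is what the Estonian defenders had to assemble by hand before contacting upstream ISPs; the foreign share shows why a blanket block on outside addresses restored service at the cost of cutting off legitimate foreign users.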