8/13/2019 NANOG-eesti
1/21
Cyber Attacks on Estonia
Short Synopsis
Merike Kaeo
-
Agenda
Some Statistics of Connectivity
Quick Timeline of Events
Some Traffic Graphs
Planning and Preparation
Attack Analysis
Some Thoughts
-
Where Is Estonia?
-
Some Statistics
Size
- Population: 1,324,333
- Area: 45,000 sq km (260 km east-west, 240 km north-south)
Internet Coverage
- 1080 WiFi covered areas: http://www.wifi.ee/?p=area&lang=eng
- 95% WiMax coverage: http://www.wifi.ee/?p=area&lang=eng, http://www.elion.ee/docs/traadita_interneti_tugijaamad.gif, http://www.norby.ee/wimax/kaart3.html
- 98% CDMA EV-DO: http://www.televork.ee/?id=131
Internet Usage
- 99% for banking
- 100% for government
- 5.5% Internet voting in 2/07 elections
- 86% of 2006 taxes done online
- Project Tiger Leap (1993)
-
Tallinn Internet eXchange
-
Network Map - Government
-
Timeline of Events
Dates marked on the timeline: April 26, May 9, May 11, May 18, May 23
Events in order along the timeline:
- Usual types of attacks
- Cyber attacks increase
- Large-scale cyber attack starts midnight Moscow time
- Paid BotNet time ends
- Some more attacks
- Apparent end to 3-week deluge
(Note: Timeline not to scale)
Typical Attacks
- Phishing
- Email SPAM
- Web site defacing
- SYN / ICMP floods
- BotNets
-
April 27, 2007
(one normal day and Sat attack)
-
April 28-30, 2007
(First night of attack until Monday)
-
Measuring bps (May 2, 2007)
-
Paid Time End - May 11th
-
Sample Google Search
Need to know Russian but try it:
Search string:
http://www.google.com/search?q=pinguem+estonskie+servera
-
Ping pps (April 28-30, 2007)
-
Ping bps (April 28-30, 2007)
-
Attack Data (May 8-9, 2007)
After filtering ICMP, ~4 Mpps became ~1.2 Mpps
After packet scrubbing, ~1.2 Mpps became ~150 kpps (23:37)
After packet scrubbing, ~1.2 Mpps became ~3 kpps (03:09)
High-level analysis
- ~3 Mpps of pure ICMP echo
- ~1 Mpps of pure SYN (probably)
- ~150 kpps needs closer analysis
- From ~4 Mpps only ~3 kpps is not attack
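As an added example that is not part of the talk, the breakdown on this slide expressed as detection logic over per-destination flow summaries: what an ICMP echo filter would remove, what SYN scrubbing would remove, and the residual rate left for closer analysis. The addresses, rates and thresholds are constructed assumptions, not the Estonian measurements.

```python
"""Added example: per-destination breakdown of a packet flood into ICMP echo,
SYN-only, and a residual for closer analysis, as on the May 8-9 slide."""
from collections import defaultdict

# Constructed flow summaries (dst proto tcp_flags pps), not the talk's data
SAMPLE_FLOWS = """\
198.51.100.10 icmp echo-request 2950000
198.51.100.10 tcp S 980000
198.51.100.10 tcp SA 1500
198.51.100.10 udp - 140000
198.51.100.20 tcp S 12000
198.51.100.20 tcp SA 11000
198.51.100.20 tcp PA 30000
"""
ICMP_FLOOD_PPS = 100_000   # assumed echo-request rate no client population produces
SYN_TO_SYNACK_RATIO = 5.0  # assumed: SYN-only far outnumbering SYN/ACK = half-open flood

def parse_flows(text):
    """Yield (dst, proto, flags, pps) from one-line flow summaries."""
    for line in text.splitlines():
        dst, proto, flags, pps = line.split()
        yield dst, proto, flags, int(pps)

def classify(text):
    """Per destination: what an ICMP filter removes, what SYN scrubbing
    removes, and the residual pps left for manual analysis."""
    buckets = defaultdict(lambda: {"icmp_echo": 0, "syn": 0, "synack": 0, "total": 0})
    for dst, proto, flags, pps in parse_flows(text):
        b = buckets[dst]
        b["total"] += pps
        if proto == "icmp" and flags == "echo-request":
            b["icmp_echo"] += pps
        elif proto == "tcp" and flags == "S":
            b["syn"] += pps
        elif proto == "tcp" and flags == "SA":
            b["synack"] += pps
    report = {}
    for dst, b in buckets.items():
        icmp_flood = b["icmp_echo"] if b["icmp_echo"] >= ICMP_FLOOD_PPS else 0
        # Guard the zero-SYN/ACK case: SYNs with no handshake completing at all
        ratio = b["syn"] / b["synack"] if b["synack"] else float("inf")
        syn_flood = b["syn"] if b["syn"] and ratio >= SYN_TO_SYNACK_RATIO else 0
        after_icmp = b["total"] - icmp_flood
        report[dst] = {"total": b["total"], "icmp_echo_flood": icmp_flood,
                       "after_icmp_filter": after_icmp, "syn_flood": syn_flood,
                       "residual": after_icmp - syn_flood}  # needs closer analysis
    return report
```

Calling classify(SAMPLE_FLOWS) attributes the first target's ~4 Mpps to ICMP echo and SYN-only traffic with ~141 kpps left over, while the second target's SYN rate is matched by SYN/ACKs and is left alone.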
-
Planning and Preparation
Meetings held April 30, 2007 with mobile phone, ISPs, DNS *.ee, banks and Central Criminal Police, Security Police Board, the Information Board
May 2, 2007: same folks, to introduce the 2nd CERT contact while the primary was at a meeting in Prague (TF-CSIRT & CE CERT)
What was decided?
- No sudden actions or thoughts
- If there is a prepared crisis plan, use it; if not, use common sense
- If something goes down and it is not really vital, let it be down until there is enough free time to bring it back up
- Everybody understood his role and the need for cooperation since it's been done before (i-voting)
-
Technical stuff
Where was traffic measured? Ingress points into the Estonian network
Other data points:
- www.president.ee 200 Mbps (2 Mb line)
- www.valitsus.ee 1.3 Gbps (Akamai)
How does it compare to other DDoS incidents?
- Technically nothing new, but the persistence and the mix of multiple botnet sources and normal users are interesting
- Larger than most: falls within the top 1% of daily attacks Arbor sees, with aggregate of attack flows and target distribution set
-
Some Analysis
Detailed analysis is still a work in progress and many folks are helping with raw data processing
Some information is on the Arbor blog but it's not yet definitive, just a snapshot; here's what is relevant:
- Many attacks on different days
- Some targets have very high persistence (10+ days)
-
Operational Take-Away
What can operators learn from this? Example of a well-defended attack with help from nsp-sec trusted individuals (nsp-sec is effective and kudos to all participants)
Will a well-run network already be prepared to mitigate similar scenarios?
- BCP 38
- Some infrastructure hiding
- Effective monitoring
Fundamental technical aspect that was different from the past? (none)
Did mitigation of the attack do something fundamentally different from the past? (no)
-
Some Thoughts
Only panicked individuals were in the international press; true in both the physical and virtual world
What is of concern to operators?
- Operators worked WITH managers and government and police, and all understood the consequences
- Need to keep to pre-determined plans
- End-game is to FIND SOURCE and arrest criminals
Technically/motivationally not unique
Preparation is critical for effective defense ($$)
Openness with information: how many CERTs openly publish targets?
-
Acknowledgments
Estonian CERT
www.cert.ee