NANOG-eesti


Transcript of NANOG-eesti

  • 8/13/2019 NANOG-eesti

    1/21

    Cyber Attacks on Estonia

    Short Synopsis

    Merike Kaeo

    [email protected]

  • 2/21

    Agenda

    Some Statistics of Connectivity

    Quick Timeline of Events

    Some Traffic Graphs

    Planning and Preparation

    Attack Analysis

    Some Thoughts

  • 3/21

    Where Is Estonia?

  • 4/21

    Some Statistics

    Size
    - Population: 1,324,333
    - Area: 45,000 sq km (260 km east-west, 240 km north-south)

    Internet Coverage
    - 1080 WiFi covered areas: http://www.wifi.ee/?p=area&lang=eng
    - 95% WiMax coverage: http://www.wifi.ee/?p=area&lang=eng, http://www.elion.ee/docs/traadita_interneti_tugijaamad.gif, http://www.norby.ee/wimax/kaart3.html
    - 98% CDMA EV-DO: http://www.televork.ee/?id=131

    Internet Usage
    - 99% for banking
    - 100% for government
    - 5.5% Internet voting in 2/07 elections
    - 86% of 2006 taxes done online
    - Project Tiger Leap (1993)

  • 5/21

    Tallinn Internet eXchange

  • 6/21

    Network Map - Government

  • 7/21

    Timeline of Events

    - Until April 26: usual types of attacks
    - April 26: cyber attacks increase
    - May 9: large-scale cyber attack starts midnight Moscow time
    - May 11: paid BotNet time ends
    - May 18: some more attacks
    - May 23: apparent end to 3-week deluge

    (Note: Timeline not to scale)

    Typical Attacks
    - Phishing
    - Email SPAM
    - Web Site Defacing
    - Syn / ICMP floods
    - BotNets

  • 8/21

    April 27, 2007

    (one normal day and Sat attack)

  • 9/21

    April 28-30, 2007

    (First night of attack until Monday)

  • 10/21

    Measuring bps (May 2, 2007)

  • 11/21

    Paid Time End - May 11th

  • 12/21

    Sample Google Search

    Need to know Russian but try it:

    Search string:

    http://www.google.com/search?q=pinguem+estonskie+servera

  • 13/21

    Ping pps (April 28-30, 2007)

  • 14/21

    Ping bps (April 28-30, 2007)

  • 15/21

    Attack Data (May 8-9, 2007)

    - After filtering ICMP, ~4 Mpps became ~1.2 Mpps
    - After packet scrubbing, ~1.2 Mpps became ~150 kpps (23:37)
    - After packet scrubbing, ~1.2 Mpps became ~3 kpps (03:09)

    High-level analysis
    - ~3 Mpps of pure ICMP echo
    - ~1 Mpps of pure SYN (probably)
    - ~150 kpps needs closer analysis
    - From ~4 Mpps only ~3 kpps is not attack

  • 16/21

    Planning and Preparation

    Meetings held April 30, 2007 with mobile phone operators, ISPs, DNS *.ee, banks and
    Central Criminal Police, Security Police Board, The Information Board

    May 2, 2007: same folks met to introduce the 2nd CERT contact while the primary was at a meeting in Prague (TF-CSIRT & CE CERT)

    What was decided?
    - No sudden actions or thoughts
    - If there is a prepared crisis plan, use it
    - If not, use common sense
    - If something goes down and it is not really vital, let it be down until there is enough free time to bring it back up

    Everybody understood his role and the need for cooperation since it's been done before (i-voting)

  • 17/21

    Technical stuff

    Where was traffic measured? Ingress points into the Estonian network

    Other data points: www.president.ee 200 Mbps (2 Mb line); www.valitsus.ee 1.3 Gbps (Akamai)

    How does it compare to other DDoS incidents?
    - Technically nothing new, but the persistence and the mix of multiple botnet sources and normal users is interesting
    - Larger than most: falls within the top 1% of daily attacks Arbor sees, with the aggregate of attack flows and target distribution set

  • 18/21

    Some Analysis

    Detailed analysis is still a work in progress and many folks are helping with raw data processing

    Some information is on the Arbor blog but it's not yet definitive, just a snapshot; here's what is relevant:
    - Many attacks on different days
    - Some targets have very high persistence (10+ days)

  • 19/21

    Operational Take-Away

    What can operators learn from this? Example of a well-defended attack with help from nsp-sec trusted individuals (nsp-sec is effective and kudos to all participants)

    Will a well-run network already be prepared to mitigate similar scenarios?
    - BCP 38
    - Some infrastructure hiding
    - Effective monitoring

    Fundamental technical aspect that was different from the past? (none)

    Did mitigation of the attack do something fundamentally different from the past? (no)

  • 20/21

    Some Thoughts

    Only panicked individuals were in the international press; true in both the physical and the virtual world

    What is of concern to operators?
    - Operators worked WITH managers and government and police, and all understood the consequences
    - Need to keep to pre-determined plans
    - End-game is to FIND SOURCE and arrest criminals

    Technically/motivationally not unique

    Preparation: critical for effective defense ($$)

    Openness with information: how many CERTs openly publish targets?

  • 21/21

    Acknowledgments

    Estonian CERT
    www.cert.ee