Estonian DDoS - a final analysis
In the aftermath of the recent distributed denial of service (DDoS) targeting Estonia, information has emerged that suggests this was not a concerted attack orchestrated by some single agency, but rather the spontaneous product of a loose federation of separate attackers. It appears to have been a statement of disapproval at the relocation of the Bronze Soldier, a memorial to the WW2 Russian Unknown Soldier, from the centre of Tallinn to a suburban cemetery. The social significance of this should not be underestimated - to the indigenous Russians the statue represents the wartime sacrifice, whereas to the native Estonians it represents Russian occupation of their country.
Data gathered by Arbor Networks showed that sources of attack were worldwide rather than concentrated in a few locations. Attack bandwidths ranged from under 10 Mbps to 95Mbps, with the majority in the range 10-30 Mbps. 75 per cent of attacks lasted no longer than one hour and only 5.5 percent, over 10 hours. However the peak global effect was of a botnet with up to 100Mbps capacity. Bearing in mind the level of IT power available in Estonia, this had a crippling effect on those services that were targeted.
Arbor Networks researcher Jose Nazario told heise that although various government agencies were taken offline, there was no apparent attempt to target national critical infrastructure other than internet resources, and no extortion demands were made. He commented "we've also seen non-botnet tools (human-net, so to speak) that turned peoples' computers into packet sources."
He cited the script http://fipip.ru/raznoe/pingi.bat, which ping floods about 18 Estonian sites (DNS and IPs for each site), explaining "this has been shared around on Russian language boards by various people, and there's no "smoking gun" of a Russian government connection." Nazario concluded "so, we see signs of Russian nationalism at work here, but no Russian government connection. None of the sources we have analyzed from around the world show a clear line from Moscow to Tallinn; instead, it's from everywhere around the world to Estonia."
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
