I’ve been looking at politically motivated DDoS events for some time now; geopolitics has always fascinated me. This has been a hot topic for some time, and it really kicked into high gear earlier this year with the Estonian DDoS events. Recently there was a DDoS against the site for Ukraine President Viktor Yushchenko. With this in mind, I went looking for what may be more politically motivated DDoS attacks based on botnet tracking.
I first went looking for attacks against Ukrainian sites in the past 3 months, basing my analysis on botnet-driven DDoS events. This timeframe is from October, 2007, until a few days ago (early December, 2007). Most of the attacks were against what appear to be Ukrainian e-commerce sites. The only substantial politically motivated DDoS attacks of note in there are against the Party of Regions website. What’s interesting is that the Party of Regions appears to be a Ukrainian pro-Russian site, and their leader is Ukrainian Prime Minister Viktor Yanukovych. The earlier DDoS events seen in the Ukraine that got attention were against the Ukrainian President site, who appears to share different politics. I wound up finding several controllers commanding attacks against a host of Ukrainian sites, but nothing that appeared to target Yushchenko’s site. The timeline I put together is below, so you can see what happened. The boxes and arrows show the C&C controller and the targets that the bots were told to attack.
Yesterday, however, I saw two DDoS targets commanded by a botnet master against Russian sites. The first is the website for Garry Kasparov, famed Russian chess grandmaster and now anti-establishment politician in Russia. This morning the site is offline (the HTML came from the Google cache, but all pics that called out to the real site failed to load). The site loaded for me OK during the attack yesterday, so I think this is not directly due to the attack I tracked.
The other Russian target site that got my attention was www.namarsh.ru, which appears to be (I don’t read Russian, so I’m relying on others’ information) another Russian dissident site. This site appears OK today.
Watching these sorts of attacks from afar is fraught with peril if you try and interpret motivations. I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians’ websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don’t know who is at the keyboard. I’ll keep watching these attacks and seeing what I can figure out, but so far it’s just a matter of guessing at motivations.