Georgia On My Mind – Political DDoS

By: Jose

The website for the President of Georgia, a former Soviet republic, has come under DDoS attack (hat tip: Shadowserver team). This attack appears to have a political motivation. One of the messages carried in the floods (HTTP, SYN, ICMP) reads “win+love+in+Rusia”. Tensions between Russia and Georgia appear to be running high lately.
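A defender looking at this kind of flood would want to pull the requests carrying that marker string out of the web server logs and see which sources are sending them at flood rates. The following is an added example, not code from the original post or from Arbor; the log lines are constructed in Apache combined-log style, and the per-second threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the attacked server); the marker
# in the request URI is the string quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2008:10:00:01 +0000] "GET /?win+love+in+Rusia HTTP/1.1" 200 512
10.0.0.5 - - [19/Jul/2008:10:00:01 +0000] "GET /?win+love+in+Rusia HTTP/1.1" 200 512
10.0.0.5 - - [19/Jul/2008:10:00:01 +0000] "GET /?win+love+in+Rusia HTTP/1.1" 200 512
192.0.2.7 - - [19/Jul/2008:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.9 - - [19/Jul/2008:10:00:03 +0000] "POST /?win+love+in+Rusia HTTP/1.0" 200 512
198.51.100.9 - - [19/Jul/2008:10:00:03 +0000] "GET /news.html HTTP/1.1" 200 2048
"""

MARKER = "win+love+in+Rusia"

# Minimal parser for the common log format: source IP, timestamp, method, URI.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def marked_requests(log_text, marker=MARKER):
    """All requests whose URI carries the flood marker, as (ip, ts, method) tuples."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and marker in rec["uri"]:
            out.append((rec["ip"], rec["ts"], rec["method"]))
    return out

def flood_sources(log_text, marker=MARKER, per_second=3):
    """Sources whose peak rate of marked requests in any one second reaches per_second.

    Returns {ip: peak_requests_per_second}. The threshold is an assumed value;
    tune it against the normal request rate of the site being protected.
    """
    buckets = Counter((ip, ts) for ip, ts, _ in marked_requests(log_text, marker))
    peak = {}
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n >= per_second}

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))
```

Sources returned by `flood_sources` are candidates for rate limiting or a temporary block at the edge, which is cheaper than the null-route that takes the whole site offline.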

While I am not positive what event or events triggered this attack, here’s some speculation based on reading around for Russia-Georgia tension:

I’ll be honest, the locations that Georgia is reportedly entangled in are unfamiliar to me. It turns out that Abkhazia is described in Wikipedia as “a region in Georgia that is a de facto independent republic with no international recognition.” Seems like there could be some tensions there. Also, Ossetia appears to be another neighbor with some relationships to Georgia, with Wikipedia offering some interesting recent history (ca. 1990): “ethnic tensions between Ossetians and Georgians in Georgia’s former Autonomous Oblast of South Ossetia (abolished in 1990) and between Ossetians and the Ingush in North Ossetia evolved into violent clashes that left several hundreds of dead and wounded and created a large tide of refugees on both sides of the border.”

I have to admit that when these sorts of attacks appear, I often have to race to learn the political history, tensions and relationships involved. I’m no expert at geopolitics (and am actively seeking to work with folks who are), and as these sorts of attacks increase, their analysis only becomes more interesting.

I do not know who exactly is behind the attacks, whether they are acting alone, or whether they are associated with a political outfit anywhere. The Georgian presidential website is still inaccessible (possibly firewalled to thwart the attack, possibly still under attack by additional botnets). The C&C server is located in the US, and I’ve alerted various parties to try and get some traction on the attack and discover who is behind it. This botnet is somewhat recent to us in its activities, but uses a codebase we’re familiar with (Machbot).

Later this month, at Usenix Security in San Jose, I’ll be giving a talk on these sorts of attacks around the world. I’ll be discussing their activities in depth, and some additional data and attacks I haven’t blogged here. If you’re in town, be sure to stop by.

UPDATE: I almost forgot, NATO’s been looking at expansion into Georgia, it seems. That may also be a source of the tensions shown here.

Comments

  1. Aside from the actual attack and its motives, some interesting communications from an “employee” of the hosting company where the site is located.

    one comment can be seen here – http://www.webhostingtalk.com/showpost.php?p=5220780&postcount=41

    “The issue yesterday and today has been with a very large DDoS. After yesterday, we had thought the issue was resolved after the IP being attacked was null-routed, but today things resumed again on several different IPs for the same customer and we have now been forced to ask that customer to leave”

    Now, what good does that do? Broadcasting this message on a public internet forum says one thing to any current and potential customers looking for a hosting provider: “Next.”

    Just because you may be a smaller provider, you cannot overlook the possibility of attacks. While mitigation options out there are quite costly, there are alternatives which should be researched, tested, taught to your NOC and staff, and then used in practice.

    Link to full thread – http://www.webhostingtalk.com/showthread.php?t=709064

  2. Hi,

    You have certainly been looking in the right direction. Abkhazia and South Ossetia are regions of Georgia that have been seeking annexation to Russia with support from Russian troops.

    You can search for relevant links in del.icio.us, some of the tags are:

    Ethnic-Cleansing-of-Georgians
    United_Nations_resolutions_on_Abkhazia
    Jamestown
    Georgia AND WSJ
    Georgia AND FT.com
    Georgia AND WashingtonPost
    Georgia AND Condoleezza-Rice

  3. This attack does appear to have geopolitical motives. A UN Observer mission in Georgia has maintained a peacekeeping force since 1993, led by Russian troops.

    “a CIS peacekeeping force of Russian troops is deployed in the Abkhazia region of Georgia together with a UN military observer group; a Russian peacekeeping battalion is deployed in South Ossetia… OSCE observers monitor volatile areas such as the Pankisi Gorge in the Akhmeti region and the Argun Gorge in Abkhazia”, according to a recent update on CIA.gov under transnational issues.
    https://www.cia.gov/library/publications/the-world-factbook/geos/gg.html#Issues

    Possible motive for the attacker’s actions: Russia accuses Georgia of open aggression
    http://www.theglobeandmail.com/servlet/story/RTGAM.20080704.wgeorgia0704/BNStory/International/

  4. How long will the USA and so-called “democratic countries” cover the truth about this war? Around 1000 USA marines and military instructors used to train Georgian troops before this war. USA, ISRAEL, UKRAINE sold weapons to Georgia in huge volume. In these days African-American military instructors were found dead in South Ossetia. New Hitler, Saakashvili, who killed 2000 people, mostly kids and elderly people, has protection from USA, ISRAEL, UKRAINE, GB and some “friend countries”. Genocide by Saakashvili rewarded by countries who sold weapons to this dictator. Newspapers, TV, radio telling the same story about Russian invasion, but nobody says that this war was a planned event, long time before, by well-paid dictator Saakashvili. Why do western people not have information from South Ossetia, but fake video by TV companies? This is the moment of truth and sooner or later people and countries who did it will be punished by God.