Estonian DDoS Attacks – A summary to date

Time sure flies. I looked up from working and noticed I hadn’t blogged in a while. And I noticed that I hadn’t been analyzing the Estonian DDoS attacks in a week or two.

ATLAS gives us an amazing view into the Internet’s activities. ATLAS collects DoS attack data from around the world through sharing arrangements and even from some of our Peakflow SP deployments. As such, the recent DDoS attacks on Estonia are visible, in part, from within ATLAS. I’ve always had a soft spot in my heart for Estonia. Since the fall of the Iron Curtain, it’s become technically advanced, society has done wonders to improve itself and it’s jumped, quite successfully, into the modern world. It has a nearly model economy, based in large part on the teachings of Milton Friedman who favored free markets unfettered by state control.

As you can imagine, having development access to the ATLAS data repository allows me to build new reports and crunch the data in new and exciting ways. I analyzed about 2 weeks of DDoS attacks on Estonia this morning using internal tools and reporting systems, and here’s what I found.

We’ve seen 128 unique DDoS attacks on Estonian websites in the past two weeks through ATLAS. Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others:

Attacks Destination Address or owner
35 “195.80.105.107/32” pol.ee
7 “195.80.106.72/32” www.riigikogu.ee
36 “195.80.109.158/32” www.riik.ee, www.peaminister.ee, www.valitsus.ee
2 “195.80.124.53/32” m53.envir.ee
2 “213.184.49.171/32” www.sm.ee
6 “213.184.49.194/32” www.agri.ee
4 “213.184.50.6/32”
35 “213.184.50.69/32” www.fin.ee (Ministry of Finance)
1 “62.65.192.24/32”

The attacks themselves haven’t been steady, at least from the perspective given by ATLAS. If we look at how many attacks occurred each day, we can see that they peaked a week or so ago, but they haven’t necessarily stopped.

Attacks Date
21 2007-05-03
17 2007-05-04
31 2007-05-08
58 2007-05-09
1 2007-05-11

As for how long the attacks have lasted, quite a number of them lasted under an hour. However, when you think about how many attacks have occurred against some of the targets, this translates into a very long-lived attack. The longest attacks were sustained for over ten and a half hours, dealing a truly crushing blow to the endpoints.

Attacks Duration
17 less than 1 minute
78 1 min – 1 hour
16 1 hour – 5 hours
8 5 hours to 9 hours
7 10 hours or more
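
The point above, that many sub-hour attacks on one target add up to a long outage, can be checked by merging each target's attack intervals before summing them. The sketch below is an added example, not Arbor's ATLAS tooling; the record layout, the bucket boundaries between 9 and 10 hours, and the sample data are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Upper bounds for the duration buckets, modelled on the table above. Placing
# the 9-10 hour range in the "5 hours" bucket is an assumption of this example.
BUCKETS = [
    (timedelta(minutes=1), "less than 1 minute"),
    (timedelta(hours=1), "1 min - 1 hour"),
    (timedelta(hours=5), "1 hour - 5 hours"),
    (timedelta(hours=10), "5 hours - 10 hours"),
]

def bucket(duration):
    """Return the label of the first bucket whose upper bound exceeds duration."""
    for upper, label in BUCKETS:
        if duration < upper:
            return label
    return "10 hours or more"

def duration_histogram(attacks):
    """Count attacks per duration bucket; attacks are (target, start, end)."""
    return Counter(bucket(end - start) for _, start, end in attacks)

def time_under_attack(attacks):
    """Per-target time covered by at least one attack, merging overlapping
    or back-to-back attacks so no minute is counted twice."""
    spans_by_target = defaultdict(list)
    for target, start, end in attacks:
        spans_by_target[target].append((start, end))
    totals = {}
    for target, spans in spans_by_target.items():
        spans.sort()
        total = timedelta()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start <= cur_end:          # overlaps or touches the current run
                cur_end = max(cur_end, end)
            else:                         # gap: close the run, start a new one
                total += cur_end - cur_start
                cur_start, cur_end = start, end
        totals[target] = total + (cur_end - cur_start)
    return totals

def _t(hhmm):
    return datetime.strptime("2007-05-09 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed records (documentation addresses, invented times), not ATLAS data.
SAMPLE = [
    ("192.0.2.10", _t("08:00"), _t("08:40")),
    ("192.0.2.10", _t("08:30"), _t("09:15")),
    ("192.0.2.10", _t("09:15"), _t("09:50")),
    ("192.0.2.10", _t("13:00"), _t("13:20")),
    ("192.0.2.20", _t("10:00"), _t("20:30")),
    ("192.0.2.30", _t("11:00"), _t("11:00") + timedelta(seconds=45)),
]
```

In the constructed sample, every attack on 192.0.2.10 falls in the "1 min - 1 hour" bucket, yet the merged intervals show that target under attack for over two hours.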

Finally, this is a decent-sized botnet behind the attack, with aggregate bandwidth at our points of measurement maxing out at nearly 100 Mbps.

Attacks Bandwidth measured
42 Less than 10 Mbps
52 10 Mbps – 30 Mbps
22 30 Mbps – 70 Mbps
12 70 Mbps – 95 Mbps

Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.

44 Responses to “Estonian DDoS Attacks – A summary to date”

May 17, 2007 at 7:21 pm, Security Watch » Blog Archive » CERTs to the Rescue said:

[…] Arbor Network show some interesting analysis of traffic relating to the above attacks on their Blog. […]

May 18, 2007 at 4:27 am, Massive DoS attacks on Estonia at Security Samizdat said:

[…] Updated (May-18): The Arbor Networks blog (”Security to the Core”) has some information about the targets of the attacks and other quantitative data. […]

May 18, 2007 at 5:37 am, Brian Honan said:

Interesting to also see that TERENA has published details as to how the European CSIRT community have responded to assist Estonia deal with the attacks.

http://www.terena.org/news/fullstory.php?news_id=2103

May 18, 2007 at 12:15 pm, fresh wordpress installation » Estonia suffers cyber-warfare DD0Ses said:

[…] Cory Doctorow: Russia is accused of being the first country to declare cyber-war on another nation: the ongoing Estonian conflict has been accompanied by a massive DDoS attack on critical Estonian networks: […]

May 18, 2007 at 10:02 am, www.andrewhay.ca » Suggested Blog Reading - Friday May 18th, 2007 said:

[…] Estonian DDoS Attacks – A summary to date – Good analysis of the issues that Estonia was facing. Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years. […]

May 18, 2007 at 12:09 pm, BelchSpeak said:

Jose, thanks for the facts. How about a little opinion now? Do you think this was state sponsored in that the government or military launched the attacks?

Or was it the common criminal element that herds botnets just piling on?

May 18, 2007 at 2:10 pm, The Waving Cat » Blog Archive » Russia engaging in cyber war against Estonia? said:

[…] Link, via. (Summary of the attacks.) […]

May 18, 2007 at 2:36 pm, Security Bytes » New details from cyberattack on Estonia said:

[…] This morning I wrote about the blistering cyberattacks against the Baltic nation of Estonia in recent weeks. We’ve since come across an interesting blog posting from Jose Nazario over at Arbor Networks offering more detail on the size and scope of the attacks. […]

May 20, 2007 at 8:14 pm, Privacy and Identity Theft » Blog Archive » The Estonian DDoS Attacks - Do Governments Really Get it? said:

[…] I’m travelling in Europe this week, and tonight we were discussing the massive DDoS attacks that have been happening against Estonian websites for several weeks. […]

May 20, 2007 at 4:16 pm, Cyber attacks against Estonia « More shameless remarks by Larko said:

[…] Cyber attacks against Estonia Jose Nazario writes about the ongoing Ddos attacks against Estonia (via Peeter Marvet): We’ve seen 128 unique DDoS attacks on Estonian websites in the past two weeks through ATLAS. Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others […]

May 21, 2007 at 6:10 pm, Web2.0 Effect Blog Web 2.0 Blog Technology Help » Blog Archive » Cyber war in Estonia said:

[…] Arbor Networks’ Jose Nazario has now blogged his initial analysis of the event. He reports that Arbor Networks recorded 128 unique DDoS attacks on Estonian-based URLs. Most lasted less than one hour, with the longest lasting 10 hours and thirty minutes. As for the strength, measured in how many packets of information flooded the given URL to make it inaccessible, the attacks were relatively light, with only ten of the attacks measuring 90-plus Mbps, including one of the 10 hour attacks. At its peak on May 9, the attack shut down up to 58 sites at once. […]

May 22, 2007 at 10:31 am, monsterlippa » Blog Archive » Attivismo contro l’Estonia said:

[…] The Distributed Denial of Service attacks against the Estonian network in recent days have been attributed by many to Russia. According to John Bambenek of the ISC at SANS, however, this is probably a case of hacktivism. The many protests and boycotts from the pro-Russian side indicate that many people, fired up by the issue, have put their botnets to work. Running a botnet and using it to launch an ICMP DDoS is not at all as difficult as, for example, poisoning an opponent with Polonium 210. […]

May 22, 2007 at 12:23 pm, Kas Vene Föderatsioon oli seotud küberrünnakutega? « neeger!@#% said:

[…] A large number of attacks were carried out against Estonia, and this is the best evidence tying the Russian government to the attacks? What the fuck? […]

May 30, 2007 at 2:16 pm, After Estonia: Cyberwar Is Not The Biggest Threat | 0HV.NET : Internet Blog said:

[…] If you want to see what types of attacks are being conducted, check out this dashboard developed by Arbor Networks, called Atlas, for a daily summary. And here’s a blog post by Arbor’s Jose Nazario, a security researcher, describing some details of the attacks on Estonia. […]

June 01, 2007 at 10:25 am, O bazar de nes » Ciberguerras e software libre said:

[…] Once the type of attack is considered (see also the data), it is easy to understand that, despite whatever measures can be taken on the servers targeted by the attack, its power lies in the number of captive computers in the netbot (up to a million appear to have been used in this case). For this reason, robustness against DDoS attacks lies more in increasing the security of the average user than in large expenditures on the attacked servers. As Bruce Schneier and company pointed out years ago: the computing monoculture is a key part of the attackers' strength. Because technology is neither good nor bad, but it is not neutral either. […]

June 07, 2007 at 6:13 pm, Privacy and Identity Theft » Blog Archive » The New Face of DDoS: Spamhaus attacked, and Estonia asks Russia for help said:

[…] 2. In May 2007, Estonian government agencies and online companies were DDoSed in a massive politically motivated attack from all around the Globe. At least one Estonian bank shut off access to their site from networks outside the country. Russia was blamed for many of the attacks. Now Estonia is asking the Russian government for help (http://www.reuters.com/article/internetNews/idUSL0671620620070606) to find the cyber-criminals. […]

June 08, 2007 at 8:19 pm, Security Watch » Blog Archive » Botnets - Digital Weapons of Mass Destruction? said:

[…] Jose Nazario from Arbor networks conducted an analysis of the IP addresses observed from the analysis of their Atlas systems where he highlights the attacks cannot be proven to be sponsored by Russia. Indeed in an interview Jose Nazario concedes that while the IP addresses do not prove Russia mounted these attacks, they also do not exonerate Russia either. On the other hand, the Asymmetric Threats Contingency Alliance (ATCA) claim they have evidence proving Russia colluded with the owners of various Botnets to carry out these attacks. […]

June 10, 2007 at 7:09 pm, Abram Razzuvaev said:

Hi colleagues,

I try to understand the speculation on DDoS on Estonia and found out the subj. a bit crazy.

First …. can you possibly let us know, was any legal Estonian definitions for DDoS-attack or it was illegal speculation of security-minded-freaks and gov. pr-managers?

If I’ll take wikipedia term, “is an attempt to make a computer resource unavailable to its intended users” – it means for me, if anybody from another country access the web site on another lang. – he became guilty, if web hoster wants this. Stupid!

Second
It’s nice to see matrix bandwidth–destination. For example – how much traffic have been sent to gov. resources. I found in google, they have only 4 Mbit link to Internet. Maybe they can afford more in 21 century, to assure that people will be provided with information?

June 24, 2007 at 8:20 am, Are you prepared for cyberwar? « subatomico security said:

[…] But now, first with the Estonian DDoS attacks allegedly coming from Russia, and then with last week’s attack against Pentagon computers, the topic is back on the spot: cyberwar. […]

July 03, 2007 at 7:59 pm, Bathayon » After attacks, US government sending team to Estonia said:

[…] “The data that we have does not speak to who’s behind it. There’s no smoking gun,” said Jose Nazario, senior security engineer with Arbor Networks, who has studied the attacks. […]

January 26, 2008 at 5:22 pm, Leaderless resistance against the Church of Scientology? said:

[…] colleague Chris Diehl at JHU APL suggested the Estonian cyberwar might be a good example to study how the Blogosphere was used for this by combining sentiment […]

February 25, 2008 at 2:36 am, Westlife said:

It’s nice to see matrix bandwidth–destination. For example – how much traffic have been sent to gov. resources.

February 28, 2008 at 9:39 am, Technology latest news » Blog Archive » After attacks, US government sending team to Estonia (InfoWorld) said:

[…] no smoking gun,” said Jose Nazario, senior security engineer with Arbor Networks, who has studied the […]

July 13, 2008 at 12:33 am, Sobre DDoS, CastleCops, y la lucha común contra las redes criminales en internet | nv1962 said:

[…] things can get quite serious, as they did last year when a multitude of servers belonging to official bodies in Estonia suffered a massive DDoS attack, apparently at the hands of Russian nationalists. And a little over a week ago, it happened again with a […]

September 05, 2008 at 8:41 pm, Zero Day mobile edition said:

[…] It is also possible that such a widget could directly declare its purpose. During the recent Estonian and Georgian DDoS event, a simple script was circulated that allowed the average citizen to participate in the DDoS attack. […]

November 09, 2008 at 5:58 pm, Week’s Links | lonerunners.net said:

[…] Estonian DDoS Attacks – A summary to date […]

September 21, 2009 at 2:45 pm, Stop DDoS and Worms at ISP Level? | The Shivling said:

[…] the part of ISPs, and, potentially, governments, considering the magnitude of attacks suffered by Estonia in 2007, as well as China’s and North Korea’s burgeoning military / government-sponsored […]

September 29, 2009 at 9:44 pm, Fighting DDoS Attacks at the ISP Level : Information Security Resources said:

[…] the part of ISPs, and, potentially, governments, considering the magnitude of attacks suffered by Estonia in 2007, as well as China’s and North Korea’s burgeoning military / government-sponsored cyberwar […]

October 23, 2009 at 5:20 am, Information Warfare in China « Freedom Nation said:

[…] warfare (IW) so far happened 2 years ago during the conflict between Estonia and Russia (details here) and in Georgia in 2008 (the apparent cooperation of Russian government with the perpetrators led […]

March 10, 2010 at 1:00 pm, DDoS: News Reports, interview, Panel Discussions (2006-2009) | Data Communications & Networking said:

[…] Estonian DDoS Attacks – A summary to date, by Jose Nazario, ArborSERT blog, May 21, 2007 […]

November 04, 2010 at 3:12 pm, DDoS Attack on Myanmar Takes the Country Offline | __--::: Deepquest :::--__ said:

[…] a few notable exceptions. At 10-15 Gbps, the Burma attack is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS. Early this year, Burmese dissident web sites (hosted outside the […]

January 05, 2011 at 5:49 pm, n said:

these attacks need to be addressed more, it's crazy in this day and age we are getting hacked so much and private information is being stolen

June 15, 2011 at 10:44 am, Ciberguerras e software libre « No sólo software said:

[…] the type of attack is considered (see also the data), it is easy to understand that, despite whatever measures can be taken on the servers targeted by the […]
