Georgia DDoS Attacks – A Quick Summary of Observations

The clashes between Russia and Georgia over the region of South Ossetia have been shadowed by attacks on the Internet. As we noted in July, the Georgia presidential website fell victim to attack during a war of words. A number of DDoS attacks have occurred in the region, and often do when tensions flare. We have been observing the attacks, making measurements, and sharing data with a select group of others to trace the origins of the attacks and monitor the situation.

While some are speculating about cyber-warfare and state sponsorship, we have no data to indicate anything of the sort at this time. We are seeing some botnets, some well known and some not so well known, take aim at Georgia websites. Note that RIA Novosti, a Russian news outlet, was apparently targeted during this fighting. Georgian hackers are accused of this event.

Compared to the May 2007 Estonian attacks, these are more intense but have lasted (so far) for less time. This could be due to a number of factors, including more sizable botnets with more bandwidth, better bandwidth at the victims, changes in our observations, or other factors.

Below are some observations of the attacks based on our Internet statistics collection. These are observed attacks, the ones that triggered alarms. We know that not all attacks are accounted for here, only many of the major ones. These attacks were mostly TCP SYN floods, with one TCP RST flood in the mix; no ICMP or UDP floods were detected here. All of these attacks were globally sourced, suggesting that a botnet (or multiple botnets) was behind them.

Number of attacks   Destination
5                   213.131.44.138
3                   213.157.196.25
10                  213.157.198.33
1                   www.gazeti.ge

Raw statistics of the attack traffic paint a fairly intense picture. Attacks of this size would knock over almost any ordinary website.

Average peak bits per second per attack   211.66 Mbps
Largest attack, peak bits per second      814.33 Mbps
Average attack duration                   2 hours 15 minutes
Longest attack duration                   6 hours
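As an added example (not Arbor's collection tooling or any data from this post), the following Python rebuilds the two tables above from constructed per-second traffic samples: it groups above-threshold seconds into attack episodes, labels each episode by protocol and TCP flags as a SYN or RST flood the way the observations above distinguish them, and reports attacks per destination, average and largest peak Mbps, average and longest duration, plus a crude distinct-source count for the "globally sourced" botnet pattern. The sample rows, the 50 Mbps alarm threshold, the 60-second gap and the 1000-source cutoff are all assumptions.

```python
from collections import Counter
# Constructed per-second samples (not data from the post), assumed to come from a
# collector that has already aggregated raw flows: t dst proto flags bits srcs
SAMPLE = """\
0   198.51.100.7 tcp S 300000000 4100
1   198.51.100.7 tcp S 500000000 5200
2   198.51.100.7 tcp S 400000000 4800
120 198.51.100.7 tcp R 200000000 3000
121 198.51.100.7 tcp R 250000000 3100
5   198.51.100.9 tcp S 100000000 2
"""

def classify(proto, flags):
    """Label a flood the way the post does: SYN, RST, UDP or ICMP."""
    if proto == "tcp":
        return {"S": "SYN flood", "R": "RST flood"}.get(flags, "TCP flood")
    return {"udp": "UDP flood", "icmp": "ICMP flood"}.get(proto, "other")

def find_episodes(text, threshold_bps=50_000_000, gap=60):
    """Group above-threshold seconds into episodes (new one on dst/type change or a quiet gap)."""
    rows = []
    for line in text.splitlines():
        t, dst, proto, flags, bits, srcs = line.split()
        rows.append((dst, int(t), proto, flags, int(bits), int(srcs)))
    episodes, cur = [], None
    for dst, t, proto, flags, bits, srcs in sorted(rows):
        if bits < threshold_bps:  # below the alarm level: not attack traffic
            continue
        kind = classify(proto, flags)
        if cur and cur["dst"] == dst and cur["kind"] == kind and t - cur["end"] <= gap:
            cur["end"] = t
            cur["peak_bps"] = max(cur["peak_bps"], bits)
            cur["srcs"] = max(cur["srcs"], srcs)  # distinct sources in the busiest second
        else:
            cur = dict(dst=dst, start=t, end=t, peak_bps=bits, kind=kind, srcs=srcs)
            episodes.append(cur)
    return episodes

def summarize(episodes):
    peaks = [e["peak_bps"] for e in episodes]
    durs = [e["end"] - e["start"] + 1 for e in episodes]
    return {
        "per_destination": Counter(e["dst"] for e in episodes),
        "avg_peak_mbps": sum(peaks) / len(peaks) / 1e6,
        "max_peak_mbps": max(peaks) / 1e6,
        "avg_duration_s": sum(durs) / len(durs),
        "max_duration_s": max(durs),
        # thousands of distinct sources is the "globally sourced" botnet pattern
        "botnet_like": [e["dst"] for e in episodes if e["srcs"] >= 1000],
    }
```

Running `summarize(find_episodes(SAMPLE))` yields three episodes (two against 198.51.100.7, one against 198.51.100.9), only the first two of which show the many-source pattern.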

At this point we haven’t seen other attacks register alarms, and we continue to monitor the situation. We do see continued attacks against a number of sites, including Georgian news sites. Below is a graphic summarizing the attacks, showing the C&C that issued each attack command and the victim named in that command. The data here was collected over the past 3 weeks. All of these are HTTP floods (i.e., rapid-fire GET requests).

[Graphic: ge-attacks – C&C servers and the victims they targeted]

Select links and information around the net:

  • As noted by the Shadowserver folks in Georgian Websites Under Attack – DDoS and Defacement, a number of other sites are under attack and have also suffered defacements.
  • The folks at Renesys have done some routing analysis of Georgia during the fighting. Great reading. Another tool to look at global BGP routing information is the RIS tool from RIPE. It’s slow but worth the wait.
  • Folks who get Stratfor sitreps and daily intel saw a piece earlier this evening entitled “Georgia, Russia: The Cyberwarfare Angle”. The content is available to subscribers only, or via shared emails.

    Details of the parallel Russian cyberwarfare campaign against Georgia began to emerge even as Russian tanks appeared on the south side of the Roki Tunnel in South Ossetia on Aug. 8. There is little doubt at this point that a concerted assault took place alongside conventional military operations.

    A good read.

  • Finally, I was recently invited to talk at USENIX Security in San Jose on political DDoS. At the time, the Georgia attacks were limited to the presidential website and no tanks had rolled into Georgia. The slides are available on my website.

We continue to monitor the situation here and will update this site with information as it becomes available.

11 Responses to “Georgia DDoS Attacks – A Quick Summary of Observations”

August 13, 2008 at 4:02 am, Cyberattacks and Georgia: Ping Fanatic Club said:

[…] gurus at Arbor Networks who are tracking the evolution of the DDoS attacks against Georgia: /blog/asert/2008/08/georgia-ddos-attacks-a-quick-summary-of-observations/ […]

August 13, 2008 at 1:22 pm, Russian cyberwar! Yes, no, maybe so? — Security Bytes said:

[…] Jose Nazario at Arbor Networks, who knows from botnets and DoS attacks, also has an excellent analysis of the Russia-Georgia […]

August 13, 2008 at 4:25 pm, CyberWarfare « The Meat of the Matter said:

[…] Today’s wars are virtual as well as tactical. Spare yourself the over-technical reading at the link, and focus on this quote: “Details of the parallel Russian cyberwarfare campaign against Georgia began to emerge even as Russian tanks appeared on the south side of the Roki Tunnel in South Ossetia on Aug. 8. There is little doubt at this point that a concerted assault took place alongside conventional military operations.” […]

August 15, 2008 at 4:03 am, The other front: cyberwar - World Affairs Board said:

[…] put together a comprehensive overview of the attacks, complete with diagrams and a list of targets, here. "While some are speculating about cyber-warfare and state sponsorship, we have no data to […]

August 17, 2008 at 3:24 pm, Georgia-Russia Conflict: Cyberwar as Counterinsurgency « Weaponized Culture said:

[…] Jose Nazario, “Georgia DDoS Attacks – A Quick Summary of Observations“ […]

August 18, 2008 at 10:44 am, secpod.org » Blog Archive » SecDigest - 08-18-2008 said:

[…] of events that have occurred since 8th August are captured here and attack observations […]

October 08, 2008 at 4:50 am, US Air Force Reopens Cyber Command | The Mike Abundo Effect said:

[…] weak, unsophisticated 0.8 Gbps DDoS attacks are already weapons of war. In fact, those were exactly the weapons deployed in the recent Georgia-Russia conflict. Given Air Force resources, the Cyber […]

January 08, 2009 at 12:20 am, Recent Links Tagged With "estonian" - JabberTags said:

[…] public links >> estonian F.U.C… Saved by DeepGreene on Tue 30-12-2008 Georgia DDoS Attacks – A Quick Summary of Observations Saved by Dulce on Thu 25-12-2008 Russia-Georgia CyberWar Assessment Saved by meneertjuhh on Thu […]

January 21, 2009 at 9:03 pm, green card said:

Is there any information about this subject in other languages?

May 05, 2009 at 7:00 am, Denial of Service Attacks: What Are They? - Appunti Digitali said:

[…] in particular, over the years there has been a series of large-scale attacks, the most recent of which took place last summer during the conflict between Russia and Georgia, and which involved, as victims, […]

October 23, 2009 at 5:27 am, Information Warfare in China « Freedom Nation said:

[…] 2 years ago during the conflict between Estonia and Russia (details here) and in Georgia in 2008 (the apparent cooperation of the Russian government with the perpetrators led NATO to the creation of […]
