2008-04-01
Abstract
'We have tracked tens of thousands of DDoS attacks ... A subset of [them] appear to be politically motivated.' Jose Nazario, Arbor Networks
Copyright © 2008 Virus Bulletin
DDoS attacks are designed to overwhelm a target network with resource requests, leaving the victim unable to handle legitimate requests. These can come in many forms, but typically we see traffic floods that consume bandwidth rather than application resources. DDoS attacks are not new, and have grown in intensity and popularity in the past ten years with the rise of botnets.
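The distinction drawn above, bandwidth floods versus attacks on application resources, is what a network operator's first-line detection keys on: inbound bit rate to a destination, the number of distinct sources feeding it, and the average packet size. The following is an added example, not code from the article or from Arbor Networks; it assumes flow records (NetFlow/sFlow style) have already been reduced to `(start_s, src_ip, dst_ip, packets, bytes)` tuples, and the sample data, thresholds and function names are constructed for illustration.

```python
"""Volumetric (bandwidth) flood detector over flow records.

Added example, not code from the article or from Arbor Networks. It
assumes flow records have already been exported and reduced to tuples;
the thresholds and the sample traffic below are constructed.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (start_s, src_ip, dst_ip, packets, bytes).

    Ten seconds of traffic. 198.51.100.10 receives normal client traffic
    plus a flood from 50 hosts in 203.0.113.0/24; 198.51.100.20 receives
    only normal traffic. All addresses are documentation ranges.
    """
    flows = []
    # Normal web traffic: a few clients, modest sizes, one flow per second.
    for t in range(10):
        flows.append((t, "192.0.2.1", "198.51.100.10", 40, 20_000))
        flows.append((t, "192.0.2.2", "198.51.100.10", 30, 15_000))
        flows.append((t, "192.0.2.3", "198.51.100.20", 25, 12_000))
    # Flood: 50 sources, each 1,000 full-size (1,500-byte) packets in the window.
    for i in range(50):
        flows.append((i % 10, f"203.0.113.{i + 1}", "198.51.100.10",
                      1_000, 1_500_000))
    return flows


def summarize_window(flows, window_start, window_s):
    """Aggregate bytes, packets and distinct sources per destination
    for flows starting inside [window_start, window_start + window_s)."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for start, src, dst, packets, nbytes in flows:
        if window_start <= start < window_start + window_s:
            s = stats[dst]
            s["bytes"] += nbytes
            s["packets"] += packets
            s["sources"].add(src)
    return stats


def detect_bandwidth_floods(flows, window_start=0, window_s=10,
                            mbps_threshold=50.0, min_sources=20):
    """Return destinations whose inbound traffic looks like a volumetric flood.

    A destination is flagged when its bit rate over the window exceeds
    mbps_threshold AND the traffic comes from at least min_sources distinct
    addresses (the many-source signature of a botnet-driven flood). Average
    packet size is reported so an analyst can tell a bandwidth flood (large
    packets) from a packet-rate flood (small packets), which stress
    different resources and call for different mitigation.
    """
    alerts = []
    for dst, s in summarize_window(flows, window_start, window_s).items():
        mbps = s["bytes"] * 8 / window_s / 1_000_000
        if mbps >= mbps_threshold and len(s["sources"]) >= min_sources:
            alerts.append({
                "dst": dst,
                "mbps": round(mbps, 1),
                "pps": s["packets"] / window_s,
                "sources": len(s["sources"]),
                "avg_packet_bytes": round(s["bytes"] / s["packets"]),
            })
    return sorted(alerts, key=lambda a: a["mbps"], reverse=True)


if __name__ == "__main__":
    for alert in detect_bandwidth_floods(build_sample_flows()):
        print(alert)
```

On the constructed data only 198.51.100.10 is flagged (about 60 Mbps from 52 sources, averaging roughly 1.5 KB per packet, i.e. a bandwidth flood); 198.51.100.20 stays well under threshold. In practice the threshold is set per link capacity and the window is slid continuously, but the three signals computed here are the same ones an operator reads off a flow collector when deciding whether to apply rate limits or upstream filtering.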
Botnets provide the needed firepower behind a DDoS attack – bandwidth and computers – as well as the infrastructure to manage such an attack. In measurements conducted in 2006 we found that approximately half of all of the botnets we monitored launched at least one DDoS attack. Traditional botnets are not the only source of these attacks, though, as we are increasingly seeing specialized kits being deployed to launch and control DDoS attacks.
Our own research over the years has shown a steady increase in the severity of DDoS attacks. Based on surveys with tier-1 ISP operators, we found that the largest observed DDoS attacks in the wild top 40 Gbps.
Motivations for DDoS attacks are often related to retaliation or anger, and sometimes include extortion or punitive attacks. In the past few years we have tracked tens of thousands of these sorts of attack across the globe and have found that no network is immune to such an event. Most frequently we see small attacks against broadband subscribers or small e-commerce sites. Larger, more sophisticated attacks involve extorting major online businesses. Some attacks have caused businesses significant financial problems through the loss of the ability to handle customers or bandwidth charges.
At present, we are witnessing a series of DDoS attacks against online gambling sites. These are orchestrated by a small set of attackers and may be related to extortion schemes. In these attacks, several poker and casino sites have been hit with sustained attacks lasting days and, in some cases, weeks. These can cripple the victim's site, directly impacting the business.
A subset of DDoS attacks appear to be politically motivated. In one of the most high-profile events recently, Estonian government and national infrastructure sites were hit with several weeks’ worth of DDoS attacks. These attacks coincided with the staging of street protests over Russia’s history in Estonia. Many people assumed that Russian authorities had orchestrated the attacks, although no evidence was found to support that claim. We found that botnets as well as manual coordination were behind most of the DDoS attacks, with Russian-language forums used in the organization of the attacks.
More attacks were staged in the winter of 2007 against Estonian newspaper DELFI, during its coverage of the trials of several Russians charged with street-level crimes during the protests earlier in the year.
Other politically motivated DDoS attacks we have seen recently include those against Russian politician Garry Kasparov and his party during the run-up to the winter 2008 elections.
Political DDoS events are not limited to Russian and European networks. Most of the attacks we measure through our ATLAS system are sourced from the US, and the majority of the attacks we see target US victims. This makes sense given the amount of address space located in the US. In the past we have also seen DDoS attacks related to Indian and Pakistani conflicts, and recently against Iranian targets.
As international tensions rise and the number and size of botnets continue to increase, we expect this specific attack motivation to continue. It will be interesting to see how geopolitical events unfold online in the coming months and years.