Political DDoS around the world

2008-04-01

Jose Nazario

Arbor Networks, USA
Editor: Helen Martin

Abstract

‘We have tracked tens of thousands of DDoS attacks ... A subset of [them] appear to be politically motivated.’ Jose Nazario, Arbor Networks


DDoS attacks are designed to overwhelm a target network with resource requests, leaving the victim unable to handle legitimate requests. These can come in many forms, but typically we see traffic floods that consume bandwidth rather than application resources. DDoS attacks are not new, and have grown in intensity and popularity in the past ten years with the rise of botnets.
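The distinction drawn above between floods that consume bandwidth and those that consume application resources is exactly what a network operator has to tell apart in flow telemetry. The following is an added example, not code from the article, from Arbor Networks or from its ATLAS system: it aggregates constructed NetFlow-style records per destination over a one-minute window and labels each destination as a bandwidth flood (many sources, high bit rate, large packets), an application-layer flood (many sources, high packet rate, small requests) or ordinary traffic. The flow records, the source and target addresses (RFC 5737/1918 documentation ranges) and the thresholds are all constructed assumptions chosen for illustration.

```python
"""Classify destinations in a flow window as bandwidth flood, application flood or normal.

Added example; the flow records, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: source, destination, destination port, packet and byte counts."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def _burst(n_sources, prefix, dst, dport, packets, pkt_bytes):
    """Construct n_sources flows of identical shape from hypothetical source addresses."""
    return [Flow(f"{prefix}.{i}", dst, dport, packets, packets * pkt_bytes)
            for i in range(1, n_sources + 1)]


# Constructed one-minute sample window:
#   203.0.113.10 receives a bandwidth flood (50 sources, 1400-byte packets),
#   198.51.100.5 receives an application-layer flood (80 sources, tiny HTTP requests),
#   192.0.2.7 receives ordinary traffic from a handful of clients.
SAMPLE_FLOWS = (
    _burst(50, "10.1.0", "203.0.113.10", 53, 2000, 1400)
    + _burst(80, "10.2.0", "198.51.100.5", 80, 3000, 120)
    + _burst(3, "10.3.0", "192.0.2.7", 443, 50, 800)
)


def summarize(flows, window_seconds=60):
    """Aggregate flows per destination: distinct sources, Mbit/s, packets/s, average packet size."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        a = agg[f.dst]
        a["sources"].add(f.src)
        a["packets"] += f.packets
        a["bytes"] += f.bytes
    stats = {}
    for dst, a in agg.items():
        stats[dst] = {
            "sources": len(a["sources"]),
            "mbps": a["bytes"] * 8 / window_seconds / 1e6,
            "pps": a["packets"] / window_seconds,
            "avg_pkt_bytes": a["bytes"] / a["packets"],
        }
    return stats


def classify(stats, min_sources=20, mbps_threshold=10.0, pps_threshold=2000.0,
             small_pkt_bytes=200):
    """Label one destination's statistics. Thresholds are illustrative assumptions.

    A flood is only called 'distributed' once it arrives from at least min_sources
    addresses; a single noisy client is left to ordinary rate limiting.
    """
    if stats["sources"] < min_sources:
        return "normal"
    if stats["mbps"] >= mbps_threshold:
        return "bandwidth-flood"          # link saturation: large packets, high bit rate
    if stats["pps"] >= pps_threshold and stats["avg_pkt_bytes"] <= small_pkt_bytes:
        return "application-flood"        # server exhaustion: many small requests, modest bit rate
    return "normal"


def report(flows, window_seconds=60):
    """Map every destination seen in the window to its classification."""
    return {dst: classify(s) for dst, s in summarize(flows, window_seconds).items()}


if __name__ == "__main__":
    for dst, s in summarize(SAMPLE_FLOWS).items():
        print(f"{dst:14} {s['sources']:3d} srcs {s['mbps']:7.2f} Mbit/s "
              f"{s['pps']:7.1f} pps avg {s['avg_pkt_bytes']:5.0f} B -> {classify(s)}")
```

The two flood classes call for different mitigations, which is why the split matters: a bandwidth flood has to be absorbed or scrubbed upstream of the saturated link, while an application flood leaves the link mostly idle and is handled at the server or load balancer. In production the thresholds would be derived from each destination's baseline rather than fixed constants.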

Botnets provide the needed firepower behind a DDoS attack – bandwidth and computers – as well as the infrastructure to manage such an attack. In measurements conducted in 2006 we found that approximately half of all of the botnets we monitored launched at least one DDoS attack. Traditional botnets are not the only source of these attacks, though, as we are increasingly seeing specialized kits being deployed to launch and control DDoS attacks.

Our own research over the years has shown a steady increase in the severity of DDoS attacks. Based on surveys of tier-1 ISP operators, we found that the largest DDoS attacks observed in the wild exceed 40 Gbps.

Motivations for DDoS attacks are often related to retaliation or anger, and sometimes include extortion or punitive attacks. In the past few years we have tracked tens of thousands of these sorts of attack across the globe and have found that no network is immune to such an event. Most frequently we see small attacks against broadband subscribers or small e-commerce sites. Larger, more sophisticated attacks involve extorting major online businesses. Some attacks have caused businesses significant financial problems through the loss of the ability to handle customers or bandwidth charges.

At present, we are witnessing a series of DDoS attacks against online gambling sites. These are orchestrated by a small set of attackers and may be related to extortion schemes. In these attacks, several poker and casino sites have been hit with sustained attacks lasting days and, in some cases, weeks. These can cripple the victim’s site, directly impacting the business.

A subset of DDoS attacks appear to be politically motivated. In one of the most high-profile events recently, Estonian government and national infrastructure sites were hit with several weeks’ worth of DDoS attacks. These attacks coincided with the staging of street protests over Russia’s history in Estonia. Many people assumed that Russian authorities had orchestrated the attacks, although no evidence was found to support that claim. We found that botnets as well as manual coordination were behind most of the DDoS attacks, with Russian-language forums used in the organization of the attacks.

More attacks were staged in the winter of 2007 against Estonian newspaper DELFI, during its coverage of the trials of several Russians charged with street-level crimes during the protests earlier in the year.

Other politically motivated DDoS attacks we have seen recently include those against Russian politician Garry Kasparov and his party during the run-up to the winter 2008 elections.

Political DDoS events are not limited to Russian and European networks. Most of the attacks we measure through our ATLAS system are sourced from the US, and the majority of the attacks we see target US victims. This makes sense given the amount of address space located in the US. In the past we have also seen DDoS attacks related to Indian and Pakistani conflicts, and recently against Iranian targets.

As international tensions rise and the number and size of botnets continue to increase, we expect this specific attack motivation to continue. It will be interesting to see how geopolitical events unfold online in the coming months and years.
