Slate Podcast on Estonian DOS atatck

michael.dillon at michael.dillon at
Thu May 24 16:35:04 UTC 2007

> It is an unusual 
> situation...or at least the first of its kind.

Leaving aside the alleged political involvement of some government or
other, this is far from true. Back in the days, when DOS attacks were
delivered to mailboxes and USENET and IRC were the main tool of
coordinating attacks, this was commonplace. A victim was identified,
postings were made to newsgroups and IRC channels, and at the appointed
time, the attack begins.

What is fundamentally different here?

Using web forums and IM instead of USENET/IRC is not fundamentally
Using botnets to amplify the attack, is different from the mailbombing
of the past, however, the botnets are often used in DDoS attacks, so I
don't think we can consider this fundamentally different.

What about the attackers? Is there something about Russians that would
explain this? Yes, I think so. Over the past 20 years, economic and
social problems have hit Russia hard and the people that lived through
this time learned how to cooperate effectively and how to change tactics
on short notice. At the same time, the Russian education system produces
people who are very good at technical subjects, like networks,
programming, etc. This has combined to create various criminal groups
who can make a good living from net abuse by building and renting
botnets or selling various spamming services or just plain phishing. The
Russian mob does have a big market share of botnet C&C(Command and

IMHO, this is not about Estonia and this is not about the Russian
government or military or intelligence agencies. This is all about free
enterprise thinking which is more deeply embedded in Russia than in most
of the developed world. Generally, these Russian hackers apply their
skills to earning money or attacking each other, but Estonia
accidentally raised the hackles of these people and they all pointed
their firehoses in unison. It could have been any other country which
does something that offends the sensibilities of ordinary Russians. 

On the other hand, if this attack had been directed at the USA, it would
have had far less effect. The USA has its economic and government
infrastructure scattered across many cities with lots of network
capacity between. The target for the firehose is more diffuse and
therefore harder to hit. Estonia is a little country with all its eggs
in one basket in one city. 

It was an interesting coincidence that one of the more vulnerable
countries just happened to get a large number of criminal hacker gangs
upset enough to turn from earning money to attack them. Perhaps they
haven't heard that people who live in glass houses shouldn't throw

There has been a lot of hyperbole over these incidents and little
factual information. Some people want to point the finger of blame, but
with botnets and diffuse C&C out there, this is not something that can
be easily or quickly confirmed. If it was so easy, then we would have
put the botnet operators out of business long ago. It's nice to hear
that the Estonian CERT was prepared to respond to an attack and it's
nice to hear that a lot of people helped mitigate the attack. But there
is nothing new in that. There are a lot of accusations about attacks
coming from a certain list of countries or from certain specific
computers of certain government officials, but these sound like typical
tabloid journalism explanations of any botnet-based DDoS. People say
this was a BIG deal but then we hear that sites were down for only an
hour. The Northeast blackout was a big deal, Katrina was a big deal, but
a few hours of outage for a few data centres in one city doesn't seem to
me like a big deal.

A claim was made that 4 million packets per second were sent. I would
like to hear more about this. How was it measured? Is this an aggregate
or was this directed at the largest victim? Was it ingress into the
network or packets delivered on the site's CPE router? How does this
compare to other DDoS incidents. And, most importantly, does it indicate
a growth in total DDoS capability (a bigger firehose than before) or was
it simply the usual stuff all sent to the same victim at the same time,
for a change.

What can network operators learn from this? Do we need to beef up
technical measures or will a well-run network already be prepared to
mitigate this kind of thing? Is there some fundamental technical aspect
of this attack that was different from the past? Did the mitigation of
the attack do something fundamentally different from the past? 

--Michael Dillon

More information about the NANOG mailing list