Slate Podcast on Estonian DOS atatck

Merike Kaeo kaeo at
Thu May 24 17:06:50 UTC 2007

First of it's kind that it targeted a country.

As far as technical details I'm pulling something together for nsp- 
sec BoF at NANOG.  I saw the spike
to 4m pps on their management no 'claims' there.    
And yeah, OK, will need qualification.
Basically that was seen by Estonian ISPs as traffic coming  
in.........technically there wasn't much difference
to what people see today but the large scale coordination is  
unusual.  Or maybe not since it's  small country :)

As far as the important sites being down for a short time.....that  
was because the mitigation techniques had been
well thought out and they were prepared.  And a LOT of money was  
spent to add equipment and enforce
mitigation in the week before the worst was expected.  There was a  
lot of pro-active activity which I do find
to be unusual.    Noone wants to spend money on security (said very  

I'll include answers to your last questions in my preso.......

- merike

As far as technical
On May 24, 2007, at 9:35 AM, <michael.dillon at>  
<michael.dillon at> wrote:

>> It is an unusual
>> situation...or at least the first of its kind.
> Leaving aside the alleged political involvement of some government or
> other, this is far from true. Back in the days, when DOS attacks were
> delivered to mailboxes and USENET and IRC were the main tool of
> coordinating attacks, this was commonplace. A victim was identified,
> postings were made to newsgroups and IRC channels, and at the  
> appointed
> time, the attack begins.
> What is fundamentally different here?
> Using web forums and IM instead of USENET/IRC is not fundamentally
> different.
> Using botnets to amplify the attack, is different from the mailbombing
> of the past, however, the botnets are often used in DDoS attacks, so I
> don't think we can consider this fundamentally different.
> What about the attackers? Is there something about Russians that would
> explain this? Yes, I think so. Over the past 20 years, economic and
> social problems have hit Russia hard and the people that lived through
> this time learned how to cooperate effectively and how to change  
> tactics
> on short notice. At the same time, the Russian education system  
> produces
> people who are very good at technical subjects, like networks,
> programming, etc. This has combined to create various criminal groups
> who can make a good living from net abuse by building and renting
> botnets or selling various spamming services or just plain  
> phishing. The
> Russian mob does have a big market share of botnet C&C(Command and
> Control).
> IMHO, this is not about Estonia and this is not about the Russian
> government or military or intelligence agencies. This is all about  
> free
> enterprise thinking which is more deeply embedded in Russia than in  
> most
> of the developed world. Generally, these Russian hackers apply their
> skills to earning money or attacking each other, but Estonia
> accidentally raised the hackles of these people and they all pointed
> their firehoses in unison. It could have been any other country which
> does something that offends the sensibilities of ordinary Russians.
> On the other hand, if this attack had been directed at the USA, it  
> would
> have had far less effect. The USA has its economic and government
> infrastructure scattered across many cities with lots of network
> capacity between. The target for the firehose is more diffuse and
> therefore harder to hit. Estonia is a little country with all its eggs
> in one basket in one city.
> It was an interesting coincidence that one of the more vulnerable
> countries just happened to get a large number of criminal hacker gangs
> upset enough to turn from earning money to attack them. Perhaps they
> haven't heard that people who live in glass houses shouldn't throw
> stones.
> There has been a lot of hyperbole over these incidents and little
> factual information. Some people want to point the finger of blame,  
> but
> with botnets and diffuse C&C out there, this is not something that can
> be easily or quickly confirmed. If it was so easy, then we would have
> put the botnet operators out of business long ago. It's nice to hear
> that the Estonian CERT was prepared to respond to an attack and it's
> nice to hear that a lot of people helped mitigate the attack. But  
> there
> is nothing new in that. There are a lot of accusations about attacks
> coming from a certain list of countries or from certain specific
> computers of certain government officials, but these sound like  
> typical
> tabloid journalism explanations of any botnet-based DDoS. People say
> this was a BIG deal but then we hear that sites were down for only an
> hour. The Northeast blackout was a big deal, Katrina was a big  
> deal, but
> a few hours of outage for a few data centres in one city doesn't  
> seem to
> me like a big deal.
> A claim was made that 4 million packets per second were sent. I would
> like to hear more about this. How was it measured? Is this an  
> aggregate
> or was this directed at the largest victim? Was it ingress into the
> network or packets delivered on the site's CPE router? How does this
> compare to other DDoS incidents. And, most importantly, does it  
> indicate
> a growth in total DDoS capability (a bigger firehose than before)  
> or was
> it simply the usual stuff all sent to the same victim at the same  
> time,
> for a change.
> What can network operators learn from this? Do we need to beef up
> technical measures or will a well-run network already be prepared to
> mitigate this kind of thing? Is there some fundamental technical  
> aspect
> of this attack that was different from the past? Did the mitigation of
> the attack do something fundamentally different from the past?
> --Michael Dillon

More information about the NANOG mailing list