funsec mailing list archives

Re: An account of the Estonian Internet War


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 20 May 2008 14:41:16 -0500 (CDT)

On Tue, 20 May 2008, Viktor Larionov wrote:
Hi Gadi and all the rest of the community,

I work and live in Estonia, and I was a witness to all that happened here,
especially in the cyber-sphere, starting from the first day.

Let's skip the details on the political context of your story, which from my
point of view is far from being neutral, and pass on to the technical part of
it.

First of all, neither I, nor (well, as far as I know) anybody here has seen
any evidence that the attacks originated from Russia. I certainly have no
doubt that there may have been addresses located in Russian IP pools
attacking our government networks, but well, we are professionals here, and
we do understand what botnets mean, don't we?
As for the story about blogs and forum activities, well, pardon, CNN
also showed pictures of what was happening in Estonia, as did BBC, EuroNews, MTV3;
that gives me no grounds to claim that CNN is behind all that :)

More than that, living here, and working in the IT sector for half of my
life, I have noticed no increase in hacker activity on my servers (nor on
the company servers).
Neither did a lot of my friends here. In fact, I have not yet seen anyone,
except for one political party, who would have suffered from the so-called
"cyber-war".
All those stories about banks going offline, etc. etc. etc. - well, may I
tell you that my Visa was working properly all the time, and my bank was
available 24/7.

This all led me to the conclusion that all the hush is about a couple (ok,
maybe tens or hundreds) of DDoS attacks being carried out.
Tell me, how many attacks, or ok, attack attempts, does your corporate network
suffer during the day?

As for that student you wrote about, well, Gadi, please, as far as I
know that was a ping-of-death he committed against the server of one
political party.
And well, if your server goes offline due to a ping of death, then please,
you have security issues, and serious ones... And for me, the story about
"ugly Russian hackers" in this context sounds more than hilarious.
It gets even more ridiculous if one tries to make an international disaster
out of one "lazy admin forgetting to install a firewall".
Give me a break...

In general, a lot of IT experts around here are concerned that no
"cyber-war" has ever happened; everything was about a couple, maybe
10-20, DDoS attacks which took place, and sleeping admins off duty.
And as for the security situation here in Estonia, well, I should
agree with you that, yes, our banks have security which we may trust,
well, at least from my point of view. But if we go to the government level,
then please...
You don't even need to be a cracker know-it-all of any kind; plain
script-kiddie skill will do the trick... e.g. recently, checking out one
software package for security breaches, we found a key to some 100
Estonian government websites + web server user privileges on the boxes
themselves... it took us 15 minutes, not even being security experts of any sort.
Fortunately for the government, we are the good guys. :)

Generally, pardon Gadi, but your story copies 1:1 the story the officials
tell everybody, and well, sorry, but Mr. Toomas Hendrik Ilves's IT skills
leave me in very grand doubt. So does the story he has no evidence for.
So far the online community has seen none of the evidence the government was
boasting about; a year has gone by, and personally I consider all this
one big bluff.

Dear Viktor, thank you for sharing your experience and your personal point
of view; I appreciate that.

As to the banks, indeed, actual, eventual down-time was non-consequential
(for some, 2 hours) while others still did not process credit card
requests a month later. All in all, incident response made sure people in
the streets only found out about certain issues through the press.

As to the technical evidence, indeed, the attacks, while sizable (c'mon,
4mpps is still big), are almost insignificant when compared with the size of
attacks we have seen in the past. Very small in comparison.

I refuse to take a stand or offer an opinion (anymore) on whether it was Russia
or not; I convey only what I can prove, which in that regard is absolutely
nothing except for the fact it was organized, ad-hoc or by an entity; you
can decide for yourself.

It is not my place to take sides or comment politically. DDoS hurts the
`net, no matter who is under attack, and that is why the Internet security
operations community and the CERTs community got involved, as well as
myself.

Thanks again,

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
