
Looking at the Estonian Denial of Service Attacks of 2007

Last reviewed: January 10, 2016

Cyber Terrorism Incidence: The Estonian Denial of Service Attacks of 2007

There are different forms of cybercrime, including data theft, system compromises and DoS (denial of service) attacks. The motivations behind such internet attacks are varied. Some of the motivations include economic sabotage, extortion and harmless fun, particularly against pornography and gambling websites. Frustration and retaliation are seemingly the main drivers behind attacks on gaming networks, where player-against-player cyber-attacks happen relatively frequently. Contrary to popular opinion, politically motivated attacks appear to happen far more rarely than attacks on gaming networks. The magnitude and type of internet attacks launched against a system or a network depend on the skills, motivations and capabilities of the attackers (Nazario, 2009). In April 2007, the Eastern European state of Estonia experienced what was to be the first wave of denial of service attacks. The attacks were accompanied by physical protests on the streets against the government for the action it took to remove a 1947 Soviet monument in Tallinn. The Bronze Soldier Monument was a symbol of the role played by the Soviet Union and its satellite states in the World Wars and other geopolitical conflicts. The protesters, angered by the government's move, launched DoS attacks on widely used government websites and also on the sites maintained by newspapers, universities and banks. The cyber-attacks persisted for 3 weeks and only ceased after the government of Estonia decided to cut all international web traffic, which effectively prevented communication with the rest of the world (Richards, 2009).

According to authors Mirkovic and Reiher (2004), a DDoS (distributed denial of service) attack is a programmed effort that instructs computers to send a victim (a system, network or computer) a large volume of traffic with the purpose of consuming the victim's bandwidth or overwhelming its servers. Regardless of the underlying intentions of the perpetrators, a DDoS attack is meant to interfere with the usual flow of information for external users, internal users or both. The computers utilized for such attacks are either the bots in a botnet or programs that individuals have willingly installed on their own computers. An example of a DDoS attack is when individuals work in unison to continuously refresh a webpage from a browser such as Firefox; doing so from a very large number of sources aggregates the bandwidth of the computers being used, and this will overwhelm the server where the website is hosted. When the attacking computers come from an adequately large number of sources, source-based filtering becomes impossible. Distributed denial of service attacks are among the most frequent and visible types of internet attacks.

General summary

Overview of events

From April 26th, Estonia was hit by waves of denial-of-service cyber-attacks. The issue behind the attacks was the removal of a Soviet war monument from Tallinn's town square. Estonia is made up of Estonians and ethnic Russians, and many observers have noted that the country's different groups co-exist harmoniously (Bureau of European and Eurasian Affairs, 2009). Similar to many other areas throughout Russia and other former members of the U.S.S.R. (Union of Soviet Socialist Republics), Estonia has a statue of a Soviet soldier. Such statues were erected throughout the Soviet republics to commemorate the contributions made by the soldiers during the Second World War. The Bronze Soldier statue had been a point of contention in Estonian politics for many years, and the then government opted to have it removed during the month of April in 2007. This led to protests throughout Estonia and also to letters from the Russian government (Nazario, 2008). Apart from the street protests, denial of service attacks were also launched against both public and private sector websites, including banking, institutional and news sites. The attacks continued to come in waves and peaked on 9th May (Victory Day in Estonia and other former Soviet republics). The attacks on Victory Day were recorded on Peakflow systems as having an average bandwidth utilization of ninety-five Mbps and lasted about 10 hours each. This information was collected from various Peakflow sensors that aggregate the information into ATLAS through Internet Service Providers (ISPs) providing transit for Estonian internet service providers (Nazario, 2007).

Despite the attack itself being launched at about 10 pm on April 26th, it went relatively unnoticed over the next 24 hours, until the country's defense minister Jaak Aaviksoo attempted to log onto the ruling party's website and was unable to do so. The perpetrators had targeted the ruling party's website first and proceeded to attack other party websites and public sector web pages, including that of the Estonian parliament. Barely seven days after the initial wave of attacks, the hackers had managed to completely disrupt the services offered on the attacked websites, leading to many of them going offline. The second wave of DoS attacks focused on Estonian news websites, and many of them were also knocked offline. When the Estonian government investigating agencies revealed that the hacking zombie systems were not located within the country, news websites opted to block all incoming traffic from outside the country. The owners and editors of the news websites noted the irony that their websites could not report what was happening to the international community and other concerned parties, since blocking incoming international traffic was the only option they had to reduce requests to a low enough level to restore their websites (Richards, 2009).

The DoS attacks continued for several more days until May 9th, the day that marked the end of the Second World War in the European theatre. At around 11 pm, the country was faced with its worst cyber-attack yet (over 4 million packets of information requests per second). The heaviest attack focused on the country's banking system. By the next day, Hansabank, Estonia's largest bank and the country's foremost institution in IT development and adoption, had shut down all its online-based operations. The shutting down of the bank's operations meant three things. First, it severed the connection between Hansabank and the rest of the globe, meaning that Estonian-issued credit cards could no longer work outside the country. Second, it broke the connection between the bank and its ATMs throughout the country, meaning that people in the country could not access their funds or their accounts. Third and most significantly, it prevented internet-based banking for Estonia, in a country where a whopping ninety-seven percent of all banking operations are conducted online (Richards, 2009).

Technical description

The hackers utilized different methods of attack. They used Russian-language blogs and forums to spread programs such as ping flood scripts and to network their attacks. The perpetrators also utilized botnets in their attacks. The networking or collective effort can be seen in the fact that all tools utilized for the attacks were coordinated to strike at the same time (11 am local time). The coordination can also be seen in the fact that the attacks concentrated on areas where the country could be hurt most, i.e. on Estonia's most important websites, including government mail servers and the parliament's and the prime minister's websites. Many ministries also had to go completely offline courtesy of the attacks. As mentioned earlier, many ministries had been hit, with news publications reporting that financial transactions had slowed down. The effects of the denial of service attacks seen in Estonia are to be expected, particularly in a country that is as heavily reliant on the use of the internet for day-to-day activities as Estonia is. The majority of the attacks that were recorded on ATLAS did end on Victory Day; some of them persisted for several more weeks (Nazario, 2009). Many of the government web pages were corrupted or defaced using various means such as SQL injection and comment spam. The DoS attacks that caused the most damage were those that hit broadcasters, news publishers, government ministries, banks and the country's parliament. The distributed DoS attacks utilized global systems (botnets) made of modified computers (zombies or slaves), often under the care of unknowing individuals, for the purpose of flooding the country's servers with millions of data packets per second. According to experts this was not the country's first botnet attack, nor was it the biggest ever to have hit the country. However, never in the history of Estonia had the entire country been faced with multiple cyber-attacks on almost all digital fronts of public and private institutions (Deceth, 2012).

The most damage from the waves of cyber-attacks was caused through the utilization of botnets (groups of compromised PCs running programs such as backdoors, Trojan horses or worms under a single command-and-control infrastructure). The originator of the botnet can instruct the computers remotely, frequently through IRC and often for illegal purposes. In the Estonian case, several botnets were utilized to launch DDoS attacks. In a DDoS attack, instead of one system initiating requests, thousands of compromised computer systems launch requests, making the target slow or unable to respond to legitimate requests. This can cause a system to crash. In order for the requests to travel from the compromised computers to the destination servers, the packets must move through several networks. Thus, even though the attacks did not have the capability to attack all networks in Estonia, by hitting the country's major networks, the millions of incoming packets of data caused congestion on the networks that they had to pass through on their way to their destination servers. Thus, even websites that had not been directly attacked ended up slowing down and becoming unresponsive, owing to the millions of requests blocking the network pathways needed to reach them (Deceth, 2012).

These internet attacks had very large effects owing to the way they were planned and executed. On the first day of the attacks, the networks were flooded with only thousands of packets per second, and on the second day the rate of incoming connections was 2000 packets per second. By the last major day of attack, the rate had increased exponentially and stood at four million packets of data per second across hundreds of different public and private sector websites.
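The mechanism described above (many compromised hosts, each sending at a modest rate, whose aggregate overwhelms the target and the networks in between) and the earlier observation that source-based filtering fails once the sources are numerous enough are illustrated by the following added example, which is not part of the original essay. The flow records, the IP ranges and the per-second thresholds are constructed assumptions, not values from the essay.

```python
"""Rate-based flood detector over constructed flow records (added
example, not from the essay). Thresholds and IP ranges are assumptions;
the traffic mix mimics the distributed pattern the essay describes."""
from collections import defaultdict

# Constructed records: (second, source_ip, packets sent in that second)
FLOWS = (
    # second 0: ordinary traffic from a handful of clients
    [(0, f"198.51.100.{i}", 100) for i in range(1, 6)]
    # second 1: one noisy host dominates (a classic single-source flood)
    + [(1, "203.0.113.7", 9000)] + [(1, f"198.51.100.{i}", 100) for i in range(1, 6)]
    # second 2: 200 bots at 50 pkt/s each; no single source stands out
    + [(2, f"203.0.113.{i}", 50) for i in range(1, 201)]
)

def per_second_stats(flows):
    """Aggregate packets per second and per (second, source)."""
    agg = defaultdict(int)
    per_src = defaultdict(lambda: defaultdict(int))
    for sec, src, pkts in flows:
        agg[sec] += pkts
        per_src[sec][src] += pkts
    return agg, per_src

def sources_to_block(src_counts, total, flood_pps):
    """How many of the loudest sources must be filtered before the rate
    drops below flood_pps; a large count means source filtering is impractical."""
    blocked = 0
    for pkts in sorted(src_counts.values(), reverse=True):
        if total < flood_pps:
            break
        total -= pkts
        blocked += 1
    return blocked

def classify(flows, flood_pps=5000, single_src_share=0.5):
    """Map each second to (verdict, number of sources that would need blocking)."""
    agg, per_src = per_second_stats(flows)
    verdicts = {}
    for sec in sorted(agg):
        total = agg[sec]
        if total < flood_pps:
            verdicts[sec] = ("normal", 0)
            continue
        top_share = max(per_src[sec].values()) / total
        kind = "single-source flood" if top_share >= single_src_share else "distributed flood"
        verdicts[sec] = (kind, sources_to_block(per_src[sec], total, flood_pps))
    return verdicts
```

In the constructed second 1 a single block rule suffices, whereas in second 2 the same aggregate rate requires filtering 101 separate sources, which is why the Estonian sites fell back to blocking all foreign traffic rather than individual senders.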

Actors and Motivations

The April 26th DDoS attacks on Estonia were perpetrated by hackers who wanted to make a statement by disrupting internet-based services in the country. It has been established that the hackers acted on their own initiative, particularly out of political motivations. The attackers were basically a group of experienced hackers who were protesting the removal of the Bronze Soviet monument. The experienced hackers contracted out their self-made botnets, and the amateur hackers who also participated in the attacks did so by following online hacking guides. The fact that the hackers were from different areas and that they were not using the same program to hack the Estonian websites made it difficult to track them. The government of Estonia was, however, able to track and prosecute one of the hackers, a Mr. Dmitri Galushkevich, an Estonian of ethnic Russian extraction. Mr. Galushkevich had, through his PC, taken part in the DoS attacks on the ruling party's (Reform Party) website. The attacks completely shut down the ruling party's website for 10 days. Galushkevich pleaded guilty, claiming that he was protesting the removal of the Soviet monument. He was subsequently fined 1635 dollars. According to Richards (2009), the government has, however, not been able to make any other arrests related to the DoS attacks.

Some computer experts and Estonian officials did claim that the attacks originated from Russia and that they came from IP addresses that were linked to the government of Russia. The government of Estonia also asserted that the attacks were perpetrated by the government of Russia. However, Mikko Hyppönen of F-Secure (a Finnish internet security company) had a differing opinion. He argued that only one IP address pointed to a government computer. Moreover, while it was obviously possible to launch a cyber-attack from there, the attacker could be anyone, from junior officials with access to government computers to those in the upper echelons. He also stated that DDoS attacks of the magnitude witnessed in Estonia could come from botnets of computers from around the globe and that there is a very small likelihood of locating the controller (Anderson, 2007).

Cite This Paper
PaperDue. (2016). Looking at the Estonian Denial of Service Attacks of 2007. PaperDue. https://www.paperdue.com/essay/looking-at-the-estonian-denial-of-service-2158121
