Posted by: David Schneier
Information Security Threats
The specter of cyber-warfare has been looming over the Internet since its earliest days. Once people figured out that they could send malicious traffic to remote computers, it was only a matter of time before discussions turned to how this could be useful in the context of military operations. Given that the Internet’s predecessor was developed on a contract for the Department of Defense, this was a logical school of thought. But despite all of the theories, speculation and postulating, the number of confirmed incidents of one country launching government-sponsored attacks against another country’s networks is essentially zero. Everyone thinks it’s happening and lots of people have suggested that China, Israel, the U.S. and a couple of other countries have been using directed attacks in this way, but there’s no way to know for sure.
So when the shooting war between Russia and Georgia began last week, security experts and non-experts alike were quick to point to the fact that there had been some recent DDoS attacks against Georgian government sites. It’s cyberwar, I tell you! The Russians had it all set up weeks ahead of time! And they’re getting help from the Russian Business Network (RBN) too. It certainly fits together nicely, doesn’t it? RBN is notorious for hosting malware sites and all manner of other garbage, and has been implicated in some attacks as well. So why wouldn’t they join the party and DoS their neighbors?
Well, as it turns out, that string of pearls doesn’t add up to a necklace. The guys at the Shadowserver Foundation, who first noticed the Georgian DDoS attacks and follow botnet and online crime activity closely, posted a terrific analysis of the ongoing attacks against Georgian government sites and came to a logical conclusion: The Russian government isn’t DoSing anyone. Or at least not these targets.
What I can say, without a doubt, is that only the perpetrators know for sure who is behind it. At this point, everyone is speculating on who is behind the denial of service attacks. With that in mind, I’ll offer a few more facts of what we do know, and offer my own personal opinions.
First, as Steven mentioned, we have seen at least six different C&C servers involved in the latest round of attacks. We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we’ve tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn’t seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don’t strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:
- Adult video websites
- Prostitution websites
- White supremacy websites
- Carder websites (sites that trade in stolen credit card numbers)
- Online gambling websites
- Virtual currency websites (think PayPal, but not nearly that legitimate)
- Russian news websites
- Random Russian websites
- Many other websites
I just do not see why a government entity would attack those types of websites. Now, what does seem to be the case is that some number of these botnets are either “DDoS for hire” or “DDoS for extortion” services. The pattern of the sites they attack is reasonably regular, and it’s rare to see them go after a non-commercial site of some sort.
So there you have it. As tantalizing as the prospect of an all-out cyberwar is to headline writers and military talking heads everywhere, it’s probably not the case here. But what about the RBN, you say? Glad you asked.
The other speculation is that this is somehow related to RBN. Again, nobody has any proof of that, including me. I’m in the camp that thinks RBN was nothing more than a hosting provider who provided “bullet-proof” hosting. I don’t think they, themselves, were posting malicious websites or posting child pornography. They hosted it, for sure, but that’s all they did. So, I also don’t think RBN (or whatever they became after being shut down) is actively attempting to deny service to anyone.
Who’s behind the Georgian DDoSes? It’s impossible to be sure, but it really just looks like a bunch of “patriotic” operators inside Russia. It’s not Russia itself and it’s not RBN.
Done and done. I guess we’ll just have to wait until the next Cricket World Cup to see the West Indies DoS England out of contention.
Update: Jose Nazario at Arbor Networks Inc., who knows from botnets and DoS attacks, also has an excellent analysis of the Russia-Georgia situation. His conclusion is the same: no evidence to point to state-sponsored attacks.