• United States



by Dave Gradijan

Beyond Estonia: Bots Get Political

Jan 16, 20087 mins
Build AutomationCSO and CISO

By Katherine Walsh

Botnets and distributed denial-of-service attacks aren’t just for extortion anymore.

Increasingly, say Arbor Networks researchers Danny McPherson and Jose Nazario, DDoS attacks–and the sophisticated botnets used to power them–are being used for political reasons. And despite the fact that the U.S. government hasn’t been crippled by DDoS attacks, as the small country of Estonia famously was last April, it’s not because there aren’t botnets out there with enough fire-power to do it.

That’s the message that McPherson, chief research officer of Arbor Networks, and Nazario, a senior security engineer at the Lexington, Mass.-based network security provider, will deliver to military and law enforcement personnel this week at the Department of Defense Cyber Crime Conference in St. Louis. In a pre-conference interview with CSO, McPherson gave a snapshot of his and Nazario’s research findings and the transforming landscape of global attacks, the political motivations behind many DDoS attacks, and how the government can prepare for some of largest network threats.

CSO: What does the global attack landscape look like?

Danny McPherson, chief research officer at Arbor Networks: We see thousands of DDoS (distributed denial-of-service) attacks every day. We sift through those with a fine-tooth comb and try to determine which ones are the most significant and why. The most prominent usually turn out to be really large attacks, wide-scale attacks, well-distributed attacks, or attacks with really interesting targets. DDoS motivation has traditionally been linked to extortion, but the attacks could be ego-driven or personal. Extortion is still quite prevalent–the rate of those attacks is still growing. But as the Internet and e-commerce become bigger factors, we are starting to see more attacks related to politics or economics–during an election perhaps. Interestingly enough, those attacks are the louder ones. (Somebody might slam a lot of traffic to make a website unavailable.) Although we still see lots of covert attacks that attempt to fly under the radar (most likely in an attempt to steal intellectual property), the politically motivated attacks seem to be very obvious, and the motivations tend to come to the surface pretty easily.

CSO: How much of a threat are those politically motivated denial-of-service attacks?

McPherson: It’s an emerging issue. We’re monitoring well over a terabyte per second of traffic across roughly 100 service providers globally. We see on the order of 2,000 or so attacks per day. About 1 percent of those attacks are what we consider significant or interesting, and of those, there is an upslope in politically motivated attacks. But it’s still a small fraction as of right now. It’s only within the last couple years that we have even been able to isolate and determine these kinds of attacks. Five years ago, you never would have been able to sift through the data and see all this stuff, unless it was very loud and obvious.

Botnets are the primary driver for DDoS attacks today. There are two components to that. One is the infection, propagation and compromise vector. The other side is related to what those bots are asked to do. So on one side we monitor the infection and propagation (who is controlling the botnets, where they are controlling them from and who they are attacking). For our research purposes, we flagged some attacks and then went back and looked at who triggered them. Then we examined other areas they attacked, looking for patterns. We were then able to tie certain types of nefarious or malicious activity and behaviors to certain groups.

CSO: What were some of the most prominent or influential attacks last year?

McPherson: The incident in Estonia made lots of headlines. [In April, a large DDoS attack was launched on several of the country’s government websites, including the prime minister’s Reform Party.] Ninety-eight percent of Estonia is essentially online: The government is pretty much paperless, and it’s a small country. They don’t have a huge amount of external Internet connectivity, so it doesn’t take a lot to overwhelm the system. Every day in the United States we see attacks that are at the scale of the largest attacks on Estonia; it’s just that the targets of those attacks have much larger infrastructures. If Yahoo or Google gets hit by an attack of that magnitude, it wouldn’t be as devastating to them as it was to Estonia. The interesting thing is that most of the attacks in Eastern Europe right now seem to be politically motivated. One group making attacks on Victor Yushchenko’s site was also attacking the site of Gary Kasparov [former Russian world chess champion turned politician]. They were also attacking some other Russian dissident sites.

CSO: What kinds of targets do you see in the United States?

McPherson: That’s partly why the Estonia incident stands out–you don’t see a huge number of DDoS attacks on the U.S. government, and I think that’s because of the bandwidth available. The capacity to connect to the Internet is much more significant here than in a lot of Eastern European countries. But still, there is a fire-power out there with botnets for this sort of attack in the United States. Thirty-seven-gigabit DDoS attacks were reported last year in our infrastructure security survey. That will overwhelm any service provider on the Internet today. But the folks managing these botnets don’t try to make a lot of noise with the government. What we do see on the U.S. government site is a lot of targeted stuff (the alleged Chinese attacks on the Pentagon, for example). For the people behind these bots, it’s about their motivations–whether or not they want to make a statement, or become involved with cyber espionage.

CSO: Looking ahead to the rest of 2008, what are going to be the biggest network security challenges?

McPherson: One of the most interesting evolutions we’ve seen in the last 18 months is related to the distribution, hierarchy and amount of intelligence in engineering more resilient botnets. Traditionally, your host would get compromised, and traffic would always flow back and forth for a command-and-control infrastructure. I could tell your computer what I wanted it to do. Today, there are peer-to-peer botnets and encrypted transactions. Some of the tools we see developing in Russia are sending command-and-control traffic over HTTP and web channels. It’s very difficult to identify, filter and mitigate that traffic. I think the continued sophistication of botherders on the Internet is going to be the biggest challenge from a botnet or a wide-scale infrastructure security perspective.

The continued sophistication of the compromised vector is another issue. Nobody wants to be caught now when they compromise hosts. They want to compromise a system, and they want their malicious code to stay on the system without being detected. So what you find is that not only is it difficult to see something that’s infected, but you can’t see if it’s talking to other devices on the network in some anomalous way.

CSO: What are some steps that need to be taken in order to mitigate that risk?

McPherson: People need to share information to find compromised hosts. The data we have only becomes valuable when we have large quantities of it and people who can analyze it. Over the last two years we’ve seen a concerted effort from global governments, industry and academics to share more information and intelligence. When you do that, the value of the aggregate is so much greater than any individual effort.

In addition to more information sharing, we also need to understand the motivation of these folks. Traditionally it was “I want to thump my chest because I attacked someone and took their website down.” Now the motivation is either political or economic–making sure someone doesn’t get elected, or stealing intellectual property. Understanding the motivations of the miscreants behind these attacks is absolutely critical.

Staff Writer Katherine Walsh can be reached at

The comment field below does not work. Please send your feedback directly to the author.