Internet attacks against Georgian web sites

From: Gadi Evron <ge@linuxbox.org>
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk,funsec@linuxbox.org
Subject: Internet attacks against Georgian web sites
Date:


In the last days news and government web sites in Georgia suffered DDoS 
attacks. While these attacks seem to affect the Georgian Internet, it is still 
there.

Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the 
Prophet Muhammad to the war in Iraq, was followed by online supporters 
attacking targets which seem affiliated with the opposing side, and vice versa.

Up to the Estonian war, such attacks would be called "hacker enthusiast 
attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a 
political nature seems to get the "information warfare" tag. When 300 
Lithuanian web sites were defaced last month, "cyber war" was the buzzword.

Running security for the Israeli government Internet operation and later the 
Israeli government CERT, such attacks were routine, and just by speaking on them 
in the local news outlets I started bigger so-called "wars" when enthusiasts 
responded in the story comments and then attacked the "other side".

Not all fighting is warfare. While Georgia is obviously under DDoS attacks 
and it is political in nature, it doesn't so far seem different than any other 
online aftermath by fans. Political tensions are always followed by online 
attacks by sympathizers.

Could this somehow be indirect Russian action? Yes, but considering Russia is 
past playing nice and uses real bombs, they could have attacked more strategic 
targets or eliminated the infrastructure kinetically.

Coulda, shoulda… the nature of what's going on isn't clear, but until we are 
certain anything state-sponsored is happening on the Internet it is my official 
opinion this is not warfare, but just some unaffiliated attacks by Russian 
hackers and/or some rioting by enthusiastic Russian supporters.

It is too early to say for sure what this is and who is behind it.

The RBN blog (following the Russian Business Network) is of a different 
opinion:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
and:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

Also, Renesys has been following the situation and provides some data:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

(Thanks to Paul Ferguson for the URLs)

DDoS attacks harm the Internet itself rather than just this or that web site, 
so soon this may require some of us in the Internet security operations 
community to get involved in mitigating the attacks, if they don't just drop 
on their own.

Gadi Evron.

--
"You don't need your firewalls! Gadi is Israel's firewall."
     -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
        Israel's Ministry of Finance, at the government's CIO conference, 2005.

     (after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron