hello everyone, good day and thank you. hello everyone, i hope all of you are having a good day, and thank you for coming. my name is jose nazario and i'll be talking about the ddos attacks that took place against estonia in april and may of this year. the talk will be in English, and i'll take questions and your comments in #qc. you can find the slides on my website at http://monkey.org/~jose/presentations/umeet07.d/slides/

[slide 1] today's talk is based on some analysis i did where i work at Arbor Networks. at Arbor, we develop tools for large network operators to protect their networks against distributed denial of service (ddos) attacks, which can impact customers and the operator alike. in the past year we developed and deployed a new product called "ATLAS", where much of this data was gathered. at Arbor i am a senior security researcher and head of the ASERT team, Arbor's security engineering team. we build ATLAS, for example, develop new products and services, and help our customers protect the internet. i have spent a lot of time in the past five or six years that i've been at Arbor examining ddos and botnets. in this talk i will also introduce you to those concepts a bit. i live and work in ann arbor, michigan, USA.

[slide 2] in this talk i want to talk about ddos attack basics, how we gather data about ddos events, and then more specifically about the attacks against estonia i analyzed this spring.

[slide 3] ddos - or distributed denial of service attacks - are designed to overwhelm an adversary with more data than they can handle. the distributed nature is often designed to do two things. first, it can amplify the resources an attacker has to match or surpass those of their target. think about how much bandwidth you have and how much a popular website has. most of you would need thousands of connections like yours to be able to fill the pipe of a large provider or website.
secondly, by coming "from everywhere", it makes it hard to stop traffic from a single point source to mitigate the attack. you can't just put a firewall in place. think about the bandwidth an attack can consume - gigabits in some cases - and how much bandwidth you have coming into that firewall. even if you stop the packets at the firewall, the damage is done. your pipe is full, and no customers can get through.

[slide 4] at arbor i spend a lot of time measuring actual ddos attacks to discover who is launching them. we get asked to help stop them, and sometimes we want to shut down those attack networks. we capture ddos attacks in two major ways. the first is through our deployed products around the world, which customers have purchased and operate. we can get some of this data for our ATLAS system, so we have actual ddos event measurements. our products take a baseline of the traffic on the network and, when they see spikes in specific kinds of traffic, generate an alert describing the attack. you can view some ATLAS data for free at http://atlas.arbor.net/

[slide 5] the second way that we get ddos attack information is from actively watching the botnets that command such attacks. botnets are a major source of this kind of attack, and we can see new targets get hit. the impact of these attacks depends on the botnet size and aggregate bandwidth.

[slide 6] earlier this year i did some analysis looking at the intersection of botnet commands seen for ddos and the actual ddos events we measured. in our previous studies we had seen about half of the botnets we were actively tracking launch at least one ddos event. about 13% of the attacks we saw commanded affected customers enough to generate an alert. about 2% of the alerts we saw had a clear botnet command behind them. this tells us that we're missing a lot of ddos events, but many never get big enough for our customers to see alerts.

[slide 7] here's an actual ddos command given by a botnet this morning.
this is an IRC botnet i'm tracking using a basic botnet infiltration tool we dubbed "bladerunner". this IRC botnet has been launching these sorts of attacks for several days now, if not longer.

    Sat Dec 15 08:38:20 2007 .login hacker -s
    Sat Dec 15 08:38:26 2007 .ddos.syn 195.117.245.117 21 800 -s
    Sat Dec 15 08:38:32 2007 .ddos.udp 195.117.245.117 21 800 -s

you can see the attacker first authenticates himself to the bots with the "login" command and the password, in this case "hacker". he (or she) then commands two attacks against a target in poland:

    AS   | IP              | AS Name
    5617 | 195.117.245.117 | TPNET Polish Telecom_s commercial IP network

this approach of watching botnets with a fake bot client tool is quite common in the botnet tracking community. we all have our own tools, we usually don't share them very far, but they all work the same way. once we analyze malware, we can learn where the bot executable would connect. in the case of an IRC botnet we know the server and port, and the channel and any passwords we need to know. we can then configure our specialized IRC client to do the same. these are stripped down tools that look a lot different than the IRC clients we're using here (i use IRSSI, for example). all that these tools do is join the botnet and log the commands.

[slide 8] here's another botnet command, this time from a web-based botnet. i've spent my time lately looking at a lot of these HTTP botnets because they're most often used strictly for DDoS attacks. here we can see a botnet commanding the network to flood a russian target:

    10;2000;10;0;0;30;100;3;20;1000;2000#flood http blathata.spb.ru#40#

again, this is an actual command from an actual botnet, and i recorded this command this morning. just like we do with IRC botnets, we capture malware, analyze where it would go, and then pretend to be it for weeks on end. in this case we have a URL to poll and some data to send to it to let the web server know that we're a bot.
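a parser for captured command lines like the two shown above, as an added example that is not bladerunner or any Arbor code: it turns the slide 7 IRC log and the slide 8 HTTP command into target records a tracker could alert on or pass to the affected network. the talk does not explain the numeric fields or the trailing "-s", so the fields are kept as opaque strings and "-s" is assumed to be a flag.

```python
"""Parse captured botnet attack commands into target records (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# constructed sample input: the IRC log lines and the HTTP command quoted in the talk
IRC_LOG = """\
Sat Dec 15 08:38:20 2007 .login hacker -s
Sat Dec 15 08:38:26 2007 .ddos.syn 195.117.245.117 21 800 -s
Sat Dec 15 08:38:32 2007 .ddos.udp 195.117.245.117 21 800 -s
"""
HTTP_CMD = "10;2000;10;0;0;30;100;3;20;1000;2000#flood http blathata.spb.ru#40#"

@dataclass(frozen=True)
class AttackCommand:
    seen: Optional[datetime]   # log timestamp; None when the capture carries none
    method: str                # "syn", "udp", "http", ...
    target: str                # IP address or hostname being attacked
    args: tuple                # remaining fields, deliberately uninterpreted

# "<timestamp> .ddos.<method> <target> <fields...>"; "-s" is assumed to be a flag
IRC_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                    r"\.ddos\.(?P<method>\w+) (?P<target>\S+)(?P<rest>.*)$")

def parse_irc_log(text):
    """One AttackCommand per .ddos.* line; .login and other chatter are skipped."""
    out = []
    for line in text.splitlines():
        m = IRC_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        fields = tuple(a for a in m["rest"].split() if a != "-s")
        out.append(AttackCommand(ts, m["method"], m["target"], fields))
    return out

def parse_http_cmd(cmd):
    """Split '<params>#<verb> <method> <target>#<n>#'; only verb/target are interpreted."""
    params, order, *tail = cmd.split("#")
    verb, method, target = order.split()
    if verb != "flood":
        raise ValueError(f"unexpected verb {verb!r}")
    extra = tuple(params.split(";")) + tuple(t for t in tail if t)
    return AttackCommand(None, method, target, extra)

def targets(cmds):
    """Map each distinct target to the set of attack methods commanded against it."""
    table = {}
    for c in cmds:
        table.setdefault(c.target, set()).add(c.method)
    return table
```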
you can read about this specific kind of bot - in this case the example i showed above was from a codebase called "Black Energy" - in a detailed report i put together in october: http://asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available/ i've been tracking about 50 of these botnets, and every day i catch one or two more to monitor. we work with our customers and the operator community at large to track these attacks and stop them.

[slide 9] on to the specifics of the estonian ddos attacks that occurred this spring. estonian politics this spring got very tense. briefly, estonia was a soviet republic up until the dissolution of the USSR. in the early 90's, estonia took bold steps to bring itself into the late 20th century and beyond, electing a new government headed by very young people. they invested heavily in technology and a free market, and in the past 15 years have become a fast growing part of the scandinavian economy. estonia also took great care to ensure that russians who live in estonia were a full part of society. i've always had a soft spot in my heart for estonia. first, it's highly wired (or wireless), with about 98% internet access throughout the country. secondly, i like the free markets they adopted, inspired by economist milton friedman. they're a success story there. finally, i learned about estonia in the mid 1980s through a composer, Arvo Pärt. in the intervening years i've made a few friends in estonia, but have yet to visit.

[slide 10] this spring in the parliamentary elections the issue of a statue put up by the russian army at the end of world war 2 came up. the statue commemorates the victory of the soviet army over the nazi army who had occupied estonia. some estonians, however, saw it as a sign of a new occupier. when they had the chance to move the statue, the new government took it. this set off riots in the streets by russians living in estonia and protests by the russian government.
this conflict appeared to have spilled online. politically motivated DDoS isn't new, and won't be going away any time soon. at the 2002 winter olympic games in salt lake city, for example, US short track speed skater apolo ohno won after the south korean speed skater was disqualified. we then saw a ddos attack from many korean computers against the olympic website as a form of protest. just earlier this week i blogged about russian and ukrainian ddos attacks. i saw signs that russian dissident sites were being targeted, including the website of garry kasparov. similarly, the pro-russian party in the ukraine, "the party of regions", was hit with a ddos attack.

[slide 11] on to the details of the estonia attacks. in the two weeks from may 3 to may 11 we saw about 128 attacks listed in ATLAS against estonia. the ddos events weren't spread out over just a few days, either. we saw most attacks peak on may 9, also known as "victory day" in the former soviet union (the day the soviet army defeated the nazi army in eastern europe).

    Attacks  Date
    21       2007-05-03
    17       2007-05-04
    31       2007-05-08
    58       2007-05-09
    1        2007-05-11

[slide 12] it turns out that not every destination was hit with the same intensity or number of attacks as others. some of the targets are pretty obvious and got repeatedly attacked, such as the ministry of finance, the parliament website, etc. others, such as the ministry of agriculture, didn't see so many attacks. here you can see the websites and addresses by how often they got attacked. unfortunately, i know that this isn't the complete list of targets, which you'll be able to see later. ATLAS doesn't have a complete view all of the time, but no one does.
    Attacks  Destination         Website
    35       195.80.105.107/32   pol.ee
    7        195.80.106.72/32    www.riigikogu.ee
    36       195.80.109.158/32   www.riik.ee, www.peaminister.ee, www.valitsus.ee
    2        195.80.124.53/32    m53.envir.ee
    2        213.184.49.171/32   www.sm.ee
    6        213.184.49.194/32   www.agri.ee
    4        213.184.50.6/32
    35       213.184.50.69/32    www.fin.ee
    1        62.65.192.24/32

[slide 13] here you can see the estonian parliament website. it's mainly used to communicate with the public about some of their activities. it does not appear to be the major nerve center for the estonian government; that is mostly hidden away.

[slide 14] this is one of the scripts we found on a russian language forum. in the messages, the authors were telling fellow board members to pound on estonia for its actions. they shared this script with them to help their PCs be a part of the attacks. as you can see, this is a ping flood loop against many sites in estonia. not all of these showed up in our analysis of measured alerts.

[slide 15] i pulled out the details of the attacks to look more closely at them. most of the attacks were ping floods, which is quite common in today's botnets. 115 of the attacks i analyzed were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods, meaning just normal traffic ramped up too high.

[slide 16] like most of the ddos events we measure around the world, the attacks on estonia usually lasted less than an hour. however, this belies the fact that the attacks kept on occurring. the longest attacks we saw lasted for about 10 hours or more.

    Attacks  Duration
    17       less than 1 minute
    78       1 min - 1 hour
    16       1 hour - 5 hours
    8        5 hours to 9 hours
    7        10 hours or more

[slide 17] when the duration data is added to the attack intensity data, an interesting facet emerges. first, most of the attacks fall in the range of 10 Mbps to 30 Mbps, which is pretty common for DDoS attacks across the internet. secondly, while these attacks top out at about 100 Mbps, that's all they needed to swamp estonian infrastructure.
these attacks were able to affect the estonian internet despite the fact that they are well within the "normal" range of most attacks we see.

    Attacks  Bandwidth measured
    42       less than 10 Mbps
    52       10 Mbps - 30 Mbps
    22       30 Mbps - 70 Mbps
    12       70 Mbps - 95 Mbps

[slide 18] earlier i said that in some russian language blogs and forums we saw authors encouraging others to launch these attacks. here is one such blog, a russian language blog on livejournal. we saw similar comments - and scripts - in various russian language forums.

[slide 19] here are some of those comments translated (poorly) into english. you can see that there is a lot of resentment against estonia for its actions by these authors. what we don't know is how independently these folks were acting. we don't know if they were sponsored or commanded by anyone else, including anyone associated with the russian government.

[slide 20] i had a chance to look at some of the raw data in the attacks. our systems normally summarize the attackers' locations, but here i had a chance to look at some raw flow data. i then graphed the sources for one of the attacks we measured. what was interesting was that they were spread around the world, but there were no forged addresses. this attack didn't utilize heavily spoofed addresses, telling me that we could start to identify if it was a botnet or something else. normally when a botnet forges addresses we see a lot of addresses that don't map back to a known country or network. that's because the process of forging the addresses inevitably chooses addresses that aren't assigned. we saw nothing of the sort here.

[slide 21] the data shown here, and data that i've had a look at thanks to friends and partners around the world, leads me to believe that at least two different types of attacks took place here, all coordinated. the first is that at least one botnet is involved in the attacks, although we haven't been able to recover any attack commands given.
the second appears to be related to the DOS BAT scripts that you saw earlier from the russian-language blogs and forums. about half of the attacks we measured aggregated to discrete networks, suggesting both geographic and network localization. the other half appeared to come from all over the internet, consistent with a large botnet. note that our data doesn't implicate anyone in the attacks, aside from the blog authors, and we don't know who they really are. i can't implicate or exonerate the russian government as some people claim.

[slide 22] this event got a lot of attention this year because it's a classic david and goliath story, and in the west (germany, the UK, france, and especially the US) russia is seen as growing in its belligerence in world politics. for these reasons a lot of people look at this event as a sign of russian willingness to bully smaller nations, and some look at it as a sign of the next wave of world war attacks. i don't know if that's the case, but we are seeing more politically motivated DDoS events, as i said earlier. i hope this talk has been interesting, and thanks again for your time.
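the two source-address checks described in slides 20 and 21, as an added example that is not part of the talk or of ATLAS: the spoofing heuristic (forged addresses land in space that no real bot could send from) and the localization measure (how many distinct networks the sources come from) that separates a dispersed botnet from a localized script wave. all samples and address ranges are constructed; the unroutable test is a portable lower bound for "does not map to a known network", which in practice also consults routing or RIR allocation data.

```python
"""Spoofing and localization checks on attack source addresses (added example)."""
import ipaddress
import random

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space, never a source on the open internet

def is_unroutable(addr):
    """True for addresses a real bot cannot have: private, reserved, multicast, loopback, etc."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified or ip in CGNAT)

def unroutable_share(sources):
    """Fraction of sources in unroutable space. real bots give ~0; uniformly forged
    32-bit addresses land there about 14% of the time, so a clearly non-zero share
    is the first sign of the forging the talk describes."""
    if not sources:
        return 0.0
    return sum(is_unroutable(s) for s in sources) / len(sources)

def prefix_dispersion(sources, prefix_len=16):
    """Distinct /prefix_len networks per source: near 1.0 means sources spread across
    the internet (botnet-like), near 0 means a few networks (localized)."""
    if not sources:
        return 0.0
    nets = {ipaddress.ip_network(f"{s}/{prefix_len}", strict=False) for s in sources}
    return len(nets) / len(sources)

# constructed samples, seeded so the results are reproducible
def sample_forged(n, seed=1):
    """Model of address forging: uniformly random 32-bit source addresses."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]

def sample_localized(n, seed=2):
    """Sources drawn from two constructed /16s, as a script wave from a few ISPs might look."""
    rng = random.Random(seed)
    bases = (ipaddress.IPv4Address("80.93.0.0"), ipaddress.IPv4Address("81.24.0.0"))
    return [str(rng.choice(bases) + rng.getrandbits(16)) for _ in range(n)]
```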