Tuesday, May 29, 2007

This is not cyber-warfare

Former Soviet republic Estonia has been under constant cyber-attack since it removed a Russian statue a month ago. Estonia claims that the attacks are from the Russian government. Journalists love the story and have been blindly repeating it, such as John Markoff reporting: "In Estonia, what may be the first war in cyberspace.

This is not the first such incident in cyberspace. Such incidents have been going on all the time. For example, two years ago when a Japanese prime minister offended China and South Korea by visiting a shrine containing the remains of convicted WW II war criminals. Along with street protests, there were extensive cyber-attacks against Japan sites from Korea and China. Back in 1999, while opponents to the WTO (World Trade Organization) were in the streets demonstrating against their meeting in Seattle, hacktivists were conducting a "cyber sit-in" against their website. This involved running JavaScript that would cause a user's browser to regularly refresh their homepage. Hacktivists have since used such sit-ins successfully in protests against oil companies, animal testing companies, and financial firms.

Like the attacks against Estonia, these attacks in cyberspace coincided with physical protests in the streets. Russia has an unusually large hacking underground with many people controlling large botnets. Any issue that brings Russian protests to the streets is therefore almost certain to bring with it DoS attacks. Thus, using Occam's Razor, it's unreasonable to believe that the Russian government itself had any direct influence on the cyber-attacks.

This story reflects the general paranoia of the Internet. Whenever anything happens, people seek to uncover the "plan" behind it. In reality, most bad things that happen on the Internet occur by happenstance, without any plan or conspiracy behind them.

An example of this is the Slammer worm of 2003. It hit South Korea especially hard. This is likely due to the fact that South Korea had unusually high bandwidth, and an unusually high percentage of vulnerable servers. There is absolutely no evidence that they were targeted by the worm, yet many in South Korea still believe the worm targeted them. Another example is the Witty worm of 2004. It hit the US military hard. This was due to the fact that the military controls the largest block of the world's IP address space and monitored it with vulnerable promiscuous systems. There is no evidence that they were targeted by the worm, but most people believed that the Army was the target.

Unfortunately, "happenstance" is not a legitimate story angle that reporters can report on. It's always something like "is this cyberterrorism" or "is this cyberwarfare".

EDIT: I just noticed this story on Slashdot, where the awesome guys at Arbor describe their analysis. They point out a few other examples, such as cyberattacks from Korea protesting a decision by an Olympic judge against a Korean athlete. Another example was a nationalistic cyberattacks traded between Packistan and India. Again, these incidents show evidence of popular protest rather than government directed cyberwarfare.

EDIT: Here's a link from Ars Technica that refuses to give up on the cyberwar theory.

4 comments:

dre said...

yet some attacks were/are real cyberwarfare.

would you believe that Code Red (the original) was an attack by the Chinese government/military targeting the US DoD? if the BGP DFZ were to have injected a 0/0 route during the initial release of the worm in order to capture leaked traffic, would you believe it then?

superficial attacks can provide a mechanism to conceal a larger, more targeted attack, so they should be handled in-depth just like any other incident

Unknown said...

Allen Wilson of SecureWorks was inteviewed regarding the Estonian DDoS attacks on CNN Headline News w/ Glen Beck last night around 7:30p EDT. He attempted to address the media-generated FUD, but Glen Beck is a complete moron so it was a challenge...

David Maynor said...

Come on, its CNN...

James Voorhees said...

Occam's razor may not apply when it comes to the activities of the Russian government. We don't know whether the government is behind the attacks, though reportedly many Estonians are convinced and the Estonian government is strongly convinced. But a government that, it appears, kills dissenters abroad and dissenting journalists at home would be quite capable of organizing a politically beneficial DDoS attack on a neighbor. The evidence is no conclusive in any of these cases and the denials of the Russian government are firm. Yet the coincidences have multiplied, so that is not unreasonable to conclude, as Russians would say: "ne sluchaino"--It is no accident.