FRAMINGHAM – In recent days, news and government Web sites in Georgia have suffered DDoS (distributed denial of service) attacks. While these attacks seem to indirectly affect the backbone of the Georgian Internet, it is still there.
News reports popped up everywhere, along with supposedly informed technical analysis, claiming anything from the Georgian Internet routes being hijacked to Russia launching a cyber offensive, but with little proof. Let’s try to understand what is really happening over there, and what it means.
1.) There are botnet attacks against Georgian Web sites.
2.) These attacks affect the Georgian Internet infrastructure indirectly, due to the mass of traffic sent, but the Internet is still very much there.
3.) Some Georgian Web sites have been defaced with political statements.
4.) Unrelated, a media war is being fought.
Up to the Estonian war, such attacks would be called “hacker enthusiast attacks” or “cyber terrorism” (of the weak sort). Nowadays any attack of a political nature seems to get the “information warfare” tag. When 300 Lithuanian Web sites were defaced last month, “cyber war” was the buzzword, even though it ended up being an internal Lithuanian matter.
Running security for the Israeli government Internet operation and later founding the Israeli government CERT [Computer Emergency Response Team], I found that such attacks were routine. Seeing the panicked reaction this type of attack has generated seems quaint from my perspective.
Not all fighting is warfare. While Georgia is obviously under DDoS attacks that are political in nature, it doesn’t so far seem different from any other online aftermath by fans. Political tensions are always followed with online attacks by sympathizers. DDoS attacks harm the Internet itself rather than just this or that Web site, which often requires some of us in the vetted Internet security operations community to get involved in mitigating the attacks, if they don’t just drop on their own. Our purpose is not to get involved in any local situation, but rather to preserve our common global critical infrastructure – the Internet.
Could this somehow be indirectly related to Russian military action? Yes, but there is no evidence to indicate it is the case as of yet. If anything, the opposite seems likely at this point in time.
Food for thought: Considering Russia was past playing nice and used real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically. At this point, Internet operations will no longer allow them any plausible deniability.
The nature of what’s going on is just starting to clear up, but until we are certain anything state-sponsored is happening on the Internet it is my official opinion this is not warfare, but just some unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters.
To be honest here, no one truly knows what’s going on in Georgia’s Internet except for what can be glimpsed from the outside, and what has been written by the Georgians on their blog (they opened a blog on Google’s blogger service soon after their websites were taken offline). They were probably a bit busy avoiding getting killed by Russian bombs, though.
Renesys has been following the Georgian Internet links, which seem to be there, but occasionally drop due to power failures. Unlike what was previously reported, most of Georgia’s outgoing routes are connected through Turkey rather than Russia, so Russian Internet service providers had little effect on stopping or hijacking connectivity to or from Georgia, if they indeed attempted it. This, however, raises an interesting question regarding what connectivity smaller countries have to the world, and where the bottlenecks are.
There have also been claims that Russian Business Network (RBN) – a criminal bullet-proof, law-proof, hosting organization – was behind the attacks. There is little evidence to support that at this time, although it has been clearly shown botnets using RBN’s services to stay beyond the reach of the law were part of the attacking force. RBN’s involvement and the possibility that Russian Internet service providers hijacked routes to Georgia is possible, but not enough information has been collected yet for us to be sure.
So it is clear their Web sites are under attack, and that Internet visibility-wise, the impact is real for the Georgians. And yet, it is simply too early and there is not enough information to call this an Internet war. It is too early to establish motive or who the perpetrator is, however much we may want to point fingers.
Following any political or ethnic tension, an online aftermath comes in the form of attacks, defacements, and enthusiast hackers swearing at the other side (which soon does the same, back). From a comic of the Prophet Muhammad to the war in Iraq, the Internet has given people a voice, even if sometimes expressed in irrational ways.
While Georgia’s suffering is real, such attacks are nothing but routine here in Israel. When I ran the defense for the Israeli government Internet operation and then the Israeli government CERT, such attacks would occur daily if not by the minute. Hackers on the other side would band together, talk, coordinate a date, exchange tools, and attack.
In fact, I unintentionally started bigger so-called “wars” on my own when talking to the Israeli press. One such example was three years ago when 180 Israeli Web sites were defaced by unaffiliated Turkish hackers. Enthusiasts responded to the news story in comments and then attacked the “other side.” I learned to avoid the press on such matters.
While I apologize for the analogy, after 9-11 Israelis were shocked. We were sympathizing, emphasizing and crying for the victims. What we did not understand was why people were still shocked 10 minutes past, as this was a normal every-day life happening for us over here. The same applies for cyberspace, where we have gotten used to this.
The difference in this attack was that the Georgian authorities, like numerous others around the world, were not prepared to fend off such an attack.
In my article “Battling Botnets and Online Mobs” for the Georgetown Journal of International Affairs coverage of the Internet war in Estonia, I quoted Martin van Creveld who predicted how our opponents will no longer be just countries, but organizations, decades ahead of his time. It is my stated belief that on the Internet playing field any individual or loosely affiliated group can be that player in an information warfare scenario.
How will we be able to tell if Russia was somehow sponsoring these attacks? If we end up suspecting it as likely, we probably would still never be able to know with complete certainty. That does not mean Russia won’t make use of these attacks to their benefit. In the aftermath of the Estonian war, Russia used the incident to create a stronger deterrence against the former Eastern-block nations, affecting international politics and the security of the region.
One claim which has been made is that these botnet attacks against Georgia had been staged for a while before the attacks. Shadowserver, as one reliable source, released information that shows how DDoS attacks are a regular occurrence, world-wide, and that attacks against Georgian Web sites before the military engagement in the field in recent days were not necessarily relevant, as sites which were attacked ranged from gambling to pornography rather than political targets.
If it indeed isn’t Russia, who attacked is a much scarier notion as that means this was all done by kids (read amateurs). Other seemingly unaffiliat