Monday, December 7, 2009

Review: Jose Nazario on Political DDoS Attacks

Time for another review. This time it is Jose Nazario's CWCON paper called "Politically Motivated Denial of Service Attacks." He is looking at DDoS as one of the more visible and popular cyber attack forms and is limiting his sample to the ones with a political motivation (vs the standard criminal motivation - money).

NOTE: The final published version of this paper was accepted after the conference so it includes some more recent examples.

His research is based on data from three sources: the ATLAS project at Arbor Networks (ATLAS collects data from sensors to provide an overview of the more visible cyber campaigns), infiltrated botnet C&C servers, and Border Gateway Protocol (BGP) routing data.

He starts out with a little overview of major political DDoS campaigns of the past, covering the following events:
  • 2001 Hainan Island incident
  • 2007 Estonia campaign
  • 2008 China v CNN campaign
  • 2008 Georgia campaign
  • 2008 Burma
  • 2007 elections in Russia
  • 2008 Radio Free Europe campaign
  • 2008 anti-NATO campaign in Ukraine
  • 2009 MSK forum DDoS in Kazakhstan
  • 2008 DDoS-censoring of Russian opposition websites
  • 2009 Israel v Gaza/Hamas
  • 2009 Kyrgyzstan - a false positive?
  • 2008 Kommersant DDoS
  • 2009 Kazakhstan opposition sites under DDoS
  • 2009 South Korean/US campaign
It is noticeable how most of these events are named after the target only. In history, conflicts are usually named after both/all participants, or at least the participants are known. In cyber conflicts, however, it seems to be the norm that the aggressor remains anonymous. Even if all the circumstantial evidence and opinions point against one entity, rarely is there enough proof to attribute the attack in court.

He continues by describing the attacker type that seems to be behind most of the attacks listed. In general, the attackers are "classic right-wing" supporters of the government, targeting internal or external opposition. He also writes about using propaganda to recruit supporters for a cyber campaign and then training them online - a basic ad-hoc cyber militia. What the militia cannot achieve with finesse and expertise, it makes up for in numbers (DDoS).

He points out that the classic goals of such attacks are to punish the target, to show dissent, or to censor the target (especially true for attacks against news outlets and opposition parties). He gives examples of partial attribution: the Nashi youth group in Russia, the Chinese Honker Union and StopGeorgia.ru. Note that in all these cases the attackers themselves made the claim - nothing has been proven in court (as far as I know).

He reviews some broad responses to the cyber campaigns listed and finishes with recommendations:
  • harness public support and international cooperation
  • deploy available commercial tools
  • be open to commercial offers to help
  • develop a more efficient decision making process
  • delegate authority
  • consensus is sometimes not necessary
In conclusion, he also points out that we need to study guerrilla and asymmetric warfare in order to succeed on the cyber battlefield.

The paper has numerous examples from recent years and thus gives a good overview of the extent of the problem. However, the examples have differing levels of detail (often too vague) to be of much help when researching a specific case. I would have expected a more detailed analysis of a limited number of campaigns. As always, read the paper for full value.
