Security Watch : Don't get burned by viruses and hackers
Flash mob in Estonia
By Robert Vamosi 
Senior editor, CNET Reviews
August 10, 2007

Flash mobs may have been responsible for those denial-of-service (DoS) attacks in Estonia last May. So says Gadi Evron, security evangelist for Beyond Security, who gave a thorough presentation last week at Black Hat and then again at Defcon, recounting in detail the events surrounding the attack, some of which he experienced first-hand. Although he originally joked that the KGB was to blame--and quickly explained that the KGB no longer existed--Evron said he could not prove conclusively that the Russians were behind the events. Yet he did call it the first true cyberwar, if only in that the commerce and day-to-day functions of one country were interrupted significantly. Evron said we can all learn from what was done. Unlike the United States and many other countries, Estonia's 1.4 million people are among the most wired populations in the world, so for several days, ordinary people were unable to pump gas, buy bread, or pay their bills because of a nationalistic dispute with another country. And remember, this was just a small attack, a taste of what's to come.

A bloodless war
Back in April, the Estonian government announced a plan to move a statue and gravesites honoring Russian-Estonians who died fighting the Nazis. On Friday, April 27, Estonian officials relocated the Bronze Soldier, a Soviet-era war memorial, to a park outside the nation's capital. The decision provoked rioting by ethnic Russians. They took to the streets of the capital, Tallinn, in protest and blockaded the Estonian Embassy in Moscow. And in a rather unique way, a few even took their ire to the Internet.

Early on the morning of Friday, April 27, at 2 a.m., the first of many denial-of-service attacks started. By 6 a.m., the Estonian networks were up but straining under the increased load. Over a few short hours, Internet traffic into Estonia went up by as much as 1,000 percent. As the attacks continued into the next day, a Saturday, the government of Estonia realized this was not a normal DoS event. Even so, Evron said, the government officials decided to go home, go to bed, and resume work on Monday. But a mass e-mail stating "tomorrow is DoS day" was sent throughout Estonia over the weekend, and at 6 a.m. on Monday, April 30, Evron said, "all hell broke loose."

Effects of this new 'war'
Evron said that for the next two days, the Estonian parliament was unable to send or receive e-mail because of the increasing volumes of spam. Meanwhile, DoS attacks on local networks rose and fell over the next two weeks. "Suddenly, out of nowhere, a lot of folks started attacking Estonia." The operators of Estonia's networks struggled to keep the bogus, sometimes automated, traffic from clogging the local Internet, but the attacks kept changing, coming from different sources. At one point, compromised computers within Estonia contributed to the attack.

Afterward, Evron said there was some forensic evidence that suggested a part of this attack was organized. One example was the initial inciting spam. There was also at least one bot agent written specifically to wreak havoc over the first few days in May. In a previous interview, Dr. Jose Nazario told me that May 9 is a Russian holiday commemorating the defeat of the Nazis, so the peak Internet action against Estonia coincided with that. Throughout a two-week period, the rest of the traffic was apparently spontaneous. Typically during a DoS attack, ISPs collect individual packets, then filter against the bogus ones. In this case, the packets were all over the map, further suggesting a spontaneous action of many different people rather than an organized assault. That is why Evron refuses to accuse any one agency. He said, "Anyone pointing fingers is wrong."

CERT to the rescue
Evron flew to Estonia shortly after the crisis started to help the local Computer Emergency Response Team (CERT)--which consisted of exactly two people. Once it was apparent this was a major operation, Estonian officials kicked it up to CERT Bund in Germany, and ultimately to CERT FI in Finland for additional help and support.

Computer network specialists from many countries began assisting Estonia beyond politics, operating on the sheer need to keep the internal networks up and operational. "If we could take one lesson from the Estonia event," Evron said, "it is that Incident Response worked."

Other lessons learned
Estonia is a small country, so why the big deal? What's significant is that the denial-of-service attacks affected the Estonian economy. This wasn't just an attack on the government; it affected the average person on the street. Many Estonians rely on the Internet for basic services such as paying for food, water, and gas. With access to banks shut down, these services could not be paid for. "The more technology there is within a country, the more dependent the country is on technology," he said, "and therefore, the more vulnerable." He said the same applies to the Internet. What happened in Estonia, Evron said, could happen somewhere else, perhaps on a larger scale, in the future.

Evron said we also need to rethink what we consider our critical assets in light of this. "The critical infrastructure was not what we expected; it was (not the government, but) the private and business sectors." Evron said ISPs, banks, and even the media need to be protected against such attacks. The media, he said, are necessary to get information out in a time of crisis.

Are we likely to see this type of "warfare"--either sponsored or guerilla--in the near future? TalkBack to me.
