How an Online Mob Crippled a Nation


Gadi Evron, an Israeli security expert, went to Estonia last spring to help out when that country's Web sites came under denial-of-service attack from botnets. The trigger was the Estonian government's relocation of a Soviet war memorial commemorating the defeat of the Nazis, which set off what has since been called the first cyberwar. (A good chronology is here, at The New York Times.)

For years, Evron has rallied the security community to fight botnets. He shared his observations about Estonia at the Black Hat security conference this week. He believes the attackers were Russian (or Russian-speaking Estonians), but not the Russian government.

- Russian-speaking bloggers urged readers to attack Estonian Web sites, posting target URLs and instructions for pinging the sites over and over by repeatedly striking a key, so that many individual users added up to an online mob. "It's brilliant," Evron said. "You get other people to do your work for you."

- The attacks escalated over a few weeks: first a series of pings, presumably from Russians pecking at their keyboards; then a couple of short botnet attacks; finally a full-scale botnet attack that lasted 24 hours. Before that last attack, bots appeared inside Estonia itself, which Evron takes to mean that someone had gone to the trouble of infecting Estonian computers. The target was hard-coded into the bot's source code. A PayPal solicitation raising money to hire a botnet against Estonia had also appeared.

- The biggest of the botnet attacks was relatively small by world standards but was just big enough to take down Estonia.

- Estonians were more vulnerable to the attacks than others. Unlike most Americans, they routinely bank online, get updates from their children's teachers online, and carry ID cards with PKI chips. They're more advanced than Americans on the technology front, but were also more exposed when the services they depend on came under attack. People had trouble buying staples--milk, bread, gas--because card payments stopped working. "Progress is good, I love the Internet," Evron said. "But what about resilience and fallback?"

- One contributor to the outages was not an attacker at all but a misconfigured router. "There doesn't always need to be a bad guy," he said. "Don't always look for malice."

- What had to be protected during the attack--the critical infrastructure--was different from what many Americans would guess. It wasn't transportation and energy systems, Evron said--it was ISPs, banks, media Web sites, "the Internet itself."
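The escalation Evron describes, from a crowd of volunteers hitting keys to a botnet with a hard-coded target, changes what a defender sees in the logs: a "mob" shows up as a great many sources each sending a little, a botnet attack on one site as a few sources sending a lot. The script below is an added illustration, not code from Evron's talk or from this post. It parses Common Log Format lines, counts requests per source, and applies a simple heuristic label; the log lines are constructed inline, and the thresholds (top three sources carrying half the load, twenty distinct sources) are assumptions, not figures from the Estonian incident.

```python
"""Shape of an HTTP flood: many light sources versus a few heavy ones.

Added illustration only. Log lines are constructed; thresholds are assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Leading fields of an Apache/nginx "common"/"combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def summarise(lines, top_k=3):
    """Per-source request totals plus the share of all requests sent by the top_k sources."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec[0]] += 1
    total = sum(counts.values())
    top = counts.most_common(top_k)
    top_share = sum(n for _, n in top) / total if total else 0.0
    return {"total": total, "sources": len(counts), "top": top, "top_share": top_share}


def flood_shape(summary, hot_share=0.5, crowd_min_sources=20):
    """Heuristic label with assumed thresholds:
    'concentrated' when the top few sources carry most of the load (a handful of
    hosts or bots), 'distributed' when the load is spread over many sources (a
    crowd of individual users), 'quiet' otherwise."""
    if summary["total"] and summary["top_share"] >= hot_share:
        return "concentrated"
    if summary["sources"] >= crowd_min_sources:
        return "distributed"
    return "quiet"


def make_log(per_source, path="/"):
    """Build constructed CLF lines from {ip: request_count}, one second apart."""
    start = datetime(2007, 5, 1, 22, 0, tzinfo=timezone.utc)  # arbitrary date
    lines = []
    for ip, n in per_source.items():
        for i in range(n):
            ts = (start + timedelta(seconds=i)).strftime(TS_FMT)
            lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return lines


# Constructed samples (documentation ranges): forty hosts each refreshing five
# times, versus ten ordinary visitors plus three hosts hammering the same page.
MOB = make_log({f"198.51.100.{i}": 5 for i in range(1, 41)})
BOTS = make_log({**{f"203.0.113.{i}": 2 for i in range(1, 11)},
                 "192.0.2.10": 200, "192.0.2.11": 180, "192.0.2.12": 150})

if __name__ == "__main__":
    for name, log in (("mob", MOB), ("bots", BOTS)):
        s = summarise(log)
        print(name, flood_shape(s), s["sources"], "sources, top:", s["top"])
```

The label is only a first cut: a large botnet can also look "distributed", and the misconfigured router Evron mentions would produce a flood with no attacker behind it at all, so the per-source table is a starting point for investigation rather than a verdict.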