From Cyberspace with Love
May 23rd, 2008 by John Gerber
April 26 was the 22nd anniversary of the meltdown at the Russian Chornobyl reactor. On this day, Radio Free Europe / Radio Liberty (RFE/RL) began its live Web report covering a rally of thousands of people, organized by the Belarusian opposition. The demonstration was to protest the government’s decision to build a new nuclear power station and the plight of uncompensated Chornobyl victims. What followed was a Distributed Denial of Service (DDoS) attack, flooding the Belarusian RFE/RL Web sites with up to 50,000 hits every second. Eight RFE/RL websites (Belarus, Kosovo, Azerbaijan, Tatar-Bashkir, Radio Farda, South Slavic, Russian, and Tajik) were knocked out or otherwise affected for almost two days. This effectively silenced the coverage. Two other Web sites were targeted in the same attack, belonging to the opposition groups Charter 97 and Belarus Partisan.
The next day, April 27th, marked the one year anniversary of the cyber attack on Estonia. The incident began when the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis. Gadi Evron, the former Israeli Government CERT manager who was in Estonia at the time of the attacks, has published an article titled, “Battling Botnets and Online Mobs” in the Georgetown Journal of International Affairs. Evron explains the attack:
Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure–or unwillingness–of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack.
In an attempt to deal with future attacks, seven NATO countries are backing the establishment of the Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Estonia. General James Mattis, NATO’s Supreme Allied Commander Transformation/Commander, at the signing ceremony stated, “The need for a cyber defense center to be opened today is compelling…It will help NATO defy and successfully counter the threats in this area.” The center will be tasked with conducting research and training on cyber warfare. The US showed its backing by agreeing to send an observer.
Cyber attacks are occurring in every country. Last month Chinese hackers called for a DDoS against CNN.com in retaliation for news coverage of Tibet protesters. The organizers felt the news coverage was skewed against China. The attack was reportedly called off because the amount of coverage of the approaching attack was expected to limit its effectiveness. Still, on the day of the planned attack, CNN was knocked offline for three hours. The Internet research website Netcraft reported, “CNN’s website suffered downtime within a three hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.”
Providing information on the scale of compromised servers, malicious attackers, and the spread of malware is the Shadowserver Foundation. The organization gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, spoke last week at the Asia Pacific Information Security conference (AusCERT2008). Additional presentations and interviews from the conference can be accessed through ITRadio. Below is a sample map showing DDoS attacks in 2007.
In the old days, countries controlled information by clamping down on the press and shutting down television stations. Pakistan attempted to exercise country-wide censorship in February, when the telecommunications ministry ordered access to YouTube blocked. According to Danny McPherson, Arbor Networks’ Chief Research Officer, in his posting “Internet Routing Insecurity::Pakistan Nukes YouTube?” Pakistan Telecom had three options:
- deploy access-control lists (ACLs) on all your router interfaces dropping packets to or from these IPs
- statically route the three IPs, or perhaps the covering prefix (208.65.153.0/24), to a null or discard interface on all the routers in your network
- employ something akin to a BGP blackhole routing function that results in all packets destined to those three specific IPs, or the covering prefixes, being discarded as a result of null or discard next hop packet forwarding policies, as discussed here
Pakistan Telecom selected option three. Because Pakistan Telecom’s BGP announcements offered very specific routes to what it declared were YouTube’s Internet servers, routers took them to be more accurate than YouTube’s own, less specific announcement. That data was supposedly accidentally shared with Hong Kong’s PCCW, who failed to validate the BGP data. PCCW then shared the data with other ISPs throughout the Internet. Believing Pakistan Telecom had better routes to YouTube, service providers started sending their YouTube traffic to Pakistan.
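To make the mechanics concrete, here is an added example (not from the post, Arbor Networks or any of the parties involved) that simulates longest-prefix-match route selection and the customer prefix filter an upstream like PCCW could have applied. Only 208.65.153.0/24 comes from the post; the covering /22, the host address, the origin labels and the registered allocations are assumptions.

```python
import ipaddress

# Constructed scenario: 208.65.153.0/24 is the prefix the article names; the
# covering /22, the address being looked up, and the origin labels are
# assumptions added for illustration, not figures from the article.
COVERING_PREFIX = "208.65.152.0/22"   # assumed less-specific YouTube allocation
HIJACK_PREFIX = "208.65.153.0/24"     # the more-specific route from the article

def best_route(announcements, dst):
    """Pick the route a router would use for dst: longest prefix match.

    announcements is a list of (prefix, origin) pairs. Among those covering
    dst, the most specific prefix wins regardless of who announced it, which
    is exactly why a stray /24 overrides the legitimate covering /22.
    """
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), origin)
               for p, origin in announcements
               if dst_ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, origin = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), origin

def filter_customer_routes(announcements, allowed):
    """The check the upstream (PCCW in the article) did not apply.

    allowed maps each customer origin to the prefixes it is registered to
    announce. Anything outside its registered space is dropped before it can
    be propagated to the rest of the Internet.
    """
    accepted = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        permitted = [ipaddress.ip_network(a) for a in allowed.get(origin, [])]
        if any(net.subnet_of(a) for a in permitted):
            accepted.append((prefix, origin))
    return accepted

# What the rest of the Internet saw, and what it should have seen.
ANNOUNCEMENTS = [(COVERING_PREFIX, "youtube"), (HIJACK_PREFIX, "pakistan-telecom")]
ALLOWED = {"youtube": [COVERING_PREFIX], "pakistan-telecom": ["203.0.113.0/24"]}  # assumed registrations

if __name__ == "__main__":
    host = "208.65.153.10"  # assumed address inside the hijacked /24
    print("unfiltered:", best_route(ANNOUNCEMENTS, host))
    print("filtered:  ", best_route(filter_customer_routes(ANNOUNCEMENTS, ALLOWED), host))
```

Run unfiltered, the lookup lands on the /24 from Pakistan Telecom; with the upstream filter in place the announcement never propagates and traffic follows the covering /22.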
McPherson spoke with ITRadio on the topic, “How to destroy the Internet.” In the interview, McPherson discusses what occurred in Pakistan and how, “the control path, in general, on the Internet (DNS and routing, in particular) are two of the most fragile pieces of the Internet infrastructure.”
Kimberly Zenz, Senior Threat Analyst at VeriSign iDefense, pointed out that times have changed and blocking a site at an ISP is an increasingly unreliable way of censoring the Internet. Bringing down a site with a DDoS or shutting down the Internet completely are more effective options. For example, faced with a major protest movement for the first time since 1990, the government of Myanmar cut off the country’s Internet access completely. The actions of the Myanmar government are not unique. The OpenNet Initiative (ONI) tracks Internet censorship with the aim “to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.” The site has an intriguing global filtering map and can provide valuable non-partisan information on Internet censorship throughout the world.
RFE/RL President Jeffrey Gedmin raises the concern that the number of cyberattacks will only increase, when he stated:
The Belarusians, the Iranians — they all have basically the same objective. They see free information — flowing information of ideas and so forth — as the oxygen of civil society. They’ll do anything they can to cut it off. If it means jamming, if it means cyberattacks, that’s what they’ll do.
Providing additional insight into the conditions that are helping foster hacking, Zenz was interviewed and presented at AusCERT2008. For additional information, Zenz co-authored with Eli Jellenc the fascinating report “Global Threat Research Report: Russia.” While the report is focused on Russia, the same conditions exist in many countries.
Remember the good old days when our view of hacking was mostly based on the movie War Games? Hackers were misunderstood high school kids who might break into a government site just for the thrill of it, or maybe to play games. Who can forget the famous line, “Greetings Professor Falken, Shall We Play a Game?” If you don’t recall the movie, or that line, you really need to work on your geek culture. While life and hacking may have appeared simple in those days, one cannot deny that today’s Internet offers the most interesting challenges. It is an exciting time to be a security monk. In the end, what’s not to love?

Hacking… I guess more people are getting into it as a profession now instead of just a hobby.