August 02, 2007 - LAS VEGAS - A series of online attacks that seriously disrupted Web sites belonging to several banking and government organizations in Estonia earlier this year may have been perpetrated by a loosely organized, politically motivated online mob, a security researcher suggested today at the Black Hat 2007 conference.

The attacks hold several lessons about how large-scale Internet attacks can unfold and the responses that may be needed to deal with them, said Gadi Evron, security evangelist for Israel-based Beyond Security. "The use of the Internet to create an online mob has proven itself and will likely receive more attention in the future," following the Estonia attacks, said Evron, who wrote a post-mortem report on the incident for the Estonian CERT.

The widely reported attacks in Estonia started in late April and crippled Web sites belonging to the Estonian government -- including that of the nation's prime minister as well as several banks and smaller sites run by schools. The online attacks are believed to have been triggered by the Estonian government's decision to relocate a Soviet-era war memorial in Tallin called the Bronze Soldier.

The decision sparked more than two days of rioting in Tallin by ethnic Russians as well as a siege of the Estonian embassy in Moscow. It also appears to have sparked an Internet riot aimed at the country's online infrastructure, Evron said.

Initial media reports suggested that the denial-of-service (DOS) attacks may have been organized by the Russian government in retaliation for Estonia's decision to move the statue. The reality, however, is that the attacks were carried on by an unknown number of Russian individuals with active support from security-savvy people in the Russian blogosphere. Evron said.

Many Russian language blogs offered simple and detailed instructions to their readers on how to overload Estonian Web sites using "ping" commands, for instance, Evron said. The bloggers also kept updating their advice as Estonian incident responders started defending against the initial attacks.

The attacks started with pings and quickly scaled up to more sophisticated attacks, including those enabled via botnets from outside Estonia. One attack was launched by a specially crafted botnet with targets hard-coded in their source, Evron said. Some bloggers attempted to collect money to hire botnets to launch attacks against targets in Estonia, Evron said.

The timing of the attacks, their scope and the sudden availability of botnets to aim at Estonian targets suggest that some level of organization was involved, Evron said. But there is no evidence to explain who was responsible.

Overall, none of the attack methods were new or sophisticated, Evron said. Neither were they particularly large as far as DOS attacks go, he said. But they were enough to seriously disrupt several services in what is a very Internet-dependent country. For instance, because bank sites were crippled, many citizens were unable to conduct ordinary transactions such as buying gas and groceries.

The attacks highlight several issues -- chief among them the importance of incident response, Evron said. When the attacks started, the Estonian responders first focused on the targets rather than sources. Filtering technology was used to throttle back on traffic aimed at target systems, which, at its peak, reached between 100 to 1,000 times the normal amount of traffic.

Quick decisions were made on which systems to protect first and all connections to those systems from outside the country were blocked. Efforts were also made to lure attackers to less critical systems and draw their attention way from the more important ones, Evron said.

The Estonian incident also showed how -- at least in that country's case -- "critical infrastructure" proved to be banking and private-sector companies, ISPs and media Web sites, not Estonia's transportation or energy sectors, Evron said.