Radio Freedom: Yet Another DDoS Attack
April 28th, 2008 — By Supranamaya Ranjan
This must be the summer of geo-politically motivated Distributed Denial of Service (DDoS) attacks. We are close to the one-year anniversary of the first cyber-war against the Baltic republic of Estonia. Last week CNN was DDoS’ed by supporters of a pro-China group called Revenge of the Flame. And in the course of all this, a bystander sports site, Sports Network Management, whose only misfortune was having the string ‘cnn’ in its web address while not being affiliated with CNN at all, also got DDoS’ed. To top it all, in apparent retaliation, one of the sites behind the patriotic drive sweeping China, Red Heart China Signature (www.5sai.com), got DDoS’ed by a group of IP addresses located in Europe.
Close on the heels of all these intense attacks and counter-attacks, we hear of yet another. Various news sources are reporting that Radio Free Europe’s Belarus site was DDoS’ed this weekend, starting April 26. The radio station was going to cover mass protests in Minsk, Belarus, marking the anniversary of the Chernobyl disaster, and had planned to direct people to its website for pictures, videos and other coverage. However, much to their dismay, the site was totally inaccessible for two days and two nights under a massive DDoS storm. According to the RFE/RL Belarus Service Director:
“There was not much we could do because at this moment we also lost e-mail communication and Skype communication with Belarus. As we found out later, the attack was so massive that the firewall that protects Radio Free Europe went down. And a number of other [RFE/RL] sites went down as well.”
These attacks set a scary precedent: political agendas can very easily find expression in online hacks and attacks. Even scarier is the fact that the exact perpetrator of a DDoS attack can be very difficult to pinpoint, especially if the attack was launched by a botnet.
Let alone the identity of the attacker, it can sometimes be incredibly difficult even to find the attacker’s location. In these geo-political attacks, claims are often made that the attack was launched from a certain country or region. A case in point is the reports suggesting that the DDoS attack on Red Heart China Signature was launched from Europe. The picture could be completely different, however: those 4 European IP addresses may only have been used as frontmen for the attack, while for all practical purposes the actual attacker could be somewhere in Antarctica, controlling those 4 machines.
The point, then, is that for detailed and accurate forensics of this sort, Managed Security Services provided by ISPs are better placed than an edge-security solution installed at the web site itself. Web server logs of the victim site can only identify the frontmen of the attack. ISPs, by contrast, can not only detect that a DDoS attack is underway and alert the web site, they can also correlate traffic to identify who else the attackers talked to, and potentially determine the botnet controller or the real perpetrator of the attack.
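The correlation step described above, as an added example that is not part of the original post: from constructed NetFlow-style records as an ISP might hold them, first pick out the sources flooding the victim (the only thing the victim's own web logs would show), then look for an off-net host that all of those sources contacted, which is a candidate controller worth investigating. The addresses, ports and thresholds are made-up illustrative values.

```python
from collections import Counter, defaultdict

# Constructed flow records (src, dst, dst_port, packets); the 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation addresses, not real hosts.
VICTIM = "198.51.100.10"
FLOWS = [
    # four "frontmen" flood the victim's web server
    ("203.0.113.11", VICTIM, 80, 52000),
    ("203.0.113.12", VICTIM, 80, 48000),
    ("203.0.113.13", VICTIM, 80, 51000),
    ("203.0.113.14", VICTIM, 80, 47000),
    # a legitimate visitor
    ("192.0.2.77", VICTIM, 80, 12),
    # each frontman also talked to the same off-net host (candidate controller)
    ("203.0.113.11", "192.0.2.200", 6667, 40),
    ("203.0.113.12", "192.0.2.200", 6667, 38),
    ("203.0.113.13", "192.0.2.200", 6667, 41),
    ("203.0.113.14", "192.0.2.200", 6667, 39),
    # unrelated chatter that should not be flagged
    ("203.0.113.11", "192.0.2.9", 443, 5),
    ("192.0.2.77", "192.0.2.9", 443, 7),
]

def detect_flood_sources(flows, victim, packet_threshold=10000):
    """Sources whose packet count towards the victim exceeds the threshold: the frontmen.
    This is all a web-server-side view can yield."""
    per_src = Counter()
    for src, dst, _port, pkts in flows:
        if dst == victim:
            per_src[src] += pkts
    return {src for src, n in per_src.items() if n >= packet_threshold}

def correlate_common_peers(flows, sources, victim, min_fraction=1.0):
    """Hosts (other than the victim) contacted by at least min_fraction of the flood
    sources. Only an ISP vantage point sees these flows; a peer shared by all the
    frontmen is a candidate controller, not proof, and needs further investigation."""
    peers = defaultdict(set)
    for src, dst, _port, _pkts in flows:
        if src in sources and dst != victim:
            peers[dst].add(src)
    need = max(1, int(round(min_fraction * len(sources))))
    return sorted(dst for dst, talkers in peers.items() if len(talkers) >= need)

if __name__ == "__main__":
    frontmen = detect_flood_sources(FLOWS, VICTIM)
    print("flood sources:", sorted(frontmen))
    print("candidate controllers:", correlate_common_peers(FLOWS, frontmen, VICTIM))
```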