- 19.09.2008: NSP-SEC Conference - Rotterdam, Netherlands
- 18.09.2008: Geographically Identifying SSH Brute Force Attacks
- 17.09.2008: GOVCERT.NL Conference - Rotterdam, Netherlands
- 16.09.2008: GOVCERT.NL Conference - Rotterdam, Netherlands
- 12.09.2008: Internet Security Operations and Intelligence (ISOI5) Conference - Tallin, Estonia
- 11.09.2008: Internet Security Operations and Intelligence (ISOI5) Conference - Tallin, Estonia
- 06.09.2008: Atrivo/InterCage - Malware Haven
- 05.09.2008: Shadowserver Bot Count Charts
- 13.08.2008: Georgian Attacks: Remember Estonia?
- 12.08.2008: See below.
- 11.08.2008: Georgian Websites Under Attack - DDoS and Defacement
- 20.07.2008: The Website for the President of Georgia Under Attack - Politically Motivated?
- 18.07.2008: SQL Injection List Format Update
- 05.07.2008: SQL Injection, Redirects and Drive-By Downloads, Oh My...
Tuesday, 12 August 2008
Georgian Websites Under Attack - Don't Believe the Hype
In his post Georgian Websites Under Attack - DDoS and Defacement, Steven reported on the distributed denial of service attacks that we have seen against several Georgian websites. Since that time, there have been numerous news articles and much speculation about who is behind the DDoS attacks. Many outlets are claiming that the Russian government is behind the attacks, but no one seems to have any proof.
Unfortunately, we have no proof either. And we have no proof to the contrary. What I can say, without a doubt, is that only the perpetrators know for sure who is behind it. At this point, everyone is speculating on who is behind the denial of service attacks. With that in mind, I'll offer a few more facts of what we do know, and offer my own personal opinions.
First, as Steven mentioned, we have seen at least six different C&C servers involved in the latest round of attacks. We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we've tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn't seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don't strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:
- Adult video websites
- Prostitution websites
- White supremacy websites
- Carder websites (sites that trade in stolen credit card numbers)
- Online gambling websites
- Virtual currency websites (think PayPal, but not nearly that legitimate)
- Russian news websites
- Random Russian websites
- Many other websites
I just do not see why a government entity would attack those types of websites. Now, what does seem to be the case is that some number of these botnets are either "DDoS for hire" or "DDoS for extortion" services. The pattern of the sites that attack is reasonably regular, and it's rare to see them go after a non-commercial site of some sort.
The other speculation is that this is somehow related to RBN. Again, nobody has any proof of that, including me. I'm in the camp that thinks RBN was nothing more than a hosting provider who provided "bullet-proof" hosting. I don't think they, themselves, were posting malicious websites or posting child pornography. They hosted it, for sure, but that's all they did. So, I also don't think RBN (or whatever they became after being shut down) is actively attempting to deny service to anyone.
Who's behind the Georgian DDoSes? It's impossible to be sure, but it really just looks like a bunch of "patriotic" operators inside Russia. It's not Russia itself and it's not RBN.
=>Posted August 12, 2008, at 08:57 PM by Mike Johnson