Cyber attacks happen all the time. As you read this, your organization’s web server is being probed for vulnerabilities by would-be attackers, and today you will be the target of phishing, spam and virus-laden emails.

The most challenging attacks on the Internet are distributed denial of service attacks (DDoS) in which thousands – or even millions – of computers team up with the aim of knocking a single target offline. The attacks typically are executed by botnets, collections of infected computers controlled by an unknown attacker.

In the past three years, cyber attacks have been directed at a number of countries, including Estonia, Georgia, Russia, South Korea, the United States and, most recently, Australia. Although these attacks are the most widely publicized ones to date, they have been relatively minor with no lasting damage. Nonetheless, they serve as valuable case studies to understand the targets, attack techniques, and response strategies for denial of service attacks.

Under attack
In May 2007, political tensions in Estonia with ethnic Russians sparked riots in the Estonian capital of Tallinn. These physical riots were quickly followed by three months of cyber riots. DDoS attacks started against Estonian government websites and subsequently affected banking and media websites. Fifty percent of electronic commerce transactions were cut off for a 90-minute period, a short-lived but notable impact, especially considering the use of the national identity smart card in paying for public transportation. The mobile phone system was affected where it interfaced with the Internet. However, critical infrastructure such as energy or military systems was not affected. While the attacks clearly emanated from Russia, it remains unknown whether they were sponsored by the Russian government or were the work of nationalistic vigilantes. During the attacks, the Russian blogosphere was active with frequently updated lists of targets and techniques.

A series of cyber attacks affected Georgian and Russian websites in the period leading up to and during the Georgian invasion of South Ossetia in August 2008. The attacks consisted primarily of defacements of government and media websites and denial of service attacks against government websites. There was little impact beyond the government’s inability to get its message out via the web. However, it marked the first time that cyber attacks corresponded to actual military attacks; future state-to-state military actions will likely involve cyber attacks as well.

A DDoS attack targeted government websites in the U.S. and South Korea in July 2009. The primary goal appears to have been disruption, but there was no major impact. Allegations that North Korea was behind the attacks have not been confirmed. The estimated number of computers involved in the attacks was 20,000 to 40,000.

In February 2010, websites of the Australian government and parliament were vandalized and knocked offline by members of an online protest movement called “Anonymous,” objecting to the government’s Internet censorship plans.

While these reported attacks have been the most significant to date, they were cyber nuisances, not cyber warfare. A serious cyber attack would have effects equivalent to physical sabotage: interruption of electrical or fuel transmission, disruption of financial systems, loss of data, or compromise of military control systems.

Major military powers have been developing their cyber warfare infrastructure and are likely capable of cyber attacks of this magnitude. Non-state actors, such as criminals and terrorists, still lag in their ability to effect such powerful attacks, according to a report by the Center for Strategic and International Studies.

Band of bots
In all denial of service attacks, botnets play a major role. A botnet is a distributed collection of several hundred or several thousand computers (bots) under the control of a single entity. The majority of bots are home computers on broadband Internet connections, compromised by viruses, malware, or other hacking methods. Computers can be infected by unwitting installation of malicious software, such as browser toolbars or video codecs, or by exploiting software vulnerabilities – out-of-date web browsers and PDF readers are the popular targets. Bots can easily evade virus scanners, and computer owners are often unaware they have been compromised.

A sophisticated underground economy for botnets has developed, competing on features such as number of bots, maximum attack bandwidth, geographic location, and attack techniques. Pricing for botnets is hard to verify, but some reports suggest a going daily rental rate of $200 for 10,000 bots. When botnets are not being directed against a particular target, they attempt to infect new computers and grow the botnet.

Because of the distributed nature of the Internet, it can be hard to isolate an attack and even harder to identify the attacker controlling the botnet. If bots are located in the same country as the target, stopping an attack is not as simple as cutting off connections with the rest of the world: for example, when botnets from outside Estonia were cut off, botnets inside the country were activated to continue the attack. Although there must be some person somewhere controlling the botnet, the control infrastructure is often distributed as well, making use of additional compromised computers as control servers with advanced self-defence techniques. Multiple levels of redirection and encryption quickly obscure the true source of an attack.

Crisis response
Attacks from distributed computers against multiple targets require a coordinated multi-party response. Many countries have a national computer emergency response team (CERT). In Canada, the Canadian Cyber Incident Response Centre, part of the Government Operations Centre in Public Safety Canada, plays this role.

On a day-to-day basis, these organizations provide information on significant computer threats, vulnerability reports, and software updates, and receive reports of cyber attacks from organizations throughout the country. During a significant cyber attack, they coordinate the national response and facilitate communication between businesses and government agencies.

Effective crisis response requires open communication between affected parties, but for many parties involved – especially private businesses – there are significant disincentives for disclosure, even during attacks. Companies may fear that too much disclosure informs competitors of internal business processes or that such disclosures may lead to legal liability.

For these reasons, an essential task of CERTs during non-attack scenarios is establishing relationships with partners. CERTs also need to establish multiple out-of-band communication methods, since attacks may disrupt traditional communication channels like email, the public web, or even mobile phone and telecommunications networks.

National response teams can also have the force of law behind their actions, expediting domestic information collection and response. However, most cyber attacks involve a significant international component, and the legal force of a national CERT rarely extends beyond the country’s borders. A national CERT cannot force an ISP in another country to employ filtering or disclose information about attacking computers; it has to rely on the good will of peer organizations.

This dependency can be helped by building trust, but formal arrangements among allies will become increasingly important if national entities are to respond effectively to internationally distributed cyber attacks.

Douglas Stebila is a researcher in the Information Security Institute at the Queensland University of Technology in Brisbane, Australia and is part of a research project on protecting critical infrastructure from denial of service attacks funded by the Australia-India Strategic Research Fund (douglas@stebila.ca).