Radio Free Europe Distributed Denial of Service Attack
Just got a hold of this blog posting from Arbor Networks security expert, Dr. Jose Nazario… It seems that the latest target of the “DDoS as a political statement” movement may be Radio Free Europe/Radio Liberty. News about the attacks has surfaced online, including this source: RFE/RL Websites Hit By Mass Cyberattack, via the Radio Free Europe/Radio Liberty website
The attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites. Within hours, eight RFE/RL websites (Belarus, Kosovo, Azerbaijan, Tatar-Bashkir, Radio Farda, South Slavic, Russian, and Tajik) were knocked out or otherwise affected.
The “denial-of-service” (DOS) attack was intended to make the targeted website unavailable to its users, according to RFE/RL’s Director of Technology Luke Springer. “The way this is normally done is by flooding the target website with fake requests to communicate, thereby using up all [the website’s] free sources and rendering the site useless to all the legitimate users,” Springer said.
RFE/RL has taken countermeasures and restored full service to most of its Internet sites. The primary target, the Belarus Service, is still affected.
Shades of Cold War activities here … During the Cold War, the Soviet Union and other members of the Warsaw Pact regularly jammed RFE/RL’s signals. [RFE/RL History].
Motivations are likely to be political, as other reports indicate, as RFEL tries to use the airwaves to spread information sometimes counter to the official line offered by the audiences’ political bodies. Via the Register (see the link below), some folks are pointing the finger at the Belarus government:
RFE provided no solid evidence, but said the Belarusian government was most likely behind the attacks. The Belarusians “see free information - flowing information of ideas and so forth - as the oxygen of civil society,” RFE President Jeffrey Gedmin said. “They’ll do anything they can to cut it off. If it means jamming, if it means cyber attacks, that’s what they’ll do.”
The data we have does not point to anyone in particular, especially a government, but we do have evidence that shows that a Russian-language DDoS botnet is at least partially responsible for the attacks. The botnet targeted four somewhat related sites:
svaboda.org, what appears to be a Belarusian language RFEL site; I am unable to translate the content of the site and cannot figure out what specifically upset someone
charter97.org, an English language news site about political activities in Belarus
legis-group.ru, a Russian-language site
and compromat.net, a Russian language news site
All of the attacks that we logged occurred within a short time frame on April 26. We’ve been in contact with various Internet security teams with details about these attacks.
Other reports around the net include:
Chernobyl coverage blows up in Radio Free Europe’s face, in The Register
Radio Svaboda site is unavailable for two days, via Charter ‘97
US radio websites in Eastern Europe hit by cyberattack: bosses, via AFP
While some reports indicate that this attack was carried out by political agents, we have no evidence of that, just info about the tools and botnet behind the attack. The Estonia example should show you how difficult it is to tie some of these attacks down to specific individuals and why it’s important to not jump to conclusions.
This very topic - politically motivated DDoS attacks - is something I’ll be delivering in an invited talk at Usenix Security in the Bay Area this year. I’m honored to be asked to talk and I hope to see you all there later this year.
Check out his blog at: http://asert.arbornetworks.com/