Political cyberattacks to militarize the Web

DDoS attacks can silence government critics and stymie opposition

Governments looking to silence critics and stymie opposition have added distributed denial-of-service (DDoS) attacks to their censoring methods, according to a security expert speaking at the Source Boston Security Showcase.

As the use of DDoS for political gains increases, expect the Internet to become more militarized, said Jose Nazario, senior security researcher at Arbor Networks Inc., in an address on Wednesday.

"I don't think anyone is going to die because of these attacks, or a phone won't work, but it is early," he said, noting that other weapons have evolved from less-harmful initial forms.

In DDoS attacks, botnets (groups of compromised computers used for malicious purposes) attempt to connect en masse to a victim's Web site. The server hosting the site is unable to respond to the abundance of communication requests and shuts down or returns pages so slowly that the site is essentially inaccessible.

"The premise is to aggregate bandwidth and knock an adversary offline," said Nazario.

Nazario discussed how major international political situations spawned DDoS attacks. Unsuccessful DDoS attacks were launched at the Pentagon's network after a 2001 collision between a U.S. Navy spy plane and a Chinese fighter jet, which resulted in the U.S. plane making an emergency landing in China, he noted. CNN's Web site experienced similar attacks after one of the network's reporters made disparaging comments about China's hosting of the Olympic Games. Chinese nationals were reportedly responsible for both incidents.

"These folks are launching these attacks to show support for their own government," said Nazario.

Nazario mentioned the 2007 DDoS incidents that crashed the Estonian government's servers. Russia supposedly conducted those attacks after the government of its former territory moved the statue of a Russian soldier. The attackers built primitive tools and launched a basic campaign, which ultimately shut down the government, he said.

Russia was also reportedly responsible for the August 2008 DDoS attacks against Georgia, another former Soviet Republic. Russia launched a military attack against Georgia to support a separatist faction. Cyberattacks against Georgian government Web sites coincided with Russia's military campaign, the first time in 10 years that Nazario saw an Internet and ground war launched simultaneously.

Governments are interested in using DDoS attacks because tracing their originators and financiers has proved to be difficult for security researchers. Arbor Networks could not conclusively link the Estonian attacks to Russia, while Estonia questioned Arbor's findings, said Nazario.

"We can tell you certain technical aspects, but we can't tell you who is paying them," he said. "There is no smoking gun as to who launches the attacks."

The pace and complexity of DDoS attacks are increasing, Nazario said, as opposition groups further use the Internet to coordinate. Because groups use the Web to communicate, it is a natural target, he said.

The result of this cyberwarfare will turn the Internet into a battleground as governments and citizens launch these attacks, Nazario said.

"Militarization of the Internet is happening," he said. "There are plenty of nonstate players, so governments can say, 'It wasn't us.' This levels the playing field. Kids in Kiev as well as the government have this."

According to Nazario, some governments are more candid about engaging in cyberwarfare or their intentions to enter such conflicts. China has supposedly discussed its cyberwar plans, and a Russian government executive allegedly admitted to using propaganda campaigns during the conflict with Georgia. These campaigns consisted of a Web site directing Russians to use cyberwar tactics against pro-Georgia sites. One site set up by Moscow supporters resembled a professional news site and went up immediately after Georgian troops fired on Russian soldiers, he said.

France is reportedly looking into cyberwarfare, and the U.S. has repeatedly discussed the concept of a military botnet, said Nazario.

While governments develop cyberwarfare strategies, they are also attempting to develop defenses against such attacks.

Estonia took the issue to NATO, but the organization's slow policy-development pace resulted in no agreement being reached. This problem also hampered efforts in the European Union to develop a solid online security strategy.

Copyright © 2009 IDG Communications, Inc.
