Note: This analysis is a joint effort by Jeff Carr of Intelfusion, Jart Armin of HostExploit.com, and Greg Walton, IWMP. Further analysis will be forthcoming from the individual contributors at their respective Web sites. UPDATED by IWMP: 29 January 2009

On January 18, 2009, a large-scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). The key national Web server site Asiainfo.kg and the official Kyrgyzstan domain registration service Domain.kg have been available only intermittently since 18 January 2009.
Russian-based servers primarily known for cybercrime activity have been linked, through IP analysis, to the attacks on Kyrgyzstan.
Fig 1 – Kyrgyzstan DDoS Snapshot – Alignments of Core Network Servers – 012109
Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.
Table 1 – Kyrgyzstan DDoS Snapshot – Details of Core Network Servers
Figure 2 – Mapping the Attacks, Routing the DDoS against Kyrgyzstan’s AsiaInfo – 15th to 25th Jan 09
Figure 3 provides a BGP (Border Gateway Protocol) Internet traffic routing view for the period of the 15th to the 25th of January 2009, with the primary focus on highlighting the DDoS traffic against AS8511 Asiainfo Kyrgyzstan.
Analysis
The Kyrgyz denial of service attacks occurred against the backdrop of a number of significant political events in the country. The attacks coincided with earlier reports that several popular Internet sites were inaccessible from within Kyrgyzstan, leading to accusations of Internet filtering.
There is no clear evidence as to who is involved or responsible, and past experience suggests that the range of possible actors includes state organizations, political parties, commercial entities, or individuals, including journalists trying to manufacture a news story. Anyone with money and contacts within the CIS computer and technology community can order these kinds of attacks at relatively low cost. A high-quality DDoS attack can be purchased for US$500.
The executing agents for the current DDoS attacks are likely Russian hackers with moderate skill levels who regularly engage in cybercrime, especially the rental of botnets. IWMP and the OpenNet Initiative have documented several instances in which these kinds of denial of service attacks were used during domestic political contests (Kyrgyzstan in 2005 and Belarus in 2006). Denial of service attacks were successfully used by pro-Russian hackers against Estonia in May 2007, and again during the Russian-Georgian war of August 2008.
The disruption caused by these DDoS attacks points to the difficulty governments face in coordinating a response. Neither Kyrgyz nor Russian authorities reacted rapidly to end the attacks, even though the servers used by the hackers in the attacks were located on networks operated by JSC and Golden Telecom. To date, there is no evidence to suggest that the RF Ministry of Interior or Ministry of Communications has taken any steps to deny Russian hackers access to these servers.
Timeline of Political Events
January 17: Prominent opposition leader detained in Kyrgyzstan
January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)
January 19: Two opposition leaders detained and charged
January 19: Russia presses Kyrgyzstan to close US base
January 20: Kyrgyzstan Opposition denied use of Parliament Press Center
January 22: Journalists ordered to file personal information
January 22: Kyrgyz Opposition Party denied registration
Related Links:
Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)
The Kyrgyzstan Cyber Attack That No One Is Talking About