Malware Evolution: April - June 2007
by Alexander Gostev - Senior Virus Analyst at Kaspersky Lab - Wednesday, 15 August 2007.
Similar political situations in the relations between Russia and the former republics of the Soviet Union, which have done everything in their power to get as far away as possible from the Soviet past, are certainly nothing new. It’s possible that this incident would have remained an issue for the diplomats to tackle, but several other factors compounded it, and then something else happened. On April 27, the Estonian websites of the president, the prime minister, the Estonian parliament, the police and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world. This happened immediately after the Estonian police broke up a demonstration in Tallinn that had gathered in protest at the removal of the monument. Over 600 people were arrested, and about a hundred were injured in this skirmish with the police.

Immediately afterwards, a counterattack was made via the Internet. According to studies conducted by the experts at Finland-based F-Secure, the following websites were completely inaccessible on April 28:

* www.peaminister.ee (Website of the prime minister): unreachable
* www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
* www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
* www.vm.ee (Ministry of Foreign Affairs): unreachable
* www.valitsus.ee (Estonian Government): unreachable
* www.riigikogu.ee (Estonian Parliament): unreachable

The first attack lasted roughly until May 4. During this DDoS attack, over ten Estonian sites took a lashing. However, everyone knew full well that the worst was yet to come: May 9th, Russia’s Victory Day, was still ahead. The company Arbor, which specializes in protection against DoS attacks, later published its own statistics from observing the events in Estonia. Interestingly enough, their reports show that attacks began on May 3, 2007. It's possible that this was the day on which Estonian officials approached Arbor for assistance, as there are no data on the first wave of the attack (April 27th through May 3rd). The stats are shown here:

As we can clearly see, the second wave of attacks began on May 8th and peaked on the ninth of the month. Let us clarify the definition of "attack" in this context. Arbor reported that during the course of two weeks, they recorded 128 individual DDoS attacks, of which 115 were conventional ICMP floods, 4 were SYN floods, and the remaining 9 were other variants of attacks aimed at inflating traffic.

Of course this is only part of all of the attacks that took place, but one can still get a general idea of the enormous scale of the campaign. Furthermore, the overwhelming majority of the attacks were rather short-lived, lasting one hour or less; only 7 attacks lasting over 10 hours were recorded. The attack against Estonia happened on several levels at once. Besides the DoS attacks targeting key government sites, there were also mass defacements of dozens of other Estonian websites. Most of these targeted websites running various script engines with a number of known weaknesses, ranging from CSS/XSS vulnerabilities to SQL injection.
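The Arbor figures quoted above (attacks counted per type, with most lasting under an hour) are the output of flow-based flood detection. As an added illustration that is not Kaspersky's or Arbor's code, the following script shows how such a report is produced from NetFlow-style records: flows are bucketed per destination and one-minute window, each bucket is labelled as an ICMP flood, a SYN flood or a generic volumetric flood when its packet rate crosses a threshold, consecutive labelled windows are merged into one attack interval, and the intervals are then summarised by type and duration. The thresholds, the window size and the destination/source addresses (documentation ranges) are assumptions; the sample flows are constructed inline.

```python
from collections import defaultdict

WINDOW = 60          # seconds per analysis bucket (assumed)
ICMP_PPS = 1000      # ICMP packets/s towards one destination (assumed threshold)
SYN_PPS = 500        # SYN-only TCP packets/s towards one destination (assumed)
OTHER_PPS = 5000     # any-protocol packets/s towards one destination (assumed)


def classify_window(flows):
    """Label one destination's flows within one window.

    Order matters: an ICMP flood also exceeds the generic packet-rate bar,
    so the more specific signatures are checked first.
    """
    icmp = syn = total = 0
    for f in flows:
        total += f["packets"]
        if f["proto"] == "icmp":
            icmp += f["packets"]
        elif f["proto"] == "tcp" and f["flags"] == "S":  # SYN without ACK
            syn += f["packets"]
    if icmp / WINDOW >= ICMP_PPS:
        return "icmp-flood"
    if syn / WINDOW >= SYN_PPS:
        return "syn-flood"
    if total / WINDOW >= OTHER_PPS:
        return "volumetric"
    return None


def _interval(dst, start_win, end_win, label):
    return {"dst": dst, "type": label, "start": start_win * WINDOW,
            "duration_s": (end_win - start_win + 1) * WINDOW}


def detect_attacks(records):
    """Bucket flows per (destination, window), label each bucket, then merge
    consecutive same-label windows into one attack interval."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["dst"], r["ts"] // WINDOW)].append(r)

    labelled = defaultdict(list)  # dst -> [(window, label)]
    for (dst, win), flows in buckets.items():
        label = classify_window(flows)
        if label:
            labelled[dst].append((win, label))

    attacks = []
    for dst, items in labelled.items():
        items.sort()
        start = prev = label = None
        for win, lab in items:
            if start is not None and win == prev + 1 and lab == label:
                prev = win          # still the same attack, extend it
                continue
            if start is not None:
                attacks.append(_interval(dst, start, prev, label))
            start, prev, label = win, win, lab
        if start is not None:
            attacks.append(_interval(dst, start, prev, label))
    attacks.sort(key=lambda a: (a["start"], a["dst"]))
    return attacks


def summarize(attacks):
    """Aggregate the way the report above is presented: a count per attack
    type plus the short (<= 1 h) and long (> 10 h) duration buckets."""
    by_type = defaultdict(int)
    for a in attacks:
        by_type[a["type"]] += 1
    return {
        "total": len(attacks),
        "by_type": dict(by_type),
        "under_1h": sum(1 for a in attacks if a["duration_s"] <= 3600),
        "over_10h": sum(1 for a in attacks if a["duration_s"] > 36000),
    }


# Constructed sample flows using documentation address ranges, not real hosts.
def _flood(dst, proto, flags, first_win, n_wins, sources, pkts):
    return [{"ts": w * WINDOW + i % WINDOW, "src": f"203.0.113.{i % 254 + 1}",
             "dst": dst, "proto": proto, "flags": flags, "packets": pkts}
            for w in range(first_win, first_win + n_wins) for i in range(sources)]


SAMPLE_RECORDS = (
    _flood("198.51.100.10", "tcp", "S", 0, 13, 50, 1)        # benign background SYNs
    + _flood("198.51.100.10", "icmp", "", 0, 3, 1000, 100)   # 3-minute ICMP flood
    + _flood("198.51.100.20", "tcp", "S", 5, 1, 1000, 40)    # 1-minute SYN flood
    + _flood("198.51.100.30", "udp", "", 10, 2, 1000, 400)   # 2-minute UDP volumetric flood
)

if __name__ == "__main__":
    found = detect_attacks(SAMPLE_RECORDS)
    for a in found:
        print(f'{a["dst"]:15} {a["type"]:12} start={a["start"]:>5}s duration={a["duration_s"]}s')
    print(summarize(found))
```

The benign background SYN traffic on the first host never crosses the SYN threshold and is correctly absorbed into the ICMP-flood label while the flood runs, then ignored afterwards; on the sample data the detector reports three attacks (ICMP, SYN, volumetric), all under an hour, which is the shape of the breakdown Arbor published.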
