Immediately afterwards, a counterattack was made via the Internet. According to studies conducted by the experts at Finland-based F-Secure, the following websites were completely inaccessible on April 28:
* www.peaminister.ee (Website of the prime minister): unreachable
* www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
* www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
* www.vm.ee (Ministry of Foreign Affairs): unreachable
* www.valitsus.ee (Estonian Government): unreachable
* www.riigikogu.ee (Estonian Parliament): unreachable
The first attack lasted roughly until May 4. During this DDoS attack, over ten Estonian sites took a lashing. However, everyone knew full well that the worst was yet to come. May 9th, Russia’s Victory Day, was still ahead. The company Arbor, which specializes in protection against DoS attacks, later published its own statistics from observing the events in Estonia. Interestingly enough, their reports show that attacks began on May 3, 2007. It's possible that this was the day on which Estonian officials approached Arbor for assistance, as there are no data on the first wave of the attack (April 27th through May 3rd). The stats are shown here:
As we can clearly see, the second wave of attacks began on May 8th and peaked on the ninth of the month. Let us clarify the definition of "attack" in this context. Arbor reported that during the course of two weeks, they recorded 128 individual DDoS attacks, of which 115 utilized a typical ICMP flood, 4 used SYN, and the remaining 9 were different variants of attacks meant to increase traffic.
Of course, this is only a portion of the attacks that took place, but one can still get a general idea of the enormous scale of the attack. Furthermore, the overwhelming majority of the attacks were rather short-lived, at one hour or less. Only 7 attacks lasting over 10 hours were recorded. The attack against Estonia happened on several levels at once. Besides the DoS attacks targeting key government sites, there were also mass defacements of dozens of other Estonian websites. Most of these were aimed at websites running different script engines which have a number of vulnerabilities ranging from CSS/XSS vulnerabilities to SQL injections.