August 11, 2008
Update: Georgian Government Websites Under DDoS & Cyber Attack
The Georgian Republics Parliament website has been defaced as well:
parliament.ge now shows:
Original post continues below:
Some of the Internet resources of the Georgian government have been the targets of fairly steady DDoS attack's since early July of 2008. The website of the President of Georgia has been hit fairly heavily over the last few days and is currently going off line randomly as it is overcome by the attack (it was up this morning but has been down for several hours now).
The Threat Expert Blog had an article about similar attacks on president.gov.ge back on 20 July 2008. In that article they credited Steven Adair for the information regarding the botnet involved in the attack, likewise Steven gets credit for bringing the ongoing attacks to my attention this morning. Stevens latest post on this issue can be found on the Shadowserver web site later today (I'll update this post when that info becomes available).
True to form there's appears to have been a cooperative effort between the cyber attacks and the military attacks on the ground in Georgia. Whether the attacks are the work of the Russian government or that of those sympathetic to their cause remains to be seen. Estonia recently suffered a similar fate less the actual physical invasion forces.
Update by Howie: Comment by Thomas R. Burling, CFO
Tulix Systems, Inc, reprinted in main post by permission.
Just trying to get the word out. Because of the conflict between Russia and the Republic of Georgia we are getting hammered. We broadcast, for expatriots, three Georgian television stations and a special announcement site for the Georgian President Mikhail Saakashvili (president.gov.ge) if you are carrrying any Georgian based material be careful, we are receiving attacks all across the spectrum, not only on our Georgian websites but all of our issued IPs. Fortunately we have the equipment and technicians who can handle it. But if you don't and have any material related to the war you may want to premptively take it down.We agreed to host the President's site because Russian hackers had taken down the entire internet in Georgia. These people are nuts. Our techs are getting no sleep at all. It's one thing to attack the .ge site. It is another to take our table out of ARIN and try to take the whole network down.
Here's a sample of what we're seeing regarding the attacks on Georgian resources, on and off, since mid July (source IP's removed):
2008-07-20 15:15:14 18.104.22.168 president.gov.ge flood icmp www.president.gov.ge
2008-07-20 15:15:12 22.214.171.124 president.gov.ge flood tcp www.president.gov.ge
2008-07-20 15:15:08 126.96.36.199 president.gov.ge flood http www.president.gov.ge
2008-07-20 14:14:23 188.8.131.52 president.gov.ge flood icmp www.president.gov.ge
2008-07-20 14:14:20 184.108.40.206 president.gov.ge flood tcp www.president.gov.ge
2008-07-20 14:14:17 220.127.116.11 president.gov.ge flood http www.president.gov.ge
2008-07-20 13:13:33 18.104.22.168 president.gov.ge flood icmp www.president.gov.ge
2008-07-20 13:13:32 22.214.171.124 president.gov.ge flood tcp www.president.gov.ge
The RBNExploit blog claims that the Internet routing for the Georgian Internet resources may have been under attack in an effort to stop proper routing to those services. The RBNExploit Blog claims the Russian Business Network is involved, I can't verify that claim but if you don't know what the RBN is you need to go find out. RBN is responsible for quite of bit of the nastiness on the Internet as far as cyber crime and fraud goes.
Additionally, the Georgian Office of Foreign Ministry was also defaced with images likening the Georgian President to Hitler, details are available at Interfax.
(This article cross posted at The Black Flag)