Analysis: Russia behind Georgia cyberwar?

by Shaun Waterman
Washington (UPI) Jul 25, 2008
The Web site of President Mikheil Saakashvili of Georgia was brought down this week by hackers apparently based in Russia, the latest in a string of cyberattacks directed against neighboring countries experiencing friction with the newly resurgent bear.

The attack was monitored by several U.S. Internet watch operations, including the center run by the Department of Homeland Security known as U.S.-CERT, for Computer Emergency Response Team.

A person at U.S.-CERT, authorized to speak to the media but not to give his name, said the center was "not involved in any response" but had passed information about the incident, called a Distributed Denial of Service attack, to DHS intelligence analysts.

The person said the attack did not look like a prelude to, or opening salvo in, any wider assault. "We don't think it is part of anything larger," he said.

In Lithuania, 300 Web sites were defaced earlier this month after a law was promulgated banning the public display of Soviet symbols. Estonian government Web sites were pounded by a massive series of DDOS attacks in April and May 2007, after a decision to move a monument honoring Soviet World War II soldiers. The attacks were part of a series of protests from Russia and ethnic Russians in Estonia.

DDOS attacks work by bombarding the server where the site is based with bogus messages and requests from huge networks of computers that, often unbeknownst to their owners, have been infected by malicious software and taken over by hackers.

Such bot-nets, short for robot-networks, can be rented from the hackers that run them, known as bot herders, and have been used before in cyberwar attacks like the one on Estonia last year.

The flood of messages makes the server unable to deal with legitimate Web traffic, so those trying to visit the site will experience abnormal delays and may not be able to reach it at all.

Security analysts who tracked the attack on Saakashvili's Web site say it, and other unrelated sites hosted on the same server, were unreachable or cripplingly slow for up to 24 hours.

A spokesman for the president told local news outlets nothing had happened.

"It's not true; the Web site didn't stop even for a minute over the weekend," spokesman Vano Noniashvili told the Georgian Messenger.

"It happened," said Marcus Sachs of the SANS Institute, a non-profit computer security research outfit that runs a 24-hour watch operation known as the Internet Storm Center.

Sachs said incident handlers at the center saw the first reports of the attack posted by a volunteer security monitoring operation called ShadowServer, but then independently confirmed the attack was in progress.

"We can see the commands being issued to the bot-net by its command and control server," Steven Adair of ShadowServer told UPI.

"This was the first and (so far) only attack command we have seen issued," Adair said, adding the group had been "monitoring that bot-net for some time."

"We didn't expect it to be so interesting," he said.

Adair and Jose Nazario, senior security researcher at Arbor Networks, both confirmed to UPI that the president's site, www.president.gov.ge, had been unreachable or cripplingly slow for up to 24 hours.

Nazario said that although the company providing Internet service to the U.S.-based command and control server had taken it offline shortly after the attack began, it was too late by then, because the slave computers in the bot-net already had received their attack instructions.

"That didn't stop the attack," he said. "The attack stopped when it was over."

Neither Noniashvili nor his deputy responded within 24 hours to an e-mail request for clarification. Officials at the Georgian Embassy in Washington said the press spokesman was out of the country and no one could add anything to the spokesman's denial.

One reason officials are sometimes reluctant to talk about such incidents is that, because bot-nets can be rented anonymously, there is often no way to tell who is really behind a cyberattack.

Nazario noted that the bot-net commands contained the phrase "Win love in Russia," which he said was "a not very subtle way to leave no doubt about where they came from."

Adair said the registration information for the Internet domain controlled by the command server gave a Russian contact address. "The WHOIS contact information was in Russia," he said, referring to the massive database that lists the occupant of every piece of Internet real estate.

But Adair acknowledged it is more than easy to provide bogus information in the database, and that cybercriminals often do so.

And one Internet security analyst, who was in Russia at the time, told UPI that Russian network specialists were of the opinion that Ukraine was behind the attack and was trying to pin the blame on Russia.

"Attribution is always a problem," said Nazario.
