Threat Intelligence

Estonia: To Black Out an Entire Country – part one

Dimitar Kostadinov
October 1, 2013 by
Dimitar Kostadinov


The cyber-attacks that befell Estonia in 2007 is a case much discussed and underrated at the same time. Many tend to ignore the eloquent fact that this incident represents the first time when an entire country's information defense systems and resources were put to the test. Moreover, according to the rumors, Estonia was attacked by foreign entities, which under some circumstances may qualify this little cyber-offensive as a use of force, or even an armed attack, pursuant to UN Charter.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

In this line of thinking, if we take the famous quote by Albert Einstein about the two things that are infinite—the universe and human stupidity—it is not difficult to imagine how the whole situation could steam up to the boiling point. Then perhaps another genius thought from the very same person will fit perfectly: "I do not know what the third world war will be fought with, but the fourth world war will be fought with sticks and stones."

Given the seriousness of the 2007 Estonia case, this article endeavors to examine the most important aspects of the event in question from the political, legal and technical perspectives.

Content of First Part: Introduction, Means and Types of Attacks, Attack Facts and Statistics, Temporal Survey

Content of Second Part: Attack Targets & Impact, Succinct Legal Commentary, Why the Suspicion Falls on the Eastern Neighbor? , Conclusion. Importance

Because the focus is on the tech review, the order of the two articles is reversed. Thereby, the reader can learn first more about the technical analysis and then proceed to the political context of Estonian cyber-war.

I. Means and Types of Attacks

Fig. 1: Cyber Arsenal at hand for waging a Baltic cyber-war

The cyber-war campaign against Estonia takes on many different forms. The principal means and methods of attack range from unsophisticated denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, such as ping flooding, to more of these on a higher level achieved by the use of a botnet. Web defacements and enormous amounts of email and comment spam were also employed to facilitate the project, "Let's put a country to its knees." Of course the entire dish of "revenge" (by definition best served cold, but not likely so in this case) was spiced up through different Internet forums, simultaneously disseminating public propaganda and easy-to-handle instructions (for the laymen) of how to attack online targets in Estonia effectively and in a coordinated manner (Tikk, Kaska, & Vihulm, 2010).

DoS and DDoS Attacks

This type of attack carried the main weight of the cyber-assault against Estonia. The DoS and DDoS attacks draw their "inspiration" from the fact that the Internet depends on bandwidth and these acts can actually block the targeted servers and effectively clog up the Internet. Moreover, the whole execution often is not extremely complex. In theory, if a target, such as an email service or website, is being bombarded by enough emails or requests in a short time, the bandwidth will eventually fail to cope with that amount of inbound data and simply jam, rather resembling a main street during rush hour (Charvat, 2010). Simply put, a DoS attack is "a concerted malevolent effort to deny access to any electronic device, computer, server, network or Internet resource by its intended users" (Tikk, Kaska, & Vihulm, 2010, p.112).

A. Ping-flooding

In the first phase of the Estonia assault, ping-flooding was widely used (Tikk, Kaska, & Vihulm, 2010). The process was triggered by calling up recruits in certain Russian-language online forums and distributing also accurate information on how to launch ping commands with numerous parameters on the MS Windows command line, which check whether the targeted computers are available. At some further moment, the man on the street (the man on the web) is presented again through the same forums and blogs with the opportunity to copy an executable .bat file onto his personal computer and then initiate and carry out automated ping requests. Seeking to disturb the normal functioning of the targeted system, these requests are repeated hundreds of times per second (Davis, 2007).

When performed single-handedly, this cyber-attack may not cause significant harm and thus can be categorized as simple denial-of-service attack. On the other hand, being coordinated, these automated ping requests could create some disturbance to the intended target. And coordinated they are. To bring into line those cyber-attacks in April and May 2007, thereby amplifying the impact on the Estonian information infrastructure, the participants used internet relay chat (IRC).

Speaking of participants, the people who carry out the ping-flooding are mostly unsophisticated troublemakers—they merely copy programs line by line off hacker websites. The media, in fact, frequently refer to them as "script kiddies," young people who, in the heat of the moment, are led on to participate in this nevertheless nefarious act (Davis, 2007).

B. Botnets

A botnet is a network of slave computers (bots) over which a criminal entity has assumed control. From a master computer, a wrongdoer can direct all the bots (a.k.a. zombies or zombie-computers) in the botnet to log onto a website or email simultaneously. A prominent mark of the botnet networks is that they usually consist of millions of computers dispersed across the world, with the slaves showing no initially apparent symptoms. It is widely perceived in the hacker communities that setting up botnets is not challenging for experienced hackers, and that they do exist on the black market, ready for sale (Charvat, 2010).

Undoubtedly, bringing the botnets into action set the little Baltic cyber-warfare at another levelthe more advanced DDoS attacks employ giant network of botnets, which may have comprised thousands of infected computers. Evidence that the attackers rented time on several botnets, inter alia, testifies to the great resources at hand to the perpetrators (Janczewski & Colarik, 2008).

Estonia suffered a quite heavy DDoS attack precisely because the attackers used a large number of compromised computers. The way one to launch a heavy coordinated attack against definite target is only as complicated as sending the right commands to the master computer that, in turn, passes on the instructions to daemon installed on the slave computers (i.e., bots). There are four widely-known tools that help in devising and harnessing a DDoS attack:

  1. Trinoo—direct flood of UDP packets without spoofing IP addresses, hence making the track-back of the attack origin possible
  2. Tribe Flood Network (TFN)
  3. The updated TFN2K version—the strength of this tool is that it can produce a variety of floods, e.g., UPD flood, SYN flood, ICMP flood, and Smurf-type attacks. In TFN, via ICMP ECHO REPLY packets, the master machine sends unencrypted commands to daemon in order to avoid firewall filtering. However, this was later corrected in the updated TFN2K version, which operates with encrypted communications and one-way spoofing.
  4. Stacheldraht—functions by supporting different forms of floods, as it is set up with the same configuration as TFN, but at the same time it manages to encrypt its communication. Hence, Stacheldraht appears to be a hybrid of TFN and Trinoo (Saleem & Hassan, 2009).

DDoS and the effect on Estonia

Data collection from Arbor Network Active Threat Level Analysis System (ATLAS), whose results is claimed to reflect on 80% monitoring of the Internet traffic, revealed the following statistics:

-Over the three weeks of the attack, IP addresses within Estonia were targeted with DoS attacks, most of which were ICMP ping-flooding that aims at entire systems instead of at a specific port or service within the server.

-There were 128 unique DoS attacks: 115 ICMP floods, 4 TCP SYNC floods, and 9 generic traffic floods.

-More than one botnet network took part in the onslaught, impeding the ability to track down the perpetrators.

(Saleem & Hassan, 2009)

What dismays the network security specialists as uncommon about the cyber-attacks on Estonia is that they lasted weeks and were of extremely high intensity. According to those specialists' calculations, some of the botnets harnessed to facilitate the DDoS attacks have chained approximately 100, 000 zombie PCs (Schreier, 2011).

As the attacks progressed, massive waves of DDoS attacks aimed to bring down governmental and private sector web sites, carefully selecting critical information infrastructure targets (e.g., DNS). At their peak, the wide array of offensive tactics produced surges in the form of incoming Internet traffic that were nearly 400 times higher than its normal standard (Tikk, Kaska, & Vihulm, 2010).

It is a curious fact that the denial-of-service effect was observed more severely by users outside Estonia. The main reason for that is a large amount of the incoming flow of foreign queries was cut off so that the system could process the exorbitant traffic and filter out the genuine queries (Tikk, Kaska, & Vihulm, 2010).

Defacement of Websites

Many Estonian www sites were defaced. The breakthrough was achieved by utilizing comment spamming or SQL injection attacks. Almost all Estonian ministries were targets (Toth, 2007-2008).

For what is worth, the hackers penetrating into website of the Estonian Prime Minister showed some sense of humor (of course, from the type that usually goes one way only) by posting a fabricated "official" apology in Russian and tampering with a photo of the Prime Minister to add a Hitler moustache (Tikk, Kaska, & Vihulm, 2010).

Others Estonian websites are defaced to display a Soviet soldier. Nonetheless, those pages were restored in short order (Toth, 2007-2008).

Other Types of Attack

Enhanced distribution of artificially generated unsolicited bulk e-mail (UBE) was directed against governmental e-mail servers and individual e-mail accounts.Due to the public policy of openness in Estonia, applicable since the beginning of the new millennium, that allows publishing contact addresses granted to all public service employees on the websites they are in office, these contact addresses are spammed repeatedly and posted on forums. In general, most systems are able to withstand the blow (Tikk, Kaska, & Vihulm, 2010).

II. Attack Facts and Statistics

Some experts regard the attack flow during the three weeks mention above as "steady in nature," even though not distributed uniformly, with some website sustaining heavier loads of traffic (Saleem & Hassan, 2009). Others, referring to the ATLAS online recordings and analysis, deem that there were distinct ups and downs in the intensity of the attacks affecting the Estonian information infrastructure (Toth, 2007-2008).

The data gathered reveals the most damaging attacks blasted streams of over 90 Mbps at Estonia's networks, with a durations as long as 10 hours. As one commentator assesses it: "That is a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours" (Janczewski & Colarik, 2008, p. 478).

The government networks were not able to cope with the increased traffic because their design allows them to process up to 2 Mbps, and their servers sustained multiple surges accumulating a traffic that amounts to 200 Mbps (Schreier, 2011).

Table 1. Number of Attacks













Table 2. Duration of Attacks








Less than 1 minute

1 min - 1 hour

1 hour - 5 hours

5 hours to 9 hours

10 hours or more

Table 3. Bandwidth used for attacks


Bandwidth measured





Less than 10 Mbps 10 Mbps – 30 Mbps

30 Mbps - 70 Mbps 70 Mbps - 95 Mbps

(Saleem & Hassan, 2009)

III. Temporal Survey

Note: Photo of the Soviet-era World War monument relocated on the night of 26/27. Presumably, this was the precipitating event for the following unprecedented street riots and digital crisis in Estonia.



Fig. II: Estonia 2007 timeline-intensity diagram

(N.B. based on temporal sequence and saturation of red)

Phase I—Emotional Response (April 27 to 29)

The first wave of attacks against Estonia reportedly hit its government websites on 27 April 2007 at dusk. This early action spreads out to affect online media outlets broadcasting news about the ongoing street riots and overall political situation in the country. Initially, the assault was carried out by relatively simple methods, therefore labeled "cyber-riots", perhaps so as to stand in some correspondence to the street ones (Tikk, Kaska, & Vihulm, 2010).

The "Emotional Response" phase is also characterized by the recruitment and participation of so-called script kiddies—young people allegedly or Russian origin. They were initially prompted to act through forums, blogs, and chat rooms; an appeal for general action was accompanied as well with precise but simple instructions on how to participate in the DDoS attacks.

The instructions in question contain ping commands for initiating ICMP attacks. By converting the commands into a batch file and then uploading it to a given web address, the script kiddies, or homemade fire-starters, were able to deploy these ready-made software spikes and contribute to the ignition of a three-week cyber-blaze, which almost burned the information infrastructure of Estonia to the ground.

And very soon the Estonian government felt the scourge coming out of everywhere and nowhere at the same time: "government websites that normally receive 1, 000 visits a day reportedly were receiving 2, 000 visits every second" (Schreier, 2011, p. 109). However, it should be kept in mind that these attacks are rather unsophisticated.

Phase II – Main Attack (April 30 to May 18)

The second phase was the stage that brought a touch of sophistication into the Estonia 2007case. The major difference from the initial emotional response is the employment of larger botnets. Even though the local authorities have already taken some measures to diminish the cyber-crisis, the combination of larger botnet system with the already acting cyber-weapons used in Phase I caused widespread disturbance in the online services of the Baltic country. For example, the domain name servers (DNSs) were attacked repeatedly throughout the entire period between April 30 and May 18 (Tikk, Kaska, & Vihulm, 2010).

Outside the highlight days ("days of thunder") described below, network traffic measurements attest to levels higher than normal range. In the majority, however, these surges of malware attacks were manageable, but some sites here and there crashed and remained out of reach for periods of time (Tikk, Kaska, & Vihulm, 2010).

First Wave (May 3-4)

The heavy botnet assault began on 3 May, when private sites and servers were struck by DDoS attack. The online services of several Estonian banks were shut down, with several others saved at great monetary costs, and international banking services were also severely affected (Schreier, 2011).

In the night of May 4, a DDoS attacks persevered, crashing websites and DNSs, displaying significant precision and intensification in concentration, a clear indicator of a botnet connection. The unknown entities behind these attacks are determined to keep their status of anonymity intact by hiding their tracks—a task achieved in three-lane fashion: "by using global botnets, by routing their attacks through proxy servers in other countries (including NATO countries) and likely by spoofing their IP addresses" (Tikk, Kaska, & Vihulm, 2010, p. 19).

Second Wave (May 9-11)

Yet another surge was expected on День Победы or The Victory Day (May 9). On this day Russia commemorates the defeat of Nazi Germany in World War II and it is a big national holiday. Indubitably, the relevance of the "bronze soldier" dispute located in Tallinn arises anew. During the traditional military parade in Red Square, Putin proclaimed: "Those who are trying today to…desecrate memorials to war heroes are insulting their own people, sowing discord and new distrust between states and people" (Davis, 2007, p. 9).

Whether or not this speech stoked more script kiddies into fervor is a controversial matter, so let us rely on the facts about what actually happened during those days. Basically, everyone's expectations for resuming cyber-hostilities were met accordingly. Here is the testimony of one of the foreign security experts, a beholder, aiding the Estonian government in dealing with the cyber-threat:

Everything looked normal on the networks. Traffic coming into Estonia was average for this time of night—about 20,000 packets per second. At exactly 11 pm, Estonia was slammed with traffic coming in at more than 4 million packets per second, a 200-fold surge. Globally, nearly 1 million computers suddenly navigated to a multitude of Estonian sites, ranging from the foreign ministry to the major banks. It was a larger-scale version of what had happened to the Postimees, except that the entire country's bandwidth capacity was being squeezed. A botnet comprising mostly hijacked computers in the U.S. (Davis, 2007, p. 8)

The so-described blast of information streams and queries is directed at hundreds of websites (Richards, 2009). Another evidence report that: "On May 9, the attacks shut down up to 58 sites at once. This wave of attacks mostly targeted government websites (including official communications channels of the government)" (Tikk, Kaska, & Vihulm, 2010, p. 20).

By May 10, the cyber-onslaught took out the online services of Hansabank, the largest commercial bank of Estonia. For the customers using the bank in question, what happened results in three major setbacks:

  1. The online banking services were brought to a standstill.
  2. The connections between the Hansabank branches and ATMs across Estonia were severed.
  3. The online disconnection between the local bank and its foreign counterparts prevented customers from using Estonian banking cards.

Fortunately, these negative effects are resolved within a couple of hours (Richards, 2009).

Third Wave (May 15)

The severe cyber-attacks gradually subside and the days after May 10 are relatively calm. A new spike (a huge botnet strike comprising about 85,000 "enslaved" PCs), however, emerges on May 15. Once again the targets are government institutions. Owing to the protective measures taken by the Estonian Computer Emergency Response Team (CERT-EE), the heightened amount of traffic does not pose significant damages this time. Among the small exceptions is the web portal of SEB Eesti Uhispank that remains shut down for about 1.5 hours (Tikk, Kaska, & Vihulm, 2010). The national emergency toll-free number 112 is briefly out of reach as well (Schreier, 2011).

Fourth Wave (May 18)

The last strong DDoS assault hit the websites of Estonian government. On May 19, the attacks cease and the world's first cyber-war comes to an end (Richards, 2009). It should be noted that even after that date some Estonian banks continue to experience diminished disturbances (Tikk, Kaska, & Vihulm, 2010).

Reference List

Charvat, J. (2010). Cyber Terrorism: A New Dimension in Battlespace. Retrieved on 07/09/2013 from

Davis, J. (2007). Web War I. Retrieved on 07/09/2013 from

Estonia Cyber Attacks 2007. Retrieved on 07/09.2013 from

Janczewski, L. & Colarik A. (Eds.). (2008). Cyber Warfare and Cyber Terrorism. Hershey, USA: IGI Global.

Richards, J. (2009). Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security. Retrieved on 07/09/2013 from

Saleem, M. & Hassan, J. (2009). "Cyber warfare," the truth in a real case. Retrieved on 07/09/2013 from

Schreier, F. (2011). On Cyberwarfare. Retrieved on 07/09/2013 from

Tikk, E., Kaska, K. & Vihul L., (2010). International Cyber Incidents: Legal Considerations. Retrieved on 07/09/2013 from

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Toth, B. (2007-2008). Estonia under cyber attack. Retrieved on 07/09/2013 from

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.