June 15th, 2009

Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

Posted by Dancho Danchev @ 8:19 am

Categories: Browsers, Denial of Service (DoS), Pen testing, Web 2.0

Tags: Denial Of Service, Web, Server, Web Site, Site, Cyberattack, Distributed Denial Of Service, Security, Internet, Dancho Danchev

Approximately 24 hours ago, the Iranian opposition launched a coordinated and still ongoing cyber attack that has successfully disrupted access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage, which continues to return a “The maximum number of user  reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do it yourself) distributed denial of service (DDoS) attack tools, multiple iFrame loading scripts, a public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

Let’s assess this latest example of the people’s information warfare concept, find out which sites remain affected, and discuss the attack tools used:

The campaign appears to have been organized through Twitter, which, despite public reports that the site has been banned in Iran, appears to be still accessible to the opposition through a persistent supply of proxy servers.

Moreover, the ongoing distributed denial of service attacks use techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 to temporarily shut down CNN, with a single exception: there’s no indication of botnet involvement in the present attack.

Instead, the attack relies on the so-called people’s information warfare concept: the self-mobilization of individuals, or their recruitment by a third party on the basis of political or nationalistic sentiments, to conduct hacktivism activities such as web site defacements or distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

  • Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
  • Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
  • President.ir - Presidency of The Islamic Republic - under attack
  • Farsnews.com - Fars News Agency - under attack
  • Irib.ir - Islamic Republic of Iran Broadcasting - under attack
  • Kayhannews.ir - News Portal - “Service Unavailable”
  • Irna.ir - Islamic Republic News Agency - “service unavailable”
  • Mfa.gov.ir - Ministry of Foreign Affairs, Islamic Republic of Iran - under attack
  • Moi.ir - Ministry of Interior - under attack
  • Police.ir - National Police - under attack
  • Justice.ir - Ministry of Justice - under attack
  • Presstv.ir - Iranian Press TV - “server is too busy”

Chatter from the hacktivists’ trenches, sent over Twitter or web forums during the past 24 hours:

- “Overload Iran’s propaganda websites–we can do it together!”
- “we can suspend IRIB propaganda! just click & keep it refreshing!”
- “Take part in disabling the Iranian propaganda leave on as long as possible”
- “Our efforts are working!!! RT @NewIRAN: Leader.ir; President.ir; FarsNews.com all now appear to be down”
- “Iran needs your help. Help us flood Iran Govt sites khamenei.ir is one of our targets. Go to PageReboot.com and set @ 2 secs”
- “we are currently flooding Iran Government websites - we have successfully taken down numerous sites already”
- “Great news! PressTV.ir has been shut down thanks to our efforts!”
- “IRIB, RESALAT, Kayhan, FarsNews, President.ir, and Leader.ir all brought down. Please help keep them down.”
- “president.ir is down!!!”
- “SPREAD: tool for denial of service web attack. run on president.ir and irib.ir”
- “I’m reaping at 200kb/sec baby.”
- “sweeeeeet, Farsnews is finally down! keep it up guys. I have 5 browsers open using Page Reboot.”
- “Let’s continue the attack. They have a very efficient server compared to other sites, but we successfully killed it many times already. Try to reload your application.”
- “It’s down again. I can’t view it from NZ. Keep at it people.”
- “I’m going to set up a massive solo attack on Resalat using 8 virtual machines on 8 CPUs while I go to bed. I understand it’ll be hard to make it go down but I’m going to try.”
- “done. I am also using couple of virtual M. Lets see if we can bring it down.”
- “HAHAHAHAHAHAHAHAHA!!!! RESALAT DOWN!!!!!!!!!! THAT WAS F*CKING BRUTAL!!!”

Among the first web-based denial of service attack tools used is one called “Page Rebooter”, which allows anyone to set an interval for refreshing a particular page, in this case 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages like the following:

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted of the distribution of a multiple iFrame loading script which automatically refreshed farsnews.com, irna.ir and rajanews.com, the results of which you can see in the attached screenshot. The script has since changed its location and is advertised under a new domain.
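From the defending side, timer-driven reloads like the ones described above stand out in web server access logs because one client requests the same page at a short, near-constant interval. The following is an added example, not part of the original article: it assumes Combined Log Format, illustrative thresholds, and constructed sample lines using documentation IP ranges.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "GET path HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} ')

def find_refreshers(lines, min_hits=6, max_jitter=0.5, max_interval=10.0):
    """Return {(ip, path): mean_gap_seconds} for clients re-requesting one
    page at a short, near-constant interval (timer-driven reloads)."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-GET lines
        ip, stamp, path = m.groups()
        seen[(ip, path)].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Humans browse with irregular gaps; a refresh timer does not.
        if mean <= max_interval and statistics.pstdev(gaps) <= max_jitter:
            flagged[key] = mean
    return flagged

def _line(ip, base, offset, path):
    """Build one constructed log line `offset` seconds after `base`."""
    t = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{t}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Constructed sample traffic (documentation IP ranges, not real data).
BASE = datetime(2009, 6, 15, 8, 0, 0)
SAMPLE = (
    [_line("203.0.113.7", BASE, 2 * i, "/") for i in range(10)]  # 2 s timer
    + [_line("198.51.100.4", BASE, s, "/") for s in (0, 3, 41, 47, 120, 300, 301)]
    + [_line("198.51.100.9", BASE, s, "/news") for s in (5, 9)]
)

if __name__ == "__main__":
    for (ip, path), gap in find_refreshers(SAMPLE).items():
        print(f"{ip} reloads {path} every {gap:.1f}s")
```

Several tabs on one machine or many users behind one NAT address interleave their requests and blur the constant-gap signal, so this check complements per-client rate limiting rather than replacing it.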

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.