Thursday, 09 December 2010

’Tis the Season of DDoS – WikiLeaks Edition

Scroll to the bottom for the latest updates…

DDoS attacks are flying across the Internet like there is no tomorrow. Just a few days ago, a hacktivist operating under the handle “th3j35t3r” decided to single-handedly take down the WikiLeaks website with a DoS tool of his (or their) own creation. He issued a statement on Twitter shortly afterward, explaining that the attacks against the WikiLeaks website were made for “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations.” According to our statistics, his attacks resulted in 1 day 3 hours and 50 minutes of downtime for WikiLeaks before the site was completely yanked offline by Amazon and EveryDNS.

On the other side of the attack spectrum, the anonymous attackers involved in Operation:Payback have vowed to take a temporary break from their mega-assault on the entertainment industry in order to spend some time helping WikiLeaks. Their first attack has been set on PayPal, after the U.S.-based company closed its doors on WikiLeaks, citing an AUP violation.
PayPal issued the following statement on their blog:

“PayPal has permanently restricted the account used by WikiLeaks due to a violation of the PayPal Acceptable Use Policy, which states that our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity”
Shortly after the PayPal announcement, Anonymous decided that the PayPal Blog would be its first DDoS target in WikiLeaks-related counterattacks.
The following statements were released on an Anonymous Twitter account:

“TANGO DOWN — thepaypalblog.com — Blog of Paypal, company that has restricted Wikileaks’ access to funding. #Paypal #Wikileaks #WL #DDoS”
“Close your #Paypal accounts in light of the blatant misuse of power to partially disable #Wikileaks funding. Join in the #DDoS if you’d like”

According to our stats, ThePayPalBlog.com has been down since 4 AM PST on 12/4/2010 and shows no sign of coming back online anytime soon.
Anonymous organizers had this to say regarding the temporary switch in focus:

“While we don’t have much of an affiliation with WikiLeaks, we fight for the same: we want transparency (in our case in copyright) and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we can not say what we think and not express how we feel. We can not let this happen, that is why we will find out who is attacking WikiLeaks and with that find out who tries to control our world. What we are going to do when we found them? Except for the usual DDoSing, word will be spread that whoever tries to silence or discourage WikiLeaks, favors world domination rather than freedom and democracy.”
Anti-Anti WikiLeaks

Update – 12/4/2010 – 10:50 AM PST:
After nearly 7 hours of constant attacks, the PayPal blog has either been deleted or permanently taken offline. Accessing the blog this morning revealed the following 403/access forbidden error:
403 error on ThePayPalBlog.com

Update – 12/4/2010 – 1:24 PM PST:
ThePayPalBlog.com is no longer resolving to the 403 error page and is completely down again.

Update – 12/4/2010 – 2:50 PM PST:
PayPal has reduced its entire blog to a plain text statement regarding their decision to suspend WikiLeaks.
PayPal Blog Notice

Update – 12/5/2010 – 1:28 PM PST:
ThePayPalBlog.com is now back up after 75 service interruptions and 8 hours 15 minutes of total downtime.  This report doesn’t take into account the many hours that ThePayPalBlog.com resolved to a 403 error.

Update – 12/6/2010 – 3:06 AM PST
Official plans to support WikiLeaks have been announced.

Update – 12/6/2010 – 12:00 PM PST
Anonymous has launched its second attack, this time on the main PayPal website. Minutes after the group announced the launch of the attack, its own infrastructure started to take a hit. The Anonymous website is now unavailable and presumably under a counter-DDoS attack. The following poster has been circulating on the Internet:

Anonymous :: Paypal Attack Poster

Update – 12/6/2010 – 12:30 PM
They are now going after postfinance.ch, the bank that took down Julian Assange’s defense fund. We have recorded 5 minutes of downtime so far.

Update – 12/6/2010 – 1:52 PM
The attack on postfinance.ch is ongoing.  The site first went down at 12:33 PM PST and has been down for over one hour.

postfinance.ch downtime

Update – 12/6/2010 – 3:02 PM
The Anonymous website is currently under heavy DDoS attack. We’ve observed just under 2 hours of downtime and 23 service interruptions since the pro-WikiLeaks attacks started this morning.

Anonymous Counterattack

Update – 12/6/2010 – 5:07 PM
The attack against PostFinance.ch is still underway.  We have observed 4 hours 41 minutes of continuous downtime since the attack started. In addition to the DDoS attack, some Anonymous members are spamming PostFinance offices with the following image.

Update – 12/7/2010 – 12:03 AM
The attack against PostFinance.ch is still going strong with 11 hours 35 minutes of recorded downtime and counting. This DDoS is one of the first successful attacks on a financial institution and is getting in the way of customers doing business with the company. One user wrote on Twitter, “#payback can you stop the DDoS on postfinance for 10 minutes so that I can bank please? pretty please?”

Update – 12/7/2010 – 9:30 AM
Anonymous attacked postfinance.ch well into last night, with 16 hours and 30 minutes of recorded downtime. The chat room currently has over 900 people joining in on the attack, as well as over 500 computers involved in their voluntary DDoS botnet (LOIC HIVEMIND). LOIC (Low Orbit Ion Cannon) is a DDoS tool developed by the attackers to carry out their DDoS attacks. The software allows users to insert a command and control address into the application, which will then automatically connect their computer to the “HIVEMIND” and immediately start attacking a predetermined target.
Here is what the software looks like:

Update – 12/7/2010 – 9:44 AM
The target has switched over to http://aklagare.se, the Swedish prosecutors. The website went down almost instantly after the target was selected, with over 500 computers in the voluntary botnet attacking the site all at once.

Update – 12/7/2010 – 10:16 AM
Over 1000 people have joined the chat to participate in the attacks against anything anti-WikiLeaks.

Over 1000 attackers have joined in on the attacks

Update – 12/7/2010 – 2:10 PM
We have recorded 4 hours 26 minutes of downtime for Aklagare.se since the attack started focusing on the site at 9:44 AM PST.

Update – 12/7/2010 – 3:06 PM
The target has been switched to EveryDNS.com, the DNS provider that took WikiLeaks down. The target was announced at 2:52 PM PST and the website was taken down just one minute later at 2:53 PM PST.  We have 10 minutes of recorded downtime and counting:

Update – 12/7/2010 – 3:51 PM
The target has now been changed to http://lieberman.senate.gov.  This marks the first time Operation Payback has targeted a government site under “Operation Avenge Assange.”

Update – 12/7/2010 – 4:16 PM
We have recorded the first downtime for lieberman.senate.gov.  There are currently just under 1,000 attackers in the chat room and almost 600 computers connected to the voluntary botnet.
http://lieberman.senate.gov went down for 1 minute at 4:11 PM PST:
lieberman.senate.gov downtime

Update – 12/7/2010 – 4:56 PM
Operation:Payback has been under a constant DDoS counter-attack, but the attacks against the site intensified shortly after announcing the attack on Senator Lieberman’s website.  We’re not sure who exactly is involved in the retaliation against the group, but we suspect that it may be a group of patriots attempting to protect the greater interests of the United States of America.

Here is an uptime graph of Operation:Payback’s website:
DDoS against Operation:Payback

Update – 12/7/2010 – 5:54 PM
The attack on lieberman.senate.gov ended with 8 service interruptions and 12 minutes of downtime. The attack is now back on e-finance.postfinance.ch, which has been hit the hardest with 61 service interruptions and 1 day 2 hours 36 minutes of downtime.

lieberman.senate.gov downtime

Update – 12/7/2010 – 7:20 PM
They have switched targets to www.advbyra.se, the lawyer of the 2 girls who were allegedly raped and/or assaulted by Julian Assange.
The site took only 1 minute to bring down and has been down for the past 15 minutes.

Update – 12/7/2010 – 8:15 PM
A small group of Anonymous protesters (not everyone) has started attacking Sarah Palin’s website (sarahpac.com) in retaliation for her stating that Assange should be hunted like a terrorist. We have observed 6 minutes of downtime so far.
Sarah Palin DDoS
This highlights the fact that no one is “in charge” of this attack campaign. These attackers make target suggestions and follow along at will… even if just a few of them are on board with it.

Update – 12/8/2010 – 1:56 AM
We have observed 256 service interruptions and 94 hours of combined downtime since these attacks started on December 4th. We also observed over 8 hours of counter-DDoS downtime on the attackers’ site (anonops.net).
Below you will find our latest updated downtime tracker:
Site                        Interruptions   Downtime (h:m)
ThePayPalBlog.com           77              8:19
PostFinance.ch              55              33:08
e-finance.postfinance.ch    61              33:07
www.aklagare.se             11              13:00
everydns.com                4               0:31
lieberman.senate.gov        8               0:12
ADVBYRA.SE                  32              5:11
sarahpac.com                8               0:25

TOTAL                       256             94 hours

Update – 12/8/2010 – 2:37 AM
This attack campaign evolves so quickly that they already started targeting MasterCard.com while I wrote my last update for the night.
Mastercard Takedown Announcement
MasterCard.com first went down at 1:14 AM PST with 4 service interruptions and is currently experiencing 1 hour+ of ongoing downtime.
MasterCard.com Downtime

Update – 12/8/2010 – 3:17 AM
The Internet hosting provider (space2u.com) of the lawyer representing the 2 girls who were allegedly raped/assaulted by Julian Assange has voluntarily suspended the ADVBYRA.SE website indefinitely.
Here is a snip of the conversation taken from the chat:

This marks the first time a website has been voluntarily removed by an ISP as a direct result of “Operation Avenge Assange.”

Update – 12/8/2010 – 5:18 AM
Mastercard.com is still down with 940 computers in the voluntary botnet attacking the site all at once. We have 3 hours 57 minutes of recorded downtime so far.

Update – 12/8/2010 – 8:24 AM
Mastercard.com is still selected as the main target and has not come back online since our last report: 7 hours of downtime and counting. The number of participants in the attackers’ chat room has soared to over 2200 people and there are currently over 1,700 computers in the voluntary botnet.

Update – 12/8/2010 – 12:26 PM
Mastercard.com is still under attack with 11 hours of downtime and counting, but the target will change to Visa.com at 1 PM PST.
This is the first time that the group has officially targeted Visa.com, but we have already observed 106 service interruptions and over 12 hours of downtime for Visa since we started monitoring yesterday at 9 PM:

Visa.com Downtime

Update – 12/8/2010 – 4:14 PM
Twitter has suspended the @anon_operation account.

Update – 12/8/2010 – 8:11 PM PST
Operation Payback has selected PayPal as a target again. We observed PayPal’s very first downtime at 6:43 AM today and the site has been going up and down ever since.
We have observed 33 minutes of total downtime and response times in the 2,600–4,000 ms range.
PayPal Downtime
PayPal Response Time

Update – 12/8/2010 – 9:00 PM

If you have been following our blog post today, then you may know that we were under a constant and steady DDoS attack throughout the day.  In the spirit of this post, I’ll go ahead and announce that the PandaLabs blog sustained 139 service interruptions and over 5 hours of downtime today.  It’s still unclear as to who exactly is to blame for the attack, but it’s obvious that they did not want these attacks documented for the general public.

People have been asking me all day if there is some sort of “patriot response” to Operation Payback and there is no doubt in my mind that an initiative does exist, but no one besides @Th3J35t3r has publicly “attacked back” and he/they still haven’t said anything about these latest attacks.
So, what makes me think that there is some sort of underground patriot response?  Well, let’s take a look at the statistics….
The Operation Payback website has sustained a series of DDoS attacks despite being hosted in Russia on a “bulletproof” server specializing in anti-DDoS.
Anonymous Website Downtime

The Anonymous chat server has periodically become flooded with bots. Here is some of what they had to say:
Flood bots invade #WikiLeaks

PandaLabs Blog Downtime:
PandaLabs Blog Downtime

I expect more counter-attacks as Operation Payback progresses, but it’s still unclear if these patriots will ever make themselves publicly known.

Update – 12/9/2010 – 1:13 AM
There are currently over 500 computers in the voluntary botnet (LOIC Hivemind). They are all targeting paypal.com (note: not www.paypal.com), which has been unresponsive for the past 1 hour 20 minutes and counting.

Check back frequently for updates.
