On-going DDoS attacks against Iranian websites
Par Pierre CARON, mercredi 24 juin 2009 à 11:28 :: General :: #316 :: rss
Denial of service encouragement messages have been published on various websites since roughly a week. These messages target Iranian governmental websites; see, for instance, this blog post that was published on June 21st on Twitter.
This call to action was relayed through hundreds of Twitter user accounts (link, link, link). The choice of this specific social networking platform was indeed good, as hundreds of Twitter users read and copied the message on their own feeds; moreover, the call to action was incidentally published on dozens of news websites covering the events in Iran, as these websites automatically syndicate "twits" using search keywords related to Iran. The message could therefore be read directly next to press articles, giving the call to action a comfortable visibility in a short timeframe [link].
The tool enabling this attack was named "Page Reboot". It consists of a PHP script that opens on a single page dozens of redirect frames pointing at Iranian websites, being refreshed at a chosen rate. At the beginning of their attack, the hacktivists were using the PageReboot.com web service ; then they wrote their own script for an easier deployment on several web servers of their choice (such as WhereIsMyVote.info which is now offline). This way, the attackers could migrate the script whenever they want, so as to keep the attack up and running. An example of this is the website http://91.199.0.11/ that was hosted in France; this website was pre-configured to attack the following targets:
- http://www.Presstv.ir
- http://www.Leader.ir
- http://www.Kayhannews.ir
- http://www.farsnews.com
- http://www.farsnews.ir
- http://www.Irib.ir
- http://www.Irna.ir
- http://www.mfa.gov.ir/cms/cms/Tehran/fa/index.html
- http://www.Moi.ir
- http://www.Police.ir
- http://www.Justice.ir
- http://www.live.irib.ir
- http://www.iribnews.ir
This tool was set up by an individual identified under the nickname "Zampf". He also published on his Twitter feed technical details about the IT technologies deployed on the targeted Iranian governmental websites.
Dancho Danchev's weblog [link] also presents other rudimentary DoS tools that could be downloaded by cyber-activists. These tools are executable files, which target similar websites. What seems different about this attack from previous "nationwide" DDoS attacks (in Estonia and Georgia for example) is the lower level of technical skills of the attackers: until now, no botnets seems to have been involved in this attack. As a result, the efficiency of the attack is unclear, as some targets appear undisturbed, others being slightly slowed down, and a few of them being taken completely offline.
Interestingly enough, this campaign seems to have started on IRC channels, such as #iran, #iranelection, #hackers, #iran09, #mousavi, #basij, #GR88, #neda (named after the woman who was shot to death, and whose agony was filmed on a cellphone and quickly spread all over the world). Far from being perfectly coordinated, this movement also has its detractors, which can also be read on Twitter: some people are calling to stop the DDoS attack, for various reasons -- one of them being that it would be more efficient to surgical-hack those government websites [link].
Anyway, these attacks clearly illustrate political activist campaigns on the Internet, and the ease even for unstructured activist groups to quickly develop technical tools in order to get itself heard.