Site icon Panda Security Mediacenter

‘Tis the Season of DDoS – WikiLeaks Edition

Scroll to the bottom for the latest updates…

DDoS attacks are flying across the Internet like there is no tomorrow.  Just a few days ago, a hacktivist operating under the handle “th3j35t3r” decided to single-handedly take down the Wikileaks website with a DoS tool of his (or their) own creation.  He issued a statement on Twitter shortly after explaining that the attacks against the WikiLeaks website were made for “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations.”   According to our statistics, his attacks resulted in 1 day 3 hours and 50 minutes of downtime for WikiLeaks before the site was completely yanked offline by Amazon and EveryDNS.

Note: Initiating a DDoS attack is illegal in many countries and we do not recommend that you participate in this or future campaigns.

On the other side of the attack spectrum, the anonymous attackers involved in Operation:Payback have vowed to take a temporary break from their mega-assault on the entertainment industry in order to spend some time helping WikiLeaks.  Their first attack has been set on PayPal, after the U.S. based company closed its doors on WikiLeaks citing an AUP violoation.

PayPal issued the following statement on their blog:

“PayPal has permanently restricted the account used by WikiLeaksdue to a violation of the PayPal Acceptable Use Policy, which states that our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity”

Shortly after the PayPal announcement, Anonymous decided that the PayPal Blog would be its first DDoS target in Wikileaks related counterattacks.

The following statements were released on an Anonymous Twitter account:

“TANGO DOWN — thepaypalblog.com — Blog of Paypal, company that has restricted Wikileaks’ access to funding. #Paypal #Wikileaks #WL #DDoS”

“Close your #Paypal accounts in light of the blatant misuse of power to partially disable #Wikileaks funding. Join in the #DDoS if you’d like”

According to our stats, ThePayPalBlog.com has been down as of 4AM PST on 12/4/2010 and shows no sign of coming back online anytime soon.

Anonymous organizers had this to say in regards to the temporary switch in focus,

While we don’t have much of an affiliation with WikiLeaks, we fight for the same: we want transparency (in our case in copyright) and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we can not say what we think and not  express how we feel. We can not let this happen, that is why we will find out who is attacking WikiLeaks and with that find out who tries to  control our world. What we are going to do when we found them? Except for the usual DDoSing, word will be spread that whoever tries to silence or discourage WikiLeaks, favors world domination rather than freedom and democracy.”

 

 

Update – 12/4/2010 – 10:50 AM PST:

After nearly 7 hours of constant attacks, the PayPal blog has either been deleted or permanently taken offline.  Accessing the blog this morning revealed the following 403/access forbidden error:

403 error on ThePayPalBlog.com

Update – 12/4/2010 – 1:24 PM PST:

ThePayPalBlog.com is no longer resolving to the 403 error page and is completely down again.

Update – 12/4/2010 – 2:50 PM PST:

PayPal has reduced its entire blog to a plain text statement regarding their decision to suspend WikiLeaks.

PayPal Blog Notice

Update – 12/5/2010 – 1:28 PM PST:

ThePayPalBlog.com is now back up after 75 service interruptions and 8 hours 15 minutes of total downtime.  This report doesn’t take into account the many hours that ThePayPalBlog.com resolved to a 403 error.

ThePayPalBlog.com

Update – 12/6/2010 – 3:06 AM PST

Official plans to support WikiLeaks have been announced.

Update – 12/6/2010 – 12:00 PM PST

Anonymous has launched its second attack on the main PayPal website.  Minutes after they announced the launch of the attack, their infrastructure started to take a hit.  Their website is now unavailable and presumably under counter DDoS attack.

The following poster has been circulating on the Internet:

Anonymous :: Paypal Attack Poster

Update – 12/6/2010 – 12:30 PM

They are now going after postfinance.ch, the bank that took down Julian Assange’s defense

fund.  We have recorded 5 minutes of downtime so far.

Update – 12/6/2010 – 1:52 PM

The attack on postfinance.ch is ongoing.  The site first went down at 12:33 PM PST and has been down for over one hour.

postfinance.ch downtime

Update – 12/6/2010 – 3:02 PM

The Anonymous website is currently under heavy DDoS attack.  We’ve observed just under 2 hours of downtime and 23 service interruptions since the pro-wikileaks attacks started this morning.

Anonymous Counterattack

Update – 12/6/2010 – 5:07 PM

The attack against PostFinance.ch is still underway.  We have observed 4 hours 41 minutes of continuous downtime since the attack started.

In addition to the DDoS attack, some Anonymous members are spamming PostFinance offices with the following image.

Update – 12/7/2010 – 12:03 AM

The attack against PostFinance.ch is still going strong with 11 hours 35 minutes of recorded downtime and counting.

This DDoS is one of the first successful attacks on a financial institution and is getting in the way of customers doing business with the company.  One user wrote on Twitter, ” #payback can you stop the DDoS on postfinance for 10 minutes so that I can bank please? pretty please?”

#payback can you stop the DDoS on postfinance for 10 minutes so that I can bank please? pretty please?

Update – 12/7/2010 – 9:30 AM

Anonymous attacked postfinance.ch well into last night, with 16 hours and 30 minutes of recorded downtime.  The chat room currently has over 900 people joining in on the attack, as well as over 500 computers involved in their voluntary DDoS botnet (LOIC HIVEMIND).

(Low Orbit Ion Canon) is a DDoS tool developed by the attackers to carry out their DDoS attacks.  The software allows users to insert a command and control address into the application, which will then automatically connect their computer to the “HIVEMIND” and immediately start attacking a predetermined target.

Here is what the software looks like:

 

Update – 12/7/2010 – 9:44 AM

The target has switched over to http://aklagare.se, the Swedish prosecutors.  The website was down instantaneously after the target was selected with over 500 computers in the voluntary botnet attacking the site all at once.

Update – 12/7/2010 – 10:16 AM

Over 1000 people have joined the chat to participate in the attacks against anything anti-WikiLeaks.

 

Update – 12/7/2010 – 2:10 PM

We have recorded 4 hours 26 minutes of downtime for Aklagare.se, since the attack started focusing on the site at 9:44AM PST

Update – 12/7/2010 – 3:06 PM

The target has been switched to EveryDNS.com, the DNS provider that took WikiLeaks down. The target was announced at 2:52 PM PST and the website was taken down just one minute later at 2:53 PM PST.  We have 10 minutes of recorded downtime and counting:

Update – 12/7/2010 – 3:51 PM

The target has now been changed to http://lieberman.senate.gov.  This marks the first time Operation Payback has targeted a government site under “Operation Avenge Assange.”

Update – 12/7/2010 – 4:16 PM

We have recorded the first downtime for lieberman.senate.gov.  There are currently just under 1,000 attackers in the chat room and almost 600 computers connected to the voluntary botnet.

http://lieberman.senate.gov went down for 1 minute at 4:11 PM PST:

lieberman.senate.gov downtime

Update – 12/7/2010 – 4:56 PM

has been under a constant DDoS counter-attack, but the attacks against the site intensified shortly after announcing the attack on Senator Lieberman’s website.  We’re not sure who exactly is involved in the retaliation against the group, but we suspect that it may be a group of patriots attempting to protect the greater interests of the United States of America.

Here is a uptime graph of Operation:Payback’s website:

DDoS against Operation:Payback

Update – 12/7/2010 – 5:54 PM

The attack on lieberman.senante.gov ended with 8 service interruptions and 12 minutes of downtime.  The attack is now back on e-finance.postfinace.ch, which has been hit the hardest with 61 service interruptions and 1 day 2hours 36 minutes of downtime.

lieberman.senate.gov downtime

Update – 12/7/2010 – 7:20 PM

They have switched targets to www.advbyra.se, the lawyer of the 2 girls who were allegedly raped and/or assaulted by Julian Assange.

The site took only 1 minute to bring down and has been down for the past 15 minutes.

Update – 12/7/2010 – 8:15 PM

A small group of Anonymous protesters (not everyone) have started attacking Sarah Palin’s website (sarahpac.com) in retaliation for stating that Assange should be hunted like a terrorist.  We have observed 6 minutes of downtime so far.

This highlights the fact that no one is “in charge” of this attack campaign.  These attackers make target suggestions and follow along at will… even if just a few of them are on board with it.

Update – 12/8/2010 – 1:56 AM

We have observed 256 service interruptions and 94 hours of combined downtime since these attacks started on December 4th.  We also observed over 8 hours of  counter-ddos downtime on the attackers (anonops.net) site.

Below you will find our latest updated downtime tracker:

Note: Each site name can be clicked on and will take you to the corresponding part of the blog post.

Site Interruptions Downtime (h:m)
ThePayPalBlog.com 77 8:19
PostFinance.ch 55 33:08
e-finance.postfinace.ch 61 33:07
www.aklagare.se 11 13:00
everydns.com 4 0:31
lieberman.senate.gov 8 0:12
ADVBYRA.SE 32 5:11
sarahpac.com 8 0:25
TOTAL 256 94 hours

 

Update – 12/8/2010 – 2:37 AM

This attack campaign evolves so quickly that they already started targeting MasterCard.com while I wrote my last update for the night.

Mastercard Takedown Announcement

MasterCard.com first went down at 1:14 AM PST with 4 service interruptions and is currently experiencing 1 hour+ of ongoing downtime.

MasterCard.com Downtime

Update – 12/8/2010 – 3:17 AM

The Internet hosting provider (space2u.com) of the Lawyer representing the 2 girls who were allegedly raped/assaulted by Julian Assange has voluntarily suspended the ADVBYRA.SE website indefinitely.

Here is a snip of the conversation taken from the chat:

 

This marks the first time a website has been voluntarily removed by an ISP as a direct result of “Operation Avenge Assange.”

Update – 12/8/2010 – 5:18 AM

Mastercard.com is still down with 940 computers in the voluntary botnet attacking the site all at once. We have 3 hours 57 minutes of recorded downtime so far.

Update – 12/8/2010 – 8:24 AM

Mastercard.com is still selected as the main target and has not came back online since our last report.  7 hours of downtime and counting.

The amount of participants in the attackers chat room have soared to over 2200 people and there are currently over 1,700 computers in the voluntary botnet.

Update – 12/8/2010 – 12:26 PM

Mastercard.com still under attack with 11 hours of downtime and counting, but the target will change to Visa.com at 1 PM PST.

This is the first time that the group officially targets Visa.com, but we have already observed 106 service interruptions and over 12 hours of downtime for Visa since we started monitoring yesterday at 9PM.

 

Update 12/8/2010 – 4:14 PM

Twitter has suspended the @anon_operation account.

Update  – 12/8/2010 – 8:11 PM PST

Operation Payback has selected PayPal as a target again.  We have observed PayPal’s very first downtime at 6:43 AM today and the site has been going up and down ever since.

We have observed 33 minutes of total downtime and response times in the 2,600-4,000 ms region.

PayPal Downtime
PayPal Response Time

Update – 12/8/2010 – 9:00 PM

 

If you have been following our blog post today, then you may know that we were under a constant and steady DDoS attack throughout the day.  In the spirit of this post, I’ll go ahead and announce that the PandaLabs blog sustained 139 service interruptions and over 5 hours of downtime today.  It’s still unclear as to who exactly is to blame for the attack, but it’s obvious that they did not want these attacks documented for the general public.

People have been asking me all day if there is some sort of “patriot response” to Operation Payback and there is no doubt in my mind that an initiative does exist, but no one besides @Th3J35t3r has publicly “attacked back” and he/they still haven’t said anything about these latest attacks.

So, what makes me think that there is some sort of underground patriot response?  Well, let’s take a look at the statistics….

The Operation Payback website has sustained a series of DDoS attacks despite being hosted on a “bulletproof” server specializing in anti-ddos and hosted in Russia.

Anonymous Website Downtime

The Anonymous chats server has periodically become flooded with bots.  Here is some of what they had to say:

Flood bots invade #WikiLeaks

PandaLabs Blog Downtime:

PandaLabs Blog Downtime

I expect more counter-attacks as Operation Payback progresses, but it’s still unclear if these patriots will ever make themselves publicly known.

Update – 12/9/2010 – 1:13 AM

There are currently over 500 computers in the voluntary botnet (LOIC Hivemind).   They are all targeting  paypal.com (note: not www.paypal.com), which has been unresponsive for the past 1 hour 20 minutes and counting.

Update: 12/9/2010 – 11:15PM – Luis Corrons:

A JS version of LOIC is available for the participants of the attack, only a browser is needed, so you can even launch the attack from an iPhone.

 

 

Update: 12/10/2010 – 2:20AM – Luis Corrons:

 

Attacks are going on in all directions. While the next step was to attack amazon.com, Anonymous’ server infrastructure was heavily attacked, and in fact they have been taken offline for a long period of time during the day. Right now they are currently regrouping and strategizing for future attacks.

Here is an uptime graph of Operation:Payback’s website:

Anonymous Website Downtime


Update 12/10/2010 – 12:00 PM PST


There have been reports of a new Anonymous initiative called “Operation:Leakspin,” which is aimed at reviewing and exposing sensitive confidential information taken from the WikiLeaks releases.

Here is the announcement image:

Operation:Leakspin

In speaking to Operation:Payback organizers, they have maintained that they have nothing to do with this new initiative.  This highlights the fact that a group like “Anonymous” has no leaders and therefore cannot be easily controlled.  Members split up and form their own initiatives when they want or feel the need to.  In this case, we suspect that this new initiative came to light after Operation:Payback communication infrastructure was crippled most of yesterday and today.  It’s still unclear as to what the strategic direction of the Operation:Payback will be in the future, but it looks like the original group is starting to split up into several splinter operations.

Update: 12/11/2010 – 12:10 PM

Operation:Payback is back after suffering from infrastructure issues, which caused their IRC network to be unavailable for quite some time.  The chat room is currently filled with over 1,200 users, many of which are targeting mastercard.com.

Mastercard.com started to slow down at around  6:43 AM PST this morning and went down completely at 12:27 PM PST.   We have recorded a total of 1 day 13 hours and 23 minutes of downtime for mastercard.com since the attacks started on December 8th.

Mastercard Downtime Graph

Update – 12/11/2010 – 2:03 PM

Many people have asked us how the anonymous voluntary botnet (LOIC hivemind) works.  After the LOIC DDoS tool is installed and running on a computer, the user must first insert the command and control (IRC) server into the program.  Once the C&C is set, the software will then automatically connect the computer to the #loic IRC control chat room under the user name LOIC_+6 random alphanumeric characters.

The person in control of the #loic chat room (in this case @BillOReilly) will then set the topic to initiate the coordinated attack on all of the volunteer computers.  Here is what a typical command looks like:

!lazor default targethost=targetdomain.com subsite=/ speed=20 threads=20 method=tcp wait=false random=true

Here is a screenshot of what the room looks like:

Note:  Initiating DDoS attacks is illegal in many places in the world.  We do not recommend that anyone participates in these attacks!

Operation Payback :: Hivemind Voluntary Botnet (click to enlarge)

Update – 12/13/2010 – 2:31 AM – Luis Corrons

A second person has been arrested in the Netherlands for having joined the DDoS attacks coordinated by Anonymous. In some countries, such us the Netherlands or UK, participating in these kind of attacks is considered a crime, while in others there is no yet legislation on this topic.

It is important to note that the LOIC (Low Orbit Ion Canon) tool provided by Anonymous doesn’t mask the IP address of the user, so anyone using this will be sending his IP address with the attack.

Update – 12/13/2010 – 8:30AM PST – Sean-Paul Correll

There have been wide scale attempts at shutting Operation:Payback down.  One server operator going by the handle MoztoX told us that one of his servers was DDoS’d well into late last night. “We’re receiving 130kb packets coming in at a rate of 80MBit/s,” he said.  Another Operation Payback organizer said that the attacks were, “fairly powerful,” but that “nothing is ever cancelled / OP will be here until we are no longer needed / our stated mission and goals remain.” When asked where he thought the attacks were coming from, he simply stated, “unsure at the moment,” “…the obvious assumption would be twofold / companies that have been targeted by the users of our irc is one / 2 would be anyone else out there who disagrees with our views”

The graphs MoztoX provided (below) show a sudden 1000% increase in traffic:

Packets Per Second graph provided by Maxtor
Traffic graph provided by MoztoX

Twitter and Facebook have also made attempts at silencing the group by suspending organizer profiles, which lead from having just a few “official” profiles to a ton of unconfirmed profiles. The situation has escalated to the point where several groups are releasing statements out to the media without the knowledge of the original Operation:Payback organizers.  In addition, the publication of the arrests taking place in the Netherlands has lead to a steady stream of incoming Dutch supporters.  They even have their own chat room inside of the network.

From our view, this sudden increase of supporters mixed with takedown efforts are creating a splintering effect, where the original organizers are tasked with focusing on reacquiring infrastructural assets instead of strategic direction of the group.  A great example of this was the Operation:Leakspin initiative, which came to light after the group sustained one of its first hard hitting DDoS attacks. These destabilization efforts have left many supporters unclear as to what the direction of the group is and we started observing smaller coordination efforts all with slightly different missions from what the organizers originally intended for Operation:Payback.  One example of this is the Operation:Daylight initiative, which was created by a former Operation:Payback organizer.

These changes are going to make reporting and confirmations extremely difficult because there is no longer a central source of communication with the organizers.  This is not one massively coordinated campaign anymore, it’s pure anarchy.

Update – 12/13/10 – 11:00 PM PST – Sean-Paul Correll

The following image urging Anonymous members involved with Operation:Payback to “securely delete” all logs and cease all illegal activity immediately has been making its rounds on the Internet.

 

 

Ridiculous, this is an obvious ploy to try and scare people away,” said one Operation Payback organizer going by the handle “shitstorm”

The image goes on to state that DDoS supporters are at low risk if they were just observers (lurker), medium risk if they downloaded the DDoS tools, and at high risk if they used the DDoS tools.  The organizers that I spoke to do not agree with the message in this image and even went on to bash the spelling errors in the image. “It’s a troll,” stated another organizer who wished to continue to remain Anonymous.

I should point out (as we have before) that the voluntary botnet connections are not encrypted or obfuscated in any way.  IP information is transmitted to whichever site the group is attacking, so it’s entirely possible to be traced back.

Another cause for supporter concern is that the organizers could have accepted a server donation (leaf node) from an untrusted source, which could mean that the administrator of this node would have access and logs to all of the information across the entire network.  The organizers stated that they don’t think this has happened and that they have a vetting process for new server applicants, although they would not disclose their qualification methods with us.

Update – 12/14/10 – 12:43 AM PST – Luis Corrons

A small group within Anonymous has started the Operation Payback, Mission: Leakflood

It is the first FaxDDoS I have ever seen. This is the “official” announcement:

Update – 12/14/10 – 4:23 AM PST – Luis Corrons

As a self-defined anarchic group, Anonymous has many different things going on at the same time. This particular one has attracted my attention, as it means to take the protest from the Internet to the real life. Called “Operation Paper Storm”, the idea is to have the streets plastered with propaganda the next Saturday December 1.

Update 12/14/2010 – 11:38 AM – Sean-Paul Correll

According to organizers, Google was also among the companies silencing the group. Operation Payback organizers used Google docs to store campaign fliers, as well as conduct polls to determine future targets.  It’s unclear as to which part(s) of the Google TOS  have been violated by the group, but according to the organizers, several of these polls have been taken offline by the company.

Google Docs TOS

Update – 12/15/2010 – 3:52 PM

There is a small splinter group (20-30) who are attacking a Venezuelan government website.  Their reason behind the attacks?  President Chavez wants to take steps to censor the Internet in Venezuela.

Operation Payback organizers said that they do not have anything to do with these attacks, but that they could not stop people from doing them.  “We don’t support them, but hey, it’s a free world,” said an organizer.

It’s unclear as to what the present direction of Operation Payback is, as no official target has been selected for quite some time.  For now it seems that Operation Payback organizers are satisfied with what they’ve done so far. “We have accomplished more than I ever thought possible,” said one organizer.

As for the group of individuals targeting Venezuelan government sites, the site has been down ever since we started monitoring it with over 1 hour of total downtime.

The organizers of that group have also said that they have more Venezuelan targets in mind for the near future.

 

Check back frequently for updates.

Exit mobile version