Inside Cyber Warfare - Jeffrey Carr [86]
Links to automated DDoS tools were circulated, along with recommended target websites. For example, Jose Nazario wrote on his blog Security to the Core:
Here’s a peek at one such script [Figure 10-1], using the “page reboot” site as a basis for the tools. Page reboot uses a very simple method, namely use Javascript to reload the URL in the page repeatedly. The browser will happily do so, just like the user was sitting there hitting F5 in their Internet Explorer. This can cause some stress on the attacker’s specific machine, reveals their IPs through the HTTP connections, and is trivial to filter, but is growing in popularity.
Figure 10-1. IFRAME elements embed a remote page into a local page
In this case someone’s put together a single page of HTML with multiple “IFRAME” elements which embed the remote page into the local page. This is a simple magnifier of the local site’s effect but has the effect of diminishing results: the attacker’s machine slows down for all attacks as it loads them and consumes more bandwidth as it loads all of the pages again and again.
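Nazario's points that these reload scripts reveal the sender's IP address and are trivial to filter can be made concrete from the defender's side. The following is an added example, not code from the book or from Nazario's blog: it scans web server access logs for a client that fetches the same URL at near-constant intervals. The Combined Log Format input, the thresholds, the function name find_reloaders and all addresses and log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import pstdev

# Combined Log Format fields used here: ip, timestamp, request path, referer.
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def find_reloaders(lines, min_hits=10, window=60, max_jitter=1.0):
    """Return (ip, path, top_referer) for clients that fetch one URL at least
    min_hits times within `window` seconds at near-constant intervals."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, path, referer = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(ip, path)].append((when, referer))
    flagged = []
    for (ip, path), events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - min_hits + 1):
            run = times[i:i + min_hits]
            if (run[-1] - run[0]).total_seconds() > window:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(run, run[1:])]
            # A timer-driven reload gives almost identical gaps; a person
            # pressing F5 does not.
            if pstdev(gaps) <= max_jitter:
                top_ref = Counter(r for _, r in events).most_common(1)[0][0]
                flagged.append((ip, path, top_ref))
                break
    return flagged

def _line(ip, sec, path, referer):
    # Builds one constructed log line; `sec` is seconds after 10:00:00.
    return (f'{ip} - - [15/Jun/2009:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120 "{referer}" "Mozilla/4.0"')

# Constructed sample: one scripted reloader (every 2 s) and one human visitor.
SAMPLE = (
    [_line("203.0.113.7", 2 * i, "/", "http://reloader.example/") for i in range(12)]
    + [_line("198.51.100.20", s, "/", "-") for s in (0, 1, 10, 12, 26, 29, 37, 38, 49, 53)])

if __name__ == "__main__":
    for hit in find_reloaders(SAMPLE):
        print(hit)
```

The jitter threshold is a tuning assumption: a server that slows under load stretches the gaps unevenly, so a production filter would pair this check with a plain per-IP rate limit.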
A Norwegian journalist created a “Cyberwar Guide for Beginners” that provides guidance in a number of areas of interest to the global online community that is watching events unfold and wants to do something to help:
The purpose of this guide is to help you participate constructively in the Iranian election protests through twitter:
Do NOT publicise proxy IPs over twitter, and especially not using the #iranelection hashtag. Security forces are monitoring this hashtag, and the moment they identify a proxy IP they will block it in Iran. If you are creating new proxies for the Iranian bloggers, DM them to @stopAhmadi or @iran09 and they will distribute them discreetly to bloggers in Iran.
Hashtags, the only two legitimate hashtags being used by bloggers in Iran are #iranelection and #gr88, other hashtag ideas run the risk of diluting the conversation.
Keep your bull$hit filter up! Security forces are now setting up twitter accounts to spread disinformation by posing as Iranian protesters. Please don’t retweet impetuously, try to confirm information with reliable sources before retweeting. The legitimate sources are not hard to find and follow.
Help cover the bloggers: change your twitter settings so that your location is TEHRAN and your time zone is GMT +3.30. Security forces are hunting for bloggers using location and timezone searches. If we all become ‘Iranians’ it becomes much harder to find them.
Don’t blow their cover! If you discover a genuine source, please don’t publicise their name or location on a website. These bloggers are in REAL danger. Spread the word discreetly through your own networks but don’t signpost them to the security forces. People are dying there, for real, please keep that in mind.
Denial of Service attacks. If you don’t know what you are doing, stay out of this game. Only target those sites the legitimate Iranian bloggers are designating. Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off.
Do spread the (legitimate) word, it works! When the bloggers asked for twitter maintenance to be postponed using the #nomaintenance tag, it had the desired effect. As long as we spread good information, provide moral support to the protesters, and take our lead from the legitimate bloggers, we can make a constructive contribution.
Please remember that this is about the future of the Iranian people, while it might be exciting to get caught up in the flow of participating in a new meme, do not lose sight of what this is really about.
Unfortunately, by engaging in DDoS attacks, an individual may