Iran DDOS



There have been a variety of good reports (ZDNet, SANS, FP) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See http://www.fraw.org.uk/download/ehippies/archive/op-01.html, http://www.fraw.org.uk/download/ehippies/archive/op-01a.html, http://www.thing.net/~rdom/ecd/archives.html

I think that one of the issues that’s being overlooked is the mobilization and participation component. To just DDOS a site, it’s easier to use/buy/rent/etc… a botnet. That involves few people, it is easy, and it is effective. To get a bunch of people to basically refresh a site (even if they are using some rudimentary automated tools) requires participation. I have doubts about whether the downtime of the targeted sites is due to this type of attack. I suspect that there are likely other attacks involved that do the heavy lifting.

“But to think that it takes a lot of people to execute an act of civil disobedience on the Internet is naive. Programs make a difference, not people.” — Oxblood Ruffin, cDc

Anyway, I’m finding that these sites are unavailable:

16/06/09 12:18 http://ahmadinejad.ir/ 217.218.155.110 503
16/06/09 12:18 http://www.justice.ir/ 62.193.12.10 503
16/06/09 12:18 http://www.iranjudiciary.org/ 62.18.21.156 (51, ‘Network is unreachable’)
16/06/09 12:18 http://rajanews.com/ 10.7.222.162 (51, ‘Network is unreachable’)
16/06/09 12:18 http://www.farsnews.com/ 77.104.73.15 (61, ‘Connection refused’)
16/06/09 12:18 http://www.leader.ir/ 62.220.121.130 (61, ‘Connection refused’)
16/06/09 12:18 http://www.president.ir/ 80.191.69.11 timed out
16/06/09 12:18 http://www1.farsnews.com 77.104.73.16 timed out
16/06/09 12:18 http://www.irna.ir/ 81.12.51.146 timed out
16/06/09 12:18 http://www.police.ir/ 81.28.32.52 timed out
16/06/09 12:18 http://www.mfa.gov.ir/ 217.172.99.41 timed out

The defacers seem to be out too:

http://zone-h.org/mirror/id/9003285

One comment.

  1. We can assume that another kind of attack was made in order to permit a stronger, faster and easier DDoS.
    And it is not unthinkable that hacktivists conducted preventive spotting operations on Iranian government systems to find where and how to strike.

    To complete your point of view, both theories about mobilization are plausible but, if the Iranian government had some kind of proof about low participation in the DDoS and about the simple use of automated attacks to suggest that hacktivists were numerous, we would already have been informed of the trick in order to minimize foreign perception of the DDoS.
