Tuesday, June 16, 2009

Armchair CyberWarriors: Twitter and #IranElection

Our friends over at ThreatChaos let us know about the newest "CyberWar" in their blog this morning, so we went over to Twitter (yeah, follow /garwarner) and decided to check things out for ourselves.

Apparently the Moral Compass of the Internet is currently indicating that CyberWar is a harmless feel good activity that Americans should be involved in. Let me quickly go on the record to say: ALL DDOS ACTIVITY IS A CRIME AND SHOULD NOT BE ENCOURAGED OR CONDONED IN ANY CIRCUMSTANCE

First, let's get the legal part out of the way. In the United States, the relevant code is Title 18 Part I Chapter 47 § 1030(a)(5)(A)(i), which says that anyone who:

(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

is in violation of the law and can be fined and imprisoned for up to one year (unless their intrusion causes medical or physical harm, or unless they are already a convicted felon, or unless they seek monetary gain, in which cause the penalties go up).

So, is the president of Iran's website a protected computer? No, probably not. But any computer engaged in Interstate commerce is a protected computer. For example, all of the computers belonging to your ISP, which you are placing load on by your criminal activity. If it turns out you were collaborating with others in order to cause this activity to occur, say for instance, all of your buddies on Twitter, then you could also be said to be part of a Conspiracy, but we won't get into that here.

Before we spend any more time on the wisdom of deciding as a private citizen to declare war on a foreign power, let's see what's actually going on in Twitter-space with regards to this DDOS:

Esko Reinikainen of Wales is offering this #iranelection cyberwar guide for beginners, which includes some Ghandi type actions, such as identifying yourself as an Iranian blogger with a time zone of GMT +3.30, on the theory, I suppose, that Iranian security forces will get confused as they seek out the real Iranian bloggers, and book a flight to Wales or the United States to stop the blogger. His point #6 is:

6. Denial of Service attacks. If you don't know what you are doing, stay out of this game. Oly target those sites the legitimate Iranian bloggers are designating. Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off.

Of course you can tell the "legitimate" Iranian bloggers, because they use the tags "#iranelection" or "#gr88" in their posts.

Many of those calling for DDOS attacks are harmless voices that suggest things like:

/nzmrmn - #DDOS this http://isna.ir/ISNA/Default.aspx?Lang=E 1. Load page in browser 2. Hit refresh a million times. 3. ??? 4. Profit!

Others call for DDOS but offer no guidance whatsoever:

/vwkess - ...keep DDOS attacks.

While others promise that the DDOS is having a great affect, such as:

/FREETHEFUTURE: RT UNCONF: News from Inside Tehran #DDOS affecting police communications, not able to track protestors PLZ RT!!

which is being heavily retweeted:
/djd1414, /FreePersians, /ian_lcv, /momsprissy, /Chromedaffodils, /z3bbster, TheBarRag, etc., etc.

Given the high tech crowd on Twitter though, it was certain that someone would come along and build a better mousetrap. Many Twitter folks discussed using "PageReboot.com" early in the DDOS. Giving this site a URL is an easy way for the site to be constantly reloaded. While historically the site has received little traffic, and almost all of it from China (88%), the MediaTemple hosted site is now showing that 25% of its traffic originates from Tehran.

/ElizabethFinn God/Allah bless everyone fighting in Iran. Set your browsers to http://www.pagereboot.com/?url=http://www.khamenei.ir/&Refresh=1 Goodnight.

/Tigrael http://www.pagereboot.com/?url=http://www.farhang.gov.ir/&refresh=1

/protactinium84 Hurt websites. http://www.pagereboot.com Set to 1. http://www.khamenei.ir/ http://www.presstv.ir/ www.President.ir http://www.irna.ir

/kamaleddin RT Lets take this down everybody CopyPasteKeepOpen http://www.pagereboot.com/...www.bornanews.ir&refresh=1 Let EVERYONE know.

The site was taken down, however, as the Twitter's reported:

/iran88 - pagereboot.com used for DDOS attacks in Iran is purposely DOWN.

One popular tweet offering a replacement for the original "PageReboot" is suggesting that people visit the site "whereismyvote.info". At the moment 9 of the 16 targeted pages are unreachable.

The site actually loads a webframe from "www.my-persia.com/ie", which in turn loads 16 frames named "Frame1.html" through "Frame16.html".

Each of these frames is using a service called "PageReboot" which causes the frame to reload itself once per second, so that visiting the single webpage will cause each of 16 "targeted" sites to be visited every second by each person viewing the page. The pages currently targeted by My-Persia are:

1. www.irna.ir = a search string is used to maximize the load on the server.
2. farsnews.com
3. www.rajanews.com = a search string is also used here to maximize the load on the server.
4. www.ahmadinejad.ir
5. www.leader.ir = a search for "khamenei" is used
6. www.president.ir = this site is actually still online despite being the most targeted of the campaign. Located on
7. www.irib.ir
8. www.iribnews.ir
9. www.kayhannews.ir = this site is the second one responding as live in my current visit.
10. farsi.khamenei.ir = actually sends a message back, saying that "Your IP, location, and other information has been recorded! Security Defence Team!"
11. www.entekhab10.net
12. www.isna.ir = also live, hosted at, which means DDOSing this box is an attack against a computer in Ontario Canada.
13. presstv.com = also live, hosted at
14. www.moi.ir = also live, hosted at
15. english.iribnews.ir = also live, hosted at
16. www.leader.ir = using a search

Other sites also are being put out to do "refreshes" automatically, such as:

/uberguru - who points us to "refreshthing.com" currently being used to DDOS isna.ir

/iran88 - Use refreshthing.com instead of pagereboot if it is down

/ironcamel - provides a pointer to a list of Iranian embassies around the world and suggests those as better DDOS targets: http://www.embassyworld.com/Iran/

/Spooky_Fox - providing a list of proxies to use to perform your DDOS on the site "iran.whyweprotest.net" -- people logging in there are posting offers for proxies to allow "anonymized" twitter posting. Of course following the general theme of paranoia that this whole site is based upon, one has to ask how we know those aren't Iranian security forces offering the proxies??

Others are asking people to STOP the DDOS, such as:

/iron_riots - "RT: Pls stop DDOS on iran's website they slow down the entire countries internet"

/B2020 - (same thing)

/OrangeCorner - offers a link on Daily Kos on why NOT to DDOS Iran. I agree with the general argument ( http://www.dailykos.com/story/2009/6/15/742591/-Do-NOT-DDOS-Iranian-websites ), but please don't tell my Fox News mother-in-law I agreed with something on Daily Kos, or she won't cook me dinner tonight!

/danteimprimis - Iranians reporting that the DDOS attacks on gov't sites are hurting overall bandwidth. May be satisfying, but we should stop.

/danielsandberg - To #IranElection protestors: DO NOT DDOS Iranian gov websites:

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.