Iran DDoS Activity: Chatter, Tools and Traffic Rates

I’m here in Talinn at the CCD COE Cyber Warfar Conference listening to Martin Libicki’s perspectives on information warfare in modern warfare theories. This is an interesting week to be here with last week’s Charter97 attacks in Belarus (with someone from Charter97 speaking yesterday) and the unrest in Iran leading to a wealth of activity.


As Craig wrote earlier this week (and he’s continuing his analysis, I hope it gets written up soon) there’s some large-scale filtering going on in Iran, visible from the outside world as a bandwidth drop. This has major implications for any attacks inbound:

The struggle for transit capacity becomes a zero-sum game, because of the requirement that domestic providers come to a central place (DCI) for their international bandwidth and to exchange traffic with each other. In other words, if you attack a pro-government site, you are almost certainly also stealing bandwidth from pro-opposition sites.

Jim Cowie, CTO of Renesys, quoted by Evgeny Morozov in a blog entry entitled More on the unintended consequences of DDoS attacks on pro-Ahmadinejad web-sites that is well worth reading. (Evgeny’s blog is worth reading continuously, by the way.)

Rather than using simple code, with automated viral botnets and the like, these efforts are largely being driven by hand. There are a number of simple scripts going around that can be downloaded and which continually re-load the target Web sites in a browser window.

Kit Eaton writing in a blog entry entitled Iranian Protests Becoming Crowd-Sourced Cyber War on the Fast Company website.

Here’s a peek at one such script, using the “page reboot” site as a basis for the tools. Page reboot uses a very simple method, namely use Javascript to reload the URL in the page repeatedly. The browser will happily do so, just like the user was sitting there hitting F5 in their Internet Explorer. This can cause some stress on the attacker’s specific machine, reveals their IPs through the HTTP connections, and is trivial to filter, but is growing in popularity.

IR page reboot iframe collection.png

In this case someone’s put together a single page of HTML with multiple “IFRAME” elements which embed the remote page into the local page. This is a simple magnifier of the local site’s effect but has the effect of diminishing results: the attacker’s machine slows down for all attacks as it loads them and consumes more bandwidth as it loads all of the pages again and again.

“We turned our collective power and outrage into a serious weapon that we could use at our will, without ever having to feel the consequences. We practiced distributed, citizen-based warfare,” writes Matthew Burton, a former U.S. intelligence analyst who joined in the online assaults, thanks to a “push-button tool that would, upon your click, immediately start bombarding 10 Web sites with requests.”

Source: Noah Shachtman writing in Web Attacks Expand in Iran’s Cyber Battle (Updated Again) on the Wired website.

However if you think you can get enough people to participate, the impact on a local attacker’s bandwidth can be offset with the effect of coordination. A human run botnet but one that is friendly to the attacker, they need very little computer sophistication beyond “surf to this page”.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

… Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception – there’s no indication of a botnet involvement in the present attack.

Dancho Danchev, writing in Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites. And he’s right, mostly. There’s no botnets attacking Iranian opposition sites; in fact the only botnet attack commands against sites in Iran in the past week or so that I’ve seen are against a stereotypical Iranian website spreading news against American and Israeli news. Hardly the stuff that would be expected to be seen if there’s a massive pro-opposition DDoS flood afoot.

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that commits a simple set of attacks. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or accessory bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary.

This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk. This is the kind of thing that folks should keep in mind in any Cyberwar Guide To Helping The Iranian Protesters.

Also we can question, and measure, how effective this attack may be. There’s just no massive traffic uptick visible in our monitors that we may expect to see in this kind of event. That’s not to say it’s not happening, it’s just not on the same scale as attacks in China, the US, or Russia that we typically see, at least from our perspective.

Most importantly the Iranian protesters and supporters recognize the duopoly of their situation. If they attack sites they take that meager amount of bandwidth left from those who may be using it to get news and organize street protests. Indeed, the community seems to be thinking along these lines. Outsiders like my friend Pedro Bueno write “No guys, that’s not the right path”. On DailyKos we can see:

If everyone were actually to do this, we’d risk losing the Twitter feeds and emails that are providing the eyewitness accounts to the current events in Tehran, all to shut down websites for a regime that is already losing credibility fast.

Source: Do NOT DDOS Iranian websites on DailyKos.

Twitter is being used to coordinate these protests and cyber attacks, as noted by my friend Gary Warner writing on his blog. Twitter’s also being used as people re-think their use of DDoS to effect change in Iran.

I’m currently pausing all ddos activity until it becomes clear what to do

From: strager_tu on Twitter, June 17 2009.

And that seems to be what people are thinking right now.

5 Responses to “Iran DDoS Activity: Chatter, Tools and Traffic Rates”

June 21, 2009 at 2:31 pm, Jeffrey said:

Good post. I’m incorporating some of this content for the section of my book “Inside Cyber Warfare” (with attribution, of course)! If you have other thoughts to share, feel free to email me, Jose.

June 23, 2009 at 4:22 pm, Stoppt die Mullahs – Updates « Freunde der offenen Gesellschaft said:

[…] diese Ideen von meinen Kontakten in Teheran über Twitter aus Iran. Trotzdem: Die Meinung über den Nutzen von DDoS ist […]

June 23, 2009 at 12:42 pm, Alex Williams said:

Hello – Your perspectives are quite well-informed. Would you have some time to talk with us about being a guest blogger? We serve a large community of IT managers who have a high degree of interest in what you write about.

We have bloggers from several of the data security vendors and wish to expand into the larger realms of information security as they relate to issues about cyber warfare and espionage.

I hope we get the chance to talk soon.

June 26, 2009 at 6:11 am, hans said:

DDoS is harmful for protesters, instead provide proxy servers.

Read this if you want to help or get help!

The government in Iran is still increasing internet filtering and throttling in an attempt to silence their people. Anonymous info shows that many in Iran are looking for proxy and Tor information in Tehran and all around the country. Please donate your bandwidth to help bring down the Iran Curtain. Here are links on how to help and get help on this:

English: Tor and the Iranian Election – Bring down the Iran Curtain | Ian’s Brain

July 01, 2009 at 6:28 am, prasówka iran – technologia, rewolucje na twitterze i facebooku nie sÄ… fajne « harce said:

[…] arbornetworks – Iran DDoS Activity: Chatter, Tools and Traffic Rates […]

Comments are closed.