  1. MasterCard attacked by voluntary botnet after WikiLeaks decision

    mastercard.com is currently under a distributed denial of service (DDoS) attack, making the site unavailable from some locations.

    The attack is being orchestrated by Operation Payback and forms part of an ongoing campaign by Anonymous. They announced the attack's success a short while ago on their Twitter stream:

    Operation Payback is announcing targets via its website, Twitter stream and Internet Relay Chat (IRC) channels. To muster the necessary volume of traffic to take sites offline, they are inviting people to take part in a 'voluntary' botnet by installing a tool called LOIC (Low Orbit Ion Cannon – a fictional weapon of mass destruction popularised by computer games such as Command & Conquer).

    The LOIC tool connects to an IRC server and joins an invite-only 'hive' channel, where it can be updated with the current attack target. This allows Operation Payback to automatically reconfigure the entire botnet to switch to a different target at any time.

    Yesterday, Operation Payback successfully brought down the PostFinance.ch website after the Swiss bank decided to close Julian Assange's bank account.

    Later in the day, they also launched an attack against the Swedish prosecutor's website, www.aklagare.se. The attack was successful for several hours, but now appears to have stopped. The Director of Prosecution, Ms. Marianne Ny, stated yesterday that Swedish prosecutors are completely independent in their decision making, and that there had been no political pressure. The same group also successfully took down the official PayPal blog last week, after WikiLeaks' PayPal account was suspended.

    As more companies distance themselves from WikiLeaks, we would not be surprised to see additional attacks taking place over the coming days. Concurrent attacks against the online payment services of MasterCard, Visa and PayPal would have a significant impact on online retailers, particularly in the run-up to Christmas.

    Although denial of service attacks are illegal in most countries, Operation Payback clearly has a sufficient supply of volunteers who are willing to take an active role in the attacks we have seen so far. They are a force to be reckoned with.

    A real-time performance graph for www.mastercard.com can be viewed here.

    Posted by Paul Mutton on 8th December, 2010 in Around the Net

  2. WikiLeaks attacked during launch of cablegate

    WikiLeaks experienced some website downtime last night, coinciding with its release of the US embassy cables at cablegate.wikileaks.org.

    Just before the latest leak was released to the world via their new "cablegate" site last night, WikiLeaks tweeted that they were under a mass distributed denial of service attack, but defiantly stated that "El Pais, Le Monde, Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down".

    Twitter user th3j35t3r claimed to be carrying out the denial of service attack against www.wikileaks.org, although in a tweet that has since been deleted, th3j35t3r stated that it was not a distributed attack. If WikiLeaks believed the attack to be distributed, it could suggest that other parties had also been carrying out separate attacks at the same time.

    th3j35t3r's Twitter profile lists his location as "Everywhere" and he describes himself as a "Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys."

    th3j35t3r's Twitter feed lists dozens of other sites that have also been taken down, mainly communicated through "TANGO DOWN" messages posted via the XerCeS Attack Platform. The "tango down" phrase is used by special forces and is often heard in FPS games such as Rainbow 6 and Call of Duty, where it is used to describe a terrorist being eliminated.

    Referring to the success of the attack, th3j35t3r also tweeted, "If I was a wikileaks 'source' right now I'd be getting a little twitchy, if they cant protect their own site, how can they protect a src?"

    The main www.wikileaks.org site appeared to bear the brunt of the attack, suffering patchy or slow availability for several hours. Last night, the site was hosted from a single IP address, but has since been configured to distribute its traffic between two Amazon EC2 IP addresses on a round-robin basis. One of these instances is hosted in the US, while the other is in Ireland.

    Meanwhile, cablegate.wikileaks.org has so far escaped any significant downtime. This site has used 3 IP addresses since its launch, probably in anticipation of being attacked or deluged with legitimate traffic. Two of these IP addresses are at Octopuce in France, which also hosts the single IP address now used by warlogs.wikileaks.org. Ironically, the third IP address being used to distribute secret US embassy cables is an Amazon EC2 instance hosted in – you guessed it – the US.

    Performance graphs are available here:

    Posted by Paul Mutton on 29th November, 2010 in Around the Net

  3. Iraq War Logs no longer served by Amazon EC2

    The Iraq War Logs site run by WikiLeaks has been showing some choppy performance since last weekend, when its remaining Amazon EC2 instance stopped responding to HTTP requests.

    Over the past week, the DNS configuration for warlogs.wikileaks.org had been directing traffic to two IP addresses on a round-robin basis. One of these IP addresses was at Octopuce in France, and successfully handled half of the HTTP requests sent to http://warlogs.wikileaks.org; however, the remaining 50% were directed towards an Amazon EC2 IP address in Ireland, which stopped accepting connections to port 80 last weekend.

    WikiLeaks appeared to fix the DNS problem today (Friday) – warlogs.wikileaks.org is now being served from just a single IP address in France. This is in contrast to the situation a few weeks earlier, when the site was being served from as many as 5 IP addresses, presumably to make the site more resilient to attack and high demand.

    Posted by Paul Mutton on 17th November, 2010 in Around the Net
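
The round-robin failure described in the Iraq War Logs post (one of two A records no longer accepting connections on port 80, so about half of requests fail) can be caught by probing every record individually instead of the hostname. The following is an added example, not code from the original posts; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import socket
from typing import Callable, Dict, Iterable, List


def resolve_a_records(hostname: str, port: int = 80) -> List[str]:
    """Return every distinct IPv4 address the resolver hands back."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_probe(address: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_round_robin(addresses: Iterable[str],
                      probe: Callable[[str], bool] = tcp_probe) -> Dict[str, object]:
    """Probe each address of a round-robin set on its own.

    Round-robin DNS does no health checking, so each record gets roughly an
    equal share of clients. The share of records that fail the probe is the
    approximate share of visitors who will see the site as down.
    """
    results = {addr: probe(addr) for addr in addresses}
    dead = sorted(addr for addr, ok in results.items() if not ok)
    fraction = len(dead) / len(results) if results else 0.0
    return {"results": results, "dead": dead,
            "expected_failure_fraction": fraction}


if __name__ == "__main__":
    # Constructed sample: two documentation-range addresses stand in for the
    # two records in the post; the stub probe marks the second as refusing
    # connections, so the script runs offline.
    sample = ["192.0.2.10", "198.51.100.20"]
    report = audit_round_robin(sample, lambda addr: addr != "198.51.100.20")
    print(report)
    # Live use (needs network access), with the default TCP probe:
    #   audit_round_robin(resolve_a_records("www.example.org"))
```

A hostname-level check would pass about half the time in this situation, which is why the audit iterates over the resolved records.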