Softpedia
June 22nd, 2009, 14:15 GMT · By

Iranian DDoS Mob Exposed to Drive-By Attacks

Iran's cyber-guerrilla denial of service methods pose a security risk for attackers
Following the controversy in Iran over the recent, allegedly rigged presidential elections, a guerrilla-type cyberwar broke out. Those contesting the result resorted to launching denial of service attacks against governmental websites to accompany street protests against the re-election of President Ahmadinejad.

Similar methods of protesting, though far from ethical, have been seen following most recent political or armed conflicts, such as the ones between Russia and Georgia or Israel and Hamas. However, the Iranian distributed denial of service attacks are far from hi-tech.

These are actually HTTP request floods performed by thousands of users through automatic page refresh scripts, rather than by latest-generation botnets or hacked servers with large bandwidth at their disposal. A "group created a special web page that supporters should visit. This web page is very simple – it creates 10 iframes, each iframe pointing to a different site in Iran," Bojan Zdrnja, security researcher with the Internet Storm Center, explains.

"The visitor can then change the frequency which will be used to refresh iframe status. The browser will then regularly refresh every single web site from the list attached below. This is a poor man's DDoS," Mr. Zdrnja concludes.
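A fixed-interval refresh leaves a recognisable trace on the receiving server: the same client requests the same page at almost constant gaps. The sketch below is an added example, not code from the article or from the researchers quoted; it assumes Combined Log Format access logs, and the thresholds, the sample addresses and the `refresher.example` referer are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)"'
)

def find_refresh_clients(lines, min_hits=5, max_jitter=0.1):
    """Return {(ip, path): (interval_seconds, referer)} for timer-driven reloaders.

    A client is flagged when it requests the same path at least min_hits times
    and the gaps between requests are nearly constant (stdev/mean <= max_jitter),
    which is what a fixed-interval refresh script produces and a human does not.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["path"])].append((ts, m["ref"]))
    flagged = {}
    for key, events in hits.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = (round(avg), events[-1][1])
    return flagged

def _line(ip, second_offset, ref):
    # Constructed sample line; addresses are from documentation ranges.
    ts = f"22/Jun/2009:14:{second_offset // 60:02d}:{second_offset % 60:02d} +0000"
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'

SAMPLE = (
    [_line("192.0.2.10", s, "http://refresher.example/") for s in range(0, 60, 10)]
    + [_line("198.51.100.7", s, "-") for s in (3, 40, 41, 95, 300)]
)

if __name__ == "__main__":
    for (ip, path), (interval, ref) in find_refresh_clients(SAMPLE).items():
        print(f"{ip} reloads {path} every ~{interval}s, referer {ref}")
```

Flagged clients that share one Referer point back to the page hosting the iframes, which gives a single value to rate-limit or block on.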

Security researchers warn that not only are such attacks fairly easy to repel, but they could just as easily be turned against the hacktivists. "The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks," Jose Nazario of Arbor Networks advises.

He goes on to describe a scenario where "victims modify their sites to include some code like LuckySploit that commits a simple set of attacks." In such a case, "The attacker’s machine reloads the page […] Hit a browser or accessory bug and bam, the attacker has been attacked," he explains.

The cyber-protesters also have another issue with this approach: by doing this, they cut off everyone's access to information, including their own. The Iranian government has almost isolated the country from the outside world in terms of Internet peering. This means that attacks like these, which originate from within the national network, overload it and make it unresponsive for everyone.
