FBI Raids Texas ISP For Anonymous DDoS Info
jcombel writes with this link to The Smoking Gun, which says "As part of an international criminal probe into computer attacks launched this month against perceived corporate enemies of WikiLeaks, the FBI has raided a Texas business and seized a computer server that investigators believe was used to launch a massive electronic attack on PayPal."
Computerworld has a story, as well.
I agree with you. As a former ISP employee, it is pretty well known that the FBI has electronic taps into most ISP companies. I assume the same would be true for datacenter operations as well. I have to imagine watching the traffic silently would have yielded more info than shutting down servers and taking them in for review. No need to worry about masking keys when you can watch the raw traffic come in and see who the major actors are.
But more than that, why raid a datacenter? Why not work with the datacenter to get what they need and minimize an outage for any other customers? It is like the FBI treats datacenters and ISPs as bad actors and doesn't trust that they aren't in on the crime, which I think is rather outrageous.
Union strikes and protests can also damage the economy. Let's put all these people behind bars. Who the fuck do they think they are? Damaging the short-term profit of the all-powerful corporations!
First mistake: They list the IP in the affidavit OUTSIDE of the logs twice as 72.9.153.42 instead of 72.9.153.142 as it should be. One could assume that they could have now raided the wrong server in Tailor Made's farm.
Second mistake: "root" is just an IRC nickname on AnonOPs, and this person does NOT have root access on the IRC server that was raided, as falsely assumed in the affidavit. They have oper with override privileges, and that was what was logged. The raid on the server at Tailor Made Servers was made under false pretenses.
Third mistake: Those logs show... [Thu Dec 9 11:14:27 2010] - OVERRIDE: root(root@72.9.153.142) TOPIC #loic '!lazor default targethost=api.paypal.comsubsite=/ speed=3 threads=15 method=tcp wait=false random=true checked=false message=Good_night_paypal_Sweet_dreams_from_AnonOPs port=443 stop' ... if anyone here has looked at LOIC's topic parsing, there are two mistakes the FBI made there. The first is that there's no space between targethost=api.paypal.com and subsite=/. The second is that this person "root" is STOPPING the attacks by adding "stop" at the end of the topic. Unless they can show logs of this "root" person throwing "start" in the topic instead of stop, this person is doing exactly the opposite of "willingly and knowingly" executing commands to start a DDoS attack.
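The cross-checks made by hand in the comment above, as an added example that is not part of the original post, the affidavit or LOIC: it parses the quoted OVERRIDE line and compares it with the address the comment says the affidavit's narrative gives. The regular expression for the log layout and the names parse_override and review are assumptions made for this illustration.

```python
import re

# Log line exactly as quoted in the comment above.
LOG_LINE = ("[Thu Dec 9 11:14:27 2010] - OVERRIDE: root(root@72.9.153.142) "
            "TOPIC #loic '!lazor default targethost=api.paypal.comsubsite=/ "
            "speed=3 threads=15 method=tcp wait=false random=true checked=false "
            "message=Good_night_paypal_Sweet_dreams_from_AnonOPs port=443 stop'")
# Address the comment says appears in the affidavit text outside the logs.
NARRATIVE_IP = "72.9.153.42"

# Assumed layout: [timestamp] - OVERRIDE: nick(user@host) COMMAND #channel 'argument'
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - OVERRIDE: (?P<nick>[^(]+)\((?P<user>[^@]+)@(?P<host>[^)]+)\) "
    r"(?P<cmd>\S+) (?P<chan>\S+) '(?P<arg>.*)'$")

def parse_override(line):
    """Split one OVERRIDE line into its fields, key=value parameters and bare words."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not an OVERRIDE line in the assumed layout")
    rec = m.groupdict()
    params, bare = {}, []
    for tok in rec.pop("arg").split():
        if "=" in tok:
            key, _, value = tok.partition("=")  # split on the first '=' only
            params[key] = value
        else:
            bare.append(tok)
    rec["params"], rec["bare"] = params, bare
    return rec

def review(line, narrative_ip):
    """Return the parsed record plus the discrepancies a reviewer should note."""
    rec = parse_override(line)
    findings = []
    if rec["host"] != narrative_ip:
        findings.append(f"host mismatch: log={rec['host']} narrative={narrative_ip}")
    for key, value in rec["params"].items():
        if "=" in value:  # a second '=' means two parameters ran together
            findings.append(f"fused parameter in {key}: {value!r}")
    if rec["bare"]:
        findings.append(f"last bare word in topic: {rec['bare'][-1]}")
    return rec, findings

if __name__ == "__main__":
    for finding in review(LOG_LINE, NARRATIVE_IP)[1]:
        print(finding)
```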
Anonymous guys should google an implementation of slowloris-over-Tor "XerXeS" like Th3j35t3r uses... (Yeah implementations are out there, do you think th3j35t3r wrote his tool by himself??? LOL)
Going over Tor hides the IP and doing this attack via multiple machines would make them a really nasty bunch of fuckers.
On the other hand maybe they should not do that. You see, one can easily prevent the "XerXeS" tool by just tarpitting multiple connections from a single IP. Or, better yet, tarpit all Tor exit node IPs. Then to hide oneself, the attacker would need multiple machines, essentially a botnet.
As for the former alternative. If you don't have TARPIT support, run:
    module-assistant auto-install xtables-addons-source
Then run:
    iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j TARPIT
Latter option left as an exercise for the reader. Tweaking connlimit-above left as an exercise to the reader :)