The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale
people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com
CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :
"
The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."
Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through
the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.
-
Through the use of DIY DDoS ToolsBesides
anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :
Scanners Result: 3
/32 (9.38%)DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b
For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.
-
Collectively building bandwidth capacity and mobilizing novice cyber warriorsWhat if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.
hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.htmlxdadmin.com/cnn.html
ah930.com/cnn.htmls234sdf3.cn.webz.datasir.com/cnn.aspbbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htmily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.htmlyaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htmThis is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :
Anti-CNN Plans v4.19"
Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us. Plot: 1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!
iframe Id="cnn" width="100%" height="100"> script> Var e = document.getElementById ( 'cnn'); SetInterval ( "e.src = 'http://www.cnn.com'", 3000); / / 1000 said that 1,000 ms, you can modify and transmit
You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:
We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "
This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.
Yet another massive SQL injection attack is making its rounds online, and this time without the SEO poisoning as an attack tactic, has managed to successfully infect the United Nations events page, which is now also marked as malware infected page, and with a reason since both the malicious URl and the injection are still active. According to WebSense :
Let's assess the malicious injection. nihaorr1.com/ 1.js (219.153.46.28) is attempting to load nihaorr1.com/ 1.htm, where several other internal exploit serving URLs and javascript obfuscations load through IFRAMES, such as :
and finally serve the malware, by also taking us out of the point and loading another malicious IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) :
