Thanks for taking the time to read this. I'm going to keep this as short and concise as possible, but there is a lot of ground to cover. I will endevour to keep my opinions seperate from the facts by getting my opinion out of the way right away, you can skip it if you want and go directly to Section 2. 1.) My Opinion A.) At this point, I believe there are 3 signifigant Iranian sites that need to be dealt with due to their pschological value: 1.) leader.ir 2.) president.ir 3.) gerdab.ir a.) while the content on this site hasn't been updated in some time, the Basij are clearly expending resources keeping it up and running, and it has psychological value. b.) At this moment gerdab appears to be down, it has proven thus far to be extremely resiliant, so I am crossing my fingers it stays the *&^% down. B.) I also believe it is important to keep the government's info-warfare groups and sysadmins and generally smart people tied up fighting this psy-op BS war with us. And I ain't got nothing better to do. So- At the end of this document, I will suggest some non-standard ways to keep these resources loaded. B.) The Iranian government has nearly infinite bandwidth. leader.ir is loading faster than google.com from hosts all over the *&^%ing planet despite being hammered on by thousands of get-flood bots. Therefor, I do not believe that DDoSs from outside Iran are eating the bandwidth of the Protesters. I believe the government is eating that BW, and using it for leader.ir. C.) For reasons I will outline below, thread-starvation ttacks are also not working. D.) B + C = We Need To Be More *&^%ing clever!!! 2.) Facts A.) The page-refresh/get-flood DDoS attacks are not working on these sites (unless they have taken down gerdab, which I doubt, if that site is down, it's probably due to something more clever) 1.) leader, president, and _even_ gerdab are all behind load-balancers. 2.) I believe they are Cisco. a.) If you look closely, you will see that leader.ir has trace on half the time, and not the other half. 3.) This is also preventing thread-pool exhaustion attacks (like slowloris) from working. 4.) Plus, all of the damn page-refreshes are keeping the thread-pool from getting tied up. 5.) The Iranian sysadmins are clever. gerdab.ir was at one point handling 2035 simultaneous low-bw threads from one host, while happily serving up it's terror to another host in under .7 seconds. a.) They have re-compiled. b.) They have optimized. c.) They have withstood quite a pummling for many days now. 3.) Proposed Strategy and Starting-Points A.) Do some good recon. I am attaching a network map of the network at Tehran University where leader.ir lives. IF we look at some of the nodes on the same /24 we see some very *&^%ing interesting @#$%. 1.) 62.220.121.51 appears to be the local branch of Alalam publishing, and do you smell that? It's like in the wall... It smells like sloppy, sloppy code waiting to be fuzzed. 2.) 62.220.121.68 and .77 are running webmail servers. 3.) .76 is a virtual host. 4.) .135 is running *&^%ING Squirrel Mail! 5.) And, oh yeah... The cisco router at 62.220.97.230 has TELNET open. (PS, anyone got a good Farsi dictionary? We don't, and we're looking for one.) root@vmware:~# host -al gerdab.ir ns1.sinet.ir Trying "gerdab.ir" Using domain server: Name: ns1.sinet.ir Address: 81.12.12.201#53 Aliases: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29351 ;; flags: qr aa ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;gerdab.ir. IN AXFR ;; ANSWER SECTION: gerdab.ir. 600 IN SOA ns1.sinet.ir. hostmaster.shdc.sinet.ir. 2009062701 900 600 3600 600 gerdab.ir. 600 IN NS ns1.sinet.ir. gerdab.ir. 600 IN A 81.12.13.144 gerdab.ir. 600 IN MX 10 mail.gerdab.ir. files.gerdab.ir. 600 IN A 81.12.13.137 mail.gerdab.ir. 600 IN A 81.12.13.144 server1.gerdab.ir. 600 IN A 81.12.13.144 www.gerdab.ir. 600 IN A 81.12.13.144 gerdab.ir. 600 IN SOA ns1.sinet.ir. hostmaster.shdc.sinet.ir. 2009062701 900 600 3600 600 Received 258 bytes from 81.12.12.201#53 in 315 ms Are you starting to get the gist? This is War. We need to use some gurilla @#$% here. Old school. CONCLUSION: 1.) Recon, Recon, Recon. Let's start sharing network maps, service-scans, etc. 2.) Go after adjacent hosts, routers, fuzz web-apps, poison DNS, spoof @#$%, SQL injection, brute-force: Use Any MEans Neccessary. 3.) Use whois. Tie up every technical-contact, zone-contact and webmaster's inbox, voice-mail, and fax-line. Use skype. Automate it. $.01 gets a VOIP call to Tehran. A buck gets you 100. $100 can make quite a mess. 4.) Use forums like this one to share information and tactics. This constant whining on twitter re: "I've been begging for days PLEASE TAKE THIS SITE DOWN" is not helping. i5.) As we gather more intelligence, I will make it available in a similar fashion. 5.) The inhumane dictatorship suppressing its people in Iran is using the resources of a modern state to fight this war against its own people. We need to fight them back with more than page-refresh bots and blockable TOR exit-nodes.
whoever posted this please DM me on twitter @schachin Have something that might be of interest, but not wanting to post to everyone..
some info on govt block section 6 - old (early 2007), but might be useful?? All these network locations (or sites) were on "area no 6 partition" assigned to the leader of iran according to web research hope there is something that can help... Rank Site Avg Max Latest OS Server 1 mail.ahmadinejad.ir 218 219 217 Solaris 8 MDNServer 2 qudsway.com 37 125 2 Linux Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_perl/1.999.21 Perl/v5.8.4 3 tebyan.net 22 28 11 Windows Server 2003 Microsoft-IIS/6.0 4 same as 3 --> 5 Mahmoud Ahmadinejad - The Official Blog - Tehran, Islamic Republic of Iran 14 95 95 Windows 2000 Microsoft-IIS/5.0 6 شرکت خدمات هوایی پیام - 15 9 Windows 2000 Microsoft-IIS/5.0 7 JameJamOnline.ir - 17 16 Windows 2000 Microsoft-IIS/5.0 8 www.ict.ir - 23 4 Windows Server 2003 Microsoft-IIS/6.0 9 :: moqavemat.com :: - 38 8 FreeBSD Apache/2.2.3 (Unix) PHP/5.2.0 The sites shown have their IP addresses within the range owned by the Netblock Owner. The default view for this table is to show by average uptime. You can choose to redisplay the table ranked by Maximum value if desired. Network Owner information is based on information from the major ip address registries. We try to combine netblocks owned by the same company but often netblock registrations by the same company differ in spelling or in other ways. Please let us know if you see netblock urls that you think should be combined. You can add a host or site simply by querying it. ___________________________________________ BB here converted my data into actual URL's so will repost the converted data here with spaces... (guess they are still live) 5 www[.]ahmadinejad[.]ir 6 www[.]payamaviation[.]ir 7 www[.]jamejamonline[.]ir 8 www[.]ict[.]ir 9 www[.]moqavemat[.]ir
gerdab back up! Just as I suspected. They're back up. 'grats to whomever had them down for a few hours.
"this site is a govt hit list of us. trying to intimidate." Please persist: http://gerdab.ir/fa/pages/?... From Twitter: webgozar.com, stat provider, is owned by iranian intelli service, host in US! plz take it down in any way you can! Who was that masked man?...Bless you all.
natural23 Recon is key but coordination of use of our resources is going to be very important. Also Iran Sec/Intel know about this site (IWWP) and they are reading what write; we don't want to telegraph details about tactics and we can probably squeeze a little bit more, maybe a lot more, out of each approach before they adapt if the public form is utilized with proper discretion (i.e. only where the pub. form provides relatively uncompromised utility -- examples - calling for volunteers, leads to creative tech input..). Will be contrib. more. Thanks. This is for all of us, not only the Iranian ppl. nat23
Make your time. Anything within us borders or territory is fair game for dept of state phone call campaign. Either you call Hillary Clintons office or you ask your Senator to get some action on that front. Either method has worked in the past. The state dept is not interested in allowing an oppressive regime use any us resource, especially given our current state of alert (there's a certain clock showing Pacific Midnight). Iran has a cyber warfare investigation site up. Any hot action within /i/ winds up on their logs. They claim to be working with other intell agencies on the matter as investigations of organized crime. You do the math, but if the long arm of the Ayatollahs and Ahmedinedzad travesty of justice reaches you, that opens the door on their sponsorship of international terrorism. For some reason the Ayatollah has escaped prosecution by the Haag for ordering the slaughter of innocents. Their death squad knows exactly which international force they are dealing with. How will they choose to adapt? Cisco has backdoors, the US Navy is but a click away, Mr. Supreme Leader. Make your time.
ThePlanet.com Checking info on ThePlanet.com at Raymond Jahan (StopAhmadi) on Twitter Then proceed accordingly please. :-D
go get 'em easier targets, also important (many posting pics of protesters saying to hunt them.) @StopAhmadi: @ItalyOut Here are more US-hosted IR gvmt websites tom's posterous - Home #iranelection
At thus point, people need to take a look at how their efforts can either help the cause or throw it off course. This is no gamble, don't just throw your dice around. highest priority is gerdab- this is the mothership org. lower priority on any other .ir especially politicians. blogs are ignorable except any US hosted terrorist server posting faces of protesters for hunting purposes call your favorite USGOV agency especially FBI, dept of state, as well as all your congressional representation. If you're not comfortable doing this then you are not anon. Anon shall use every available resource to the maximum efficiency possible. get the planet dot com Etc by going thru the proper authorities, don't risk anything that should be focused elsewhere. Think before you click. Hate speech is not the same as protected speech. "Hit em hard and hit em often." -the inner crown.
Attacking the sites are proving to be a difficult task and marginal success. going after their DNS is a much better idea.
