Twitter plays key role in DoS attacks in Iran

The unrest in Iran is serving as a warning on how easy it is for individuals and groups to use a social networking tool like Twitter to mobilise a cyber-army against a political or commercial target anywhere in the world.

Over the past few days, news media reports have described how Twitter is being used by ordinary Iranians to receive and broadcast real-time information on the political unrest in the country after recent elections.

But a still developing and less benign use of Twitter in Iran has been its application in denial-of-service attacks against key government officials, including those affiliated with President Mahmoud Ahmedinejad.

Initially, the tweets directed users to online locations with links that users could click on to participate in a DoS attack against a particular Iranian website, said Richard Stiennon, founder of IT-Harvest, a Birmingham, Mich.-based consultancy.

A Google Doc circulating on the web, for instance, lists several URLs pointing to Iranian websites listed by categories such as "Governmental and HARDLINE NEWS," "Police, Ministry of Interior," "Central Bank," "Commerce Banks" and "Office of Ahmadijenad and Khameneie." When a user clicks on any of the links, it initiates a continuous stream of page refresh requests to the targeted website that will eventually overcome the site if enough people click on the link.

More recently, tweets have begun circulating that allows users to achieve the same result by simply clicking on the embedded URL in the message. As soon as a user hits the page, as many as 24 frames open up simultaneously and refresh continuously, causing a DoS attack against the 24 separate websites Stiennon said.

"Once you click on what you see in Twitter, you immediately become part of the cyber-army," in Iran, he said.

Another tool that is available via Twitter is called bandwidth raep (bwraep), which is also a sort of DoS attack. This attack works by bombarding a web server with fake requests to serve up content-heavy images.

Tweets are also circulating that offer information on where to find malware capable of initiating so-called Ping and Syn flood attacks, which are designed to overwhelm servers with an incessant flood of useless requests, Stiennon said.

A Cyberwar guide for Iran elections reposted on BoingBoing exhorts would-be cyber warriors to be careful about using Twitter to launch such DoS attacks.

"If you don't know what you are doing, stay out of this game," the guide writes while asking volunteers to only target sites that "legitimate Iranian bloggers" pinpoint. "Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off."

It's unclear how successful these attacks have been. However, the use of Twitter in this way represents a new and potentially disturbing way to mobilise people for a cyber attack, Stiennon said.

"After this experience, the general populace has learned how to participate in cyber civil unrest," he said. In the past, when hactivists have wanted to enlist volunteers to participate in cyber attacks, such as happened in the nation of Georgia, they have typically directed people to go to specific forums and download software tools needed to attack the target sites. Or, they have simply used previously infected PCs to launch automated distributed DoS attacks against target sites.

"Twitter represents a socialisation of such attacks. It has a much broader reach than IRC channels and hacker discussion forums. It is a way to enlist cyber-volunteers very quickly and with very little effort," Stiennon said.

After seeing what's happening in Iran, it is not hard to see how similar attacks could be quickly mobilised against any political or business entity going forward, he said.

"It was interesting to see that proponents are inviting people to support their case over Twitter," by posting instructions on how to launch denial of service attacks against Iranian sites, said Bojan Zdrnja, a member of the SANS Internet Storm Centre in a post earlier this week.

"It's clear that Twitter became increasingly interesting to hacktivists due to a large user base," Zdrnja wrote. But so far, the attacks appear to be "technically very, very simple" and relatively easy to mitigate.