2010-12-31 Updates on the Investigations into "4chan" and "Anonymous" DDoS Attacks

Allegations and Investigation
On Dec. 16, the FBI raided a Texas server-hosting company in hopes of finding evidence to advance an investigation into the hacktivist groups engaged in various attacks against Wikileaks-unfriendly institutions and individuals.

The investigation seems to have been set in motion as a direct result of PayPal's actions; PayPal is said to have supplied the FBI with various IP addresses hosting an IRC chat for current and prospective hacktivists. At least one hard drive was seized.

The Smoking Gun obtained the PayPal affidavit according to which

On December 2, 2010, Paypal Incorporated … contacted the FBI and reported that an Internet activist group using the names “4chan” and “Anonymous,” appeared to be organizing a [DDoS] attack against the company. The attack appeared to be organized in response to Paypal’s decision to suspend Wikileaks’ Paypal account, which Wikileaks was using to collect donations. The attackers, “Anonymous,” described themselves as being “average Internet Citizens” and stated their “motivation is a collective sense of being fed up with all the minor and major injustices we witness every day.” Later that same morning, at approximately 11:44am, Paypal advised the FBI that a DDoS attack against the company’s website … had begun. Since that time, there have been multiple, severe DDoS attacks against the Paypal website.

Attack Method
According to the affidavit, some individuals may have been unknowingly involved in the DDoS attacks because their machines had been compromised and enrolled in botnets. In order for the attacks to have been effective, "[a]ttackers would have needed five to fifteen million people all on high speed broadband connections", Jason Hoffman of Joyent.com said in an interview with EWeekEurope.

Could there have been that many willing volunteers, removing any need for unwitting participants whose machines had been secretly infected? This remains an open question that cannot be settled without empirical investigation, which is under way.

Sean-Paul Correll of Panda Security believes that botnets were, in fact, used: "Today we observed over 3,000 computers in the voluntary botnet, but we also have knowledge of a 30k node botnet."

This botnet spreads through peer-to-peer file-sharing systems, but it can also spread via Microsoft Messenger and USB sticks, he said. Panda is trying to obtain a sample of the bot's code for analysis (source).

Thus far, two or more IP addresses have reportedly been identified as associated with the sources of the attacks, either because they hosted Anonymous chat services or because they were at the root of botnet distribution.

Search warrants were issued authorizing the FBI to seize "records and material relating to the DDoS attacks or other illegal activities pertaining to the organization Anonymous or 4chan" (Source). Another search warrant was apparently executed by the German Federal Criminal Police. They found that

the "server at issue" belonged to a man from Herrlisheim, France. However, an analysis of the server showed that “root-level access” to the machine “appeared to come from an administrator logging in from” another IP address.

“Log files showed that the commands to execute the DDoS on PayPal actually came from” this IP, Agent Lynd reported. Two log entries cited in the affidavit include an identical message: “Good_night,_paypal_Sweet_dreams_from_AnonOPs” (Source).
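The reasoning the affidavit describes, that the logs tie the DDoS commands to the address of the remote root login rather than to the server's owner, is a plain log-correlation exercise. The script below is an added example of that correlation; it is not code from the investigation, the affidavit, or any tool named on this page. It reads constructed sshd and IRC-server log lines; the host name, the addresses, the nicknames and the "!attack target=... message=..." command syntax are all assumed for illustration, and only the repeated message text comes from the affidavit.

```python
"""Correlate attack commands seen in an IRC log with the addresses that obtained
root-level logins on the same host (added example; all log lines are constructed)."""
import re
from collections import Counter, defaultdict

# Constructed sshd auth-log lines; the host "srv" and all addresses are made up
# (documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
AUTH_LOG = """\
Dec  8 11:02:13 srv sshd[2041]: Accepted publickey for root from 203.0.113.7 port 51022 ssh2
Dec  8 11:05:41 srv sshd[2050]: Accepted password for www from 198.51.100.23 port 40012 ssh2
Dec  8 11:40:02 srv sshd[2103]: Accepted publickey for root from 203.0.113.7 port 51090 ssh2
Dec  8 11:44:17 srv sshd[2110]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# Constructed IRC-server log lines. The "!attack target=... message=..." command
# syntax is assumed for illustration; only the message text comes from the affidavit.
IRC_LOG = """\
[Dec  8 11:41:30] <hivectl!ops@203.0.113.7> PRIVMSG #ops :!attack target=192.0.2.10 message=Good_night,_paypal_Sweet_dreams_from_AnonOPs
[Dec  8 11:41:31] <hivectl!ops@203.0.113.7> PRIVMSG #ops :!attack start
[Dec  8 11:42:05] <anon42!u@198.51.100.23> PRIVMSG #ops :is it working?
[Dec  8 11:52:48] <hivectl!ops@203.0.113.7> PRIVMSG #ops :!attack target=192.0.2.10 message=Good_night,_paypal_Sweet_dreams_from_AnonOPs
"""

AUTH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")
IRC_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] <(?P<nick>[^!]+)!(?P<ident>[^@]+)@(?P<ip>[^>]+)> "
    r"PRIVMSG (?P<chan>\S+) :(?P<msg>.*)$"
)


def successful_logins(auth_text):
    """Map source IP -> Counter(user -> number of accepted logins).
    Failed attempts are deliberately not counted."""
    logins = defaultdict(Counter)
    for line in auth_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            logins[m.group("ip")][m.group("user")] += 1
    return logins


def attack_commands(irc_text, marker):
    """Return (timestamp, source_ip, message) for every PRIVMSG whose text
    contains `marker`, e.g. a command verb or the attack's payload string."""
    hits = []
    for line in irc_text.splitlines():
        m = IRC_RE.match(line)
        if m and marker in m.group("msg"):
            hits.append((m.group("ts"), m.group("ip"), m.group("msg")))
    return hits


def correlate(auth_text, irc_text, marker):
    """For each IP that issued a marked command, count its commands and how
    many accepted root logins the same IP had on this host."""
    logins = successful_logins(auth_text)
    report = {}
    for _ts, ip, _msg in attack_commands(irc_text, marker):
        entry = report.setdefault(ip, {"commands": 0, "root_logins": 0})
        entry["commands"] += 1
    for ip, entry in report.items():
        entry["root_logins"] = logins.get(ip, Counter())["root"]
    return report


if __name__ == "__main__":
    for ip, entry in correlate(AUTH_LOG, IRC_LOG, "Good_night,_paypal").items():
        print(f"{ip}: {entry['commands']} attack command(s), "
              f"{entry['root_logins']} accepted root login(s)")
```

In the constructed data the only address issuing the repeated message is also the only one with accepted root logins, while the address with a failed root attempt and the address with an ordinary user login issue no commands; that is the shape of evidence the affidavit relies on, and the same correlation should be re-run with clock offsets and log retention in mind before it is treated as attribution.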

Another IP address was traced to Tailor Made Services in Dallas (a dedicated server hosting company), and yet another was traced to an Internet service provider in British Columbia, Canada:

Investigators with the Royal Canadian Mounted Police determined that the Canadian firm’s “virtual” server was actually housed at Hurricane Electric, a California firm offering “colocation, web hosting, dedicated servers, and Internet connections,” according to its web site.

FBI Agent Christopher Calderon, an expert on malicious botnets who works from the bureau’s San Jose office, is leading the probe of the second IP (and presumably has seized a server from Hurricane Electric). Hurricane’s president, Mike Leber, did not respond to a message left for him at the firm’s office in Fremont, which is about 20 miles from PayPal’s San Jose headquarters (ibid.).