Possible DDOS on gov.au sites starting tonight?

Published: 2009-09-09
Last Updated: 2009-09-09 11:45:11 UTC
by Mark Hofman (Version: 2)
7 comment(s)

The group Anonymous, who were reported to be responsible for the attack on Scientology sites, now have the Australian Government in their sights.  In 2008 the Australian Government decided that the internet should be filtered, and it is running trials with a number of ISPs.  Within Australia there is a fair amount of resistance to this practice, for a number of reasons.  You can read the government position here (http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering).  This Wikipedia article has more information on the issue as well (http://en.wikipedia.org/wiki/Internet_censorship_in_Australia).

In addition to the opposition to this scheme within Australia, it looks like the group Anonymous has also become involved.  A web site, 09-09-2009.org, was set up, and it looks like activities are coordinated through another web site.  The crux of their demands is for the senator responsible for the filtering scheme to resign and the plans for filtering to be abandoned, or else.

The "or else" is a DDOS attack on Australian government sites starting at 9.00 am GMT, which is 7.00 PM on the east coast.  Fax machines and phone lines may also be targeted.  Some "interesting" activity has been observed on some of the networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure you have your incident handling processes ready, and make sure that servers and other perimeter devices are patched so they are better able to resist attack.  You may want to have your ISP's contact details handy in case you need them to stem the flow of traffic.  If your infrastructure is outsourced, ask the outsourcer what plans they have in place should anything happen.  Most importantly, decide whether switching off the site in the face of an attack is an option for you.

Mark H

UPDATE 1

Well, the DDOS started at 7 pm on the dot and has been going on for about an hour or so.  www.pm.gov.au is being kept busy, and over the hour it was unavailable from where I am for a few minutes at best.  The attack seems to be mostly multiple web requests on the site, which exhaust the threads on the web server, causing it to respond with a 503 error.  Once left alone by a few of the attackers, the site is again more than happy.  As far as impact goes, the net result seems to be zilch.

UPDATE

The attack is over.  It achieved some publicity and managed to make the PM's website unavailable for a few minutes.  Otherwise there was no impact. - M
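The symptom described in Update 1 (a burst of web requests followed by 503 responses while the server's threads are exhausted) can be tracked from the web server's access log. The script below is an added example, not part of the original diary; it assumes Common/Combined Log Format, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/Combined Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def summarize(lines, ratio_threshold=0.2, min_requests=5, top_n=3):
    """Return one dict per minute in which the 503 share reached the threshold."""
    total = Counter()                 # minute -> requests seen
    errors = Counter()                # minute -> 503 responses
    clients = defaultdict(Counter)    # minute -> client IP -> requests
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that are not access-log entries
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        minute = ts.strftime("%Y-%m-%d %H:%M %z")
        total[minute] += 1
        clients[minute][m["ip"]] += 1
        if m["status"] == "503":
            errors[minute] += 1
    flagged = []
    for minute in sorted(total):
        ratio = errors[minute] / total[minute]
        if total[minute] >= min_requests and ratio >= ratio_threshold:
            flagged.append({"minute": minute, "requests": total[minute],
                            "http_503": errors[minute], "ratio": round(ratio, 2),
                            "top_clients": clients[minute].most_common(top_n)})
    return flagged

# Constructed sample log (documentation address ranges, not real traffic).
def _entry(ip, hhmmss, status):
    return f'{ip} - - [09/Sep/2009:{hhmmss} +1000] "GET / HTTP/1.1" {status} 512'

SAMPLE = (
    [_entry("192.0.2.10", f"18:59:{s:02d}", 200) for s in range(0, 60, 10)]    # quiet minute
    + [_entry("198.51.100.7", f"19:00:{s:02d}", 200) for s in range(0, 20)]    # served
    + [_entry("198.51.100.7", f"19:00:{s:02d}", 503) for s in range(20, 40)]   # threads exhausted
    + [_entry("203.0.113.5", f"19:00:{s:02d}", 503) for s in range(40, 50)]    # second heavy client
    + [_entry("192.0.2.10", "19:00:55", 503)]                                  # ordinary visitor refused
)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The per-minute list of top clients is the detail to have ready when asking an upstream provider to filter traffic.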

Keywords: DDOS

Comments

You said that it's supposed to start at 9:00 am GMT which is 7:00 pm on the East Coast. I'm assuming you mean Australia time by that? Since 9 am GMT would be 5:00 am EDT.

Have a great day:)
Patrick.

Our site is a .gov.au site. I have been noticing a marked increase in tcp/445 traffic and also probes from within Australia (telnet, vnc, etc.). It should be interesting to see what's going to happen.

Being in AU I was referring to my east coast ;-)
7.00 pm EST

The Twitter account AnonymousHH is definitely linked to the website 09-09-09.org. I'm in Tassie local govt.

Sorry for the duplicate posting; Firefox resent the post after I clicked on the resend button...

A quick analysis of my logs regarding tcp/445 reveals a constant barrage of deny packets averaging one a minute. I haven't as yet exported into Excel to calculate the unique IP daily totals. But I would expect that if this were a botnet that they have sufficient numbers to successfully DDoS us.

i hope you plan on reporting every single one... these people shouldn't be allowed to have internet access if they intend on wasting it on random ddoses... i agree with their cause (anti-censorship), but the end doesn't justify the means.

Since 1 Sept 2009 00:00:00 EST (Local Time) 3213 unique IP addresses attempted access to tcp/445, 3169 of which performed this only one time. 5 IP addresses, all of which are in Australia, have attempted the access numerous times, the greatest 44 times.
