
SANS ISC: Possible DDOS on gov.au sites starting tonight? - Internet Security | DShield SANS ISC InfoSec Forums


Possible DDOS on gov.au sites starting tonight?

The group Anonymous, which was reported to be responsible for the attack on Scientology sites, now has the Australian Government in its sights. In 2008 the Australian Government decided that the internet should be filtered, and it is running trials with a number of ISPs. There is a fair amount of resistance to this practice within Australia, for a number of reasons. You can read the government position here (http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering). This Wikipedia article has more information on the issue as well (http://en.wikipedia.org/wiki/Internet_censorship_in_Australia).

In addition to opposition to this scheme within Australia, it looks like the group Anonymous has also become involved. A web site, 09-09-2009.org, was set up, and it looks like activities are coordinated through another web site. The crux of their demands is for the senator responsible for the filtering scheme to resign and for the plans for filtering to be abandoned, or else.

The "or else" is a DDoS attack on Australian government sites starting at 9.00 am GMT, which is 7.00 PM on the east coast. Fax machines and phone lines may also be targeted. Some "interesting" activity has been observed on some of the networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure you have your incident handling processes ready, and make sure that servers and other perimeter devices are patched so they are better able to resist attack. You may want to have your ISP's contact details handy in case you need them to stem the flow of traffic. If your infrastructure is outsourced, consider asking the outsourcer what plans they have in place should anything happen. Most importantly, decide whether switching off the site in the face of an attack is an option for you.

Mark H

Mark

391 Posts
ISC Handler
You said that it's supposed to start at 9:00 am GMT which is 7:00 pm on the East Coast. I'm assuming you mean Australia time by that? Since 9 am GMT would be 5:00 am EDT.

Have a great day:)
Patrick.
Anonymous
Our site is a .gov.au site. I have been noticing a marked increase in tcp/445 traffic and also probes from within Australia (telnet, vnc, etc.). It should be interesting to see what's going to happen.
Anonymous
Being in AU I was referring to my east coast ;-)
7.00 pm EST
Mark

391 Posts
ISC Handler
The Twitter account AnonymousHH is definitely linked to the website 09-09-09.org. I'm in Tassie local govt.
Mark
6 Posts
Sorry for the duplicate posting; Firefox resent the post after I clicked on the resend button...

A quick analysis of my logs regarding tcp/445 reveals a constant barrage of deny packets averaging one a minute. I haven't as yet exported into Excel to calculate the unique IP daily totals. But I would expect that if this were a botnet that they have sufficient numbers to successfully DDoS us.
Mark
6 Posts
I hope you plan on reporting every single one... These people shouldn't be allowed to have internet access if they intend on wasting it on random DDoSes... I agree with their cause (anti-censorship), but the end doesn't justify the means.
Anonymous
Since 1 Sept 2009 00:00:00 EST (Local Time) 3213 unique IP addresses attempted access to tcp/445, 3169 of which performed this only one time. 5 IP addresses, all of which are in Australia, have attempted the access numerous times, the greatest 44 times.
Anonymous
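
The tally discussed in the comments above (unique source IPs denied on tcp/445, how many appeared only once, and which ones keep coming back) can be scripted instead of exported to a spreadsheet. This is an added example, not part of the original thread; the log line format, the `summarize` function and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log; the line format is an assumption,
# adapt LINE_RE to whatever your firewall actually writes.
SAMPLE_LOG = """\
2009-09-07T23:58:10 DENY TCP src=198.51.100.7 dst=192.0.2.10 dport=445
2009-09-08T00:01:44 DENY TCP src=203.0.113.5 dst=192.0.2.10 dport=445
2009-09-08T00:02:45 DENY TCP src=203.0.113.5 dst=192.0.2.10 dport=445
2009-09-08T00:03:12 DENY TCP src=198.51.100.7 dst=192.0.2.10 dport=23
2009-09-08T00:04:02 DENY TCP src=203.0.113.9 dst=192.0.2.10 dport=445
2009-09-08T00:05:30 ALLOW TCP src=203.0.113.77 dst=192.0.2.10 dport=80
2009-09-08T00:06:00 DENY TCP src=203.0.113.5 dst=192.0.2.10 dport=445
garbage line that does not parse
2009-09-09T09:00:01 DENY TCP src=203.0.113.5 dst=192.0.2.10 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<action>\w+) (?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)

def summarize(log_text, port=445, repeat_threshold=3):
    """Tally denied TCP hits on `port` per source IP, overall and per day."""
    totals = Counter()            # source IP -> number of denied attempts
    per_day = defaultdict(set)    # day -> set of source IPs seen that day
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the run
        if m["action"] != "DENY" or m["proto"] != "TCP" or int(m["dport"]) != port:
            continue
        totals[m["src"]] += 1
        per_day[m["day"]].add(m["src"])
    return {
        "unique_sources": len(totals),
        "single_hit_sources": sum(1 for n in totals.values() if n == 1),
        # Sources at or above the threshold, busiest first
        "repeat_sources": sorted(
            ((ip, n) for ip, n in totals.items() if n >= repeat_threshold),
            key=lambda t: -t[1]),
        "unique_per_day": {d: len(s) for d, s in sorted(per_day.items())},
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A sudden jump in `unique_per_day` against a stable baseline is the number to watch; a large share of single-hit sources, as in the figures quoted above, is more typical of background scanning than of a coordinated flood.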
