Mastercard, Visa and Paypal: Revenge for Wikileaks

Yesterday, Mastercard, Visa and Paypal were attacked by a Distributed Denial of Service (DDoS) attack. The idea of this sort of attack is that you throw lots and lots of packets at the system you're trying to attack in order to overwhelm it. The tricky part to defend against is that the attack comes from many, many IP addresses, so you can't just filter the attacking IP address. Embarrassing for them because their website (and other bits of infrastructure) went down under attack.

The reason I'm bringing this up is two fold. It's different from previous attacks.

Firstly, it's a little worrying that key parts of these large companies infrastructure like this isn't being protected against this stuff. It's complicated to do well, but there are good products out there to do it. Radware have an excellent DDoS engine in their products for instance, as do several others. As the packets used to attack the system are generated by the same tool, it's usually possible to identify patterns and block them (hint: the SYN packets all look similar if not the same).

Secondly, the attacks have been launched from systems sourced in a different way to the usual infect-and-own botnets. The botnet that is being used to generate these attacks has been built, in part at least, by volunteers. Objectors to the way in which WikiLeaks has been treated have ganged together and installed a piece of botnet control software. This is a new attack vector and worth thinking about. It's a more nefarious use of spare CPU and network bandwidth than SETI@Home or other cancer-busting distributed computing tools.

I heard the 22 year old 'hacker' known as ColdBlood - probably, c0L|)bL00|), sigh - talking on Radio Four this morning about how the group Anonymous are responsible. Not only did he make himself sound rather dumb technically but he also has no idea what his own politics are.. In response to a direct question about "What are your politics?", he paused and then verbally shook his head to explain that he "doesn't know." Honestly, if you're going to make a stance on something at least know a) why and b) what you're talking about.

It's still an interesting attack model, and I'll be watching how this progresses.