Thursday, 9 December 2010

Operation Payback

updated on UltraDNS Anycast solution on Dec 9, 0815 EST 
updated on Visa, MC on Dec 10, 0600 EST 
Here is the follow-up to the story of Amazon, VISA, MasterCard, PayPal, SwissPost and many more companies involved in "cablegate". More than a week ago those companies took the WikiLeaks.org web page and WikiLeaks donations off-line (more: [1] [2] [3]). Today WikiLeaks' supporters are taking them down.

Due to the DDoS (Distributed Denial of Service) attack called "Operation Payback", both VISA's and MasterCard's web pages were off-line on Thursday. The people behind the so-called Operation Payback campaign are targeting all corporations that have withdrawn services from WikiLeaks.

What is DDoS?
A DoS (Denial of Service) attack is an attempt (successful in the case of VISA and MasterCard) to make a computer's resources unavailable to its users. In a DDoS (Distributed Denial of Service) attack, large numbers of computers distributed across networks attack a single target. The computers used for the attack are either compromised systems (botnets) or legitimate hosts managed by people who decide to use their machines to flood the victim. In Operation Payback most of the "attackers" were legitimate hosts deliberately used by their owners to send a large number of queries to the Visa and MC servers. A (D)DoS attack can force different services of the victim, including the web site (WWW), e-mail or transaction systems, to cease operation. In some cases a denial of service attack can also destroy files on the affected computer systems.

DDoS attacks are tools used by "hacktivists" as a form of protest or revenge (the WikiLeaks case). Today DDoS attacks are generally used by cyber criminals to profit from:
  • ransom paid by the victim to stop the attack and avoid further financial losses,
  • companies who want to knock competitors out of the market (sabotage, brand damage).
Current situation
As of December 9th, 2010, 0740 EST, VISA.com was not reachable, but at least its name servers were. By contrast, neither MASTERCARD.COM's web page nor its name servers were reachable. Because MasterCard's name servers were unreachable, it is likely that not only the web page but also e-mail service was disrupted.

UPDATE: After 8+ hours of inaccessibility, the web pages of VISA and MasterCard were back on-line.


And the winner is...
The attack on VISA and MasterCard shows that Operation Payback actually has one big winner: NeuStar's UltraDNS service. VISA made a good decision choosing UltraDNS as its DNS provider. UltraDNS uses its so-called "UltraDNS Managed DNS Service", which can advertise the same public IP addresses out of multiple machines and networks. By using IP Anycast, UltraDNS brings the answers to a DNS query closer to the end user, and it becomes far more likely that the query will reach its destination and be responded to quickly. IP Anycast makes DDoS attacks much more difficult, requiring more botnets or attacking computers to be involved in the attack. As UltraDNS puts it: "IP Anycast and BGP protect our network from security threats and Distributed Denial of Service attacks. Because queries are routed based upon where they enter the UltraDNS network, DDoS attacks will be 'distributed' amongst our servers, thus 'diluting' the strength of any DDoS attack."
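To make the "dilution" argument concrete, here is an added toy model (not code from the original post or from UltraDNS): it routes each attack source to its nearest anycast site and compares the per-site load with what a single unicast server would absorb. The site names, capacities and network distances are constructed sample values, and nearest-site selection stands in for BGP route selection.

```python
"""Toy model of how IP Anycast dilutes a DDoS against authoritative DNS.

Added example, not part of the original post or of UltraDNS's software.
Assumes: a set of anycast sites, each with a fixed capacity in queries per
second (qps), and attack sources whose traffic lands at the nearest site
(modelled as the site with the smallest constructed network distance).
"""
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    capacity_qps: int
    distance: dict  # constructed "distance" from each source region


def route_anycast(sources, sites):
    """Per-site load when every source's qps goes to its nearest site."""
    load = {s.name: 0 for s in sites}
    for region, qps in sources.items():
        nearest = min(sites, key=lambda s: s.distance[region])
        load[nearest.name] += qps
    return load


def route_unicast(sources, site):
    """Without anycast, every source reaches the single advertised site."""
    return {site.name: sum(sources.values())}


def overloaded(load, sites):
    """Names of sites whose load exceeds their capacity, sorted."""
    cap = {s.name: s.capacity_qps for s in sites}
    return sorted(n for n, q in load.items() if q > cap[n])


# constructed sample: attack traffic (qps) originating from four regions
ATTACK = {"eu": 30_000, "us-east": 40_000, "us-west": 25_000, "apac": 20_000}

SITES = [
    Site("ams", 50_000, {"eu": 1, "us-east": 5, "us-west": 8, "apac": 9}),
    Site("iad", 50_000, {"eu": 5, "us-east": 1, "us-west": 4, "apac": 8}),
    Site("sjc", 50_000, {"eu": 8, "us-east": 4, "us-west": 1, "apac": 5}),
    Site("sin", 50_000, {"eu": 9, "us-east": 8, "us-west": 5, "apac": 1}),
]


def compare(sources=ATTACK, sites=SITES):
    """Return (unicast_overloaded, anycast_overloaded) site name lists."""
    uni = route_unicast(sources, sites[0])
    any_ = route_anycast(sources, sites)
    return overloaded(uni, sites), overloaded(any_, sites)
```

With the sample figures the same 115,000 qps flood takes the lone unicast server down but leaves every anycast site under capacity; doubling one region's traffic still only affects the site nearest to that region.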


VISA.COM - ping on Dec 9, 0815 EST
Ping 72.52.5.101
[visa.com]
Timed out
Destination network unreachable
Timed out
Timed out
Destination network unreachable
Destination network unreachable
Timed out
Timed out
Destination network unreachable
Timed out

Average time over 10 pings: 0 ms



VISA.COM - Name Servers query on Dec 9, 0815 EST
Retrieving DNS records for visa.com...
DNS servers
pdns3.ultradns.org
pdns2.ultradns.net
pdns1.ultradns.net
pdns6.ultradns.co.uk
pdns5.ultradns.info
pdns4.ultradns.org


Answer records
Name              Type  Value                                                          TTL
visa.com          TXT                                                                  3600s
visa.com          TXT   v=spf1 ip4:198.80.42.3 ip4:198.241.159.4 ip4:69.20.125.232 ip4:198.241.175.106 ip4:216.251.253.98 ip4:67.208.216.61 ~all  3600s
visa.com          SOA   server: pdns1.ultradns.net, email: hostmaster@visa.com, serial: 2010120909, refresh: 10800, retry: 3600, expire: 604800, minimum ttl: 300  300s
visa.com          A     72.52.5.101                                                    300s
visa.com          MX    preference: 10, exchange: portal5.visa.com                     3600s
visa.com          MX    preference: 10, exchange: portal2.visa.com                     3600s
visa.com          MX    preference: 10, exchange: portal1.visa.com                     3600s
visa.com          NS    pdns6.ultradns.co.uk                                           86400s
visa.com          NS    pdns5.ultradns.info                                            86400s
visa.com          NS    pdns4.ultradns.org                                             86400s
visa.com          NS    pdns3.ultradns.org                                             86400s
visa.com          NS    pdns2.ultradns.net                                             86400s
visa.com          NS    pdns1.ultradns.net                                             86400s

Authority records

Additional records
portal5.visa.com  A     198.241.174.138                                                3600s
portal2.visa.com  A     198.241.159.3                                                  3600s



MASTERCARD.COM ping on Dec 9, 0815 EST
IP address:
Error: Try again

Host name: mastercard.com
Alias:
mastercard.com



TraceRoute to [mastercard.com]
Hop  (ms)  (ms)  (ms)  IP Address  Host name
Trace complete

Retrieving DNS records for mastercard.com...
DNS servers
dns2.mastercard.com [209.64.210.34]
dns1.mastercard.com [216.119.210.196]

DNS server returned an error: Name server failed

4 comments:

  1. It's hard to understand why MasterCard is using only two(!) name servers.

    Bart

  2. hahah yeah funny and the people behind it are on Facebook..
    http://www.facebook.com/pages/Operation-Payback-WikiLeaks/137281102994460

  3. but yet Facebook did not remove the WikiLeaks fanpage

    http://www.facebook.com/wikileaks

  4. At least they don't publish "copyright protected" (=belonging to USG) documents on FB. But anyway, Mark Zuckerberg is unpredictable ;)
