Message-ID: <44E35A18.6010903@sdf.lonestar.org>
Date: Wed, 16 Aug 2006 13:47:04 -0400
From: bkfsec <bkfsec@....lonestar.org>
To: Rowland <rowland-wind@...cast.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Much Ado Over Whether Lieberman Campaign Site Was Hacked
Rowland wrote:
>Some questioning of the Kos version here:
>
>http://www.brendanloy.com/2006/08/apparent-dos-attack-takes-out-lieberman-website.html
>
>On Tue, 2006-08-08 at 15:21, kaiser scapegoat wrote:
>
>>MSNBC has been reporting that the Lieberman campaign site was hacked. There
>>have been numerous theories on this since it was reported yesterday. Thought
>>you all might be interested in the attempt at technical analysis taking
>>place on Daily Kos:
>>
>>http://www.dailykos.com/story/2006/8/8/144119/5628
>>
The "www.brendanloy.com" rebuttal is actually relatively poorly written
and ignores a lot of the facts that existed on the ground on that day.
I had the opportunity on that day to look into the events and, though
I'm not part of either campaign, I was intrigued by the possibility that
a DDoS could have been happening during a political campaign like
that. And I can say that from the facts on the outside, it doesn't
appear that the site was actually under DoS... consider the following
facts, as they were shown on the day:
1. The site was down for an extended period of time -- far longer than
it takes to handle a basic DDoS...
2. Ping tests to www.joe2006.com returned normal or excellent results.
3. Ping tests to the IP of www.joe2006.com returned normal or excellent
results.
4. There was no lag accessing the service site for the ISP - OK, that
could be explained via the use of separate networks on each, but is
still not indicative of a DDoS.
5. Attempts to manually access the mail server for joe2006.com (not run
by myself, run by others) showed no issues with attempting to relay
mail. (This is pretty damning considering the fact that the Lieberman
campaign claimed its mail server was entirely down and they were
incapable of sending e-mail back and forth.)
6. At various points during the day, the content of the site changed...
at the beginning of the day, we had the "billing/support" message that
everyone posted screenshots of... then in the middle of the day,
something odd happened and messages from the Lieberman campaign appeared
on the site that claimed that the site was being attacked by the Lamont
campaign, essentially, and those messages changed about once every ten
minutes... then after a little while all of those went away and the site
reverted to a new account template, or so it seemed. It's important to
note that there wasn't any lag accessing the site when the messages were
coming up.
At the beginning of the day, some Lieberman staffers seemed to be
reporting that they were hacked and that the site was defaced, oddly
referencing a defacement from July and claiming it was happening on the
day of the primary... and others were claiming that the site was under
DDoS and their mail server was down. Conflicting stories don't bode
well, but could be explained through confusion.
While I can't say that it wasn't a hack or a DoS, I can say that from
that gathered information, it doesn't look like a classical DDoS. I do
have an alternate theory, though, based entirely on conjecture and
considering the environment at the time -- The day before the primary,
when the site is first reported to have gone down, not anticipating
extreme traffic, the Lieberman site hit its bandwidth limit. As is
normal, traffic will spike at a candidate's site just before the
primary/election. (It was reported that day that the Lamont site saw a
similar spike in traffic, and had no difficulties.) Having run out of
bandwidth allotment, all the blogs lit up with news of "Joe-mentum's site
is down!" and everyone and their mother opened up their browser and
typed "www.joe2006.com" and, sure enough, the message about contacting
support/billing came up.
At this point, the hosting site would begin to show an odd and extreme
spike in traffic to the site that was not a pattern for its history.
Hits from, probably, all over the world would be coming into the site.
People were also reporting that they were pinging and portscanning the
site; this would only add to the confusion at the hosting center. An
amateur admin might have the initial gut reaction that "this looks like
a DDoS", because it kind of would to them, especially considering the
fact that people were refreshing their connections to see if the site
was really down for good or not. The campaign would then have upped
their bandwidth allotment at that point and thus, they started posting
nasty messages about being attacked.
I'll leave it to conjecture as to whether it was confusion or spin that
was the driving factor.
However, allow me to consider the possibility that what Joe-mentum's
staff was saying was entirely true. Ask yourself the following
question: Do you want a Senator who can't even handle a basic DDoS
attack on his site on a primary day to be a part of handling response to
a terrorist attack (and/or forming policy towards the handling thereof)?
With all his tough talk about who's best to defend America, here we have
a turncoat traitor who can't even defend his campaign site...
-bkfsec
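The checklist in the message above (ping latency normal, the IP answering, HTTP serving a hosting-provider "contact billing/support" template, SMTP still relaying, an outage lasting far longer than a typical flood) is essentially a triage rule for telling a bandwidth cap or account suspension apart from a volumetric DDoS. As an added example, not code from the original post or from anyone in this thread, the following Python script encodes that reasoning over a small set of observations. The `Observation` fields, the `SUSPENSION_MARKERS` strings and the latency thresholds are assumptions chosen for illustration; the sample observations at the bottom are constructed, not measurements from the day in question.

```python
"""Availability triage: does the evidence fit a volumetric DDoS, a hosting-side
quota cap/suspension, or a host that is simply down?  Added illustration of the
checklist in the post; not code from the original message."""
from dataclasses import dataclass
from typing import Optional, List, Tuple
import socket
import time

# Phrases typically found on a hosting provider's "account limited" page (assumed list).
SUSPENSION_MARKERS = ("billing", "support", "account", "suspended", "bandwidth")

# Latency thresholds are illustrative assumptions, not measured values.
SLOW_ICMP_MS = 500.0
SLOW_TCP_MS = 3000.0
LONG_OUTAGE_HOURS = 24.0


@dataclass
class Observation:
    icmp_rtt_ms: Optional[float]       # None = no ICMP reply at all
    tcp80_connect_ms: Optional[float]  # None = TCP connect to port 80 failed/timed out
    http_status: Optional[int]         # None = no HTTP response received
    http_body_snippet: str             # first few hundred bytes of the body, "" if none
    smtp_banner: bool                  # port 25 answered with a 220 greeting
    outage_hours: float                # how long the site has been reported down


def classify(o: Observation) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).  Verdict is one of:
    'host-down', 'volumetric-ddos', 'quota-or-suspension', 'inconclusive'."""
    reasons: List[str] = []

    # Nothing answers on any layer: either the host is off or the link is saturated
    # beyond the point of replying; we cannot tell which from the outside.
    if o.icmp_rtt_ms is None and o.tcp80_connect_ms is None and not o.smtp_banner:
        reasons.append("no ICMP, TCP/80 or SMTP response")
        return "host-down", reasons

    # A saturated pipe degrades every service on it, so replies exist but are slow.
    if (o.icmp_rtt_ms is not None and o.icmp_rtt_ms > SLOW_ICMP_MS) or \
       (o.tcp80_connect_ms is not None and o.tcp80_connect_ms > SLOW_TCP_MS):
        reasons.append("network replies present but badly degraded")
        if o.outage_hours > LONG_OUTAGE_HOURS:
            reasons.append("outage unusually long for a basic flood; check upstream mitigation")
        return "volumetric-ddos", reasons

    # Network is healthy, the web server answers promptly with a provider template,
    # and mail still relays: that pattern fits a quota cap or suspension, not a flood.
    body = o.http_body_snippet.lower()
    if o.tcp80_connect_ms is not None and o.http_status is not None \
       and any(m in body for m in SUSPENSION_MARKERS):
        reasons.append("prompt HTTP response carrying a hosting-provider notice")
        if o.smtp_banner:
            reasons.append("SMTP on the same host still answers")
        if o.icmp_rtt_ms is not None:
            reasons.append("ICMP latency normal")
        return "quota-or-suspension", reasons

    reasons.append("mixed signals; gather more evidence")
    return "inconclusive", reasons


def tcp_connect_ms(host: str, port: int = 80, timeout: float = 5.0) -> Optional[float]:
    """Measure a TCP handshake to host:port (stdlib only).  Not called in the
    constructed run below; intended for populating Observation.tcp80_connect_ms."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:
        return None


# Constructed observations (not real measurements) covering the three patterns.
PROVIDER_NOTICE = Observation(30.0, 45.0, 200,
                              "Please contact billing/support regarding this account.",
                              smtp_banner=True, outage_hours=30.0)
FLOODED = Observation(1800.0, None, None, "", smtp_banner=False, outage_hours=2.0)
DARK = Observation(None, None, None, "", smtp_banner=False, outage_hours=1.0)

if __name__ == "__main__":
    for name, obs in (("provider notice", PROVIDER_NOTICE), ("flooded", FLOODED), ("dark", DARK)):
        verdict, why = classify(obs)
        print(f"{name}: {verdict} ({'; '.join(why)})")
```

The verdict is only as good as the observations feeding it, and a single vantage point can mislead: a flood aimed at one upstream link may be invisible from a probe on the same side of it, which is one reason the post keeps the "classical DDoS" conclusion tentative.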
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/