I had an interesting demonstration this evening from a hacker who goes by the handle “The Jester” or, in so-called l33t speak, th3j35t3r, which is his Twitter ID. Since January 1, The Jester has been systematically wreaking havoc with several websites he associates with Al Qaeda and jihadists via a Denial of Service attack delivered over the web through an anonymizer service.
Since the beginning of 2010, The Jester has been documenting his attacks against www.alemarah.info, www.radicalislam.org, islamicpoint.net, www.almaghrib.org, www.as-ansar.com, www.islamicnetwork.com, www.islamicawakening.com and www.ansarnet.info.
Early today he posted:
Official Presidency Website of Iran (www.president.ir) will be unavailable for the next 40 minutes, due to their oppressive Islamic regime.
I approached The Jester through DM and provided my email address. I wanted to understand his(?) motivations and intentions. These are still not completely clear but this post sums it up.
The Jester is taking on radical Islam through the web.
Via email he told me:
Hi again Richard,
Forgive me if I may sound vague on any of the following, as you can probably understand I need to protect my own identity for the moment.
I am an ex-soldier with a rather famous unit, country purposely not specified. I was involved with supporting Special Forces, I have served in (and around) Afghanistan amongst other places. Since 'leaving' the government's payroll, it has occurred to me that the bad-guys are in fact starting to utilize the web more and more as a recruitment, communication, and propaganda medium.
I have been and continue to develop methods and tools to disrupt, mis-inform and obstruct this kind of terrorist activity. Kinda like taking them down from the inside, and using my weapon of choice. The method I have used to take-down the sites mentioned on twitter is rather special, its only downfall right now is that it is obviously only temporary disruption. But I can however take down and put back their sites at will. The attack is like a DDOS attack, except without the first 'D'.
There is nothing 'distributed' about this. It is possible with very low bandwidth and a single low-spec linux machine.
I am still refining the tool, but if you check right now - www.alemarah.info is in fact temporarily down, until I decide to bring it back.
The idea here is to target known sites and cause much trouble, but not be destructive and defacing. It's a very surgical strike and causes no collateral or long-term damage.
The Jester makes a point that he is not defacing web sites, a practice he denounces as mere graffiti.
We had a brief IM conversation this evening. He wanted to demonstrate his Denial of Service tool, which he says works at layer 7 (the web layer) and which he launches from his Linux server. For now, a defense is simply to block his attacking IP address, though that is easy for him to get around since he already routes the attack through a web proxy. I gave him permission to whack ThreatChaos but, thanks to my recent move to MediaLayer, he found that www.threatchaos.com was in the 10% of web sites he could not take down (woot! I'm good.) While I was searching through a couple of other domains of mine he suggested that he take down http://mbna.co.uk, a banking site.
[17:34] thejester: I choose jihad supporters personally, but for the purposes of this demo I will hit anything for a few seconds.
[17:34] thejester: I need you to know I dont own the domains.
[17:34] stiennon: right
[17:35] thejester: how about MBNA.co.uk?
[17:35] thejester: now do you think I own a bank?
[17:35] thejester: a bank owned by bank of america?
[17:35] stiennon: don't do that! Might lose somebody some money.
[17:36] thejester: its real temporary
[17:36] thejester: and surgical, no harm done once I kill the attack
[17:36] stiennon: http://fastcabins.com/ but that is at tumblr.com
[17:37] thejester: hows mbna.co.uk looking?
[17:38] stiennon: not so good.
[17:38] thejester: okay its back in a few seconds.
[17:38] stiennon: connection interrupted
The MBNA site was down for only about ten seconds. I suggested he take down a friend’s site, which he did. It took about 30 seconds for him to launch the attack, which lasted 30 seconds. I am still going through the logs from that site, but I could see the requests coming from the anonymizer site.
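The defense mentioned above, blocking the attacking address, starts with finding it in the access log. The script below is an added example written for this post; it is not The Jester's tool and not code from the original article. It reads Apache/nginx combined-format access-log lines, keeps a sliding per-IP window, flags any source whose request count within ten seconds crosses a threshold, and lists the busiest sources. Every log line, address and rate in it is constructed for the demo (documentation-range IPs, with 203.0.113.7 standing in for the proxy exit).

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; the constructed sample lines below use it:
# 203.0.113.7 - - [13/Jan/2010:17:37:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def flag_floods(lines, window_seconds=10, threshold=50):
    """Sliding-window request-rate check per client IP.

    Returns {ip: peak} for every IP whose request count inside any
    window_seconds-long window reached threshold; peak is the largest
    such count seen. Lines are assumed to be in chronological order,
    as a live access log is. A layer-7 flood from one low-bandwidth
    host shows up here as request count, not as bytes transferred.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def top_sources(lines, n=3):
    """Total requests per client IP, most active first."""
    counts = Counter(r["ip"] for r in map(parse_line, lines) if r)
    return counts.most_common(n)


def make_sample_log():
    """Constructed sample log (not real traffic): 30 seconds of light
    legitimate browsing plus a 10-second burst of 20 requests per second
    from a single address, 203.0.113.7, standing in for a proxy exit."""
    tz = timezone(timedelta(hours=-5))
    start = datetime(2010, 1, 13, 17, 37, 0, tzinfo=tz)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    lines = []
    for s in range(30):
        ts = (start + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        if s % 3 == 0:
            lines.append(fmt % ("198.51.100.10", ts, "/"))
        if s % 5 == 0:
            lines.append(fmt % ("198.51.100.11", ts, "/about"))
        if 10 <= s < 20:
            lines.extend(fmt % ("203.0.113.7", ts, "/?r=%d" % i) for i in range(20))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("busiest sources:", top_sources(log))
    print("flooding IPs:", flag_floods(log))
```

On the constructed sample the burst source is the only address flagged. Two caveats apply in practice: the threshold has to be tuned to a site's normal traffic, and when the requests arrive through an anonymizer the address you block is the proxy's exit, so the block also drops that proxy's legitimate users and the attacker can simply move to another exit, which is why the post calls this only a stopgap.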
The identity of The Jester remains a mystery. Towards the end of our conversation he posed an interesting question:
[17:48] thejester: my question to you is, am I a baddie?
Tough question. In the absence of a lawful society, is vigilantism wrong? Certainly there are many players on both sides of cyber conflicts who feel strongly about their purpose. But in the final analysis I have to say that taking down websites is unlawful and wrong. And, in this case, taking down jihadist sites may hurt The Jester’s cause.
In the age-old battle between generals and spies there is a similar conflict. The spies want to preserve their sources; the generals want to take them out. I imagine that counter-terrorism groups around the world rely on the sites that The Jester is targeting for valuable information, information that could lead to the capture of the next Christmas Bomber.
So my message to The Jester (I know you are reading this since I sent you the link!):
Come in from the cold. Work with counter-intelligence and counter-terrorism teams to further your vendetta.