Jester Unveils XerXeS Automated DoS Attack

Wednesday, February 10, 2010

Anthony M. Freed


By Anthony M. Freed, Director of Business Development at Infosec Island

Anti-jihadi hacker The Jester (th3j35t3r) continues his campaign against militant Islamic websites, and now reveals the development of an automated version of his DoS attack, which he calls the XerXeS project.

While most of the conversations concerning Jester are regarding the ethics and lawlessness of his crusade, no one has addressed the fact that The Jester has developed an attack technique that could be employed against our own critical systems.

I asked The Jester to explain a little more about how he first developed the DoS attack, what implications the addition of autonomous AI features will have for his effectiveness, and his thoughts on our ability to defend against such attacks should the method be adapted by comparatively more rogue elements than himself.

Q:  How did you first develop your DoS technique?

A:  Okay it started with a little script I wrote a while back to harden-test servers. I modified this script, and it was just a nasty script, very cumbersome. When I realized the extent of the jihad online recruiting and co-ordination involvement (much later), I realized I could turn this script into a weapon.  But the problem with that was it took me constantly shell hopping and wasn’t very user friendly. Now I have started on project XerXeS, an intelligent frontend with the ability to hit multiple targets autonomously.

Q:  What about collateral damage to third party systems?

A:  Many people worry about the nodes between me and the target. This technique affects nobody but the intended target. All intermediaries remain unaffected.

Q:  Have you tested XerXeS on a live target yet?

A:  I just did another live-firing test of XerXeS and posted on Twitter.  It went well.  In fact, I really want to do another one right now. Check out almaghrib.org – I will demonstrate on them for you. They will be flat-lining in a minute. I like this one, it’s kind of tricky, but I am building in a little artificial intelligence to my method so I can run it unattended. It can now detect a system attempting to fight-back and adjust to overwhelm it.

Q:  Are you running the attack now?

A:  Yes, they just hit back again but to no avail. I need to tweak XerXeS a little bit still, but it is definitely going to work completely unattended when it’s done. Refresh the site now - they are down!

Q:  So the automation does not hinder your technique’s effectiveness?

A:  No, not at all. Each new wave uses a different IP (location). It starts with just one, but ramps it up if it detects system counter-measures.

Q:  So XerXeS uses a graduated attack?

A:  Yes, it starts off nice and slow, which usually takes a site down in less than 30 seconds. But if it can’t take the target out in 30 seconds, it triggers the AI and adjusts the attack.

Q:  Do you still have to identify the targets first, or does it automatically search and destroy?

A:  Right now I specify targets. It’s better that way, and safer, as I can’t afford any false-positives.

Q:  So XerXeS can be set up to take down multiple targets at random intervals, and really drive your targets nuts?

A:  Oh yes! This is how I will render their websites undependable for coordinating terrorist activities. I am building a nice simple GUI and adding elements of AI that can auto-detect if the target 'wakes up' during a strike and counter that autonomously. I am also adding the ability for the software to halt the attack after any specified time period.

Q:  Will XerXeS increase the frequency of your attacks?

A:  Yes. The frequency of my attacks is currently limited to the time I have to spend on this project. XerXeS will make the attacks less of a shell-hopping exercise, and more of a fire and forget exercise.

Q:  What are the implications if something like XerXeS was combined with a large zombie network, and coordinated against critical U.S. infrastructure, like our communications, power grids, or financial systems?

A:  XerXeS requires no zombie network or botnet to be effective. Once a single attacking machine running XerXeS has smacked down a box, it's down; there is no need for thousands of machines. But XerXeS does not hurt intermediary nodes along its path to the target. So the answer is that such institutions’ systems would still be intact, as it causes no collateral damage, just not functional.

Q:  So something like XerXeS in the wrong hands could be a serious threat?

A:  Even if someone were stupid enough to hit critical targets like those, they couldn't keep it up forever, and the nature of XerXeS ensures no data or systems would be physically harmed. Someone would have to be really dumb to hit those kinds of targets.

Q:  Is it likely another hacker with less noble intentions may soon replicate your technique?

A:  Yes, this could happen; the technology for this type of activity has existed for years, it’s just the particular way I happen to put it all together. I combined various methods and technologies into a single weaponized product - that is where the real difference lies in my methods. I would be a fool to think I am the only one developing this type of gadget. I am just the only one who tweets about it!

Q:  How easily could we defend our systems from such attacks?

A:  Web delivery servers could theoretically defend temporarily, but then XerXeS learns from each, in effect modifying the fine tunable aspects of the strike, just like cutting a new key to fit a lock.

Q:  What role will you play in helping the good guys prepare and defend against something like XerXeS?

A:  Regarding helping the good guys defend against such an attack, I can guarantee that no bad guy has this in his arsenal yet, and no bad guy will ever get it from me. I have not been approached directly by any sec/mil/spook types, but if that happens I would be glad to help out. Preferably, they would approach me with a signed immunity from prosecution document. I am not going to just throw myself to the wolves.

Q: Do you feel like Oppenheimer did after they successfully tested the atom bomb – like you let the genie out of the bottle?

A:  No. I don't presume to think I am as clever as Oppenheimer; this is part of the evolution of things, and not just in IT terms. If it wasn't for hackers fuelling the solutions that make for better security, we would still be using abacuses. It's just the way it is. But the XerXeS Project is specifically only aimed at disrupting the online communication channels of Jihadists enough for them not to be able to rely on them anymore, and nothing else.

Q: Do you want to add anything else?

A:  I want the emphasis to be on the reason for this project. I don't mind talking about XerXeS, but I need the true message to get out. If it wasn’t me and XerXeS, I am sure there must be others like me. I am sure there is an element of your readers who are interested in the 'how', but the issue really is the 'why'. Project XerXeS is an ongoing project that is a means to an end. The end goal is to disrupt the online communications, recruitment and co-ordination efforts of international and homegrown terrorists.

Conclusion

Now some questions for our readers: Based on what little we know of The Jester’s XerXeS DoS attack, what are the implications for our own network security should this technique be employed by nefarious hackers against us? 

Does The Jester’s conditional offer of cooperation warrant the extension of some sort of immunity in exchange for critical information that could be employed both against “enemy” systems and also in defense of our own?

And is there a place in our cyber defense strategy for virtual mercenaries?

Fred Williams: How could these defensive tactics help thwart this type of attack?

1) Honeypots - put a honeypot on the perimeter of your network. The Jester would be tempted to attack this box instead of the real production servers?

2) Load balancing on the webservers - if a DoS attack brings down one or two servers in the cluster, route all traffic to the underutilized servers and potentially shut down the vulnerable ones?

3) Proxy servers or NAT - the idea is to hide the real IP addresses and only publish the IP address of the proxy? This way if Jester is targeting XerXeS at an IP, it would be the IP of the proxy server?

Fascinating stuff, Anthony!
Anthony M. Freed: Wow - great analysis! I am but a humble writer and researcher - hoping some more of you technical wizards out there will chime in with your theories on Jester's DoS attack method, as well as possible mitigation efforts that can be deployed to defend against such attacks. Thoughts?
Fred Williams: I'm no techno wiz by any means. However, I can see where traditional defenses against other DoS attacks could be used to thwart Jester's DoS attack. A simple IDS rule set up to measure the amount of packets arriving at a destination IP, with an action of closing the door, may work also.
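As an added example (not code from the article, the commenters, or XerXeS itself), the destination-rate rule Fred sketches above, written out in Python with constructed log lines and assumed thresholds. It keeps a per-source counter beside the per-destination one, since the interview says each wave comes from a different IP: a per-source rule alone is blind to address rotation, while the per-destination total still exposes the flood.

```python
"""Destination-rate flood detection over web-server access logs.

Added example, not code from the article, the comments, or XerXeS. It
implements the rule Fred Williams sketches: count requests reaching a
destination inside a sliding window and alert when the count exceeds a
threshold. A per-source counter is kept as well, because the interview
says each wave uses a different IP: a per-source rule alone is blind to
address rotation, while the per-destination total still shows the flood.
Log format, window and thresholds are assumptions; sample lines are constructed.
"""
from collections import defaultdict, deque


def parse_line(line):
    """Assumed log format: '<epoch_seconds> <src_ip> <dst_ip> <request>'."""
    ts, src, dst, _request = line.split(" ", 3)
    return int(ts), src, dst


def detect_floods(lines, window=10, per_src=20, per_dst=40):
    """Return (time, kind, key) alerts in log order; each key alerts once."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, src, dst = parse_line(line)
        for kind, key in (("src", src), ("dst", dst)):
            q = recent[(kind, key)]
            q.append(ts)
            while ts - q[0] >= window:  # expire timestamps outside the window
                q.popleft()
            limit = per_src if kind == "src" else per_dst
            if len(q) > limit and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((ts, kind, key))
    return alerts


def sample_log():
    """Constructed traffic: slow background noise to 192.0.2.10, then three
    waves of 15 requests each, every wave from a new source, 9 seconds total."""
    lines = [f"{t} 203.0.113.{t % 7} 192.0.2.10 GET /" for t in range(0, 60, 3)]
    for wave, src in enumerate(("198.51.100.1", "198.51.100.2", "198.51.100.3")):
        base = 100 + 3 * wave
        lines += [f"{base + i % 3} {src} 192.0.2.10 GET /?{i}" for i in range(15)]
    return sorted(lines, key=lambda l: int(l.split(" ", 1)[0]))


if __name__ == "__main__":
    # Default thresholds: no single source trips per_src, the destination does.
    print(detect_floods(sample_log()))  # [(108, 'dst', '192.0.2.10')]
```

Lowering per_src to 10 makes each wave's source trip its own alert too, which shows why both counters are worth keeping.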
dgonzalez: This is by far one of the most interesting posts I have read online in some time. I can’t begin to fathom the thought of what sort of methodologies are behind Jester's methods… I have to say I am very intrigued. On another note, regarding his ethics, is it wrong? Maybe, but how wrong are the people who he is targeting? If there was a Jester for all the “BAD GUYS” (spammers, child p**n sites, scammers, etc…) the interweb would be a better place.

MHO
Regards