I read that the Pentagon was looking into ways to take down Wikileaks, but ultimately decided to do nothing. There was talk of Cyber Command getting involved, and this got me wondering if those in charge realize what they are trying to do. Several politicians have spoken out, but it’s clear they don’t grasp the concepts involved. It isn’t as simple as finding one server and turning off the power. Without even exploring the legal issues with active attacks, lots of research has to be done to determine what exactly needs to be accomplished to shut down a website. I’ve found the more you understand the intricacies of the operation, the more complicated the task becomes. When you want to take down a website like Wikileaks, there is more involved than flipping a switch. Here’s a high-level operations plan for a scenario like shutting down Wikileaks.
Goal:
First we need to decide the end result. Are we trying to shut down a single webserver? Shut down the wikileaks.org domain? Are we targeting specific information that we don’t want people to see? Are we trying to do this as fast as possible? Can we take our time and covertly infiltrate the Wikileaks organization? Are we just trying to make the entire site inaccessible to everyone? Are we trying to destroy their ability to disseminate any information? Is this a political exercise, or are we prepared to use methods that the world would consider cyberwar?
Applying political pressure may work in the US or in NATO countries, but eventually the target will move to a location that doesn’t want to cooperate. Amazon kicked Wikileaks off its service, but the site quickly moved. http://www.guardian.co.uk/media/2010/dec/01/wikileaks-website-cables-servers-amazon
Let’s say we want to prevent anyone from contacting wikileaks.org, we’re skipping politics, and methods short of destroying hardware are fair game. This leaves us with three vectors: vulnerabilities in the software Wikileaks runs, DNS, and network disruption. With these guidelines, we need a plan.
I don’t think the planning stage is as simple as saying, let’s hijack their DNS and make the website impossible to access. A thorough operation will involve multiple attack vectors working in concert. Breaking the operation into smaller parts will allow teams to focus on their specific attack method. The tiger teams would cover software, DNS and network attacks. I won’t go into detail on each method, but I will give some potential attacks.
Reconnaissance:
For all the attack methods, we need to double and triple check that who and what we are attacking is the actual target. It’s important that we minimize collateral damage. Hitting something unrelated to Wikileaks might be an accepted risk, but it’s one thing to know that we’re affecting more than just the target and another to discover afterwards that we created a bigger mess because we didn’t research properly. Shared hosting is common, and if we took out an entire server we might bring down unrelated blogs and websites in the process. Additionally, hardware located in foreign countries presents messy diplomatic problems if our methods are considered cyberwar.
Software:
Once we verify the target or targets, we need an inventory of the software and operating systems running on those devices, down to the version, since an exploit written for one release often fails against the next. With this list of information, we can use exploits that target those applications. Depending on the level of urgency, we could stick to publicly available exploits, or we could reach into our bag of tricks and use unknown zero-day vulnerabilities to bring down the software applications on one or more of Wikileaks’ systems. If we can gain access to these systems, we can lock out the system admins and reconfigure or wipe the systems remotely.
DNS:
A court order could be used to confiscate the wikileaks.org domain, but we’ve ruled that out as an option. We could use methods from the software team to disable the nameservers for the wikileaks.org domain. The issue is that even if we are able to compromise the nameservers and prevent the domain from being used, the website can easily be moved to another domain that is better protected. (I think targeting DNS is a never-ending task.) Fast flux http://en.wikipedia.org/wiki/Fast_flux is a good example of how quickly a name can be repointed: very low TTLs and a constantly rotating set of addresses behind a single hostname. We could target the nameservers with a Denial of Service (DoS) attack http://en.wikipedia.org/wiki/Denial-of-service_attack. This would stop users from resolving wikileaks.org to an IP address once cached answers expire (recursive resolvers keep serving a record until its TTL runs out), but it would not stop anyone from hitting the IP directly or going to a new domain name.
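To make the fast-flux point concrete, here is an added example (not code from the original post) that scores a series of A-record lookups for the characteristics that make a name hard to pin down: low TTLs, many distinct addresses, answers that change between queries, and addresses spread across unrelated networks. The lookups, the documentation-range IP addresses and the prefix-to-AS map are all constructed; the AS numbers are from the private range and stand in for a real routing-table or RIR lookup.

```python
"""Fast-flux indicators computed from a series of A-record lookups.

Added example, not from the original post. The lookups, IP addresses and the
prefix-to-ASN map are constructed for illustration; none of it is real
wikileaks.org data. A real monitor would replace them with repeated DNS
queries and an origin-AS lookup against a routing table or RIR data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Lookup:
    """One A-record query: seconds since start, TTL returned, addresses returned."""
    t: int
    ttl: int
    addrs: tuple


# Constructed prefix -> origin AS map (hypothetical private-range AS numbers).
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/25": 64501,
    "198.51.100.128/25": 64502,
    "192.0.2.0/24": 64503,
}


def origin_asn(addr):
    """Longest-prefix match of addr against PREFIX_TO_ASN; None if unrouted."""
    a = ip_address(addr)
    best = None
    for pfx, asn in PREFIX_TO_ASN.items():
        net = ip_network(pfx)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def fast_flux_indicators(lookups, ttl_threshold=300, min_ips=5, min_asns=3):
    """Return the raw indicators plus a verdict.

    Fast-flux networks rotate many addresses behind one name using very low
    TTLs, and the addresses are usually spread over unrelated networks.
    The thresholds are tunable assumptions, not a standard.
    """
    if not lookups:
        raise ValueError("need at least one lookup")
    all_addrs = {a for lk in lookups for a in lk.addrs}
    asns = {origin_asn(a) for a in all_addrs}
    # How often the answer set changed between consecutive queries.
    changes = sum(1 for x, y in zip(lookups, lookups[1:])
                  if set(x.addrs) != set(y.addrs))
    max_ttl = max(lk.ttl for lk in lookups)
    verdict = (
        max_ttl <= ttl_threshold
        and len(all_addrs) >= min_ips
        and len(asns) >= min_asns
        and changes >= len(lookups) // 2
    )
    return {
        "distinct_ips": len(all_addrs),
        "distinct_asns": len(asns),
        "answer_changes": changes,
        "max_ttl": max_ttl,
        "likely_fast_flux": verdict,
    }


# Constructed observations: a conventionally hosted site vs. a rotating one.
STABLE = [Lookup(t=i * 600, ttl=3600, addrs=("203.0.113.10",)) for i in range(6)]

_FLUX_POOL = ["203.0.113.5", "198.51.100.7", "198.51.100.200", "192.0.2.9",
              "203.0.113.77", "198.51.100.8", "192.0.2.44", "198.51.100.201"]
# Each query returns three addresses; the window slides by three every minute.
FLUX = [
    Lookup(t=i * 60, ttl=60,
           addrs=tuple(_FLUX_POOL[(i * 3 + k) % len(_FLUX_POOL)] for k in range(3)))
    for i in range(8)
]

if __name__ == "__main__":
    print("stable:", fast_flux_indicators(STABLE))
    print("flux:  ", fast_flux_indicators(FLUX))
```

The verdict on the rotating data set is driven by the TTL of 60 seconds, eight distinct addresses across four origin ASes, and an answer set that changes on every query; the stable set trips none of the checks. The point for the operation is the mirror image: if the target is already run this way, no single nameserver or IP address is worth much as a target.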
Network:
From a network perspective, there are a few things we can do to prevent people from visiting the websites. Flooding the webservers with traffic, a DoS, would crowd out legitimate connections. The downside here is that you need a great deal of bandwidth and many hosts to perform this attack, and every network between yours and the target carries the flood as well.
Disrupting Border Gateway Protocol (BGP) http://en.wikipedia.org/wiki/BGP is another option, but collateral damage is more likely. Hijacking the address space for Wikileaks would be possible with the right infrastructure: an autonomous system whose upstreams will accept an announcement of the Wikileaks prefix, or of a more specific prefix, which wins by longest-prefix match regardless of how long the path is. BGP could be used to redirect their traffic to our own servers or just make requests to the website time out. BGP hijacking would get more complicated with a globally load-balanced network of webservers, since each location’s address space would have to be hijacked separately. Again, an attack platform infrastructure would have to be maintained to ensure the website was completely inaccessible.
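The two hijack shapes described above, an announcement of the target’s exact prefix from a foreign origin and a more-specific announcement that wins longest-prefix match, are also what a defender (or the attacker’s own monitoring team) would look for in route-collector data. This added example, not from the original post, checks a batch of constructed announcements against a baseline of legitimate origin ASes. The prefixes are RFC 5737 documentation space and the AS numbers are hypothetical private-range values; a real deployment would feed it from a route collector.

```python
"""Flag origin hijacks and more-specific hijacks of monitored prefixes.

Added example, not from the original post. The baseline and announcements
below are constructed: documentation prefixes and private-range AS numbers.
A real monitor would read announcements from a route collector and the
baseline from the target's known origin ASes.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # left to right from the observing AS; origin is the last hop


@dataclass(frozen=True)
class Alert:
    kind: str
    prefix: str
    origin_as: int
    detail: str


def check_announcements(baseline, announcements):
    """baseline: {prefix: set of legitimate origin ASes}. Returns a list of Alerts.

    Two patterns are flagged:
    - origin_hijack: the exact monitored prefix announced with a foreign origin;
    - more_specific_hijack: a sub-prefix of a monitored prefix with a foreign
      origin. Longest-prefix match means this route draws the traffic even
      with a long AS path, so it is the more reliable hijack for an attacker.
    A more-specific announced by a legitimate origin is left alone (ordinary
    traffic engineering). A forged path that ends in the legitimate origin AS
    is not caught by an origin check at all; that needs path validation.
    """
    monitored = {ip_network(p): set(asns) for p, asns in baseline.items()}
    alerts = []
    for ann in announcements:
        net = ip_network(ann.prefix)
        origin = ann.as_path[-1]
        for mon, legit in monitored.items():
            if net == mon:
                if origin not in legit:
                    alerts.append(Alert("origin_hijack", ann.prefix, origin,
                                        f"expected origin in {sorted(legit)}"))
            elif net.subnet_of(mon):
                if origin not in legit:
                    alerts.append(Alert("more_specific_hijack", ann.prefix, origin,
                                        f"covers part of {mon}; wins longest match"))
    return alerts


# Constructed baseline: one monitored /24 with a single legitimate origin.
BASELINE = {"203.0.113.0/24": {64500}}

# Constructed announcements as a route collector might see them.
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64496, 64500)),        # legitimate
    Announcement("203.0.113.0/24", (64497, 64511)),        # exact-prefix origin hijack
    Announcement("203.0.113.128/25", (64498, 64499, 64511)),  # more-specific hijack
    Announcement("203.0.113.0/25", (64496, 64500)),        # legitimate traffic engineering
    Announcement("198.51.100.0/24", (64497, 64511)),       # unrelated prefix, ignored
]

if __name__ == "__main__":
    for alert in check_announcements(BASELINE, ANNOUNCEMENTS):
        print(f"{alert.kind}: {alert.prefix} from AS{alert.origin_as} ({alert.detail})")
```

Run as-is, it reports exactly the two hostile announcements and stays quiet about the legitimate /25 and the unrelated prefix. The caveat in the docstring is the important one for the scenario in this post: an attacker who appends the victim’s own AS to a forged path defeats origin checks, so an assessment team relying on this alone could be told the hijack failed when it worked, or vice versa.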
Execution:
We have our recon information, we’ve evaluated our options and created operation plans, and each of our teams has its orders. Now we execute the plan. Let’s assume each team is successful and our target is offline. Now what?
Monitor:
After all the planning, recon and attack execution, we need to do Battle Damage Assessment (BDA) http://en.wikipedia.org/wiki/Battle_damage_assessment. How do we know we were successful? Is the domain up somewhere else? Is the information we’re trying to contain on another domain? Did they change IPs? Did they move to a new ISP? We need to be able to assess our efforts and continue to monitor for any status change. Depending on what we are trying to accomplish, the monitoring could be considered the most important part of the entire process.
I’ve just scratched the surface of what’s involved in taking down a website. The thought of a politician asking the Pentagon why a website with sensitive information hasn’t been forcibly removed is scary. The idea that a relatively new organization like Cyber Command could be orchestrating active attacks around the globe should concern everyone. I hope Cyber Command has smart people who think too much working these issues, and that they realize it’s not as easy as pushing a button and shutting Wikileaks down. Believe it or not, the internet is more complicated than trucks in a series of tubes. I suppose the real challenge is educating the politicians….