Thanks for taking the time to read this. I'm going to keep this as short and concise as possible, but there is a lot of ground to cover. I will endevour to keep my opinions seperate from the facts by getting my opinion out of the way right away, you can skip it if you want and go directly to Section 2. 1.) My Opinion A.) At this point, I believe there are 3 signifigant Iranian sites that need to be dealt with due to their pschological value: 1.) leader.ir 2.) president.ir 3.) gerdab.ir a.) while the content on this site hasn't been updated in some time, the Basij are clearly expending resources keeping it up and running, and it has psychological value. b.) At this moment gerdab appears to be down, it has proven thus far to be extremely resiliant, so I am crossing my fingers it stays the *&^% down. B.) I also believe it is important to keep the government's info-warfare groups and sysadmins and generally smart people tied up fighting this psy-op BS war with us. And I ain't got nothing better to do. So- At the end of this document, I will suggest some non-standard ways to keep these resources loaded. B.) The Iranian government has nearly infinite bandwidth. leader.ir is loading faster than google.com from hosts all over the *&^%ing planet despite being hammered on by thousands of get-flood bots. Therefor, I do not believe that DDoSs from outside Iran are eating the bandwidth of the Protesters. I believe the government is eating that BW, and using it for leader.ir. C.) For reasons I will outline below, thread-starvation ttacks are also not working. D.) B + C = We Need To Be More *&^%ing clever!!! 2.) Facts A.) The page-refresh/get-flood DDoS attacks are not working on these sites (unless they have taken down gerdab, which I doubt, if that site is down, it's probably due to something more clever) 1.) leader, president, and _even_ gerdab are all behind load-balancers. 2.) I believe they are Cisco. a.) If you look closely, you will see that leader.ir has trace on half the time, and not the other half. 3.) This is also preventing thread-pool exhaustion attacks (like slowloris) from working. 4.) Plus, all of the damn page-refreshes are keeping the thread-pool from getting tied up. 5.) The Iranian sysadmins are clever. gerdab.ir was at one point handling 2035 simultaneous low-bw threads from one host, while happily serving up it's terror to another host in under .7 seconds. a.) They have re-compiled. b.) They have optimized. c.) They have withstood quite a pummling for many days now. 3.) Proposed Strategy and Starting-Points A.) Do some good recon. I am attaching a network map of the network at Tehran University where leader.ir lives. IF we look at some of the nodes on the same /24 we see some very *&^%ing interesting @#$%. 1.) 220.127.116.11 appears to be the local branch of Alalam publishing, and do you smell that? It's like in the wall... It smells like sloppy, sloppy code waiting to be fuzzed. 2.) 18.104.22.168 and .77 are running webmail servers. 3.) .76 is a virtual host. 4.) .135 is running *&^%ING Squirrel Mail! 5.) And, oh yeah... The cisco router at 22.214.171.124 has TELNET open. (PS, anyone got a good Farsi dictionary? We don't, and we're looking for one.) root@vmware:~# host -al gerdab.ir ns1.sinet.ir Trying "gerdab.ir" Using domain server: Name: ns1.sinet.ir Address: 126.96.36.199#53 Aliases: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29351 ;; flags: qr aa ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;gerdab.ir. IN AXFR ;; ANSWER SECTION: gerdab.ir. 600 IN SOA ns1.sinet.ir. hostmaster.shdc.sinet.ir. 2009062701 900 600 3600 600 gerdab.ir. 600 IN NS ns1.sinet.ir. gerdab.ir. 600 IN A 188.8.131.52 gerdab.ir. 600 IN MX 10 mail.gerdab.ir. files.gerdab.ir. 600 IN A 184.108.40.206 mail.gerdab.ir. 600 IN A 220.127.116.11 server1.gerdab.ir. 600 IN A 18.104.22.168 www.gerdab.ir. 600 IN A 22.214.171.124 gerdab.ir. 600 IN SOA ns1.sinet.ir. hostmaster.shdc.sinet.ir. 2009062701 900 600 3600 600 Received 258 bytes from 126.96.36.199#53 in 315 ms Are you starting to get the gist? This is War. We need to use some gurilla @#$% here. Old school. CONCLUSION: 1.) Recon, Recon, Recon. Let's start sharing network maps, service-scans, etc. 2.) Go after adjacent hosts, routers, fuzz web-apps, poison DNS, spoof @#$%, SQL injection, brute-force: Use Any MEans Neccessary. 3.) Use whois. Tie up every technical-contact, zone-contact and webmaster's inbox, voice-mail, and fax-line. Use skype. Automate it. $.01 gets a VOIP call to Tehran. A buck gets you 100. $100 can make quite a mess. 4.) Use forums like this one to share information and tactics. This constant whining on twitter re: "I've been begging for days PLEASE TAKE THIS SITE DOWN" is not helping. i5.) As we gather more intelligence, I will make it available in a similar fashion. 5.) The inhumane dictatorship suppressing its people in Iran is using the resources of a modern state to fight this war against its own people. We need to fight them back with more than page-refresh bots and blockable TOR exit-nodes.