1. Anonymous attacks on
Tunisian Government
Haythem EL MIR, CISSP

2. About Presenter
+10 year of security experience
Technical Manager of the National Agency for
computer Security of Tunisia
Head of the Incident Response Team tunCERT
National Cyber Space protection coordinator
Setting-up of Incident Response units
Consultancy and training in Africa

3. Introduction
Computer Emergency Response Team are one of
the main today tool to enhance cyber security.
A CERT have to ensure:
• A centralized coordination for IT security issues
(Trusted Point of Contact)
• Centralized and specialized unit for incident
response.
• Technology and security watch.
• Cyberspace monitoring.
• The expertise to support and assist to quickly recover
from security incidents.
• Awareness of all categories of users.

4. Who are Anonymous?
Anonymous is a decentralized network of
individuals focused on promoting access to
information, free speech, and transparency.
The group has made international headlines by
exposing The Church of Scientology,
supporting anti-corruption movements in many
emerging countries.
Anonymous are considered as a group of
hacktivist, trying to act anonymously to hack
information systems belonging to freedom
enemies.

5. Anonymous favorite targets

6. Tunisian Anonymous
Since the Tunisian operation in January 2011,
Anonymous did not stopped to fascinate young
Tunisian hackers and cyber activist.
Small groups started to be constituted, and may
anonymous initiatives was run to gather all these
groups under the same organization and adopt
the same objectives
Tunisian Anonymous On facebook (About 110k)
{ Elite Attack}
Anonymous TN On facebook (About 20k)
ＡｎｏＮＹｍＯｕｓ On facebook (About 50k)
www.anonymous-tunisia.org
AnonTunisia (Twitter)

7. Tunisian anonymous groups: main objectives
Internet freedom (anti-censorship)
Guarding the revolution objectives
• Fighting the old regime
• Investigating on corruption
• Leaking confidential information
Interfering with politics
• They have their own political ideas
• Fight some special political parties

8. Biggest attacks and breaches

9. Tunisian anonymous groups: in the media

10. The government position
The Minister of ICT announced on the national TV
that the National Information Security Agency and
the Tunisian CERT will be fighting Anonymous: A
declaration of War.
Anonymous reacted by announcing a special
operation against the security Agency
www.ansi.tn on the 28th of April 2012 and
another operation against the government for the
1st of May.

11. The main anonymous attack: dDos

12. The main anonymous attack: dDos
Low Orbit Ion Cannon (loic)
Web Stress Tool.
Can be used in a stand-
alone mode or it can be
synchronized using an IRC
Server.
This software needs to be
installed

13. HOIC: Hight Orbit Ion Cannon

14. The main anonymous attack: dDos
With LOIC, Anonymous succeeded to cause a denial of
service on many servers within few minutes
 Very strange behaviour to be analyzed
Analysis steps
• Log analysis for a DDoSed servers   Surprising
• LOIC traffic analysis
• DoS simulation in lab
• dDos simulation in lab
• Server Analysis
 The default configuration of web servers is the problem
• Developing a new tuning and hardening guide for apache
server to resist to such attacks

15. The main anonymous attack: dDos
TCP Connection: Three way handshake
1
Apache
HTTP sessions: GET HTTP 1.0
2

16. The main anonymous attack: dDos

17. The main anonymous attack: dDos
IRC Server
C&C

18. The main anonymous attack: dDos
Good news: it cannot be used with proxy
Proxy Server

19. The online LOIC: JS LOIC
http://pastehtml.com/
http://f**kati.yolasite.com/
http://anoon.mypressonline.com/

20. IRC communications
#optunisia- Channel Topic: Operation Tunisia | Target: www.ati.tn | Discuss
further actions | English only in channel | DO NOT USE HIVE | Anonymity
http://piratepad.net/ep/pad/view/ro.sEBJTH2Q/latest | www.anonnews.org |
wikileaks.yunicc.org | over9000.splinteredsanity.com | forscherliga-rof.eu |
news.pinky-and-brain.com |
<Greeny> Hey im new what should i do before ddosing ?
<@Ismael> inside Tn --> get on the streets and portest
<GZ3r0> SQL Injection Vulnerability Detection
<GZ3r0> http://www.tn.gov/
<medo> fire 193.95.67.22 port 53 udp
#optunisia- Channel Topic: OperationTunisia | TARGET: 193.95.67.22 port 53
(UDP) | HIVE IS UP: irc.hiddenaces.net:6667 #loic | KEEP FIRING UNTILL
TOPIC SAYS OTHERWISE | Setup GUIDE: herpderp01.byethost7.com | Join
#operationfreedom for more government ass-whooping | ENGLISH ONLY

21. IRC communications
<zargos> how can i do a fire with you
<Mouwaten> please how to fire ?
<VforTunisia> how can I help?
<claude> 4anyone have a tutoriel how to ddos
<lek> how can i join the attack ?
<feh> i wonder how you can deface a website
<mib_idlwgn> wait how do you do 64GB ping?
<C0DeR> how can we enjoy the ddos attack ?
<mib_yjp5ph> how can I change my MAC adress?
<tunisianow> how to learn ddossing ?
I was not only for Hacking
<@Ismael> YOU have to RIOT on the STREETS
<purpleleaves> people in tunisia get out on the streets and protest
<op-Tunisia> pepolle in tunisia attacking in streets now
<@Ismael> tunsians you have to get you asses on the street and end this
<@Ismael> getb the f**k on the streets and RIOT!
<@Ismael> Leave you computers the F**K alone and RIOT on the streets1
<Merovingien>: Some say a DDOS is the same as a street protest

22. IRC communications
<zorro> ansi is not a gov.tn !!!
<zorro> Do not target ansi ; it is not a gov.tn
<zorro> ansi is a media web site
<zorro> To All : be carefull about LOIC ; some versions are infected !!
<zorro> Stock exchange is not Governmental !!
<zorro> Do not target stock exchange
<F_Youth> zorro => are u kidding?
<zorro> But Indonesia would be a good target also LoL
<zorro> No freedom in Indonesia !!
<zorro> Tunisia is a very sunny country
<zorro> DDoS in not efficient at all ; what a lot of energy spent in the wind !!
<zorro> international pressure should go where really people suffer
(palestine, afghanistan, iraq, ...)
<@p2cv> zorro: then stop complaining and invite people to your cause
<zorro> don't miss real causes : poverty, real oppression, lack of education,
lack of health, child explotation
<zorro> wikileaks does NOT provide food for african people
<zorro> with DDoS, u r spending ur energy in the wind !!
<@p2cv> !k zorro
* zorro was kicked by Chuck (Requested (p2cv))

23. The main anonymous attack: dDos
Country IP nb Country IP nb
France 15208
Switzerland 934
United States 8891
Libya 794
Algeria 4762
Japan 738
Germany 3144
Egypt 3115
Spain 717 Total Country Total IP
Argentina 707
Morocco 3028
186 77272
Russia 2874 India 703
Saudi Arabia 2853 Hungary 693 Total number of
Brazil 2387 targets Attacks
Poland 677
Canada 2346
Ukraine 647 44 DoS, DDoS, Defacement
Italy 2023
Taiwan 1917
Netherlands 561
China 1716
United Arab Emirates 554
United Kingdom 1431
Qatar 486
Belgium 1223
Romania 1054 Bulgaria 486

24. The defense strategy
The Tunisian CERT was the main coordinator to handle
these attacks.
Activation of the national reaction plan.
Activation of the crisis mode.
Incident coordination:
• With local IS, Telco, and Critical infrastructures.
• With international partners.
Action taken
• Watching hackers and studying their behavior.
• Anticipating attacks.
• Analyzing Millions of log lines and developing blacklist.
• Sharing blacklist.
• Neutralizing IRC servers.
• Securing and Hardening vulnerable servers.

25. Role of the CERT: National coordination
Inform all stakeholders (ISPs, Telcos, Defense,
National Security, Financial Sector, Energy Sector,
…).
Monitor all critical Web Sites, and inform
companies about any abnormal behavior.
In case of attacks, collect and analyses log files.
Identify the list of IPs participating to the attack,
and develop a temporary black-list.
Continuously update the black-list, until the end of
the attack.

26. Role of the CERT: International coordination
The LOIC was synchronized using 3 different IRC
servers (1 in Russia, 2 In USA).
7 IRC server for communication (Canada, 3
Germany, Netherland, Austria)
 Taking down theses server will end the attack.
Collaboration with FIRST network and
international partners to take down these servers.
International assistance to mitigate the attack
(exchanging list of IPs to filter).

27. Conclusion
Anonymous is not a common group of hacker:
• They are not hackers but they are a huge number of
activist.
• They do not use very sophisticated hacking
techniques.
• They can be assister by hacking groups (LulzSec,
TeamPoison, …) and also local groups.
Facing anonymous attack, can only be done
through coordination.
Anonymous will be one of the main threat for the
next period:
• Their number is increasing.
• They start to be organized.
• They start to learn hacking and recruit hackers.

28. Thank you!