Search Engine Shutoff – Tehran.

Political unrest resulting from the presidential election in Iran has escalated to a internet battle between the Iranian government and activists, according to the BBC and other sources.

In response to the election, supporters of Mir Hossein Mousavi launched distributed denial-of-service (DDoS) attacks against Tehran government websites and used Twitter to encourage others to do the same. Mousavi proponents are challenging the recent presidential election that Mr. Ahmadinejad seems to have won. The use of search engines to find such information had increased sharply but then seems to have been limited by the government.

Specifically, at 3 p.m. eastern standard time on 20th June 2009, political activists initiated DDoS offensives against government websites, using Twitter and Facebook to share sites where users could download tools to participate in the attacks, Ariel Silverstone, an independent security consultant, told SCMagazineUS.com.

Following the initial attacks and Twitter posts, the Iranian government, shut down internet usage in Iran to block citizens’ access to information. For a period of 20 hours the Iranian government shut off internet services it is claimed. At that time Iranian television broadcast only movies, and there were no references to the protests occurring in the streets.

It appears that the internet shutdown was lifted mid-afternoon on Sunday 21st June, but the Iranian government now is reportedly filtering traffic and has blocked certain sites, such as Facebook and the BBC news website. There were a number of reports that Twitter email addresses and Facebook accounts were hacked by what appears to be the Iranian government, although concrete evidence is hard to find.

Once the internet and search engine shutoff was lifted in Iran, more sites proliferated that offered internet sharing tools for download, so others could participate in cyberattacks against Iranian government websites.

Political “hacktivists” have posted instructions on how to execute DDoS attacks against Iranian leadership websites. They are targeting websites of the Iranian government and Iranian news bureaus controlled by the Iranian government, including http://www.leader.ir/; http://president.ir/; http://www.irib.ir/; http://www.iribnews.ir/.

So far, the DDoS attacks against the Iranian government have taken several forms. One of the tools available for download enables users to participate in a “ping flood” attack, in which a huge number of network monitoring packets are sent to a web server, with the intention of causing it to crash. Further to this users can also download a different program that would enable them to participate in a “GET flood” DDoS attack. In this style attack, the downloaded program acts like a web browser and continuously tries to access a web page over and over, making the target web server unable to respond to legitimate requests.

One recent Twitter message read: “Join the information attack (Cyber War) on Ahmadinejad’s government.” The tweet then includes a link to a Google Docs file (accessible via the search engine) with a list of sites that users can click on to participate in a DDoS attack. If users click on one of the listed URLs, their browser refreshes multiple times, the impact on the growing search marketing activities in Iran has been huge with legitimate companies suffering and their internet marketing being hit.