Behind the attack on Malaysia Today

Posted on 27 September 2009. Filed under: Journalism, Media, Tech

‘Malaysia Today’ explains why its site is always down
It’s a massive DDoS attack using lots of computer power

RPK’s latest: Mystery of army officers at Najib’s house
What were they doing there the night of the murders, he asks

A reader, Morning Dew, posting from Australia, believes that Malaysia Today suffered an attack on its server in the US — and, stretching the bounds of possibility, says “it is not inconceivable that Kuala Dimensi” could be behind it. He (she?) points the finger at the Internet providers, the government, and possibly even Kuala Dimensi. Of course, it is also possible that Indonesian hackers did it (but then they would have planted an anti-Malaysia message).

But the reasons are likely to be a combination of the Port Klang Free Zone debacle, the Saiful Bukhari alleged sodomy case, and the Bagan Pinang by-election. The Barisan Nasional names its candidate on Tuesday. Nomination day is Friday. The election is in two weeks’ time. And then there’s always Dr Who, ever-present everywhere.

Malaysia Today readers, see also these posts:

Getting access to Malaysia Today
other ways to read RPK’s postings
http://uppercaise.wordpress.com/2009/09/27/getting-access-to-malaysia-today/

Malaysia Today site not available again
what happened when Malaysia Today was attacked on Friday
http://uppercaise.wordpress.com/2009/09/27/malaysia-today-site-not-available-again/

The secret Cabinet papers
The Cabinet memorandums on the RM12bil Port Klang Free Zone debacle
http://uppercaise.wordpress.com/2009/09/20/proxy-bookmarks-for-malaysia-today/

When I posted Malaysia Today site not available again, I said the error messages “indicate that the server itself was down … Or possibly [under] a massive attack”. And Morning Dew seems to confirm this. His account sounds plausible to a non-techie like me, but I will leave it to technical experts to assess it.

Morning Dew, who seems technically accomplished, also reminds us that the evasive measures I outlined in earlier posts would only be effective against a block by Malaysian authorities.

• Remember, if the site is down, no proxy server can help you get through. The same if the site is under attack from DOS — Denial of Service — or other means.
Set up your browser to use a proxy server

http://uppercaise.wordpress.com/2009/09/27/set-up-your-browser-to-use-a-proxy-server/

Morning Dew’s explanation of what is most likely to have happened, and what Malaysia Today could do in future:

Here in full is Morning Dew’s comment, posted as a lengthy comment to Getting access to Malaysia Today. I thought it deserved to stand by itself.

All the above strategies will only work if it is a blockade instituted by the authorities. What MT is experiencing is actually a denial of service attack. During the first wave of attack I had noted that it wasn’t the blockade and had actually presented what I had found out. Unfortunately the MT team refused to publish my comments and even blocked subsequent comments. The blockade was only working for a short while, and when I bypassed the blockade I noticed the error messages were coming through from MT’s own proxy server. It was either slapped with an injunction or the server was hacked.

Recent inaccessibility has very strange error messages from the proxy. This led me to believe that there was page substitution – one of those man in the middle attacks. Or MT’s proxy had been planted with a backdoor. The hacker can go in and out anytime he/she wants to.

I had also noticed that there were a lot of “reset” messages. This is basic harassment by a man in the middle attack. Such a person can only be there if he/she had access to the gateway. This meant the ISP or the recent centralised security gateway launched by Abdullah Badawi. Every time a message was requested it would just send a reset signal to the server and the server would drop the whole process. This strategy is very simple and a simple script can create a lot of havoc. But one must have access to gateways. This is where the smoking gun can be found. A reset signal was also received when a proxy was used. A lot of proxies don’t encrypt the request so it is in the clear.

How to defeat it? Assuming that the proxy wasn’t violated, some things that could be done:

a. Use distributed database. When yahoo was first attacked it finally decided to distribute its databases all over the world. The databases update each other. When one is attacked others are still around.

b. Use peer-to-peer distribution. Commenting would have to be switched off but at least the messages get through.

c. Use a subscription based service. Denial of service could be thwarted at the login phase. This is not good as what we want is to distribute the messages as widely as possible.

d. Let messages be hosted by as many bloggers as possible – with the appropriate copyrights and attribution notices. Comments would be limited to letter to editor. No running commentary.

e. MT had already suggested RSS. The RSS port and MT IP could be used as criteria to block it as well if the government chooses to do so. Again, distributed database or peer-to-peer distribution would defeat this blockade.

f. Start a PUBLIC newsgroup. The feed will again be from multiple sources.

Some of the suggestions above may look as if they would prevent or reduce the revenue stream of MT but this is false. All ads could be distributed with the main content.

Who are the most likely culprits doing all this? If it is “resetting” of access then the ISPs are involved, or perhaps a tech head inside is involved, probably bribed to do the evil bidding of others. It is not inconceivable that Kuala Dimensi MAY have a hand in it.

If the proxy server of MT had been hacked then it could involve the government or Kuala Dimensi. They could have hired some “dickhead” to do it. The Squid proxy server used by MT is a public domain proxy server and its strengths and weaknesses are well documented.

If it is denial of service, which I believe it is not, then you will require a large number of machines doing it at the same time. The attack can’t be sustained. Who has access to a large number of machines? Government. Or a large number of machines had been infected by a particular virus that just targets the MT server, as was the case with Yahoo some time back.

DOS will also cause the server to send a reset signal when the buffer overflows due to an excessive number of requests. If the MT team were to look at the log they will know if it was DOS by flooding the website or a man in the middle attack was going on.

Just some thoughts. Now don’t shoot the messenger.
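
Morning Dew’s two observations above, the flood of “reset” messages and the suggestion that the server log would show whether it was flooding or a man in the middle, can be turned into a concrete check. The following is an added example written for this post; it is not code from the site, from Morning Dew or from the Squid project. It applies two defender-side heuristics to a packet summary captured at the server: a TCP reset whose IP TTL does not match the other packets from the same claimed sender is a sign the reset was forged somewhere on the path rather than sent by the peer, while a burst of SYNs from many sources that never complete the handshake is the signature of a flood. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and the sample captures are all constructed for the example.

```python
# Added example, not code from the post or from Morning Dew: two heuristics a
# site operator could run over a packet summary captured at the server to tell
# "someone on the path is forging TCP resets" apart from "the server is being
# flooded". The log format, addresses and thresholds are all constructed.
from dataclasses import dataclass

SERVER = "198.51.100.10"  # constructed server address (RFC 5737 documentation range)


@dataclass
class Pkt:
    t: float     # seconds since capture start
    src: str
    dst: str
    flags: str   # tcpdump-style letters: S, SA, A, PA, FA, R
    ttl: int     # IP TTL as it arrived at the capture point


def parse(line: str) -> Pkt:
    """Parse one constructed summary line: '<t> <src> > <dst> flags=<F> ttl=<N>'."""
    t, src, _, dst, flags, ttl = line.split()
    return Pkt(float(t), src, dst, flags.split("=", 1)[1], int(ttl.split("=", 1)[1]))


def injected_resets(pkts, slack=2):
    """RST segments whose TTL disagrees with earlier packets from the same
    claimed sender. A host's TTL on one flow is stable; a RST forged at a
    gateway travels a different number of hops, so its TTL usually differs.
    Returns (src, dst, rst_ttl, usual_ttl) tuples."""
    usual = {}
    hits = []
    for p in pkts:
        key = (p.src, p.dst)
        if "R" in p.flags:
            if key in usual and abs(p.ttl - usual[key]) > slack:
                hits.append((p.src, p.dst, p.ttl, usual[key]))
        else:
            usual.setdefault(key, p.ttl)
    return hits


def syn_flood(pkts, window=1.0, min_syns=20, max_completion=0.2):
    """True if within any window the server sees at least min_syns SYNs and
    fewer than max_completion of those senders ever finish the handshake."""
    syns = [p for p in pkts if p.dst == SERVER and p.flags == "S"]
    completed = {p.src for p in pkts if p.dst == SERVER and p.flags == "A"}
    for i, first in enumerate(syns):
        burst = [s for s in syns[i:] if s.t - first.t <= window]
        if len(burst) >= min_syns:
            done = sum(1 for s in burst if s.src in completed)
            if done / len(burst) < max_completion:
                return True
    return False


def classify(lines):
    """Label a capture as reset-injection, syn-flood or normal."""
    pkts = [parse(l) for l in lines if l.strip()]
    if injected_resets(pkts):
        return "reset-injection"
    if syn_flood(pkts):
        return "syn-flood"
    return "normal"


# Constructed captures: a normal fetch, the same fetch cut off by a forged RST
# (note the TTL jump from 52 to 61), and a SYN flood from 30 sources.
NORMAL = """
0.000 203.0.113.5 > 198.51.100.10 flags=S ttl=52
0.012 198.51.100.10 > 203.0.113.5 flags=SA ttl=64
0.090 203.0.113.5 > 198.51.100.10 flags=A ttl=52
0.091 203.0.113.5 > 198.51.100.10 flags=PA ttl=52
0.300 198.51.100.10 > 203.0.113.5 flags=PA ttl=64
0.400 203.0.113.5 > 198.51.100.10 flags=FA ttl=52
""".strip().splitlines()

INJECTED = NORMAL[:4] + ["0.093 203.0.113.5 > 198.51.100.10 flags=R ttl=61"]

FLOOD = [f"{i * 0.015:.3f} 203.0.113.{i + 1} > 198.51.100.10 flags=S ttl={40 + i % 7}"
         for i in range(30)]
# An overloaded server answering one SYN and then resetting it itself keeps a
# consistent TTL, so its own resets are not mistaken for injected ones.
FLOOD += ["0.100 198.51.100.10 > 203.0.113.2 flags=SA ttl=64",
          "0.480 198.51.100.10 > 203.0.113.2 flags=R ttl=64"]

if __name__ == "__main__":
    for name, cap in (("normal", NORMAL), ("injected", INJECTED), ("flood", FLOOD)):
        print(name, "->", classify(cap))
```

The TTL check only works on a capture taken at (or very near) the server, where the peer’s TTL is stable per flow; a reset the server sends itself under load, the case Morning Dew mentions last, carries the server’s own TTL and is deliberately not flagged.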

Updated:2009-09-29:01:56MYT
sha1sum:96b72fedac68ad669d0223a2a0967af3478d7cc9
Original version
sha1sum:22a6b80813c571939ad791b56b4f3bb1409582c1

Presented in service of keeping alive free speech and a free press in Malaysia

8 Responses to “Behind the attack on Malaysia Today”


Where is press freedom and freedom of speech? Facts are facts and there is no denying the real truths. Why must Malaysia Today be attacked and prevented from public view? There is nothing to hide from the citizens of the nation, who ought to know the goings-on in and around the country. Why is the government so scared about Malaysia Today? Isn’t this a democratic country which lives up to its slogan of ‘One Malaysia - Rakyat Dahulu’?
Malaysia Boleh.

Yeah, that makes sense. I could stash other documents somewhere because the end access server had the same problem of error 101 – meaning your connection to the destination server has been masked. This could only be done by a hantu who has friends everywhere. MT was not totally blocked but access was intermittent. Maybe Dr No was not very pleased. Even the Wichita lineman caught the saliva spray.


I access the site (after attempting in other places) via proxylord.com. (local Malaysian Time: 13:24 hrs)

Just to add a bit to what I had said previously. Open proxies don’t encrypt the URL or content. They basically use base64, which is just a simple encoding – but to most people it looks like encryption. It is not. Some provide simple ROT13 encoding, which basically means that you rotate the alphabet, so that A will be replaced by M, the 13th letter from A. A to Z is in a circle. This again is encoding and not encryption.

There are some proxies, very rare, that use https. That is point to point (proxy server) encryption and would be safe. I had found 2 a few years back but have not found any in recent days – unless you are willing to pay for it.
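
The point of the comment above is that base64 and ROT13 hide nothing from anyone who can see the traffic, because neither needs a key to undo. The following is an added example, not code from the post, from the commenter or from any proxy project: it models what an observer at a gateway can read from a single plaintext request line to an open web proxy, trying percent-encoding, base64 and ROT13 in turn and recovering the destination whenever one of them fits. The `browse.php?u=` request shape, the proxy hostnames and the destination URL are constructed for the example; the final CONNECT line stands in for the https case, where the request line itself travels inside TLS and only the connection to the proxy host is visible.

```python
# Added example, not code from the post or from the commenter: what an observer
# at the gateway can read from one plaintext request to an open web proxy when
# the destination is only encoded (percent-encoding, base64, ROT13) rather than
# encrypted. The proxy request format, hostnames and URLs are all constructed.
import base64
import codecs
from urllib.parse import quote, unquote


def _is_url(s: str) -> bool:
    return s.startswith(("http://", "https://"))


def decode_proxy_param(value: str):
    """Undo the keyless obfuscations open proxies commonly apply to the target
    parameter. Each candidate is tried in turn; None means nothing fit."""
    candidates = [unquote(value)]                     # percent-encoding
    try:                                              # base64 (strict alphabet)
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass
    candidates.append(codecs.decode(value, "rot13"))  # ROT13 touches letters only
    return next((c for c in candidates if _is_url(c)), None)


def gateway_view(request_line: str) -> dict:
    """What an on-path observer learns from a request line sent in the clear to
    a proxy. The query is split by hand so a base64 '+' is not turned into a space."""
    method, request_target, _version = request_line.split()
    path, _, query = request_target.partition("?")
    params = dict(item.partition("=")[::2] for item in query.split("&") if item)
    target = decode_proxy_param(params["u"]) if "u" in params else None
    return {"method": method, "path": path, "target": target}


# Constructed requests for the same destination through a constructed proxy.
TARGET = "http://news.example.net/latest"
PLAIN_REQ = f"GET /browse.php?u={quote(TARGET, safe='')}&b=0 HTTP/1.1"
B64_REQ = f"GET /browse.php?u={base64.b64encode(TARGET.encode()).decode()}&b=4 HTTP/1.1"
ROT_REQ = f"GET /browse.php?u={codecs.encode(TARGET, 'rot13')}&b=13 HTTP/1.1"
# With a proxy reached over https the GET line above travels inside TLS; a
# passive observer sees only the connection to the proxy host, modelled here
# as the tunnel request an HTTP client sends to open it.
TUNNEL_REQ = "CONNECT secure-proxy.example.net:443 HTTP/1.1"

if __name__ == "__main__":
    for req in (PLAIN_REQ, B64_REQ, ROT_REQ, TUNNEL_REQ):
        print(gateway_view(req))
```

All three plaintext forms yield the same destination with no secret involved, which is the difference between encoding and encryption the commenter is drawing; only the tunnelled request leaves the observer with the proxy’s name and nothing else.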
