I'm not sure if Anon fully understands the level of infrastructure and the level of preparation Facebook has... They'll need to come up with something a lot more compelling than a bunch of guys at home with LOIC.
This attack is scheduled to come soon after anon switches from LOIC to a "new cannon" dubbed #RefRef (http://anonops.blogspot.com/2011/08/new-hacking-tools-by-ano...). They're probably way overconfident in their abilities (#RefRef's description is thoroughly unconvincing), but at least they don't think they're going to DDoS one of the best-prepared sites in the world, AFTER telling them exactly what day the attack will occur on.
So if we assume these people have any idea what they're talking about, it's some kind of SQLi attack... presumably mySQL? I wonder at what point it'll occur to them that Facebook mostly serves data from memcached.
Uh... did I get something wrong here? A correction or something would be nice.
"RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection."
"The tool is very effective, a 17-seconds attack from a single machine resulting in a 42-minute outage on Pastebin yesterday. As expected, the Pastebin admins weren't very happy with their platform being used for such tests and tweeted 'Please do not test your software on us again.'"
"The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit."
first of all, there's no javascript "engine" on most websites. and every major vendor of SQL databases has it's own, so good luck in finding a vulnerability that works with MSSQL/Oracle/Mysql/Postgresql.
also, even if you manage to store a .js file in a temp directory (which would be handled by the web server, btw. nothing to do with sql/js) it's usually a very locked down directory (you can't even execute from /tmp by default in most GNU/Linux servers)
even so, you would still need to execute that .js file (and how? most servers can't run javascript)
I'm not saying this tool doesn't exist, but I'm pretty sure that's not how it works
i think you're getting downvoted because anonymous has proven many times in the past that at least the people "in charge" (as much as you can call it that) definitely know what they're talking about and are possibly comprised of security experts.
if this is in fact anonymous. i'm not convinced, too big a target for them to have so little fanfare/flair.
No way, you tell them you're attacking on Thursday night/Friday morning at midnight. Then do a headfake, a completely impotent showing, but keep at it for at least three hours. Then let it fall apart as users drift off.
Then, around eight am, when the US gets to work, and anyone at Facebook who took you seriously is sleeping in after the late night? Then. That's when you pull out the big guns.
I wonder which hour of the day is their busiest... That would be my true target time.
they just haven't even done anything novel. Why should we expect them to now? Facebook is very unlikely to have the usual slough of easy sql injections.
I am quite sure that someone good could find attacks against facebook. I am dubious that anonymous can.
There are many levels of intrusion. I give Anon enough credit that they might be able to cause some mayhem, maybe even some real harm. Maybe they'll take down Facebook Chat (to the great ambivalence of everyone)... but to 0wn/DDoS the main Facebook site altogether? I dunno...
It's like, I may be able to find some way to force all the toilets at CIA Headquarters to back up. That's not the same thing as compromising their spies' identities. Not all exploits are equal.
I am aware of what "attack surface" means and stand by my claim that anonymous, having done nothing novel so far, will not find attacks against facebook.
There is no way to tell if someone is credibly "within the Anonymous subculture" and "Anonymous" "releases" conflicting "press releases" with some regularity. There is no organization to "Anonymous", it's just an MSM-manufactured boogeyman to represent any teenager and/or groups of teenagers which knows how to send a lot of requests to a website simultaneously. samstave is also correct that those in power relish this since it gives them a lot of latitude to scare the commoners and get better tracing tools in place.
Sure it does. No true scotsman breaks down to a claim that some group has some Trait, then claiming that because some individual does not share the Trait they are by definition out of the group. I guess sometimes it's valid, but not here. Anon hasn't shown itself capable of an attack like this and if you look at the attacks by anon on scientology you'll be left wondering they were able to form a group identitiy with their fringe (core?) As it is.
Palish might be right that this doesn't sound like its from any of the main group.
Best of luck, Anon!
I'm not sure if Anon fully understands the level of infrastructure and the level of preparation Facebook has... They'll need to come up with something a lot more compelling than a bunch of guys at home with LOIC.