Links about th3j35t3r

The Jester is a hacktivist who uses a secret "XerXes" DoS attack tool he made which uses incomplete requests, and is apparently similar to SlowLoris. Like SlowLoris, this attack can take down vulnerable servers from a single attack point and can avoid collateral damage to intermediate devices.

Update: Wikileaks Attack 11-28-10

Today the Jester targeted Wikileaks and took it down for a few hours, by my estimate. He also proved that he was the real attacker, because he announced on Twitter that he would let it back up in 3 minutes, and I was able to reconnect to it within about 6 minutes. Then he took it down again.

I seem to have better information than any news articles I have seen about it. This is not a DDoS. It's a single attacker, sent through Tor or some similar anonymizer, if it's the same Xerxes tool the Jester demonstrated in the video linked below.

The Jester frequents #jester. I have gone there twice to try to do some good, but I haven't found any way to make things better. The Jester is not willing to release his tool or discuss it in any detail. It seems to be a layer 7 attack using a variety of incomplete requests, like SlowLoris.

Regardless of your political position about Wikileaks, I think it is outrageous that a single attacker can just shut sites down at will. We need better defenses against Layer 7 DoS!

I also think the Jester won't be around much longer. He seems to be on they typical gunslinger's path of self-destruction, pulling larger and larger stunts as a challenge to the world. And when I have tried to bring these things up in the IRC room, all I get is macho posturing and slogans, people bragging about how powerful their attacks are.

Pulling off so many high-profile attacks, and also engaging in social networking like Twitter and IRC, is self-contradictory. The Jester is vulnerable to social engineering attacks. I'm sorry to see a train-wreck in progress.

I can't make the Jester stop attacking sites, but we should be able to defend them from such attacks. Unfortunately, I don't see anything stopping layer 7 DoS attacks effectively at present.

4chan took down a lot of sites recently with DDoS, and no one seems able to stop the Jester's attacks. Hopefully Wikileaks or Amazon (who hosted Wikileaks during the attack) will post their packet logs so security researchers can analyze the attacks and try to prepare countermeasures.


4chan Users Organize Surgical Strike Against MPAA

Excellent OWASP presentation explaining Layer 7 DoS


Background on the Jester from January

The Jester's Twitter Feed

The Jester's Blog

2-11-2010: Jester Unveils XerXeS Automated DoS Attack

2-22-2010: Exclusive Video of XerXeS DoS Attack

3-11-2010: Hacker Releases Second Video of Enhanced XerXeS DoS Attack on Apache Vulnerability

Hijacking Web 2.0 Sites with SSLstrip and SlowLoris -- Sam Bowne and RSnake at Defcon 17

Slowloris HTTP DoS