The FBI raided a Dallas-based server farm and seized servers used in the distributed denial-of-service attack against PayPal earlier this month, according to an affidavit obtained by the Smoking Gun Website.
Federal agents are looking for clues as to the identity of the hackers who orchestrated the DDoS attack on PayPal, according to the affidavit. It is unclear whether the raids were successful in that regard.
The FBI began its investigation shortly after the Anonymous group of Internet activists launched DDoS attacks against PayPal and other financial and technical service companies for cutting off support to the WikiLeaks site after it published thousands of secret U.S. state department cables.
The PayPal blog was offline for a few hours as part of the DDoS campaign the Anonymous group called "Operation Payback." Volunteers were encouraged to download a point-and-click DDoS tool to attack PayPal and other targets, including Visa, MasterCard, Bank of America (earlier this week) and a Swiss bank that froze WikiLeaks founder Julian Assange's accounts.
FBI investigators believe that some volunteers used botnets of compromised machines to launch a more potent assault, according to the affidavit.
"Vigilante DDoS, a bunch of kids getting together and running a software," is not a particularly powerful attack because there is not enough volume, Jason Hoffman, of Joyent, told eWEEK. Attackers would have needed 5 million to 15 million people all on high broadband connections to "be effective," he said.
PayPal provided FBI agents with eight IP addresses of servers that were used to run IRC chat servers associated with planning the Operation Payback attacks, according to the affidavit. Investigators believed the same systems were used as command and control hubs for botnets used during the DDoS attacks.
According to the affidavit, "multiple, severe DDoS attacks" had been launched against PayPal, which amount to felony violations of a federal law covering the "unauthorized and knowing transmission of code or commands resulting in intentional damage to a protected computer system."
One IP address was traced to Host Europe, a Germany-based Internet service provider. The server in question turned out to belong to a man from Herrlisheim, France, but the root-level access to the machine appeared to be from a remote user with administrator access, said the affidavit. The log files indicate the commands to execute the attack came from a remote address, which led investigators to hosting firm Tailor Made Services in Dallas.
Investigators believe the command to launch the attack was made on Tailor Made Services systems and relayed to a server in Germany to hide its origin.
A pair of log entries on the compromised Host Europe machine contained the same message: "Good_night,_paypal_Sweet_dreams_from_AnonOPs," according to a sworn statement from FBI agent Allyn Lynd.
Agents raided Tailor Made Services on Dec. 16 after getting a search warrant based on the affidavit. Agents copied two hard drives from the targeted server during this raid, according to Smoking Gun. There is currently no information available about what was found on the drives.
Another IP address associated with the attacks was traced to a Canadian ISP in British Columbia, which was actually a virtual server physically hosted at California-based "co-location" firm Hurricane Electric. There is no information as to whether the company had been raided by agents at this time.