Anonymous Sharing DDoS Tool in Preparations for Upcoming Campaigns

Anonymous (OpIsrael): Last night members of Anonymous began sharing a DDoS tool online again, encouraging other members to set it up on their devices and directing them on its use. The tool being shared was the Saphyra DDoS tool, which has been around since 2016. Saphyra is somewhat unusual in that it targets layer 7 (the application layer) and results in an HTTP flood on the target. Saphyra contains 3,200 unique user agent strings and more than 300 unique referrer field strings. This means that there are more than one million possible combinations of user agent string/referrer instances. The use of these unique requests allows Saphyra to avoid caching engines and increases the likelihood of success for the attack. When the tool was last analyzed, it was believed that it was connected to a network of approximately 1.8 billion bots. The last time that Saphyra was seen in heavy use was during a significant attack on NASA in 2016.
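The header rotation described above leaves a trace in web access logs: one client address presenting many different User-Agent and Referer values within a short window. The following detection sketch is an added example, not part of the original post or of any vendor tooling; the function names, the 60-second window, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    """Return (ip, timestamp, referer, user_agent), or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["ref"], m["ua"]

def flag_rotating_clients(lines, window=timedelta(seconds=60),
                          min_requests=5, min_distinct_uas=4):
    """Map each flagged IP to (requests, distinct UAs, distinct referers) for the
    sliding window in which it presented the most distinct User-Agent values."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            uas = {ua for _, _, ua in span}
            refs = {ref for _, ref, _ in span}
            if (len(span) >= min_requests and len(uas) >= min_distinct_uas
                    and len(uas) > flagged.get(ip, (0, 0, 0))[1]):
                flagged[ip] = (len(span), len(uas), len(refs))
    return flagged

def sample_log():
    # Constructed sample: 203.0.113.7 changes both headers on every request,
    # 198.51.100.4 behaves like one ordinary browser.
    out = []
    for i in range(6):
        t = f"[01/Apr/2024:10:00:{i:02d} +0000]"
        out.append(f'203.0.113.7 - - {t} "GET / HTTP/1.1" 200 512 "http://ref{i}.example/" "Agent/{i}.0"')
        out.append(f'198.51.100.4 - - {t} "GET / HTTP/1.1" 200 512 "https://site.example/" "Mozilla/5.0 (X11; Linux x86_64)"')
    return out
```

Addresses that front many real users, such as carrier NAT or corporate proxies, also show several User-Agent values, so the thresholds need tuning against a baseline of normal traffic before the output is used for blocking.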

Analyst Notes

While the tool was not tied to any specific upcoming actions, it is likely that this is another move by members of Anonymous to prepare for this year’s much-anticipated phase of the OpIsrael campaign, which is fast approaching.