We've been getting hit with a very odd scan/DDoS coming entirely from TOR. It wasn't doing much against us; at its best it was using .5 of a single core on our server (we have 32 cores). Once our DoS scripts detected it and notified me, I set up a block on the traffic pattern. After some discussion in IRC, lattera pointed out that hack3r.com has been hit by a similar attack that has been holding them down since Monday, June 17th. Not sure if these attacks are related at all or not, but I felt I should discuss what I know about the attack on their site.
Unlike our attacks, their attack was claimed by @antisecdotnet. This was posted to anonops: http://pastebin.com/dFHM4CNV
I'm not sure how hack3r is being held down by a single TOR node, but it would appear they have their apache grossly misconfigured. Rumor is that ocyrus took down the search functionality in hopes of keeping the site up, but it hasn't done much to help, as every time I try to reach the site it appears to be down.
Here is a sample of one of the requests that originally downed the site:
GET /search/node/is/hacking1944 HTTP/1.1\r\n
TE: deflate,gzip;q=0.3\r\n
Host: www.hack3r.com
Referer: http://www.google.com
User Agent: TANGO DOWN FAGGOTS @antisecdotnet
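As an added, defender-side illustration of the kind of scripted detection mentioned above (written for this post; not the author's scripts and not hack3r's code), the snippet below parses a few constructed Apache combined-log lines modelled on the request shown and flags clients that either carry the claimed tag in their User-Agent or hit the Drupal search path far more often than a browsing user would. The IPs, timestamps, log lines and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-log lines modelled on the request shown above.
# IPs, timestamps and most paths are made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2013:10:00:01 +0000] "GET /search/node/is/hacking1944 HTTP/1.1" 200 5120 "http://www.google.com" "TANGO DOWN @antisecdotnet"
10.0.0.5 - - [18/Jun/2013:10:00:01 +0000] "GET /search/node/is/hacking1945 HTTP/1.1" 200 5120 "http://www.google.com" "TANGO DOWN @antisecdotnet"
10.0.0.5 - - [18/Jun/2013:10:00:02 +0000] "GET /search/node/is/hacking1946 HTTP/1.1" 200 5120 "http://www.google.com" "TANGO DOWN @antisecdotnet"
192.0.2.7 - - [18/Jun/2013:10:00:02 +0000] "GET /node/12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Jun/2013:10:00:03 +0000] "GET /search/node/drupal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical thresholds: a client hitting the site search this often inside one
# log window is far outside what a person browsing the site would produce.
SEARCH_PATH = "/search/node/"
SEARCH_RATE_LIMIT = 2
UA_MARKERS = ("@antisecdotnet",)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspects(log_text, rate_limit=SEARCH_RATE_LIMIT):
    """Return {ip: [reasons]} for clients that match the flood pattern."""
    search_hits = Counter()
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if any(marker in rec["ua"].lower() for marker in UA_MARKERS):
            reasons[rec["ip"]].add("tagged-user-agent")
        if rec["path"].startswith(SEARCH_PATH):
            search_hits[rec["ip"]] += 1
    for ip, n in search_hits.items():
        if n > rate_limit:
            reasons[ip].add("search-flood")
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in find_suspects(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

The output of `find_suspects` is what a notification or firewall-block step would consume; the User-Agent match alone is brittle, since the tag can be changed at will, so the rate check on the expensive search path is the more durable of the two signals.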
I am interested in how a layer 7 apache DoS like this was so effective against h3c but I'm not very involved with that group anymore. It does seem like DoS is becoming more and more the attack of choice for most malicious groups in the hacking community. I find this rather unfortunate as I really miss the days of 0day attacks and mass exfiltration. Nothing is better for a blackhat group than stealing data, backdooring servers, and then being able to completely have a laugh at the owned group's expense.