I explained last month in LOIC Exposes Attackers that the Anonymous attack tool of choice was not anonymous — it does not hide the IP address of attackers.

Now an affidavit on the Smoking Gun shows how the FBI and German Federal Criminal Police (BKA) are using logs to track down the IRC servers that initiated the attack on PayPal.

Log files showed that the commands to execute the DDoS on PayPal actually came from IP address 72.9.153.42. Below are the log entries from the server as provided by the BKA…Based on my experience and training, I know that companies providing co-location facilities do not always label or externally identify the computer servers at their facilities with their IP address. Therefore, as part of the process of identifying the computer system that I seek to search, I may be forced to check each system belonging to the target customer until I have determined that it is the computer to be searched.

I find it hard to believe that the agent would rely on an external label even if one existed on the equipment. It is even stranger to hear the absence of labels used as a reason to widen the scope of a search. The affidavit copy ends with an ominous half-sentence:

This check may involve a check of the network traffic emanating from each system or, in the worst case scenario, the

…network traffic emanating from every system in the company? Is that like a warrant to install surveillance on an apartment that includes the caveat that the entire city might have to be tapped? Where is page 6?