Hacker toolkits attracting volunteers to defend WikiLeaks

Low Orbit Ion Cannon

There has been a lot of talk about the attacks coordinated by AnonOps, a group of internet vigilantes, which decided to fight back against payment processing companies suspending accounts used to donate to Wikileaks and its founder Julian Assange.

The attacks are coordinated through the AnonOps webpages, IRC server infrastructure as well as several Twitter accounts. The operation of the voluntary botnet is very simple but it seems to be quite effective.

Yesterday, Twitter decided to shut down some of the Twitter accounts inviting users to join the attacks. However, the attack on the main VISA website after the attacks on Mastercard, PayPal and Swiss Bank Post Finance was successfully launched.

Following these initial attacks, which seriously influenced the operation of the sites under attack, another attack on Mastercard Securecode card verification program was launched. This attack seriously affected payment service providers and the financial damage for Mastercard still needs to be determined.

Immediately after the AnonOps attacks on the payment processing companies started, a retaliation DDoS attack on AnonOps hosting infrastructure has been launched. Their main site anonops.net is unresponsive at the time of writing this post.

It looks like there is an outright war going on. However, contrary to many discussions following the discovery of Stuxnet, the sides in the conflict are not sovereign states but groups of internet users spread around the globe proving that warfare on internet brings out a whole new dimension to the term.

Participation in DDoS attacks is illegal in many countries and users accepting the invite by AnonOps are under a serious risk of litigation. Many people believe that privacy on the internet can be somewhat protected, but beware, the source IP addresses of attackers, which will inevitably end up in the target’s website log files, can easily be matched with user’s accounts if ISPs decide to cooperate with the law enforcement agencies.

The workflow of an AnonOps attack is quite simple:

  1. Visit the AnonOps website to find out about the next target
  2. Decide you are willing to participate
  3. Download the required DDoS tool – LOIC
  4. Configure LOIC in Hive Mind mode to connect to an IRC server
  5. The attack starts simultaneously, when the nodes in the voluntary botnet receive the command from the IRC server

Since the principle of the operation is already well known I wanted to take a look at the main weapon used to conduct DDoS attacks – LOIC (Low Orbit Ion Cannon). LOIC is an open source tool, written in C# and the project is hosted on the major open source online repositories – Github and Sourceforge.

The main purpose of the tool, allegedly, is to conduct stress tests of the web applications, so that the developers can see how a web application behaves under a heavier load. Of course, a stress application, which could be classified as a legitimate tool, can also be used in a DDoS attack.

LOIC main component is a HTTP flooder module which is configured through the main application window. The user can specify several parameters such as host name, IP address and port as well as the URL which will be targeted. The URL can also be pseudo-randomly generated. This feature can be used to evade the attack detection by the target’s intrusion prevention systems.

The Hive Mind option is responsible for connecting to the IRC server used for attack coordination. Using the Hive Mind mode, AnonOps can launch attacks on any site, not just the one you voluntarily agreed to target.

The connection uses a standard HTTP GET request with a configurable timeout and a delay between the attempted connections. Most of the web servers will have a configurable limit on the number of connections they accept and when that limit is reached the server will stop serving all following request which has the same effect as the server being offline.

The IRC communication protocol is implemented using the free C# IRC library SmartIRC4Net.

There is a Java version of the tool – JavaLoic, which uses a Twitter account as the command and control channel. However, the Java version is much easier to detect using intrusion prevention systems as the attack uses fragmented HTTP requests forming a static string “hihihihihihihihihihihihihihihihihihihihihihi”.

Sophos products have been detecting LOIC as a potentially unwanted application since 14 February 2008.

There is no doubt that a lot more will happen in this conflict built around the support for WikiLeaks and a lot more will be said about it. Make sure you visit Naked Security and the Sophos Facebook page to learn all about the future developments.