Wikileaks DOS Attack Tool: Not Anonymous
The software used by the pro-Wikileaks group “Anonymous” to attack visa.com and other websites is known as “Low Orbit Ion Cannon” or LOIC; it was originally a stress-testing program designed to test how websites perform under high traffic loads. LOIC has since morphed into a DDoS attack tool that can form a “botnet” with other systems running the software.
Yesterday researchers at the University of Twente in the Netherlands released an analysis of the LOIC software used by Anonymous, showing that it’s anything but anonymous. In fact, they compare using LOIC to sending hate mail with a real return address on the envelope.
For a number of days the websites of MasterCard, Visa, PayPal and others have been attacked by a group of WikiLeaks supporters (hacktivists). Although the group calls itself “Anonymous”, researchers at the DACS group of the University of Twente (UT), the Netherlands, discovered that these hacktivists are easily traceable, and therefore anything but anonymous.
In this report we present an analysis of the two versions of the tool named LOIC (Low Orbit Ion Cannon), which is used by the hacktivists to perform their attacks. The main conclusion is that the attacks generated by the tool are relatively simple and unveil the identity of the attacker. Therefore, the name of this hacktivists group, “Anonymous Operation”, is misleading: the hacktivists’ original IP address is shown in clear.
If hacktivists use this tool directly from their own computers, instead of via anonymization networks such as Tor, the real Internet address of the attacker is included in every Internet message being transmitted, therefore making it easy to trace back. We also found that these tools do not employ sophisticated techniques, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems. The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address on the back of the envelope.
In addition, hacktivists may not be aware that international data retention laws require that commercial Internet providers store data regarding Internet usage for at least 6 months. This means that hacktivists can still be traced easily after the attacks are over.
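The traceability point the report makes (no spoofing, no reflection, so every request carries the sender's real source address) is exactly what lets a site operator attribute a flood from ordinary web server logs. The following is an added example, not code from the post or from the UT researchers: it parses constructed Apache-style access-log lines and returns the source addresses whose request rate exceeds a threshold within a sliding window; the addresses, timestamps, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log prefix: source IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def flood_sources(lines, window_seconds=10, threshold=20):
    """Map each source IP that sends more than `threshold` requests inside any
    sliding window of `window_seconds` to its peak count in such a window."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # skip corrupted lines instead of aborting the whole scan
            per_ip[parsed[0]].append(parsed[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, ts):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

def constructed_log():
    """Constructed sample (RFC 5737 documentation addresses): one ordinary
    visitor, one source sending 10 requests/second, one corrupted line."""
    base = datetime(2010, 12, 9, 14, 0, 0, tzinfo=timezone.utc)
    lines = [_line("198.51.100.20", base + timedelta(seconds=12 * i)) for i in range(5)]
    lines += [_line("203.0.113.7", base + timedelta(seconds=i // 10)) for i in range(60)]
    lines.append("corrupted log line")
    return lines

if __name__ == "__main__":
    print(flood_sources(constructed_log()))  # {'203.0.113.7': 60}
```

The same per-source counting applies to firewall or flow logs; the report's point is that, absent Tor or another anonymizer, the address recorded there is the sender's own.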
Here’s the full report (PDF).