

Anonymous' new weapon - nickolai
http://www.h-online.com/security/news/item/Anonymous-s-new-weapon-1418337.html

======
zemo
what a sad attack. A browser will only issue six simultaneous http requests
per domain, so you have a per-user concurrency ceiling of six. The only thing
they're proving is that the DOJ website was built by disinterested consultants
and doesn't handle a large number of concurrent users. Bravo. What a
revelation. You could probably say the same about most websites on the
Internet.

This type of behavior isn't insignificant; it's dangerous. The fact of the
matter is that most people have no idea what programmers are capable of, and
what makes one attack sophisticated and dangerous or another one benign. These
high-visibility, low-value attacks do absolutely no damage to "the
establishment". On the contrary, the visibility of the attacks makes this type
of behavior doublespeak fodder.

 _Computer hackers broke into government computers last night, disabling
government communication. What can hackers do to your Facebook profile? Does
your child have a Facebook profile, and are they safe? Tune in at ten and find
out how you can protect your children._

Etc. All closing civilizations invoke a powerful and unseen enemy. What is
more powerful and unseen than The Internet? We must be careful, as a
collective, to draw the line in how we protest. "terrorists" were the last
great invisible enemy, but people are getting tired of hearing about
"terrorists". They're just not scary like they used to be. Will "hackers" be
the next great invisible enemy? Why not? Everyone has a computer; a little
fright center in their living room, or held up to their head. We get up in
arms about location tracking in iPhones, but:

 _Law enforcement officials say that the tracking technology was put in there
to help locate lost children or assist in the pursuit of known criminals. But
now, officials say, computer hackers have found a way to get to this
information, tracking you wherever you go. What information is your phone
sending that you can't afford not to know about? Find out at ten._

There's a right way and a wrong way to defend Net Neutrality. This is not the
right way.

------
jimfl
One interesting side effect of this tactic is that actual LOIC users may now
have some plausible deniability, as they can claim they were duped into
participation.

~~~
bradleyland
I did some Googling but was unable to find a lot of technical detail on the
type of attack executed by LOIC. A quick glance at the source code on Github
shows the capability for HTTP flooding, but the Wikipedia page mentions a TCP
flood. I'm not sure whether it's capable of both, or which is used more in
practice.

In any event, the traffic from a web browser is going to look different from
traffic generated by LOIC. A web browser is a very high-level tool with lots
of constraints to keep web pages from doing "bad things". These constraints
would make it pretty easy to profile traffic from web browsers vs LOIC.
Granted, LOIC could mimic these constraints, but that would significantly
diminish its operating capabilities.

The whole conversation surrounding LOIC and this new web based tool is full of
bad information and misunderstandings.

~~~
WA
LOIC is a simple tool which executes a SYN flooding attack. I wonder why this
wasn't mentioned here in the comments yet.

It works like this: Your computer asks to open a TCP connection by sending a
SYN packet to the server. The server responds with SYN/ACK. Your computer is
expected to send ACK to complete the 3-way handshake and to establish the
connection. Except that, in this attack, your computer never sends ACK.

The server usually reserves a few resources to maintain that half-open
connection, such as a socket and a thread that waits for the connection to
finish.

If enough people do this, the server runs out of resources rather quickly and
it's practically impossible to block it without a server farm. Even if a
firewall script prevents the server from crashing by limiting the number of
open (half-open) connections, by blocking attacking IP addresses and by
reducing their timeout, it can't distinguish between legitimate traffic and
DoS traffic.

So, given that a single computer easily pumps out several hundred or even
thousand requests per second, the amount of traffic quickly grows when many
users are involved.

By the way, with a single computer, it is more or less impossible to take down
a server with only SYN flooding, as your computer requires more or less the
same computational power to establish the connection and most servers have
more RAM and a bigger connection to the internet.

It really gets messy when you use encryption, where the server has to do more
computational work than a client. Then you can easily DoS a server from a
single computer. However, this is NOT done with the LOIC, but there was a tool
recently that performs this kind of attack against, I forgot, I think Apache
with a vulnerable OpenSSL version.

So, this whole attack is on OSI layer 4 and is indeed a TCP-based attack. HTTP
traffic is on layer 5+ and it's not possible to achieve half-open TCP
connections with a browser.

Nevertheless, a DoS is still possible. There are two ways:

1. Many clients ask simultaneously for a computationally expensive operation.
For example, some sort of filtering mechanism for the member list of a
community site. Depending on the database backend, such a request can cause a
more or less sophisticated SQL query.

These are usually the places where programmers should optimize their queries
(or use caching etc.) to prevent the server from crashing.

2. Simply ask for a resource like an image or a larger JS file, but do this
often with many clients. This also happens when a small blog writes a good
article and is linked on HN or reddit. The incoming traffic is too big to be
handled.

Generally speaking, it depends heavily on the server's environment regarding
caching, optimization, load balancing, a firewall script, an Intrusion
Detection/Prevention System etc. whether or not a browser-based attack can be
successful.
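The half-open-queue exhaustion described in the comment above, as an added example that is not part of the original post: a toy Python model of a listening socket whose SYN_RECV queue has a fixed backlog and timeout, fed by flooders that send SYN and never ACK. A stateless SYN-cookie listener is included alongside it as the standard kernel-side answer to exactly this resource problem (the comment does not cover it). The backlog size, the 60-second timeout, the 64-second cookie slot and the HMAC-based cookie are illustrative assumptions, not any real kernel's values.

```python
import hashlib
import hmac
import os
from collections import OrderedDict


class ListenSocket:
    """Toy model of a listening TCP socket's half-open (SYN_RECV) queue.

    Every SYN answered with SYN/ACK occupies one slot until the peer's ACK
    arrives or the entry times out; a flooder simply never sends the ACK.
    Backlog and timeout are illustrative assumptions, not a real kernel's."""

    def __init__(self, backlog=128, syn_timeout=60.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> (server_isn, t_syn)
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src, now):
        """Return the ISN carried in our SYN/ACK, or None if the SYN was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1       # queue full: the client just sees a timeout
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[src] = (isn, now)
        return isn

    def on_ack(self, src, ack_num, now):
        """Third handshake step: only a stored half-open entry can be completed."""
        entry = self.half_open.get(src)
        if entry is None or entry[0] + 1 != ack_num:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True

    def _expire(self, now):
        # Entries are kept in insertion order, so the oldest is always at the front.
        while self.half_open:
            _, (_, t_syn) = next(iter(self.half_open.items()))
            if now - t_syn < self.syn_timeout:
                break
            self.half_open.popitem(last=False)


class SynCookieListener:
    """Same interface, but no per-connection state before the ACK (SYN cookies).

    The ISN is an HMAC over the peer address and a coarse time slot, so the
    final ACK can be verified without the SYN ever having been stored."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.established = set()

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, now):
        return self._cookie(src, int(now) // 64)   # nothing is stored

    def on_ack(self, src, ack_num, now):
        slot = int(now) // 64
        for s in (slot, slot - 1):                 # tolerate a slot boundary
            if self._cookie(src, s) + 1 == ack_num:
                self.established.add(src)
                return True
        return False


def run_scenario(listener, n_attackers, now=1000.0):
    """n_attackers each send one SYN and never ACK; then one legitimate client
    attempts a full handshake. Returns whether the legitimate client got through."""
    for i in range(n_attackers):
        listener.on_syn((f"10.0.{i // 254}.{i % 254 + 1}", 40000 + i), now)
    legit = ("192.0.2.10", 51234)
    isn = listener.on_syn(legit, now + 0.1)
    if isn is None:
        return False
    return listener.on_ack(legit, isn + 1, now + 0.2)


def recovers_after_timeout(now=1000.0):
    """With a stateful queue the flood only holds while its entries are young."""
    sock = ListenSocket(backlog=128, syn_timeout=60.0)
    run_scenario(sock, 1000, now)                 # fills the queue
    legit = ("192.0.2.11", 51235)
    isn = sock.on_syn(legit, now + 100.0)         # the old entries have expired
    return isn is not None and sock.on_ack(legit, isn + 1, now + 100.1)


if __name__ == "__main__":
    print("stateful, 1000 half-open:", run_scenario(ListenSocket(), 1000))
    print("stateful, 10 half-open:  ", run_scenario(ListenSocket(), 10))
    print("SYN cookies, 1000:       ", run_scenario(SynCookieListener(), 1000))
    print("stateful after timeout:  ", recovers_after_timeout())
```

The stateful listener refuses the legitimate client as soon as 128 half-open entries are parked in its queue, and only recovers once those entries age out; the cookie listener never stores anything before the ACK, so the same 1000 unanswered SYNs cost it nothing. A flooder has to keep resending faster than the timeout to hold the stateful queue, which is why the attacker-side rate the comment mentions matters.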

------
inconditus
Anyone have a source? I'm curious how crafted GET statements can lead to a
DDOS.

~~~
thaumaturgy
I was able to find one without too much difficulty (not linking to it though).
Pastebin and the like seem to be removing the links almost as quickly as they
show up though.

As with everything I've seen from "Anonymous" so far, it's a completely
unsophisticated attack. All it does is create an image object in JS and set
the src of the image object to the URL to be attacked, with some random
garbage appended to confuse naive caching systems. It initially attempts to do
this about once every millisecond, but it looks like it will shut itself down
if there are too many failed requests.

It's pretty lame. I mean, they're not targeting an especially bandwidth-heavy
thing. They're not submitting forms to flood a database or crash an email
server. They're not attempting to exploit any vulnerabilities at all. They're
literally just trying to spam it for as long as their attention span lasts.

The only thing a network monkey needs to do to mitigate an attack like this
one is mount a few nginx proxies to handle anything with the garbage URL
attached and then immediately close the connection while letting everything
else through.

edit: Hah! The biggest single element on the justice.gov home page is the
_jquery script_ it includes, which is almost twice the size of the index page.
Anon could have doubled their effectiveness just by sending requests for
jquery instead. :-)
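The mitigation sketched above (treat anything carrying the garbage URL as junk and discard it, let everything else through) as an added example, not code from the original comment or from any real proxy: a Python triage pass over a constructed nginx-style access log. Requests whose query string no handler on the site would consume are dropped, and an IP that sends several of them inside a short window is blocked for everything, including its clean requests. The per-path parameter allowlist, the thresholds and the sample log lines are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format; the timestamp is parsed to epoch seconds below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption for this example: only /search legitimately takes query parameters.
KNOWN_PARAMS = {"/search": {"q", "page"}}

# Constructed sample log, not real traffic: one ordinary visitor, one visitor
# fetching a static image, and one IP firing image requests with random junk
# appended to the URL (the cache-busting pattern described in the comment).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2012:22:15:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Jan/2012:22:15:01 +0000] "GET /js/jquery.js HTTP/1.1" 200 9843 "http://www.example.org/index.html" "Mozilla/5.0"
192.0.2.10 - - [19/Jan/2012:22:15:04 +0000] "GET /search?q=foia&page=2 HTTP/1.1" 200 2210 "http://www.example.org/index.html" "Mozilla/5.0"
198.51.100.3 - - [19/Jan/2012:22:15:05 +0000] "GET /images/logo.png HTTP/1.1" 200 3310 "http://www.example.org/index.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:05 +0000] "GET /?x6q1k9z HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:05 +0000] "GET /?p0w4mna HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:05 +0000] "GET /?kk28sd1 HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:06 +0000] "GET /?zzq7f2b HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:06 +0000] "GET /?b3n8x0c HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:06 +0000] "GET /?m1ll0pq HTTP/1.1" 200 5123 "http://example.net/page.html" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2012:22:15:07 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def is_cache_buster(target):
    """True for a query string that no handler on this site would consume."""
    path, sep, query = target.partition("?")
    if not sep:
        return False
    allowed = KNOWN_PARAMS.get(path)
    if allowed is None:
        return True                      # static path: any query string is junk
    for pair in query.split("&"):
        key, eq, _ = pair.partition("=")
        if not eq or key not in allowed:
            return True
    return False


class OffenderTracker:
    """Block an IP for block_for seconds once it sends `threshold` junk
    requests within `window` seconds. The numbers are illustrative."""

    def __init__(self, threshold=5, window=10.0, block_for=300.0):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.hits = defaultdict(deque)
        self.blocked_until = {}

    def is_blocked(self, ip, t):
        return self.blocked_until.get(ip, 0.0) > t

    def record(self, ip, t):
        q = self.hits[ip]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = t + self.block_for


def triage(log_text, tracker=None):
    """Classify each request as 'pass', 'cache_buster' (dropped) or 'blocked'."""
    tracker = tracker or OffenderTracker()
    counts = {"pass": 0, "cache_buster": 0, "blocked": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        ip = m["ip"]
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if tracker.is_blocked(ip, t):
            counts["blocked"] += 1
        elif is_cache_buster(m["target"]):
            tracker.record(ip, t)
            counts["cache_buster"] += 1
        else:
            counts["pass"] += 1
    counts["blocked_ips"] = sorted(tracker.blocked_until)
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample log the three ordinary visitors' requests pass, the first five junk requests from 203.0.113.7 are dropped individually, and from the fifth onward that IP is blocked outright, so its sixth junk request and its later clean request for /index.html are refused as well. The caveat is the allowlist: a strict per-path list also discards legitimate parameters nobody thought to register (tracking tags, for instance), so it has to be maintained alongside the application. A second signal not used here is the Referer: an image object created by a script on a third-party page reports that page as its referer, which is easy to spot on a front page that is not normally hotlinked.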

~~~
narcissus
There was a similar project a while ago called Lad Vampire (by a group called
Artists Against 419) that used to do the same thing to fake baking sites. It
was pretty effective and to be honest, it was kind of cool seeing the sites
being listed as going down over time.

~~~
thyrsus
"fake banking". The trip to urban dictionary for "fake baking" didn't turn up
anything plausible.

------
thereallurch
I'm still not sure what DDOS'ing a government website will ultimately achieve.
So you can't access justice.gov for a few days...how many of you visit that
site daily? How does this affect the Justice department other than making some
IT guy look bad?

I see what they are trying to do. They want to show that the will of a few can
control the masses...but hijacking a bystander's browser will only make
Anonymous look like a bunch of assholes. This tactic will give the media
and/or government a way to paint Anonymous in a different light.

~~~
indiecore
I think if they really wanted to hit someone where it hurts they should be
targeting banking frontpages, i.e. where you sign in for online banking.

Since anon is basically reduced to tearing down posters they may as well tear
down the posters with functionality built in.

------
Mithrandir
Here's the source code for it: <http://pastebay.com/302697>

Here's what it looks like w/o the JS attack code:
<http://pastehtml.com/view/bloqs5aae.html>

d0z.me (<http://d0z.me/>) is similar in effect to this, although not the same.

