ITBusiness.ca

Operation: Payback attacks can be tracked down

People using a tool to conduct distributed denial-of-service (DDOS) attacks against other websites in support of WikiLeaks can easily be traced, according to computer security researchers.
Thousands of people have downloaded the “Low Orbit Ion Cannon,” a tool that bombards a targeted website with garbled traffic in an attempt to knock it offline. The tool has been promoted by Anonymous, a loose-knit group of online campaigners that has attacked companies that cut off support for WikiLeaks since it began releasing secret U.S. diplomatic cables in late November.

But researchers at the University of Twente in Enschede, Holland, say it is easy for ISPs to identify those using the tool, as it takes no measures to protect the identity of its users, according to their paper.

There are several versions of the Low Orbit Ion Cannon: one is a client application that is downloaded by a user and can be remotely controlled via an IRC (Internet Relay Chat) or be manually configured. The other is a JavaScript-based Web site.

With the client application, the targeted Web site can see the real IP (Internet Protocol) address of the computer conducting the attack, the researchers wrote. The IP address can be linked to the ISP providing the service, which can then investigate which subscriber the address corresponds too. The same condition happens when someone uses the Web-based tool.

One method used by those conducting a DDOS attack is to configure the program to use a fake IP address, but the Low Orbit Ion Cannon does not do that. DDOS attacks can also be coordinated using a botnet, or a network of machines that have been compromised. The owners of those computers are usually unaware their computers is infected and taking part in an attack.
The danger with the WikiLeaks attacks is that many of those less tech-savvy people eager to join the online campaign may be unaware that they can be traced.

“The current attack technique can therefore be compared to overwhelming someone with letters but putting your real home address on the back of the envelope,” the researchers wrote.

In the European Union, telecommunications operators must retain data for six months, which “means that hacktivists can still be easily trace after the attacks are over,” they wrote.

Already, police in the Netherlands have arrested two teenagers in connection with the attacks. Dutch prosecutors said one of them was easily tracked down.

The DDOS attacks, dubbed Operation: Payback, by Anonymous appear to be continuing, according to security vendor Imperva. The Low Orbit Ion Cannon has been downloaded about 67,000 times, Imperva said.
MasterCard, which stopped processing payments for WikiLeaks, was attacked again over the weekend, with statistics showing it experienced some downtime, according to Netcraft. A vast majority of security vendors are now labeling the Low Orbit Ion Cannon a threat and will block the program, Imperva said.

Imperva also said it has been monitoring some of the communication between people coordinating the attacks. Those attackers are recommending development of a system by which people are lured to some other content, such as pornography, but by visiting the website would invisibly launch the DDOS JavaScript tool.

That approach is unlikely to be effective, said Paul Mutton, a security threat analyst with Netcraft. The traffic intended to harm the website would come from a person’s Web browser.

Browser traffic is difficult to control, and there is processing overhead performed in the browser that tries to render whatever content comes back, Mutton said. That is in contrast to a dedicated tool that can send huge payloads.

“In a nutshell the Web-based version of the LOIC software is not as effective as the real thing, but they are far easier for anyone to use,” Mutton said.

Exit mobile version