A new paper by researchers at the University of Twente in the Netherlands shows the tool being used in denial-of-service attacks does not hide users' IP addresses.
Those participating in denial-of-service attacks in support of WikiLeaks may
not be as anonymous as they think.
According to an
analysis (PDF) of the Low Orbit Ion Cannon (LOIC) tool by researchers from
the University of Twente
in the Netherlands,
the tool does not protect the Internet Protocol (IP) address of its users. The
revelation could be bad news for those participating in the opt-in
botnet believed to have taken down a number of high-profile
Websites in an effort dubbed "Operation Payback."
LOIC was first developed as a network load-testing tool. The program, the
researchers note, performs a denial-of-service attack by sending a sequence of TCP
(Transmission Control Protocol), UDP (User Datagram Protocol) or HTTP
(Hyper-Text Transfer Protocol) requests to a target site. The original version
allows the user to select a target host, their method of attack and other
parameters to customize the requests to be sent.
The version being used in Operation Payback includes an additional "Hive
Mind" mode that enables it to be remotely controlled via the Internet Chat
Relay (IRC) protocol, thereby making the user part of a botnet. A third,
Web-based version of LOIC was released last week and runs in any browser that
"The tool ... does not attempt to protect the identity of the user, as
the IP address of the attacker can be seen in all packets sent during the
attacks," the researchers wrote. "Internet Service Providers can
resolve the IP addresses to their client names, and therefore easily identify
the attackers. Moreover, Web servers normally keep logs of all served requests,
so that target hosts also have information about the attackers."
Payback is the work of Anonymous and claims sites belonging to MasterCard,
PayPal and PostFinance among its victims. There hasn't been much in the way of
law enforcement actions against the attackers, but Dutch authorities did arrest
a 16-year-old in connection with the attacks Dec. 8.
The researchers note that the attackers can cover their tracks through
anonymization networks such as Tor. Those not using such services will have
their real Internet address included in every Internet message being
transmitted, the researchers wrote.
"We also found that these tools do not employ sophisticated techniques,
such as IP-spoofing, in which the source address of others is used, or
reflected attacks, in which attacks go via third party systems," according
to the paper. "The current attack technique can therefore be compared to
overwhelming someone with letters, but putting your real home address at the
back of the envelope."
HD Moore, chief security officer at Rapid7, said he came to the same
conclusion in his own testing of LOIC.
"Anyone whose IP address shows up in multiple targets' logs is going to
have a lot of trouble avoiding charges, or at least pressure to expose other
folks," he said.
Gunter Ollmann, vice president of research at Damballa, told eWEEK in an
interview Dec. 9 that LOIC is just one of "hundred
and hundreds of tools and almost all are freely downloadable."
"Simple Google searches will reveal their location(s)," he said.
"In addition, social networking groups focused upon a particular protest
will often include links and command and control configuration details-so, in
that sense, if you're interested in joining a particular protest, access to the
optimal tools is trivial. Some DDoS agents are available in commercial versions-and
are usually purchased by professional on-demand DDoS service providers."