FEATURE Anonymous: serious threat or mere
Steve Mansfield- annoyance? Devine
Steve Mansfield-Devine, editor, Network Security
For a couple of weeks in December 2010, the Wikileaks ‘Cablegate’ contro- many. Anonymous wasn’t known for versy was in danger of being overshadowed by another, related phenomenon engaging in sophisticated debates about – Distributed Denial of Service (DDoS) attacks launched by the so-called freedom of information or transparency Anonymous movement against organisations they deemed to be contrary to of government. The campaign was pre- Wikileaks’ interests. The attacks provoked a press frenzy that frequently exag- sented as ‘Operation Avenge Assange’ gerated their effectiveness and missed at least one intriguing aspect – that they (in reference to Wikileaks leader Julian effectively relied on people infecting their own PCs. So how did these attacks Assange), but most people continued to work, how effective were they, and what are the implications? refer to it as Operation Payback. Via its websites, Anonymous issued the state- Who are Anonymous? services of Prolexic – a specialist in miti- ment (though with rather more spelling gating DDoS attacks.2 Two members of mistakes): Anonymous originates from the 4chan. Anonymous were subsequently jailed for “While we don’t have much of an affil- org message board, an ‘anything goes’ taking part in the attacks.3 iation with WikiLeaks, we fight for the website that allows users to post images same: we want transparency (in our case and comments without registering. They Wikileaks campaign in copyright) and we counter censor- can use names (any names) or they can ship. The attempts to silence WikiLeaks post without identifying themselves, The campaign in support of Wikileaks are long strides closer to a world where in which case the posting is labelled came as something of a surprise to we cannot say what we think and not ‘Anonymous’. The site became a rallying point for a series of (mostly juvenile) pranks and campaigns. Before the Wikileaks-related activities, Anonymous was best known for Operation Payback in which it attacked the Recording Industry Association of America (RIAA) and other organisations connected with copyright protection and music and software anti-piracy efforts. The anti-copyright activities of Operation Payback continue to this day, in a some- what spasmodic manner. The group then gained considerable notoriety for its attacks on the Church of Scientology with ‘Project Chanology’.1 Critics (and even some supporters) of Anonymous considered this campaign a mistake, as it enabled the Church of Scientology to claim religious persecu- tion, while the damage caused was mini- mal. The ‘church’ moved quickly to pro- tect itself from the Anonymous activities Figure 1: Anonymous indulged in some limited website defacement. by switching hosts and employing the
4 Network Security January 2011 FEATURE express how we feel. We cannot let this happen: that is why we will find out who is attacking WikiLeaks and with that find out who tries to control our world. What are we going to do when we find them? Except for the usual DDoSing, word will be spread that whoever tries to silence or discourage WikiLeaks, favours world domination rather than freedom and democracy.” The main targets of the Anonymous attacks over the first couple of weeks of
December 2010 were: Figure 2: JS-LOIC, the Javascript version of the LOIC DDoS tool. The precise appearance depends on • Financial organisations – such as how it is implemented by each site’s webmaster. MasterCard, Visa and PayPal – which blocked payments to Wikileaks. ‘Anons’ – join in or not as they see fit. also offers a ‘hive mind’ option in which • EveryDNS.com, which removed This apparently anarchic nature is both a it will attempt to discover the current Wikileaks' DNS record. strength and a weakness, as we’ll see. target from an IRC channel (with the • The website of Joe Lieberman (lieber- IRC server and channel specified by the man.senate.gov), the US senator who DDoS tool user). This makes it even easier for the wants Assange to be tried under espio- user, who simply has to start the pro- nage laws. The tool of choice for Anons is the gram running. Knowledgeable users can • US politician Sarah Palin, who called Low Orbit Ion Cannon (LOIC). This select a variety of options, such as type for Assange to be treated like a terror- was originally developed by ‘Praetox of packets sent (TCP, UDP or HTTP), ist, also found her website (sarahpac. Technologies’ (a suitably anonymous port numbers and so on. com) under attack from some Anons, coder), allegedly as a network stress-test- In hive mind mode, operation of but only a minority. ing tool.4 The source code for LOIC is LOIC clients is controlled by plain • The Swedish law firm (www.advbyra. still available on the now-unmaintained text messages posted in the topic of the se) representing the two women who Praetox website, but the version used chosen IRC channel. In their analysis have made allegations of sexual mis- by Anonymous has been updated and of LOIC, researchers Pras et al give the conduct against Assange. retrofitted with a crude command and following example of a command that • The Swedish prosecutor’s office control capability. initiates an attack and provides various responsible for the case (aklagare.se). LOIC comes in two main forms – a parameters, such as target:5 • Swiss bank PostFinance (postfinance. Windows executable that Anons down- ch), which suspended Assange’s load and run from their own machines; !lazor default targethost=www. defence fund account. and a Javascript-based version (JS-LOIC) moneybookers.com subsite=/ Other targets would emerge – among designed to be integrated into a web page speed=3 threads=15 method=tcp them online retailer Amazon which, in and therefore usable by anyone who visits wait=false random=true checked=false spite of it kicking Wikileaks out of its S3 the site. (Other ports of the tool are avail- message=Sweet_dreams_from_AnonOPs cloud storage service, initially remained able but appear little used so far.) port=80 start immune from retaliation. Anonymous Distribution of the tool is widespread also indulged in some website deface- – you can find it in any number of loca- LOIC sends repeated messages con- ment, although the number of sites tions and there is no attempt to verify taining a string defined by the user to affected was very small and they were the authenticity of the code. There the target machine, opening several con- mostly easy targets. is nothing to stop someone injecting nections. With TCP and UDP attacks, Anonymous claims to be an amor- malware into the tools and making the the packets sent consist of just the plain phous entity. This is not entirely true, malicious version available in multiple text of the message: in HTTP attacks, but it is true that anyone can join in. places on the net: most users would be the string is included in a GET request. The group’s activities are organised entirely unaware as the technical sophis- The Javascript variant only uses HTTP primarily via IRC chatrooms and, to tication of Anons tends to be very low. but attempts to make the attack more a lesser extent, Twitter and Facebook. No skill is required to use LOIC. The effective by including random numbers Because there is no formal structure and Javascript version just needs the user in the URLs it generates, in an effort to no overt or admitted leadership, it’s diffi- to enter a target address and click the prevent caching. cult to pin down exactly how the group’s ‘fire’ button, although there are some Other, more sophisticated tools have activities come about. Ideas are seeded optional settings. The Windows execut- appeared. The High Orbit Ion Cannon in the IRC channels and members – or able can be equally simple to use, and (HOIC) claims a number of advanced
5 January 2011 Network Security FEATURE
features, including high-speed, multi- threaded HTTP flooding, the ability to attack up to 256 websites at once and scripting.6 Code for the Geosynchronous Orbit Ion Cannon (GOIC) variant appeared on the web in the middle of December 2010.7 But neither HOIC nor GOIC played any significant part in the Operation Payback campaign. An updated version of the original tool, LOIC2, has also appeared which can use Twitter, Facebook and RSS as command and control channels and can employ slow HTTP transactions to over- burden servers. Cannon fodder
Given that the DDoS attacks mounted by Figure 3: IRC chatrooms are used by Anonymous for both command and control and discussion of Anonymous are unambiguously illegal in topics such as the next target. most countries (and all of the countries in which Anons are likely to have been operating), it’s interesting to note that one thing the LOIC tool makes no attempt to do is conceal the identity of the attacker. The IP address of each attacker will be readily available in the victim’s system logs, and it’s a safe bet that at least some of the larger firms involved in the recent campaign will now be sitting on databases of attacker IPs. LOIC cannot be used via proxies (including anonymising systems such as TOR) because that would just end up DDoSing the proxy. Inevitably, some Anons will have used the tool on other people’s machines – perhaps at school and, for those old enough, at work. This should give pause for thought for corpo- rate infosec practitioners: do your secu- rity policies properly cover such misuse?
“Most of them are script kiddies caught up in the excitement and the prospect of being able to create havoc with no apparent consequences”
The attacks mounted by Javascript ver- sions of LOIC will be easily traced to the websites on which the tool was hosted. In most cases, however, the logged IPs will point to the personal computers of individual Anons. Figure 4: Network status (as of 10 Dec 2010) showing the effects of retaliatory strikes by the It’s quite probable that the majority of authorities and ‘patriot’ hackers. Anons have no idea that this is the case.
6 Network Security January 2011 FEATURE
Most of them are script kiddies caught up in the excitement and the prospect of being able to create havoc with no apparent consequences. They are, in fact, little more than cannon fodder for the Anonymous campaign. Some are aware of the dangers, but there is a dangerously high level of naive- ty present. On IRC channels and web- sites affiliated to Anonymous, advice on how to protect yourself includes claim- ing your computer was infected with a virus and setting your wifi router to be open so that you can claim someone else used it – neither of which would stand up in court. Some Anons suggest that the authorities would be unable to pros- Figure 5: Twitter was used to co-ordinate attacks, although accounts associated with Anonymous ecute such a large number of people. But were quickly shut down. they wouldn’t have to. A few test cases would probably be enough to discourage Anonymous IRC servers and websites to suppression. In fact, the constant people from joining in – at least, enough became unusable. The domains also came domain-shifting and problems with people so that Anonymous wouldn’t get under regular DDoS assaults themselves Twitter proved to be a major weakness the volume of DDoS traffic required – notoriously by so-called ‘patriot’ hackers for Anonymous. Anons were forced into to be successful. At the time of writ- (including the relentlessly self-promoting hunting around for the address of the ing, two teenagers had been arrested in ‘Jester’, or ‘th3j35t3r’ if you prefer).9 current IRC server, dramatically reduc- the Netherlands in connection with the ing the number who could participate recent attacks, and in the US, the FBI “As soon as one account was in the DDoS attacks at any one time. seized a server.8 shut down, another popped Often, Anons would attack different That said, there is reason to believe up – like a game of cyber targets, misled by ‘unofficial’ Twitter that the majority of Anons are probably whack-a-mole” accounts or websites or by out-of-date safe. Most authorities, and victims, are information. The result was a significant likely to have little interest in prosecut- The result was that Anonymous was watering down of the group’s efforts. ing script kiddies, especially with the constantly having to find new homes for To any visitor to the IRC chan- complications involved in pursuing peo- its IRC and web servers. The anonops- nels (and the number of press visitors ple in foreign jurisdictions. irc.org domain was one of the early prompted the IRC operators to set up a casualties. The group switched to .eu dedicated #journalists channel) it quickly Organisational channels domains (eg, anonops.eu), which didn’t became clear that Anonymous does have last long, then to .tk addresses (eg, leaders. Only operators can set the top- IRC was key to Operation Payback. anonymous-payback.tk) and even anon- ics of the channels that direct Anons Channels such as #loic and #target were ops.ru. For most of the time, users could to their next target. The ‘discussions’ used to direct LOIC clients to their vic- connect to IRC servers only by using IP in channels such as #operationpayback tims. The #operationpayback channel addresses. verged on the rabid and unintelligible. was buzzing with frequently over-excited Twitter also closed one Anonymous Picking any kind of consensus out of this debate about who to attack and the account after another. Naturally, as soon anarchy would have been impossible. To effects of the campaign. Sometimes the as one account was shut down, another say that the ‘group’ decided on the next chatter was so rapid that it was hard to popped up – like a game of cyber target is not credible. Somewhere, a per- read anything before it scrolled off the whack-a-mole. However, it was often son or small group of people, made that page. Twitter was also a key commu- impossible to tell the difference between decision. Perhaps they were guided by nications channel, mainly for directing accounts opened by people with a genu- what they’d read in the channel. It seems Anons to IRC domains. This was desper- ine connection to the Anonymous lead- more likely that they seeded the channel ately needed because Anonymous wasn’t ership and those of fellow-travellers and with their own ideas for targets and used the only group on the attack – others people just in it for fun. the eagerness of the members to launch were fighting back. The apparent resilience of these ‘fire attacks as a justification. Anonymous Some of the retaliation was by the and reposition’ tactics was hailed by later issued a press release – another sign authorities. DNS listings were with- Anonymous as proof that its amorphous, of leadership: anarchic mobs don’t write drawn, so that domain names used for allegedly leaderless structure is immune press releases.
7 January 2011 Network Security FEATURE
law firm, are likely to have had all their Internet-based activities disrupted by the over-stressing of their web servers, the impact on the primary operations of larger firms, such as MasterCard, is likely to have been minimal. In addition, those transac- tions that were affected were most likely only delayed. For example, someone trying to make a PayPal payment probably just waited an hour and tried again. Figure 6: Netcraft uptime stats show periods of unavailability for MasterCard’s website. Visa was hit with similarly short spells of downtime. Critical mass
Damage assessment “The impact on the primary The Anonymous attacks illustrated a fact operations of larger firms, such of life known by any student of DDoS While there were many claims – in the as MasterCard, is likely to have attacks – that it’s all about numbers. press and in IRC channels – that targets been minimal” Cybercrime gangs using DDoS as a had been brought to a grinding halt, the blackmail tool, or state-sponsored hackers effects of the Anonymous DDoS attacks There are no available figures with which using it as a weapon of war, will deploy were patchy to say the least. Frequently, to measure the damage done by Operation botnets comprising tens of thousands of there would be claims made on IRC that Payback. Netcraft statistics for uptime give machines focused on a single target. Even the target of the moment was ‘down’. a clue and show that some major organisa- at the peak of the Anonymous attacks, In fact, it’s highly likely that the Anon tions saw short periods of downtime while the number of participants was in the low reporting victory was actually having his others suffered outages of a day or more. thousands, and most of the time there or her IP address blocked by the victim. Given that availability is critical to were only hundreds of LOIC clients fir- A standard defence against DDoS is to organisations that process financial transac- ing at the same time at the same target. identify IPs responsible for the attack tions, any amount of downtime is likely There were reports that the LOIC tool (usually readily identifiable given the clas- to be expensive. However, Anonymous had been downloaded at least 40,000 sic behaviour of making repeated requests succeeded in attacking only minor parts times by mid-December. But there’s no in a short space of time) and filter them. of those companies – in the case of way of telling how many of these down- The site would appear to be down to any PayPal, for example, the initial attack loads were used in anger. And, of course, such attacker but would work normally was just against the site’s blog. While the they have to be used at the same time to for everyone else. smaller organisations, such as the Swedish achieve the proper DDoS effect.
“Even a little time spent in the IRC channels is enough to convince you that trying to organise Anons is like herding cats”
Co-ordination was a big problem. Botnets are automated: with the LOIC- based Anonymous DDoS, you’re relying on individuals who must be available and willing at the same time, and who must all have their clients configured to fire at the same target (only those clients set to hive mind mode benefited from any degree of automation). We’ve already seen how the constant disruption to IRC hosting and Twitter accounts played havoc with co-ordination efforts. And while Anonymous clearly has some degree of central control, even a little time spent in the IRC channels is enough to convince you that trying to Figure 7: Anonymous targets the Bank of America. organise Anons is like herding cats.
8 Network Security January 2011 FEATURE
On 10 December, Anonymous issued sites in its support for Wikileaks. There cyberwar has begun – between Anons a press release – partly, it seems, to put a were more attacks against MasterCard on one side and a strange alliance of face-saving spin on its failures. Famously, and other payment-processing firms. authorities, corporates and ‘patriot’ these failures included an abortive attack But when it became clear that the hackers on the other. Like much of against Amazon. Many Anons wanted DDoS attacks simply weren’t working, what comes out of Anonymous (includ- to attack Amazon.com for booting out Anonymous switched briefly to a some- ing its press release and hilariously pre- Wikileaks from its S3 service, and there what bizarre strategy of attempting to tentious YouTube videos) that’s so much is some evidence that some Anonymous overload the fax machines of a number self-aggrandising hyperbole. But this members mounted just such an attack. of organisations. When attacking a campaign did point to a line of tension Certainly, there was an attack against little-used technology from a previous running through the Internet that is Amazon.co.uk for selling an e-book con- era brought only derision, it went back likely to produce many entertaining – taining some of the Cablegate memos. to DDoS assaults. The Bank of America and perhaps dangerous – incidents in This attack had no effect. was briefly inconvenienced because, like the future. In part, the press release read: Visa and MasterCard, it stopped process- “While it is indeed possible that ing payments for Wikileaks – partly About the author Anonymous may not have been able because it believed itself to be the next Steve Mansfield-Devine is the editor of to take Amazon.com down in a DDoS subject of leaked memos. Network Security and its sister publica- attack, this is not the only reason the Anonymous has also turned its atten- tion Computer Fraud & Security. He is attack never occurred [sic]. After the attack tion to countries that have tried to also a freelance author and journalist spe- was so advertised in the media, we felt that impose restrictions on Internet use cialising in technology and security. it would affect people such as consumers in following embarrassing revelations in a negative way and make them feel threat- Wikileaks cables – including Zimbabwe Resources ened by Anonymous. Simply put, attack- and Tunisia.10,11 We can expect this PandaLabs maintained a blow-by-blow ing a major online retailer when people are campaign to continue for some time, account of the Anonymous campaign, buying presents for their loved ones, would but without the press attention it had in which makes for entertaining reading: be in bad taste. early December.
9 January 2011 Network Security FEATURE
7. Geosynchronous Orbital Ion 9. ‘Jester’s Court’.
Edward G Amoroso, AT&T
In this excerpt from his book, Cyber Attacks: Protecting National Infrastructure, • Global threats: any political or glo- cyber-security expert Edward G Amoroso looks at how you detect infrastructure bal threats that might be present at attacks, manage vulnerability information and manage risk. a given time will certainly have an impact on an organisation’s situational Real-time understanding ences are often a rich source of new security posture. This must be moni- vulnerability data. tored carefully in regions where an ‘Situational awareness’ refers to the • Security infrastructure: understand- organisation might have created a collective real-time understanding ing the state of all active security partnership or outsourcing arrange- within an organisation of its security components in the local environment ment. Because outsourcing tends to risk posture. Security risk measures the is required for proper situational occur in regions that are remote to the likelihood that an attack might pro- awareness. This includes knowledge organisation, a global threat posture duce significant consequences to some of security software versions for integ- has become more significant. set of locally valued assets. A major rity management and anti-malware • Hardware and software profiles: an challenge is that the factors affect- processing, signature deployments accurate view of all hardware and ing security risk are often not locally for security devices such as intrusion software currently in place in the controlled and are often deliberately detection systems, and monitoring organisation is also essential to situa- obscured by an adversary. To optimise status for any types of security collec- tional awareness. A common problem situation awareness, considerable time, tion and processing systems. involves running some product ver- effort and even creativity must be • Network and computing architec- sion that is too old to properly secure expended. ture: knowledge of network and com- through a programme of patching or Sadly, most existing companies and puting architecture is also important security enhancement. A correspond- agencies with responsibility for national to understanding an organisation’s ing problem involves systems that infrastructure have little or no disci- situational security posture. An accu- are too new to properly characterise pline in this area. This is surprising, rate catalogue of all inbound and out- their robustness against attack. In as a common question asked by senior bound services through external gate- practice, an optimal period of product leadership is whether the organisation is ways is particularly important during operation emerges between the earli- experiencing a security risk or is ‘under an incident that might be exploiting est installation period, when a product attack’ at a given time. specific ports or protocols. or system is brand new, and the latter Awareness of security posture requires • Business environment: security pos- stages of deployment, when formal consideration of several technical, opera- ture is directly related to business support from a vendor might have tional, business and external or global activities such as new product launch- lapsed (see Figure 1). factors. These include the following: es, new project initiation, public rela- Each of these factors presents a set of • Known vulnerabilities: detailed tions press releases, executive action unique challenges for security teams. knowledge of relevant vulnerabilities involving anything even mildly con- An emerging global conflict, for exam- from vendors, service providers, gov- troversial, and especially any business ple, will probably have nothing to do ernment, academia and the hacking failures. Any types of contract nego- with the vulnerability profile of soft- community is essential to effective tiations between management and ware running locally in an enterprise. situational awareness. Specific events employee bases have a direct impact There are, however, clear dependencies such as prominent hacking confer- on the local situational security status. that arise between factors in practice
10 Network Security January 2011