Categories: SecurityWorkspace

Researchers: ‘Operation Payback’ Attack Tool Leaves Participants Traceable

Those participating in denial-of-service attacks in support of WikiLeaks may not be as anonymous as they think.

According to an analysis (PDF) of the Low Orbit Ion Cannon (LOIC) tool by researchers from the University of Twente in the Netherlands, the tool does not protect the Internet Protocol (IP) address of its users. The revelation could be bad news for those participating in the opt-in botnet believed to have taken down a number of high-profile websites in an effort dubbed ‘Operation Payback’.

‘Hive Mind’

LOIC was first developed as a network load-testing tool. The program, the researchers note, performs a denial-of-service attack by sending a sequence of TCP (Transmission Control Protocol), UDP (User Datagram Protocol) or HTTP (Hyper-Text Transfer Protocol) requests to a target site. The original version allows the user to select a target host, their method of attack and other parameters to customise the requests to be sent.

The version being used in Operation Payback includes an additional ‘Hive Mind’ mode that enables it to be remotely controlled via the Internet Chat Relay (IRC) protocol, thereby making the user part of a botnet. A third, web-based version of LOIC was released last week and runs in any browser that supports JavaScript.

“The tool…does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks,” the researchers wrote. “Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers. Moreover, web servers normally keep logs of all served requests, so that target hosts also have information about the attackers.

Operation Payback is the work of Anonymous, and can claim sites belonging to MasterCard, PayPal and PostFinance among its victims. There hasn’t been much in the way of law enforcement actions against the attackers, but Dutch authorities did arrest a 16-year-old in connection with the attacks on 8 December.

Covering tracks

The researchers note that the attackers can cover their tracks through anonymisation networks such as Tor. Those not using such services will have their real Internet address included in every Internet message being transmitted, the researchers wrote.

“We also found that these tools do not employ sophisticated techniques, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems,” according to the paper. “The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address at the back of the envelop.”

HD Moore, chief security officer at Rapid7, said he came to the same conclusion in his own testing of LOIC.

“Anyone whose IP address shows up in multiple targets’ logs is going to have a lot of trouble avoiding charges, or at least pressure to expose other folks,” he said.

Gunter Ollmann, vice president of research at Damballa, told eWEEK in an interview on 9 December that LOIC is just one of “hundred and hundreds of tools and almost all are freely downloadable”.

“Simple Google searches will reveal their location(s),” he said. “In addition, social networking groups focused upon a particular protest will often include links and command and control configuration details – so, in that sense, if you’re interested in joining a particular protest, access to the optimal tools is trivial. Some DDoS agents are available in commercial versions – and are usually purchased by professional on-demand DDoS service providers.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago