Elsevier

Network Security

Volume 2011, Issue 1, January 2011, Pages 4-10

Feature
Anonymous: serious threat or mere annoyance?

https://doi.org/10.1016/S1353-4858(11)70004-6

For a couple of weeks in December 2010, the Wikileaks ‘Cablegate’ controversy was in danger of being overshadowed by another, related phenomenon – Distributed Denial of Service (DDoS) attacks launched by the so-called Anonymous movement against organisations they deemed to be contrary to Wikileaks' interests.

The attacks provoked a press frenzy that frequently exaggerated their effectiveness and missed at least one intriguing aspect – that they effectively relied on people infecting their own PCs. And by using their own computers, those doing the attacking were easily traceable. Steve Mansfield-Devine examines how these attacks work, how effective they are and their implications for the future.

Section snippets

Who are Anonymous?

Anonymous originates from the 4chan.org message board, an ‘anything goes’ website that allows users to post images and comments without registering. They can use names (any names) or they can post without identifying themselves, in which case the posting is labelled ‘Anonymous’.

The site became a rallying point for a series of (mostly juvenile) pranks and campaigns. Before the Wikileaks-related activities, Anonymous was best known for Operation Payback in which it attacked the Recording Industry

Wikileaks campaign

The campaign in support of Wikileaks came as something of a surprise to many. Anonymous wasn't known for engaging in sophisticated debates about freedom of information or transparency of government. The campaign was presented as ‘Operation Avenge Assange’ (in reference to Wikileaks leader Julian Assange), but most people continued to refer to it as Operation Payback. Via its websites, Anonymous issued the statement (though with rather more spelling mistakes):

. Anonymous indulged in some

DDoS tool

The tool of choice for Anons is the Low Orbit Ion Cannon (LOIC). This was originally developed by ‘Praetox Technologies’ (a suitably anonymous coder), allegedly as a network stress-testing tool.[4] The source code for LOIC is still available on the now-unmaintained Praetox website, but the version used by Anonymous has been updated and retrofitted with a crude command and control capability.

LOIC comes in two main forms – a Windows executable that Anons download and run from their own machines;

Cannon fodder

Given that the DDoS attacks mounted by Anonymous are unambiguously illegal in most countries (and all of the countries in which Anons are likely to have been operating), it's interesting to note that one thing the LOIC tool makes no attempt to do is conceal the identity of the attacker. The IP address of each attacker will be readily available in the victim's system logs, and it's a safe bet that at least some of the larger firms involved in the recent campaign will now be sitting on databases

Organisational channels

IRC was key to Operation Payback. Channels such as #loic and #target were used to direct LOIC clients to their victims. The #operationpayback channel was buzzing with frequently over-excited debate about who to attack and the effects of the campaign. Sometimes the chatter was so rapid that it was hard to read anything before it scrolled off the page. Twitter was also a key communications channel, mainly for directing Anons to IRC domains. This was desperately needed because Anonymous wasn't the

Damage assessment

While there were many claims – in the press and in IRC channels – that targets had been brought to a grinding halt, the effects of the Anonymous DDoS attacks were patchy to say the least. Frequently, there would be claims made on IRC that the target of the moment was ‘down’. In fact, it's highly likely that the Anon reporting victory was actually having his or her IP address blocked by the victim. A standard defence against DDoS is to identify IPs responsible for the attack (usually readily
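The defence the paragraph above alludes to, identifying the source IPs behind a flood so they can be rate-limited or blocked, is easy to prototype from ordinary web-server logs. The following is an added example written for this page, not code from the article or from any product it mentions. It assumes combined-format access-log lines (the format used by Apache and nginx by default), a constructed sample containing one flooding client and one ordinary visitor, and illustrative window and threshold values that a real deployment would tune to its own traffic.

```python
"""Flag high-rate HTTP sources in access-log lines (added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def peak_rates(lines, window=timedelta(seconds=10)):
    """Peak number of requests each source IP made inside any sliding window.

    Assumes lines arrive in time order, as they do in a single server's log.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window population seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip blank or malformed lines rather than crash
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that have aged out of the window
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_sources(lines, threshold=30, window=timedelta(seconds=10)):
    """Sorted list of IPs whose peak rate reached the threshold (candidates for blocking)."""
    return sorted(ip for ip, n in peak_rates(lines, window).items() if n >= threshold)


# ---- constructed sample data (addresses from the RFC 5737 documentation ranges) ----
def make_line(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def build_sample():
    base = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    # A flooding client: 60 identical requests in six seconds (ten per second).
    for i in range(60):
        lines.append(make_line("203.0.113.7", base + timedelta(milliseconds=100 * i)))
    # An ordinary visitor: five different pages spread over a minute.
    for i, path in enumerate(["/", "/news", "/about", "/contact", "/news/1"]):
        lines.append(make_line("198.51.100.23", base + timedelta(seconds=12 * i), path))
    lines.sort(key=lambda l: parse_line(l)[1])   # interleave as a real log would be
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for ip, n in sorted(peak_rates(sample).items()):
        print(f"{ip:<16} peak {n:>3} requests / 10 s")
    print("flagged:", flag_sources(sample))
```

Run stand-alone it reports the flooding address at a peak of 60 requests per ten seconds and the ordinary visitor at 1, and flags only the former. The sliding window is what keeps the visitor out of the list: a simple per-minute count would also have caught them had the threshold been set low. Any address that is flagged is exactly the kind of entry the article says victims were accumulating in their logs, which is why a tool that does nothing to hide the client's address leaves its users so exposed.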

Critical mass

The Anonymous attacks illustrated a fact of life known by any student of DDoS attacks – that it's all about numbers. Cybercrime gangs using DDoS as a blackmail tool, or state-sponsored hackers using it as a weapon of war, will deploy botnets comprising tens of thousands of machines focused on a single target. Even at the peak of the Anonymous attacks, the number of participants was in the low thousands, and most of the time there were only hundreds of LOIC clients firing at the same time at the

Continuing attacks

Although the first two weeks of December saw the main frenzy of activity, Anonymous hasn't stopped attacking sites in its support for Wikileaks. There were more attacks against MasterCard and other payment-processing firms. But when it became clear that the DDoS attacks simply weren't working, Anonymous switched briefly to a somewhat bizarre strategy of attempting to overload the fax machines of a number of organisations. When attacking a little-used technology from a previous era brought only

The future

Several pundits have speculated that we can expect to see more of this kind of hacktivism. And while Anonymous was, this time around, little more than an irritation, with more focused leadership and improved co-ordination it could be a far more dangerous threat. That would make it a more viable target for legal action – by the authorities and victims. And if Anons were more frequently arrested and jailed, it would be interesting to see how much support Anonymous could muster: the experience of

Resources

PandaLabs maintained a blow-by-blow account of the Anonymous campaign, which makes for entertaining reading: <http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/>.

About the author

Steve Mansfield-Devine is the editor of Network Security and its sister publication Computer Fraud & Security. He is also a freelance author and journalist specialising in technology and security.

References (11)

  • ‘Project Chanology’. Wikipedia. Accessed Jan 2011
  • Prolexic Technologies
  • J. Leyden. ‘Second man jailed over Scientology DDoS attacks’. The Register, 25 May 2010. Accessed Jan 2011
  • ‘Wall of sauce’. Source code for original LOIC tool. Praetox Technologies. Accessed Jan 2011
  • A. Pras et al. ‘Attacks by “Anonymous” Wikileaks proponents not anonymous’. University of Twente, 10 Dec 2010. CTIT Technical Report 10.41

Cited by (29)

  • Are mobile botnets a possible threat? The case of SlowBot Net. 2016, Computers and Security.
    Citation excerpt: In this section we present a performance study on the proposed botnet infrastructure. Our tests are focused on comparing the proposed SlowBot Net with the LOIC botnet infrastructure introduced above (Mansfield-Devine, 2011). Although the comparison with a single botnet may be considered as a limit, to the best of our knowledge, LOIC based botnets represent the most adopted infrastructure of the last years.

  • Network attacks: Taxonomy, tools and systems. 2014, Journal of Network and Computer Applications.
    Citation excerpt: A large number of network security tools have been designed to launch, capture, visualize, and detect different types of attacks with multiple objectives. Example tools include LOIC (Pras et al., 2010), HOIC (Mansfield-Devine, 2011), Wireshark (Orebaugh et al., 2006), Gulp (Satten, 2007), Ntop (Deri et al., 2001), etc. These tools can be used for capture of live network traffic, preprocessing, feature extraction, vulnerability analysis, traffic visualization and actual detection of attacks.

  • Hacktivism: Assessing the damage. 2011, Network Security.
    Citation excerpt: But this isn't to doubt the authenticity of their motivations or feelings. These were particularly evident during the pro-Wikileaks campaigns which, famously, brought minor grief to the likes of Mastercard and PayPal.[1] Anonymous says it is leaderless, a claim that is both partially true and disingenuous.

  • Counterintelligence in a cyber world. 2023, Counterintelligence in a Cyber World.
