Feature
Anonymous: serious threat or mere annoyance?
Section snippets
Who are Anonymous?
Anonymous originates from the 4chan.org message board, an ‘anything goes’ website that allows users to post images and comments without registering. They can use names (any names) or they can post without identifying themselves, in which case the posting is labelled ‘Anonymous’.
The site became a rallying point for a series of (mostly juvenile) pranks and campaigns. Before the Wikileaks-related activities, Anonymous was best known for Operation Payback in which it attacked the Recording Industry
Wikileaks campaign
The campaign in support of Wikileaks came as something of a surprise to many. Anonymous wasn't known for engaging in sophisticated debates about freedom of information or transparency of government. The campaign was presented as ‘Operation Avenge Assange’ (in reference to Wikileaks leader Julian Assange), but most people continued to refer to it as Operation Payback. Via its websites, Anonymous issued the statement (though with rather more spelling mistakes):
DDoS tool
The tool of choice for Anons is the Low Orbit Ion Cannon (LOIC). This was originally developed by ‘Praetox Technologies’ (a suitably anonymous coder), allegedly as a network stress-testing tool.[4] The source code for LOIC is still available on the now-unmaintained Praetox website, but the version used by Anonymous has been updated and retrofitted with a crude command and control capability.
LOIC comes in two main forms – a Windows executable that Anons download and run from their own machines;
Cannon fodder
Given that the DDoS attacks mounted by Anonymous are unambiguously illegal in most countries (and all of the countries in which Anons are likely to have been operating), it's interesting to note that one thing the LOIC tool makes no attempt to do is conceal the identity of the attacker. The IP address of each attacker will be readily available in the victim's system logs, and it's a safe bet that at least some of the larger firms involved in the recent campaign will now be sitting on databases
Organisational channels
IRC was key to Operation Payback. Channels such as #loic and #target were used to direct LOIC clients to their victims. The #operationpayback channel was buzzing with frequently over-excited debate about who to attack and the effects of the campaign. Sometimes the chatter was so rapid that it was hard to read anything before it scrolled off the page. Twitter was also a key communications channel, mainly for directing Anons to IRC domains. This was desperately needed because Anonymous wasn't the
Damage assessment
While there were many claims – in the press and in IRC channels – that targets had been brought to a grinding halt, the effects of the Anonymous DDoS attacks were patchy to say the least. Frequently, there would be claims made on IRC that the target of the moment was ‘down’. In fact, it's highly likely that the Anon reporting victory was actually having his or her IP address blocked by the victim. A standard defence against DDoS is to identify IPs responsible for the attack (usually readily
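The defence mentioned above, identifying the source IPs responsible for a flood from the victim's own logs, can be sketched as follows. This is an added example, not code from the article; it assumes web access logs in Common Log Format in time order, and the function names, window, threshold and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Client address and timestamp fields of a Common Log Format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp), or None for a line that cannot be parsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), TS_FMT)
    except ValueError:
        return None

def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Map each IP whose peak request count in any window reaches threshold."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)       # per-IP highest count seen in one window
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue              # skip malformed lines instead of aborting
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log: one flooding client, one ordinary visitor, one bad line."""
    base = datetime(2011, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [(base + timedelta(milliseconds=100 * i), "203.0.113.7")
            for i in range(50)]                      # 10 requests/s for 5 s
    rows += [(base + timedelta(minutes=i), "198.51.100.23")
             for i in range(5)]                      # one request a minute
    rows.sort()
    fmt = '{} - - [{}] "GET / HTTP/1.1" 200 512'
    return [fmt.format(ip, t.strftime(TS_FMT)) for t, ip in rows] + ["garbled line"]

if __name__ == "__main__":
    for ip, count in flood_sources(sample_log()).items():
        print(f"{ip}: {count} requests in one window, candidate for blocking")
```

The addresses returned are candidates for a block rule at the firewall or load balancer; sources behind shared NAT or a proxy will appear as a single address, so the threshold needs tuning against normal traffic.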
Critical mass
The Anonymous attacks illustrated a fact of life known by any student of DDoS attacks – that it's all about numbers. Cybercrime gangs using DDoS as a blackmail tool, or state-sponsored hackers using it as a weapon of war, will deploy botnets comprising tens of thousands of machines focused on a single target. Even at the peak of the Anonymous attacks, the number of participants was in the low thousands, and most of the time there were only hundreds of LOIC clients firing at the same time at the
Continuing attacks
Although the first two weeks of December saw the main frenzy of activity, Anonymous hasn't stopped attacking sites in its support for Wikileaks. There were more attacks against MasterCard and other payment-processing firms. But when it became clear that the DDoS attacks simply weren't working, Anonymous switched briefly to a somewhat bizarre strategy of attempting to overload the fax machines of a number of organisations. When attacking a little-used technology from a previous era brought only
The future
Several pundits have speculated that we can expect to see more of this kind of hacktivism. And while, this time around, Anonymous was little more than an irritation, with more focused leadership and improved co-ordination, it could be a far more dangerous threat. That would make it a more viable target for legal action – by the authorities and victims. And if Anons were more frequently arrested and jailed, it would be interesting to see how much support Anonymous could muster: the experience of
Resources
PandaLabs maintained a blow-by-blow account of the Anonymous campaign, which makes for entertaining reading: <http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/>.
About the author
Steve Mansfield-Devine is the editor of Network Security and its sister publication Computer Fraud & Security. He is also a freelance author and journalist specialising in technology and security.
References (11)
‘Project Chanology’. Wikipedia. Accessed Jan 2011
Prolexic Technologies
‘Second man jailed over Scientology DDoS attacks’. The Register, 25 May 2010. Accessed Jan 2011
‘Wall of sauce’. Source code for original LOIC tool. Praetox Technologies. Accessed Jan 2011
- et al.
‘Attacks by “Anonymous” Wikileaks proponents not anonymous’. University of Twente, 10 Dec 2010. CTIT Technical Report 10.41