Legal heat intensifies for (not so) Anonymous WikiLeaks supporters

When Operation Payback adopted WikiLeaks as its own cause last week and began launching DDoS attacks against any organization that had cut off its support to the “new media non-profit organization” or its spokesperson, Julian Assange, support began to grow quickly. Tens of thousands of people per day were, and still are, joining the ranks of Anonymous “hacktivism” by downloading and using the group’s recommended Low Orbit Ion Cannon (LOIC) software. At the same time, however, authorities began apprehending their first suspects in connection with Operation Payback’s activities, and reports are now surfacing about legal investigations into Anonymous developing in several countries worldwide.

Even before Operation Payback drew worldwide attention for defending WikiLeaks, the FBI had already launched an investigation into DDoS attacks that had been carried out against antipiracy advocates, including the US Copyright Office, since September. Now, the UK’s Metropolitan Police Service, the Dutch Attorney General’s office and Scotland Yard have all announced their own investigations and more are sure to follow.

Unfortunately for many of these new “hacktivists”, authorities aren’t going to have many problems tracing the DDoS attacks back to their sources, according to a paper just released by researchers at the University of Twente in the Netherlands, who studied the LOIC tool used in the attacks.

"The tool … does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks. Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers," the researchers wrote. "Moreover, Web servers normally keep logs of all served requests, so that target hosts also have information about the attackers."

And that’s not all:

"We also found that these tools do not employ sophisticated techniques, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems," the study says. "The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address at the back of the envelope."

HD Moore, a vulnerability management and penetration testing expert for Rapid7, came to the same conclusions during his own testing of the tool.

"Anyone whose IP address shows up in multiple targets' logs is going to have a lot of trouble avoiding charges, or at least pressure to expose other folks," Moore told eWeek.com.
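The log correlation that the researchers and Moore describe can be sketched as follows. This is an added example, not code from the article, the Twente paper or Rapid7; it assumes Common Log Format access logs, and the host names, addresses, timestamps and threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Leading fields of a Common Log Format line: client IP and [timestamp].
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def flood_sources(lines, threshold):
    """Return {ip: peak requests in one second} for IPs at or above threshold."""
    per_second = Counter()
    for line in lines:
        m = CLF.match(line)
        if m:  # malformed lines are skipped
            per_second[(m.group(1), m.group(2))] += 1  # CLF timestamps have 1 s resolution
    peaks = defaultdict(int)
    for (ip, _ts), count in per_second.items():
        peaks[ip] = max(peaks[ip], count)
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def seen_at_multiple_targets(logs_by_target, threshold):
    """Return {ip: [targets]} for flood sources flagged in two or more targets' logs."""
    hits = defaultdict(set)
    for target, lines in logs_by_target.items():
        for ip in flood_sources(lines, threshold):
            hits[ip].add(target)
    return {ip: sorted(t) for ip, t in hits.items() if len(t) >= 2}

def _line(ip, second):
    # Constructed sample entry; addresses come from the documentation ranges.
    return f'{ip} - - [09/Dec/2010:14:00:{second:02d} +0000] "GET / HTTP/1.1" 200 512'

# Constructed logs for two hypothetical targets.
SAMPLE_LOGS = {
    "site-a.example": [_line("198.51.100.7", 1)] * 5
                      + [_line("203.0.113.9", 1)] * 4
                      + [_line("192.0.2.44", 2)],
    "site-b.example": [_line("198.51.100.7", 7)] * 6
                      + [_line("192.0.2.44", 8), _line("192.0.2.44", 9)],
}

if __name__ == "__main__":
    for ip, targets in seen_at_multiple_targets(SAMPLE_LOGS, threshold=4).items():
        print(ip, "flooded", ", ".join(targets))
```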

Some Anonymous members have also made other simple mistakes which have led authorities their way. Alex Tapanaris, a designer of some of the PDF press releases released by Anonymous, was detained this week after his name was found in the metadata contained within the files.

We’ll undoubtedly find out over the next several months just how seriously authorities are going to take the task of hunting down DDoS attack participants. Until then, if you plan on taking part in any acts of rogue “hacktivism”, do so at your own risk.
