With the current WikiLeaks-driven DDoS attacks I thought I'd have a closer look at the tool being used to conduct the attack.
The tool being distributed to those who wish to partake in the attack (and no, that is not an invitation or endorsement) is an application called javaLOIC, a Java port of Low Orbit Ion Cannon, a tool that can be used to test a site's resilience to DoS attacks. Obviously, if you point it at someone else's site the effect can be quite damaging.
To be honest there isn't really much to the application: a pretty screen with some buttons to press and a flood module that crafts packets for the target to deal with.
So in essence it is a whole bunch of people requesting a resource that is not available on the server. When you get enough people doing this, something has to give; in this case the web sites of the targets. If they have an IPS in place it may be as simple as looking for the above string to help slow the attack and keep the site up.
The Twitter angle in this application piqued my interest: it uses the Twitter API in a new and creative way, certainly one that hadn't readily occurred to me. I guess it is easy enough for Twitter to deal with, but then it likely becomes a game of "whack-a-mole", finding the evil Twitter account being used this time round.
Cheers
Mark H
Mark, ISC Handler, Dec 9th 2010
Re: "The twitter angle in this application peaked my interest" - should be "piqued", not "peaked". Thanks.
Anonymous, Dec 9th 2010
@pedantry - fixed, it is late
Mark, ISC Handler, Dec 9th 2010
"The tool that is being distributed if you wish to partake in the attack is an application called javaLOIC..."
We're not actually advocating that people partake in this illegal attack now, are we? :p
Anonymous, Dec 9th 2010
I believe the C# version of the loic is also being used. Source code is available for this version. Looks like iptables rate limiting when properly configured could be a pretty good defense.
James, Dec 9th 2010
@sharpesecurity - only th3j35t3r is using XerXes and he stated that he will never release this tool - http://th3j35t3r.wordpress.com. He is also against wikileaks so won't be on the same side as anonymous.
James, Dec 9th 2010
could use a Snort sig to watch network traffic to see if anyone on your network is partaking in the DDoS activity
Chavez243, Dec 9th 2010
"if you wish to partake in the attack...". Does this statement meet the ethical standard for a certified security professional? From the GIAC certification candidate handbook: "GIAC certification holders and those attempting to obtain GIAC certification at any level must act in a lawful and ethical fashion for the benefit of the public, the profession and the companies to whom they provide professional services"
Chavez243, Dec 9th 2010
||
Is the hardcoded URL for the Twitter API call known? Is it a range, list, or other set of IPs:ports? Like to know the easiest way of isolating this issue on my network
Chavez243, Dec 9th 2010
I seriously doubt the author's intention here is to suggest or recommend that he or any of us participate.
What I do like about this is that the end user is making a conscious decision to turn his or her computer over to the controller and become an active participant in an illegal activity. It's a voluntary botnet and the volunteer participant is now just as liable as the bot controller. Oh, and "whack"-a-mole I think is the proper spelling there.
Al, Dec 9th 2010
Give Mark a break, he's Australian.
Al, Dec 9th 2010
I used to work with an organization that came under constant attack from anonymous and their LOIC tool. It's very easy to mitigate these DoS attacks as they're not particularly bandwidth intensive. Simply limiting the connections per IP per interval at the firewall was enough to thwart the attack. I believe properly configured Checkpoints are able to detect and drop these attacks altogether. But listening in to their IRC channel is the best way to stay one step ahead of this group. It's not often attackers broadcast their targets and vectors before firing.
All that said, this is much larger and more ambitious. I think the media attention will put pressure on law enforcement to make an example out of someone.
Al, Dec 9th 2010
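The mitigations raised in this thread (per-IP rate limiting at the firewall, as James and the comment above suggest) and the pattern Mark describes in the diary (many clients requesting a resource that does not exist) can both be checked after the fact from an ordinary web server access log. The following script is an added example, not code from the diary or from any commenter, and not part of LOIC: it replays constructed common-log-format lines (RFC 5737 documentation addresses, invented timestamps) through a sliding-window per-source counter and a per-source 404 count. The threshold and window values are arbitrary assumptions for the sample; a real deployment would tune them to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "common log format" line, e.g.
#   203.0.113.7 - - [09/Dec/2010:22:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def _clf(ip, second, path, status, size):
    # Helper that builds one constructed log line for the sample data below.
    return f'{ip} - - [09/Dec/2010:22:10:{second:02d} +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts):
# two ordinary visitors plus one source hammering a resource that does not exist,
# twelve times in six seconds, the pattern the diary describes.
SAMPLE_LOG_LINES = [
    _clf("203.0.113.7", 1, "/index.html", 200, 5120),
    _clf("203.0.113.9", 2, "/index.html", 200, 5120),
    _clf("203.0.113.7", 4, "/about.html", 200, 2048),
] + [_clf("198.51.100.23", 1 + i // 2, "/doesnotexist", 404, 209) for i in range(12)]


def flag_floods(lines, threshold=10, window_seconds=10):
    """Sliding-window rate check: return {ip: peak requests seen within any
    window_seconds window} for every source that reached `threshold`.
    This is the same decision a per-IP, per-interval connection limit at
    the firewall makes, only replayed over the access log."""
    events = []
    for line in lines:
        rec = parse_clf(line)
        if rec:
            events.append((rec["ts"], rec["ip"]))
    events.sort()  # logs are usually in order, but do not rely on it
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def not_found_per_ip(lines):
    """Count 404 responses per source: a flood aimed at a missing resource shows
    up here even when its rate stays under the firewall limit."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["status"] == 404:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("rate-limit hits :", flag_floods(SAMPLE_LOG_LINES))
    print("404s per source :", not_found_per_ip(SAMPLE_LOG_LINES))
```

Run it against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; sources that trip flag_floods are the ones a per-IP connection limit would have throttled, and the 404 count separates a LOIC-style flood at a non-existent path from a legitimate burst of traffic to real pages.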
Nuke it from orbit. It's the only way to be sure.
Al, Dec 9th 2010
Seriously guys, lay off Mark and have some respect. Why does everyone get so judgmental anymore?
Matt Guza, Dec 9th 2010
@ M,
You seem to be forgetting that prominent U.S. politicians were calling for this guy to be assassinated and "hunted down" like a terrorist. Once you start talking about murdering people using aerial death drones, people get a little emotional. This whole thing is a circus and there are a few more acts to follow I'm sure.
Matt Guza, Dec 9th 2010
No, I was referring to the way everyone just has nothing better to do than look for mistakes in Mark's post or pick it apart. Maybe you didn't notice that though. I don't see how being the grammar police or taking things out of context fixes any security issues.
Matt Guza, Dec 9th 2010
It's not a question of respect or Mark's nationality. The question is: does Mark's statement that identifies the tool "if you wish to partake in the attack" violate the GIAC Code of Ethics? He doesn't identify the tool for the benefit of the public, our profession or so you can better protect the companies to whom you provide professional services. His statement says "if you wish to partake in the attack".
Matt Guza, Dec 9th 2010
I took it as Mark's mindset was: for those wrongdoers that partake, here is what they use, how it works, etc.
Matt Guza, Dec 9th 2010