Researchers: ‘Operation Payback’ Attack Tool Leaves Participants Traceable

A study has found that the DDoS tool used in the WikiLeaks payback attacks leaves users’ IP addresses exposed

Those participating in denial-of-service attacks in support of WikiLeaks may not be as anonymous as they think.

According to an analysis (PDF) of the Low Orbit Ion Cannon (LOIC) tool by researchers from the University of Twente in the Netherlands, the tool does not protect the Internet Protocol (IP) address of its users. The revelation could be bad news for those participating in the opt-in botnet believed to have taken down a number of high-profile websites in an effort dubbed ‘Operation Payback’.

‘Hive Mind’

LOIC was first developed as a network load-testing tool. The program, the researchers note, performs a denial-of-service attack by sending a sequence of TCP (Transmission Control Protocol), UDP (User Datagram Protocol) or HTTP (Hyper-Text Transfer Protocol) requests to a target site. The original version allows the user to select a target host, their method of attack and other parameters to customise the requests to be sent.

The version being used in Operation Payback includes an additional ‘Hive Mind’ mode that enables it to be remotely controlled via the Internet Chat Relay (IRC) protocol, thereby making the user part of a botnet. A third, web-based version of LOIC was released last week and runs in any browser that supports JavaScript.

“The tool…does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks,” the researchers wrote. “Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers. Moreover, web servers normally keep logs of all served requests, so that target hosts also have information about the attackers.

Operation Payback is the work of Anonymous, and can claim sites belonging to MasterCard, PayPal and PostFinance among its victims. There hasn’t been much in the way of law enforcement actions against the attackers, but Dutch authorities did arrest a 16-year-old in connection with the attacks on 8 December.

Covering tracks

The researchers note that the attackers can cover their tracks through anonymisation networks such as Tor. Those not using such services will have their real Internet address included in every Internet message being transmitted, the researchers wrote.

“We also found that these tools do not employ sophisticated techniques, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems,” according to the paper. “The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address at the back of the envelop.”

HD Moore, chief security officer at Rapid7, said he came to the same conclusion in his own testing of LOIC.

“Anyone whose IP address shows up in multiple targets’ logs is going to have a lot of trouble avoiding charges, or at least pressure to expose other folks,” he said.

Gunter Ollmann, vice president of research at Damballa, told eWEEK in an interview on 9 December that LOIC is just one of “hundred and hundreds of tools and almost all are freely downloadable”.

“Simple Google searches will reveal their location(s),” he said. “In addition, social networking groups focused upon a particular protest will often include links and command and control configuration details – so, in that sense, if you’re interested in joining a particular protest, access to the optimal tools is trivial. Some DDoS agents are available in commercial versions – and are usually purchased by professional on-demand DDoS service providers.”