One of the reasons hacktivism has gained greater visibility recently is that it’s now very easy to obtain and use attack tools, especially those that perform denial-of-service (DoS) attacks. The goal of hacktivists is usually to protest or promote a particular political issue, but these days anyone can become a target of theses types of attacks, even if it’s “just for the lulz”. I recently had the opportunity to witness a hacktivist DDoS attack (announced by Anonymous in advance) and here, I’ll share the tools they used and some tips on how to defend against these types of incidents.

The attack tools

A denial of service attack is basically an attempt to negate access to a resource (usually a web server) to its users. A distributed denial of service attack involves multiple machines performing the attack in concert. There are many tools that can be used to launch DoS attacks, but let’s just take a look of the most popular right now:

  • The Low Orbit Ion Cannon (LOIC) is perhaps the most well-known tool used by Anonymous and other hacktivists for performing DDoS attacks. The LOIC might have legitimate uses as a stress-testing tool but it became more widely used as a DoS tool. It’s popularity led to the creation of a JavaScript version, enabling attacks from a web browser and allowing attackers to easily get their followers (or unwary visitors) to join the attack.
  • HPing is a command line utility similar to the ping command, but has many more advanced capabilities. It can be used to create huge amounts of TCP traffic and perhaps the most important characteristic for attackers is the ability to mask the source of an attack via spoofing.
  • Slowloris on the other hand, performs DoS attacks by making slow, partial HTTP requests, keeping IP sockets open on the server and eventually consuming all of its available network ports. This tool requires Perl and runs better on Linux, so it might not be a tool for regular users.

On their own, each of these tools can be an effective way of taking down web servers. An attack using a combination of these tools however, has the potential of being very powerful and difficult to stop.

As many would-be attackers have learned, a tool like the LOIC does nothing to protect the identity of the source of the attack. Anonymous promotes the use of VPN services as a way to cover the true source of the attacks. This might no longer be the best way to cover their tracks; the arrest of an alleged LulzSec member shows that VPN service providers (like the one he used, can and will turn over log data to the authorities.

The countermeasures

Organizations have to be ready to face possible DoS attacks. Here are some basic strategies that can be used to defend against an attack:

  • Configure your routers and firewalls to stop invalid IP addresses and filter out protocols that are not needed. Some firewalls and routers include features to prevent TCP/UDP floods. Also, make sure that logging is enabled in all your devices and that you can reliably examine them to identify attacks and if needed, turn them over to law enforcement authorities.
  • An intrusion-detection/prevention system (IDS/IPS) can detect the misuse of valid protocols as attack vectors. Depending on the products and your network configuration, it’s possible to automatically block the attack traffic.
  • Get help from your provider. This way, attack traffic can be blocked closer to its source before it can clog your organization’s bandwidth.
  • You should have an incident response plan in place and be ready to activate it. If an attack comes, everyone should know how to respond and who to contact both inside and outside the organization (law enforcement for instance).
  • Ensure that you have means of communicating with your users and/or customers. Be as honest and forthcoming as you can about the incident.

You must also be aware of some issues that can derail your defense strategies:

  • Make sure you’ve taken the time to properly tune your IDS/IPS and that its detection signatures are up to date. If you can’t trust its detections (either because you get too many false positives or false negatives) you will not be able to rely on it to help you block an attack.
  • You need to be clear on your provider’s terms of service and support levels. If an attack occurs outside regular business hours, it’s possible that your support will be a voice-mail inbox or a ticketing system with a 24-hour waiting period. Ideally, you should have access to emergency support personnel that have the expertise and/or authority to help you.
  • Timely and open communications are extremely important. For instance, in larger organizations it’s possible that authority over different components such as routers and firewalls lie within different groups, and the last thing an organization needs when dealing with an attack is to delay its responses because of internal “walls”.
  • Communication with other units in the organization (HR, Legal, etc.) must not be underestimated. It’s not unusual for the media to contact someone from the affected organization and having your CEO caught unaware or clueless could potentially damage your organization’s image even more than the incident itself.

The fallout

The events that triggered the “protest” that I observed were already heavily covered by the media, so for this group of “Anonymous” hacktivists, the obvious result of the attack was publicity for themselves. After a few hours, they were apparently successful in knocking down one target site and slowing access to two or three other sites.

Only time will tell if this attack might have other, more serious consequences for those involved.