Profile of a failed Anonymous attack

Profile of a failed Anonymous attack

Summary: Security firm Imperva says it was able to witness a failed 25-day assault by the group and use its surveillance to map out Anonymous' attack methods.

TOPICS: Security

Data-protection firm Imperva has undertaken an analysis of an Anonymous attack, claiming that it was able to witness a failed 25-day assault by the group and use its surveillance to map out Anonymous' attack methods.

The report (PDF) covers the three phases that it believes Anonymous uses over its 25-day hacking period, as well as the expected structure of the group, the tools that Anonymous members are suspected of using and the techniques used in the attack.

According to Imperva, the first phase of this attack was to begin recruitment and communications. In the attack, Anonymous uploaded a video to YouTube and used Facebook and Twitter to further promote it.

"This is really the essence of all hacktivism campaigns," the report said. "The raison d'être of hacktivism is to attract attention to a cause, so this phase is critical."

Imperva said that Twitter and Facebook were used to bring attention to the cause, and the video was used to rationalize the attack. Promotional material was also used to set the date and convey target details for a future distributed denial-of-service (DDoS) attack. This communication phase lasted about 18 days.

This infographic shows the profile of an Anonymous attack (Credit: Imperva)

The second phase of the operation was a quick reconnaissance and application attack, aimed at surveying the target's state of security and identifying any vulnerabilities ahead of the scheduled attack that might aid in increasing the effectiveness of an attack.

Imperva's analysis of the attackers indicates that Anonymous had knowledge of hacking tools, used anonymity services to hide its members' tracks and kept a low profile to avoid being detected. According to Imperva's report, a small group of attackers of no more than 10 to 15 individuals scanned the target for web-application vulnerabilities, such as cross-site scripting, SQL injection and directory-traversal vulnerabilities, but they were unable to identify any opportunities for a more effective attack.

By examining the victim's firewall logs, Imperva identified that the attackers used at least three off-the-shelf products rather than software specifically created for the attack. These products were Havij, an automated SQL-injection tool; Acunetix Scanner, an automated scanner that was used to look for remote file-inclusion vulnerabilities; and Nikto Scanner, which looks for outdated server software and tests for dangerous scripts.

"Only when failing to find such vulnerabilities, the attackers resorted to searching a resource suitable for DDoS. Such resources involve actions which are time and resource consuming, and might lead to exhaustion of the server resources. Eventually, attackers spotted a specific URL that was later used in the attack itself," the report said.

This URL resulted in the server fetching data from a database, which takes up more resources than a regular web-page request and could potentially be used to deny services. By this stage, over 72,000 hits had been registered on the promotional video released as part of the communications phase.

In the final phase of the operation — the scheduled attack — those participating in the attack visited a website created by Anonymous, which contained JavaScript code intended to loop for as long as the page was open in the user's browser. Within the looping code was a request to the victim's site, pre-crafted to attack the specific URL that Anonymous had identified previously.

Imperva said that since the code was written in JavaScript, any device with a browser could be used to launch the attack. This included mobile devices, of which Imperva saw evidence. Imperva estimated that a regular computer would be capable of achieving 200 requests for information per second.

Although the core team behind the attack was relatively careful in hiding its tracks, Imperva noted that a majority of the actual attackers didn't bother or didn't know how to disguise their identities.

Although these combined efforts was not enough to bring down the victim, Imperva offered advice for anyone who thinks that they might be a target. It recommends monitoring social media, due to the fact that groups like Anonymous often announce their targets before attacking. It also believes that a DDoS attack actually represents the hacker's last resort when they're unable to identify vulnerabilities during the reconnaissance phase.

This story was originally posted on ZDNet Australia.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Seems more like propaganda looking for customers.

  • Revolution

    I understand that some people are viewing these attacks as "terrorism" and such, but in all reality, it's a form of revolution, for the entire planet. The Founding Fathers themselves said in the Declaration "That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, ??? That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness." The rights they mentioned are Life, Liberty, and the pursuit of Happiness. Our own government can't even keep us safe from ourselves, let alone other countries! The most our government seems to do is involve us in international affairs without being needed, and the politicians sit and talk and talk and talk, but never get ANYTHING real done. Okay, so we got Bin Laden, woohoo. But during that manhunt, thousands of lives were being lost, completely unrelated to the terrorist! We think we're right to go save other countries, when we can't even save ourselves! We have been overdue for a revolution, and Anonymous has spearheaded the campaign for it! GET A CLUE UNITED STATES, WE ARE DROWNING OURSELVES!
    • Unreal

      1) If Afghanistan and later Pakistan had turned Bin Laden over to us a lot fewer innocents would have died. He attacked us, killed 3,000 innocent Americans, your brothers and sisters for God's sake! He had to pay for his crimes, period.

      2) Your analogy to the Founding Fathers of the US is flawed. The heart of the Colonists gripe against their government was that they were being taxed without representation. Guess what? You do have a voice! The 2000 election showed us that every vote matters!

      If you want change convince people of your position and have them vote you into office and pass new laws.
    • Wow...

      Ever heard of paragraphs?
      Hallowed are the Ori
    • Disagree

      I don't think there is a revolution going on here. Nailing down the exact reasons why they are attacking is like nailing jello to a wall. They talk in vague, sweeping generalities that are difficult to prove. There is no focus, just hate. Thus, I believe them to be terrorists, not activists.


      How about they give us a clue as to what exactly they're fighting about sometime? And how about fighting in a way that's effective, rather than a way that gets them branded as terrorists? Yeah, they're the ones that really need to get a clue.