Anonymous and DDoS: I predict a riot

The recent denial-of-service attacks on MasterCard and PayPal may be a mere taste of what is to come, says Rik Ferguson

The online attacks on MasterCard and PayPal attributed to the Anonymous activist group could be a portent of more serious developments. In fact, we could soon see the first global digital riot, says Rik Ferguson.

Is this the new revolution? Are online protests happening on a huge scale, involving tens of thousands of volunteers? I am talking about the actions taken by Anonymous, the loose online collective, and its growing army of hangers-on and coattail-riders.

Something that began on message boards such as the infamous 4chan, for the purposes of attacking the Church of Scientology, has with generous media coverage evolved into a bigger deal. Tens of thousands of volunteers are downloading tools that enable them to participate in the global assault on businesses with which they feel personally aggrieved.

The latest version of this tool includes functionality that lets the user hand off control of their weaponised computer to a central authority, which then directs and controls the attacks.

In addition to the Low Orbit Ion Cannon, or Loic, other variants are being developed and released, including JS-Loic, a JavaScript version; a completely rewritten version called Loic-2, which supports alternative command-and-control methods such as RSS, Twitter and Facebook; and the Hoic and Goic versions that support more sophisticated attack methods, designed for simultaneous attacks on multiple victims and a plug-in architecture.

Clearly cause for concern
With the right tools it doesn't take more than a couple of hundred well-connected hosts to overwhelm most mid-sized web farms. So although the statistics on the real size of these recent attacks are not yet worthy of the "cyberwar" headlines they have attracted, this new trend is clearly cause for concern.

These electronic attacks are no different to attacks on physical infrastructure. The attacks are designed to inconvenience and to disrupt; to cause financial impact to the victim and to anyone relying on that victim's services. In the real world we would call such attacks terrorism, and in the digital world, as in meatspace, terrorist attacks are far easier to launch than they are to defend against.

A DDoS attack, despite being nothing new, is still one of the trickiest attacks to mitigate. The resources of the victim are finite; the resources of the attacker, while not limitless, are exponentially greater, especially with a growing army of volunteer zombies.

What does this issue mean to you, me and that shady concept, internet freedom?...

...Until now, DDoS attacks have been almost exclusively the province of cybercriminals using networks of compromised computers in an attempt to generate cash.

Development in sophistication of attack tools
The game has changed. Right now we are looking at the online equivalent of a student sit-in, but the wide availability and the rapid development in sophistication of attack tools is concerning. The widespread willingness of volunteers means it is possible that we will see the first global digital riot before long.

In many countries, participation in DDoS attacks is explicitly illegal. The current generation of volunteer attack tools does not allow spoofing or hiding of source IP addresses, making the possibility of prosecution all the more real. You can be sure that the next generation of tools will include this functionality, making them even more acceptable to the wider internet at large.
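The two observations above, that DDoS is hard to mitigate because the victim's resources are finite and that the current volunteer tools do not hide source IP addresses, are exactly what a defender's first line of detection leans on. The following is an added example written for this page, not code from the article or from Trend Micro: it parses web-server access-log lines in the common log format, buckets requests into fixed time windows, and flags both individual sources that exceed a per-source rate and windows whose aggregate rate is exceeded by many sources together (the distributed case, where no single participant looks noisy on its own). The log lines are constructed for the example, the thresholds are hypothetical defaults, and `detect_floods` and `build_sample_log` are names chosen here.

```python
"""Rate-based flood detection over web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, epoch_seconds) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def detect_floods(lines, window=10, per_source=50, aggregate=200):
    """Bucket requests into fixed windows of `window` seconds.

    Returns (noisy_sources, flood_windows):
      noisy_sources: {ip: peak requests in any one window} for ips over per_source
      flood_windows: [(window_start_epoch, total_requests, distinct_ips)] for
                     windows whose total exceeds `aggregate`, so a distributed
                     burst is caught even when every source stays under per_source.
    Thresholds are hypothetical defaults; tune them to the site's normal traffic.
    """
    per_window = defaultdict(lambda: defaultdict(int))  # start -> ip -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than abort the whole scan
        ip, epoch = parsed
        per_window[epoch - epoch % window][ip] += 1

    noisy, floods = {}, []
    for start in sorted(per_window):
        counts = per_window[start]
        for ip, n in counts.items():
            if n > per_source and n > noisy.get(ip, 0):
                noisy[ip] = n
        total = sum(counts.values())
        if total > aggregate:
            floods.append((start, total, len(counts)))
    return noisy, floods


def build_sample_log():
    """Constructed access-log lines (not real traffic): two normal visitors spread
    over a minute, plus four unspoofed sources each sending 60 requests inside
    the same 10-second window, and one malformed line."""
    base = ('203.0.113.{} - - [09/Dec/2010:14:00:{:02d} +0000] '
            '"GET / HTTP/1.1" 200 5120')
    lines = [base.format(5, sec) for sec in (1, 15, 30, 45)]
    lines += [base.format(6, sec) for sec in (7, 50)]
    for host in (20, 21, 22, 23):
        lines += [base.format(host, 20 + i % 10) for i in range(60)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    noisy, floods = detect_floods(build_sample_log())
    for ip, peak in sorted(noisy.items()):
        print(f"noisy source {ip}: {peak} requests in one window")
    for start, total, distinct in floods:
        print(f"flood window at {start}: {total} requests from {distinct} sources")
```

Raising `per_source` above what any single participant sends (for instance to 100 on the sample data) leaves `noisy_sources` empty while the aggregate window is still reported, which is the pattern a volunteer crowd produces; per-source blocking alone would miss it, so the aggregate view is what should drive upstream filtering or rate limiting.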

Another point of concern is the possibility of external compromise of this growing volunteer botnet. There's nothing criminals love more than a monoculture. There are already tens of thousands of downloads of the attack tool.

What would happen if criminals were able to exploit a vulnerability in Loic, either to compromise each zombie or to usurp the command-and-control infrastructure to perpetrate more familiar cybercrimes? Would every user still be such a willing zombie?

Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.