Operation 'Avenge Assange': How anonymous is 'Anonymous'?

A report by the University of Twente, Netherlands, proves that 'Anonymous' attackers who hit Visa, Mastercard and PayPal, are not at all anonymous due to the lack of IP-spoofing capabilities in the software used to carry out the attacks.

A new study by the University of Twente (UT) discovered that those conducting distributed denial-of-service attacks against major organisations, including Mastercard, Visa, and PayPal, though describe themselves as 'Anonymous', they are not in fact anonymous.

The 'Low Orbit Ion Cannon' (LOIC) application used to conduct the distributed denial-of-service attack makes no attempt to block the originating IP address and can unveil the identity of individual attackers, the report says.

Image via Flickr.

One of the attacks originated from a Twitter account, @Anon_Operation which tweeted the link to take out Visa.com. In the short space of time, over 38,000 people accessed the site with the setup utility and instructions, causing the massive attack to cripple the site.

The report summarises its finding by stating that, "It became clear, already with the first analysis, that [LOIC] does not take any precautions to obfuscate the origin of the attack."

Perhaps more worryingly for attackers, the report states quite clearly that the attackers behind the DDoS attacks are vulnerable to detection not only for the duration of the attack, but even longer.

"In this report we present an analysis of the two versions of the tool named LOIC (Low Orbit Ion Cannon, which is used by the hacktivists to perform their attacks. The main conclusion is that the attacks generated by the tool are relatively simple and unveil the identity of the attacker. Therefore, the name of this hacktivists group, "Anonymous", is misleading: the hacktivists' original IP address is shown in clear."

Describing the data that can be retrievedfrom ISP's servers:

"The European directive on "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks" (Directive 2006/24/EC) reports that, taking into account privacy legislation, telecommunication data must be "retained for periods of not less than six months and not more than two years from the date of the communication".

Such data should be made available 'for the purpose of the investigation, detection and prosecution of serious crime'. This means that data are technically available, but only to public forces in case that they need to undertake an investigation."

One of the snippets from the research shows a Wireshark trace of a LOIC operation, and how simple it is to retrace the steps back to the attacker:

4chan and Anonymous are not mutually exclusive, as Christopher Poole ('moot') explained to me last year:

"'Anonymous' imageboard culture started with 4chan. 'Anonymous' the group traces its roots to 4chan, but splintered off after the whole Scientology thing. 4chan's '/b/' board in relation to 'Anonymous' the group; they aren't the same thing. I can’t speak for the 'Anonymous' group."

As Violet Blue describes it:

"It's important to note that Operation Payback and Anonymous are not the same thing, and they are also not the same as 4chan, nor do they act as Wikileaks or Pirate Bay. This confuses mainstream media, who is used to simple, take-me-to-your-leader answers - but distributed and decentralized are not simple concepts."

So how anonymous are 'Anonymous'? Not very, it seems.