'Anonymous' WikiLeaks Proponents Not So Anonymous

Giovane Moura writes "For a number of days the websites of MasterCard, Visa, PayPal and others are attacked by a group of WikiLeaks supporters (hacktivists). Although the group calls itself 'Anonymous,' researchers at the DACS group of the University of Twente (UT), the Netherlands, discovered that these hacktivists are easy traceable (PDF), and therefore anything but anonymous. The LOIC (Low Orbit Ion Cannon) software, which is used by the hacktivists, was analyzed by UT researchers, who concluded that the attacks generated by this tool are relatively simple and unveil the identity of the attacker. If hacktivists use this tool directly from their own machines, instead of via anonymization networks such as Tor, the Internet address of the attacker is included in every Internet message being transmitted. In the tools no sophisticated techniques are used, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems.

Re:Using TOR?

[Anonymous Coward]

That was probably the intention of these so-called "researchers" (right, not CIA shills at all...) when they suggested such an alternative.

Obvious research

[Stellian]

Since the average internet troll can't IP spoof (he is limited to a /32 block) it's fairly obvious he will reveal his location. No need to use the source for that, Luke.
The idea behind a voluntary botnet is that the damage done by each participant does light damage, and is not effectively ddosing, while at the same time the aggregate damage is effective in delivering the desired mob justice. The legal effectiveness of that defense might vary.

Raw sockets and Windows

[Rijnzael]

As I recall, LOIC is for use with Windows machines. If that's the case, the likely reasoning behind not using any identity-concealing techniques is Windows raw socket restrictions [microsoft.com]. They're flooding web servers, and TCP packets can't be sent with raw sockets, so there's not much else to do other than repeatedly open valid connections (from the Windows platform).

Re:Raw sockets and Windows

[Xelios]

Or a reflected SYN attack [plynt.com], which is a little more potent. But the main problem in concealing your identity by forging the source IP is that most ISP's these days perform egress filtering, meaning those forged packets will simply be dropped before they leave your local network. You have to find the range of IP's allowed through your local network and restrict your spoofing to that range, which in the end doesn't conceal your identity very well anyway.

4chan was actually hit by a reflected SYN attack last year, which forced AT&T to black hole its domain [slashdot.org] for several hours. Apparently there are still some ISP's, particularly in Eastern Bloc countries, that don't bother to filter spoofed packets leaving their networks.

Re:Using TOR?

[Opportunist]

Finally an analogy that at least made me laugh. It's not much more accurate than the average car analogy, but at least I liked the picture it gave me.

Re:Don't coin dumb and inaccurate words

[Reziac]

"Activist" hasn't meant anything positive in a long time, ever since the basic philosophy of too many activist groups became "We'll make your lives miserable until you give in and do what WE want you to do." Thanks to groups like ALF/ELF and the money-making/laundering machines behind many others (see http://www.activistcash.com/ [activistcash.com] ), "activist" has almost become synonymous with "domestic terrorist".

It's the same unfortunate regression of meaning that "hacker" suffers from, for the same reasons -- too many black hats among the white hats.