A new study finds that a tool used to carry out distributed denial of service (DDoS) attacks on behalf of whistleblower Web site WikiLeaks may, itself, leak the identity of those running the software.
Researchers from the University of Twente, Netherlands, looked at the Low Orbit Ion Cannon (LOIC), a DDoS tool being used by the umbrella group Anonymous, and found that the tool does nothing to shield the Internet Protocol (IP) address of computers running it, according to a published research paper. Because every connection and request LOIC generates carries the participant's real source address, authorities could round up DDoS participants merely by analyzing the source of the junk traffic their computers sent to target Web sites, including those of PayPal, MasterCard and Visa.
LOIC was initially developed as a stress-testing application. The program works by sending a stream of Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Hypertext Transfer Protocol (HTTP) requests to a target host. The tool lets the user select a target, one of the attack methods listed above, and details of the request such as the destination port and the payload or URL to hammer. Most anti-malware firms categorize LOIC as a hacking tool and will warn of its presence on systems they protect.
Anonymous, a loose affiliation of hackers and online libertarian activists, has engaged in a spirited online defense of WikiLeaks since payment vendors and others began taking steps to isolate the organization. Denial of service attacks were Anonymous's weapon of choice, with LOIC providing a way for non-technical users to take part in the attacks.
Anonymous uses a modified version of the tool with two modes of operation. The tool can be controlled manually, where the target and method of attack are chosen by the user and the attack is launched from their personal computer. It can also run automatically, where the user runs the program on their own computer but lets third parties choose the target and timing, so that the user's bandwidth is used to launch DDoS attacks on someone else's command. In essence, the automatic option lets users voluntarily join a botnet, and the traffic still leaves from their own address.
Savvy Internet users might try to avoid detection by routing LOIC through an anonymization service that conceals their IP address, such as Tor, though that helps less than it sounds: Tor relays only TCP streams, so LOIC's UDP mode cannot use it at all, and pushing a flood through Tor's volunteer relays mostly burdens Tor itself. In any case, the researchers found that LOIC has no built-in mechanism for obscuring a user's IP address. That means users who decided to weigh in on behalf of Anonymous were doing so without enjoying anonymity themselves, and that could make them targets of prosecution now or in the future.
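The attribution the researchers describe needs nothing more than the target's own Web server logs, because each LOIC HTTP request arrives with the participant's real address in the source field. The following Python script is an added example, not part of the study or of LOIC: it parses Apache/nginx "combined" access-log lines, counts how many requests each client sends in any sliding window, and flags sources whose peak rate no human browsing session could produce. The log lines, the addresses (all from the RFC 5737 documentation ranges) and the window and threshold values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request_line) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Map each source IP whose peak request count in any `window` reaches
    `threshold` to that peak count.  Lines may arrive in any order."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            # slide the left edge until every entry in [lo, hi] lies within `window`
            while t - times[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def make_lines(ip, start, count, gap, path="/"):
    """Constructed sample data: `count` GET requests from `ip`, `gap` apart."""
    return [
        f'{ip} - - [{(start + i * gap).strftime(TS_FMT)}] '
        f'"GET {path} HTTP/1.0" 200 512 "-" "-"'
        for i in range(count)
    ]


# Constructed sample: two LOIC-style floods and one ordinary visitor, all
# starting at the same instant (a timestamp chosen for the example only).
START = datetime(2010, 12, 9, 14, 3, 1, tzinfo=timezone(timedelta(hours=1)))
SAMPLE_LINES = (
    make_lines("203.0.113.7", START, 200, timedelta(milliseconds=50))   # 20 req/s
    + make_lines("198.51.100.23", START, 120, timedelta(milliseconds=100))  # 10 req/s
    + make_lines("192.0.2.44", START, 8, timedelta(seconds=2), "/news")   # browsing
    + ["not a log line at all"]                                            # ignored
)


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(SAMPLE_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16s} peak {peak} requests in a 10 s window")
```

The sliding window matters more than a raw total: a popular page sees many requests per address over a day, but only a flood tool produces dozens of identical requests per second from one source for minutes on end. Against the sample, the two flooding addresses are reported with peaks of 200 and 100 while the ordinary visitor is not, and the same list of addresses is exactly what an investigator would hand to ISPs under the data retention rules discussed next.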
Data retention laws in the European Union and elsewhere require commercial Internet providers to keep records of which customer held which IP address for at least six months. So even for those who are no longer actively participating in an attack, there is still a record linking their address at the time to their account. To date, there has been only one arrest directly linked to the DDoS attacks in defense of WikiLeaks. On December 9, Dutch officials arrested a 16-year-old boy in The Hague and charged him with taking part in the attacks. It is not known whether the boy, who confessed to participating in the DDoS attack organized by Anonymous, was using the LOIC program.