Anonymous has never had the firepower to take down those three sites simultaneously using LOIC, so I'd be interested to see what the mechanism is. I suspect it's one or more of the Sabu-types firing their botnets. If this is the case, to what extent can this action be attributed to Anonymous? I'm sure there's likely broad support for it, but if it is just the actions of one or two botherders it makes attribution a bit of a grey area.
Edit: Add mpaa.org to the mix, as well as an attempt on fbi.gov. They'd have to have several gigs worth of bandwidth available to be able to hold all 4 sites down simultaneously. With average upload speeds in the hundreds of kilobits, that's a reasonably large botnet (50k-100k, as a pulled-from-ass guesstimate).
I'm highly doubtful that that's all that's happening. I simply can't see a 5600-strong botnet (voluntary or not) holding down 4 independent domains simultaneously.
On a separate note, I would have thought they had learned their lesson re: LOIC after OP:Payback. I guess we'll be seeing another string of arrests in the coming months.
This! Apache is the first casualty when attacked by DOS. Default is way lower than 256 I think... You can change that parameter but it kills the optimization.
If you routed all your traffic through the VPN, LOIC would follow. That said, I know of no vpn that would allow it.
Basically, LOIC is a ticket to jail. The fact that it was used for so long without repercussions is that the Feds didn't care enough to do anything. That all changed with OP:Payback.
Intentionally disabling someone else's computer system (even just their website) is a crime. And LOIC has no anonymity measures, so your IP shows up on every single packet that arrives at the target computer. If you participate in an attack, it will be very easy to find and prosecute you.
In Europe this analogy has also been used by politicians (ones that are actually sitting in parliaments and not accused of crimes).
I'd also consider it a form of peaceful protest. Well, actually it's just data, nobody gets physically harmed so it's always peaceful. Anyways, you are not stealing data and you are not permanently harming the system. You basically do something the site is made for (serving requests). If you consider that a crime you could also consider telling a huge number of people to phone a company and complain about something a crime. I mean this certainly leads to a denial of service, because it makes it virtually impossible for others to use that service.
I for myself am a bit lazy for these kinds of protests. I actually prefer informing people so they draw their own conclusion, but I would never call something like that a crime. IMO it should be treated like a freedom. I know this can cause financial damage, but it's still not harming people. I mean every news article, every kind of information and just saying something like "Nike is child slavery" or "fast food from McDonalds is unhealthy" can make people not buy stuff there and therefore cause financial damage. In the first place it's about an institution and we shouldn't consider an institution something that has human rights, because it devalues natural people.
The way I look at it is like having 100 of your friends all go to McDonalds and line up. One at a time you order a glass of water, and then go to the back of the line. Honest customers will enter and get in line. If they wait/keep trying for long enough they'll be able to fulfill a request but most will get fed up and quit trying.
Exactly. Who benefits the most from this attack? Anonymous or SOPA/PIPA supporters who get to say "look what happened, we need stronger laws on the internet"?
You don't necessarily need a lot of bandwidth to take a site down. Slowloris, hash collisions (http://isc.sans.edu/diary.html?storyid=12286), or simply a lot of HTTP requests to pages that consume a lot of CPU time are generally sufficient to take a site offline temporarily.
Which hash functions built into the web server would they attack?
I can't think of a specific time in a normal HTTP request that would use a user-supplied hash.
I would assume only a minority of pages on the average site would eat CPU so surely the sensible defense to this would be to impose a maximum CPU usage on these parts so the rest of the website continues to work.
Good point, so the idea would be to supply something like:
page.php?x=1&y=1...
where the x and y keys are going to have the same hash value, so that when it uses those vars in a page it will hit the same hash bucket and become O(n) not O(1)?
Of course you would want to send a lot of different vars in.
Yup, though I'd probably pass those in using a POST request. A 5,000,000 character long log entry sticks out a bit, and most people aren't logging POST params by default.
Interesting. I wonder if the js version behaves identically to the .net one. If so, it could offer plausible deniability to any LOICers out there. I'm not condoning the practice, but it is a creative solution to having your primary tool be rendered toxic by the op payback arrests.
setInterval(function(){
var i = new Image();
i.src = target + randId + msg;
... // event handling
}, 0)
So you end up requesting a URL every 0 ms. The randId is just a simple `Date.now`; the message is an actual message taken from an input in the HTML. Source code: http://hastebin.com/gasitinafo.js
That's pretty nasty.
Surely defense against this kind of thing should be built into browsers although you would need to detect an unending loop causing HTTP requests so run into the halting problem I guess.
If they are tricking people into performing what is potentially a criminal act then they lose the limited amount of respect I did have for them.
Given that both organizations are not too tech-savvy, I wouldn't be surprised if the sites in question were running an unpatched version of Apache and were susceptible to this:
riaa.org, mpaa.org, and universalmusic.com I could see being unpatched, but I would have thought justice.gov would have to be patched for compliance reasons.
That's a logical point. But compliance with what? All I can find after a quick google search is National Institute of Technology GUIDELINES, and the only laws mentioned seem to deal with user privacy.
In fact, the only compliance regulations I know of with government sites have to do with accessibility.
[EDIT] Wait, I might be wrong. The DoD guide seems to cite quite a few regs, some of which may apply to the Justice department. Too bad I can't check their site :P
> but I would have thought justice.gov would have to be patched for compliance reasons.
I don't think that's true. I'd imagine the server behind justice.gov has no connectivity to anything important for compliance reasons, so patching it isn't really a big deal.
I'd be surprised. If I had the funds these organizations do and I knew I would likely be a target for this kind of thing, I'd at least hire a security consultant to check these things over for me.
I was under the impression that Anonymous was just kind of a brand that anyone who wanted to could assign credit to for their activities (since they have the publicity infrastructure in place)