Anonymous rules out SOPA & PIPA
The newly proposed legislative acts SOPA (Stop Online Piracy Act) and PIPA (Protect Intellectual Property Act) are highly controversial and threaten to damage the freedom of the Internet. The US Department of Justice shut down megaupload.com under the SOPA legislation, alleging copyright infringement. To oppose these acts, many sites, including Wikipedia and GoDaddy, took part in the blackout.
However, the hacktivist group Anonymous carried out a DDoS attack against the US Department of Justice website (www.justice.gov) using a very novel method to display their protest. This time, instead of using their favorite standalone LOIC (Low Orbit Ion Cannon) tool and calling on supporters to launch attacks, they used a web-based LOIC, also known as JS LOIC.
JS LOIC looks exactly like the standalone LOIC tool but needs no setup or installer. This saved users from having to install the tool on their machines before participating in the protest.
They also lured innocent users into unknowingly participating in the protest using SEO poisoning and similar techniques.
Modus Operandi:
- The address of the web server hosting JS LOIC was advertised via social networking sites, micro-blogging sites and text-sharing sites like Pastebin.
- Users who wanted to get involved in the protest against SOPA and PIPA only had to click on the advertised URL.
- It took them to http://pastehtml.com/view/blakyjwbi.html, where JS LOIC was hosted.
- Once the page loaded, the target website address (justice.gov) was auto-populated in the target box and the attack started, sending a large number of HTTP requests containing the message “somos legion!”, which translates to “We are legion!”
- To prevent the browser from crashing, the tool was rate-limited to 1000 packets per second.
It is claimed that more than 5500 users used this JS LOIC tool to support the movement against the legislation.
Detection on the Wire:
The requests generated by the tool carry the URI parameters “?id=<13 digits>&msg=<user-specified message of variable length>”. This pattern can be detected using the simple Snort rule below.
# Matches the id=<13 digits>&msg= pair whether id is the first (?id=) or a later (&id=) query parameter
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Attempted DoS using JS LOIC DoS Tool"; flow:established,to_server; pcre:"/[?&]id=\d{13}&msg=/Uis"; threshold:type threshold, track by_src, count 400, seconds 5; classtype:misc-attack; sid:1000005; rev:1;)
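The same detection, applied offline to web-server access logs rather than on the wire, as an added example that is not part of the original post: the URI pattern is the one the rule keys on, and the per-source counter approximates Snort's `threshold: type threshold, track by_src, count 400, seconds 5` semantics. The log format, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# URI pattern the Snort rule above keys on: id=<13-digit JS timestamp>&msg=<text>
JS_LOIC_URI = re.compile(r"[?&]id=\d{13}&msg=", re.IGNORECASE)

# Constructed log format for this example: <src_ip> <epoch_seconds> "<METHOD> <uri> HTTP/x.y"
LOG_LINE = re.compile(r'^(?P<src>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

class ThresholdTracker:
    """Approximates Snort's 'threshold: type threshold, track by_src, count N, seconds S':
    fire once every N matching events from the same source inside an S-second window."""

    def __init__(self, count=400, seconds=5):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])  # src -> [window_start_ts, hits]

    def hit(self, src, ts):
        start, hits = self.state[src]
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0  # first hit or window expired: open a new window
        hits += 1
        if hits >= self.count:
            self.state[src] = [None, 0]  # fired: the next hit opens a fresh window
            return True
        self.state[src] = [start, hits]
        return False

def detect_js_loic(lines, count=400, seconds=5):
    """Return (src, ts) alerts for sources exceeding the JS LOIC request threshold."""
    tracker, alerts = ThresholdTracker(count, seconds), []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and JS_LOIC_URI.search(m["uri"]) and tracker.hit(m["src"], int(m["ts"])):
            alerts.append((m["src"], int(m["ts"])))
    return alerts

def sample_log():
    """Constructed traffic: 203.0.113.7 floods 1000 JS LOIC requests in 4 s (250 req/s),
    198.51.100.2 is a normal visitor, 192.0.2.9 sends JS LOIC requests at only 1 req/s."""
    lines = [f'203.0.113.7 {1327500000 + i // 250} "GET /?id=132750000{i:04d}&msg=somos%20legion! HTTP/1.1"'
             for i in range(1000)]
    lines.append('198.51.100.2 1327500001 "GET /index.html HTTP/1.1"')
    lines += [f'192.0.2.9 {1327500000 + i} "GET /?id=1327500001234&msg=test HTTP/1.1"' for i in range(10)]
    return lines

if __name__ == "__main__":
    for src, ts in detect_js_loic(sample_log()):
        print(f"ALERT: JS LOIC flood from {src} at epoch {ts}")
```

The slow client never reaches 400 requests within 5 seconds and so stays silent, while the flooding source fires once per 400 matching requests, just as the Snort threshold would.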
A year back, I had written the 2 rules below to detect the latest version of the standalone LOIC tool, v1.0.6.35.
# flow:stateless rather than established: a SYN (flags:S) is by definition not yet part of an established session, so the original flow option would never let this rule fire
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOIC DoS Tool v1.0.6.35 (TCP Mode) - Behavior Rule (tracking/threshold)"; flow:stateless; flags:S; seq:0; window:64240; threshold:type threshold, track by_src, count 400, seconds 2; classtype:misc-attack; sid:1000006; rev:1;)
# Hex content is the literal "GET / HTTP/1.0\r\n\r\n\r\n" that LOIC's HTTP mode sends
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOIC DoS Tool v1.0.6.35 (HTTP Mode)"; flow:established,to_server; content:"|47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a 0d 0a 0d 0a|"; threshold:type threshold, track by_src, count 400, seconds 2; classtype:misc-attack; sid:1000005; rev:1;)
Conclusion:
Both newly proposed pieces of legislation are facing a lot of controversy and opposition; some are protesting by blackout, others by DDoS. Which way are you going?


January 25th, 2012 at 11:38 pm
I guess I already did it my way… lol