by Jan-Keno Janssen, Jürgen Kuri, Jürgen Schmidt

Who is behind the attacks on financial service providers that blocked the accounts and transactions for whistle-blower platform Wikileaks? Called "Operation Payback", the campaign is being conducted by a loosely knit group of people associated with the 4Chan Imageboard and Anonymous, who made a name for themselves with attacks on Scientology servers. "Operation Payback" has admitted being behind the successful DDoS (Distributed Denial of Service) attacks on the web sites of Mastercard, Switzerland's Postfinanz bank, and the Swedish state prosecutor. Most recently, Visa's web site was also attacked.

Since the attacks began, the activists' own web site has also been off-line, with a display merely speaking of heavy DDoS attacks. The activists have also published "ANON OPS: A Manifesto", in which they make it clear that their attacks are not intended to disturb their victims' critical infrastructure. Rather, the attacks focus on corporate web sites in the public eye. "Anarchy for the Lulz" (or, in plain English, anarchy just for fun) is reportedly not the goal of "Operation Payback". This, at least to some extent, contradicts criticism voiced by John Perry Barlow, co-founder of the Electronic Frontier Foundation, author of the legendary "Declaration of Independence for Cyberspace" and WikiLeaks supporter. Barlow had previously tweeted, "Sorry, but I don't support DDoSing Mastercard.com. You can't defend The Right to Know by shutting someone up."

Just after the attack on Visa's Web server, Twitter blocked the group's account, and Facebook shut down the "Operation Payback" site. The activists are currently tweeting as @AnonOpsNet.

You don't have to be an expert hacker to use the LOIC DDoS tool. The activists behind "Operation Payback" use a tool called LOIC ("Low Orbit Ion Cannon") for their DDoS attacks; it was originally developed for Anonymous' protests against Scientology. The program is extremely easy to use and can be employed not only for DDoS attacks on individual web servers but also for jointly coordinated attacks. Users of LOIC enter the address of an "Operation Payback" coordination server and then leave control up to the commanders – a bit like a voluntary bot network. The Windows version of LOIC uses an IRC server as its commander, while the Java version for Linux and Mac can be remotely controlled via a Twitter account.

The DDoS overloads the target server with meaningless requests. By default, the tool opens a TCP connection to port 80 on the target server and sends arbitrary strings over it. In other words, it does not speak HTTP, but merely overloads the server with meaningless requests. Apache reads such data as a request line and rejects it once it exceeds the default limit of 8190 bytes, so you get error messages such as

[Thu Dec 09 13:57:05 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)

in the web server's log files. However, the tool can also create valid HTTP queries and even includes an option for UDP packets. The latter are especially useful for DDoS attacks that take down network infrastructure.
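As an added illustration of how a server operator can spot this traffic pattern in the Apache error log (example code written for this article, not part of LOIC or of any product), the following script parses "URI too long" error lines, groups them by client address and flags clients that produce a burst of them within a sliding time window. The log lines are constructed for the example and modelled on the one quoted above; the window and threshold values are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache 2.2 error_log lines modelled on the entry quoted
# in the article. 10.22.240.70 is the address from that entry; 192.0.2.17 is
# a documentation address made up for this example.
SAMPLE_LOG = """\
[Thu Dec 09 13:57:05 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)
[Thu Dec 09 13:57:05 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)
[Thu Dec 09 13:57:06 2010] [error] [client 192.0.2.17] request failed: URI too long (longer than 8190)
[Thu Dec 09 13:57:06 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)
[Thu Dec 09 13:57:07 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)
[Thu Dec 09 13:57:09 2010] [notice] caught SIGTERM, shutting down
[Thu Dec 09 14:05:00 2010] [error] [client 10.22.240.70] request failed: URI too long (longer than 8190)
"""

# Matches only the "URI too long" error lines; other log levels are ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"request failed: URI too long"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # Apache 2.2 error_log timestamp layout

def parse_uri_too_long(log_text):
    """Yield (timestamp, client_ip) for each 'URI too long' error line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")

def flag_flooders(log_text, window=timedelta(seconds=10), threshold=3):
    """Return {ip: peak_count} for clients that produced at least `threshold`
    'URI too long' errors inside some sliding window of length `window`.
    Window and threshold are assumed values; tune them to the site's baseline."""
    events = defaultdict(list)
    for ts, ip in parse_uri_too_long(log_text):
        events[ip].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_flooders(SAMPLE_LOG))  # {'10.22.240.70': 4}
```

A single "URI too long" entry is routine noise; the signal is the burst from one address, which is why the isolated 14:05 entry does not raise the peak count.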

The "operation" apparently has a lot of participants. While the LOIC group behind the attack on Postfinanz apparently consisted of only 400 computers, several thousand computers were involved in the attacks on Visa. From the early morning until noon, Wikileaks supporters sought their revenge on Paypal.com in the form of queries, and Paypal's API is apparently now also under attack. On occasion, however, the activists' complete infrastructure failed: both the IRC server where the attacks are coordinated and the LOIC control server were no longer reachable, and at times the names of the servers used could no longer be resolved via DNS. The attacks are now using a new infrastructure.

It is almost certain that "Operation Payback" was at least responsible for the Web server standstill at Visa. At exactly 9 PM GMT, Visa's web site was no longer reachable, and at the same moment the attack on Visa was announced in the group's IRC channel.

While the "Payback" participants agree that DDoS attacks on credit card firms are a legitimate form of protest, the intentional disinformation on the activists' IRC channel is a hot topic; after all, WikiLeaks does not wish to become known as a source of lies. Nonetheless, "Operation Bank-Troll" is currently propagating the unfounded claim that lots of credit card numbers were stolen during the DDoS attack.

See also:

Cablegate: Clinton allegedly told diplomats to spy, a report from The H.

(trk)