Anonymous: how to defend against DoS Attacks

Source: Internet
Author: User
Tags: perl interpreter

Summary

The author directly witnessed a hacker attack led by the hacker group Anonymous. This article describes the main attack tools they used and some countermeasures.

One reason hacking has gained greater visibility recently is that attack tools are now easy to obtain and use, especially for DoS attacks. Hackers usually aim to protest or to draw attention to a particular political issue, but these days anyone can become a target, even when the attackers claim that "this is just for Lulz" (a hacker group). Recently, the author had the opportunity to witness a DDoS attack by hackers (announced in advance). Here, I would like to share the tools and techniques they used and how to defend against such attacks.

Hacker attack tools

Denial-of-service attacks are basically attempts to stop a service (usually a web server) from serving its users or to block access to a resource. A distributed denial-of-service (DDoS) attack coordinates processes on many computers at once, which multiplies the effect of a DoS attack. Now let's look at the most common denial-of-service tools:

· LOIC (Low Orbit Ion Cannon) is perhaps the best-known attack tool. It is widely used by Anonymous and other hackers for DDoS attacks. LOIC started out as a legitimate stress-testing tool but is now widely used as a DoS tool. With its popularity, a JavaScript version was created so that attacks can be launched from a web browser, which makes it easy for followers (or careless visitors) to join an attack.

· HPing is a command-line TCP/IP packet assembly/analysis tool. Its usage resembles the ping command, but it has many more advanced functions, including generating large numbers of TCP packets. Perhaps its most important feature for attackers is the ability to conceal the attack source through address spoofing.

· Another attack tool, Slowloris, sends HTTP requests that carry very little data and keeps the socket connections it has opened to the server alive, eventually consuming all of the server's available ports. Slowloris is a Perl program that needs a Perl interpreter to run and works best on Linux, so it is not a tool that casual users commonly pick up.
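
From the defender's side, the Slowloris pattern described above shows up as one source holding many old connections whose request headers never finish. The following is an added example, not code from the article: it scans a constructed snapshot of a web server's connection table (the field layout and thresholds are assumptions) and flags sources holding several stalled requests.

```python
"""Flag sources holding many incomplete HTTP requests open (Slowloris pattern).

Added example, not from the original article. The snapshot below is
constructed; real servers expose similar data via status pages or `ss`."""
from collections import defaultdict

# Constructed snapshot: (client_ip, seconds_open, bytes_received, headers_complete)
SNAPSHOT = [
    ("203.0.113.7", 95, 41, False),
    ("203.0.113.7", 88, 39, False),
    ("203.0.113.7", 87, 40, False),
    ("203.0.113.7", 80, 38, False),
    ("203.0.113.7", 77, 42, False),
    ("198.51.100.4", 2, 512, True),    # normal, request already complete
    ("198.51.100.9", 120, 35, False),  # one slow client is not enough to flag
    ("192.0.2.30", 1, 640, True),
]


def stalled_by_source(snapshot, min_age=30, max_bytes=256):
    """Count, per source, connections that are old but still have not sent
    a complete request header (the signature of a slow-header attack)."""
    counts = defaultdict(int)
    for ip, age, nbytes, complete in snapshot:
        if not complete and age >= min_age and nbytes <= max_bytes:
            counts[ip] += 1
    return dict(counts)


def slowloris_suspects(snapshot, threshold=3, **kw):
    """Sources holding at least `threshold` stalled connections, worst first."""
    counts = stalled_by_source(snapshot, **kw)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: -counts[ip])


def slot_pressure(snapshot, max_slots):
    """Fraction of the server's connection slots consumed by stalled requests;
    when this approaches 1.0 legitimate clients can no longer connect."""
    stalled = sum(stalled_by_source(snapshot).values())
    return stalled / max_slots


if __name__ == "__main__":
    print("suspects:", slowloris_suspects(SNAPSHOT))
    print(f"{slot_pressure(SNAPSHOT, 16):.0%} of slots held by stalled requests")
```

The usual mitigation is to shorten the server's header-read timeout and cap connections per client, so that stalled requests are dropped before they fill the connection table.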

Each of these tools is an effective way to attack a web server on its own. Combined, however, they are far more powerful and much harder to stop.

As many would-be hackers know, LOIC does not hide the identity of the attack source, so Anonymous has widely promoted the use of VPN services as a way to mask the real source. This may no longer be the best way to hide an attack: the arrest of LulzSec members showed that a VPN provider (LulzSec used the HideMyAss.com service) may hand over a user's logs in response to a court order.

Countermeasures

Many companies have to prepare for possible DoS attacks. The following are some basic strategies for defending against them.

· Configure your routers and firewalls to block invalid IP addresses and filter out unnecessary protocols. Some firewall and router features can block unwanted TCP/UDP packets. Also make sure logging is enabled on all devices and that the logs can be reliably reviewed to determine the attack source; if necessary, they can be handed over to law enforcement.

· An intrusion detection/prevention system (IDS/IPS) can detect abuse of legitimate protocols used as an attack vector and, depending on the product and network configuration, automatically block the attack traffic.

· Get help from your service providers. This way attack traffic can be blocked upstream, before it saturates the company's bandwidth.

· Prepare an incident response plan and keep it ready to activate at any time. In the event of an attack, everyone should know how to respond and who is responsible for contacting outside parties (such as law enforcement).

· Keep communication with your users or customers open. Be as honest as possible about what happened.
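
The first countermeasure depends on being able to find the attack source in your own logs. As an added example that is not part of the article, the script below picks flood-level sources (the LOIC-style pattern) out of constructed web access log lines in Common Log Format, using a sliding window per client; the 10-second window and request threshold are assumptions to tune for your own traffic.

```python
"""Pick out sources generating flood-level request rates from web access logs.

Added example, not from the original article. The log lines are constructed
in Common Log Format and are assumed to arrive in chronological order."""
import re
from collections import defaultdict, deque
from datetime import datetime

# client - - [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def make_lines():
    """Constructed sample: 203.0.113.7 sends 30 requests in 6 s, others are normal."""
    lines = []
    for i in range(30):
        lines.append(f'203.0.113.7 - - [10/Oct/2012:13:55:{i // 5:02d} +0000] '
                     f'"GET / HTTP/1.1" 200 512')
    for i, ip in enumerate(["198.51.100.4", "192.0.2.30", "198.51.100.4"]):
        lines.append(f'{ip} - - [10/Oct/2012:13:55:{10 + i:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 2048')
    return lines


def parse(line):
    """Return (client_ip, timestamp, request_line, status) or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), int(m.group(4))


def flood_sources(lines, window=10, max_requests=20):
    """Sources that exceed `max_requests` within any `window`-second span.

    Returns {ip: peak requests seen in one window}. A deque per source keeps
    only the timestamps inside the current window, so memory stays bounded."""
    recent = defaultdict(deque)
    peak = {}
    for ip, ts, _, _ in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    for ip, n in flood_sources(make_lines()).items():
        print(f"flood candidate {ip}: {n} requests in one window")
```

Treat the output as block-list candidates to review, not as proof of origin: as the HPing description above notes, spoofed source addresses make per-IP counts unreliable for that kind of traffic.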

You should also watch out for issues that can undermine your defense policy:

· Make sure you spend enough time tuning your IDS/IPS and keeping its signatures up to date. If you cannot trust its detections (because of many false positives and false negatives), you will not be able to rely on it to help you block network attacks.

· Know exactly which services and support level your providers commit to. If an attack occurs outside business hours, you may get nothing more than a voice mailbox or a ticketing system with a 24-hour turnaround. Ideally, you should have access to emergency support staff with the right expertise who are authorized to help you.

· A timely and open attitude to communication is very important. In a large company, for example, different departments control different devices such as routers and firewalls, yet the company as a whole still has to respond to an attack promptly; sometimes the response is delayed for internal reasons.

· Do not underestimate the role of communication between the company's departments (human resources, legal, etc.). The company's relationship with the media is also very important. A CEO who, knowingly or not, downplays or hides the facts may damage the company's image more than the incident itself.

Consequences

I found that the "protest" incident was heavily reported by the media. Anonymous, a hacker organization, therefore attacked in order to attract public attention. A few hours later, they had apparently succeeded in taking down one target website and in successfully accessing two or three other websites.

Only time will tell us the serious consequences of this attack.
