I was surprised the other day talking to some tech friends who weren’t aware of Anonymous and especially were intrigued about how they managed to take down the sites of both MasterCard and Visa in response to their blocking funds (in my opinion, unethically, since Wikileaks nor Julian Assange have been convicted of any crimes) to Wikileaks. The friends hadn’t heard about the campaign Anonymous had conducted against Scientology and the RIAA either or, more importantly, the all powerful weapon in their arsenal, the Low Orbit Ion Cannon< or LOIC.
Sounds bad ass, doesn’t it? Basically, LOIC allows you to download a big can of hacking whoop-ass you can open up on someone, even if you have absolutely no clue how to hack. LOIC is a push button, centrally directed application that launches a flood of garbage internet requests against a website with virtually no risk to the user. On its own, LOIC is a push-button simple way to launch a DoS denial of service attack (or, ahem… network stress test) on a particular web site or IP address. Now, that’s not that impressive, there are loads of little apps out there that due similar things, and technically, it’s not that hard to block a single address slamming your web site. Most commercial sites worth their salt have special hardware or server configurations in place to handle but the innovation.
What makes LOIC so deadly to websites annoying geeks is the addition of a “hivemind” feature that allows the tool (which is open source by the way if you want to take a look at it), to be pointed at an IRC channel, RSS feed or twitter stream and be remotely directed by someone en masse. Imagine thousands of orbiting ion cannons, perched peacefully orbiting over thousands of locations all over the earth suddenly slowly swinging to come to bear on a single house somewhere in mid-town Manhattan. Then they fire simultaneously. You’ve pretty much got the idea of how LOIC works. So, if you don’t know anything but that you support Anonymous’ attack, you just download the software, click the HiveMind button and your ion cannon is on fire free mode orchestrated by someone at Anon central. Instructions on how to get started on Operation Payback are here (ignore warning, the link is fine.).
So, not such a problem for websites if there are just four people with the software hitting it, but add in 10,000 or 100,000 people with this tool and all hammering the same site and suddenly you have a distributed Denial of Service attack - a DDoS if you will. If you’re running that site you’ve got trouble. If you’re Visa or Mastercard you might as well shut the web site down and ride out the storm. And let’s face it, it’s an appealing app for the people it’s designed for. The name, the idea, the fact Anon is sticking it to some pretty sketchy people and, my personal favourite part, the app has a big unmistakeable “Go” button marked “IMMA CHARGIN MAH LAZER”
What’s the defence against it if you’re running a site? Well, don’t be evil enough you piss off geeks. Fact is, there isn’t really any defence. When an attack is so distributed it’s virtually impossible to distinguish good traffic from bad and basically, at some point, (though I’d love to see what happens with auto-scaling sites like on Amazon), your site is going down.
Which is why it’s such an effective tool for protest.campaigning