Sam Bowne from City College of San Francisco shares his expertise in the history of denial-of-service attacks, their technical aspects, and the major groups of hacktivists who use them for various purposes. This Defcon presentation starts with a classification of DoS attacks and an analysis of them in terms of the activity of the Jester, Anonymous and LulzSec.
I am Sam Bowne, I teach at City College, San Francisco. I am here to talk to you about DoS attacks. I am gonna talk a little bit about the hacktivists who’ve used DoS attacks because I find them interesting, and they have dramatized how much damage you can do with the various kinds of DoS attacks, at the peril of going to prison themselves for it, which is a drag, but anyway, it helps the rest of us sell security appliances, and it helps me entertain the students and keep them interested in knowing how these attacks and defenses work.
So you’ll be participating as victims. Now, how many people brought a device to get killed? One, two, three – yeah, not very many, okay. That’s kind of what I thought, because Ryan who is setting up a wireless network says he probably cannot connect more than 40 or 50. I didn’t think there would be that many volunteers to get their device killed.
However, I was trying in the speaker room, and I believe this attack could be used to kill every machine at Defcon, from peer. I was gonna demonstrate a version of that – not so lethal – on the stage, but it wouldn’t connect at all in the prep room, so I decided to skip that for the moment. But if any of you are unscrupulous, you can try it.
I’ve got two guests with me: I’ve got Matthew Prince here who is gonna talk about his inside dealings with LulzSec [1], which I am very pleased to have. In fact, I met him because both of us were deplored as immoral evil people for helping LulzSec, because I retweeted some LulzSec tweets that pointed to stolen data which I thought was important. And he ran a service that they used to protect themselves from attacks. Another one of my guests – Ryan Carter – is gonna set up the network and ‘kill’ people who wish to volunteer to be DoS’ed with this attack, because we could learn some new vulnerabilities here. Now, they are not zero-days, because this – the attack I am using here – wasn’t written by me and it’s not new. It’s been known for a year. It’s just that an awful lot of people who manufacture devices don’t care and have not patched it. So, if anybody has exotic devices, it would be interesting to see if they are vulnerable.
Anyway, I’ll briefly outline what I want to show you. The DoS circus is about the history of this stuff and the attackers who have been using it. And then, I’ll talk about the three kinds of DoS: Layer 4 DDoS, where you use thousands of attackers to bring down one machine, usually distributed denial-of-service; Layer 7 DoS, where one attacker can bring down one server or more; and the Link-Local IPv6 [2] router advertisement attack. I talked to you last year about IPv6, and I said it was gonna bring a lot of security problems – and so it has.
It has given us a time warp when a bunch of things designed in 1993 are now back on our networks, so the old tricks work again. This is not really an old trick, but it’s devastating and I’ll show it to you. You can kill all the Windows machines on a network from one attacker. And again, you only need a few packets per second to do it.
So, Julian Assange stirred everybody up by leaking U.S. secrets. He published this mysterious encrypted file as his insurance. And if he ever gets irritated enough at the fact that he is being held in a house arrest and perhaps gonna be deported and stuff, he can release the secret key and reveal something terrible, not yet specified.
So, this stirred up these Anonymous [3] people that had gotten tired of just posting pictures of cats on 4chan, and decided to save the world through denial-of-service, which makes a lot of sense to them all, but not to me. So they started attacking. If there was anybody they could all agree to hate, they would blow them away. So they started with Scientology because it’s pretty easy to hate the Scientologists.
Then it went on to other people – and eventually HBGary Federal [4]. This company’s CEO Aaron Barr was supposed to be here but he was issued a court order about 3 days ago, forcing him to not speak at the Panel and tell what really happened for the inside story here.
But anyway, in order to publicize his new government security contracting company, Aaron Barr said that he could find the people running LulzSec and expose them by doing a correlation of social networking. So what appeared in Twitter, he would correlate with what appeared in Facebook and elsewhere. And so, they decided to take him down, and it was extremely easy.
They got a team of Anonymous members. Now, Anonymous was a low-tech group, usually using really primitive tools. But a small number of them got together, who were relatively skilled compared to the others. And they decided to take these guys down. They found an SQL injection [5] and took over the email server, and then they sent emails pretending to come from the owner of the company, asking him to please change the password, change the username and turn off the firewall. Thanks, that’s working now!
And once they were in, they took all the emails and dumped them on the Web, because the whole thing about these guys who later became LulzSec was complete irresponsibility. The fun thing is to take everything you were told not to do, and just do it, and then you laugh – ha, ha, ha!
So, what would happen if I just dumped your whole email log out, everything personal, hurting who knows how many innocent people that just had something to say about their medical conditions? So that would be a lot of fun, so that’s what they did. And they found a lot of real dirt in there. It looked like they were planning to do a lot of really nasty things from HBGary.
Then Anonymous decided to attack the Chamber of Commerce, having found out that they had a Drupal exploit, again showing more intelligence technically than the Anonymous had before, which had just used that Low Orbit Ion Cannon [6], which is pretty primitive.
So the Jester (th3j35t3r) gets in here, using the demonstration of the power of a Layer 7 attack, although no one knows exactly what he does, he is truly secret, and I am guessing what he does. But from people who have been attacked and kept logs of his packets, they’ve told me that I am correct, that what he was doing is essentially using a SlowLoris [7] attack with some variations.
His plan here is to be right-wing essentially, where Anonymous and LulzSec are left-wing. He is pro-military, he comes from the military, and he tries to punch back at anybody that he regards as endangering soldiers, like Julian Assange and Jihadist recruiting websites.
And he brings websites down with his tool, and then tweets about it. He is prominent on social networking, you can go chat with him, I’ve chatted with him. But he doesn’t have any partners, unlike LulzSec. He works alone, and therefore he hasn’t been caught yet. He understands military operational security. Nobody can betray him – something that LulzSec forgot.
Anyway, he brought down WikiLeaks single-handedly and held it down for more than a day. To prove it, I was chatting with him on IRC and he said: “Look, I can turn off the attack and let it come back up”. And it came back up. Then he said: “Now, I am taking it down again”. And it went down again. So that convinced me that he was really in control of the attack. Here is the Netcraft map of WikiLeaks going down for more than a day, thanks to the Jester (see image).
So that was his game, and then he decided to fight with Anonymous because Anonymous didn’t like him taking down WikiLeaks, and he has been focusing on them for about the last year, Anonymous and LulzSec blasting each other apart with the variety of tricks; he was putting on them denial-of-service.
And then, the Jester got mad at Westboro Baptist. Now, these guys are also pretty easy to hate. They have some ridiculous hatred of homosexuals, and they also picket funerals – basically, their profit method seems to be about being annoying until someone finally punches them in the face, and then sue. But the Jester decided to take them down, so he took down four websites with his tool, which he had ported to a cell phone. And from the single 3G cell phone, he says, he held down four websites for two months straight.
And I don’t doubt that because I know I can do it, and any of my students could do it, and you could do it if you just pay attention to this talk. It’s not hard. The SlowLoris attack runs on Windows, it’s not hard to do at all. And that’s how it goes.
Now, LulzSec continued on a rampage, hacking everybody in sight. At one point, they just opened up a telephone line and you could call them, and they would hack anybody you wanted. They hacked U.S. Government, Military, NATO, British Government sites. They dumped the contents of the Booz Allen Hamilton database. When they dumped out the Arizona cops is when I got really mad, because that was really important, they dumped out their names and password hashes and the logins for their emails.
And when they dumped out Booz Hamilton [8] password hashes, that struck me as outrageous: 150,000 password hashes, half of them were cracked by the next day. So, all the top military, their names and passwords are now out there where anybody can use them, and they didn’t think much of that.
However, they also took down some game websites, which I didn’t even notice, but it seemed to be what really caused trouble for them.
They put up a website to announce all the stuff they took down and all the stolen data (see image). And then, they hacked the PBS [9] website and put up a silly thing there. I was pretty irritated by that, like – why would you hack PBS? Come on guys…
Anyway, now they’ve been caught, largely. Ryan Cleary was one guy kind of on the periphery of LulzSec, they caught him in June. Shortly after that, they caught T-Flow (see screenshot of news report excerpt) who was much more important to LulzSec. At the end of July 2011, they caught Topiary. So, they really are just British teenagers, and the attitude of taking down everything just for fun, you know, comes from just childish immaturity. You might wonder what makes them do this – they are just young and foolish, that’s why they think they can just take down every government website just for fun.
By the way, Jester and Sabu are supposed to be both here, they are both on Twitter claiming to be here, and they said they were at the pool yesterday. The Jester said he was here and Sabu said he was here. I kind of doubt it, but maybe they are, who knows.
Sabu is the main LulzSec person still at large. And why they assume to be on the way down is because his friends have already been arrested, and this is what always happens: after they get the first one, they would find the rest, because they don’t have much of operational security.
1 – LulzSec (abbreviation of Lulz Security) was a computer hacker group that claimed responsibility for several high profile attacks.
2 – IPv6 (Internet Protocol version 6) is a version of the Internet Protocol (IP) intended to succeed IPv4, which is the protocol currently used to direct almost all Internet traffic. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with IPv4 address exhaustion.
3 – Anonymous (used as a mass noun) is an Internet meme that originated in 2003 on the imageboard 4chan, representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain.
4 – HBGary Federal is a technology security company which sold its products to the US Federal Government. HBGary Federal is defunct as of 2012.
5 – SQL injection is a frequently used technique to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).
6 – Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.
7 – SlowLoris is a piece of software written by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.
8 – Booz Hamilton (Booz Allen Hamilton Inc.) is an American consulting firm headquartered in McLean, Fairfax County, Virginia, with 80 other offices throughout the United States. Founded in 1914 by Edwin Booz, the company is one of the oldest management consulting firms in the world.
9 – PBS (Public Broadcasting Service) is a non-profit American public broadcasting television network with 354 member TV stations in the United States which hold collective ownership. Its headquarters is in Arlington, Virginia.