Big Head Press


L. Neil Smith's
THE LIBERTARIAN ENTERPRISE
Number 598, December 5, 2010

"Government lies and secrets kill millions"


Previous Previous Table of Contents Contents Next Next

Anatomy of a DDOS
And Why It Matters To You
by William Stone III
[email protected]

Bookmark and Share

Exclusive to The Libertarian Enterprise

"Ok,so ten out of ten for style—but minus several million out of ten for good thinking."
—Zaphod Beeblebrox,The Hitchhiker's Guide To the Galaxy

As I write this, Wikileaks is fighting for its life. This is an important issue for several reasons, not the least of which is this:

It may be that your computer is attacking them.

Wikileaks has been undergoing a Distributed Denial of Service attack since the eve of their most recent release of over 250,000 U.S. State Department documents. In order to understand what's happening, it will be necessary to explain a DDOS and how your computer may be involved:

DDOS attacks usually rely on a computer virus distributed by apparently innocuous means. It could be in an email with an attachment that you double-clicked. It could be hidden away in the advertising of a Web site that you visited. It could be among the pop-up messages that are all too common on unprotected computers.

What does this virus do to you? In general, nothing. It simply sits on your computer, running in the background, and doing absolutely no harm.

Harming your computer isn't its purpose.

Instead, it waits until you're online (which these days means continuously) and logs into an IRC channel.

"IRC" stands for Internet Relay Chat and is the oldest instant messaging protocol on the Internet. When AIM, Yahoo Instant Messenger, and MSN were barely gleams in the eyes of their developers, IRC had existed for a decade.

It's an extraordinarily open protocol, allowing its users to choose any nickname they like at the moment of connection. There is no guarantee that the nickname you used the last time you were on IRC will be available the next time. If your name is "Bill"and you choose the nickname "Bill_123" and then disconnect, there's typically nothing to stop another user from choosing the exact same nickname when they log in.

Users may create chat rooms (called "channels" on IRC) which then disappear the moment its last participant leaves. There is a high level of anonymity, provided the user takes some precautions— which few users bother to do.

Use of what are called "bots" are common. These are programs typically used to hold a channel open when no one is in it, elevate user privileges (automatically making certain users channel operators, or "Ops") provide useful information to new users, etc.

However, because of its open nature and the ability to use bots for control, it provides a haven for DDOS attackers.

To return to the virus: it sits on your computer doing nothing but logging in to an IRC channel created for the sole purpose of housing these viruses. The virus simply sits there, awaiting orders.

At some point, a human user will arrive in the channel using a nickname is so complex as to be unlikely to have been used by a human being—but it's a nickname the virus was programmed to recognize as its boss. This user will then issue a command for the virus to begin attacking its target.

The virus receives its command, and that's when the DDOS begins.

The virus then makes extremely rapid, repeated requests for a Web page from the target. This causes the target to be flooded with more requests than it can handle.

The Web page requests are typically made in such a way as to keep the connection between the virus and the Web site open for a long period of time. This means that not only is the target flooded with requests, it's also got an enormous number them already in progress.

The reason it's called a Distributed Denial of Service attack is because if the human user has done their job well, the virus has been delivered to millions of computers worldwide. There is no single point of origin, just millions of Web page requests from computers whose users don't even know that it's happening.

The implications as to how this is being done to Wikileaks are interesting—and this is why it may apply to you:

One must consider the motive for such attacks. As a certified expert in Information Security, I've dealt with DDOS attacks on behalf of employers and clients. The first thing we want to know is who is doing it.

Immediately behind that is why since the motive will often point to the source.

Why would someone (or a group of people) wish to DDOS Wikileaks? Simple: to prevent the information that Wikileaks contains from being distributed. If Wikileaks is unable to cope with the millions of requests they're receiving, it inhibits the the release of information.

Who would have the most to benefit from Wikileaks being unable to distribute its information? The United States Federal Government.

The obvious conclusion is that some agent of the Federal Government is involved in the DDOS—either directly or indirectly.

This brings us to the ultimate impact on you, the user who's got the virus on your computer:

If it is the Federal Government carrying out this DDOS, then the Federal Government has released a virus for this purpose.

In short, the Federal Government intentionally put the virus on your computer.

It should be made clear that as of this writing, there is no concrete indication of the culprit. There are various rumors, and in fact one individual may have been arrested by local authorities. However, Wikileaks isn't sharing specific details and the press is notoriously ignorant of technical matters, so getting to the bottom of the mess is beyond the scope of this article.

I can, however, lend some advice to Wikileaks' security officers:

Were I Wikileaks' IT Security manager, I would concentrate on identifying some individually infected computers. With a DDOS, it's often possible to identify specific users and contact them.

I would do so, explain the situation, and ask for remote access to their computer. I would then install what's called a "packet-sniffer." A packet-sniffer simply watches all the inbound and outbound network traffic on the computer. It produces a log that trained individuals know how to interpret.

At some point, the virus will check in to its IRC channel for orders. At that point, the game is up for the perpetrator. It would then be possible to discover what IRC network is being used for control, what human user or users are issuing commands, and (assuming the user hasn't taken precautions against it, which most don't) find that user's IP address.

An IP address is a unique address that underpins the entire Internet. If you have a computer connected to the Internet, it has an IP address that it uses for communication. IP addresses are issued to you by your ISP the moment you connect to the Internet. The issuer is known and can be looked up using public search engines. Indeed, in some cases, the issuer will associate a name with the IP address that tells the ISP exactly to whom the IP address was issued.

I know from personal experience that this is an effective means to locate an attacker. In one instance, the attacker was issuing commands from a public library, something that was obvious the moment we knew the attacker's IP address.

In several other cases, it was clear that the attacker originated from directly within the Chinese Government. Indeed, most financial institutions and large businesses are under constant attack from the Chinese Government and have employed techniques designed specifically to prevent attacks from that source.

In this case, the Chinese Government would have nothing to gain from a DDOS attack on Wikileaks. Indeed, the only government that definitely stands to gain is the U.S. Federal Government.

However, it should also be noted that Wikileaks has been DDOS-ed before, and that these attacks have originated with malicious individuals apparently disassociated with a government. There's a reason for this:

In Information Security circles, Julian Assange(Wikileaks' founder) has an extremely poor reputation. He's repeatedly failed to pay employees. He's left both the site and his employees without direction or funding for months at a time. Indeed, the site has been moribund and unavailable due to his poor management for longer than it's been vibrant and available.

Further, he has demonstrated himself incapable of protecting his sources, his employees, and even himself. His most famous source, PFC Bradley Manning, rots in jail as of this writing. His employees have generally moved on to greener pastures rather than face no pay or government harassment. Assange protects himself only by using his millions to flee from country to country, keeping one step ahead of the governments that want his head.

While this is effective in the near term for a millionaire, it's impossible for a wage-earning employee. Even his habit of globe-trotting won't protect Assenge forever.Ultimately, someone in his own organization with a grudge (and they are legion) will betray him.

Finally, Assange is demonstrably a publicity-seeker. While Wikileaks' release of information may prove beneficial, the way in which he's done so has been explicitly designed to attract publicity.

If simply disseminating information is the goal, one doesn't announce it in advance. To do so provides one's enemies (government and otherwise) all the time necessary to plan and execute this kind of attack.

If Assange weren't interested in self-aggrandizement, he'd simply release it and let the world find out that it happened by virtue of visiting his site.

In any case, the technical aspects of Wikileaks are left to a few individuals. While one can admire their dedication, it's not enough to keep the site running and vibrant.

Wikileaks' engineers recently attempted to escape the ongoing DDOS by placing the site in Amazon's cloud. This was a technically sound idea, as it moved the site from a single point of failure in a single location to a distributed infrastructure worldwide.

Unsurprisingly, the U.S. Federal Government came calling at Amazon. Amazon wants its officers and employees rotting beside PFC Manning no more than Assange's former employees wish to be. Amazon summarily terminated Wikileaks with no notice.

Worse, Amazon certainly turned over the Wikileaks infrastructure to the Federal Government for inspection.

Given the speed with which the site was moved into Amazon's cloud, the only conclusion is that it was replicated wholesale from its original infrastructure. This means that the Federal Government now has a duplicate of the Wikileaks infrastructure from which to plan more attacks—this time, considerably more subtle (and damaging) than a simple DDOS.

As of this writing, Wikileaks' DNS information has been removed from its hosted servers, rendering access via URL (http://www.wikileaks.org) impossible.It is now only available by direct IP address at http://213.251.145.96/.

Other means are also available, as the information is now in Torrents and on file-sharing services.I highly recommend using a Bittorrent client to obtain and participate in the exchange of information.Bittorrent is a distributed, peer-to-peer file-sharing protocol that is essentially immune to government tampering.

While the installation and use of a Bittorrent client is beyond the scope of this article, I can recommend µTorrent for Windows and Mac users.Ubuntu Linux comes with Transmission preloaded.

All of this aside, there still remains the possibility that your computer is one of those participating in the DDOS against Wikileaks. You're probably wondering what, if anything, you can do about it?

There are several things you can do. They're steps you should take regardless of this particular DDOS attack and that I would recommend to any client or employer:

  1. If you run Windows, consider switching to Linux.

    The reason this is an effective first line of defense is because the majority of viruses target Windows. Windows is a highly-insecure operating system and viruses designed for it will neither install nor run under Linux.

    I strongly recommend Ubuntu Desktop Edition, as it's the version I've found most compatible with the majority of computers and peripherals. You may download it for free, try it without installing it, install it alongside Windows, or just replace Windows entirely.

  2. Obtain and run anti-virus software.

    Anti-virus software is explicitly designed to find and remove viruses, and this most certainly includes DDOS viruses.

    However, one needs to take care to do two things:

    First, make sure the software is configured to update its virus database daily. New viruses are constantly emerging, and the only way to stay safe is to allow it to update. Fortunately, most anti-virus software comes pre-configured to update, but it's a good idea to make sure that it does so by checking its settings.

    Secondly, allow scheduled anti-virus checks to run. Schedule it for a time when your computer is on but you won't be using it. An enormous number of individuals halt scans in progress because they tend to significantly decrease the performance of the computer while they run.

    If you don't let the scans run, it's utterly pointless to have the software at all.

    There are any number of good programs that will do the job. Anything on Best Buy's shelves is up to the task. If, however, you're on a budget and need something free, I recommend ClamWin. It's free, easy to install and configure, and is available for multiple platforms. If you run Ubuntu Linux, it's available from standard repositories.

  3. Obtain and run anti-spyware software.

    While some of the better anti-virus software includes anti-spyware, the free ones typically don't. If you buy from Best Buy's shelves, the likelihood is that the anti-virus and anti-spyware software are in the same package.

    However, if you're on a budget, I recommend Spybot Search and Destroy. Again, it's free and is hands-down one of the best products I've ever used.

    One note of caution: if you've never run an anti-spywa re software, the chances are that your computer is filled with them. Spyware is what causes the constant pop-ups you see on your computer. When you first run it, I strongly recommend halting it when it reaches approximately 300 spyware program found. The software tends to have difficulty beyond that point.

    The first time you use it, run it repeatedly, manually stopping it at 300. Allow it to delete anything it finds. Run it over and over until you get through two complete scans returning no results.

    You'll probably be surprised at the amount of spyware on your computer. My personal high-count is a customer whose computer had over 1700 spyware programs installed. In fact, spyware is a significantly larger problem than viruses.

    Again, the same rules apply to anti-spyware software as anti-virus software: allow it to update its database daily, and allow the scans to run.

  4. Install ad removal software into your Web browser.

    This will have three effects: firstly, you'll rarely (if ever) see an ad on a Web page again. Secondly, the majority of viruses and spyware are installed when users click what appears to be an innocuous advertisement. Lastly, it will increase the speed of your Internet browsing by not downloading ads.

    There are a number of such ad removal plug-ins available for browsers, and their installation will vary depending on your browser. For both Firefox and Google Chrome (the only browsers I use) Adblock is among the best. Use your browser's add-on or extension manager to download and install it. Again, it's free and has a facility to update its database of known advertisement sites.

You'll note I don't mention Macs or handhelds. This is largely because of my unfamiliarity with them. However, the same rules apply to Macs as Windows: install and run anti-virus, anti-spyware, and ad-blocker software. In any case, the majority of viruses and spyware is explicitly written to exploit Windows and won't install or run on a Mac.

Handhelds such as Android or iPhone/Pod/Pad are also a much smaller target, but there are anti-virus/spyware and ad removal products available in their markets. I strongly suggest installing them, merely as a preventative measure at this point.

In any case, it should be made clear that there is a high probability that the DDOS virus currently attacking Wikileaks was written and distributed by the U.S. Federal Government. No doubt the precise culprit will come to light as the situation progresses, but it cannot be argued that the Federal Government is the entity with the most to gain.


William Stone III is a Zero Aggression Principle philosopher andInformation Systems consultant who holds multiple degrees and certifications in information technology and security. You may learn more about his qualifications at his resume Web site, http://resume.wrstone.com.


TLE AFFILIATE


Help Support TLE by patronizing our advertisers and affiliates.
We cheerfully accept donations!

Big Head Press