THE LIBERTARIAN ENTERPRISE Number 598, December 5, 2010 "Government lies and secrets kill millions"
Anatomy of a DDOS
Exclusive to The Libertarian Enterprise

"Ok, so ten out of ten for style, but minus several million out of ten for good thinking."

As I write this, Wikileaks is fighting for its life. This is an important issue for several reasons, not the least of which is this: it may be that your computer is attacking them. Wikileaks has been undergoing a Distributed Denial of Service attack since the eve of their most recent release of over 250,000 U.S. State Department documents. In order to understand what's happening, it will be necessary to explain a DDOS and how your computer may be involved.

DDOS attacks usually rely on a computer virus distributed by apparently innocuous means. It could be in an email with an attachment that you double-clicked. It could be hidden away in the advertising of a Web site that you visited. It could be among the pop-up messages that are all too common on unprotected computers. What does this virus do to you? In general, nothing. It simply sits on your computer, running in the background, and doing absolutely no harm. Harming your computer isn't its purpose. Instead, it waits until you're online (which these days means continuously) and logs into an IRC channel.

"IRC" stands for Internet Relay Chat and is the oldest instant messaging protocol on the Internet. When AIM, Yahoo Instant Messenger, and MSN were barely gleams in the eyes of their developers, IRC had existed for a decade. It's an extraordinarily open protocol, allowing its users to choose any nickname they like at the moment of connection. There is no guarantee that the nickname you used the last time you were on IRC will be available the next time. If your name is "Bill" and you choose the nickname "Bill_123" and then disconnect, there's typically nothing to stop another user from choosing the exact same nickname when they log in. Users may create chat rooms (called "channels" on IRC), which then disappear the moment their last participant leaves.
There is a high level of anonymity, provided the user takes some precautions, which few users bother to do. Use of what are called "bots" is common. These are programs typically used to hold a channel open when no one is in it, elevate user privileges (automatically making certain users channel operators, or "Ops"), provide useful information to new users, etc. However, because of its open nature and the ability to use bots for control, IRC provides a haven for DDOS attackers.

To return to the virus: it sits on your computer doing nothing but logging in to an IRC channel created for the sole purpose of housing these viruses. The virus simply sits there, awaiting orders. At some point, a human user will arrive in the channel using a nickname so complex as to be unlikely to have been used by a human being, but it's a nickname the virus was programmed to recognize as its boss. This user will then issue a command for the virus to begin attacking its target. The virus receives its command, and that's when the DDOS begins.

The virus then makes extremely rapid, repeated requests for a Web page from the target. This causes the target to be flooded with more requests than it can handle. The Web page requests are typically made in such a way as to keep the connection between the virus and the Web site open for a long period of time. This means that not only is the target flooded with requests, it's also got an enormous number of them already in progress. The reason it's called a Distributed Denial of Service attack is that if the human user has done their job well, the virus has been delivered to millions of computers worldwide. There is no single point of origin, just millions of Web page requests from computers whose users don't even know that it's happening.

The implications as to how this is being done to Wikileaks are interesting, and this is why it may apply to you: one must consider the motive for such attacks.
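Seen from the target's side, the two traits just described (rapid repeated requests and connections held open) are what lets a site pick out individual infected machines from ordinary visitors. The following is an added example, not code from the original article: it applies that test to a constructed connection log, with invented addresses and assumed thresholds.

```python
import re
from collections import defaultdict

# Constructed connection log from the target web server: one line per closed
# connection (client, seconds it stayed open, requests it carried). The
# addresses are documentation ranges, not real sources.
CONN_LOG = """\
203.0.113.10 open=180s reqs=950
203.0.113.11 open=175s reqs=1010
198.51.100.5 open=2s reqs=3
203.0.113.10 open=170s reqs=900
203.0.113.12 open=190s reqs=880
192.0.2.44 open=1s reqs=1
198.51.100.9 open=300s reqs=4
"""
LINE_RE = re.compile(r"^(\S+) open=(\d+)s reqs=(\d+)$")


def flag_flood_sources(log_text, min_rate=1.0, min_hold=60):
    """Return (ip, total_requests, requests_per_second) for clients that both
    hammer the site and keep connections open; thresholds are assumptions."""
    stats = defaultdict(lambda: {"seconds": 0, "requests": 0, "longest": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, seconds, reqs = m.group(1), int(m.group(2)), int(m.group(3))
        s = stats[ip]
        s["seconds"] += seconds
        s["requests"] += reqs
        s["longest"] = max(s["longest"], seconds)
    flagged = []
    for ip, s in stats.items():
        rate = s["requests"] / max(s["seconds"], 1)
        # A normal visitor sends a few requests and leaves; a slow idle client
        # (198.51.100.9) holds a connection but asks for almost nothing.
        # Only the combination of high rate and long hold is flagged.
        if rate >= min_rate and s["longest"] >= min_hold:
            flagged.append((ip, s["requests"], round(rate, 1)))
    return sorted(flagged, key=lambda f: f[1], reverse=True)
```

The addresses that come back are the individually infected computers whose owners the article suggests contacting.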
As a certified expert in Information Security, I've dealt with DDOS attacks on behalf of employers and clients. The first thing we want to know is who is doing it. Immediately behind that is why, since the motive will often point to the source. Why would someone (or a group of people) wish to DDOS Wikileaks? Simple: to prevent the information that Wikileaks contains from being distributed. If Wikileaks is unable to cope with the millions of requests they're receiving, it inhibits the release of information. Who would benefit the most from Wikileaks being unable to distribute its information? The United States Federal Government. The obvious conclusion is that some agent of the Federal Government is involved in the DDOS, either directly or indirectly. This brings us to the ultimate impact on you, the user who's got the virus on your computer: if it is the Federal Government carrying out this DDOS, then the Federal Government has released a virus for this purpose. In short, the Federal Government intentionally put the virus on your computer.

It should be made clear that as of this writing, there is no concrete indication of the culprit. There are various rumors, and in fact one individual may have been arrested by local authorities. However, Wikileaks isn't sharing specific details and the press is notoriously ignorant of technical matters, so getting to the bottom of the mess is beyond the scope of this article.

I can, however, lend some advice to Wikileaks' security officers: were I Wikileaks' IT Security manager, I would concentrate on identifying some individually infected computers. With a DDOS, it's often possible to identify specific users and contact them. I would do so, explain the situation, and ask for remote access to their computer. I would then install what's called a "packet-sniffer." A packet-sniffer simply watches all the inbound and outbound network traffic on the computer. It produces a log that trained individuals know how to interpret.
At some point, the virus will check in to its IRC channel for orders. At that point, the game is up for the perpetrator. It would then be possible to discover what IRC network is being used for control, what human user or users are issuing commands, and (assuming the user hasn't taken precautions against it, which most don't) find that user's IP address.

An IP address is a unique address that underpins the entire Internet. If you have a computer connected to the Internet, it has an IP address that it uses for communication. IP addresses are issued to you by your ISP the moment you connect to the Internet. The issuer is known and can be looked up using public search engines. Indeed, in some cases, the issuer will associate a name with the IP address that tells the ISP exactly to whom the IP address was issued.

I know from personal experience that this is an effective means to locate an attacker. In one instance, the attacker was issuing commands from a public library, something that was obvious the moment we knew the attacker's IP address. In several other cases, it was clear that the attacker originated from directly within the Chinese Government. Indeed, most financial institutions and large businesses are under constant attack from the Chinese Government and have employed techniques designed specifically to prevent attacks from that source. In this case, the Chinese Government would have nothing to gain from a DDOS attack on Wikileaks. Indeed, the only government that definitely stands to gain is the U.S. Federal Government.

However, it should also be noted that Wikileaks has been DDOS-ed before, and that these attacks have originated with malicious individuals apparently unconnected with any government. There's a reason for this: in Information Security circles, Julian Assange (Wikileaks' founder) has an extremely poor reputation. He's repeatedly failed to pay employees. He's left both the site and his employees without direction or funding for months at a time.
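What the packet-sniffer step above would actually surface, as an added example that is not part of the original article: the bot's outbound JOIN names the IRC server and channel, the inbound PRIVMSG names the nick (and the hostmask the IRC server reports for it) that issued the order, and the burst of HTTP requests right after it names the target. The sniffer log below is constructed; the server, nicks, channel, hosts and command text are all invented.

```python
import re
from collections import Counter

# Constructed packet-sniffer log from a suspected infected host (one line per
# captured TCP payload); server, nicks, channel and hosts are all made up.
SNIFFER_LOG = """\
10:00:01 10.0.0.5:51234 -> 198.51.100.7:6667 NICK [x]-93f1a
10:00:01 10.0.0.5:51234 -> 198.51.100.7:6667 JOIN #c0ntrol
10:04:12 198.51.100.7:6667 -> 10.0.0.5:51234 :b0ss_x7!op@203.0.113.77 PRIVMSG #c0ntrol :start www.example.org
10:04:13 10.0.0.5:51300 -> 203.0.113.10:80 GET /index.php HTTP/1.1
10:04:13 10.0.0.5:51301 -> 203.0.113.10:80 GET /index.php HTTP/1.1
10:04:13 10.0.0.5:51302 -> 203.0.113.10:80 GET /index.php HTTP/1.1
10:04:14 10.0.0.5:51303 -> 203.0.113.10:80 GET /index.php HTTP/1.1
10:05:00 10.0.0.5:51400 -> 192.0.2.20:80 GET /news HTTP/1.1
"""
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (.*)$")
PRIVMSG_RE = re.compile(r"^:([^!]+)!(\S+) PRIVMSG (\S+) :(.*)$")
IRC_PORTS = {6667, 6697}  # plain and TLS IRC; TLS payloads would be opaque


def analyze(log_text, burst_threshold=3):
    """Correlate an IRC check-in with the burst of HTTP requests that follows."""
    result = {"irc_server": None, "channel": None, "commander": None,
              "commander_host": None, "command": None, "flood_target": None,
              "request_count": 0}
    requests_after_command, command_seen = Counter(), False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, sport, dst, dport, payload = m.groups()
        sport, dport = int(sport), int(dport)
        # Outbound JOIN to an IRC port: the bot registering in its channel.
        if dport in IRC_PORTS and payload.startswith("JOIN "):
            result["irc_server"], result["channel"] = dst, payload.split()[1]
        # Inbound PRIVMSG in that channel: a member issuing orders; the IRC
        # server's hostmask for that nick is the first lead on who it is.
        elif sport in IRC_PORTS and (pm := PRIVMSG_RE.match(payload)):
            nick, host, chan, text = pm.groups()
            if chan == result["channel"]:
                result.update(commander=nick, commander_host=host, command=text)
                command_seen = True
        # Outbound HTTP after the order: count requests per destination.
        elif command_seen and dport == 80 and payload.startswith("GET "):
            requests_after_command[dst] += 1
    if requests_after_command:
        target, count = requests_after_command.most_common(1)[0]
        if count >= burst_threshold:
            result["flood_target"], result["request_count"] = target, count
    return result
```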
Indeed, the site has been moribund and unavailable due to his poor management for longer than it's been vibrant and available. Further, he has demonstrated himself incapable of protecting his sources, his employees, and even himself. His most famous source, PFC Bradley Manning, rots in jail as of this writing. His employees have generally moved on to greener pastures rather than face no pay or government harassment. Assange protects himself only by using his millions to flee from country to country, keeping one step ahead of the governments that want his head. While this is effective in the near term for a millionaire, it's impossible for a wage-earning employee. Even his habit of globe-trotting won't protect Assange forever. Ultimately, someone in his own organization with a grudge (and they are legion) will betray him.

Finally, Assange is demonstrably a publicity-seeker. While Wikileaks' release of information may prove beneficial, the way in which he's done so has been explicitly designed to attract publicity. If simply disseminating information is the goal, one doesn't announce it in advance. To do so provides one's enemies (government and otherwise) all the time necessary to plan and execute this kind of attack. If Assange weren't interested in self-aggrandizement, he'd simply release it and let the world find out that it happened by virtue of visiting his site.

In any case, the technical aspects of Wikileaks are left to a few individuals. While one can admire their dedication, it's not enough to keep the site running and vibrant. Wikileaks' engineers recently attempted to escape the ongoing DDOS by placing the site in Amazon's cloud. This was a technically sound idea, as it moved the site from a single point of failure in a single location to a distributed infrastructure worldwide. Unsurprisingly, the U.S. Federal Government came calling at Amazon.
Amazon wants its officers and employees rotting beside PFC Manning no more than Assange's former employees wish to be. Amazon summarily terminated Wikileaks with no notice. Worse, Amazon certainly turned over the Wikileaks infrastructure to the Federal Government for inspection. Given the speed with which the site was moved into Amazon's cloud, the only conclusion is that it was replicated wholesale from its original infrastructure. This means that the Federal Government now has a duplicate of the Wikileaks infrastructure from which to plan more attacks, this time considerably more subtle (and damaging) than a simple DDOS.

As of this writing, Wikileaks' DNS information has been removed from its hosted servers, rendering access via URL (http://www.wikileaks.org) impossible. It is now only available by direct IP address at http://213.251.145.96/. Other means are also available, as the information is now in Torrents and on file-sharing services. I highly recommend using a Bittorrent client to obtain and participate in the exchange of information. Bittorrent is a distributed, peer-to-peer file-sharing protocol that is essentially immune to government tampering. While the installation and use of a Bittorrent client is beyond the scope of this article, I can recommend µTorrent for Windows and Mac users. Ubuntu Linux comes with Transmission preloaded.

All of this aside, there still remains the possibility that your computer is one of those participating in the DDOS against Wikileaks. You're probably wondering what, if anything, you can do about it. There are several things you can do. They're steps you should take regardless of this particular DDOS attack and that I would recommend to any client or employer:
You'll note I don't mention Macs or handhelds. This is largely because of my unfamiliarity with them. However, the same rules apply to Macs as to Windows: install and run anti-virus, anti-spyware, and ad-blocker software. In any case, the majority of viruses and spyware are explicitly written to exploit Windows and won't install or run on a Mac. Handhelds such as Android or iPhone/Pod/Pad are also a much smaller target, but there are anti-virus/spyware and ad-removal products available in their markets. I strongly suggest installing them, merely as a preventative measure at this point.

In any case, it should be made clear that there is a high probability that the DDOS virus currently attacking Wikileaks was written and distributed by the U.S. Federal Government. No doubt the precise culprit will come to light as the situation progresses, but it cannot be argued that the Federal Government is the entity with the most to gain.