Despite its improved attacks, HOIC still points an arrow straight back at the so

urce of the DDoS. And some of the targets Anonymous various #Ops are going after
arent suitable for straight-up HTTP attacks. So there are two other tools that ha
ve been tossed into Anons #Setup recommendations that arent exactly new to the sec
urity world: Hping and Slowloris, a pair of network security testing tools that
also have the potential to be used for evil.
Hping is a TCP/IP packet assembler and analyzer initially developed and now mainta
ined by Salvatore Sanfillipo, a Sicilian programmer. It uses a command-line inte
rface similar to that of the ping network utility, but it can do a lot more than
make ICMP echo requests. It can be used to throw high volumes of TCP requests a
t a target, while masking the source of the attack through spoofing, as Anonymou
s tutorial shows:
### Normal hping DoS attack:
hping3 -S -i u100 riaa.org
### Spoofed random source address attack:
hping3 -S -i u100 riaa.org rand-source
### Reflected attack(it looks like mpaa.org is DoSing riaa.org)
hping3 -S -i u100 riaa.org -a mpaa.org
Slowloris is a different sort of attack entirelya slow HTTP attack that uses part
ial HTTP requests to a server, making it wait for more chunks of the request and
slowly spooning them out to keep the IP socket on the server open. This type of
attack works best against low-traffic sites on Apache and a variety of other We
b servers by eating up available network ports on the server. Its ideal for attac
ks on servers in places where theres a concern about there being enough bandwidth
for a brute-force DDoS to succeed, or where theres concern about the collateral
damage to other users on the same network. Thats why Slowloris was used against I
ranian servers during the protests around the Iranian elections in 2009.
But Slowloris is not a tool for the masses. It requires Perl, and runs best on L
inux. The author of Slowloris, known as RSnake, said that Windows users will not
be able to successfully execute a Slowloris denial of service from Windowsbecause
Slowloris requires more than a few hundred sockets to work (sometimes a thousan
d or more), and Windows limits sockets to around 130, from what Ive seen.
However, a Python-based version of the exploit, PyLoris, gets around those limit
ations. It has a graphical interface, and can be used effectively from Windows;
Christopher Gilbert, the developer of PyLoris, claims hes tested PyLoris on Windo
ws with over 6000 connections, and [doesnt] see why it couldnt use more than that.
Screenshot: http://goo.gl/4OY7j
PyLoris also includes a feature called TOR Switcher, which allows attacks to be
carried out over the anonymized Tor Network and switch between Tor identities, cha
nging the apparent location the attack is coming from at user-defined intervals.
Used individually, these tools can be somewhat effective in slowing down many of
the sites that Anonymous targets. But as Curtis Wilson, a researcher with Arbor
Networks Security Engineering and Response Team, said to Ars in an interview, If
you use polymetric floods on top of specific application attacks [like Slowloris
], its a pretty powerful combination.
And just by the sheer number of attacking systems that Anonymous can bring aboar
d to launch these attacks when its members and friends are highly motivatedas in
the wake of the Megaupload shutdowneven the most basic of tools can cause problem
s for large websites.
Covering the trail

There is still the matter of being able to pull off these large attacks with vol
unteered computers and keeping those volunteers anonymous. While Hping can provi
de some obscuring of the source of an attack, the other tools point straight bac
k at their source. So Anons have been eager to find ways to keep their IP addres
ses concealed.
The problem is that freely available anonymizing networks generally arent up to t
he task of handling the bandwidth of DOS attacks. Attempting to launch HOIC or o
ther DDoS tools over Tor would amount to an attack on that network itselfand on t
he Anonymous members who use it to protect themselves. So with the exception of
Slowloris and PyLoris attacks, which demand relatively little bandwidth, the Ano
nymous edict is DO NOT DOS THROUGH TOR.
Some Anons have turned to a variety of proxy toolsincluding a fairly suspicious c
ommercial software package called AutoHideIP, which claims to anonymize users by
connecting them through proxies for a one-time fee, even selecting the country
from which their IP address appears to be located. Efforts by Ars to contact the
creators of AutoHideIP, Coolware Max, were unsuccessful.
But theres reason to be suspicious of the security of proxy services, and of othe
r anonymizing services such as VPNs, because they could be compelled by law enfo
rcement to turn over traffic logs. That was the case in the arrest of one allege
d LulzSec member, who was apprehended after VPN provider HideMyAss.com turned ov
er log data that helped trace him to Arizona.
For that reason, Anonymous best-practice advice for members is to stick to Anonin
e and VPNTunnel, two paid VPN-based anonymizing services based in Swedenwhere pri
vacy laws dont require providers to keep access logs (and in some cases prohibit
it).
Both of the services are based on OpenVPN, a GPL-based open source virtual priva
te network technology available on Windows, MacOS and Linux. However, as Anonine
has expanded service beyond Sweden, with servers available worldwide, some of i
ts servers have started to keep logs in accordance with local lawsso Anonymous mem
bers are warned to specifically configure their clients for Swedish servers.
Its doubtful that everyone in Anonymous plays by these rules. And thats probably a
good thing for Anonymous, because it would pose a strategic problemall that auth
orities would need to do to deflect Anonymous attacks is to refuse connections fr
om the blocks of IP addresses assigned to these two Swedish providers. And with
the European Union considering new EU-wide regulations that would standardize pr
ivacy rules across the continent, its not certain how much longer Sweden will be
a safe haven.