Analysis of the Anonymous DDoS Ping Attack Tool

DDoS attacks by the “Anonymous” group regularly make headlines. To help their digital protests succeed, the activists publish DDoS programs online free of charge, so that even technical laymen can take part in such an attack without difficulty. The Link11 Security Operation Center (LSOC) has examined one of the tools.

Launching denial-of-service attacks is now easy even for beginners and technical laymen, because many groups put attack tools on the Internet for free. The Anonymous group has been making its DoS programs available to the general public for years.

One of these tools is the “Anonymous Ping Attack” program, which can be downloaded from the web free of charge. It belongs to a set of tools, including tutorials, that allow any Internet user to launch denial-of-service attacks against any target. The Link11 Security Operation Center (LSOC) has investigated how it works and what danger the attacks pose.

The name of the program refers to ping attacks, a special form of DoS attack. PINGs are normally used to check the reachability of other systems and to give an indication of the transmission time. They are used every day to analyze connection problems and other incidents. Unfortunately, this traffic can also be misused for attacks.

Easy handling of the Denial of Service tool

After downloading and unpacking the Anonymous ZIP archive, the program named “Anonymous Ping Attack.exe” is quickly installed. A simple double-click on the icon starts the DoS weapon. The user interface has nothing in common with earlier command-line tools and their hundreds of options; it comes in a modern design and is easy to use.

The workload for the user is reduced to a minimum. The only information the user has to enter is the FQDN (Fully Qualified Domain Name) of the target, for example the corresponding website. For test purposes, LSOC maintains the domain www.dosme.de. Clicking the “LOCK ON” button determines the IP address of the target.

The user therefore no longer needs any understanding of how DNS names are resolved. After that, the strength of the attack can be set via a slider. The scale ranges from 100 to 65000 and determines the size, in bytes, of the data within the PING request.

Clicking the “Send” button completes the process. Each send starts an ICMP flood to the selected destination; the program does the rest. Each click on the “Send” button opens a CLI window. A technically skilled person will recognize that a PING is executed here, which transmits 100 bytes of data. If the attack strength is increased to 65000, the PINGs carry 65000 data bytes each.

A single PING does not cause a server to falter. Per PING (ICMP echo request), the attacker sends 44 data packets toward the target. The target sends the same number of data packets back toward the attacker as an ICMP echo reply, as can be seen in the figure in the image gallery. If the attacker starts several attacks in parallel by pressing “SEND” several times, thousands of packets per second quickly pelt the target.

Reliably fending off mass DoS attacks

As a single attacker, the LSOC can generate approximately 2 Mbps of attack traffic. Considered as a single event, that’s not much of a problem. However, as soon as a larger group of individuals collectively torpedoes a target, attack volumes of hundreds of megabits per second are quickly generated. It is then important to separate the attack traffic cleanly from regular Internet traffic.
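The following is an added example, not code from Link11 or from the tool analyzed here: it shows where a figure of 44 packets per PING can come from through IPv4 fragmentation, and how a defender could use the same arithmetic to flag sources sending oversized echo requests. It assumes a 1500-byte Ethernet MTU and that the 44 packets correspond to the 65000-byte setting; the log format, the threshold and the addresses (documentation ranges) are constructed for illustration.

```python
import math
from collections import defaultdict

MTU, IP_HDR, ICMP_HDR = 1500, 20, 8   # assumptions: Ethernet MTU, IPv4 header without options
NORMAL_MAX_PAYLOAD = MTU - IP_HDR - ICMP_HDR   # 1472: largest echo payload that is not fragmented
PPS_LIMIT = 100                       # hypothetical per-source packets/second threshold

# Constructed sample records: "epoch_second src_ip icmp_type payload_bytes"
SAMPLE_LOG = """\
1700000000 198.51.100.7 8 65000
1700000000 198.51.100.7 8 65000
1700000000 198.51.100.7 8 65000
1700000000 203.0.113.20 8 56
1700000001 203.0.113.20 8 56
1700000001 198.51.100.9 8 100
"""

def fragments_per_ping(payload_bytes, mtu=MTU):
    """IPv4 packets needed to carry one ICMP echo message with this payload."""
    per_fragment = (mtu - IP_HDR) // 8 * 8      # fragment data must be a multiple of 8 bytes
    return math.ceil((ICMP_HDR + payload_bytes) / per_fragment)

def classify(log_text, pps_limit=PPS_LIMIT):
    """Return {src_ip: set of reasons} for sources whose echo requests look like a flood."""
    pps = defaultdict(int)          # (src, second) -> estimated packets on the wire
    findings = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, icmp_type, payload = line.split()
        if int(icmp_type) != 8:     # type 8 = echo request; ignore everything else
            continue
        size = int(payload)
        if size > NORMAL_MAX_PAYLOAD:
            findings[src].add("oversized-echo")   # diagnostic pings rarely need fragmentation
        pps[(src, ts)] += fragments_per_ping(size)
    for (src, _), count in pps.items():
        if count > pps_limit:
            findings[src].add("packet-rate")
    return dict(findings)

if __name__ == "__main__":
    print(fragments_per_ping(65000))
    print(classify(SAMPLE_LOG))
```

In the constructed sample, three 65000-byte echo requests within one second already amount to 132 packets from a single source, while the ordinary 56-byte and 100-byte pings stay unflagged.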

If there are too many requests, a firewall is quickly overloaded. DDoS filter clusters from specialized protection providers such as Link11, on the other hand, have sufficient resources to fend off even large-volume and long-lasting DoS attacks.