Inside Anonymous DDoS Code
Monday, 22 August 2011 12:53

Written by Alex Holden, Cyopsis Director of Enterprise Security
Distributed Denial of Service (DDoS) is not a new concept, and it has long been an effective way to get attention. DDoS is simple to orchestrate and rather difficult to defend against. Recently, I came across code that has allegedly been used by Anonymous to carry out attacks on their targets. The code itself is straightforward and produces the desired effect at will, without the need to control a large number of systems.
Many think of DDoS as requiring a botnet: a network of rogue or infected machines that carry out the orders of whoever controls them. With this specific code, Anonymous only needed to control a single system to begin the attack. The rest is carried out by unwitting accomplices performing their standard functions in a slightly modified fashion.
How is it done? Simple! First, we need a Layer 3 protocol in which the source address of our request can be forged, so that it is set to the target (the destination for any reply). Second, we need to pick a Layer 4 protocol that takes a small request and generates a large, potentially even massive, response.
Anonymous chose exactly that. Using the Simple Network Management Protocol (SNMP), it is easy to send a request for information and get a large amount of data back. All you need to know is a read-only community string. How many devices out there on the Internet listen on the default community strings? Since a read-only SNMP community string is not considered dangerous to the device, and many devices (printers, routers, etc.) rely on the SNMP public community string for discovery or management, there are literally thousands upon thousands of open devices.
Based on these facts, I think Anonymous had the right formula. A basic Internet scan can reveal tons of systems accessible via SNMP on the Internet, and many will have the default read-only community string enabled. All Anonymous needed to do was create a UDP packet carrying an SNMP request for oid=1.3.6.1 (return all the data) and send it to the list of systems. The source IP of the SNMP packet is set to the attack target, and voila! In this type of SNMP reflected Denial of Service attack, a single packet carrying such a request can generate many megabytes of data in response. This amplification effect can be -- and was -- devastating even to targets with an incredible amount of Internet bandwidth.
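The reflection pattern described above is visible from the device owner's side: tiny "requests" arrive at UDP port 161 from one address and the replies going back to it are many times larger, from several devices at once. The following is an added example, not code from the original post, showing how an operator could flag that pattern in UDP flow records; the flow tuples, addresses and thresholds are constructed assumptions, and in practice the records would come from NetFlow/sFlow or a firewall log.

```python
"""Spot SNMP reflection traffic in UDP flow records (defensive check)."""
from collections import defaultdict

SNMP_PORT = 161

# Constructed sample flows, not a real capture:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
# 203.0.113.10 is the spoofed "requester" (the real victim); the
# 198.51.100.x devices dutifully answer the forged requests.
FLOWS = [
    ("203.0.113.10", 53211, "198.51.100.7", 161, 1, 80),      # forged request
    ("198.51.100.7", 161, "203.0.113.10", 53211, 12, 16800),  # large reply
    ("203.0.113.10", 53212, "198.51.100.8", 161, 1, 80),
    ("198.51.100.8", 161, "203.0.113.10", 53212, 15, 21000),
    ("203.0.113.10", 53213, "198.51.100.9", 161, 1, 80),
    ("198.51.100.9", 161, "203.0.113.10", 53213, 9, 12600),
    ("192.0.2.44", 40001, "198.51.100.7", 161, 1, 90),        # legitimate poll
    ("198.51.100.7", 161, "192.0.2.44", 40001, 1, 210),       # modest answer
]

def snmp_exchanges(flows):
    """Sum bytes per (peer, device) pair: requests into port 161 and replies
    out of it. Returns {(peer_ip, device_ip): (bytes_in, bytes_out)}."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == SNMP_PORT:
            bytes_in[(src, dst)] += nbytes    # peer -> device request
        elif sport == SNMP_PORT:
            bytes_out[(dst, src)] += nbytes   # device -> peer reply
    return {k: (bytes_in[k], bytes_out[k]) for k in set(bytes_in) | set(bytes_out)}

def find_reflection_victims(flows, min_amp=20.0, min_devices=2):
    """Flag peers whose small 'requests' draw replies amplified at least
    min_amp times from at least min_devices devices. Such a peer is almost
    certainly a spoofed address: the target of a reflected DDoS, not a
    real SNMP manager. Returns {peer_ip: (devices, reply_bytes, amp)}."""
    per_peer = defaultdict(lambda: [set(), 0, 0])  # devices, in, out
    for (peer, device), (b_in, b_out) in snmp_exchanges(flows).items():
        entry = per_peer[peer]
        entry[0].add(device)
        entry[1] += b_in
        entry[2] += b_out
    flagged = {}
    for peer, (devices, b_in, b_out) in per_peer.items():
        # Replies with no matching request seen count as unbounded amplification.
        amp = b_out / b_in if b_in else float("inf")
        if amp >= min_amp and len(devices) >= min_devices:
            flagged[peer] = (sorted(devices), b_out, round(amp, 1))
    return flagged
```

A flagged peer is the address to rate-limit or block replies towards, and the devices listed are the ones whose public community string should be changed or restricted to the management network.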
