LOIC?
Nothing to write home about, really.
Also, verboten to download in the UK I hear.
Tools designed for testing server and network defences are being snapped up by hacktivists to launch denial-of-service attacks on websites. More and more assaults are concentrating on knackering web apps and the HTTP server software running them, rather than simply flooding the underlying stack with bogus traffic to exhaust …
I see no reason why either possessing LOIC or using it against a target you either own or have permission to stress is against the law.
In fact it would be a rather depressing & dire state of affairs if that were true, as it would make other penetration & stress testing tools illegal too, many of which are used for a variety of legal purposes.
IIRC it was something they discussed though, and ISTR it has actually been implemented in Germany. Certain tools require a licence.
Of course, it only really affects those who are using the tools legitimately. If you're potentially at risk of being done under the Computer Misuse Act anyway, why would you care about the Naughty Boy Tools Act?
Not to mention that if the only people who have them are the bad-guys, the good-guys can't check their networks so are actually more at risk.
To be honest this article sounds half like a puff piece for Imperva, and half like someone trying to give the Govt another excuse to foolishly try and outlaw testing tools for our 'own safety'.
To be honest this article sounds half like a puff piece for Imperva, and half like someone trying to give the Govt another excuse to foolishly try and outlaw testing tools for our 'own safety'.... Ben Tasker Posted Thursday 20th September 2012 17:02 GMT
Do some folk still listen to corrupt self-serving governments today and expect them to be looking out for their better interests and working for them, BT? How very weird and sad and mad and bad. Don't they follow the news and trash television?
It's not always a case of being corrupt and self-serving. In fact when it comes to the more technical areas it seems to be more of a case of politicians writing bills without any understanding of the subject matter. Much like you writing about the population of Venus, if certain books are to be believed.
Those watching the truly trashy TV on anything but a day off sick probably don't have much interest in what the govt does or doesn't do, aside from the odd DM style rant about immigration or similar imho.
As for what they're using for brains, I do sometimes wonder if it's an approximate mix of treacle and mashed potato. Not that the two should ever meet, mind.
"organisations can mitigate these effects by learning how to identify and protect against malicious traffic."
Can they really escape a DDoS attack just by doing that? Last time I checked you needed to spread your infrastructure across different upstreams. Not the kind of resources available to your run-of-the-mill website.
Indeed, unless you're able to filter upstream from your infrastructure a big attack can still saturate your bandwidth even if you're then dropping every single packet that's received.
Where it can be of use, though, is where the DDoS isn't just about swamping the server with packets. Some 'smaller' DDoS attacks (in terms of the amount of traffic) work by opening numerous connections to the server in an attempt to exhaust the available resources. Filtering these can be really effective, but you do still run the risk of bandwidth saturation if the number of bots trying to connect is too high.
What makes it worse is that you don't even really need a botnet nowadays. There are 'cloud' based organisations that will allow you to run your own DDoS load test using their services. One of our customers got hit hard by 80legs a while back. Despite claims on their website of obeying this, that and the other, the only way we managed to mitigate the effects was to create a rule that would identify their UA and redirect the traffic back to 80legs. Being cloud based, the connections came from a shit-load of different IPs and as soon as you'd blocked one another sprang up. Never did hear back from the snot-o-gram I sent them suggesting that they implement a mechanism to verify the 'customer' owned the tested domain before they could launch a test (creating a file with a given name would be sufficient in most cases IMHO).
It's interesting seeing the different targets of attacks (even if it is a pain in the arse dealing with the attack itself). Sometimes it's bad luck, other times the victim is targeted along with others in a similar category (say games sites for example).
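The two mitigations the post above describes (filtering clients that open far more connections than a real visitor would, and matching a load-testing service's user agent so its traffic can be redirected) together with the domain-ownership check it suggests, as an added Python example. This is not code from the article or from any commenter. The access-log lines, the "80legs" user-agent substring, the 10-requests-per-second threshold and the `.well-known/load-test-<token>.txt` path are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in combined log format (not real traffic):
# one normal visitor, two crawler nodes with an ASSUMED "80legs" user agent, and
# one client firing a burst of requests inside a single second.
_NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64)"
_CRAWLER_UA = "Mozilla/5.0 (compatible; 80legs-crawler; +http://example.invalid)"


def _line(ip, ts, ua, path="/"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = (
    [_line("10.0.0.5", f"20/Sep/2012:17:00:0{s} +0000", _NORMAL_UA) for s in (1, 3, 5)]
    + [_line(ip, "20/Sep/2012:17:00:02 +0000", _CRAWLER_UA, f"/page{n}")
       for n, ip in enumerate(("192.0.2.10", "192.0.2.11"))]
    + [_line("198.51.100.7", "20/Sep/2012:17:00:04 +0000", _NORMAL_UA, f"/?q={n}")
       for n in range(12)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed substring identifying the load-testing service's crawler nodes.
CRAWLER_RE = re.compile(r"80legs", re.IGNORECASE)


def parse(lines):
    """Parse combined-format log lines into {ip, ts, ua} records; skip malformed lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append({"ip": m["ip"], "ts": ts, "ua": m["ua"]})
    return records


def classify(records, ua_pattern, max_per_second):
    """Return {ip: action}.

    'redirect' when the user agent matches (bounce the crawler back to its operator),
    'drop' when an IP exceeds max_per_second in any one-second bucket (the
    connection-exhaustion pattern), 'allow' otherwise. The UA match wins because it
    identifies the source regardless of how fast any single node is going.
    """
    per_sec = defaultdict(lambda: defaultdict(int))
    ua_hit = set()
    for r in records:
        per_sec[r["ip"]][r["ts"].replace(microsecond=0)] += 1
        if ua_pattern.search(r["ua"]):
            ua_hit.add(r["ip"])
    actions = {}
    for ip, buckets in per_sec.items():
        if ip in ua_hit:
            actions[ip] = "redirect"
        elif max(buckets.values()) > max_per_second:
            actions[ip] = "drop"
        else:
            actions[ip] = "allow"
    return actions


def verify_ownership(domain, token, fetch):
    """Pre-flight check a load-testing service could run before accepting a target:
    the customer must serve `token` from a well-known path on the domain.
    `fetch(url)` returns the response body as str, or None; it is injected so the
    function runs offline. The path layout is an assumption for this example."""
    url = f"http://{domain}/.well-known/load-test-{token}.txt"
    body = fetch(url)
    return body is not None and body.strip() == token


def demo():
    """Run the classifier over the constructed log with a 10 req/s threshold."""
    return classify(parse(SAMPLE_LOG), CRAWLER_RE, max_per_second=10)


if __name__ == "__main__":
    for ip, action in sorted(demo().items()):
        print(f"{ip:15} {action}")
```

The rate check only sees traffic that already reached the server, which is exactly the limitation raised above: it helps against attacks that exhaust connections or worker processes, not against ones that saturate the link before the filter runs.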
Well, that explains why I have bollards and yellow/black safety tape around my desk. Hi-visibility jacketed people everywhere controlling the scene so it does not get out of hand.
Oh, look. A modified speed camera pointing at my desk that goes off whenever I send out more than 1000 SYN requests per second.
Neither the tools, nor the blackhats' use of them, is anywhere near "new" - it's been going on for years, since the tools were first published online.
As for mitigating them, unless you can spread your servers and such over a ton of different upstreams, you've got no hope of ever stopping such an attack, either saturating them to the point of uselessness, or taking them down completely.
I believe this is news from approximately 12 years ago, back in the days of Sasser, Netbus etc.
How can an antivirus determine the difference between legitimate and illegitimate access? Some anti-viruses could even be labelled as illegitimate themselves, as they have demonstrably damaged systems before.
Where's the line... Application-based injection is an attack method... and isn't anything new (refer to the OSI model).
DDoS is purely a cumulatively widespread exhaustion of resources...