Anonymous attackers not so untraceable

The tool of choice in the ongoing pro-WikiLeaks DDoS attacks by digital vigilante group Anonymous may leave its users open to prosecution, failing as it does to adequately protect their identity.

That's the claim of the Design and Analysis of Communication Systems Group at the University of Twente, which recently released a report into the Low-Orbit Ion Cannon, or LOIC, distributed denial of service tool favoured by Anonymous for attacking corporate websites by which it feels aggrieved.

In the report, the researchers claim that "even though the group behind the attacks claims to be anonymous, the tools they provide do not offer any security services, such as anonymisation. As a consequence, a hacktivist that volunteers to take part in such attacks, can be traced back easily" - and that means a possible prosecution under local computer crime laws.

The team looked at two versions of the LOIC software, a desktop version that requires a download and a web-based version written in JavaScript. Both versions, the researchers claim, make no effort to hide the IP address of the attacking system - meaning that every packet sent to a target site is tagged with the sender's own IP address, an identifier that can be traced back to its source.

The main security in such attacks, as with the meatspace equivalent of a riot, is in numbers: while your packets are tagged with your IP address, the DDoS attack features hundreds or even thousands of attackers - making it hard for a company to trace back a single source IP during a prolonged attack.

The researchers, however, warn that this is not enough, thanks to the European Directive on The Retention of Data Generated or Processed in Connection With the Provision of Publicly Available Electronic Communication Systems - also known as Directive 2006/24/EC. This Directive requires communications providers, including ISPs, to hold data for no less than six months and no more than two years - meaning that ISPs will retain records showing which subscriber was assigned which IP address for up to six months after the attack took place.

That's bad news for Anonymous and its LOIC-wielding army: anyone participating in the DDoS attacks in support of file sharing and more recently WikiLeaks could potentially find themselves in court on pretty serious charges - and with targets such as MasterCard, Visa, and PayPal able to easily prove monetary damages from the attacks, a police investigation seems all but assured.