Emergent Digital Warfare: Swarming; A Further Look at C2
The Hive Mind
In my last post I talked about the “swarming” tactics that were being employed by Anonymous and elements of 4chan to DDoS sites in their “operations” This post is going to deal with more of what can be tactically done to respond to not only the tactic of swarming (via electronic DDoS as opposed to in a real battlefield) but also the DDoS as a vector of attack itself. I have been Googling quite a bit and have turned up some interesting papers on the subjects and this topic has had me thinking quite a bit for a while now.
What has been at the back of my mind all of this time has been the claims that Anonymous is a “collective” of people that perform a hive mind style of Athenian Democracy (that’s the media’s dubbing there, not mine) inside the digital domain of IRC to choose their targets and launch their attacks. However, I would like to correct this statement and state that I believe it to be dissembling on the part of Anonymous to say that it is truly a leaderless aggregation of entities. Instead, I believe that there are a core group of individuals who comprise the C2 structure that then in turn guides others to the hive mind.
Why do I say this? Well, lets look at it from the perspective of bees. Bee’s are a hive mind, however, they have a queen do they not? It is that queen who runs the hive and not an Athenian black marble in a jar of white one’s kind of way. The worker bee’s have no say in the actual targeting of anything, but a chemical signal and dance from another will set them off to attack or to go to a specific place rich in flowers to pollinate. In short, the bees do not have frontal lobes and large brains, so there is a more complex system of decision making that goes into higher brain function individuals on an IRC channel than there is in a chemical signal to a bee to attack something.
So, in the case of the IRC channels and the C2 (command & control) of the Anonymous Operations, I say that there is a more complex system at play and that they, by their very nature, require a command and control structure that requires key players to facilitate them.
Cells and Compartments
There have been reports that there are a core group of hackers who are at the heart of this C2 architecture and I would tend to agree that they may indeed be hackers (the loose term by way of technically savvy individuals) and they in fact have at their disposal systems such as IRC servers and channels that they either fully control themselves, or that they are loaned time on. I believe that there is a more hierarchical structure to the Anonymous group than they would like to admit, and as such, they are in a much more precarious position than they might indeed think tactically. Sure, they have plenty of cannon fodder out there using the LOIC, but, the core cabal still hold the digital strings. In this case, we have many skiddies out there, so who are the brains behind the coding and implementation?
Just as well, take a look at the collective press releases that have been made on piratepad etc. Last one I saw had 16 authors working on the whole… 16 is not legion… 16 is “finite” So, sure, at present you have LOIC which is not obfuscating IP addresses of end users, and you have kids out there just doing this for shits and giggles, but elsewhere, you have the likes of those who hacked Gawker. Those weren’t skiddies, just how many were there and were they working in completely compartmented cells? If not, then eventually the cells will be broken.
Think about it this way… Everyone that you bring into this venture has the potential of being from the opposition. All it takes is one agent provocateur to bring a network down.
The Technologies of DDoS Swarming
The IRC systems that the hive mind and Anonymous operations have been using so far, have started to be targeted by the federal authorities of not only the US but other countries in hopes of gathering logs and decommissioning them for C2 use. The current server irc (anonops.ru) sits in Russia, and in fact is likely to be a bit safer out there at present, but, note that they moved it to Russia in order to prevent being taken down and seized. This is the fatal flaw in the system that Anonymous has yet to really come to grips with. By announcing their targets and their channels to connect to the C2 network, they give up their tactical advantage for not getting popped. When the authorities know where the systems are that are the actual C2 mechanism, then they will use any and all force to go after those nodes and take them down.
A more fully working and secure system would be the traditional botnet approach though for this type of sustained attacks. By using botnets of infected machines, Anonymous would have a better chance at not actually getting pinched as easily as they might because they in the open with their C2 channels and their methodologies (i.e. LOIC) After all, once the warrants go out on all those kids like the ones in Germany, then there will be a bit more of a call for the commanders to create more “secure” technologies than LOIC to perform the DDoS won’t there? Or are they not planning that far ahead?
You see where I am going with this? You still have a single point of failure in the IRC and the LOIC’s insecure natures. Eventually, no one will want to play unless they can be assured that they are protected by IP obfuscation.
My recommendation? Use the botnets and forget the skiddie stuff. Sooner or later, you all will piss off the wrong folks and your single point of failure in the “hive” system will bring you all down. All it would really take at the present moment would be for the authorities in .ru (cough KGB cough) to backdoor the system and audit all of the traffic on it. Unless you are shelled in with a proxy (funny, how anon doesn’t allow TOR on their IRC) then its highly likely someone would be on your doorstep soon enough breaking it down.
For that matter, the KGB just might like to get in there and use you all for their own ends.. Anonymous would make a nice patsy wouldn’t you?
Countermeasures for DDoS
Meanwhile, all of these events have brought the specter of DD0S to the fore again for the greater community at large doing business on the internet. DD0S is such a simple idea but it seems to be a daunting task to differentiate the traffic and mitigate an attack of this type. Because all of the traffic is ostensibly authentic according to the routers and servers, the problem becomes either how to determine if indeed it is truly authentic traffic or an attack vector. Therein we have the swarming that I spoke of before, the server is swarmed over with connection attempts.
The Military has been working on the DDoS issue for some time now and there are some good papers on the subject:
It looks as though the best means so far discussed have to do with a type of packet filtering approach that could potentially differentiate good from bad traffic, but that would take another stratification of traffic (network layer) and likely would be costly and perhaps not so good for net neutrality. As yet though, no one seems to have a good solution to the problem… So, there will always be the potential for a large scale attack on any site that will take it offline and perhaps overtax the servers themselves overhead wise. These though, are only one form of direct attack DOS on a site… What about DDoS on say a router or the main DNS servers out there on the net?
The time of Anonymous is upon us. I wonder however, just how long that will be though, because I fear that they have awakened the sleeping giant just as it has become technologically self aware. I am sure that in 2011 there will be arrests and dismembering of Anonymous and groups like them when they poke the badger one too many times.. That is, there will be more of them popped unless they get a bit smarter about their OPSEC.
The technologies out there now are going to be worked on and sometime in the near future, I suspect there will be some more mitigations offered by the likes of CISCO etc for DDoS. Until that time, the LOIC and its progeny will continue on DoS’ing sites offline as a protest or just for the lulz. I wonder though, if the Anonymous C2 will realize that what I have said above is true, and work on some obfuscation techniques for their networks and end users…
Time will tell…
In truth, 2011 will be the year of the cyber war and we are in for a ride folks.