Previously, Low Orbit Ion Canon (LOIC) was the go to weapon for Anonymous supporters during protests against dictators in North Africa, and Operation: Payback. However, LOIC is also the reason scores of people have been arrested in the last year, so many feel its time is at an end.
The new tool, called #RefRef, is set to be released in September, according to an Anon promoting it on IRC this afternoon. Developed with JavaScript, the tool is said to use the target site’s own processing power against itself.
According to Developer "RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection."
The new tool, called #RefRef, is set to be released in September, according to an Anon promoting it on IRC this afternoon. Developed with JavaScript, the tool is said to use the target site’s own processing power against itself. In the end, the server succumbs to resource exhaustion due to #RefRef’s usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.
The tool is very effective, a 17-seconds attack from a single machine resulting in a 42-minute outage on Pastebin yesterday. As expected, the Pastebin admins weren't very happy with their platform being used for such tests and tweeted "Please do not test your software on us again."
The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.
This means there are a lot of possible targets out there that will be hit at least once. "This tool only makes you vulnerable if you don't keep your systems patched, perform the basic security, which is how Sony got caught with it's pants down," the RefRef developers said.
The tool works by turning the servers against themselves. It sends malformed SQL queries carrying the payload which in turn forces the servers to exhaust their own resources. However, the tool's GUI does have a field for inputting the refresh interval so it might combine traditional forms of HTTP hammering with the new technique.
Some security experts have been skeptical that the success of Anonymous's DDoS attacks can be explained through LOIC alone. They proposed that some of the group's supporters also have access to botnets, a theory that has partially proven to be correct.
In the end, the server succumbs to resource exhaustion due to #RefRef’s usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.
We will keep you posted here on ps3endusers.blogspot with any updates as they come looking forward to the new freedom fighters weapon-o-choice :)
Hacktivism Will Never Die!
We will keep you posted here on ps3endusers.blogspot with any updates as they come looking forward to the new freedom fighters weapon-o-choice :)
Hacktivism Will Never Die!
Source:
http://anonops.blogspot.com/
Developer Source Site:
http://anonworldunited.wordpress.com/2011/07/30/i-hate-asking/
I Hate Asking, But Its For The Team – Get #RefRef 2 Weeks Early!
Hello All! Short and Sweet. We need a new server rack to get #RefRef working fully, safely, and correctly. We have set up a BitCoin wallet. 16XhDyzNeHW1FKzmN4HrhdE1CdGF1YM9CW – Thank you for helping out financially to our cause. Also, for everybody who has donated via BitCoin – You will be given the software on August 13, 2011, or when we are ready to release. There will be a 3 week block between final production day until DropDay. Thank you so much for understanding. — 16XhDyzNeHW1FKzmN4HrhdE1CdGF1YM9CW —Developer Source Site:
http://anonworldunited.wordpress.com/2011/07/30/i-hate-asking/
No comments:
Post a Comment