The Changing Face of Hacktivism
The term "hacktivism" often conjures up images of small groups of left-wing hackers defacing Web sites of political parties in an expression of outrage, coupled with demands of truth and justice for the down-trodden. This may have been the case ten years ago, but more recently hacktivism has broken the predefined mold in more ways than one.
The features of the Internet that make it such an invaluable tool for communicating with the global population also provide an avenue for disgruntled groups to voice their opinions, send messages of unity to the like-minded at great speed, and coordinate electronic attacks. The development of distributed denial-of-service kits, combined with their ease of use and the ability to globally distribute them in minutes, effectively means that an entire country can mobilize a group of dedicated attackers, numbering in the millions, in a relatively short time. Though a vast proportion of these 'net warriors are not security experts, the architecture of distributed denial-of-service attacks does not require sophisticated skills or a strong understanding of computer networks. Even a group of fairly novice computer users can, with some management, pull off a devastating attack. The activities of hacktivists include email bombs, spam, virtual blockades, and sit-ins (denial-of-service attacks). These are in addition to general hacker activities, such as Web hacking, defacement, and malicious code attacks.
The denial-of-service attack against Estonia in April 2007 is probably the most famous in recent history. A distributed attack lasting three weeks targeted some of Estonia's critical infrastructure, resulting in the inability to perform credit card transactions and cutting access to a range of services both within and external to the country. Spam was also used in an attempt to generate further support both politically and financially. The Estonian government insinuated that the attack was a state-sponsored response by Russia to the relocation of a Russian memorial statue in Estonia; however, computer security experts have suggested that the attacks more closely resembled the work of smaller, coordinated yet independent groups.
More recently a poll was conducted by "Capital," a French business magazine, asking readers whether or not a boycott of the Beijing Olympics opening ceremony as a protest against Chinese rule over Tibet was appropriate. Three hundred responses were recorded on the first day of polling, with around 80% in favor of a boycott. Results for the second day recorded approximately 20,000 responses, with 80% opposing a boycott. Magazine editor Jean-Joel Gurviez confirmed that the spike of votes on the second day of polling originated from Chinese address space. Over the next few days intrusion attempts were carried out, also from Chinese address space, resulting in the temporary closure of the Web site.
One of the main problems in countering distributed denial-of-service attacks is accurately distinguishing between legitimate and attack traffic. While ICMP and UDP floods may be easier to identify and filter, attacks against Web servers are more difficult to mitigate. After all, a denial-of-service attack may occur in the form of significantly increased legitimate HTTP requests. What would be the result if your Web server experienced an extra million requests per hour? The financial cost alone of a single-day denial-of-service attack against a large business can run into the millions.
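One way to begin separating flood traffic from legitimate requests in a Web server's access log, as an added example that is not from the article: the script below parses constructed combined-format log lines, measures each source's peak request rate inside a sliding window and how uniform its requests are (same path and user-agent), and flags the sources that look automated. The log sample and the thresholds are assumptions for illustration, not figures from the text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format: two ordinary visitors
# plus one source that hits the same URL 40 times in 40 seconds with a fixed agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2008:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2008:12:00:03 +0000] "GET /news HTTP/1.1" 200 8210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2008:12:00:02 +0000] "GET /poll HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
] + ['192.0.2.9 - - [10/Apr/2008:12:00:%02d +0000] "GET /poll HTTP/1.1" 200 3100 "-" "curl/7.18"' % i
     for i in range(40)]

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(lines):
    # Group (timestamp, path, user-agent) per source address; malformed lines are skipped.
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]].append((ts, m["path"], m["ua"]))
    return events

def peak_rate(timestamps, window_s):
    """Largest number of requests from one source inside any window_s-second span."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while (t - ts[left]).total_seconds() > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best

def flag_sources(lines, window_s=60, max_per_window=20, uniformity=0.9, min_hits=10):
    """Return {source: [reasons]} for sources whose traffic looks like flood traffic.
    Thresholds are assumed starting points; tune them to the site's normal load."""
    findings = {}
    for ip, evs in parse(lines).items():
        rate = peak_rate([e[0] for e in evs], window_s)
        top = Counter((p, ua) for _, p, ua in evs).most_common(1)[0][1]
        reasons = []
        if rate > max_per_window:
            reasons.append(f"{rate} requests within {window_s}s")
        if len(evs) >= min_hits and top / len(evs) >= uniformity:
            reasons.append(f"{top / len(evs):.0%} of requests identical in path and user-agent")
        if reasons:
            findings[ip] = reasons
    return findings
```

Rate alone will also catch a busy proxy or a legitimate surge, which is the article's point; the uniformity signal is what separates a single script from many distinct readers behind one address.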
While traditional activist groups face the prospect of arrest during staged demonstrations if things get out of hand, their electronic counterparts enjoy a mostly threat-free existence. The average hacktivist who runs a pre-compiled denial-of-service application as part of a coordinated attack can sleep easy at night without fear of the FBI breaking down their door the next morning. The inclusion of sophisticated anonymity techniques, such as onion routing and proxy chaining, into these distributed denial-of-service applications increases the difficulty in tracking down those responsible.
As researchers continue to discuss the size and strength of botnets currently operating in the wild, it is important to view netizen hacking in a similar context. Although it differs from the operation and management paradigm of a traditional botnet, the most obvious difference being the "opt-in" membership, there are some strong similarities. Distributed denial-of-service functionality and the coordination and control of nodes (of some form) provide the architects of these opt-in botnets comparable functionality to that of an uncomplicated yet powerful botnet.
So what’s the solution? In terms of protection against denial-of-service, the same rules apply as for traditional attacks, including the implementation of SYN caching and SYN cookies, and RST tuning through kernel and registry hardening. Upstream support should also be investigated, so that service providers can assist in defending against flood or resource starvation attacks from their end. As has been demonstrated time and time again, there is no silver bullet for computer and network security. Best practice security principles exist for a reason, and all organizations regardless of size should be familiar with them.
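The kernel side of those mitigations, as an added example that is not from the article: the script below parses `sysctl -a`-style output (a constructed sample from an unhardened Linux host) and reports which SYN-flood-related settings miss an assumed baseline, together with the `sysctl -w` commands that would correct them. The baseline values are assumptions chosen for illustration, not recommendations from the text.

```python
import re

# Assumed hardening baseline for the Linux knobs behind SYN cookies and backlog tuning
# (starting points for this example, not figures from the article).
BASELINE = {
    "net.ipv4.tcp_syncookies": ("==", 1),          # answer with SYN cookies once the backlog fills
    "net.ipv4.tcp_max_syn_backlog": (">=", 4096),  # half-open connections held before cookies engage
    "net.ipv4.tcp_synack_retries": ("<=", 2),      # give up early on peers that never finish the handshake
    "net.ipv4.tcp_syn_retries": ("<=", 3),         # same for outbound connection attempts
}

# Constructed `sysctl -a`-style output from a host with no SYN-flood hardening applied.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 6
net.ipv4.ip_forward = 0
"""

OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def parse_sysctl(text):
    """Turn 'key = value' lines into a dict, ignoring anything that does not fit."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=\s*(\S+)", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit(values, baseline=BASELINE):
    """Compare parsed sysctl values with the baseline.
    Returns ({key: (current, requirement)}, [sysctl -w commands that would fix each miss]).
    A missing or non-numeric key counts as a miss, since its state is unknown."""
    findings, fixes = {}, []
    for key, (op, wanted) in baseline.items():
        raw = values.get(key)
        current = int(raw) if raw is not None and raw.lstrip("-").isdigit() else None
        if current is None or not OPS[op](current, wanted):
            findings[key] = (current, f"{op} {wanted}")
            fixes.append(f"sysctl -w {key}={wanted}")
    return findings, fixes
```

Changes made with `sysctl -w` do not survive a reboot; persist the agreed values in `/etc/sysctl.conf` or a file under `/etc/sysctl.d/` once they have been tested under real load.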
Without doubt, hacktivism will continue to be a challenge faced by many individuals, communities, businesses and government organizations both now and into the future. It is important to consider the ramifications of hacktivism as it takes a more active role in the threat landscape. While not identical to a traditional botnet in structure and operation, hacktivist networks should be recognized as the threat they are and managed as such.