Daily Archives: 10/08/2011

#RefRef : Anonymous testing LOIC replacements – new tool uses server exploits

( Anonymous is developing a new DDoS tool. So far, what they have is something that is platform neutral, leveraging JavaScript and vulnerabilities within SQL to create a devastating impact on the targeted website. But will the tool last, and will it make law enforcement’s job harder in the long run?

Previously, Low Orbit Ion Canon (LOIC) was the go to weapon for Anonymous supporters during protests against dictators in North Africa, and Operation: Payback. However, LOIC is also the reason scores of people have been arrested in the last year, so many feel its time is at an end.

The new tool, called #RefRef, is set to be released in September, according to an Anon promoting it on IRC this afternoon. Developed with JavaScript, the tool is said to use the target site’s own processing power against itself.

In the end, the server succumbs to resource exhaustion due to #RefRef’s usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.

As seen in the image above, the tool uses a simple GUI to operate. Yet, the JavaScript driving the tool is where the unusual power comes from. Testing the code, the Anon who explained its usage reported that a test of 17 seconds led to a 42 minute outage early Friday morning on, an outage confirmed by Pastebin on Twitter.

“Imagine giving a large beast a simple carrot, [and then] watching the beast choke itself to death,” explained the Anon promoting the tool.

Based on the screenshots presented of the tool, as well as passive comments by its promoter, we asked how it was different from a script that automates a person simply pressing F5 continuously.

We were told that the tool itself exploits server vulnerabilities, and will work as long as the target server supports JavaScript and some type of SQL. Based on the vague comments by the Anon who explained the tool, the vulnerabilities being exploited are somewhere within the SQL side of things.

As it turns out, the attack is launched client side, and will send a separate script in the connection request made to the target server. This request is actually the exploit itself, and once the server renders the code, it will continue to render it until crashing. In essence, the stronger the server, the faster it crashes.

Asked if the vulnerability being exploited could be patched, the Anon responded that it could, but added that administrators would have to “mass-patch” a file that actually affects many services.

So patching is unlikely to stop it because, “most SQL servers are pulling from a master SQL host” and the tool itself targets “one of the most common SQL services, but also one of the most widespread,” the Anon added, but would not get into further details.

Read more: