As with everything I've seen from "Anonymous" so far, it's a completely unsophisticated attack. All it does is create an image object in JS and set the src of the image object to the URL to be attacked, with some random garbage appended to confuse naive caching systems. It initially attempts to do this about once every millisecond, but it looks like it will shut itself down if there are too many failed requests.
It's pretty lame. I mean, they're not targeting an especially bandwidth-heavy thing. They're not submitting forms to flood a database or crash an email server. They're not attempting to exploit any vulnerabilities at all. They're literally just trying to spam it for as long as their attention span lasts.
The only thing a network monkey needs to do to mitigate an attack like this one is mount a few nginx proxies to handle anything with the garbage URL attached and then immediately close the connection while letting everything else through.
edit: Hah! The biggest single element on the justice.gov home page is the jquery script it includes, which is almost twice the size of the index page. Anon could have doubled their effectiveness just by sending requests for jquery instead. :-)
In any event, the traffic from a web browser is going to look different from traffic generated by LOIC. A web browser is a very high-level tool with lots of constraints to keep web pages from doing "bad things". These constraints would make it pretty easy to profile traffic from web browsers vs LOIC. Granted, LOIC could mimic these constraints, but that would significantly diminish its operating capabilities.
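The request pattern described in the comments above (one path requested over and over with random text appended to defeat caches) can be picked out of an access log. This is an added example, not code from the thread; the log lines, addresses, thresholds and the `find_cache_busters` name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (client, time, path, query), or None for lines we do not handle."""
    m = LINE.match(line)
    if not m:
        return None
    client, stamp, target = m.groups()
    url = urlsplit(target)
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, url.path, url.query

def find_cache_busters(lines, window=timedelta(seconds=10), min_hits=5, min_unique=0.9):
    """Flag (client, path) pairs that request one path at least min_hits times
    inside `window` with nearly every request carrying a different query."""
    events = defaultdict(list)
    for client, when, path, query in filter(None, map(parse, lines)):
        events[(client, path)].append((when, query))
    flagged = {}
    for key, seen in events.items():
        seen.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1                      # slide the window forward
            burst = seen[start:end + 1]
            unique = len({q for _, q in burst if q}) / len(burst)
            if len(burst) >= min_hits and unique >= min_unique:
                flagged[key] = max(flagged.get(key, 0), len(burst))
    return flagged   # {(client, path): largest burst size}

# Constructed sample: one client appending a different suffix to "/" on every
# request, and one ordinary visitor who reloads "/" and fetches two other URLs.
def _line(ip, sec, target):
    return f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE = (
    [_line("198.51.100.7", i // 3, f"/?r={i * 7919 % 100003}") for i in range(9)]
    + [_line("203.0.113.20", 2 * i, "/") for i in range(5)]
    + [_line("203.0.113.20", 1, "/search?q=press"), _line("203.0.113.20", 3, "/js/jquery.js")]
)

if __name__ == "__main__":
    print(find_cache_busters(SAMPLE))
```

The flagged pairs are candidates for a rate limit or a proxy rule; for paths that take no parameters, dropping the query string from the cache key lets the cache absorb the repeats.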
The whole conversation surrounding LOIC and this new web-based tool is full of bad information and misunderstandings.
It works like this: Your computer asks to open a TCP connection by sending a SYN packet to the server. The server responds with SYN/ACK. Your computer is expected to send ACK to complete the 3-way-handshake and to establish the connection. Except that, in this attack, your computer never sends ACK.
The server usually reserves a few resources to maintain that half-open connection, such as a socket and a thread that waits for the connection to finish.
If enough people do this, the server runs out of resources rather quickly and it's practically impossible to block it without a server farm. Even if a firewall-script prevents the server from crashing by limiting the number of open (half-open) connections, by blocking attacking IP addresses and by reducing their timeout, it can't distinguish between legitimate traffic and DoS traffic.
So, given that a single computer easily pumps out several hundred or even thousand requests per second, the amount of traffic quickly grows when many users are involved.
By the way, with a single computer, it is more or less impossible to take down a server with only SYN flooding, as your computer requires more or less the same computational power to establish the connection and most servers have more RAM and a bigger connection to the internet.
It really gets messy when you use encryption, where the server has to do more computational work than a client. Then, you can easily DoS a server from a single computer. However, this is NOT done with the LOIC, but there was a tool recently that performs this kind of attack against, I forgot, I think Apache with a vulnerable OpenSSL version.
So, this whole attack is on OSI layer 4 and is indeed a TCP-based attack. HTTP traffic is on layer 5+ and it's not possible to achieve half-open TCP connections with a browser.
Nevertheless, a DoS is still possible. There are two ways:
1. Many clients ask simultaneously for a computationally expensive operation. For example, some sort of filtering mechanism for the member list of a community site. Depending on the database backend, such a request can cause a more or less sophisticated SQL query.
These are usually the places where programmers should optimize their queries (or use caching etc.) to prevent the server from crashing.
2. Simply ask for a resource like an image or a larger JS file, but do this often with many clients. This also happens when a small blog writes a good article and is linked on HN or reddit. The incoming traffic is too big to be handled.
Generally speaking, it depends heavily on the server's environment regarding caching, optimization, load balancing, a firewall script, an Intrusion Detection/Prevention System etc. whether or not a browser-based attack can be successful.
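The half-open connections described in the comment above are visible on a Linux server as sockets in the SYN_RECV state. This is an added example, not code from the thread: it counts them per listening port from text in `/proc/net/tcp` layout, with a constructed sample, a `backlog` value you supply, and a little-endian host assumed for address decoding.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = "03"  # state code the kernel prints for a half-open connection

def decode_ip(hex_addr):
    """Decode the IPv4 address column (assumes a little-endian host)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def half_open_by_port(proc_net_tcp):
    """Map local port -> list of remote IPs whose handshake is unfinished."""
    pending = defaultdict(list)
    for row in proc_net_tcp.splitlines()[1:]:        # skip the header row
        fields = row.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        port = int(fields[1].split(":")[1], 16)
        pending[port].append(decode_ip(fields[2].split(":")[0]))
    return dict(pending)

def report(proc_net_tcp, backlog):
    """Per port: half-open count, share of the SYN backlog, distinct peers."""
    out = {}
    for port, peers in half_open_by_port(proc_net_tcp).items():
        out[port] = {
            "half_open": len(peers),
            "backlog_used": len(peers) / backlog,
            "distinct_peers": len(set(peers)),
        }
    return out

# Constructed sample in /proc/net/tcp layout: one listener, one established
# visitor, six half-open entries from six different documentation addresses.
def _row(n, remote, state):
    return (f"{n:4d}: 0100000A:0050 {remote} {state} 00000000:00000000 "
            "00:00000000 00000000     0        0 0")

SAMPLE = "\n".join(
    ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
     _row(0, "00000000:0000", "0A"),
     _row(1, "147100CB:D431", "01")]
    + [_row(2 + i, f"{i + 1:02X}6433C6:C350", SYN_RECV) for i in range(6)]
)

if __name__ == "__main__":
    print(report(SAMPLE, backlog=8))
```

A high `backlog_used` spread across many `distinct_peers` with one entry each is the case the comment describes, where per-address blocking has little to act on.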
I see what they are trying to do. They want to show that the will of a few can control the masses...but hijacking a bystander's browser will only make Anonymous look like a bunch of assholes. This tactic will give the media and/or government a way to paint Anonymous in a different light.
Since anon is basically reduced to tearing down posters they may as well tear down the posters with functionality built in.
This type of behavior isn't insignificant; it's dangerous. The fact of the matter is that most people have no idea what programmers are capable of, and what makes one attack sophisticated and dangerous or another one benign. These high-visibility, low-value attacks do absolutely no damage to "the establishment". On the contrary, the visibility of the attacks makes this type of behavior doublespeak fodder.
Computer hackers broke into government computers last night, disabling government communication. What can hackers do to your Facebook profile? Does your child have a Facebook profile, and are they safe? Tune in at ten and find out how you can protect your children.
Etc. All closing civilizations invoke a powerful and unseen enemy. What is more powerful and unseen than The Internet? We must be careful, as a collective, to draw the line in how we protest. "Terrorists" were the last great invisible enemy, but people are getting tired of hearing about "terrorists". They're just not scary like they used to be. Will "hackers" be the next great invisible enemy? Why not? Everyone has a computer; a little fright center in their living room, or held up to their head. We get up in arms about location tracking in iPhones, but:
Law enforcement officials say that the tracking technology was put in there to help locate lost children or assist in the pursuit of known criminals. But now, officials say, computer hackers have found a way to get to this information, tracking you wherever you go. What information is your phone sending that you can't afford not to know about? Find out at ten.
There's a right way and a wrong way to defend Net Neutrality. This is not the right way.
Here's what it looks like w/o the JS attack code: http://pastehtml.com/view/bloqs5aae.html
d0z.me (http://d0z.me/) is similar in effect to this, although not the same.