Anonymous has launched OpLGBT, a DDoS campaign targeting the state of North Carolina and its governmental institutes in response to controversial legislation passed by the state’s General Assembly - House Bill 2 (known as the “bathroom law”). The bill bans people from using public bathrooms that do not correspond to their biological sex and has sparked debate regarding LGBT (lesbian, gay, bisexual, transgender) rights.

To date, attackers have struck North Carolina’s website, IT network and cloud-hosted services (see Figure 1). The objective of OpLGBT is to target any government or group (see Figures 2 & 3) that are directly or indirectly related to anti-LGBT legislation or hate – a hint this cyber assault may turn into an ongoing operation that requires the additional preparation. Increasing traction amongst the hacktivist community could result in OpLGBT evolving in volume and sophistication, including DDoS bursts, web intrusion and data theft attempts, thus becoming a persistent attack



Attack Vectors

TCP Flood - This is one of the oldest and most popular Denial of Service (DoS) attacks. It involves sending numerous SYN packets to the victim. In many cases, attackers will spoof the SRC IP so the reply (SYN+ACK packet) will not return, thus overwhelming the session/connection tables of the targeted server or one of the network entities on the way (typically the firewall). Servers need to open a state for each SYN packet that arrives and they store this state in tables that have limited size. As big as this table may be, it is easy to send sufficient amount of SYN packets that will fill the table. Once this occurs, the server starts to drop a new request, including legitimate ones. Similar effects can happen on a firewall which also has to process and invest in each SYN packet. Unlike other TCP or application-level attacks, the attacker does not have to use a real IP - this is perhaps the biggest strength of the attack.

SQL Injection - Exploiting poor coding of web application where the inputs are not sanitized therefore exposing application vulnerabilities. SQL injection is the most common type of injection attack which also count LDAP or XML injections. It is by far the number one vulnerability listed in OWASP Top 10. The idea behind a SQL injection is to modify an application SQL (database language) query in order to access or modify unauthorized data or to run malicious programs. Most web applications rely on databases where the application data is stored and being accessed by SQL queries and modifications of these queries could mean taking control of the application.

Targets of Operation LGBT

North Carolina Government:

Supporters of House Bill 2:


Solution Criteria for Organizations Under Threat:

Protection from TCP Floods and other DDoS attacks:

Protection from SQL injections and web application vulnerabilities:

Radware's hybrid attack mitigation solution provides a set of patented and integrated technologies designed to detect, mitigate and report the most advanced threats. Dedicated hardware and cloud solutions protect against attacks in real time and help ensure service availability.