Operation Payback - success or failure?
Just how successful were the Anonymous Operation Payback DDoS attacks? Now that the hysterical press coverage has died down, it’s time to take stock.
It’s important to understand the nature of Anonymous: it’s not like a cybercrime gang aiming a botnet at a blackmail target. Nor is it like the Chinese attempting to take down Google.
Anonymous is more amorphous. The group (and we have to have some word for it, so ‘group’ will have to do), likes to present itself as leaderless and totally decentralised. This isn’t true, but what leadership exists is very effectively masked by the ‘anyone can join in’ nature of its activities. There is some guidance, and there are some people taking decisions, but all are encouraged to participate and there is at least a veneer of anarchy even if the reality is somewhat different.
What this means is that objectives are often surprisingly vague. Sometimes you think you know what Anonymous is trying to achieve, but you can’t be sure. This proved to be very useful to the group itself, and we’ll look at that in a moment.
The other difference between an Anonymous DDoS campaign and a botnet-based attack is one of scale. The average botnet might control 30,000 machines. Notwithstanding media exaggerations and boasts by Anonymous itself, the group rarely managed to have more than a few hundred machines flooding its targets at any one time.
Target for today
What were those targets? PayPal came in for some of the most intensive attacks. MasterCard and Visa suffered. Anonymous also went after the law firm representing the two women who made allegations against Julian Assange, the Swedish prosecutor’s office and a number of other sites run by people or organisations deemed to be against Wikileaks or the best interests of Assange.
Twitter - which repeatedly shut down accounts used by Anonymous for co-ordinating the attacks and broadcasting news and information - remained immune. It was obvious from the chat in IRC channels that Anonymous members (‘Anons’) are just too geeky to want to be without one of their favourite toys. There is, of course, hypocrisy in this. But then if you adopt a basically anarchic system of choosing targets and mounting attacks, there is no possibility of sophisticated analysis or reasoned debate. It’s the rule of the mob.
Not much thought seems to have been given to collateral damage. Not that everyone was indifferent: indeed, there were some unhappy voices raised in the IRC channels about the blocking of PayPal affecting ordinary site owners - small businesses, bloggers and so on. One point I didn’t see raised was how attacking the Swedish law firm might affect its ability to support its other clients, with potential for real harm to their lives.
The IRC channels were frenzied, almost hysterical. Voices of reason were shouted down or banned. In its fight for free speech, it seems, Anonymous is fairly intolerant of those who do not share its views.
It became quickly obvious that many Anons were there for the sheer love of the fight. During quiet periods, when no target was defined, you could see calls like “target please” and “let’s attack *something*” from those motivated more by the excitement of irresponsible action without consequences than by any ideological bent. What proportion of Anons just like attacking stuff, as opposed to those who actually have a firm grasp of the often complex issues at stake, is impossible to say.
And let’s not forget that - unlike the Wikileaks issue - the mounting of DDoS attacks by Anonymous is unambiguously illegal. I saw many justifications for this in the IRC channels, but none that rose above the average quality of teenage rebellion.
Naturally, Amazon fell into the sights of Anonymous. The company had kicked Wikileaks from its servers. And just to add fuel to the fire, someone had the nerve to publish a Kindle e-book via Amazon.co.uk containing some of the Cabelgate memos. (The description of the book was later changed to claim that it contained only a discussion of the memos, and the book was soon withdrawn anyway.) This was doubtless a case of Amazon not knowing what was being published via its Digital Text Platform service (it doesn’t read & approve every book), but the Anons took this as an affront by the company, rather than the book’s author. And so Amazon was attacked.
Final results
So, how did Anonymous do? Truth be told, its attacks probably amounted to little more than a nuisance as far as the big corporations go. These are organisations with highly distributed systems, most of them designed to withstand DDoS attacks.
There were frequent cheers of victory in the IRC channels, as various Anons declared the current target to be down. In most cases, this was likely due to that particular Anon having his/her IP address blocked by the target. That’s how anti-DDoS systems operate: they identify IPs sending too many requests in too short a time and blacklist them.
Nevertheless, PayPal, MasterCard and Visa did all suffer brief periods of downtime, at least on small parts of their networks (see the Netcraft graphs for MasterCard, above, and Visa, below). The question is, how much did they suffer? My guess is, not much.
Admittedly, financial organisations like this don’t like downtime - they spend a lot of money and go to great trouble to avoid it, with highly available systems. Nevertheless, some downtime is a fact of life and - viewed in the context of their business over a quarter or a year - the disruption caused by Anonymous will show up as little more than a blip.
Writing on the Forbes site, Matt Schifrin reported that, while MasterCard’s share price took a slight dip while it was being attacked, by the end of the day it had rallied again and was only slightly down on the previous day (which could be the result of any number of factors). Visa’s share price also took a dip when Anonymous attacked, but actually finished higher at the end of the day.
Schifrin goes as far as to say that an attack by Anonymous might present traders with a short-term opportunity. (He didn’t proceed to the obvious conclusion: given that anyone can join Anonymous and rally forces to attack a company, this could be a way for unethical traders to manipulate the market!)
The smaller organisations that got hit - such as the law firm - probably suffered more. Whether this suffering is in any way justified, I leave for you to decide. Internet-based vigilantism is going to become an ever-bigger issue.
Failed attack
Anonymous failed to bring down Amazon, and this was significant not only in the failure itself but in the way Anonymous handled it. The reason was simple lack of firepower. Several hundred individuals firing their Low Orbit Ion Cannon (LOIC) DDoS tool were no match for Amazon’s cloud-based infrastructure - a point noted, I imagine, by many organisations considering a move to the cloud. Amazon brushed off the Anons like so many fleas.
Later, when Anonymous had called off its attacks, it issued a press release (a sign that it isn’t a decentralised as it would like you to think: mobs don’t write press releases). In part, this said:
While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occured [sic]. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.
This is, of course, simply dripping with hypocrisy. The attacks on PayPal, MasterCard and Visa were all capable of affecting “people such as consumers” every bit as much as an attack on Amazon. Quite how an illegal attack on one commercial organisation is “bad taste” while attacks on others are fine isn’t explained.
The reality is, of course, that Anonymous simply failed and is desperately trying to spin the facts to save face - much like a pouting teenager muttering, “I didn’t really want to do it anyway, so there!”. So much for championing transparency and truth.
This spinning continued even in on IRC. The topic of the #operationpayback channel announced: “Mission acomplished” [sic]. I’m not sure if the reference to George W Bush was intentional: either way, it’s unfortunate.
Ironically, Amazon did go down. Its European operation was offline for half-an-hour. I happened to be in the #operationpayback channel when it happened and the result was entertaining. Anons joining the channel would ask “are we attacking Amazon again?”. Others simply crowed “Amazon’s down!”, assuming Anonymous was the reason. Best of all, though, were the many voices calling for Anonymous to take credit, even though they knew it was nothing to do with them (Amazon later said it was a hardware failure). One member even reported having contacted CNN to report that Anonymous had knocked the retailer offline.
Raising awareness
If Anonymous failed to wreak any real damage, does this mean the campaign itself was a failure?
Well, no. In the same press release, Anonymous insists that its main goal was raising awareness. That is partly spin: the members of the IRC channel clearly wanted to cause damage. I’m sure many of them wouldn’t have participated in a campaign with aims as wimpy as ‘awareness’. But there is also truth in it.
And raise awareness they did. Thanks to a press frenzy, which managed to greatly overstate Operation Payback’s effects, everyone now knows about Anonymous, about DDoS attacks and about the frailty of the net.
Whether this added anything to the complex and difficult debate surrounding Wikileaks is a moot point. At the very least, in the minds of the general public, Anonymous has managed to associate Wikileaks and its campaign for information transparency with illegal, irresponsible and faceless vigilantism. Is that good?
