FBI acts against 40 Anons

The execution of 40 search warrants by the FBI against alleged members of Anonymous is part of a co-ordinated operation with the UK’s Metropolitan Police Service, which made five arrests yesterday.

The FBI hasn’t announced any arrests yet and isn’t giving up much information about its targets. Its press release is pretty clear, however, that it is treating the DDoS attacks mounted by Anonymous as criminal acts. In part, the release says:

“The FBI also is reminding the public that facilitating or conducting a DDoS attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability.”

The FBI also points out that it is not acting alone.

“The FBI is working closely with its international law enforcement partners and others to mitigate these threats. Authorities in the Netherlands, Germany, and France have also taken their own investigative and enforcement actions. The National Cyber-Forensics and Training Alliance (NCFTA) also is providing assistance.”

For its part, Anonymous, bless ‘em, have decided to up the ante by declaring war on the UK Government. It’s worth reading the open letter in full, for entertainment if nothing else. It attempts to characterise the DDoS attacks as a hip form of civil protest, but we’ve already seen the authorities are having none of that.

The letter also attempts to excuse the DDoS attacks by pointing out how little damage they did - in other words, Anonymous is making a virtue out of its own ineffectiveness. Why not take this at face value? Well, simply because of my experiences in the Anonymous IRC channels. The Anons participating in the attacks and reporting back via IRC were clearly intent on damaging their targets - they said so in no uncertain terms.

The Internet has a major part to play in civil protest - that’s being demonstrated in Tunisia and Egypt, and is why the governments of those countries are attempting to shut down services such as Twitter and Facebook. But the Anonymous attacks are not in this class. These are over-excited teenagers who’ve watched the Matrix too many times and are keen on a bit of cyber-vandalism because they think there are no consequences. I think they’re in the process of being disillusioned on that last point.

There’s nothing wrong with ‘hacktivism’. People have a right to protest and the Internet has provided a new channel for organising and executing these activities. But when you break the law in order to make your feelings known, you need to be sure that your motives are good, your targets are legitimate and your methods are warranted. Anonymous attacks against the Egyptian Government arguably fall into this category. Its attacks on PayPal, MasterCard et al did not.

Anonymous arrests

Five young men have been arrested in the UK in connection with DDoS attacks mounted by the Anonymous group, according to a report by the BBC. The five range in age from 15 to 26.

This was predictable - up to a point. Anonymous takes a fairly callous ‘cannon fodder’ attitude to its ‘members’ (if you can call them that).

The Low Orbit Ion Cannon (LOIC) software - the weapon of choice for most Anons - is a fairly crude tool. Originally developed by ‘Praetox Technologies’ (a suitably anonymous coder) as a network stress-testing tool, it simply floods the target with HTTP requests, TCP connections or UDP packets from the machine it runs on. It has no proxy support, and routing a flood through a proxy would mostly just DDoS the proxy instead.

Most Anons will have run LOIC from their own machines, although there is also a JavaScript version that can be hosted on a web page and fired from the browser of anyone who visits it. But no version of LOIC makes any attempt to spoof or obscure the originating IP - and for the HTTP and TCP modes it couldn’t anyway, since completing a TCP handshake requires a source address the target can reply to.

A standard defence against DDoS is to monitor the IPs from which large numbers of packets are originating, and then filter those addresses. In the process, of course, you build an effective database of attacker IPs, complete with timestamps. Get a court order and match those against the ISP’s records of which subscriber held each address at the time and you have the identities of the attackers.

Normally, this isn’t of much use: in a botnet-based DDoS attack, the attacker IPs belong to innocent (if sometimes careless) PC owners whose machines have become infected. In the case of Anonymous and LOIC, the IPs identify the attackers themselves - or at least the subscriber whose connection they used - or the websites that have made the JavaScript version available (which could make both the website owner and the hosting company liable).

It’s quite probable that the majority of Anons have no idea that this is the case. Most of them are script kiddies caught up in the excitement, and the prospect of being able to create havoc with no apparent consequences.

Some are aware of the dangers, but there is a dangerously high level of naivety at work. On IRC channels and websites affiliated with Anonymous, advice on how to protect yourself includes claiming your computer was infected with a virus and setting your wifi router to be open so that you can claim someone else used it. Neither of these would stand up in court.

The UK arrests aren’t the first. While Anonymous attacks related to Wikileaks were still in progress, two teenagers were arrested in the Netherlands, and in the US, the FBI seized a server. Two Anons are currently serving time in jail for earlier attacks against the ‘church’ of Scientology.

Some Anons suggest that the authorities would be unable to prosecute the large number of people involved in their attacks. But, of course, they wouldn’t have to. A few test cases would probably be enough to discourage people from joining in — at least, enough people so that Anonymous wouldn’t get the volume of DDoS traffic required to be successful.

Claiming that these attacks were mounted as part of a social protest is unlikely to carry much weight outside of the Anonymous IRC channels (where the debate rarely rises above adolescent levels). DDoS attacks against legitimate companies going about their lawful business are unambiguously illegal in most countries - and pretty much all countries in which Anons are likely to have been operating.

Operation Payback - success or failure?

Just how successful were the Anonymous Operation Payback DDoS attacks? Now that the hysterical press coverage has died down, it’s time to take stock.

It’s important to understand the nature of Anonymous: it’s not like a cybercrime gang aiming a botnet at a blackmail target. Nor is it like the Chinese attempting to take down Google.

Anonymous is more amorphous. The group (and we have to have some word for it, so ‘group’ will have to do), likes to present itself as leaderless and totally decentralised. This isn’t true, but what leadership exists is very effectively masked by the ‘anyone can join in’ nature of its activities. There is some guidance, and there are some people taking decisions, but all are encouraged to participate and there is at least a veneer of anarchy even if the reality is somewhat different.

What this means is that objectives are often surprisingly vague. Sometimes you think you know what Anonymous is trying to achieve, but you can’t be sure. This proved to be very useful to the group itself, and we’ll look at that in a moment.

The other difference between an Anonymous DDoS campaign and a botnet-based attack is one of scale. The average botnet might control 30,000 machines. Notwithstanding media exaggerations and boasts by Anonymous itself, the group rarely managed to have more than a few hundred machines flooding its targets at any one time.

Target for today

What were those targets? PayPal came in for some of the most intensive attacks. MasterCard and Visa suffered. Anonymous also went after the law firm representing the two women who made allegations against Julian Assange, the Swedish prosecutor’s office and a number of other sites run by people or organisations deemed to be against Wikileaks or the best interests of Assange.

Twitter - which repeatedly shut down accounts used by Anonymous for co-ordinating the attacks and broadcasting news and information - remained immune. It was obvious from the chat in IRC channels that Anonymous members (‘Anons’) are just too geeky to want to be without one of their favourite toys. There is, of course, hypocrisy in this. But then if you adopt a basically anarchic system of choosing targets and mounting attacks, there is no possibility of sophisticated analysis or reasoned debate. It’s the rule of the mob.

Not much thought seems to have been given to collateral damage. Not that everyone was indifferent: indeed, there were some unhappy voices raised in the IRC channels about the blocking of PayPal affecting ordinary site owners - small businesses, bloggers and so on. One point I didn’t see raised was how attacking the Swedish law firm might affect its ability to support its other clients, with potential for real harm to their lives.

The IRC channels were frenzied, almost hysterical. Voices of reason were shouted down or banned. In its fight for free speech, it seems, Anonymous is fairly intolerant of those who do not share its views.

It became quickly obvious that many Anons were there for the sheer love of the fight. During quiet periods, when no target was defined, you could see calls like “target please” and “let’s attack *something*” from those motivated more by the excitement of irresponsible action without consequences than by any ideological bent. What proportion of Anons just like attacking stuff, as opposed to those who actually have a firm grasp of the often complex issues at stake, is impossible to say.

And let’s not forget that - unlike the Wikileaks issue - the mounting of DDoS attacks by Anonymous is unambiguously illegal. I saw many justifications for this in the IRC channels, but none that rose above the average quality of teenage rebellion.

Naturally, Amazon fell into the sights of Anonymous. The company had kicked Wikileaks from its servers. And just to add fuel to the fire, someone had the nerve to publish a Kindle e-book via Amazon.co.uk containing some of the Cablegate memos. (The description of the book was later changed to claim that it contained only a discussion of the memos, and the book was soon withdrawn anyway.) This was doubtless a case of Amazon not knowing what was being published via its Digital Text Platform service (it doesn’t read & approve every book), but the Anons took this as an affront by the company, rather than the book’s author. And so Amazon was attacked.

Final results

So, how did Anonymous do? Truth be told, its attacks probably amounted to little more than a nuisance as far as the big corporations go. These are organisations with highly distributed systems, most of them designed to withstand DDoS attacks.

There were frequent cheers of victory in the IRC channels, as various Anons declared the current target to be down. In most cases, this was likely due to that particular Anon having his/her IP address blocked by the target. That’s how the most basic anti-DDoS systems operate: they identify IPs sending too many requests in too short a time and blacklist them - and from the blocked machine, a refused or timed-out connection looks exactly like a dead site.
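The earlier passage on how a defender ends up with a ‘database of attacker IPs’, and the one above on per-IP blacklisting, describe the same mechanism. What follows is an added worked example of it in Python - not code from the original post - that parses access-log lines, flags any source address whose request count crosses a threshold inside a sliding window, records when and at what rate it was flagged (the evidence trail), and emits block rules. The log lines are constructed for the example, and the threshold and window are assumptions, not figures from the text.

```python
"""Per-IP flood detection over web-server access logs.

Added example, not code from the original post. The sample log lines below are
constructed for this example (RFC 5737 test addresses), and the thresholds are
assumptions, not values from the text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "common" log format: client - - [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed traffic: 203.0.113.7 fires eight requests in three seconds (the
# LOIC pattern), while 198.51.100.5 and 192.0.2.9 browse at a human pace.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Dec/2010:14:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.9 - - [10/Dec/2010:14:00:02 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.7 - - [10/Dec/2010:14:00:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2010:14:00:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.5 - - [10/Dec/2010:14:00:15 +0000] "GET /faq HTTP/1.1" 200 3072
203.0.113.7 - - [10/Dec/2010:14:00:20 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.9 - - [10/Dec/2010:14:00:30 +0000] "GET /contact HTTP/1.1" 200 1024
198.51.100.5 - - [10/Dec/2010:14:00:31 +0000] "GET /login HTTP/1.1" 200 1536
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def detect_flooders(lines, max_requests=5, window_seconds=5):
    """Flag each IP whose request count reaches max_requests inside any sliding
    window of window_seconds. Returns {ip: (time_flagged, count)}; an IP is
    recorded once, at the moment it first crosses the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent requests
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        if ip in flagged:
            continue  # already on the blocklist
        q = recent[ip]
        q.append(ts)
        # drop requests that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_requests:
            flagged[ip] = (ts, len(q))
    return flagged


def traffic_share(lines, flagged):
    """(requests from flagged IPs, total parsed requests). With a handful of
    LOIC sources this is most of the flood; with a botnet it would not be."""
    total = hit = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        if parsed[0] in flagged:
            hit += 1
    return hit, total


def blocklist_rules(flagged):
    """Firewall rules for the flagged addresses, one per IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_flooders(lines)
    for ip, (when, count) in flagged.items():
        print(f"{ip}: {count} requests within the window, flagged at {when:%H:%M:%S}")
    hit, total = traffic_share(lines, flagged)
    print(f"{hit} of {total} requests came from flagged addresses")
    print("\n".join(blocklist_rules(flagged)))
```

In practice this logic lives in the web server or firewall (nginx’s limit_req, the iptables hashlimit match) rather than in a script, but the record it produces is the same: an address, a time and a rate, which is exactly what gets matched against an ISP’s subscriber records under a court order. The caveat is that a threshold this low would also catch legitimate users sharing one address behind NAT, so real deployments tune it against normal traffic before switching on the blocking.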

Nevertheless, PayPal, MasterCard and Visa did all suffer brief periods of downtime, at least on small parts of their networks (see the Netcraft graphs for MasterCard, above, and Visa, below). The question is, how much did they suffer? My guess is, not much.

Admittedly, financial organisations like this don’t like downtime - they spend a lot of money and go to great trouble to avoid it, with highly available systems. Nevertheless, some downtime is a fact of life and - viewed in the context of their business over a quarter or a year - the disruption caused by Anonymous will show up as little more than a blip.

Writing on the Forbes site, Matt Schifrin reported that, while MasterCard’s share price took a slight dip while it was being attacked, by the end of the day it had rallied again and was only slightly down on the previous day (which could be the result of any number of factors). Visa’s share price also took a dip when Anonymous attacked, but actually finished higher at the end of the day.

Schifrin goes as far as to say that an attack by Anonymous might present traders with a short-term opportunity. (He didn’t proceed to the obvious conclusion: given that anyone can join Anonymous and rally forces to attack a company, this could be a way for unethical traders to manipulate the market!)

The smaller organisations that got hit - such as the law firm - probably suffered more. Whether this suffering is in any way justified, I leave for you to decide. Internet-based vigilantism is going to become an ever-bigger issue.

Failed attack

Anonymous failed to bring down Amazon, and this was significant not only in the failure itself but in the way Anonymous handled it. The reason was simple lack of firepower. Several hundred individuals firing their Low Orbit Ion Cannon (LOIC) DDoS tool were no match for Amazon’s cloud-based infrastructure - a point noted, I imagine, by many organisations considering a move to the cloud. Amazon brushed off the Anons like so many fleas.

Later, when Anonymous had called off its attacks, it issued a press release (a sign that it isn’t as decentralised as it would like you to think: mobs don’t write press releases). In part, this said:

While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occured [sic]. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

This is, of course, simply dripping with hypocrisy. The attacks on PayPal, MasterCard and Visa were all capable of affecting “people such as consumers” every bit as much as an attack on Amazon. Quite how an illegal attack on one commercial organisation is “bad taste” while attacks on others are fine isn’t explained.

The reality is, of course, that Anonymous simply failed and is desperately trying to spin the facts to save face - much like a pouting teenager muttering, “I didn’t really want to do it anyway, so there!”. So much for championing transparency and truth.

This spinning continued even on IRC. The topic of the #operationpayback channel announced: “Mission acomplished” [sic]. I’m not sure if the reference to George W Bush was intentional: either way, it’s unfortunate.

Ironically, Amazon did go down. Its European operation was offline for half-an-hour. I happened to be in the #operationpayback channel when it happened and the result was entertaining. Anons joining the channel would ask “are we attacking Amazon again?”. Others simply crowed “Amazon’s down!”, assuming Anonymous was the reason. Best of all, though, were the many voices calling for Anonymous to take credit, even though they knew it was nothing to do with them (Amazon later said it was a hardware failure). One member even reported having contacted CNN to report that Anonymous had knocked the retailer offline.

Raising awareness

If Anonymous failed to wreak any real damage, does this mean the campaign itself was a failure?

Well, no. In the same press release, Anonymous insists that its main goal was raising awareness. That is partly spin: the members of the IRC channel clearly wanted to cause damage. I’m sure many of them wouldn’t have participated in a campaign with aims as wimpy as ‘awareness’. But there is also truth in it.

And raise awareness they did. Thanks to a press frenzy, which managed to greatly overstate Operation Payback’s effects, everyone now knows about Anonymous, about DDoS attacks and about the frailty of the net.

Whether this added anything to the complex and difficult debate surrounding Wikileaks is a moot point. At the very least, in the minds of the general public, Anonymous has managed to associate Wikileaks and its campaign for information transparency with illegal, irresponsible and faceless vigilantism. Is that good?