Anonymous has never had the firepower to take down those three sites simultaneously using LOIC, so I'd be interested to see what the mechanism is. I suspect it's one or more of the Sabu-types firing their botnets. If this is the case, to what extent can this action be attributed to Anonymous? I'm sure there's likely broad support for it, but if it is just the actions of one or two botherders it makes attribution a bit of a grey area.
Edit: Add mpaa.org to the mix, as well as an attempt on fbi.gov. They'd have to have several gigs worth of bandwidth available to be able to hold all 4 sites down simultaneously. With average upload speeds in the hundreds of kilobits, that's a reasonably large botnet (50k-100k, as a pulled-from-ass guesstimate).
I'm highly doubtful that that's all that's happening. I simply can't see a 5600-strong botnet (voluntary or not) holding down 4 independent domains simultaneously.
On a separate note, I would have thought they had learned their lesson re: LOIC after OP:Payback. I guess we'll be seeing another string of arrests in the coming months.
This! Apache is the first casualty when attacked by DOS. Default is way lower than 256 I think... You can change that parameter but it kills the optimization.
If you routed all your traffic through the VPN, LOIC would follow. That said, I know of no VPN that would allow it.
Basically, LOIC is a ticket to jail. The fact that it was used for so long without repercussions is that the Feds didn't care enough to do anything. That all changed with OP:Payback.
Intentionally disabling someone else's computer system (even just their website) is a crime. And LOIC has no anonymity measures, so your IP shows up on every single packet that arrives at the target computer. If you participate in an attack, it will be very easy to find and prosecute you.
In Europe this analogy has also been used by politicians (ones that are actually sitting in parliaments and not accused of crimes).
I'd also consider it a form of peaceful protest. Well, actually it's just data, nobody gets physically harmed so it's always peaceful. Anyways, you are not stealing data and you are not permanently harming the system. You basically do something the site is made for (serving requests). If you consider that a crime you could also consider telling a huge number of people to phone a company and complain about something a crime. I mean this certainly leads to a denial of service, because it makes it virtually impossible for others to use that service.
I for myself am a bit lazy for these kinds of protests. I actually prefer informing people so they draw their own conclusion, but I would never call something like that a crime. IMO it should be treated like a freedom. I know this can cause financial damage, but it's still not harming people. I mean every news article, every kind of information and just saying something like "Nike is child slavery" or "fast food from McDonalds is unhealthy" can make people not buy stuff there and therefore cause financial damage. In the first place it's about an institution and we shouldn't consider an institution something that has human rights, because it devalues natural people.
The way I look at it is like having 100 of your friends all go to McDonalds and line up. One at a time you order a glass of water, and then go to the back of the line. Honest customers will enter and get in line. If they wait/keep trying for long enough they'll be able to fulfill a request but most will get fed up and quit trying.
Exactly. Who benefits the most from this attack? Anonymous or SOPA/PIPA supporters who get to say "look what happened, we need stronger laws on the internet".
You don't necessarily need a lot of bandwidth to take a site down. Slowloris, hash collisions (http://isc.sans.edu/diary.html?storyid=12286), or simply a lot of HTTP requests to pages that consume a lot of CPU time are generally sufficient to take a site offline temporarily.
Which hash functions built into the web server would they attack?
I can't think of a specific time in a normal HTTP request that would use a user-supplied hash.
I would assume only a minority of pages on the average site would eat CPU so surely the sensible defense to this would be to impose a maximum CPU usage on these parts so the rest of the website continues to work.
Good point, so the idea would be to supply something like:
page.php?x=1&y=1...
where the x and y keys are going to have the same hash value, so that when it uses those vars in a page it will hit the same hash bucket and become O(n) not O(1)?
Of course you would want to send a lot of different vars in.
Yup, though I'd probably pass those in using a POST request. A 5,000,000 character long log entry sticks out a bit, and most people aren't logging POST params by default.
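The mitigation for the parameter-collision problem discussed above is to bound how many request keys ever reach the hash table. This is an added example, not part of the thread: the limits, the function names and the 500,000-key figure are assumptions chosen for illustration (1000 matches the default of PHP's `max_input_vars`).

```python
from urllib.parse import unquote_plus

MAX_BODY_BYTES = 64 * 1024  # assumed limit; size it to your largest real form
MAX_PARAMS = 1000           # assumed limit (PHP's max_input_vars defaults to 1000)


class RequestRejected(Exception):
    """Body exceeded a limit; the caller should answer 413 or 400."""


def worst_case_comparisons(n_keys):
    # If every key lands in one bucket, insert k walks a chain of k-1 entries,
    # so n inserts cost 0 + 1 + ... + (n-1) key comparisons.
    return n_keys * (n_keys - 1) // 2


def parse_form_limited(body, max_bytes=MAX_BODY_BYTES, max_params=MAX_PARAMS):
    # 1. Length check: no parsing and no hashing needed.
    if len(body) > max_bytes:
        raise RequestRejected(f"body is {len(body)} bytes (limit {max_bytes})")
    # 2. Count pairs with a linear scan before any key is hashed.
    n_pairs = body.count(b"&") + 1 if body else 0
    if n_pairs > max_params:
        raise RequestRejected(f"{n_pairs} parameters (limit {max_params})")
    # 3. Only a bounded number of keys ever reaches the hash table.
    params = {}
    for pair in body.decode("ascii", errors="replace").split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


if __name__ == "__main__":
    print(parse_form_limited(b"x=1&y=1"))
    flood = b"&".join(b"k%d=1" % i for i in range(1001))  # constructed input
    try:
        parse_form_limited(flood)
    except RequestRejected as exc:
        print("rejected:", exc)
    # Chain-walk bound without and with the cap (500,000 keys is constructed).
    print(worst_case_comparisons(500_000), "vs", worst_case_comparisons(MAX_PARAMS))
```

The cap complements, rather than replaces, a keyed or randomized hash function in the language runtime.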
Interesting. I wonder if the js version behaves identically to the .net one. If so, it could offer plausible deniability to any LOICers out there. I'm not condoning the practice, but it is a creative solution to having your primary tool be rendered toxic by the op payback arrests.
setInterval(function(){
var i = new Image();
i.src = target + randId + msg;
... // event handling
}, 0)
So you end up requesting a URL every 0 ms. The randId is just a simple `Date.now`; the message is an actual message taken from an input in the HTML. Source code: http://hastebin.com/gasitinafo.js
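From the defender's side, the request pattern described above (same URL, a fresh `Date.now` value on every request, a constant message) stands out in an access log. This is an added example, not part of the thread or the linked script: the log format, the `id`/`msg` parameter names, the threshold and the sample lines are all assumptions.

```python
import re
from collections import defaultdict

# Common Log Format: client IP, timestamp (one-second resolution), request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A 13-digit run is what a millisecond epoch timestamp (Date.now) looks like.
EPOCH_MS_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def flag_cache_busting_floods(lines, threshold=20):
    """Return client IPs that hit one URL >= threshold times in one second,
    where the URLs differ only in a millisecond-timestamp token."""
    buckets = defaultdict(int)  # (ip, second, URL with timestamp masked) -> hits
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, second, url = m.groups()
        masked, n_tokens = EPOCH_MS_RE.subn("<ms>", url)
        if n_tokens == 0:
            continue  # ordinary request, no cache-busting timestamp
        buckets[(ip, second, masked)] += 1
    return sorted({ip for (ip, _sec, _url), hits in buckets.items()
                   if hits >= threshold})


def build_sample():
    # Constructed log lines; the IPs come from documentation address ranges.
    burst = [
        f'192.0.2.10 - - [19/Jan/2012:21:00:01 +0000] '
        f'"GET /?id={1327006801000 + i}&msg=hello HTTP/1.1" 200 512'
        for i in range(40)
    ]
    normal = [
        '198.51.100.7 - - [19/Jan/2012:21:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096',
        '198.51.100.7 - - [19/Jan/2012:21:00:02 +0000] "GET /press?id=42 HTTP/1.1" 200 2048',
    ]
    return burst + normal


if __name__ == "__main__":
    print(flag_cache_busting_floods(build_sample()))
```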
That's pretty nasty.
Surely defense against this kind of thing should be built into browsers although you would need to detect an unending loop causing HTTP requests so run into the halting problem I guess.
If they are tricking people into performing what is potentially a criminal act then they lose the limited amount of respect I did have for them.
Given the nature of both organizations are not too tech-savvy, I wouldn't be surprised if the sites in question were running an unpatched version of Apache and were susceptible to this:
riaa.org, mpaa.org, and universalmusic.com I could see being unpatched, but I would have thought justice.gov would have to be patched for compliance reasons.
That's a logical point. But compliance with what? All I can find after a quick google search is National Institute of Technology GUIDELINES, and the only laws mentioned seem to deal with user privacy.
In fact, the only compliance regulations I know of with government sites have to do with accessibility.
[EDIT] Wait, I might be wrong. The DoD guide seems to cite quite a few regs, some of which may apply to the Justice department. Too bad I can't check their site :P
> but I would have thought justice.gov would have to be patched for compliance reasons.
I don't think that's true. I'd imagine the server behind justice.gov has no connectivity to anything important for compliance reasons, so patching it isn't really a big deal.
I'd be surprised, if I had the funds these organizations do and I knew I would likely be a target for this kind of thing I'd at least hire a security consultant to check these things over for me.
I was under the impression that Anonymous was just kind of a brand that anyone who wanted to could assign credit to for their activities (since they have the publicity infrastructure in place)
I'm trying hard to think of what could be more counterproductive to the gains made in combating SOPA and PIPA over the last week than this, and I basically can't think of anything. Unbelievable.
So taking a few sites down for a short while is counterproductive, but completely destroying a business without due process is the normal civilized legal procedure?
It's time we realized that we are no longer in the warm embrace of freedom and democracy here. Sure, it's throwing stones while the other party is using heavy artillery, but that's how uneven struggles start.
If anything, this Megaupload episode shows (and not for the first time) that SOPA and PIPA are just a distraction, and there are no real gains to be made here. We've already lost, they already have all the power they need. Megaupload is gone, complete with the data (and personal information) of thousands of users worldwide. Any actual trial that may follow is just for show, just like the whole SOPA debate.
I'm a completely anti-copyright, pro-piracy, pro-megaupload person, but there was due process and complete legitimacy with them taking down megaupload.
Perhaps megaupload are not guilty of anything, but this entire episode was completely legal and proper. The owners were indicted and they served injunctions against the servers, and seized their domains. They have treaties with all of the countries involved to extradite the operators.
Regardless, this does not make it okay to DDoS government websites offline. It's really easy to download LOIC and DDoS whatever websites are mentioned in #anonops, but you relinquish all moral high ground in the process.
In fact, this rarely does anything. The websites usually just mitigate the attack within a couple hours, and in hindsight it just looks like a hissyfit that got nowhere.
Let's say you're completely right. What then would be the productive thing to do next?
To my mind the obvious answer to that is to work on gaining more support. Anonymous doesn't have anywhere near the power or support to change the world by themselves. They need other people.
But most other people respect private property (and would consider an organization's website private property). So random destructive acts don't help you gain support.
Note: I'm not saying they need to stay completely between the lines here. If Anonymous members put up a website stating their case and then hacked other sites with a relatively respectful message that makes their points and then links them to the Anonymous site for more information that would be productive.
Bottom Line: Making a difference means drawing people to the power of your ideas not the power of the technology you use to vandalize other sites.
While it's a bad way to protest in many ways, I somehow feel that it's pretty fair considering that Megaupload was taken down without a trial. Both sides taking the laws in their own hands, except that the media industry gets away with it.
(Yes, I do consider taking a site down without a trial an abuse of the system.)
> I do consider taking a site down without a trial an abuse of the system.
Agreed. Every other type of business gets to continue operating with the government just taking their books to investigate them and their practices. However any dotcom will have their entire business and profitability shut down the moment the government wants to investigate one iota of what they're doing/done. It also won't be returned for 3 years and when it is it will be in poor/unusable condition overlooking the fact that it's now likely technologically useless to a dotcom.
I'm not sure this is the kind of PR that SOPA opponents need right now. I'm not saying that attacking UM website is good or bad, but the timing is certainly awkward imho.
I thought the same. There couldn't be an easier way to say, "Look at the lawlessness of the internet. These pirates have to be stopped, oh, and they're also a threat to homeland security."
EDIT: I don't care about being downvoted, but I would like to know why anyone thinks this is a good idea? It accomplishes nothing and makes us look bad. I understand why people are upset, but this does not help.
I don't really want to get meta but it's possible you were downvoted not in disagreement but because someone felt your post contributed little more than a "+1" post.
That's irrelevant to the optics of the situation, however. SOPA's efficacy at preventing any of these acts wouldn't be a factor in its proponents' use of them to advocate in favour of it.
Seriously. They're taking down websites. If it was, like, eBay or Amazon or something, and 100% of business was conducted through their website, it would be meaningful. In this case, no business goes through the website, and it just seems like it would be an annoyance.
Also, unfortunately, a PR opportunity for the RIAA who can now point to the wild west of the internet and the fact that sites like Megaupload are supported by the most "dangerous" hackers in the world, the guys who took down the DOJ.
"Megaupload had been brought down by federal authorities and four people linked to the site, all outside of America, were arrested and charged with a conspiracy related to copyright infringement."
Are they also held in Guantanamo, or were they executed on the spot?
We probably have extradition treaties with those countries. And if those countries signed the Berne Convention, those jurisdictions must uphold US copyrights.
Not usually, since the act might not even be illegal in the jurisdiction where you are finally arrested. Usually you're brought back for a trial and sentencing.
I hate to be the guy who bemoans fun, but I'm sure this makes the Senators who changed their minds over SOPA lately feel great about who they're on the side of.
I just downloaded their page (not via browser) and saw that they've just taken this code: http://pastebin.com/grNdf3Mj (safe to visit, plaintext) and wrapped the js in a self invoking function. At the end of the function they included a call to another function which starts firing.
The original script required users to click the fire button but this does it by itself on load.
Strangely the current 'attack' page also features the google ad script, a twitter widget, kontextua ad script and whos.amung.us visitor tracking.
That's before expenses, depending on their hosting costs etc they could have lost money. IMO, profit may have been in the 10's of millions but copying them is unlikely to make you rich.
> “It was in retaliation for Megaupload, as was the concurrent attack on Justice.gov,” Anonymous operative Barrett Brown tells RT on Thursday afternoon.
Barrett Brown is neither a pseudonym, nor an operative. He was, at one time, a self-described spokesman for Anonymous. He since has said that he is no longer an active participant, but that he hangs out in IRC to keep abreast of goings-on.
It's just brute force. It's not like they're sneaking into the site and disabling the web server. They're just assaulting it from the front until it cracks under the pressure. In other words, they're taking down the site, but they're not gaining access to any of the source or data in the site, or gaining control over the servers.
Take HN commenters' infosec analysis with a large grain of salt. Their assumption is that everyone is a script kiddie, especially Anonymous. Even if there is a call for a DDOS, infiltration and gained access could likely precede or follow as a supplement to the attack.
Let us not forget that DOS attacks present potential for man-in-the-middle attacks. It's a perfect cover for their real hacking teams to infiltrate and gather further intelligence.
Well, let's see Anonymous host a website. I'm sure the DOJ or FBI could take it down, by legal or technical means. What is the point? There's no such thing as a webserver that "never goes down", or a network that is "always up". Things fail under stress, things are taken offline and put back online, and redundancy or rerouting usually covers it all up. Not all organisations put 100% of their efforts into maintaining an external public website that "stays up" 24/7. I doubt any member of the public is pounding their keyboard because they can't access the FBI, DOJ or UMG websites. How many visitors do you think those sites even normally receive?
Do you think these organizations are going to sit back and let their sites get shut down without a response? No, they're going to ramp up their security and network teams to subvert the attack and make sure the attack isn't covering a penetration. Bring down the firewall, bring down the company. It costs real money to keep a company running through a DDoS.
WARNING: It looks like these links actually cause your computer to attack sites. Don't click these if you have a problem with that, fear getting arrested, etc.