The Lesson To Be Learnt From Anonymous

The DDoS attacks on WikiLeaks’ opponents contain a serious lesson that should be heeded by every website owner, says Eric Doyle

One thing the WikiLeaks-related distributed denial of service (DDoS) attacks have shown is just how fragile a web presence can be. The fact that major sites like MasterCard and Visa can be blocked through concerted effort should be a warning, and a worry, for any other online sites owned by companies or governments.

The Anonymous Operations’ (AnonOps) attempts to punish those who take action against WikiLeaks have been successful and, so far, have evaded law enforcement agencies. This is no organised army of hackers fighting an online war but a loosely-organised team of guerrillas battling what it perceives as a threat to liberty and freedom.

Economic and political damage limitation

The whole episode is an example of extremism gone unchecked – the Internet equivalent of Muslim Jihadists trying to cause social disruption with bombing attacks. Fortunately, the web equivalent has not, so far, cost any lives.

The WikiLeaks exploits are timely in that they have hit when governments appear to be waking up to the threat of virtual campaigns being waged to cause econo-political damage. If the UK government had already gone ahead with centralising its disparate domains and putting essential payment and public services online, how would it have fared if the Operation:Payback fanatics had turned their Low Orbit Ion Cannons – the DDoS weapon of choice – against the DirectGov site?

What if, in the future, a fanatical foreign government incites its citizens and overseas supporters to arm themselves for an attack on a foreign power? How would the Internet infrastructure cope?

The code of secrecy which Internet service providers (ISPs) guard so heavily is a double-edged sword. It protects the average citizen from snooping government departments but it also protects the DDoS guerrillas from prosecution. The web is not as anonymous as people believe and the key is the ISP traffic monitoring process.

“Participation in DDoS attacks is illegal in many countries and users accepting the invite by AnonOps are under a serious risk of litigation,” warned Vanja Svajcer, a principal virus researcher for Sophos Labs. “Many people believe that privacy on the Internet can be somewhat protected, but beware, the source IP addresses of attackers, which will inevitably end up in the target’s website log files, can easily be matched with users’ accounts if ISPs decide to co-operate with the law enforcement agencies.”

Snowflake on an iceberg

In Holland, there have been two arrests so far for DDoS attacks. The first may have been part of the AnonOps attacks but few details have been given. The second was, seemingly, a vigilante with a grudge against the Dutch legal system – who did not have the guile to hide his IP address.

Even if both were part of the international brigade of WikiLeaks’ supporters, they represent something less than a snowflake on the tip of a very big iceberg.

A weapon is often a humble tool, such as a hammer, turned to evil purposes, and so it is with the Ion Cannon. It is advertised as a tool for conducting stress tests of web applications under heavy loads – heavy loading being what a DDoS attack actually is.

As such, it is freely available for download and extremely user-friendly to configure. Even a child could do it and, evidently, many do.

It would be difficult to rid the Internet of these tools so we have to learn to live with them.

According to Bob Tarzey, analyst and director at Quocirca: “MasterCard could learn from Visa here, for high profile transactional sites, one protection against DDoS is multiple servers that make the total service harder to target.

“As for government, it will depend on the nature of the website. If it is transactional then government should heed the warnings of the last week; however, if it is more about content, reining things in makes sense and content distribution services, such as Akamai, can ensure widespread availability,” he added.

Business sites have two areas that need protecting. The most important is the core business network, which is increasingly linked to remote and home workers. These can be sensibly protected using virtual private networks (VPNs). A traffic monitor can be positioned to reject unsanctioned connections and, in theory, a concerted DDoS attack would be an inconvenience rather than a disaster.
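The “traffic monitor” above, and Svajcer’s point that attackers’ source addresses end up in the target’s web server logs, both come down to the same defensive check: counting requests per source over a short window and flagging the sources that stand out. The script below is an added example written for this article, not code from the author, Sophos or Quocirca. Everything in it is constructed for illustration: the Apache-style log lines (using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the threshold of 10 requests and the 10-second window, and the assumption that log lines arrive in chronological order.

```python
"""Per-source request-rate check over web server access logs.

Added example (not from the original article): a minimal version of the
"traffic monitor" idea, run over constructed sample log lines. Sources
that exceed a request threshold inside a time window are flagged for
review. Threshold, window and log content are assumptions for
illustration; lines are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Apache combined-format prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req")


def flag_sources(lines, threshold, window_seconds):
    """Return {ip: peak requests seen inside any window} for every source
    whose request count within window_seconds reached threshold."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_line(ip, second, path):
    """Build one constructed log line; only the seconds field varies."""
    return (f'{ip} - - [10/Dec/2010:14:02:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024')


# Constructed sample: one ordinary visitor making three requests over a
# minute, one source sending 12 requests in five seconds, and one line of
# garbage to show that unparseable input is ignored.
SAMPLE_LOG = (
    [make_line("203.0.113.7", 0, "/")]
    + [make_line("198.51.100.20", 1 + i // 2, "/checkout") for i in range(12)]
    + [make_line("203.0.113.7", 30, "/about")]
    + ["garbage line that does not parse"]
    + [make_line("203.0.113.7", 59, "/contact")]
)

if __name__ == "__main__":
    for ip, peak in flag_sources(SAMPLE_LOG, threshold=10, window_seconds=10).items():
        print(f"{ip}: {peak} requests inside a 10 s window, review this source")
```

Two caveats worth keeping in mind before acting on the output: a check like this only sees the sources that are noisy on their own, so a genuinely distributed flood in which each participant stays under the threshold needs aggregate measures (total request rate, upstream scrubbing) rather than per-address counting; and a single address may represent many users behind a carrier or corporate NAT, so a flagged source is a lead for review, not automatically a target for blocking.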

The Fragile Customer Interface

The other side of the business, the public-facing site, is a different proposition. There is no way to vet connections as easily because the whole concept is based on any potential customer gaining access. A vetting procedure is inapplicable here and advice depends on specific, often unique, corporate specifications.

“DDoS is not going to disappear; it has become, and will remain, a weapon for all sides,” advises Tarzey. “The best thing an organisation worried about DDoS can do is to engage with experts that provide insurance and protection against it, such as the new service from London-based www.Adversor.net.”

Adversor is one of a growing cloud of service providers. It aims to stop DDoS attacks from even reaching the targeted organisation’s network. The attack is engaged in its cloud by accurately pinpointing and eliminating the malicious traffic, the company claims. Legitimate traffic is allowed to pass “with no loss of trade or reputation”.

It is clear that there are solutions to the problem out there, but it takes something like the WikiLeaks exploits to wake the world up to the devastation that DDoS attacks can bring. Only then, it appears, will someone open their wallet and pay for the necessary insurance.