Internet users might have been tricked into participating in a series of web-based attacks on United States government sites that took place recently.
Anonymous, a group of Internet activists known for stepping outside the bounds of the law in some of their protests, launched a series of distributed denial of service (DDOS) attacks on US Government sites on or about Thursday, January 20th (depending on where in the world you live).
They have done this sort of thing in the past; what is different with this attack is that it is possible that not all participants were willingly involved. The attack was made as a protest against the Stop Online Piracy Act (SOPA) and the government takedown of the file-sharing site Megaupload.
In a DDOS attack, a website is deliberately flooded with traffic. It is an automated attack whereby an overwhelmingly large number of users repeatedly access a site; in so doing they make the site inaccessible to legitimate users and can cause servers to crash. It does not cause lasting damage to equipment, but it does cost money because resources and personnel must be deployed to filter out the malicious traffic and bring the site back online.
In the past, Anonymous supporters have participated in such attacks by downloading and running a piece of software called Low Orbit Ion Cannon (LOIC). The software does the heavy lifting of repeatedly accessing the target website. It is illegal to use, but that did not stop 19,000 people from downloading it in the last day of the attack.
Using software like LOIC to participate in a DDOS is illegal; people have been arrested for taking part in earlier attacks. While LOIC was used this time, Anonymous also distributed a large number of links via Twitter, IRC, Facebook, and Tumblr that, when clicked, would cause a computer to take part in the attack. The links, which were shortened with various URL shortening services, could literally appear anywhere.
Graham Cluley, a senior technology consultant at security company Sophos, explained:
“We saw some Anonymous Twitter accounts gain hundreds of thousands of new fans overnight as word began to spread.”
Here is where things get a little slippery: in introducing this form of accidental participation, Anonymous also made it very easy for anyone who might be sympathetic to their cause but fearful of government retribution to participate in their attacks. While it is against the law to use LOIC, it would be very tough to prove that someone intentionally clicked a bogus link to take part in a DDOS.
According to Jennifer Granick, an attorney with experience in defending people accused of computer crimes, while being part of the botnet (the group of computers used in the attack) may draw police attention, the accidental element may shield those who participated by clicking on compromised links from prosecution:
“If you are an unwitting participant then technically you’re not liable under the law because all criminal statutes, with some narrow exceptions, require some criminal state of mind,” such as acting “knowingly” or “intentionally.”
But even being part of a botnet could result in unwanted police attention anyway. That’s probably unlikely, depending on how many computers are involved in the DDOS attack.
The presence of the shortened links does not automatically amount to a “get out of jail free” card. As Granick stated above, participation in the botnet could draw police attention. If that attention comes in the form of a search warrant, evidence of other criminal activity, such as computer piracy, might be used in prosecution. Given the large number of computers participating in this type of attack, such a scenario is highly unlikely.