After Visa, MasterCard, and others cut services to WikiLeaks, a group launched ‘distributed denial of service’ attacks against these businesses. But a new analysis shows that the attacks lacked punch.
"Welcome to Infowar" between WikiLeaks supporters and detractors, blared one headline. London’s Guardian newspaper declared the first "Internet-wide Cyber War." But it turns out that cyberwar this month may have been mostly cyberhype, Internet security experts say.
A WikiLeaks support group calling itself Anonymous organized “Operation Payback” after Visa, MasterCard, PayPal, and others had cut services to WikiLeaks and its founder, Julian Assange. The group launched so-called "distributed denial of service" (DDoS) attacks against these businesses. DDoS attacks, which have been growing in size and intensity across the Internet, seek to clog websites by making millions of virtual requests for information simultaneously.
The attacks slowed or blocked for hours a number of targeted websites, but they notably failed against Amazon and others. Thus the breathless "cyberwar" reports by major media outlets – at least one of which evoked visions of 16-year-olds ruling the world from their laptops – were well off the mark, security experts say.
In fact, a fresh, detailed analysis shows that the cyberattacks related to the WikiLeaks controversy were more like a college-level cyber sit-in than global cyberwar.
"Despite the thousands of tweets, press articles and endless hype, most of the attacks ... were both relatively small and unsophisticated," wrote Craig Labovitz, chief scientist at Arbor Networks, an Internet security company in Chelmsford, Mass., on his blog recently. "Other than intense media scrutiny, the attacks were unremarkable."
Operation Payback used botnet software. Botnets, which take over computers and then run automatically, have been used by criminals to distribute spam and computer viruses and to extort money from Web businesses. By the end of 2010, the total number of active botnets worldwide was between 3.5 million and 5.4 million, Symantec reported earlier this month.
Most botnets take over without the consent of computer owners. But the group Anonymous says that the botnet for its proprietary DDoS attack system – called “Low Orbit Ion Cannon” or LOIC – is voluntary in nature. Anonymous has offered its LOIC botnet software to anyone who wants to turn his or her computer into an attacking "zombie" computer in support of the cause. The idea, Anonymous says, is to cater to people who favor a free and open Internet and oppose censorship of WikiLeaks.
But a volunteer "hacktivist" network can be hard to maintain – and it can be hard to persuade people to join attacks. Even though more than 100,000 users have downloaded LOIC software, Arbor Networks' analysis of the distinct computer IP addresses shows that the "actual peak number of simultaneous Wikileaks [Anonymous] attackers was significantly lower ... in the hundreds ... instead of thousands or tens of thousands," Dr. Labovitz wrote.
In terms of the bandwidth – or raw size – of the attack, the Anonymous salvos were not particularly large: They fell into the "small to mid range" for such attacks – or about 350 megabytes per second, which is the average for 2010 attacks, Labovitz found.
Among more than 5,000 confirmed DDoS attacks this past year, the largest recorded so far was 22 gigabytes per second. Last year saw a massive 49-gigabyte-per-second attack. By contrast, the largest attack in 2002 was 400 megabytes a second, Arbor Networks found. That’s about on a par with today’s Anonymous operation.
To give an idea of scale, Harvard College in Cambridge, Mass., links thousands of users on its network to the Internet through a 2-gigabyte-per-second connection. A 49-gigabyte attack would consume the bandwidth of 25 Harvards, reports a new study on DDoS attacks by Harvard University's Berkman Center for Internet and Society. Yet even a relatively puny 2002-sized 400-megabytes-per-second attack would still be a challenge for most websites, it said.
"While they have received a great deal of publicity and are capable of being quite effective, attacks that rely on voluntary participation ... may be less frightening from a security perspective," the Harvard study said.
One reason might have to do with the less-than-anonymous nature of the operation (despite the group name Anonymous). The attackers can often be found out by "simply studying the messages used to recruit and organize the volunteers," the report found. Also, software used to organize the attacks usually does not hide a participant's computer IP address.
Evidence of this came earlier this month when a Dutch teen was arrested by authorities and charged with participating in Operation Payback.
"The technology opens the door for a lot of barely aware people to participate in this DDoS attack," says Ted Welser, an assistant professor of sociology at Ohio University in Athens who has studied the Anonymous group. "It's certainly not like a Russian crime gang controlling millions of computers. A lot of these people are 14-year-olds sitting in their parents' basement."
Labovitz voices similar findings. "Overall, both the attack traffic and the hundreds of volunteers running the software on their PCs were not terribly sophisticated," he wrote. "Most volunteers clearly did not realize the tools do not anonymize their PC source IP address nor that word processors store incriminating meta-data in revolutionary manifestos. In short, not exactly the work of evil criminal masterminds."
Perhaps so, yet the costs are potentially large. Online banks and other e-commerce companies lose anywhere from $190,000 to $19 million an hour when hit by a DDoS attack that shuts them down, according to a 2009 report by Forrester Consulting in Cambridge, Mass. The Anonymous attacks did manage to take down or slow down Visa, PayPal, and several other sites, despite not being particularly large or sophisticated.
"Ultimately, I’d suggest the ... DDoS attacks surrounding Wikileaks supporters and opponents falls far short of a ‘cyberwar,’ ” Labovitz wrote. "While it makes a far less sexy headline, cyber-vandalism may be a more apt description."