Why Anonymous is Winning Its War on Internet Infrastructure
“To our hacker allies, our fellow occupiers, our militant comrades all over the world, the time for talk is over: it’s time to hack and smash, beat and shag.”
The call to arms issued last week by the international hacker group Anonymous was accompanied by a frenzy of online hacking. Attackers took down the websites of a tear-gas manufacturer in Pennsylvania, the Nasdaq and BATS stock exchanges and the Chicago Board Options Exchange. A few days later they hacked into websites owned by the Federal Trade Commission and the Bureau of Consumer Protection.
The messages they left behind—about their opposition to everything from the Anti-Counterfeiting Trade Agreement, a controversial new treaty for enforcing intellectual property rights, to violent suppression of democracy protestors in the Middle East—had the air of giddy jubilation.
“Guess what? We’re back for round two,” the hackers wrote in reference to their attack on the FTC websites, their second such raid on the agency in less than a month. “With the doomsday clock ticking down on Internet freedom, Antisec has leapt into action. Again. Holy deja vu hack Batman! Expect us yet?”
Comic posturing aside, the hackers seemed amazed by their success: A barely organized ragtag “team of mayhem,” as one Anonymous offshoot dubbed itself, was knocking down the Web infrastructure built by major corporations and large government agencies as if it were nothing but paper backdrops in a school play.
The hackers hadn’t discovered some secret digital weapon. They weren’t exploiting some zero-day vulnerability in a core application. They weren’t backed by a powerful government agency. They didn’t even have the advantage of surprise—the group has been around in one form or another for almost a decade.
The victories underscore what is perhaps both the main point of the global Anonymous movement and the secret of its success—that the people in charge, whether they be in Alexandria, Egypt or Alexandria, Virginia, are too corrupt, too complacent and too careless to be trusted. Almost nothing makes that point as effectively as Internet security: Officials have known that the networks were vulnerable for well over a decade and have chosen to do little about it.
Anonymous lays siege to websites using a method called “distributed denial of service” or DDoS. There is nothing new about a DDoS attack, which basically floods a computer that is connected to the Internet with messages, such as connection requests, until it crashes.
Since then the size and frequency of DDoS attacks have continued to increase. Akamai, whose content delivery network spans 80,000 servers in 70 countries, recently reported that DDoS attack incidents had soared 2,000 percent in the past three years. Experts describe DDoS attacks of 10 Gigabits per second and larger as “the new normal.” IT analyst groups like Forrester and Gartner regularly advise their clients to invest in DDoS protection.
But the ongoing rout of large government and corporate sites by Anonymous indicates few are listening.
“Internet security is like life insurance,” said Carlos Morales, vice president of sales engineering for Arbor Networks, which sells DDoS protection to network operators and Internet service providers around the world. “A lot of people don’t think they need life insurance until they have a major event like a heart attack.”
Robert Ayoub, an analyst with Frost and Sullivan, describes a pass-the-buck mentality. “Traditionally, companies have seen DDoS as an issue for service providers or the government,” he said, noting that differentiating a legitimate spike in traffic from an attack isn’t easy.
Part of the reluctance of major corporations and government agencies to address DDoS may be that effective protection isn’t cheap. It requires investing in bandwidth, hardware and expertise. Traffic has to be filtered in the cloud and on-premises using a variety of techniques and equipment, which has to be licensed and maintained. Ideally, the two systems are coordinated, so that when an attack is discovered on-premises, a company can request help from its Internet service provider.
Basic cloud protection alone starts at about $5,000 a month. But that cost can increase exponentially depending on the volume of traffic and the size of the site that’s under attack.
Experts will tell you that scrimping isn’t really an option. In addition to attacks by Anonymous, companies, and financial institutions in particular, are coping with DDoS attacks by criminal gangs who use ever more sophisticated tools.
According to the World Infrastructure Security Report, which was published by Arbor Networks earlier this month, attackers are upping the ante by using DDoS to take out critical applications like HTTP, DNS and SMTP, and by launching multi-vector attacks—making protection more costly.
The survey’s respondents, which included 114 self-classified Tier 1, Tier 2 and other IP network operators, said the cost of a single DDoS attack could range from $8,000 to $1.5 million. More than 44 percent of respondents experienced between 10 and 500 DDoS attacks per month.
Despite the large number of successful attacks, security personnel who responded to the survey—more than 70 percent were engineers and/or managers—had difficulty getting the ear of higher-ups. The majority of respondents said their companies had ten or fewer employees working in security and a whopping 58 percent had never rehearsed their security plans.
Efforts to defend networks so far have been so ineffectual that Anonymous recently posted its plans, Joker style, to take the Internet down on March 31. The hackers provided a blueprint for “Operation Global Blackout,” daring network operators to make the changes needed to prevent the attack.
“We know you won’t listen,” Anonymous wrote. “We know you won’t change. We know it’s because you don’t want to. We know it’s because you like it how it is.”