Click on an Anonymous link, and you could be DDoS’ing the US government

Graham Cluley

Here’s a quick summary of events:

* On Wednesday, thousands of websites participated in an “internet blackout”, protesting against proposed US anti-piracy legislation.

* Yesterday, file-sharing website Megaupload was shut down, and its founders arrested.

The charge? Online piracy alleged to have cost the entertainment industry more than half a billion dollars.

* Overnight, websites belonging to the FBI, Department of Justice, RIAA, MPAA, Universal and others were struck by a distributed denial-of-service (DDoS) attack.

* The loosely-knit collective Anonymous has claimed responsibility for the attacks (which they dubbed Operation Megaupload):

We Anonymous are launching our largest attack ever on government and music industry sites. Lulz. The FBI didn’t think they would get away with this did they? They should have expected us.

In the past, Anonymous has encouraged supporters to install a program called LOIC (Low Orbit Ion Cannon) which allows computers to join in an attack on a particular website, blasting it with unwanted traffic.

This time, things are slightly different: you only have to click on a web link to launch a DDoS attack.

[Image: DDoS tweets]

We’ve seen many links posted on Twitter, and no doubt elsewhere on the internet, pointing to a page on the website. If you visit the webpage, and do not have JavaScript disabled, you will instantly, without user interaction, begin to flood a website of Anonymous’s choice with unwanted traffic, helping to perpetuate a DDoS attack.

[Image: Section of webpage code]

At the time of writing, for example, it’s the Justice department website which is in their sights.

[Image: DDoS launch webpage]

Don’t forget, denial-of-service attacks are illegal. If you participate in such an attack you could find yourself receiving a lengthy jail sentence.

With this method, however, Anonymous might be hoping that participants could argue that they did not knowingly assist in the DDoS attack, and clicked on the link in innocence without realising what it would do.

I’m not a lawyer, so I can’t tell you if that’s going to be an adequate defence or not if you end up in court.

Personally I find it much easier to support users and companies blacking out their websites for a day in protest against the SOPA/PIPA legislation than launching DDoS attacks against US government websites.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
