Want CNET to notify you of price drops and the latest stories?

Anonymous tricked people into joining Web site attacks

Clicking on innocent-looking links prompted computers running JavaScript to join distributed denial-of-service attacks on Web sites targeted for attack.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read
The Web pages hosting the denial-of-service attack tools, some of which were in Spanish, redirected the visiting computer to the target site automatically, unless JavaScript was disabled, while others allowed users to specify which site to target.
The Web pages hosting the denial-of-service attack tools, some of which were in Spanish, redirected the visiting computer to the target site automatically, unless JavaScript was disabled, while others allowed users to specify which site to target. Anonymous

If you clicked a link distributed by Anonymous yesterday, you may have unwittingly helped the online activists in their attacks against U.S. government and entertainment industry sites that were organized to protest proposed antipiracy legislation.

Anonymous has launched distributed denial-of-service attacks, designed to shut down Web sites, against government and corporate sites in the past. Typically, supporters download software called Low Orbit Ion Canon (LOIC) that directs their computer to repeatedly try to connect to a target Web site. So many digital knocks on the door, as it were, can shut a site down so no one can get in.

However, the source of the attack--the IP address for the individual computers attempting to access the site--can easily be traced when LOIC is used, putting participants at risk of prosecution. (Despite that threat, people have been downloading LOIC like mad since Wednesday, including more than 19,000 downloads in the last day, according to a blog post by security firm Imperva.)

So, Anonymous has come up with a way to allow people to participate without risking arrest. In protest of the Stop Online Piracy Act (SOPA), as well as yesterday's government takedown of file-hosting site Megaupload and the indictment of its operators, Anonymous launched DDOS attacks on more than a dozen sites and used a new tactic.

The group distributed Web links yesterday during its attacks on the Department of Justice, FBI, Universal Music and a host of other sites, that made joining the attacks as easy as clicking the mouse. The links led to Web pages with special JavaScript instructions that automatically redirected the visiting computer to a Web site being targeted for attack. The computer continues attempting to access the target site until the Web page is closed.

Another version of the tool, for people willing to participate, would direct computers to a Web page on which a visitor could type in the IP address to target and the page would automatically refresh in the background so the computer would continually try to access the target.

The tool relies on JavaScript being enabled, and given how many Web sites require JavaScript, it's likely most of the people who clicked the links were unwittingly drawn into the attacks.

It's likely that the tricky links increased the effectiveness of the attacks, which appeared to have impacted overall Internet traffic patterns, at least for a while, according to a real-time Web monitoring site operated by content delivery company Akamai. The site registered 218 attacks yesterday hours after the attacks started. Attack-related traffic was up 24 percent over normal, while general network traffic was up 14 percent.

The links were distributed on Twitter, IRC, Facebook, Tumblr, and other sites and there was no indication that they were potent. Some of the links led to sites similar to Pastebin, where Anonymous often posts its messages. Other links were obscured using Web address shorteners like Bitly.com.

"From the looks of things, this is on a scale we haven't seen before," said Graham Cluley, senior technology consultant at security company Sophos, who wrote a blog post about the tool. "We saw some Anonymous Twitter accounts gain hundreds of thousands of new fans overnight as word began to spread."

If you did happen to click one of the links, you aren't likely to get in trouble. For one, investigators might conclude that all the different IP addresses that hit the site during the attack were part of a botnet of compromised computers. And even if investigators suspected that the blasts from your IP address on the target site were conducted as part of the attack, it's unlikely that you would be singled out for a visit from the authorities, said Jennifer Granick, an attorney who has represented defendants accused of computer crimes.

"If you are an unwitting participant then technically you're not liable under the law because all criminal statutes, with some narrow exceptions, require some criminal state of mind," such as acting "knowingly" or "intentionally," she said.

"But even being part of a botnet could result in unwanted police attention anyway," Granick added. "That's probably unlikely, depending on how many computers are involved in the DDOS attack."

The situation is another story for the people distributing the attack-enabling links, however.

"If you are a distributor of malware that targets a site, you can be liable for all damage that occurs to that site as a result of the malware functioning," Granick said. "If you are distributing a program and intending to cause damage and that's what results, that is a violation under the law."

In computer crime cases, damage is usually defined broadly and includes resources needed to respond to an attack and return the system to normal, so damages can add up, she said.

Updated at 4:25 p.m. PT to clarify that the tool is based on JavaScript, which is used by many sites for functionality.