How Anonymous took down the DoJ, RIAA, MPAA and Universal Music Websites

Anonymous, the Internet-based hacker and protest group, did it with a distributed denial of service attack, here's how they did it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Who is behind the Anonymous DDOS attack? Maybe you.

Who's behind the Anonymous DDoS attack? Maybe you.

When the U.S. Department of Justice working in conjunction with New Zealand's law enforcement agencies took down the popular file-storage and sharing site Megaupload and arrested its executives, they never counted on the Internet-based hacker and protest group, Anonymous, attacking the Department of Justice (DoJ), Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), Universal Music, and other Websites. And, they certainly didn't expect for many of these sites to be taken down by this assault.

Anonymous declared this attack was being made in reaction to Megaupload being taken down. The loosely knit group also said that this was its "largest attack ever, crippling government and music industry sites. Hacktivists with the collective Anonymous are waging an attack on the website for the White House after successfully breaking the sites for the Department of Justice, Universal Music Group, RIAA and Motion Picture Association of America."

In the event, the White House's site never went down. At this time, 11:30 AM EST, January 20th, the Universal Music site is still off the air but the others are back up.

The group managed this by the use of a Distributed Denial of Service (DDoS) attack. Specifically, Anonymous is using their old favorite DDoS tool: Low Orbit Ion Cannon (LOIC).

There's nothing subtle about the open-source LOIC attack tool. It's a brute-force site-smashing program. All it does is crank out multiple simultaneous requests to the site that it's attacking for a Web page that's unlikely to exist. Individually such request is harmless, but when there are tens or hundreds of thousands of simultaneous requests, even the biggest Web server farms will break.

To co-ordinate these attacks for maximum damage, LOIC uses a "Hivemind" feature. What this means is that while you're running LOIC you can allow someone on an Internet Relay Chat (IRC) or other online communication service, such as Twitter, to direct your PC's LOIC attack on its designated target. This gives Anonymous the sheer volume of traffic it needs to knock off major Websites.

There are ways to defend against most DDoS attacks that target network protocol weaknesses. Sadly, against attacks like LOIC that rely on nothing fancier than over-running your site there's little you can do except add more bandwidth, more Web servers, and use lightweight Web servers such as NGINX that can handle heavy laws-and then pray that's it's enough.

One thing that struck me odd about this particular attack though was how successful it was. After all the MPAA and RIAA are often targeted by DDoS attacks. Heck, they're the poster-children for DDoS attacks. So, why was this one so successful?

Someone, perhaps Anonymous, but there's no proof of their responsibility, has been spamming a message about Anonymous and/or Megaupload and a link to a Web site on Twitter and IRC rooms. If you click on the link you'll find that you've opened a Web browser window to a site that invites you to "Join the hive!" It's not actually asking you to join the attack though. Once you've on the page, your PC will be used in the DDoS attack. So long as you're on the page, your Web browser will continue to hammer the selected target site. When I tried it, the DoJ site was being attacked.

The DDoS attack Web page at work. Note the targetted site in the lower right corner.

The DDoS attack Web page at work.

With this, many unwitting people are joining in on a DDoS attack without even realizing it. This, in turn, gives the attack even more force and may help explain why the MPAA and RIAA sites went under.

While DDoS attacks have long relied on Windows botnets to mass their virtual troops, this Website-based approach represents a new wrinkle on co-coordinating DDoS attacks. Given how effective Anonymous and its "allies" have been with this attack. I expect we'll see this method used again... soon. There's every reason to believe that Anonymous will be continuing its Megaupload protest DDoS attacks.

Anonymous mask image by Domenico / Kiuz, CC 2.0.

Related Stories:

Anonymous hacks DOJ, RIAA, MPAA and Universal Music websites

Megaupload assembles worldwide criminal defense

FBI charges Megaupload operators with piracy crimes

How to try to stop DDoS Attacks

DDoS: How to take down WikiLeaks, MasterCard or any other Web site

Editorial standards