The Megaupload takedown and arrests, and the wave of retaliatory Distributed Denial of Service (DDoS) attacks that followed, raise some interesting points in the wake of the apparently temporary shelving of the anti-piracy bills SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) earlier in the week. Consider:
- Hacktivists responding swiftly, effectively and collectively (with thousands of apparently willing participants) in retaliation to the legal action against Megaupload
- Escalating concern over ideologically motivated attacks
- The contrast between the criminal proceedings being brought against Megaupload and the SOPA/PIPA approach to piracy.
The shuttering of Megaupload, a Hong Kong-based file hosting and sharing services company with an estimated 150 million users, and the arrest in New Zealand of four employees, including the company’s founder Kim Dotcom (né Schmitz), brought a breathtakingly quick response in the form of denial-of-service attacks against a number of sites, including the FBI, the Department of Justice, the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and Universal Music.
Anonymous, the loose confederation of hacktivists which has claimed responsibility for a number of attacks in recent years, took credit for the latest DDoS-ings on the @AnonymousWiki Twitter account. One of the more interesting aspects of Anonymous’ DDoS attacks has been its recruiting of willing, enthusiastic participants, who are encouraged to download the Low Orbit Ion Cannon (LOIC) to DDoS websites in Anonymous’ Operation Payback campaign. Security company Imperva has been tracking the downloads, which spiked from a daily average of about 1,000 to nearly 6,000 on Thursday and more than 19,000 as of 8:30 a.m. PST Friday.
The wrinkle in the latest attacks is automation. Recruits were invited on Twitter and other sites to simply click on a link, which took them to a website that automatically DDoS’d the hacktivists’ current target. Check out the Sophos Naked Security blog for discussion of the mechanism and examples. Anonymous doesn’t necessarily have to take this tack to DDoS its targets. Typically, attackers deploy botnets of thousands of hijacked computers to launch flooding attacks. If you don’t own a botnet, you can rent one, cheap. So, this tactic of recruiting soldiers rather than hijacking bots seems more about movement building and showing off the strength of their following. It’s the democratization of DDoS, facilitated by social media. Rob Rachwald, Imperva’s director of security strategy, refers to it as “an impressive evolution in crowdsourcing.”
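From the defender's side, the two styles of attack described above look different in a web server's access log: a rented botnet or a handful of LOIC users show up as a few sources each making an abnormal number of requests, while the crowd-sourced variant shows up as many sources that each stay at a plausible rate but add up to a flood. The following Python script is an added example, not code from the original post, Imperva or Sophos. It parses constructed Apache/nginx "combined"-format log lines, slides a time window over them, and flags both patterns; the IP addresses, paths, timestamps and thresholds are made up for illustration.

```python
import re
from collections import deque, Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields needed for rate analysis are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, timestamp, path and status for one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window=timedelta(seconds=10), per_ip_threshold=30, total_threshold=100):
    """Slide a time window over the log and report two things:
    - noisy_sources: single IPs that exceed per_ip_threshold requests inside one window
      (a lone LOIC user or a small botnet)
    - peak: the busiest window seen; flood_detected is set when its total exceeds
      total_threshold, which catches a crowd-sourced flood whose participants each stay
      under the per-IP limit.
    """
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    live = deque()          # events currently inside the window
    per_ip = Counter()      # requests per source inside the window
    per_path = Counter()    # requests per path inside the window
    noisy = set()
    peak = {"total": 0, "ts": None, "distinct_sources": 0, "top_path": None, "max_per_source": 0}
    for ev in events:
        live.append(ev)
        per_ip[ev["ip"]] += 1
        per_path[ev["path"]] += 1
        # expire events that fell out of the window
        while ev["ts"] - live[0]["ts"] >= window:
            old = live.popleft()
            per_ip[old["ip"]] -= 1
            per_path[old["path"]] -= 1
            if per_ip[old["ip"]] == 0:
                del per_ip[old["ip"]]
            if per_path[old["path"]] == 0:
                del per_path[old["path"]]
        if per_ip[ev["ip"]] > per_ip_threshold:
            noisy.add(ev["ip"])
        if len(live) > peak["total"]:
            peak = {
                "total": len(live),
                "ts": ev["ts"],
                "distinct_sources": len(per_ip),
                "top_path": per_path.most_common(1)[0][0],
                "max_per_source": per_ip.most_common(1)[0][1],
            }
    return {"noisy_sources": noisy, "peak": peak, "flood_detected": peak["total"] > total_threshold}


def fmt(ip, ts, path, status):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed sample (not real traffic): three ordinary visitors, one noisy single source,
    and a crowd-sourced flood from twenty sources that each stay well under the per-IP limit."""
    base = datetime(2012, 1, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # ordinary visitors: one request per second each, for 30 seconds
    for s in range(30):
        for i, ip in enumerate(("203.0.113.5", "198.51.100.7", "192.0.2.9")):
            lines.append(fmt(ip, base + timedelta(seconds=s), f"/page{(s + i) % 4}", 200))
    # a single source hammering /login: 15 requests per second for 4 seconds
    for s in range(10, 14):
        for _ in range(15):
            lines.append(fmt("192.0.2.200", base + timedelta(seconds=s), "/login", 401))
    # twenty sources each sending 8 requests to "/" spread over 5 seconds (160 total)
    for n in range(20):
        for k in range(8):
            lines.append(fmt(f"198.51.100.{100 + n}", base + timedelta(seconds=20 + k % 5), "/", 200))
    return lines


if __name__ == "__main__":
    report = detect_floods(build_sample_log())
    print("noisy sources:", sorted(report["noisy_sources"]))
    print("peak window:", report["peak"])
    print("flood detected:", report["flood_detected"])
```

On the constructed sample the single noisy source is flagged on its own, while none of the twenty flood participants ever crosses the per-IP threshold; only the aggregate view (190 requests from 23 sources in a 10-second window, almost all to "/") reveals the crowd-sourced flood. That is the practical reason per-IP rate limiting alone is a weak defence against this style of attack, and why aggregate and per-path counters belong in the monitoring as well.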
The rise in ideologically motivated DDoS attacks has become a very serious security concern. Since the early wave of mischief-driven attacks about 10 years ago, the primary motives have been extortion under the threat of DDoS (a variant on the venerable protection racket) and competitive advantage from unscrupulous companies who cripple your websites and, they hope, drive business to theirs. Now, hacktivists can easily cripple a site based on whatever motive is driving them. Your business could be a target because of corporate policies and practices, political stances or simply the industry you’re in.
The criminal action against Megaupload raises the subject of the complexity of determining what constitutes a file-sharing site that is actively engaged in the trade of pirated content and software. (For an excellent and balanced discussion of the Megaupload case, see Nate Anderson's article on Ars Technica.) Megaupload has steadfastly and publicly claimed that it prohibited illegal content sharing by policy and practice. The Department of Justice asserts it has sufficient proof that Megaupload has knowingly engaged in illegal practices.
Now consider the primary enforcement mechanisms in SOPA and PIPA, which allow complaining companies or organizations to obtain a court order requiring ISPs to block offending foreign sites. The ISPs have just days to appeal a judge’s opinion that the site is trucking in pirated music, software, etc. The House bill, PIPA, is very broad in its definition of offenders, and SOPA, while it narrows its definition to sites that exist solely to peddle pirated wares, leaves much open to interpretation. In either case, how is a judge, with a short appeal window, to decide if punitive action is warranted? The Department of Justice undoubtedly put a lot of time, investigation and effort into building its case. If it proceeds to a conclusion, the case, including what may be lengthy extradition efforts, could go on for a year or more. But this is the right way to address piracy. It may not be politically appetizing, but it may result in justice.