Click on an Anonymous link, and you could be DDoS’ing the US government


Here’s a quick summary of events:

* On Wednesday, thousands of websites participated in an “internet blackout”, protesting against proposed US anti-piracy legislation.

* Yesterday, file-sharing website Megaupload was shut down, and its founders arrested.

The charge? Online piracy alleged to have cost the entertainment industry more than half a billion dollars.

* Overnight, websites belonging to the FBI, Department of Justice, RIAA, MPAA, Universal and others were struck by a distributed denial-of-service (DDoS) attack.

* The loosely-knit collective Anonymous has claimed responsibility for the attacks (which they dubbed Operation Megaupload):

We Anonymous are launching our largest attack ever on government and music industry sites. Lulz. The FBI didn't think they would get away with this did they? They should have expected us.

In the past, Anonymous has encouraged supporters to install a program called LOIC (Low Orbit Ion Cannon) which allows computers to join in an attack on a particular website, blasting it with unwanted traffic.

This time, things are slightly different: you only have to click on a web link to launch a DDoS attack.

[Image: DDoS tweets]

We’ve seen many links posted on Twitter, and no doubt elsewhere on the internet, pointing to a page on the website. If you visit the webpage, and do not have JavaScript disabled, you will instantly, without user interaction, begin to flood a website of Anonymous’s choice with unwanted traffic, helping to perpetuate a DDoS attack.

[Image: Section of webpage code]

At the time of writing, for example, it’s the Justice department website which is in their sights.

[Image: DDoS launch webpage]
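
For site operators, traffic driven by a shared web page tends to look different from a tool-based flood: requests arrive from many ordinary browsers, and browsers normally send a Referer header naming the page that triggered them. The sketch below is an added example, not code from the page described above; it scans web server logs for one external Referer that accounts for many requests from many distinct clients. The Combined Log Format input, the thresholds, and every hostname and address in the sample are assumptions made up for illustration, and a Referer can be absent or stripped, so this is one signal rather than a complete detector.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "[^"]*"$'
)

def flag_flood_referers(lines, own_host, min_requests=6, min_clients=3):
    """Map each external Referer that sends many requests from many
    distinct clients to (request_count, distinct_client_count)."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        try:
            host = urlsplit(m["ref"]).hostname
        except ValueError:
            continue  # malformed Referer value
        if not host or host == own_host:
            continue  # no Referer ("-") or normal same-site navigation
        hits[m["ref"]] += 1
        clients[m["ref"]].add(m["ip"])
    return {
        ref: (count, len(clients[ref]))
        for ref, count in hits.items()
        if count >= min_requests and len(clients[ref]) >= min_clients
    }

def sample_log():
    """Constructed log lines: one shared external page plus ordinary traffic."""
    fmt = ('{ip} - - [20/Jan/2012:09:00:{s:02d} +0000] "GET / HTTP/1.1" '
           '200 512 "{ref}" "Mozilla/5.0"')
    lines = [
        fmt.format(ip=f"198.51.100.{c}", s=n, ref="http://paste.example/page.html")
        for c in range(1, 5) for n in range(3)
    ]
    lines.append(fmt.format(ip="203.0.113.9", s=5, ref="http://www.example.gov/news"))
    lines.append(fmt.format(ip="203.0.113.10", s=6, ref="http://search.example/?q=doj"))
    lines.append(fmt.format(ip="203.0.113.11", s=7, ref="-"))
    return lines

if __name__ == "__main__":
    for ref, (count, n) in flag_flood_referers(sample_log(), "www.example.gov").items():
        print(f"{ref}: {count} requests from {n} clients")
```

A flagged Referer gives responders a concrete URL to report to the hosting provider and a header value to rate-limit or filter at the edge.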

Don’t forget, denial-of-service attacks are illegal. If you participate in such an attack you could find yourself receiving a lengthy jail sentence.

With this method, however, Anonymous might be hoping that participants could argue that they did not knowingly assist in the DDoS attack, and clicked on the link in innocence without realising what it would do.

I’m not a lawyer, so I can’t tell you if that’s going to be an adequate defence or not if you end up in court.

Personally I find it much easier to support users and companies blacking out their websites for a day in protest against the SOPA/PIPA legislation than launching DDoS attacks against US government websites.