Last week’s Operation Titstorm attacks by online activist group "Anonymous" brought down the Parliament House website for three days. One cyber hacker tells Crikey just how easy it was to do.
Last week’s Operation Titstorm attacks by Anonymous brought down the Parliament House website for three days, yet they seem to have been organised by teenagers using basic tools.
As Crikey reported in September a Denial of Service attack (DoS) took the PM’s website offline for about 10 minutes. The inconvenience was minimal.
This time, the attacks were more effective, with aph.gov.au being hit by up to 7.5 million incoming inquiries every second, completely overloading it. While that sounds a lot, today’s fast computers and broadband links mean it can be accomplished with a few hundred computers.
The attack also included a flood of pornographic emails and faxes to parliamentary staffers.
In an interview for today’s Patch Monday podcast, a young-sounding organiser using the handle "c0ld blood" told me that about 400-500 people had taken part.
"Lots of them are kids and teenagers, and the main reason that they take part in these attacks is because kids and teenagers don’t really get the chance to voice their opinions," he told me.
c0ld blood acknowledges that DoS attacks are illegal, but was dismissive of conventional political processes.
"It would just be falling on deaf ears. By DoSing the sites it’s giving … it’s forcing the hand of the Australian government because they’re going to have to take notice," he says. "We need to send a message across that governments can not just mess with the internet and not expect any backlash."
c0ld blood wasn’t sure how the Parliament House website ended up being a target.
"There was a long list of ones which were going to be targeted and I think that one just fell down the easiest so people carried on doing it," he says.
While c0ld blood considers the attack "quite successful", other groups opposed to internet filtering are distancing themselves -- even other sections of "Anonymous".
"AnonSA does not endorse or support the recent attempts by Anonymous hackers to attack government websites," the South Australian chapter said in a statement.
"Whilst we agree that the government’s proposed internet censorship legislation is an ill-conceived idea, we do not condone the methods taken by the individuals responsible for the DDoS attacks as an appropriate way to engage with the government."
According to Electronic Frontiers Australia: "Not only are [the attacks] illegal, but they damage the cause by playing to stereotypes of filter opponents as juveniles motivated by a desire to keep the internet safe for p-rn. They serve no purpose but to give the government the moral high ground."
Alan Thompson, secretary of the Department of Parliamentary Services, would agree. He personally received more than 8000 p-rnographic emails, and his inbound fax machine "just jammed up".
"It gives little credit to the people who organised it," he told Crikey. "It diminishes their cause enormously."
The Parliament House website isn’t particularly modern, something Thompson is happy to admit. It currently appears to be run from a commodity-grade hosting service.
"We acknowledge that the service to the external world has been badly affected, we acknowledge and apologise for that," he says.
Nevertheless, the website isn’t a mission-critical system (shoosh, Bernard Keane). It’s separate from the core Parliament House network. One can safely assume the PM and other key players have their own secure, high-reliability network provisioned in … other ways.
A new aph.gov.au website is expected to be built in the next 12 months. While it could be built to withstand attacks such as that from Anonymous -- an attack from 500 computers is small beer compared with the vast botnets run by organised criminals -- it would also be expensive.
"There’s no need to spend the million dollars which would be required to build the right infrastructure protection on a system which isn’t mission critical," security consultant Crispin Harris told Crikey.
"Financially, is there any reason for them to spend any more money than they’ve done? My opinion is no."