Attacking Websites Is Surprisingly Easy Social Protest

The websites of Amazon, PayPal and MasterCard were the subjects of attack this week. The targets may be massive multinational companies, but the attacks themselves are startlingly easy to pull off.


This past week, the websites of Amazon, PayPal, MasterCard and others were hit by what computer experts called denial-of-service attacks. The attackers are anonymous. In fact, they're part of a group called Anonymous, and they're acting in support of WikiLeaks.

The targets of their attacks are huge, multinational corporations. But it turns out the method of attack itself isn't that complicated.

Here to explain is Nicolas Christin. He's associate director of the Information Networking Institute at Carnegie Mellon University in Pittsburgh.

Nicolas Christin, thanks for being here.

Mr. NICOLAS CHRISTIN (Associate Director, Information Networking Institute, Carnegie Mellon University): Thank you for having me.

CORNISH: So a 16-year-old boy in the Netherlands was arrested and charged with launching some of these attacks. I mean, 16 years old - really? How do they work, and is it that simple?

Mr. CHRISTIN: They're not very difficult from a technological standpoint. So essentially, to give you an analogy, it's as if you are trying to call someone, and you have many people trying to call the same person. Well, now when another person is going to try to call, they're going to get a busy signal.

And that's essentially what is happening here. You have many computers that are connecting to one, specific, target website. And because they are doing that simultaneously, somebody else wants to engage in a legitimate transaction with this website - simply doesn't get through; gets a busy signal, if you will.

CORNISH: And what I'm reading, though, is that, I mean, this technique's been around for a while, but that there's something a little bit different going on in the latest attacks.

Mr. CHRISTIN: Yes. Traditionally, what people were doing was to enroll those machines somewhat involuntarily - meaning, a virus or worm would spread, and the attacker would basically be carrying out their attacks without the knowledge or the permission of the machine owners.

What we see here is a little bit different. People actually sign up to lend their machines to the attackers and...

CORNISH: Right. And social media is sort of amplifying this, right? I mean, I'm seeing a lot of this - conversation about this on Twitter.

Mr. CHRISTIN: Absolutely. So what you see is that people are saying on Twitter things like: We want to punish Amazon, or we want to punish PayPal. Just download this program and join the fight. And indeed, this has been made possible by the emergence of social networks, which make it a lot easier than before to have protests of such massive scale be started in just a matter of minutes.

CORNISH: One thing I have to ask, though, is with companies like MasterCard and PayPal, I mean, they're holding on to personal finance information for a tremendous number of people. So again, isn't this also jeopardizing that information, that that could fall into the wrong hands during these attacks - which are really about WikiLeaks; they're about something else?

Mr. CHRISTIN: Well, I think those are actually two different problems. When a site such as MasterCard or PayPal is victim of a denial-of-service attack, the attacker is actually not getting into those computers. They're just calling them.

So getting a busy signal on a phone line doesn't mean that there's a burglar or that he's at the same time entering your house.

CORNISH: Nicolas, taking a step back, what can we learn from this latest round of denial-of-service attacks, as sort of a chapter of computer science history?

Mr. CHRISTIN: I think that what we're seeing right now is the convergence between technological availability and civil disobedience. There's always been protests of people being unhappy about something. But what we realize now is that with the technological means that we have at our disposal, and in particular the social media on the one hand, the easy network access that most people have, participating in acts of electronic civil disobedience is actually relatively easy.

And I think we're going to see, unfortunately, more of these attacks in the future just because they are so easy to carry out, and they are relatively difficult to defend against.

CORNISH: Nicolas Christin - he's associate director of the Information Networking Institute at Carnegie Mellon University, in Pittsburgh. He spoke to us from the studios of WQED.

Nicolas Christin, thanks so much.

Mr. CHRISTIN: Thank you.

Copyright © 2010 NPR. All rights reserved. Visit our website terms of use and permissions pages for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.