But the lesson here is, when you visit a web page, a line in a log that identifies you is generated. Generate too many of these lines, and, one line of Perl later, the cops are going to be asking you some questions. Don't participate in a DDoS attack unless you're absolutely sure that nobody is logging your traffic. And that is something that's impossible to be sure of these days.
Edit: I've watched Anonymous (insert typical disclaimer about the membership of a heterogenous group of net users) attack more than one of my boxes. DDOS's have been traditionally been the regime of surreptitious botnets, not voluntary ones. I'll bet you some unsuspecting soccer mom (or someone who pisses off Anon) gets nabbed at some point.
They cherry picked a few IP addresses, set surveillance on them, and then chose those few which belonged to people who were active on forums revealing that they were in fact probably guilty and didn't just have a trojan or little brother.
If the FBI intended to comprehensively prosecute every offender your point would be a genuine hindrance. However they only need a few to deter the behaviour and they know this.
Thousands of people participated in these protests, and a handful are going to be made examples of. It's not at all unlike a flesh-and-blood protest.
Just use some JS to create image elements, script tags, iframes etc all with sources pointing at the target, should be able to do a few hundred a second at least.
As things move on, I don't think individuals who happen to fire off a few hundred requests at a website should be investigated/prosecuted/etc. Website owners just need to get better at protecting their systems.
They didn't just pick a random IP and then send a team.
They picked the IP, sniffed their traffic, monitored their internet behaviour, read their forum posts, and then finally selected them to be an example.
By performing surveillance like this you can be 99% sure who is a real voluntary participant and who is just a stooge. A voluntary participant will talk about it on forums for example, brag on IRC, etc etc. These will be the ones selected by the FBI for dramatic home visits.
So it's like assassination, then: all you have to do to get away clean is to execute only on others' commands, making no plans of your own, and not discussing, bragging, or asking questions. Historically, this leads quickly to a two-level military structure: officers to point, and enlistedmen to shoot.
The only question is whether any sort of hierarchy is possible within a completely decentralized system of mutually non-trusting agents, who are nonetheless driven by either status or belonging. That sounds like it should have a mathematical answer...
Mostly agree, but thought it worth pointing out that no browser will respond to this by parallelizing the million requests - most browsers don't ever open more than a dozen or so concurrent connections to one site. So this wouldn't do as much as you might think, unless you could get lots of users to stay on your page for a long time.
Maybe my 'few hundred a second' was a bit off, idk