Are DDoS (distributed denial-of-service) attacks against the law?


It's not pleasant to be on the receiving end of a distributed denial-of-service (DDoS) attack.

Malicious hackers can commandeer thousands of computers around the world, and order them to deluge a website with traffic - effectively clogging it up, preventing others from reaching the site, and bringing the website to its knees.

As I've described before, DDoS attacks are the equivalent of "15 fat men trying to get through a revolving door at the same time" - nothing can move.

In recent days a number of websites have been struck by DDoS attacks, seemingly co-ordinated by supporters of WikiLeaks against firms and websites who they feel have turned their back on the controversial whistle-blowing website.

Most recently, internet users have been urged to voluntarily join a botnet, by downloading a DDoS attack tool called LOIC (the name stands for Low Orbit Ion Cannon, and you can read more about it in a detailed analysis by Sophos's Vanja Svajcer).

My advice to you is to stay well away. Not only would you be foolish to run code on your computer which allows unknown parties to launch attacks against websites at a whim, but you should also understand the legal issues which surround participating in a denial-of-service attack.

For instance, in the UK (where I am writing from today), anti-DDoS laws have been in place since 2006 and could result in you being sent to jail for up to ten years. Similar laws have also been present in Sweden since 2007.

It's the same story in the USA, where they take a tough line on those who engage in denial-of-service attacks against websites. For instance, last year saw the jailing of a man who launched a DDoS attack against the Scientology website.

And just last month, 23-year-old Mitchell L Frost, of Bellevue, Ohio, was given a 30 month prison sentence for a series of DDoS attacks he launched against the websites of high profile US right-wingers Bill O'Reilly, Ann Coulter and Rudy Giuliani.

So, with that in mind, would it really be wise for you to volunteer to join a botnet which is participating in DDoS attacks? Normally botnets are comprised of the computers belonging to innocent people who have fallen foul of malicious hackers without their knowledge. But if you knowingly participate in a botnet and denial-of-service attack - well, that's a whole different ball game and unlikely to be looked upon kindly by the computer crime cops.

The police may find it very difficult to identify the shady group of anonymous individuals who have co-ordinated the latest round of attacks against sites they don't consider pro-WikiLeaks, of course. But you would be crazy to give the authorities any reason to come knocking on your door. After all, someone might be looking for an easy poster-child to warn off others who might be tempted to assist in a distributed denial-of-service.


40 Responses to Are DDoS (distributed denial-of-service) attacks against the law?

  1. Deb · 1414 days ago

    Why are DDoS attacks only now coming under question? Wikileaks itself was under DDoS a few days ago and no one batted an eye. Illegal? Yes, and for good reason. Only illegal if it's you who suffer, but acceptable for your enemy to suffer? I would hope not.

  2. SweetAlabama · 1414 days ago

    There are better ways to show disagreement and to change the world than by doing illegal acts. There is a reason it's illegal or anyone who wants to bully other people on the internet can use DDOS to intimidate, harass, and make others' lives and businesses miserable and fail.

    We have been on the receiving end of a ddos attack before because of something we published and the other party did not like what he had to say and wanted it taken down. We lost the new hosting of the site - lost out on money, time, and had to give up our publication of the time.

    This 'wikileaks' are wrong, they outed people helping the US government against terrorists and put these same people in danger for their Lives!

    If you wonder why people are after the owner of wikileaks to arrest and try him for various things, it's because by all his actions he has shown to be criminally and morally corrupt and does not care what he does to other people. Those who support him don't care for those they use either. There is getting the truth out there and then there is Criminal carelessness.

    Here is to the Truth!

    • Morten Sorensen · 1414 days ago

      I disagree with what you have to say but will fight to the death to protect your right to say it?

    • Eddie · 1413 days ago

      It's sad.. I'm sure the people who support WikiLeaks only support it online rather than publicly. The internet allows people to let the dark side (no starwars pun intended) of themselves out and a lot of people take advantage of it.

      • rene · 1412 days ago

        the internet is more public than real life. Public means in front of or in the midst of other people. What is more public than the internet?

    • Amt · 1411 days ago

      What Wikileaks did is what any good news agency should have done. Truth should be based on facts which Wikileaks have provided.

      Now you have a right not to read it, close your eyes and relax hoping the world is fine around you. But you have no right to tell others what they can or cannot think. If we have some bad secrets, we have to face it. And start working on why we reached that level of lies and deception. And what can we do to change and avoid it in future.

    • Particle · 1286 days ago

      that is a rather naive and reductionist description of WikiLeaks you are using. the main point of WikiLeaks is to "OUT" clandestine operations which for the most part are actually illegal by international law. if PayPal or the swiss PostFinance cuts off WikiLeaks and then tells the press that this had absolutely nothing to do with getting heat from certain agencies, then they simply lied to the people. if they are so morally confident about their decision, why not tell the public so? it's exactly this shadow world, which seems nonexistent in your thoughts, that WikiLeaks attacks.

    • Anonymous · 894 days ago

      Yes, they outed U.S. Imperialists from stirring up more trouble in the middle east for their own selfish ends.

    • Jack · 621 days ago

      Why would anyone want to DDOS you? You forgot to leave the motive for the action. Were you doing someone wrong, have a disgruntled worker? Why did you get DDOS? Most people don't just randomly DDOS someone.

  3. what is the point of all this ?

  4. bla · 1414 days ago

    So be afraid, very afraid to take any actions. It doesn't matter if you disagree with something. Shut up and think of all the bad things that can happen to you if you dare to change the world.....

    • McGee · 1412 days ago

      Yeah, we should just shut up and watch TV, because we're merely citizens. We're not governments, they're the only ones who can DDoS stuff...

      WAY TO GO, SOPHOS PEOPLE

      • Anonymous · 1335 days ago

        The price of apathy is to be ruled by evil men - Plato.

    • jesse_a_b · 923 days ago

      This article is biased : LOIC cannot be harmful to your computer as they say here.

    • Anonymous · 259 days ago

      Because joining in on a DDOS attack accomplishes oh-so-very-much.

      How about they do something USEFUL and non-assholish?

  5. CrankCase · 1414 days ago

    Laws are made by rotten, corrupt politicians to send people hiding under their little rocks in fear. It comes to a point where people must decide whether they be a lion or a sheep, whether they forever be like a child that is frightened of the bullying teacher, or a grown adult that can strike back.

    • timandm · 811 days ago

      I'd like to say I knew an honest politician once.... but I can't.... I completely agree that there are times when people MUST challenge the laws... No doubt.... But when these actions hurt innocent law abiding citizens, they aren't being done to change the world for the better...

      So, how is that relevant here? Well, if you join a group in which you don't really know the other members...AND you aren't completely aware of everything they're doing.... You're likely to end up on the wrong side... These groups can be misused the same way politicians misuse their powers to take over the government and oppress the people...

      Fight corrupt government and oppressive regimes? ABSOLUTELY....
      but that should never include attacks on the innocent.

  6. Mark · 1414 days ago

    The problem with obeying the law - is that nothing tends to change. Sometimes you have to empower the little guy to make a stand.

    Democracy is a discussion involving two wolves and a sheep voting on what to have for dinner. Empowerment is giving the sheep a gun.

  7. Guest · 1414 days ago

    You didn't hear those hypocrites when it was Wikileaks that was under attack some days ago. I would say: WTF DDoS? Just yank some plugs out of the wall, or cut off the power to the datacenters. Let's see how they like *that*.

    Rise against evil. It doesn't matter if it is governments or "bad" guys. DO NOT let yourself be silenced.

  8. anonymous coward · 1414 days ago

    A hacker named th3 j3st3r was committing successful DDoS attacks against WikiLeaks a few weeks ago but all he got was a purple heart and glowing articles written about him.

    Just saying

  9. anon · 1413 days ago

    You sir, are a brain-washed victim of governmental ideas

  10. Eddie · 1413 days ago

    I don't understand why the punishment is so harsh?! 10 YEARS for partaking in a DDoS attack? Maybe I don't understand what the real harm is here? Possibly some of these sites lose money from people not being able to access them but... is that really worth taking 10 years away from somebody's life for?

  11. Disgruntled Peon · 1412 days ago

    Our (I use the term loosely) government has been ruining people's lives for even less serious offenses for decades, the only thing that surprises me anymore is that they aren't shooting us and billing our next of kin for the cost of the bullet. 10+ years for smoking pot, 10+ years for participating in DDOS attacks, 3-5 for rape, welcome to the American justice system

  12. Anon · 1410 days ago

    If this whole WikiLeaks fiasco has taught me anything it's that my voice is meaningless

  13. Phill A · 1409 days ago

    Just look at some of the murders committed by the USA and exposed by Wikileaks during this present conflict. Look at the bodies lying on the ground, look at the gunship hovering over the bodies and the airmen praising themselves. Look closer and see that some of the bodies are children, others reporters and none have guns.
    Listen to the yanks calling it a conflict and now listen to the silence as they are exposed by Wikileaks.
    A damning silence, the silence of a wicked, evil government.
    It is that silence that wants DDOS attacks stopped - it is that silence that hides behind the law.
    Don't tell me companies get hurt by DDOS attacks when thousands upon thousands are being killed by that very same government. get your priorities right!

  14. Anon · 1407 days ago

    if you try to load a web page too many times you will get in trouble.

    grandma stop hitting the refresh button or the feds are gonna come a runnin!

  15. zep · 1400 days ago

    I would suggest that DDoS 'attacks' are often really little more than a digital version of civil disobedience. and while illegal, they certainly don't rise to the level of crime they're (often) being prosecuted as. it's the problem of little guys fighting big guys; the big guys get to make the rules of what's fair and what's off limits.

  16. Excellent work, as usual, Graham. I really appreciate your clear, level-headed presentation of the truth. The only thing I want to add is that the Anonymous people using the Low Orbit Ion Cannon won't be hard to find at all. The only issue for law enforcement is how many of them they feel like prosecuting, and when.

    I don't see DoS as a moral way to effect change at all, unless you do it openly under your real name and accept being arrested for it. That would be analogous to Gandhi and Martin Luther King. Attacking and then hiding doesn't send any useful message to anyone, except that there are a lot of bored teenagers who want attention.

  17. David Villa · 1378 days ago

    Wait just a minute. If you run LOIC or a similar program on your own machine, it's a denial of service (DoS) attack. The only reason it's a distributed denial of service (DDoS) attack is that thousands of others are doing it at the same time. There's a difference between participating as a single bot voluntarily and coordinating a botnet without permission from the owners. I wouldn't doubt it's still illegal, but so is forming a chain around the entrance of a building. This is the digital world equivalent.

  18. anonamyous · 1366 days ago

    Illegal? Well, in most democracies the right to resistance against enemies of the democracy is settled in the constitution. So if people are raising their voice (in this case with DDOS) to support the people in another country in their fight for freedom I call it justified!

  19. KornDeSand · 1364 days ago

    This article is biased. It offers no alternative than to abide by the schizophrenic laws of our addict and infantile power holders. -1

  20. BogBlog · 1332 days ago

    I thought it was like a fine. ten years? I'm staying the hell away from ddos.

  21. Max · 1094 days ago

    I really dislike the implication at the end that Anonymous is attacking any website that is not "pro-wikileaks"

  22. Onlooker · 1038 days ago

    10 years for clogging a website? There's a documentary called "If A Tree Falls" about an environmentalist group who burnt down millions of dollars of corporate property. The leader of the group only got 8 years in prison. So... arson?

  23. guest · 997 days ago

    if this is what it takes for nerdy teenagers to stand up and let their voice be heard so be it, but for the most part they are hidden behind so many proxies/vpn/and tor networks that it is literally (but not quite) untraceable..

  24. Ronald D · 948 days ago

    What if you, residing in the US, use such a tool to participate in a DDOS attack on a website in a different country, say, in China, Russia, Nigeria?

    Is the FBI likely to knock on your door in this case as well? Or would it take a legal warrant from that country in order to put US authorities in motion?

  25. Bon Andrews · 929 days ago

    What is the age limit for getting arrested for ddossing??

  26. Axiste · 403 days ago

    Can you do a DDoS attack on a friend's router and not get in trouble? Is it only when the target of the DDoS pushes for legal action against you do they investigate? How does it work?

  27. Mike · 63 days ago

    DDoS attacks exist because the law allows it.
    There is no real law which works to stop DDoS attacks at all. Those laws may only work if the target of the attack is quite a rich person who wishes to punish an attacker.
    If you are not a millionaire then no one cares if you are under attack. ISPs just disconnect the internet connection which is under attack, and if attacks continue then the ISP may annul the contract with the customer who is under attack. This is totally unfair, but this is the reality nowadays.

    Any immature bad kid may download a program for making DDoS attacks and terrorize good people in such internet services as chats, online games, Skype and any other kind of services based on P2P connections.
    And there is no real salvation from that plague if you are not a millionaire.
    As a last resort there is only a special VPN service, protected against DDoS attacks, which really works, but not for free.

    There are a lot of protection services which get money from DDoS attacks, and of course they wouldn't like it if DDoS attacks were stopped at all.
    The bad thing is that most of these services aim to protect rich customers, web sites and big internet projects...
    They have no idea to protect single persons. Among tens of such services there are only very few which may protect a single person at a moderate price, but still that person should understand a lot of things about computers to be able to manage that service.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.