Norwegian teenagers arrested over denial-of-service attacks

Filed Under: Denial of Service, Featured, Law & order, Vulnerability

Norwegian face painting. Image from ShutterstockTwo teenagers have been arrested in Norway in connection with a series of distributed denial-of-service (DDoS) attacks against websites in the country, and elsewhere around the world.

Norway's National Criminal Investigation Service (NCIS) has refused to go into much detail of which websites were targeted by the attacks, but news reports have suggested that victims are believed to include the Norwegian Lottery, the Norwegian Police Security Service, the Norwegian bank DNB, Germany's Bild Magazine, and the UK's Serious Organised Crime Agency (SOCA).

SOCA was hit by a high profile denial-of-service attack last week, preventing internet users from reaching it.

The motivation for the attacks is presently unclear.

The arrested teenagers, who have not been named, are aged 18 and 19 years, and are said to have launched the attacks over a period lasting "several weeks", flooding websites with unwanted traffic to such an extent that legitimate visitors would find them inaccessible. In simple terms, a DDoS attack is the equivalent of "15 fat men trying to get through a revolving door at the same time" - nothing can move.

If found guilty, the teenagers could face a maximum sentence of six years in jail.

Once again, it seems worth reminding computer users that participating in a denial-of-service attack is against the law, and is not viewed leniently by the authorities.

Norwegian face painting image, courtesy of Shutterstock.

, , ,

You might like

8 Responses to Norwegian teenagers arrested over denial-of-service attacks

  1. Ben · 1207 days ago

    When does a legitimate request become a DoS attack?

    • Anon · 1206 days ago

      When it causes embarrassment to people in high places?

      In my view a DDos attack is basically the digital equivalent of a sit-in. It hurts no one, causes no long term harm, and is fairly easy for anyone on the internet to do. I think it is a shame that the criminal justice system are treating DDos attacks as some sort of digital terrorism and handing down long prison sentences, rather than treating it as a form of legitimate and legal protest.

      For example suppose a group of people want to protest against a company’s actions (be it child labor, avoiding corporation tax, over payment of their CEO etc), if they turn up to the company offices and stage a sit-in, then provided they move when the police turn up, they will receive no punishment. Even if they resist, or chain themselves to fixtures the worse they can expect is a night in the cells, so why the harsh punishment for the arguably less disruptive online version of such a protest.

      • Nigel · 1206 days ago

        A sit-in seldom affects only those against whom it is targeted. Hence, a sit-in is just as wrong as a DDoS attack, and for the same reason: It interferes with others who are not interfering with you. No one has a right to interfere with others, for any reason --- no matter how "noble" the cause. "Two wrongs do not make a right" is more than a cliché; it's a moral principle.

        This business of justifying interference with others for some "higher purpose" is precisely how we get into unresolvable dilemmas that destabilize our social structures. The human species has yet to learn that a social structure based on the principle of non-interference with those who are not interfering with you is the only one that has any long-term stability.

        • Anonysupporter · 1205 days ago

          i completely disagree. i believe there is no such thing as a stable government, just like a forgotten pool of water by a river will eventually become stagnant, and need to be refreshed, so do governments every once in awhile.
          I also do think that the only way to really get a corrupt government to look at itself and maybe change is by civil disobedience. at the very least, civil disobedience will make a government crack down harder, and thus shortening its own life span.
          the power resides in the people, and opressed to a certain point it will break out. Societies need to be replaced, and most people(who are interested in societies and cultures and the downfall therof) believe in the five-fold law of societal evolution.
          however, your opinion is an interesting one, just one that i believe leads to slacktivism.


    • Paul Ducklin · 1206 days ago

      I presume it comes down to intent and reasonableness. Most developed countries have legal systems which take these into account.

      I suppose you could try a "I was runnning a purposeful site-scraping script to stay well-informed on international matters of great importance, but it slipped when I accidentally configured it to run every 1 millisecond instead of every 24 hours and it took me the best part of a month to stop it" explanation. But that's gambling on whether the magistrate sees it as a reason, or as a Big Fat Excuse :-)

      Or you could try a "sit-in" excuse. I can see why people might compare a sit-in and a DDoS - both are unlawful forms of protest in many jurisidictions, yet sit-ins often go mostly unpunished and sometimes make strong points. So why not protest with a DDoS?

      One problem with a DDoS protest is that it _isn't_ a sit-in. You don't have to be there. Your protest scales way more than linearly with the number of participants, so it's harder to claim that the volume of the protest represents the degree of its social acceptance. You aren't able to make any sort of personalised case - you're just impersonally breaking things. And you can't easily adapt the intrusiveness of your protest in the event of unintentional side-effects (e.g. by moving out into the car park if your hospital protest starts blocking emergency services).

  2. Grumble · 1206 days ago

    Web vandals do their worst - delay a handful of people viewing an obscure police website for a few hours.

    Police do their worst - arrest web vandals and keep locked up for next six years.

    Difficult to guess who's going to come out on top in this evenly pitched battle.

    • Paul Ducklin · 1206 days ago

      Six years is the maximum sentence according to statute. It's hard to imagine that such a long sentence would actually be handed down in a European country for youngsters committing DDoS offences.

      (The Norwegian Lottery - regardless of your moral outlook on national lotteries - is hardly "an obscure website", and it seems that the attacks were more than "a few hours" of interference...but that's for the court to decide. If they get convicted, that is.)

  3. Balthazar · 1206 days ago

    @Grumble: Isn't it good to arrest the vandals?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley