A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month.
Because he’s a minor, he can’t be named.
A DDoS is an attack in which the servers of a targeted online service are slowed to a crawl by floods of pointless data, such as email or file uploads, that clog up their processing capacity.
KTVB reports that West Ada students suffered assorted misery because of the attack, including losing their work on the Idaho Standard Achievement tests.
Some students had to take the tests multiple times.
Meanwhile, online classes and textbooks weren’t available for much of the week, and faculty and staff had problems accessing administrative and business systems, including payroll.
The school district’s IT staff eventually traced an IP address back to the 17-year-old, who was suspended from Eagle High. School officials are recommending that he be expelled.
The sheriff’s office told the TV station that the boy will likely face a felony charge of computer crime, which is punishable by up to 180 days in a juvenile detention facility.
In addition, his family will be responsible for financial restitution to cover costs incurred by the school district. Operations at more than 50 schools were disrupted because of the attack.
As of Wednesday, investigators were also looking into whether a younger student – one attending Eagle Middle School – attempted a similar attack this week.
School officials sent parents a letter on Friday that urged them to talk with their children about the consequences of committing cyber attacks such as this one.
We can assure students and parents that the consequences associated with a DDoS attack are far from trivial.
Examples include two online gaming programmers from Poland who were given 5-year jail sentences in December 2013 for DDoS and cyber-extortion of a UK online marketing company and a US internet software company.
In that same month, a US man was fined $183,000 (£116,772) after joining, for merely 1 minute, an Anonymous DDoS of the enormous, multinational corporation Koch Industries.
When it comes to DDoS, the law doesn’t spare you if you’re a kid.
He pleaded guilty in 2014.
We often hear DDoS’ers trying to justify DDoSes under the premise that really, companies should be thanking the attackers for “raising awareness” of their vulnerability.
That’s an old, tired spiel that we got from Lizard Squad members after they ruined Christmas with their Xbox Live/PlayStation attack.
Or, in the words of a man who claimed to speak for the attackers, they did it …
...to raise awareness, to amuse ourselves...
But as Naked Security’s Mark Stockley said at the time, a DDoS attack isn’t a skilful hack. You don’t need elite lock-picking skills to pull it off, because you’re not picking a lock.
Rather, you’re blocking the door from the outside with as much garbage as you can pile up.
Is DDoSing a company, or your school, or any online service, worth the lulz? For an answer, we can ask the LulzSec guys. If they’re out of prison, maybe they can let us know.