Millions of Americans unhappy at the inauguration of Donald Trump as the 45th President of the United States are being urged to protest today by visiting the White House website.
If this sounds like an eccentric protest, its organizer Juan Soberanis hopes that if enough people visit the site enough times, it will eventually become overloaded.
As Soberanis explained the idea on his protester.io web page (cached):
“When enough people occupy www.whitehouse.gov the site will go down. Please join us and stand up against this demagogue who is threatening our democracy and our security.”
Revealingly, that text appears to have been edited from a previous version that offered more explicit instructions on how people should carry out this act.
The immediate question is whether this protest will achieve its aim. Given that the US government shields its sites behind meaty mitigation, one might assume not. But “HTTP flood” attacks are among the toughest to stop because mitigating them typically relies on IP reputation and traffic profiling, neither of which will be easy to apply in this case.
Possibly, not enough people will take part in the protest but others (including Trump supporters) will rubberneck it to see what’s happening, thus achieving the same result.
What about legality? A widely quoted response came from Stephen Gates, chief research intelligence analyst at DDoS mitigation company NSFOCUS:
Participating in a DDoS attack is a crime, regardless if you use a tool, a script, a botnet for hire, or a finger and a keyboard. If protesters move forward with this demonstration, they must remember that their source IP addresses in most cases will not be spoofed; meaning, law enforcement can easily track those who participate.
Directing traffic at a website or service using a tool or botnet is illegal in the US and UK without a shadow of a doubt, but does the same apply to fingers and keyboards? If such a statement were true, it would in effect stop anyone from visiting a website using a mouse or keyboard, clearly a ridiculous idea.
To prosecute internet users (many not based in the US), the authorities would have to prove intent – that by visiting whitehouse.gov a user was specifically trying to induce a denial of service. That sounds hopelessly difficult.
To some, the idea of annoying people you disagree by overloading their websites will seem old-fashioned, evoking as it does the Anonymous and 4chan DDoS attacks of 2010 onwards against a range of organizations.
During that era, hacktivist groups also encouraged non-expert internet users to take part in DDoS protest attacks using the Low Orbit Ion Cannon (LOIC) “DDoS for dummies’”tool until the authorities started prosecuting participants as a warning.
Others are likely to portray an attack on the White House website as cheap “slacktivism”, a gesture that diverts the hard work of political opposition into lazy symbolic acts.
In a telling irony, some time on Thursday Soberanis’s protest.io website itself became unavailable. It wasn’t clear whether this was a deliberate act or the site had suffered a DDoS attack of the sort of had promised to rain down on others.
As the Chinese proverb states: when plotting revenge remember to dig two graves.