The legality of DDoS attacks has been argued both in the U.S. and abroad. Some say penalties are far too harsh, comparing DDoS attacks to peaceful protest. Others argue that these types of attacks are criminal and meant to disrupt and cause damage. Regardless of what side of the fence you stand, the reality is that DDoS is a difficult issue to address.
Distributed denial of service is the act of overwhelming a server until it can no longer perform. In simple terms, a successful DDoS attack occurs when repeated requests are sent to a target machine at a rate that exceeds the bandwidth and capabilities of the web server, causing it to go offline. There is no lasting damage, but until the attack stops there will be intermittent performance issues and downtime.
In the United States, DDoS attacks fall under federal statutes. Participants run the risk of being charged with both criminal and civil complaints. There is no point in distinguishing between distributed attacks and denial of service, as both types of attacks fall under the same laws. A person simply needs to have culpability in the attack or attempt it to be liable for prosecution.
The Computer Fraud and Abuse Act (the “CFAA”) prohibits a person from “knowingly caus[ing] the transmission of a program, information code, or command, and as a result of such conduct, intentionally causes damages without authorization to a protected computer” (see 18 U.S.C. § 1030(a)(5)(A)). While broadly worded, DDoS can be classified as transmission of a “program, information code, or command”. Damage is defined as “any impairment to the integrity or availability of data, a program, a system, or information” under 18 U.S.C. § 1030(e)(8).
Under the guidelines of the law, those found guilty can face up to 20 years in prison. The law stipulates different sentencing structures, each depending on the severity of the attack as well as the intended target. Attacks against government websites and financial institutions face the harshest penalties, especially where national security is concerned.
Beyond the criminal nature of DDoS, the civil component can mean hefty fines. One Wisconsin man learned this the hard way when he was fined $183,000 for his involvement in an Anonymous DDoS attack. His participation amounted to one minute. The attack targeted the Koch Industries website, with the entire attack lasting only 15 minutes. The company cited business losses of only $5,000 making this sentence seem disproportionate to the crime, some have argued.
In any case, DDoS attacks are a tricky thing to prosecute. Not only because of the act itself, which is often difficult to trace, but because DDoS attacks often involve other crimes. Most attackers rely on botnets to carry out attacks, which means system intrusions and malware. Evidence of this in conjunction with DDoS attacks mean more charges and longer sentencing.
DDoS Used In Commission of Crime
DDoS is often used as part of a larger crime or simply used as a diversion for fraud. There have been many documented cases of DDoS being used as a tool for extortion. Attacks have also been used to aid in theft, as was the case when fraudsters used DDoS to distract banks from wire transfers used to steal millions.
It’s cases like these that undoubtedly spur lawmakers into handing out long sentences for DDoS, but there are still others who argue DDoS is nothing more than a virtual ‘sit in’.
DDoS As Peaceful Protest
Protest is an expression of objection to particular events, policies or situations. Protest is an important part of free speech — it allows all those who are against something the collective right to voice their opinion and allow their message to be heard. DDoS attacks are argued by some to be a form of protest, not unlike standing in front of a store with signs in hand. The Guardian wrote a compelling piece advocating DDoS as free speech. There has even been a petition to the White House, calling on government to recognize DDoS as online protest.