Posted by: Bryan Zhao
April 19, 2015
Have you ever wondered why certain websites, despite being backed by companies with seemingly endless budgets, can slow to a halt or even disappear for hours, days, or longer at a time? While the loss of access is sometimes caused by innocuous sources, such as maintenance, hardware malfunction, or errors, on other occasions the cause could be a much more malicious action: DDoS. While many readers may have heard of the term, or even know what a DDoS consists of and that performing a DDoS attack may lead to criminal liability, they most likely have never researched why that is so. Additionally, they may not know
What is DDoS?
The first question you may be asking yourself is: what exactly is a DDoS attack? A DoS, or denial-of-service, attack targets a server and attempts to overload it by essentially spamming it with a large amount of traffic over a short period of time. The server, unable to respond to all of the incoming requests, is overwhelmed and cannot respond to legitimate requests for its service either. A DDoS attack, like a DoS attack, targets a server but is differentiated by its use of multiple computers and multiple internet connections to amplify the effect. While a DDoS attack is not itself inexpensive, sometimes averaging $40,000 an hour to conduct, the harm can be far more detrimental to a company that relies on its website to drive traffic and fuel purchases.
DDoS has traditionally been used for a multitude of reasons, ranging from shady businesses attacking their competitors to steal customers away, to protests against a company’s actions, to simply being bored and wanting to cause chaos.
Why is DDoS illegal?
Quite apart from the great deal of financial damage a DDoS attack may cause, virtually all DDoS attacks are illegal because they fall within the parameters of 18 U.S.C. § 1030. While the attack violates several provisions of the code, three sections stand out most clearly: 18 U.S.C. § 1030(a)(5)(B), § 1030(a)(5)(C), and § 1030(b).
- 1030(a)(5)(B) – [Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [shall be punished as provided in subsection (c) of this section].
- 1030(a)(5)(C) – [Whoever] intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss [shall be punished as provided in subsection (c) of this section].
- 1030(b) – Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
Under the same section of the code, a protected computer is essentially any computer owned by the government or any computer used in interstate or foreign commerce. With that understanding, an attack on any commercial organization’s website, any governmental website, or any personal computer used in interstate commerce is punishable. In some cases, simply accessing a computer and using its resources to the detriment of its owner may be sufficient to constitute a violation under this act. Additionally, users who purchase such an attack but never actually conduct the act themselves are equally punishable under the provision.
How does this affect me?
DDoS attacks rely on having innocent computers with malware installed, and that means every single computer connected to the internet may carry at least some potential for being used in a DDoS attack. To prevent your computer from being part of such an attack, it is important to ensure that your anti-malware software is up to date and to avoid downloading suspicious files. While it is extremely unlikely that an innocent user who happens to have malware installed on his or her computer would ever be charged, 18 U.S.C. § 1030(a)(5)(A) may also authorize the government to impose criminal liability upon:
“[Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [shall be punished as provided in subsection (c) of this section]”
The language, somewhat ambiguous, may allow the government to charge a user who knows he or she has DDoS-supporting malware on his or her computer and fails to take action to prevent future attacks using the computer as a resource. If any user ever gets a notice about his or her computer being part of such an attack, it would be prudent to take action to rectify the situation immediately.