A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. DDoS attacks accomplish this by exploiting infected computers and Internet of Things (IoT) devices to flood the target with junk requests. As more and more devices participate in the attack, the target becomes overloaded and is unable to respond to legitimate traffic.
DDoS attacks have become increasingly common in recent years. High-profile targets of DDoS attacks include banks, news websites, gaming services, e-commerce sites and even entire countries. The motives behind DDoS attacks vary – they may be conducted for ideological, political or financial reasons, or simply to cause disruption.
Regardless of the motive, launching a DDoS attack is generally illegal. In this article, we will examine the laws surrounding DDoS attacks and analyze how illegal these types of attacks really are.
Federal Laws on DDoS Attacks
In the United States, there are several federal laws that apply to DDoS attacks:
Computer Fraud and Abuse Act
The primary law governing cybercrime in the U.S. is the Computer Fraud and Abuse Act (CFAA). Under this law, it is illegal to intentionally cause damage to a protected computer. The law defines a protected computer as any computer used in interstate communication, which includes virtually every computer connected to the Internet.
Launching a DDoS attack involves using multiple compromised computers to overload a target. This constitutes intentional damage under the CFAA. If the attack causes over $5,000 in cumulative damage over a 1-year period, it can be prosecuted as a felony with up to 10 years in prison.
Wiretap Act
The Wiretap Act prohibits the unauthorized interception of electronic communications. Since a DDoS flooding attack inevitably involves intercepting network traffic, it violates the Wiretap Act.
Racketeer Influenced and Corrupt Organizations (RICO) Act
The RICO Act allows prosecutors to charge individuals who engage in organized criminal activity. DDoS attacks often involve botnets, networks of compromised devices controlled by a hacker. Botnet-driven DDoS attacks may constitute racketeering under RICO.
Economic Espionage Act of 1996
If a DDoS attack is perpetrated with the intent of stealing trade secrets or proprietary information, the Economic Espionage Act comes into play. The Act makes the theft of trade secrets a federal crime.
USA PATRIOT Act
The USA PATRIOT Act prohibits attacks that are intended to damage or interfere with critical infrastructure systems. If a DDoS attack targets infrastructure like utilities, hospitals or transportation systems, the perpetrators could face charges under the PATRIOT Act.
State Laws on DDoS
In addition to federal laws, most U.S. states have their own cybercrime statutes that apply to DDoS attacks:
Computer Trespassing Laws
Many states have laws against unauthorized computer access and computer trespassing. These laws make it illegal to access a computer system without permission, which includes sending a flood of traffic to overload a system.
Computer Fraud Laws
Similar to the federal CFAA, states have enacted computer fraud laws that prohibit intentionally accessing a computer to defraud or cause damage. Launching a DDoS attack constitutes computer fraud under these statutes.
Criminal Mischief Laws
States often have catch-all laws prohibiting intentional property damage or tampering. Causing service outages via DDoS can lead to criminal mischief charges in many states.
Consumer Protection Laws
If an online business suffers financial losses from a DDoS interruption, the attack may violate consumer protection laws in some states. These laws allow for civil charges for deceptive business practices.
Terroristic Threat Laws
Some states specifically prohibit making terroristic threats against computer networks and systems. Threatening a DDoS attack may lead to criminal charges even if no attack is carried out.
Penalties for DDoS Attacks
The exact penalties for DDoS attacks depend on the specific laws violated:
– Felony conviction under the CFAA – Up to 10 years imprisonment
– Violating the Wiretap Act – Up to 5 years imprisonment
– RICO charges – Up to 20 years imprisonment
– Economic Espionage charges – Up to 15 years imprisonment
– Damaging critical infrastructure under PATRIOT Act – Up to 20 years imprisonment
– Computer trespassing misdemeanor – Fines, up to 1 year in jail
– Computer fraud felony – Fines, over 1 year in jail
– Criminal mischief – Fines, possible jail time
– Consumer protection violations – Civil fines, damages
– Making terroristic threats – Misdemeanor or felony charges
In particularly serious cases with major disruption, damage, and losses, multiple federal and state laws may apply. This can lead to cumulative penalties and lengthy prison sentences.
Real World Examples of DDoS Prosecutions
While DDoS attacks are clearly illegal, tracking down and prosecuting perpetrators can be challenging. Cybercriminals often use technical means like botnets and IP spoofing to cover their tracks. However, here are some notable cases where authorities were able to identify and charge DDoS attackers:
MIRAI Botnet Creators
In 2016, the MIRAI botnet malware caused widespread DDoS attacks against DNS provider Dyn, taking down major websites including Twitter, Netflix, Reddit, and Spotify. The following year, three individuals were identified as the creators of MIRAI – Paras Jha, Josiah White, and Dalton Norman.
The MIRAI co-creators pleaded guilty to violating the CFAA. Jha and White were sentenced to 6 months of house arrest and 2,500 hours of community service. Norman received a lighter sentence as he cooperated with authorities.
DDoS Extortion Gang
In 2018, federal prosecutors charged 3 men running the criminal extortion group DDoS4Hire. The group offered DDoS-for-hire services, launching attacks against businesses and then extorting payments to stop.
These DDoS extortionists were charged with conspiracy to violate the CFAA and damaging protected computers. Two members of the gang pleaded guilty and received prison sentences of 36 and 13 months.
DDoS Attack on GitHub
In 2018, a DDoS attack hit open source code hosting platform GitHub, originating from over 1,000 different IP addresses. One individual, identified as Daniel Kaye, was arrested in the U.K. and sentenced to 2 years in prison.
Kaye was convicted under the U.K.’s Computer Misuse Act. Evidence showed he conducted the massive GitHub DDoS using botnet malware.
Political Activist DDoS Attacks
Political activist groups like Anonymous have used DDoS attacks to make ideological statements. In 2011, 14 alleged Anonymous members were charged with conspiring to intentionally damage protected computers for their “Operation Payback” DDoS campaign.
Most defendants pleaded guilty under the CFAA and received probation. One defendant went to trial but only received a 14-month prison sentence.
Challenges in Prosecuting DDoS Crimes
Despite the existence of laws prohibiting DDoS attacks, the challenges in investigating and prosecuting cybercrimes mean many perpetrators go unpunished:
With IP spoofing, proxy networks, and botnet malware, proving who conducted a DDoS attack can be near impossible. Law enforcement needs to trace the attack back to an individual device or person. Sophisticated attackers can cover their tracks.
Cyber attacks often cross state and national borders. Determining which jurisdiction should handle the prosecution causes legal issues. International cooperation is required, which takes significant time and coordination.
Lack of Resources
Law enforcement often lacks the advanced technical expertise required to trace complex cyber attacks back to the source. Many police departments remain focused on traditional crimes over cybercrime.
With other high priority crimes like murder, assault, and drug trafficking, DDoS attacks often receive less attention from police and prosecutors. Cyber attacks are treated as lower priority.
Civil vs. Criminal Remedies
For companies impacted by DDoS attacks, civil lawsuits are often faster and have a lower evidentiary bar than criminal charges. Businesses may pursue cyber insurance claims or lawsuits instead of advocating for prosecution.
Is it Worth it to Launch a DDoS Attack?
Given the likelihood of facing criminal charges and the penalties involved, launching a DDoS attack is rarely a wise idea:
High Risk of Imprisonment
Once identified and prosecuted, DDoS perpetrators often face felony convictions and years in prison under laws like the CFAA. Prison time is all but guaranteed for repeat or large-scale offenders.
Severe Financial Penalties
Major DDoS attacks that cause service disruptions cost companies millions in losses. Convicted attackers may be sued, forced to pay massive civil fines, and cover the damages.
The media covers high-profile DDoS cases. Being convicted in court as a cybercriminal causes major reputational damage. It becomes difficult to find future employment with a criminal record for cybercrime.
Intentional disruption of essential services like hospitals and transportation infrastructure can cost lives. Ethically, the potential harm of DDoS attacks outweighs any possible benefits.
Widespread use of DDoS attacks as protest or vigilantism tactics encourages further escalation. Adversaries are likely to respond with even more impactful attacks.
Ultimately, for political activism or ethical hacking purposes, there are far better options than DDoS attacks. The costs and consequences simply don’t justify the risks.
DDoS Prevention Best Practices
While banning DDoS attacks is the responsibility of lawmakers, there are best practices organizations should follow to prevent and mitigate attacks:
Purchase DDoS Mitigation Services
Specialized third-party vendors offer DDoS protection services that divert or filter out malicious traffic before it reaches networks. This is more affordable than building in-house mitigation.
Improve Security Posture
Fixing vulnerabilities, isolating critical systems, and enforcing least-privilege access controls make networks less susceptible to DDoS malware.
Monitor for Precursor Attacks
Many DDoS attacks are preceded by network scanning, malware delivery, and compromised account login attempts. Monitoring for these precursors provides early warning.
Have an Incident Response Plan
Develop and document an IR plan so that staff understand their roles if a DDoS attack occurs. Periodically test and update the plan.
Having excess network bandwidth makes infrastructure more resistant to flooding attacks. But increased bandwidth should be combined with mitigation services for optimal protection.
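As an added illustration of the "Monitor for Precursor Attacks" practice above (example code written for this page, not taken from any vendor or tool), the following script flags two of the precursors named there, network scanning and repeated failed logins, using a sliding time window per source address. The log format, field names, thresholds and addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical "timestamp KIND key=value" format, documentation IPs).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z FW DENY src=203.0.113.7 dport=21
2024-05-01T10:00:02Z FW DENY src=203.0.113.7 dport=22
2024-05-01T10:00:03Z FW DENY src=203.0.113.7 dport=23
2024-05-01T10:00:05Z FW DENY src=203.0.113.7 dport=3389
2024-05-01T10:00:10Z AUTH FAIL user=admin src=198.51.100.9
2024-05-01T10:00:15Z AUTH FAIL user=root src=198.51.100.9
2024-05-01T10:00:21Z AUTH FAIL user=admin src=198.51.100.9
2024-05-01T10:01:00Z AUTH FAIL user=alice src=192.0.2.44
2024-05-01T10:06:00Z AUTH FAIL user=alice src=192.0.2.44
2024-05-01T10:11:00Z AUTH FAIL user=alice src=192.0.2.44
2024-05-01T10:12:00Z FW DENY src=192.0.2.80 dport=445
2024-05-01T10:12:01Z FW DENY src=192.0.2.80 dport=445
"""

def parse(line):
    """Split one line into (timestamp, kind, fields dict)."""
    ts, k1, k2, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), f"{k1} {k2}", kv

def find_precursors(log_text, window=timedelta(seconds=60), scan_ports=4, auth_fails=3):
    """Return {src: set of alert names} for sources that cross a threshold within one window."""
    events = defaultdict(list)  # (src, kind) -> [(timestamp, dport or None)]
    for line in filter(str.strip, log_text.splitlines()):
        ts, kind, kv = parse(line)
        events[(kv["src"], kind)].append((ts, kv.get("dport")))
    alerts = defaultdict(set)
    for (src, kind), evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            recent = evs[start:end + 1]
            # Scan heuristic: many distinct denied ports from one source in one window.
            if kind == "FW DENY" and len({port for _, port in recent}) >= scan_ports:
                alerts[src].add("port_scan")
            # Login heuristic: many failed logins from one source in one window.
            if kind == "AUTH FAIL" and len(recent) >= auth_fails:
                alerts[src].add("login_burst")
    return dict(alerts)

if __name__ == "__main__":
    for src, names in sorted(find_precursors(SAMPLE_LOG).items()):
        print(src, sorted(names))
```

The slow failures from 192.0.2.44 and the repeated denies on a single port from 192.0.2.80 stay below the thresholds, which shows why the window length and the distinct-port count matter when tuning such a rule.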
The Future of DDoS and Cybercrime Law
While DDoS attacks are clearly illegal already, technology evolves rapidly, which requires constant legal adaptation:
Expansion of Critical Infrastructure Categories
As more aspects of society come to rely on Internet connectivity, there are calls to expand the designation of critical infrastructure. This would impose harsher penalties for disrupting emerging technologies.
Increased International Cooperation
Cyber attacks highlight the need for cross-border legal coordination. Mechanisms like the Budapest Convention seek to align and cooperate on cybercrime laws across borders.
Focus on Disrupting Botnets
Lawmakers realize most DDoS attacks leverage botnets. There are discussions of empowering law enforcement to identify and eliminate botnets before they are used for attacks.
Higher Prioritization of Cybercrime
Cyber attacks are becoming more frequent and damaging. Law enforcement agencies face growing pressure to devote more resources to combating cybercrime and make it a higher priority.
New Technological Tools
Advances in fields like artificial intelligence may provide law enforcement with improved technical means to connect attacks to perpetrators and take down botnets.
Ultimately, the window for conducting illegal DDoS attacks with impunity is shrinking. The odds of facing prosecution continue to increase.
DDoS attacks clearly violate multiple state and federal laws. The Computer Fraud and Abuse Act, Wiretap Act, and various state computer crime statutes all prohibit bombarding systems with junk traffic to cause service outages.
With felony convictions and multi-year prison sentences, the penalties for DDoS are severe. However, challenges remain in prosecuting sophisticated actors who utilize technical means to evade detection. As cyber attacks increase, law enforcement priorities and resources must continue to shift to allow for effective investigation and legal consequences.
While laws banning DDoS are appropriate, companies and websites also bear responsibility for implementing defensive measures. Cybersecurity best practices combined with legal deterrence provide the best avenue for stamping out the threat of illegal DDoS attacks.