How illegal is a DDoS attack?

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic to a website or online service by overwhelming it with a flood of internet traffic (Cloudflare). Technically, DDoS attacks work by leveraging many compromised devices to target a single system. These devices form a botnet that floods the target with requests, exhausting its bandwidth, connection state, or processing capacity and rendering it inaccessible to legitimate users (Fortinet).

The goal of a DDoS attack is to make a website or service unavailable through massive bogus requests. By flooding the target’s bandwidth and resources, attackers hope to overwhelm and ultimately crash the system. This prevents real users from being able to access the website or service during the attack (Wikipedia).

DDoS attacks differ from single-source denial-of-service (DoS) attacks in their distributed nature. While a DoS attack originates from one source, a DDoS attack involves many attacking devices coordinated through malware, so there is no single address to block. This makes DDoS attacks far more difficult to mitigate (Cloudflare).

History of DDoS Attacks

The first widely reported denial-of-service attack occurred in September 1996, when Panix, one of the oldest internet service providers in New York, was hit by a SYN flood: the attacker sent TCP connection requests with spoofed source addresses, leaving Panix's servers full of half-open connections and unable to accept legitimate ones (Wikipedia). That attack came from a single source; the first high-profile distributed attacks followed in February 2000, when CNN, eBay, Amazon, and Yahoo were all taken offline.

In the late 1990s, political activist groups like the Electrohippies Collective started orchestrating DDoS attacks on organizations they disagreed with as acts of civil disobedience. The group coordinated over 3,000 volunteers to send requests to the WTO's website during the 1999 WTO Ministerial Conference in Seattle, taking the site offline (SENKI).

Hacker groups like Anonymous (which emerged in the late 2000s) and Lizard Squad (which emerged in 2014) have used DDoS attacks to make political statements or simply to cause disruption. In December 2010, Anonymous coordinated DDoS attacks on PayPal, Mastercard, and Visa in retaliation for blocking donations to WikiLeaks. On Christmas Day 2014, Lizard Squad infamously took down Xbox Live and the PlayStation Network with large DDoS attacks.

Criminalization of DDoS

Distributed denial-of-service tools emerged in the late 1990s as the internet was rapidly expanding. Initially there were no laws that named DDoS attacks specifically, but they could fall under existing computer crime laws covering unauthorized access to, or damage of, computer systems.

The United States was one of the first countries whose law clearly covered DDoS attacks. The Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(5)), as amended, makes it a federal crime to knowingly transmit a program, information, code, or command and thereby intentionally cause unauthorized damage to a protected computer. The statute defines "damage" to include any impairment to the availability of a system, which is exactly what a flood of requests that denies service to legitimate users causes [1].

Other countries gradually followed suit, including the United Kingdom which added amendments to the Computer Misuse Act in 2006. Canada, Australia, and European countries have also enacted laws prohibiting DDoS attacks as a form of cybercrime [2].

Today, most developed countries consider DDoS attacks to be illegal. Attackers can face fines, imprisonment, and civil lawsuits particularly if damages and losses can be quantified. However, enforcement remains challenging as many attacks originate from foreign jurisdictions.

Potential Legal Penalties

Launching a DDoS attack can result in severe legal penalties. According to the FBI, those convicted of DDoS attacks may face the following:

  • Fines – Depending on the scope and impact of the attack, fines can range from thousands to millions of dollars.
  • Jail time – Individuals can face years in prison for DDoS attacks; sentences of several years have been handed down for major attacks.
  • Other Sanctions – Courts may order restitution to victims, probation, or restrictions on computer usage after release from prison.

For example, in the United Kingdom, perpetrators can receive up to 10 years in prison under the Computer Misuse Act [1]. The Act prohibits unauthorized access to computers that “impairs operation of computer, prevents/hinders access to programs/data, [and] impairs reliability/operation of data.”

In the United States, the maximum sentence under the CFAA rises to 20 years for repeat offenders or where the attack causes serious bodily injury, and attacks on critical infrastructure like banking, utilities, and emergency services are treated as especially serious. Clearly, participating in or supporting DDoS attacks carries severe legal risk.

Notable Prosecutions

There have been some high-profile DDoS prosecutions over the years. In February 2000, Canadian teenager Michael Calce, known online as "Mafiaboy", launched "Project Rivolta", a series of DDoS attacks that took down major websites including Amazon, eBay, CNN, and Yahoo!. He was arrested in April 2000, pleaded guilty, and in 2001 was sentenced to eight months in a youth detention facility.

More recently in 2018, the “Memorial Day attacks” targeted over 1,000 sites. Two men involved were charged and pleaded guilty, receiving sentences of 2 and 2.5 years in prison.

Challenges for Law Enforcement

Law enforcement agencies face several challenges in investigating and prosecuting DDoS attacks. One of the biggest challenges is attribution – tracing the attack back to the perpetrator. DDoS attacks often involve botnets with hundreds or thousands of compromised devices across multiple countries. Law enforcement must sift through extensive technical evidence to identify the attack’s point of origin and locate the attacker (https://www.dataprotectionreport.com/2016/12/legal-implications-of-ddos-attacks-and-the-internet-of-things-iot/).

Another challenge is the cross-border nature of many DDoS attacks. Attackers often route traffic through multiple jurisdictions to conceal their identity and location. This requires cooperation between law enforcement agencies across national borders. However, differences in laws, priorities, and resources between countries can hamper investigations (https://www.fbi.gov/contact-us/field-offices/anchorage/fbi-intensify-efforts-to-combat-illegal-ddos-attacks).

Finally, law enforcement agencies often lack the technical expertise and resources needed to fully investigate complex DDoS attacks. Specialized training and digital forensics capabilities are required. Smaller agencies may need to partner with larger organizations or private sector experts to successfully attribute attacks to perpetrators (https://www.nationalcrimeagency.gov.uk/?view=article&id=243:ddos-attacks-are-illegal&catid=2).

Ethical Considerations

The ethics of DDoS attacks are debated. While clearly illegal, some argue DDoS can be justified as a form of protest or free speech. According to an article on ZDNet, some supporters view it as similar to a physical sit-in, obstructing access to raise awareness of an issue (https://www.zdnet.com/article/ddos-terrorism-or-legitimate-form-of-protest/). However, most ethicists argue there are proportionality problems, since a DDoS also blocks access for innocent third parties unrelated to the protest target, and since the botnets used are typically built from other people's compromised machines. An NC State University ethics study concluded that DDoS attacks fail tests of proportionality and can be considered an unethical "invasion of personal space" (https://ethics.csc.ncsu.edu/abuse/dos/study.php).

Intent is another ethical consideration. If the intent is raising awareness of an issue rather than simply to disrupt, some view DDoS as more defensible. However, the act still involves compromising systems without consent, leading most experts to categorize DDoS attacks as unethical, especially given the availability of legal alternatives like boycotts or public advocacy.

Alternatives to DDoS

There are more ethical and legal alternatives to launching DDoS attacks that allow individuals and groups to make their voices heard without breaking the law. Peaceful protest and petitioning government officials are time-honored ways to enact change that do not involve illegal cyberattacks. Additionally, working within the system by lobbying legislators directly or launching letter-writing campaigns can be effective.

For those with technical skills, becoming a white hat hacker and working with companies to find and report vulnerabilities through proper channels provides a legal outlet to use abilities, make money, and improve cybersecurity. There are also opportunities to get involved with computer security conferences and competitions that allow for hacking in a controlled environment. Ultimately, no matter how noble the cause, DDoS attacks endanger essential infrastructure and violate the law. There are many legitimate alternatives that avoid crossing legal and ethical lines while still creating positive change.

Defenses Against DDoS

There are various technical and operational defenses that can mitigate a DDoS attack. At the application layer, a web application firewall can filter malicious requests before they reach your servers, and load balancers can spread traffic across multiple servers so that no single one is overwhelmed. Host and network mechanisms like SYN cookies (so half-open connections consume no server state), per-source connection rate limiting, and traffic shaping make it harder for an attack to exhaust resources. None of these helps once the attack saturates your upstream link, though: volumetric floods have to be absorbed upstream, which is what the DDoS protection services of cloud providers like Amazon Web Services and Azure do by scrubbing incoming traffic at scale before it reaches your infrastructure.
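As an added example (not code from the original article, nor from any of the vendors it mentions), the following Python sketch shows the connection rate limiting described above in the form a reverse proxy or WAF applies against an application-layer flood: a per-source sliding-window limiter replayed over Common Log Format access-log lines. The log lines, IP addresses (documentation ranges), timestamps, and the 10-requests-per-10-seconds threshold are all constructed for the demonstration and are assumptions, not recommended settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client IP in any `window` seconds.

    One deque of recent request timestamps per client; entries older than
    the window are discarded before the count is checked, so a client that
    pauses regains its budget while a client that keeps flooding does not.
    """

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, ip, ts):
        hits = self._hits[ip]
        while hits and ts - hits[0] >= self.window:
            hits.popleft()  # aged out of the window
        if len(hits) >= self.max_requests:
            return False  # over budget: drop or tarpit this request
        hits.append(ts)
        return True


def parse_line(line):
    """Return (ip, epoch_seconds, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT).timestamp()
    return m.group("ip"), ts, m.group("req")


def apply_limiter(lines, max_requests=10, window=10.0):
    """Replay log lines in order through the limiter; return {ip: (allowed, blocked)}.

    The defaults (10 requests per 10 s) are an assumption for the demo, not a
    production setting; real limits depend on how expensive the endpoint is.
    """
    limiter = SlidingWindowLimiter(max_requests, window)
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the filter
        ip, ts, _ = parsed
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


def constructed_log():
    """Constructed sample traffic (not real data): one client floods an
    expensive search endpoint while two clients browse normally."""
    start = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # Flooder (documentation-range IP): 40 requests in 4 seconds.
    lines += [line("198.51.100.7", i / 10, "/search?q=" + "a" * 200) for i in range(40)]
    # Normal users: a few requests each, seconds apart.
    lines += [line("203.0.113.5", 2 * i, "/index.html") for i in range(3)]
    lines += [line("203.0.113.9", 1 + 3 * i, "/about") for i in range(4)]
    # Replay in time order, as a proxy would see the requests.
    lines.sort(key=lambda l: parse_line(l)[1])
    lines.append("not a log line")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for ip, (allowed, blocked) in apply_limiter(constructed_log()).items():
        print(f"{ip:15} allowed={allowed:3} blocked={blocked:3}")
```

Replayed over the constructed log, the flooding source gets its first 10 requests through and the remaining 30 blocked, while the two normal clients are never throttled. The weakness of this control is exactly the point the article makes about distribution: a per-IP budget is easy to stay under when the attack is spread across thousands of bot addresses, so production WAFs key rate limits on more than the source address and still rely on upstream scrubbing for volumetric floods.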

On the operational and legal front, targets of DDoS attacks can work with their internet service provider to block or null-route malicious traffic, and can file a complaint with the FBI Internet Crime Complaint Center (IC3). Law enforcement has had some success taking down DDoS-for-hire ("booter") websites through domain seizures and arrests. However, attribution remains difficult and attackers are often based overseas. Ultimately, the best defense is preparation: monitoring, an established relationship with your ISP or scrubbing provider, and headroom in capacity.

The Future of DDoS

DDoS attacks are likely to continue evolving in terms of complexity, frequency, and impact. According to recent research, the number of DDoS attacks increased significantly in 2023, with attacks growing smarter and more evasive (1). Major targets will continue to be critical infrastructure, financial services, gaming, and other high-value sectors.

Some key DDoS attack trends to expect in the near future include:

  • Increasing focus on application layer (L7) attacks that are more difficult to detect and mitigate (1)
  • Ransom-based extortion DDoS threats designed to force ransom payments (1)
  • Highly distributed botnets involving millions of compromised IoT devices for large volumetric attacks (2)
  • More frequent use of DNS amplification to conduct powerful reflection/amplification attacks (3)

To combat evolving DDoS threats, organizations will need advanced technologies including intelligent DDoS protection networks, machine learning detection, and proactive botnet tracking. Security teams need to conduct DDoS attack simulations and develop updated incident response plans.

Lawmakers may consider increased penalties for DDoS offenses as attacks grow more disruptive. However, the global nature of DDoS will continue to pose challenges for legal prosecution and jurisdiction. As technology advances, the cat-and-mouse game between attackers and defenders will likely continue for the foreseeable future.

  1. https://www.akamai.com/blog/security/a-retrospective-on-ddos-trends-in-2023
  2. https://www.f5.com/labs/articles/threat-intelligence/2023-ddos-attack-trends
  3. https://www.techtarget.com/searchsecurity/podcast/Risk-Repeat-Rapid-Reset-and-the-future-of-DDoS-attacks