A distributed denial-of-service (DDoS) attack is absolutely illegal in most countries around the world. Performing a DDoS attack can result in severe legal and financial consequences.
What exactly is a DDoS attack?
A DDoS attack is a cyberattack where multiple compromised devices are used to target a single system, such as a website or web server. The flood of requests overwhelms the target, causing a denial of service to legitimate users. The goal is to disrupt normal traffic and make the system unavailable.
Is performing a DDoS attack illegal?
Yes, conducting a DDoS attack is illegal in most jurisdictions. Here are some key reasons why DDoS attacks are against the law:
- DDoS attacks amount to a form of hacking and unauthorized access to computers and networks.
- They disrupt business operations and cause financial losses for companies.
- DDoS attacks deprive legitimate users of access to online services.
- They consume large amounts of bandwidth and resources.
Most countries have cybercrime laws that prohibit gaining unauthorized access to computers, networks, and online services. DDoS attacks fall under these laws in most places.
What are the penalties for DDoS attacks?
The penalties for conducting a DDoS attack depend on the jurisdiction but can include:
- Fines up to hundreds of thousands of dollars.
- Lengthy jail sentences of 5-10 years or more in some cases.
- Paying damages and compensation to the victims.
- Permanent criminal record that affects future employment.
For example, the Computer Fraud and Abuse Act (CFAA) in the United States makes it a felony to cause unauthorized damage to computers. The maximum sentence is 10 years in prison.
Notable DDoS attack cases and punishments
Here are some noteworthy cases of DDoS prosecutions and punishments around the world:
United States
- In 2000, a 15 year old known as the “Mafiaboy” was sentenced to 8 months in juvenile detention for a series of major DDoS attacks.
- In 2006, Jeanson James Ancheta became the first person to be indicted and jailed for profiting off botnet-based DDoS attacks. He received 57 months in federal prison.
- In 2011, a man was sentenced to two years in prison for a DDoS extortion attack on an online casino.
United Kingdom
- In 2017, Daniel Kaye received a two-year suspended sentence for attacking an African phone company with a DDoS that knocked out internet access for millions of people.
- In 2018, a 23 year old who conducted DDoS attacks on universities was sentenced to two years in prison.
Australia
- In 2015, two men in Australia were given prison sentences for DDoS attacks on government websites following high-profile data retention legislation.
- In 2016, another Australian man received 12 months in prison for DDoS attacks against internet service providers.
These examples highlight how conducting DDoS attacks often leads to stiff criminal penalties around the world.
Can you go to jail for DDoS attacks?
Yes, jail time is a very real possibility if you conduct or take part in a DDoS attack. As the case examples above show, courts do imprison people for orchestrating and carrying out these attacks maliciously. The length of sentence depends on factors like:
- Scale and impact of the attack
- Damage caused
- Motivation and intent
- Jurisdiction
- Defendant’s criminal history
But make no mistake – DDoS attacks can absolutely land you behind bars. The risks are not worth it.
Can you be extradited for DDoS attacks?
Possibly yes. If you conduct DDoS attacks targeting another country, that country can potentially request your extradition if treaties allow it. For example:
- In 2016, Artem Vaulin, founder of KickassTorrents, was arrested in Poland and extradited to the US to face charges related to copyright infringement and DDoS attacks.
- In 2012, UK citizen Richard O’Dwyer narrowly avoided extradition to the US on charges related to copyright infringement and DDoS attacks.
So if you participate in international cyberattacks, you may not be safe from prosecution simply by being in another country. Extradition is a real possibility depending on the treaties involved.
Are there any legal DDoS uses?
Very few. Intentional DDoS attacks are almost always illegal. There are a couple potential legal exceptions:
- Authorized penetration testing – Companies can hire cybersecurity firms to simulate DDoS attacks on their own networks to test defenses. This must be authorized to be legal.
- Protesting human rights abuses – Some argue that DDoS attacks may be justified civil disobedience against repressive regimes abusing human rights. But this tends to be a legal gray area at best.
In general, you should assume that conducting an intentional DDoS attack on any system without clear written authorization is very likely illegal.
Can websites give you legal permission for DDoS attacks?
No, websites cannot legally give you blanket permission to conduct DDoS attacks in most circumstances. There are a few reasons why:
- Websites generally cannot exempt you from laws prohibiting DDoS attacks and unauthorized access.
- Attacks can unintentionally spread beyond the intended target.
- Internet service providers, which are not giving permission, are impacted.
- Other users of the site and related services suffer collateral damage.
For these reasons, permission from a website does not make DDoS attacks legal or advisable in most situations.
Can you DDoS yourself?
Technically yes, but this is still generally inadvisable and legally questionable at best. “Attacking” your own servers or networks could potentially disrupt services, get you in trouble with your ISP, or negatively impact other users. While unlikely, charges are theoretically possible under anti-hacking laws in some jurisdictions. For legitimate penetration testing, it is safer to hire an authorized security firm.
Conclusion
In summary, conducting a DDoS attack is very likely illegal and comes with potentially severe civil and criminal penalties. The risks of fines, jail time, damages, and permanent criminal records are high. Be very cautious before attempting to conduct any DDoS activity, as the majority of uses are considered malicious hacking. Consult qualified legal counsel if you have any questions.
