DDOS – A Legitimate Form of Protest?

ddosOver the past week a lot has been written about the Spamhaus DDOS attack and how it  has gotten really big, and might even be enough to take down the internet (or at least specific parts, like LINX in London). Others disagree, saying it was nothing really. Regardless, the legitimacy (or not) of DDOS attacks are the focus here.

It’s a topic that has divided a lot of people. To some, a Distributed Denial of Service (DDOS) attack is a tool of legitimate protest. To others, it’s a script-kiddie temper tantrum, and shouldn’t be tolerated. So which is right?

The trouble is, it’s not such a clear-cut result. A lot depends on the ‘how’ and ‘why’ of the attack, what it’s attacking and why. And then there are the punishments. Just this week, one person was charged for his involvement in a DDOS against Koch industries in Feb 2011, facing up to 10 years in prison and $500,000 in fines.

Some of the most famous DDOS attacks (certainly the most publicised) were part of Operation Avenge Assange, Anonymous’ attempt to make Amazon, Paypal, Visa, Mastercard and a bunch of others ‘pay’ for the way they treated Wikileaks. If there was ever a set of targets guaranteed to get you less of a friendly receptive edge in government, it’s attacking the two biggest credit card companies/networks.

Terminally dumb is an understatement.

Likewise, the DDOS attack against the Indian anti-piracy company Aiplex, after they allegedly DDOS’d bittorrent trackers. It’s why I helped draft a letter from both the UK and US Pirate Parties, about those DDOS actions, asking them to stop.

The short answer is that DDOS attacks have never had a positive result yet.

Many say they’re a positive means of protest, analogous to the sit-in protests of old. There is a problem with this though, in that the results are completely disconnected from the actions. A sit in, or a protest outside a traditional bricks & mortar premises requires people to be present outside. Now, those that are going to do business, see the protestors, and can judge on the merits of the protest.

A DDOS doesn’t work like that. A successful one takes the site offline. Anyone attempting to use the site just gets an error. There’s no reason, or explanation as to why the site is down. The ‘teachable moment’ which is the key to the protest, is missing. Even a partly successful one, that just slows the site, gives no indication to the casual visitor as to the reason.

In that case then, it’s less like a sit-in, and more like putting superglue or chewing gum into the locks. It prevents people doing business, and doesn’t require a hard investment of time. And to people attempting to do business, they don’t know why it’s locked.

So from that angle, it’s less a protest and more a temporary act of petty vandalism. In the DDOS defence, when it stops there’s little/no damage to clean up.

LOICThere’s also the scale of the protests, and its method. The Operation Payback/Avenge Assange attacks were quite different from the current Spamhaus attack. The Anon attacks were a combination of lots of people using a program called LOIC (for ‘Low Orbit ion Cannon’) which doesn’t obscure the users IP address.

The Spamhaus attack, by contrast uses a technique called ‘DNS Reflection’. It uses the infrastructure of the internet itself to cause the attack. It can have a multiplying effect over the bandwidth needed to operate the attack. While the Anon LOIC attacks were basically lots of people using their own connections and just all hammering as a group, DNS reflection can be undertaken with only a handful of people, with the weight of the attack being provided by network infrastructure. In this attack, it’s estimated that the gain ratio is 1:100.

Thus the 300GBit/sec attack can be carried out with a 3GBit/sec connection (or multiple connections that total that). The LOIC method would need peers with 300Gbit/sec of connection total to give the same impact.

That’s a major distinction. When you have a lot of people each individually contributing, then that gives more credence to the ‘protest’ angle. Or it would if not for botnets; exploited computers (by virii, Trojans or other malware) that can be used as a swarm to do a standard DDOS. So even if it were a simple 1:1 ratio packet flood attack, there’s no guarantee that there is actually that many people ‘protesting’.

The DNS reflection method is even harder to justify as a legitimate protest. Not only is there less of a base of support, there’s the fact that most of the bandwidth comes from someone else, and the identity of the ‘protestor’ is hidden.

It’s more a coward’s way. The textbook script-kiddie f**k-you to people, and as the size in the Spamhaus cases has ramped up, it’s even less easy to justify. The core business isn’t affected – heck the lists can just be updated by going to another net connection. It’s pointless and doesn’t accomplish anything.

So what can be done? What’s the best way to treat this? It’s difficult. There’s no way to picket an online presence, as you could in the offline world. And with a picket/protest you still have the option of braving it and conducting your business. A DDOS doesn’t give you that option; whatever your purpose in visiting the site, your request gets denied without reason.

At the same time, using the Computer Fraud and Abuse Act (CFAA) is using a wrecking ball to drive in a nail, and only leads to more problems because of its disproportionate nature. Of course, there are cases where it’s more appropriate, such as in the Spamhaus case (but the perpetrators are apparently in the Netherlands, so the CFAA wouldn’t be used anyway) but still, it is not really applicable to the regular, DDOS.

And of course, the effectiveness of DDOS’ has been reduced in recent times with the likes of Cloudflare, and other CDN’s. Indeed the Spamhaus attack has largely been mitigated by Cloudflare’s anycast setup. [Disclosure – this site uses Cloudflare’s systems, and I’ve had prompt help from them when rolling out this new site]

So the age of the DDOS as a “protest tool” of any effectiveness is also coming to an end. Coupled with its lack of “message”, and the lack of ability to ignore the protest and continue as normal, it’s really hard to see how a DDOS can be classified as a protest tool at all.

The answer then, to the question at the start is “no, not really.” It’s more likely to generate a negative backwash than sympathy, and has no real impact for the means of protest. And if people don’t know what you’re protesting, or that one is even ongoing, what good is the protest overall? The answer to that is simple – NONE.

Sounds like a great reason not to bother in the first place then.