DDoS: Terrorism or legitimate form of protest?

Summary: Some people seem to think that distributed denial of service attacks can be justified morally or ethically. Read this analysis to find out if that claim is supported or thoroughly debunked.

TOPICS: Security, Government

If your neighbor doesn't like that you watch certain TV shows, is it okay for him to come over and smash your TV?

If your neighbor doesn't like the gas guzzler you drive, is it ethical for him to take a sledge hammer to your car?

If your neighbor doesn't like the books you read, is it moral for him to burn your house down?

If your neighbor doesn't like the company you work for, is it righteous of him to break into your house and steal your valuables?

If your neighbor doesn't like the computer games you play, is it just hunky-dory for him to destroy the network connections to your entire neighborhood?

Well? Is it okay?

What would the police say? What would the courts say?

Of course, it's not okay. It's not ethical, it's not moral, it's not righteous, it's not hunky-dory. It's simply criminal.

Now, what if your neighbor, instead, simply told you (or even chanted at you) that he doesn't like your TV choices, your car, your books, or even your employer?

Would that be criminal? No. Annoying, yes. Criminal, no.

What if he held up a sign on the public street outside your house, telling you to watch something different or drive something different?

Would that be criminal? No. It might be in violation of one town ordinance or another, it would certainly be unsettling, but it wouldn't be criminal.

What if he kidnapped a bunch of unwilling and unwitting people, drugged or infected them, and forced them all to carry signs and chant? Would that be criminal? Yep, it sure as heck would be.

It's pretty easy to tell the difference between criminal acts and acts of free speech. Criminal acts are destructive. Free speech acts are, at worst, annoying.

Now, let's move on to the topic of a Distributed Denial of Service attack.

Is there ever a case where a DDoS is a form of legitimate protest, or are DDoS attacks criminal at best, and terrorism at worst?

Before we answer the question, let's explore how a DDoS works. Not all DDoS attacks are identical, but most follow a simple pattern: many attackers and one victim.

Let's start with the attackers first. For a DDoS to have any effect at all, there have to be thousands to millions of computers sending out packets to the victim machine or network. That means the attacker (or activist, if you will) needs to have access to thousands or millions of machines.

The way this is done is through botnets. A botnet controller sends instructions to thousands or millions of zombie computers. These are computers that you use, your mom uses, your boss uses, your cousin uses, your kids use, or even your emergency responders use to save lives. 

To function in a DDoS botnet, these computers have to be infected without their owners' permission, and corrupted with malware that may be used to initiate a DDoS. It's the digital equivalent of kidnapping and drugging or infecting a bunch of people, then making them carry protest signs.

Often, there is damage to the zombified machine, and the infection often has a secondary purpose of keylogging or otherwise stealing information.

So, even without any discussion yet as to the identity or alleged heinousness of the target victim, we see that crimes have been committed, privacy has been invaded, property has been damaged, and — depending on what computers were infected — lives may have been put at risk.

And all of that is without even looking at the damage to the victim or any other collateral damage.

A recent MIT study explored the question of whether there could be an ethical framework for DDoS actions.

According to Molly Sauter, the study's author, there are, "...three major criticisms of activist DDOS actions: that they are the equivalent of censorship, that as symbolic activism they are not as effective as direct action, and that they have unfocused success conditions."

With all due respect to MIT and Ms. Sauter, she completely misses the point. Activist DDoS actions — like all DDoS attacks — are invasive, they are destructive, and they cause extensive collateral damage to non-combatants.

This is not an issue of whether or not the attack is good messaging. This is an assault where actual damage is being done.

If the 9/11 terrorists had merely stood in front of the World Trade Center and Pentagon with protest signs, they wouldn't have been terrorists. But they chose to fly a plane into the buildings, killing not only thousands of office workers, but also the unwitting and certainly unwilling passengers on Flights 11, 77, and 93.

When it comes to a DDoS, whether or not the intended victim is a schmuck has no bearing on whether such attacks can be considered ethical. Beyond the hijacked attack computers, interrupting service can cause all sorts of collateral damage.

No sane person (at least outside the financial industry) will argue that our bankers are entirely ethical. But using a DDoS to block a bank from processing transactions may block individual depositors from accessing their money. What if someone needs to make a financial system transaction for, say, emergency healthcare?

To that end, as I wrote in How To Save Jobs (free download), and Steven Brill wrote in TIME Magazine, it's clear that most hospitals, insurance companies, and healthcare providers have themselves quite a racket at the expense of American citizens.

Using a DDoS to shut down an insurance company may also prevent a patient in need from getting timely healthcare. Using a DDoS or a hack to attack the power grid may inconvenience the fat cat utility CEOs, but it might also cut off power to people who need it to stay warm, study for a test, or power a medical device.

All that doesn't include the stress and expense that comes from being on the receiving end of a DDoS. An activist group might be angry at a bank or an insurance company, but the person at the direct front-line receiving end of the attack is the IT manager — who may well lose his or her job for not preventing the unpreventable.

Or a DDoS might be used against a small company or organization. I can tell you from personal experience that fighting off millions of computers at once is no fun, highly destructive, and almost incomprehensibly stressful.

Then there's the actual cost of the attack. Forrester Consulting recently did a survey of companies to ascertain actual costs of an attack. They reported on one company that would lose more than $10 million in revenue for each hour offline. They disclosed two "respondents would lose between $1 million and $2 million per hour, five indicated that they would lose between $200,000 and $500,000 per hour, and eight would lose between $50,000 and $200,000 per hour."

That's just the loss of revenue. That doesn't include the cost of the battle itself, the IT expense, the manpower, increases in insurance fees, the cost of the eventual layoffs that would likely happen after a sudden large loss of income, or the incalculable inconvenience and resulting consequences to individual customers.

We can simplify the job cost number a bit using research from the Ponemon Institute, which reports that DDoS attacks cost companies an average of $3.5 million each year.

They surveyed 700 companies and 65 percent (455 companies) reported being on the receiving end of at least three DDoS attacks a year. So let's take those 455 companies and multiply that out by $3.5 million.

Just this set of survey respondents alone lost $1.6 billion due to DDoS attacks.

So, let me ask you this: how many jobs could have been created if $1.6 billion hadn't been lost to DDoS attacks? In How To Save Jobs, I used $50,000 as a workable average salary number in the United States. So, how many $50,000 salaries could have been paid out of that $1.6 billion? The answer is 32,000.

You can look at this two ways: the $1.6 billion spent by the survey respondents either cost 32,000 people their jobs, or it could have provided enough money to hire 32,000 people.

In either case, just looking at the small set of survey respondents for one survey, DDoS attacks cost just about 32,000 jobs. Given the worldwide prevalence of DDoS attacks, the actual cost in dollars and jobs is far higher. 

Now, let's bring this back to the discussion of legitimate form of protest vs. terrorism.

If you woke up tomorrow and turned to your favorite news outlet, and you read or heard that 32,000 people had lost their jobs as a result of some kind of attack, would you think terrorism or would you think legitimate form of protest?

Without a doubt, there is absolutely no ethical, moral, religious, or righteous justification for a DDoS. Unlike civilized protests, DDoS attacks inflict damage and pain on a very large number of unwilling and unwitting victims, expose them to future infection, theft, and hardship, and result in astonishing financial losses.

There is no room for prevarication. A distributed denial of service attack is criminal and may well be a terrorist attack. There is no high ground here. If you participate in a DDoS attack, you're either a criminal or a terrorist...and a fool.

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • Praise where due

    I don't normally agree with many of the author's articles, but find this spot on.

    Having dealt with DDoS in the past, it is purely a criminal act designed to destroy the affected service. Many go anonymous, so are no form of protest, just an attack designed to harm.

    Many examples and parallels can be drawn to real-world actions (as the author has done), and all of these would be classed as criminal by the majority of the readership (except the crims).

    Wikipedia taking down its own site for a day is protest (regardless if you agree with them), destroying another business for your own gains is never a protest.
    • Praise lost to the offensive exaggeration

      Some of the arguments are sound, but the extreme exaggeration (e.g., comparing taking a company off-line for a day to intentionally murdering 3,000 people) quickly turns the argument offensive and exposes the idiocy of the shock value. For anyone who has lost a loved one to violent terrorism, or lived under true fear, I suspect that this article makes us more angry than anything else. It's a shame that the exaggeration and the lack of understanding made some valid points get lost.

      To me, Anonymous and their ilk is probably a dubious, ill-defined non-organization of individuals, many of whom are likely no better than common criminals, some of whom believe themselves to be thieves with honor, but most living on borrowed morals. Sure one can draw parallels to terrorist organizations - but one could do that with a "legitimate" franchise as well, and the stretch is absurd. This is in part because there is no evidence that any DDoS perpetrator intends to kill anyone through their DDoS, and there is at least some evidence that "members" of groups like Anonymous balk when collateral damage is too much. So they are closer to vandals than murderers and therefore equating them to terrorists is ridiculous.

      One of the more valid points is that DDoS attacks hurt innocents, particularly through the use of infected systems and, yes, even those working for the (sometimes questionably labelled) "bad guys" being attacked. There is a cost to these attacks that cannot be ignored. It is also true that DDoS and all of the surrounding activities are illegal and therefore legally criminal in most regions of the world. So there is a real potential cost to the perpetrators.

      It is, however, moronic to believe that acts which have been criminalized are by definition immoral or unethical. Unless you slept through K-12 schooling, you should be aware of countless unethical or immoral laws criminalizing (or compelling) behavior, many of which persist today throughout the world. Civil disobedience, which helped the world become a better place, was by definition criminal and landed people in prison more than once before. So legally criminal does not mean unethical or immoral.

      It is equally simplistic to state that if "innocents" get hurt your acts are immoral or unethical. The waitress who gets fired for serving a person of color who sat in the wrong place got hurt by an illegal act, but most 1st graders understand that it was the right thing for all but the employer to do. The workers who lose their jobs because a company using child labor gets boycotted were hurt, but who can argue that the boycott was unethical? The list goes on and on and on.

      So where does it leave us? More or less where we've been since ethical dilemmas have been pondered - there are no absolutes. The IT professional who works for a company doing evil things may or may not be complicit. But although there are no clear cut lines, just gray ones, there are plenty of spaces far away from the fuzziness. Killing someone to make a statement is not in the gray area, of course. Breaking into a random individual's computer to damage someone else's is hard to defend ethically, but is orders of magnitude closer to the line than murder. It is not difficult, however, to come up with scenarios (some of which exist, particularly with Chinese hacktivists) where doing just that seems ethically justifiable if not justified.

      Make no mistake: I think that most self-proclaimed "hacktivists" are unethical and deluded. But it would be myopic in the extreme not to try to understand why these attacks And perhaps more importantly to understand why so many people sympathize with them.

      However, making absolutist arguments about criminality and equating DDoS attacks on a blogger or company to 9/11, arson, or violent acts like smashing someone's car which legitimately put fear of livelihood on the intended recipient is, euphemistically speaking, regrettable.
      Mr. Copro Encephalic to You
      • agreed

        Excellent comment. I often appreciate David Gewirtz's contributions, but the exaggerations here are practically hysterical.
        In a world where most real terror is perpetrated by armies and mercenaries backed by governments and corporations, the inconveniences and occasional misfires of civil disobedience pale in comparison.
        That said, one can't let activist hackers off the hook for the actions they take. Not least because one has to ask if the disregard for "collateral damage" isn't a minor but symbolically significant perpetuation of the cynicism and heartlessness that leads governments to stifle dissent in the name of security, or occupying armies to use civilians as target practice, or corporate-backed mercenaries to assassinate community leaders protesting roughshod mining projects. One hardly needs to exaggerate to go to the other extreme.
      • I agree, this article is exaggerated.

        I question the losses claimed by the companies affected by DDoS. First of all, everyone exaggerates their losses. (Insurance companies then minimize them.) The music industry claims they lost more money to file sharing than actually exists in all the countries in the world! Yeah, only an idiot would take those figures at face value.

        Secondly, if a company cannot sell dingbats today because of a ddos, all the people that could not buy dingbats online today will simply buy them tomorrow. Most of those sales are not lost!

        Thirdly, "...or it could have provided enough money to hire 32,000 people." Could have, but wouldn't!!! That is the whole point, isn't it? I COULD have tripped over a rock that turned out to be another Hope Diamond, but I didn't.

        Understand that companies don't make jobs. Consumers make jobs. If a company needs 32,000 workers to make money, they will hire them. Give them an extra $1.6 billion dollars, and they will not hire 32,000 extra people they don't need, they will simply hide $1.6 billion dollars offshore to avoid paying tax on it. Any company that (claims to) lose $100k - $10Mil an hour isn't going to instantly gut its workforce or cancel all expansion plans because their internet connection took a dive for a few hours. A small business that got hit with a ddos? Yeah, that would hurt. The fat companies used as fodder for this article? Not so much. I ain't buying it!

        A Question:

        What if 100k people voluntarily participated in a ddos as a protest against a company? No malware involved. Is that still terrorism, or is it protest? How is that different than picketing in front of a business and deterring people from entering?
        • I love this person

          Thank you so much for not being another person buying into this obviously bought-out article. I believe DDoS is a valid form of protest, albeit a bit different than a picket line or a boycott or a march that clogs the streets to raise awareness. I'm sure the million-man march caused some problems for businesses on the route. Not a great example, though...lol.
          DDoS - provided no software is used - is actually basically a picket line preventing entry. Unfortunately it doesn't really work without software (from what I understand).

          Obviously DDoS is a complicated issue, as is everything involving the money of corporations. However, anything that puts power in the hands of the citizens of the world is a good thing in my mind. No matter how you spin it, this is a nonviolent form of protest. Non-criminal? That's up to debate.

          But non-violent AND effective? That kind of tool is gonna be difficult for the CEOs to take away. This isn't the 90's anymore. I want disclaimer myself by saying I really have never participated in a DDoS. However, I've seen them do good things. Most famously in my mind, the downfall of Hal Turner: a bigoted internet broadcaster who got shut down real bad. I'm not sure if they used software.
          Anyways, if you wanna talk about criminal behavior, think about illegal parking, illegal lane changes, speeding, endangerment, assault, entrapment, extortion and murder; these are crimes our government is allowed to perpetrate. For the greater good? How can a single officer or even a single arm of the law be allowed to make such judgement calls, yet the collective number of people required to DDoS a site is not considered legitimate?

          I know I don't sound impartial. I've seen DDoS's whose purpose I agreed with and others I found reprehensible and irresponsible. It seems like a valid protest tool, especially since using it seems to be dangerous for the user. If people are willing to take that risk, that's their problem. I'm allowed to have an opinion on the outcome.
          Dylan Medford
  • Agreed.

    An elegant, informative analysis and explanation of the subject matter.
  • Definitely criminal

    But I don't think DDoS can be called terrorist unless people's lives or physical safety is deliberately threatened.
    John L. Ries
    • It's terrorism

      Certainly it's terrorism.

      Anonymous and other "hacktivist" organizations issue threats like the following: "if you do or don't do this, [or even if I don't like your friends], I will cause this damage." Or, "BECAUSE you did this, I will cause this damage."

      That type of threat of frightening damage happening against a government entity or corporation is indistinguishable from a threat of damage against a nation-state or its citizens.

      Further, Gewirtz makes clear that actual real-world damage can occur to bystanders as a result of DDoS attacks, and he's right. And in some cases, cyber-terrorists have released personal information for those who happen to be loosely affiliated with an organization that ordinarily provides important services. (Just one example: http://www.californiabeat.org/2011/08/14/anonymous-hackers-attack-bart-personal-information-for-some-riders-breached)
      • By the same notion...

        ...peaceful picketing and boycotting also constitute terrorism. But I think that such a definition is ridiculously overbroad and constitutes an abuse of the English language.
        John L. Ries
        • No, it's not

          Peaceful boycotting or moving your business elsewhere is a perfectly legitimate form of protest. If I don't want to become a customer, that's entirely up to me. If I block the door of the store for people who want to buy - say groceries - I'm acting against their free will and this would be illegal. The same goes with banks. If I clear my account and move to another bank, it would be my right as a free citizen. Blocking other citizens from accessing their account is an infringement of their rights.
          • Definitely an infringement of rights and criminal

            But it's not terrorism. Secondary boycotts are illegal too and sometimes engaged in as an intimidation tactic, but they're not terrorist unless enforced by threat of violence (in which case, it's the threat that constitutes terrorism, not the boycott).
            John L. Ries
          • I'm not into legal terms, so...

            ... I'll take your word for secondary boycotts. But when you're subverting a critical infrastructure (be it a bank, which people rely on for critical operations, including healthcare), I think this can easily match the description of terrorism. Substitute the bank with any large-scale infrastructure - transportation system, for instance - and that's terrorism at its best. I'm not challenging your response, it's just a humble argument that cyber-crime - even in the mildest form - can have dramatic, unpredictable consequences on others' lives.
          • I'll accept that

            The problem I see is that terms are sometimes expanded for rhetorical purposes in such a way as to be almost meaningless. "terrorism" is one such word.
            John L. Ries
      • Hmm.

        I think you're just mad cuz you can't tear gas gigantic crowds over the internet
        Dylan Medford
  • It's terrorism if the intent is to cause fear

    Doesn't matter what the person is in fear of; although it usually is of loss of life or limb. I can be in fear of loss of my money from bounced checks because the miscreants blocked the timely transfer. Fear of blocked timely transfer between planes or other transportation modes causing damage to my health because I couldn't get to my medications in a timely manner. Take your pick.
    • The colored terrorism alert system caused fear!

      Just sayin'...
    • Better haul in Fox News for terrorism m8

      whoah look out, Jason and Freddy. If your scary movie keeps this guy from going to the bank, you're terrorists.
      Dylan Medford
  • Civil disobedience is justified only in those situations

    where you do not have government representation. In other words, as long as politicians continue to step down from office when they lose elections, you have no right to throw a riot, and a DDoS is simply a 21st century riot. BTW, it's also why Occupy Wall Street was nothing more than a bunch of criminal thugs.
    • DDoS isn't civil disobedience

      It's more akin to lynching. The theory of civil disobedience, however, is that it's more important to obey one's conscience than it is to obey the law. Thus in the event of a conflict between the two, the former should prevail and one should willingly accept the consequences of the necessary legal violations (civil disobedience is not a legal defence). And all of the above should be done in a civil manner (no need to revile others). The term is frequently abused (there is no conceivable moral imperative to block access to a foreign embassy, no matter how odious the government it represents, for example), but the general understanding of the term is as stated above.

      It's certainly not the ethic followed by Anonymous or other prominent "hacktivist" organizations.
      John L. Ries
    • via representation?

      I had no idea that the big lobbyists cared for this country and people over their personal interests (at our expense).

      The only real "thug" is the ignorant...