DDoS: Terrorism or legitimate form of protest?

Some people seem to think that distributed denial of service attacks can be justified morally or ethically. Read this analysis to find out if that claim is supported or thoroughly debunked.
Written by David Gewirtz, Senior Contributing Editor

If your neighbor doesn't like that you watch certain TV shows, is it okay for him to come over and smash your TV?

If your neighbor doesn't like the gas guzzler you drive, is it ethical for him to take a sledgehammer to your car?

If your neighbor doesn't like the books you read, is it moral for him to burn your house down?

If your neighbor doesn't like the company you work for, is it righteous of him to break into your house and steal your valuables?

If your neighbor doesn't like the computer games you play, is it just hunky-dory for him to destroy the network connections to your entire neighborhood?

Well? Is it okay?

What would the police say? What would the courts say?

Of course, it's not okay. It's not ethical, it's not moral, it's not righteous, it's not hunky-dory. It's simply criminal.

Now, what if your neighbor, instead, simply told you (or even chanted at you) that he doesn't like your TV choices, your car, your books, or even your employer?

Would that be criminal? No. Annoying, yes. Criminal, no.

What if he held up a sign on the public street outside your house, telling you to watch something different or drive something different?

Would that be criminal? No. It might be in violation of one town ordinance or another, it would certainly be unsettling, but it wouldn't be criminal.

What if he kidnapped a bunch of unwilling and unwitting people, drugged or infected them, and forced them all to carry signs and chant? Would that be criminal? Yep, it sure as heck would be.

It's pretty easy to tell the difference between criminal acts and acts of free speech. Criminal acts are destructive. Free speech acts are, at worst, annoying.

Now, let's move on to the topic of a Distributed Denial of Service attack.

Is there ever a case where a DDoS is a form of legitimate protest, or are DDoS attacks criminal at best, and terrorism at worst?

Before we answer the question, let's explore how a DDoS works. Not all DDoS attacks are identical, but most follow a simple pattern: many attackers and one victim.

Let's start with the attackers first. For a DDoS to have any effect at all, there have to be thousands to millions of computers sending out packets to the victim machine or network. That means the attacker (or activist, if you will) needs to have access to thousands or millions of machines.

The way this is done is through botnets. A botnet controller sends instructions to thousands or millions of zombie computers. These are computers that you use, your mom uses, your boss uses, your cousin uses, your kids use, or even your emergency responders use to save lives. 

To function in a DDoS botnet, these computers have to be infected without their owners' permission, and corrupted with malware that may be used to initiate a DDoS. It's the digital equivalent of kidnapping and drugging or infecting a bunch of people, then making them carry protest signs.

Often, there is damage to the zombified machine, and the infection often has a secondary purpose of keylogging or otherwise stealing information.

So, even without any discussion yet as to the identity or alleged heinousness of the target victim, we see that crimes have been committed, privacy has been invaded, property has been damaged, and — depending on what computers were infected — lives may have been put at risk.

And all of that is without even looking at the damage to the victim or any other collateral damage.

A recent MIT study explored the question of whether there could be an ethical framework for DDoS actions.

According to Molly Sauter, the study's author, there are, "...three major criticisms of activist DDOS actions: that they are the equivalent of censorship, that as symbolic activism they are not as effective as direct action, and that they have unfocused success conditions."

With all due respect to MIT and Ms. Sauter, she completely misses the point. Activist DDoS actions — like all DDoS attacks — are invasive, they are destructive, and they cause extensive collateral damage to non-combatants.

This is not an issue of whether or not the attack is good messaging. This is an assault where actual damage is being done.

If the 9/11 terrorists had merely stood in front of the World Trade Center and Pentagon with protest signs, they wouldn't have been terrorists. But they chose to fly a plane into the buildings, killing not only thousands of office workers, but also the unwitting and certainly unwilling passengers on Flights 11, 77, and 93.

When it comes to a DDoS, whether the intended victim is a schmuck or not has no bearing on whether such attacks can be considered ethical. Beyond the hijacked attack computers, interrupting service can cause all sorts of collateral damage.

No sane person (at least outside the financial industry) will argue that our bankers are entirely ethical. But using a DDoS to block a bank from processing transactions may block individual depositors from accessing their money. What if someone needs to make a financial system transaction for, say, emergency healthcare?

To that end, as I wrote in How To Save Jobs (free download), and Steven Brill wrote in TIME Magazine, it's clear that most hospitals, insurance companies, and healthcare providers have themselves quite a racket at the expense of American citizens.

Using a DDoS to shut down an insurance company may also prevent a patient in need from getting timely healthcare. Using a DDoS or a hack to attack the power grid may inconvenience the fat cat utility CEOs, but it might also cut off power to people who need it to stay warm, study for a test, or power a medical device.

All that doesn't include the stress and expense that comes from being on the receiving end of a DDoS. An activist group might be angry at a bank or an insurance company, but the person at the direct front-line receiving end of the attack is the IT manager — who may well lose his or her job for not preventing the unpreventable.

Or a DDoS might be used against a small company or organization. I can tell you from personal experience that fighting off millions of computers at once is no fun, highly destructive, and almost incomprehensibly stressful.

Then there's the actual cost of the attack. Forrester Consulting recently did a survey of companies to ascertain actual costs of an attack. They reported on one company that would lose more than $10 million in revenue for each hour offline. They disclosed two "respondents would lose between $1 million and $2 million per hour, five indicated that they would lose between $200,000 and $500,000 per hour, and eight would lose between $50,000 and $200,000 per hour."

That's just the loss of revenue. That doesn't include the cost of the battle itself, the IT expense, the manpower, increases in insurance fees, the cost of the eventual layoffs that would likely happen after a sudden large loss of income, or the incalculable inconvenience and resulting consequences to individual customers.

We can simplify the job cost number a bit using research from the Ponemon Institute, which reports that DDoS attacks cost companies an average of $3.5 million each year.

They surveyed 700 companies and 65 percent (455 companies) reported being on the receiving end of at least three DDoS attacks a year. So let's take those 455 companies and multiply that out by $3.5 million.

Just this set of survey respondents alone lost $1.6 billion due to DDoS attacks.

So, let me ask you this: how many jobs could have been created if $1.6 billion hadn't been lost to DDoS attacks? In How To Save Jobs, I used $50,000 as a workable average salary number in the United States. So, how many $50,000 salaries could have been paid out of that $1.6 billion? The answer is 32,000.

You can look at this two ways: the $1.6 billion spent by the survey respondents either cost 32,000 people their jobs, or it could have provided enough money to hire 32,000 people.

In either case, just looking at the small set of survey respondents for one survey, DDoS attacks cost just about 32,000 jobs. Given the worldwide prevalence of DDoS attacks, the actual cost in dollars and jobs is far higher. 

Now, let's bring this back to the discussion of legitimate form of protest vs. terrorism.

If you woke up tomorrow and turned to your favorite news outlet, and you read or heard that 32,000 people had lost their jobs as a result of some kind of attack, would you think terrorism or would you think legitimate form of protest?

Without a doubt, there is absolutely no ethical, moral, religious, or righteous justification for a DDoS. Unlike civilized protests, DDoS attacks inflict damage and pain on a very large number of unwilling and unwitting victims, expose them to future infection, theft, and hardship, and result in astonishing financial losses.

There is no room for prevarication. A distributed denial of service attack is criminal and may well be a terrorist attack. There is no high ground here. If you participate in a DDoS attack, you're either a criminal or a terrorist...and a fool.
