General security

Legality of DDoS: Criminal Deed vs. Act of Civil Disobedience

December 12, 2013, by Dimitar Kostadinov


This article was inspired by two factors: 1) the petition filed by Anonymous on the White House's We the People website in the beginning of 2013, demanding decriminalization and absolution for all DDoS attacks and sentences, respectively; 2) the lack of thorough research on that matter (although that is not exactly correct).

Its content is organized as follows:

  1. Legal base that regulates DDoS events—that part is of an informative nature and it is not the main topic.
  2. Welcome to the tentative tribunal—a fictional online courtroom where two opposing sides, the ones who advocate that DDoS should remain legally banned and those that vindicate DDoS as a means of participating in civil disobedience (occupy protests/sit-ins) on the Internet, figuratively represented by single entities entitled to carry on this litigation. The tribunal tries and adjudicates by giving a non-binding opinion.

Legal Base that Regulates DDoS Events

Considered in the context of international relations and norms, (the majority of) DDoS acts may not violate the prohibition on the use of force (Article 2(4) of the UN Charter) — "a temporary denial of service is unlikely to be classified as a use of force" (Tallinn Manual, 2012, RULE 11, par. 10) — nonetheless, such an act may constitute a violation of the customary law of non-intervention and sovereign immunity and inviolability ("…a denial of service attack against a State's military satellite would constitute a violation of its sovereign immunity" (Tallinn Manual, 2012, RULE 4, par. 4)). From the environmental point of view, DDoS may fall within a meaning of terms like "pollution" or cross-border "emissions" (Healey & Pitts, 2012).

In Australia, a DDoS, like other high-tech offences, is regulated by Commonwealth legislation within Part 10.7 - Computer Offences, as codified in the Criminal Code Act 1995. Generally speaking, these matters are under the jurisdiction of Australian police when the affected computer, system, or server is in Australia, or there is an Australian citizen among the persons involved (

The European Union's Cybercrime Convention Committee criminalizes DDoS attacks in T-CY Guidance Note #5, Articles 2, 4, 5, 11 and 13 (Cybercrime Convention Committee, 2013).

The UK legal system, and most specifically the Computer Misuse Act 1990, outlaws DDoS and individuals face up to 10 years in prison (, 2011).

In the United States, people who take part in DDoS attacks run the risk of being charged with legal offenses at the federal level, both criminally and civilly. The Computer Fraud and Abuse Act (CFAA) is the applicable law (18 U.S.C. §1030). For a person to violate the CFAA, he has to intentionally cause damage to a computer system that is part of interstate or foreign commerce (18 U.S.C. § 1030(a)(5)(A)) (, 2010). Attempted DDoS attacks may also be prosecuted (

Private parties that play the role of an intermediary along the vector of a DDoS attack, such as ISPs, may also press civil charges to recoup their financial losses on the grounds of a violation of the "terms of service" agreement, which, by the way, has validity tantamount to a legal contract. Serious violations may lead to a lawsuit for breach of contract and even trespass to chattels (, 2010).

Seeing the serious statutory measures, there is no wonder that Facebook decided to terminate groups that call for participation in DDoS attacks (, 2010).

Welcome to the Tentative Tribunal

As was explained before, this tribunal is non-existent and its task is to hear two different viewpoints and to give thereafter some regulatory prescription of a non-official and facultative character. The argument is in fact this article's title, "Legality of DDoS: Criminal Deed vs. Act of Civil Disobedience." On one side there is the prosecutor, Mr. Government, and on the other is the defendant, Mr. Activist (again fictional but catchy names). The layout of proceedings is like the real one, in which one side has the burden of proof, while the other one simply needs to cast reasonable doubt on the points raised. The sides speak in alternating order, one at a time, and after every sub-point the opposite party has a right to reply. Replies are marked off from the main flow with corresponding avatars and placed in red blocks. The prosecutor has the first word, with his entire line of adducing relevant facts, which are pursued to prove that DDoS should not be legal.

Legality of DDoS: Criminal Deed or Act of Civil Disobedience

Mr. Government /Prosecutor/ vs. Mr. Activist /Defendant/

Fig. 1 Arguments in Support of the Prosecutor's Position (figure labels: Legitimate Users Are Also Blocked; DDoS as Diversion; Free Speech Is Silenced; DDoS Attacks May Interfere with Back End Systems; Negative Impact on the Business; Inimitability of Occupying Space; Online Protests Are Susceptible to Cyber Protest Fraud; DDoS Attacks Lack a Form of Individual Presence in Cyberspace). Image courtesy of Kittisak.

Unexplored Side-effects

Legitimate Users Are Also Blocked

In order to provide you with more evidence that, in fact, DDoS attacks happen to have many side effects that may affect entities other than the intended target, I bring to your attention the fact that some mitigation appliances and methods block legitimate users or create fraud alerts on the grounds of non-functional links, timed out video streams, and slow page loads. As the DDoS security expert Barrett Lyon states regarding that matter, "some companies have had to ignore their fraud alerts when DDoS mitigation was turned on because so many of the alerts were artifacts of mitigation" (Ellen Messmer, 2013, par. 11).

By way of example, on an online discussion forum a user dubbed "Nightmare" complained that his company's website was being attacked by a DDoS every now and again, and he was forced to take recourse in specialized DDoS protection. The problem, however, is that every time the mitigating device is in active mode, legitimate users cannot log in to his website, which indirectly constitutes a partial denial-of-service effect (Nightmare, 2012). Perhaps this particular predicament is minor in terms of finding a solution, but it goes to show that a DDoS attack can affect IT systems in various mysterious ways, thus leaving many unexplored ends.
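The side effect described above, in which the very symptoms a fraud heuristic looks for (non-functional links, timed-out streams, slow page loads) are also what an active mitigation appliance produces, can be handled by correlating fraud alerts with the mitigation window. The following is an added example written for this article, not code from the original page or from any of the cited vendors: a toy fraud heuristic run over a constructed session log, which tags alerts that overlap a known mitigation window as probable artifacts instead of discarding them. Field names, thresholds, the log lines and the mitigation window are all constructed assumptions.

```python
"""Correlating fraud alerts with a DDoS-mitigation window.

Added example (not from the original article). All field names,
thresholds, log lines and the mitigation window are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed session log: ISO timestamp, session id, failed-link count,
# timed-out stream count, and page load time in milliseconds.
SESSION_LOG = """\
2013-12-01T10:00:05Z s1 0 0 420
2013-12-01T10:01:10Z s2 4 1 9800
2013-12-01T10:02:30Z s3 6 2 12000
2013-12-01T10:03:00Z s4 0 0 510
2013-12-01T10:20:15Z s5 5 1 8700
"""

# Constructed window during which the mitigation appliance was in active mode.
MITIGATION_WINDOWS = [
    (datetime(2013, 12, 1, 10, 0, 0), datetime(2013, 12, 1, 10, 10, 0)),
]


@dataclass
class Alert:
    session: str
    when: datetime
    reasons: list
    artifact_suspected: bool


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, sid, failed, timed_out, load_ms = line.split()
    return {
        "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "session": sid,
        "failed_links": int(failed),
        "timed_out_streams": int(timed_out),
        "load_ms": int(load_ms),
    }


def fraud_reasons(rec):
    """Toy fraud heuristic: the three symptoms named in the article."""
    reasons = []
    if rec["failed_links"] >= 3:
        reasons.append("non-functional links")
    if rec["timed_out_streams"] >= 1:
        reasons.append("timed-out stream")
    if rec["load_ms"] >= 5000:
        reasons.append("slow page load")
    return reasons


def in_mitigation(when, windows=MITIGATION_WINDOWS):
    """True if the timestamp falls inside any active-mitigation window."""
    return any(start <= when <= end for start, end in windows)


def analyse(log_text, windows=MITIGATION_WINDOWS):
    """Raise an Alert per suspicious session, tagging mitigation-window overlap."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        reasons = fraud_reasons(rec)
        if reasons:
            alerts.append(Alert(rec["session"], rec["when"], reasons,
                                in_mitigation(rec["when"], windows)))
    return alerts


def summarise(alerts):
    """Alerts inside a mitigation window are tagged for triage, not dropped."""
    suspected = sum(1 for a in alerts if a.artifact_suspected)
    return {"total": len(alerts), "suspected_artifacts": suspected,
            "review_normally": len(alerts) - suspected}


if __name__ == "__main__":
    found = analyse(SESSION_LOG)
    for a in found:
        tag = "MITIGATION ARTIFACT?" if a.artifact_suspected else "REVIEW"
        print(f"{a.when:%H:%M:%S} {a.session} {tag}: {', '.join(a.reasons)}")
    print(summarise(found))
```

The point of tagging rather than suppressing is that a real fraud attempt timed to coincide with mitigation would otherwise be hidden; the analyst sees two alerts marked as probable artifacts and one (s5, after the window closed) that keeps its normal priority.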

DDoS Attacks May Interfere with Back End Systems

A security expert asserts that DDoS attacks "can also cause serious damage to back end systems" (Vlissidis, 2013, par. 1). He refers to the law firm ACS:Law, which was knocked offline in 2010, allegedly by the 4chan hacker group. In the wake of their website's restoration, a 350MB backup file appeared on the front page. The file in question, distributed later all over the net, contains sensitive information on thousands of internet users (Broersma, 2010).

The consequences may reach a sinister scale if we judge by the evaluation given by the privacy advisor, Alexander Hanff: "This data breach is likely to result in significant harm to tens of thousands of people in the form of fraud, identity theft and severe emotional distress" (Meyer, 2010, par. 6).

Inherently Criminal Act

DDoS as Diversion

There is a very dangerous trend that has been going on for quite a while now, where a DDoS attack is initially launched to distract attention, followed by a sophisticated intrusion technique or another type of act that actually appears to be the primary move—something like the pincer tactic used by Hannibal Barca and Zhukov.

Such a multileveled operation struck down Sony and several US banks. According to a report issued by the Dell SecureWorks Counter Threat Unit, the famous toolkit Dirt Jumper is thought to have been used as a covering fire, shrouding an attempted fraudulent wire transfer estimated at up to $2.1 million (Musil, 2013). Evidently, "the DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer" (Musil, 2013, par. 10).

So a scenario where online activists divert attention with DDoS attacks while big corporations get exploited is not impossible.

Negative Impact on Business

It is no secret that DDoS makes the conduct of business difficult, if not impossible. This collateral effect has been experienced by: 1) banks—e.g., HSBC, Wells Fargo, Capital One, Bank of America, Sun Trust, etc.; 2) other financial institutions—e.g., Visa, MasterCard, etc.; 3) governments—practically every wired government; 4) media—e.g., WikiLeaks and Virgin Media.

And that list is not exhaustive. The impact on business in terms of monetary loss, loss of credibility, embarrassing publicity, and so on, is immense. DDoS attacks are so widespread that it is safe to call them ubiquitous. These facts, together with everything else already attributable to DDoS attacks, sound the alarm that legalization of such crimes may open the next "Black Death" chapter in human history.

Furthermore, a particular DDoS attack, the one known as the "Largest DDoS Attack ever"—an IT power equal to the most powerful nuclear bomb (and which may even surpass it soon) —exposes a different type of beast, namely, a vulnerability threatening the very foundations of the Internet itself. By the BBC's account, the DDoS onslaught against Spamhaus led to "slowing down internet speeds for millions of users across the world" (Cox, 2013, par. 9).

Online Protests Are Susceptible to Cyber Protest Fraud

Online protests are more susceptible to cyber-protest fraud. A case of reference here dates back to the dawn of DDoS (1998), when a DDoS attack was initiated nominally in support of the Zapatista rebels, who oppose the Government of Mexico. On the appointed day, thousands of armchair supporters of this online protest campaign visited a protest page and subsequently downloaded a JavaScript file, which appeared benign.

Surprise, surprise. The script was reconfigured, and not in a good way, to direct the attacking flow towards the U.S. Pentagon and the Frankfurt Stock Exchange websites. Of course, the protesters had no clue that some extremist faction had used their willful participation to pursue a hidden agenda. What happened as a result was that "the Pentagon retaliated by getting their non-existing target slogan page to actually spring into life, with a JavaScript that spawned hundreds of browsers and locked up some of the 'attacking' PCs" ("Watching Them, Watching Us" forum user, 2009). Lovely. Still want to play online, Erin Brockovich?

DDoS Is Not a Sit-in

Free Speech Is Silenced

Paradoxical as it sounds, a DDoS, in fact, denies the victim of his or her right to free speech. Even some hacktivist groups admit that DDoS attacks are in violation of the First Amendment, and of the freedoms of assembly and expression. The purpose of civil disobedience is quite the opposite: to provoke the society, policymakers, lawmakers, and so on, to stir up a moral dialogue that may bring about lasting changes (Kleinhans, 2013).

Inimitability of Occupying Space

Protesters that occupy space in front of a building are easily discernible and bystanders can tell them and non-protesters apart. Nevertheless, the situation in cyberspace is not exactly the same. With regard to DDoS, there are other beneficiaries along with the typical protesters—criminals, terrorists, rogue government officials, you name it.

Because of the inherent structure of the Internet, there is this somewhat insurmountable problem that even the victims of DDoS cannot determine categorically whether the incentive behind the act is spurred by the desire to engage in a protest or commit a malevolent act (Kleinhans, 2013). Ultimately, "if DDoS attacks are treated as virtual sit-ins then protesters literally sit at the moment next to authoritarian governments and cyber criminals on the streets and all of them occupy space" (Kleinhans, 2013, p. 39).

DDoS Attacks Lack a Form of Individual Presence in Cyberspace

In our opinion, this is certainly the main criterion that makes the difference between DDoS attacks and traditional sit-ins. The ensuing consequences, inter alia, are numerous and deservedly subdivided into independent points, since they separately represent reasons for not granting legalization:

  1. Physical presence is what makes society realize there is a protest in the first place. From the users' point of view, they would not know why a given website is inaccessible (Züger, 2013).
  2. Due to the anonymity innate to cyberspace, participants in online protests are difficult to spot and distinguish from non-protesters, as distinct from the conventional form of sit-in. "There are no bystanders in cyberspace, nor can you see the people you are marching with," as one scholar concludes (Kleinhans, 2013, p. 35). The non-existence of community spirit, so typical of traditional forms of occupation of space, dissuades genuine volunteers from joining the cause.
  3. The lack of the stated feature may arouse uncertainty among society about the seriousness, sincerity, commitment, and dedication of virtual protesters. In other words, they lose this special aura of nobility that sets them apart from commonplace online trolls, not to mention that they can easily be taken for crafty cyber-criminals, and that is exactly what they will become if they use DDoS to provoke online civil disobedience (April, 2009). Nobility, as a matter of fact, can be defined in terms of the time, psychophysical energy, and expenses that every protester has personally sacrificed. What is the nobility and selflessness of a lone man who employs an automated tool or botnet to affect a website?
  4. Keeping the botnet topic still open, one controversial question pops up. What is the status of people who voluntarily decided to join botnets with the idea of participating in a massive online sit-in? I can tell you that premeditated and willing complicity is something that cyber-cops will not look kindly upon (Cluley, 2010).
  5. On the grounds that online protests lack the physical element needed to "assemble," the German government assesses that the right to assembly does not extend to cyberspace; this interpretation was made in the wake of the LOIC DDoS attack by a user called "AnonLulz" against the copyright corporation for the music industry GEMA (, 2013).

What Is a Sit-in?

A sit-in is a form of civil disobedience that is characterized by certain criteria:

  • direct action

  • non-violent

  • undertaken openly

  • involves one or more persons

  • aimed at challenging injustice (, 1999)

    Typically, the well-known, traditional sit-in consists of protesters that occupy and refuse to leave the space of a decision-maker until he comes round to meet their demands (, 2013).

    DDoS Is Like a Sit-in

    A person could occupy a website by connecting to the domain name / IP address (, 2012). Every time a page request is generated, the load on the website builds up, and if many protesters decide to connect at the same time, this could sink the site into oblivion (`Anon99).

    The similarity of DDoS and sit-in lies in the concept that they both strive to overutilize scarce resources, whether we talk about physical space or server cycles. Besides, both bear a political meaning that may contextualize the offense (Peterson, 2009).

    "No damage is done to the site or its backing computer system," as one proponent of DDoS protests, Mr. Leiderman opines (Leiderman, 2013, par. 5).

    Fig. 2 Juxtaposition of Standard and Online Demonstration

    In essence, DDoS is a non-violent act that occupies a limited and exact space of Internet addresses in order for protesters to make a point. Moreover, websites knocked offline are not shut forever—the blackout is usually temporary and relatively short—and the website can be restored once the protest is over (`Anon99).

    We admit that customers of the website under a cyber sit-in would feel a certain inconvenience, but everyone should slow the pace and go out for a while from his daily routine and enchanting slumber just to hear out the voice of his fellow citizens, the voice of justice (Leiderman, 2013).

    Lufthansa Case

    We would like now to draw the attention of the court and its readership to the Lufthansa case, whose decision meets the standard of what is known in jurisprudence as "precedent." The story begins in 2001, when the activist Vogel made the decision to raise an online protest against the German carrier's practice of allowing local governments to use their aircraft to extradite asylum refugees. The place of assembly is "" and, according to Article 8 of the German constitution, "all Germans have the right to assemble without prior notification or permission peaceably and without arms" (, 2013, par. 6).

    At the stipulated time, give or take, about 13,000 internet users visited the site to participate in Vogel's protest. The resulting gathering of demonstrators merely rendered this "meeting point" unusable to everyone else worldwide for 10 minutes, after which the normal functioning of the website was restored.

    The story does not end here, because Lufthansa filed criminal charges and the Frankfurt district attorney's office acted upon the charges and brought an indictment against Vogel and other activists. The defense pled that the entire event was nothing else than a sit-in protest staged on the Internet. The court based its decision on a ruling by the German Federal Constitutional Court in 1995, which stated that blocking access or traffic to a place is not in itself physical force that requires coercion. Finally, the appellate court acknowledged that this coercion requirement is not met since there is no physical force or considerable harm (, 2013).

    Penalties Are Too Harsh

    Sixteen alleged members of Anonymous were arrested for their role in the PayPal DDoS, and could face more than 10 years in prison and $250,000 in fines. They were charged with conspiracy and "intentional damage to a protected computer" under the CFAA and the case is ongoing (Thompson, 2013).

    For their role in staging a DDoS against PayPal, 16 alleged members of Anonymous were arrested and charged with grievous accusations that may have them condemned to more than 10 years in prison and fines of $250,000. Many script kiddies are rotting in jail, bearing their cross because of ridiculously cruel punishment. It is obvious how these harsh sentences stand out in relief against the outcome of the Lufthansa case. The disproportionality is just stunning, and "calibrating punishment based on the moral value of the DDoS at issue" is needed (Peterson, 2009, 2nd comment, par. 6).

    Sit-In as a Morally Right Concept

    As we see it, participants in civil disobedience are treated on a par with plain criminals, even more so if the civil disobedience takes place on the Internet. Although there is usually no law or jurisdiction specifically addressing this social phenomenon, citizens have no lawful right to practice it. Nevertheless, sit-ins, among the rest of the shades on this palette, are intentionally unlawful collective protest activities, which non-violently defy unjust laws and policy courses. They are practiced on a belief in a prima-facie illegality, i.e., a conspicuously unlawful act that is later on legitimized (Züger, 2013).

    Civil disobedience is a form of protest that should exist in every democracy, and on every medium, to offer room for moral correctives of incompetent governments. Performed reasonably and thoughtfully by well-intentioned and informed persons, online sit-ins via the DDoS method may "serve as a check on the political system and prevent serious departures from justice" (, 1999, par. 3 in ‛Defining Civil Disobedience').

    After all, the right to protest is laid down by the First Amendment and people should be able to exercise it peacefully whenever and wherever they can. Additionally, the Constitution's Bill of Rights also guarantees the people's right to peaceably assemble ("How to Organize a Demonstration"). Furthermore, the right to freedom of expression is safeguarded by the "Charter of Rights and Freedoms" (, 1999). Thus, this entire set of foundational legal norms taken together should provide solid grounds for extending the concept of civil disobedience to the realm of cyberspace.

    With regard to the right of free speech, the former Supreme Court Justice William O. Douglas stated: "Restriction of free thought and free speech is the most dangerous of all subversions. It is the one un-American act that could most easily defeat us" (Leiderman, 2013, par. 19).

    Never mind the fact that most sit-ins are silent.

    Tribunal's Prescriptions

    The purpose of this tribunal is not to pass a verdict on the proceedings taking place here, but merely to express its own non-binding position in the form of recommendations as to how the matter of a sit-in or civil disobedience should be regarded, perhaps in future dealings between citizens and officials. First and foremost, we would like to underline our conviction that contemporary legislation is valid and is the legislation that regulates DDoS events, whether intended as an attack or protest. Hence, with all due respect to the extant laws (lex lata), the tribunal would like to present its lex ferenda, or what the law should be. In fact, it is not only the law that should change; overall perestroika is needed: a new regulatory framework, in terms of institutional stage management and cultural perception, a hinge that will support the conceptualization of the conduct of protest in the realm of cyberspace. This tribunal recommends:

    1. Creation of an institution or group of experts endorsed equally by government and citizens to manage online protests in all their aspects from the moment of their birth until they cease to exist.
    2. Creation of specially designated area (website) on the Internet named the "Land of Expression," where and within whose boundaries every person can freely demonstrate without fear of prosecution (an online equivalent of NYC's Zuccotti Park just before the arrests).
      1. Participants are obliged to register and agree to terms of service, such as not using the platform for criminal activities. However, their personal data should be revealed only in the event of violation of the terms.
      2. Participants in a demonstration are allowed to be active in organizing their activities within the designated area (blogging, streaming, associating, propagandizing, etc.).
      3. The Land of Expression is intended to have considerable popularity among media and social networks. Therefore, protesting groups behind righteous causes would easily gain more support and recognition.

    Fig. 3 Visual Point-by-Point Display of What the Tribunal Recommends

    3. Conduct of controlled DDoS protests
      1. If a protest is directed against a distinct opposing party, there should be a 30-day negotiation period. If no mutual resolution is reached, the protesting party is given the opportunity to appeal to our institution/group of experts in order to be granted permission for a controlled DDoS protest on the website of the opposing party.
      2. If the DDoS protest is granted, then our institution/group of experts issues a special instruction as to how it should be conducted. No botnets or automated toolkits are allowed. If the area of the website under attack is part of its critical infrastructure, the DDoS attack is not to exceed two hours per day duration. Protesters should strictly follow all instructions without exception, and not access the protested website once the DDoS time is over. The maximum length of the DDoS protest is 15 days. Repetition of the entire cycle is possible if there is no agreement between two parties.
      3. Should any violations or unforeseen circumstances occur, our institution/group of experts is authorized to halt the DDoS right away and use all measures at disposal to ensure safety of all parties and systems.

    ~ End of tentative recommendation. Further notes and alterations are possible. ~

    This tribunal is now adjourned.

    Reference List

    `Anon99. DDoS…is it a Virtual Sit-in? Retrieved on 03/12/2013 from

    April, B. (2009). Comment after "In Praise of [Some] DDoSs?" by Chris Peterson. Retrieved on 03/12/2013 from

    Ashford, W. (2010). ACS Law hacking a text-book case that exposes several weaknesses. Retrieved on 03/12/2013 from

    Broersma, M. (2010). File-Share Law Firm Exposes Personal Data. Retrieved on 03/12/2013 from

    Cluley, G. (2010). Are DDoS (distributed denial-of-service) attacks against the law? Retrieved on 03/12/2013 from

    Cox, R. (2013). 5 Notorious DDoS Attacks in 2013 : Big Problem for The Internet of Things. Retrieved on 03/12/2013 from

    Cybercrime Convention Committee (2013). T-CY Guidance Note #5: DDOS attacks. Retrieved on 03/12/2013 from

    Healey, J. & Pitts, H. (2012). Applying International Environmental Legal Norms to Cyber Statecraft. Retrieved on 03/12/2013 from

    High tech crime. Retrieved on 03/12/2013 from

    (2013). The Right to Bear Low Orbit Ion Cannons. Retrieved on 03/12/2013 from

    (1999). CIVIL DISOBEDIENCE: A legal handbook for activists. Retrieved on 03/12/2013 from

    (2011). Sony Tells Congress Anonymous DDoS Aided Breach. Retrieved on 03/12/2013 from

    How to Organize a Demonstration. Retrieved on 03/12/2013 from

    (2011). DDoS Attacks and the Law. Retrieved on 03/12/2013 from

    (2010). The legality of denial of service attacks. Retrieved on 03/12/2013 from

    Laws That May Apply to DDoS Attacks. Retrieved on 03/12/2013 from

    Kleinhans, J.P. (2013). Why are Gandhi and Thoreau AFK? In search for civil disobedience online. Retrieved on 03/12/2013 from

    Leiderman, J. (2013). Justice for the PayPal WikiLeaks protesters: why DDoS is free speech. Retrieved on 03/12/2013 from

    Messmer, E. (2013). Start-up Defense. Net debuts with anti-DDoS service. Retrieved on 03/12/2013 from

    Meyer, D. (2010). Privacy group takes on ACS: Law over porn data breach. Retrieved on 03/12/2013 from

    Musil, S. (2013). Cybercrooks use DDoS attacks to mask theft of banks' millions. Retrieved on 03/12/2013 from

    "Nightmare" forum user (2012). Side Effects Of DDOS Protection? Retrieved on 03/12/2013 from

    Peterson, C. (2009). In Praise of [Some] DDoSs? Retrieved on 03/12/2013 from

    The International Group of Experts at the Invitation of The NATO Cooperative Cyber Defence Centre of Excellence (2012). The Tallinn Manual on the International Law Applicable to Cyber Warfare. Retrieved on 17/02/2013 from

    Thompson, C. (2013). Hacktivism: Civil Disobedience or Cyber Crime? Retrieved on 03/12/2013 from

    United Nations (1945). United Nations Charter. Retrieved from

    U.S. Congress (1986). Computer Fraud and Abuse Act in U.S.C. Retrieved on 03/12/2013 from

    Vlissidis, P. (2013). Comment: preparing for DDoS in the legal sector. Retrieved on 03/12/2013 from

    Watching Them, Watching Us (2009). Comment after "In Praise of [Some] DDoSs?" by Chris Peterson. Retrieved on 03/12/2013 from

    Züger, T. (2013). Re-thinking civil disobedience. Retrieved on 03/12/2013 from

    Dimitar Kostadinov

    Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.