Are DDoS (distributed denial-of-service) attacks against the law?

Graham Cluley
Graham Cluley
@[email protected]

AnonymousIt’s not pleasant to be on the receiving end of a distributed denial-of-service (DDoS) attack.

Malicious hackers can commandeer thousands of computers around the world, and order them to deluge a website with traffic – effectively clogging it up, preventing others from reaching the site, and bringing the website to its knees.

As I’ve described before, DDoS attacks are the equivalent of “15 fat men trying to get through a revolving door at the same time” – nothing can move.

In recent days a number of websites have been struck by DDoS attacks, seemingly co-ordinated by supporters of WikiLeaks against firms and websites who they feel have turned their back on the controversial whistle-blowing website.

Sign up to our free newsletter.
Security news, advice, and tips.

Most recently, internet users have been urged to voluntarily join a botnet, by downloading a DDoS attack tool called LOIC (the name stands for Low Orbit Ion Cannon, and you can read more about it in a detailed analysis by Sophos’s Vanja Svajcer).

My advice to you is to stay well away. Not only would you be foolish to run code on your computer which allows unknown parties to launch attacks against websites at a whim, but you should also understand the legal issues which surround participating in a denial-of-service attack.

For instance, in the UK (where I am writing from today), anti-DDoS laws have been in place since 2006 and could result in you being sent to jail for up to ten years. Similar laws have also been present in Sweden since 2007.

It’s the same story in the USA, where they take a tough line on those who engage in denial-of-service attacks against websites. For instance, last year saw the jailing of a man who launched a DDoS attack against the Scientology website.

And just last month, 23-year-old Mitchell L Frost, of Bellevue, Ohio, was given a 30 month prison sentence for a series of DDoS attacks he launched against the websites of high profile US right-wingers Bill O’Reilly, Ann Coulter and Rudy Giuliani.

So, with that in mind, would it really be wise for you to volunteer to join a botnet which is participating in DDoS attacks? Normally botnets are comprised of the computers belonging to innocent people who have fallen foul of malicious hackers without their knowledge. But if you knowingly participate in a botnet and denial-of-service attack – well, that’s a whole different ball game and unlikely to be looked upon kindly by the computer crime cops.

The police may find it very difficult to identify the shady group of anonymous individuals who have co-ordinated the latest round of attacks against sites they don’t consider pro-WikiLeaks, of course. But you would be crazy to give the authorities any reason to come knocking on your door. After all, someone might be looking for an easy poster-child to warn off others who might be tempted to assist in a distributed denial-of-service.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.