Have you ever attempted to access a popular website but instead been presented with a cryptic error message? If so, you may have encountered the aftermath of a distributed denial-of-service (DDoS) attack.
This article breaks down the mysteries of this cybercrime and explains what the criminal law has to say about it.
What are DDoS Attacks?
DDoS attacks are a sophisticated and dangerous form of denial-of-service (DoS) attack. To understand how DDoS attacks work and the risks they pose to you, it is important to first understand DoS attacks.
DoS attacks
A DoS attack aims to overload the processing capability of its target by sending massive amounts of data in a short period of time. Targets usually include corporations, businesses, and government bodies, but can include any sort of entity with an online presence. A successful DoS attack sends so much information to the target’s website or application that the target must either purchase more storage or processing capacity, slow down its functions, or shut down entirely. Essentially, a DoS attack pushes its target to the limit, forcing it to spend money, slow down or shut down.
A common analogy to explain DoS attacks is to imagine a store being crammed with people who have no intention of buying anything. The store then becomes so full that it is unable to serve or let in any legitimate customers, and it loses money.
An ordinary DoS attack sends out large amounts of information in various forms from a single computer. This means that it is easy for targets to identify the source of the attack and block it, solving the problem and avoiding any ongoing consequences. Imagine if the store manager knew that the problem customers were the ones with red hats. The manager could easily exclude these customers from the store and resume ordinary business.
DDoS attacks
DDoS stands for distributed denial-of-service. Whereas DoS attacks come from a single system, DDoS attacks are distributed as they are sent from many different systems. This makes it difficult for targets to determine which information comes from legitimate sources and which is part of the DDoS attack.
If the store manager doesn’t know which customers are legitimate, they will have no option but to suffer a slow-down of business or temporarily shut down the store.
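The difference between the two cases, seen from the target's side, is shown in the following added example, which is not part of the original article. It classifies one window of request traffic by whether a single source dominates it; the thresholds, the baseline and the sample addresses (taken from reserved documentation ranges) are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample traffic for one time window (addresses are from the
# reserved documentation ranges, not real hosts).
NORMAL = [f"192.0.2.{i}" for i in range(1, 21)]                    # 20 visitors
DOS = NORMAL + ["203.0.113.9"] * 500                               # one noisy source
DDOS = NORMAL + [f"198.51.100.{i % 250 + 1}" for i in range(500)]  # 250 sources, 2 each


def classify_window(sources, baseline, surge_factor=5.0, dominant_share=0.5):
    """Classify one window of per-request source addresses.

    baseline       -- usual request count for a window this long (assumed known)
    surge_factor   -- assumed multiple of baseline that counts as a flood
    dominant_share -- assumed fraction of traffic that marks a single culprit
    """
    total = len(sources)
    counts = Counter(sources)
    result = {"verdict": "normal", "block": [], "distinct_sources": len(counts),
              "remaining_after_block": total}
    if total == 0 or total < surge_factor * baseline:
        return result
    top_ip, top_hits = counts.most_common(1)[0]
    if top_hits / total >= dominant_share:
        # The "red hat" case: one source stands out, so blocking it
        # returns the remaining traffic to its usual level.
        result.update(verdict="single-source flood", block=[top_ip],
                      remaining_after_block=total - top_hits)
    else:
        # No source stands out: a per-address block cannot separate the
        # flood from legitimate visitors.
        result["verdict"] = "distributed flood"
    return result


if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("DoS", DOS), ("DDoS", DDOS)):
        print(name, classify_window(window, baseline=20))
```

In the distributed case the function returns an empty block list, which is the store manager's problem in the analogy: there is no single "red hat" to exclude.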
Botnets
There are many ways that hackers use computing systems and software to launch DDoS attacks. These methods vary depending on the capabilities of the attacker and the motivations for the DDoS attack.
A common method of conducting a DDoS attack is to use a “botnet”. A botnet is a network of internet-connected devices called “bots” that have been compromised by a hacker. The hacker can therefore control and direct the devices to follow commands. Any internet-connected device can be used as a bot as part of a botnet, once compromised. This includes computers, smartphones, and home assistants. The hacker can then use their army of internet-connected devices as separate sources to execute a DDoS attack.
In some cases, established botnets are even rented out like mercenaries to hackers who wish to execute DDoS attacks.
Why do hackers conduct DDoS attacks?
As with most cybercrimes, the principal motivation for DDoS attacks is profit. A hacker might conduct a DDoS attack against a company and demand a ransom payment in exchange for stopping the attack.
Sometimes, more sophisticated hackers use a DDoS attack as part of a suite of attacks to undermine and destabilise a target. For example, a hacker might launch a DDoS attack to reduce a target’s ability to receive customer enquiries. This would distract the target’s cybersecurity team, providing the hacker with the opportunity to launch a more damaging attack against the target using other tools in their hacking arsenal.
Groups such as “Anonymous” have increasingly used DDoS attacks to advance their activist platform. Anonymous has claimed responsibility for DDoS attacks against targets including ISIS, the Minneapolis Police Department and Jair Bolsonaro to protest their political or social activities.
On rare occasions, ordinary people may accidentally participate in what is called an “unintentional DDoS attack”. This occurs when a significant event or a widely shared link causes so many people to visit the same site that the site crashes. When Ellen DeGeneres posted her famous celebrity-filled selfie from the 2014 Academy Awards, it caused so much traffic that Twitter temporarily crashed.
How common are DDoS Attacks?
DDoS attacks typically target businesses, not individuals. Although the higher-profile DDoS attacks that make the news have targeted large corporations, small businesses with an online presence are often targeted.
On 12 April 2022, Cloudflare reported that ransom DDoS attacks around the world had decreased 52 percent from the final quarter of 2021. Cloudflare also found that only 0.57 percent of global DDoS activity is directed at Australian targets.
DDoS attacks in Australian criminal law
DDoS attacks are criminalised in Australian law under part 10.7 of the Criminal Code, which is found in the Schedule to the Criminal Code Act 1995 (Cth).
Section 477.3 of the Code outlines the offence of “Unauthorised impairment of electronic communication”. This offence has three elements, namely that:
- A person causes an impairment of electronic communication to or from a computer,
- The impairment is unauthorised, and
- The person knows that the impairment is unauthorised.
The use of botnets or other tools to carry out a DDoS attack will likely satisfy the elements of this offence:
- A successful DDoS attack impairs electronic communication to or from a computer.
- Intentional DDoS attacks are not authorised.
- Unless the attack falls within the category of “unintentional DDoS attacks” outlined above, the perpetrator will know that the impairment was unauthorised.
An offence under section 477.3 carries a maximum sentence of 10 years’ imprisonment.
In addition, under section 477.1, it is an offence to carry out a DDoS attack with the intention of committing a serious offence, such as extortion or fraud. If found guilty under section 477.1 of the Code, an offender faces a maximum sentence equal to the penalty for the serious offence.
The prosecution does not need to prove that the more serious offence was actually committed.
It is not an offence to attempt a DDoS attack under sections 477.1 and 477.3.
Possible defences
Possible defences to a charge under sections 477.1 and 477.3 of the Criminal Code might include:
- That there was no impairment to electronic communication. This would require proof that the alleged DDoS or DoS attack was not effective.
- That the attack was authorised. For example, if the attack was done with approval from the target to test its cybersecurity capabilities.
- That the attack was unintentional, for example as part of an unintentional DDoS attack.
- In relation to section 477.1 alone, that the attack was not done with the intention of committing a serious offence.
How do you know if you are the victim of a DDoS attack?
The Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Government, lists the following symptoms that may indicate a DDoS attack:
- Unusually slow network performance.
- Unavailability of a particular website.
- An inability to access any website.
- Unusually large amounts of network traffic.
However, these symptoms might be unrelated to a DDoS attack, which is why CISA recommends installing antivirus software and a firewall, and following good online security practices.
What to do if you are the victim of a DDoS attack
Fighting or recovering from a DDoS attack requires specialised technical assistance. CISA recommends contacting your network administrator and internet service provider.
How to report DDoS attacks in Australia
If you believe that you have been the victim of a DDoS attack, you can make a report to the Australian Cyber Security Centre at https://www.cyber.gov.au/acsc/report
How can we help?
Nyman Gibson Miralis provides expert advice and representation to people charged with offences involving DDoS attacks and the use of botnets.
Contact us if you require assistance.