Internet Denial of Service Attacks: Legal, Technical and Regulatory Issues

Article excerpt

ABSTRACT

Internet virus and worm attacks plagued the Internet during the summer of 2003. Millions of computers were affected, and Internet traffic was slowed worldwide. Businesses suffered lost revenue while computer users experienced crashes, cluttered email inboxes, or impaired performance. This was only the latest episode in a continuing problem.

Many of these attacks, including the destructive attacks of August 2003, involve denial of service (DOS). A DOS attack occurs when an attacker sends malicious communications over the Internet, crashing computers or interfering with websites. The computer user or website is thus denied service and access to the Internet. This paper will explain how DOS attacks are perpetrated. It will explain why technical "black box" solutions like firewalls and anti-virus software have failed to provide effective protection. The paper will examine current remedies in civil and criminal law. It will explain why law has failed as an effective deterrent in this area.

Government regulation, which has so far been rejected as a solution to the DOS problem, will nevertheless be considered and regulatory objectives will be identified. Finally, the paper will describe best practices that firms and individuals can employ now to limit their exposure to DOS attacks or to mitigate their impact.

INTRODUCTION

In February 2000 a series of high-profile DOS attacks occurred that knocked leading e-commerce sites like Ebay, CNN and Yahoo off the Internet. Financial loss has been estimated at $1.1 to 1.7 billion (Katyal 2001). The culprit turned out to be a Canadian teenager who used the name "mafiaboy". In the ensuing three and a half years DOS attacks have gained in sophistication and continue to menace the Internet community. For example, in July 2002 the Recording Industry Association of America (RIAA) website was downed for four days by a DOS attack after it endorsed tighter copyright legislation (McCullagh, 2002). The more recent SQL Slammer worm is estimated to have disrupted half of all Internet traffic in January 2003, while the Sobig virus that emerged in late August 2003 affected one in 17 emails worldwide (Economist, 2003). eWeek magazine estimates that as of the end of August, 2003, 63,000 viruses have plagued the Internet, causing a total of $65 billion in damage (Mendoza, 2003).

The events of 9/11 have caused an increased concern for the security of our nation's information infrastructure. DOS attacks have the potential of doing more than taking websites like eBay temporarily off the Internet. They can shut down power grids, hospitals, airports and other vital services (Guth and Machalaba, D., 2003). The objective of this paper is to provide a deeper understanding of how these attacks are perpetrated and what social mechanisms might be employed to deter them. Law and regulation are two of our most effective social mechanisms for modifying behavior. However, they have so far failed to effectively deter these attacks. This paper will explain why. It will examine the legal sanctions facing those who perpetrate or facilitate DOS attacks. Government regulation, which has so far not been applied in this area, will be considered and regulatory objectives will be proposed. Finally, the paper will describe best practices that can now be followed to reduce the chances of being an attack victim or to minimize the harm following an attack.

UNDERSTANDING DENIAL OF SERVICE ATTACKS

A DOS attack can be said to occur whenever a person maliciously causes an interruption in another's service over the Internet. There are many sub-types, but they fall into two broad categories: distributed denial of service and hacked denial of service. A distributed DOS attack floods a target with a great number of packets--small segments of information sent over the Internet. The target's server attempt to respond and establish the connections, but the volume of requests is too great and the server crashes. …