2003 UCLA J.L. & Tech. Notes 6

Federal and California Criminal Violations for Distributed Denial-of-Service Transmissions
by Jacob J. Carroll

Increasingly, a blunt weapon, known as a distributed denial-of-service (DDOS) attack, has been utilized in attempts to flood targeted Internet root servers in order to shut down service. With the increased frequency of these attacks, this Note outlines the mechanisms exercised in such attacks and focuses on federal and California criminal violations for DDOS attacks.

Most recently, an Internet attack targeted the domain name manager UltraDNS with a host of data, causing major delays and difficulties for servers running the host .info and other domains.1 UltraDNS, a member of the Internet Society, serves as the primary domain name server (DNS) provider for the .org and .info domain names. Ben Petro, CEO of UltraDNS, stated that the assault sent approximately two million requests per second to each device. "This is the largest attack that we've seen," Petro said.2

The attack came one month after an identical attack was aimed at similar DNS root servers that many security experts considered the largest and most sophisticated attack ever. The attack used a distributed approach in attacking all of the world's thirteen root servers.3 The root servers, ten of which are located in the United States, serve as a master directory for the Internet. The DNS system, which converts complex Internet protocol addressing codes into the words and names that form email and Web addresses, relies on the thirteen root servers to tell computers around the world how to reach key Internet domains.4 At the top of the root server hierarchy is the "A" root server that generates a critical file every twelve hours telling the other twelve servers what Internet domains exist and where they can be found.5 The DNS is built so that eight or more of the world's thirteen root servers must fail before ordinary Internet users experience degradation. In the recent attack on the .info domain, only four to five of the root servers went down in the face of the attack.6 As a result, end-users did not feel any slowdown.

I. DDOS Attacks

The primary goal of a DDOS attack is to deny a victim's computer, server, or network access to a particular resource.7 These attacks are characterized by an explicit attempt by a user to prevent another user or system from using a service. DDOS attacks can essentially disable individual computers or entire networks. Usually, DDOS attacks can be executed with limited resources against a large and sophisticated site.

Generally, DDOS attacks come in three different forms.8 The first type of DDOS attack is the consumption of limited or non-renewable resources.9 This type of attack can vary in its application. Frequently, DDOS attacks are directed at network connections with the goal of preventing the host from communicating to outside networks, or sometimes its own internal network. With this method the attacker begins a process of connecting to the victim's machine, but ultimately never completes the transmission.10 The result is the victim's machine waits to send all other requests until the attacker's request is resolved, which never occurs.11
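From the victim's side, the never-completed connections described above appear as entries held in the SYN-RECV state. The following is an added example, not part of the original Note: a defensive check that counts half-open connections per listening endpoint. The sample input, the threshold of 3, and the name `half_open_report` are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
# Local, Peer). Addresses come from documentation ranges, not real hosts.
SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      128    0.0.0.0:80         0.0.0.0:*
ESTAB     0      0      192.0.2.10:80      198.51.100.7:51514
SYN-RECV  0      0      192.0.2.10:80      203.0.113.5:40001
SYN-RECV  0      0      192.0.2.10:80      203.0.113.9:40002
SYN-RECV  0      0      192.0.2.10:80      203.0.113.77:40003
SYN-RECV  0      0      192.0.2.10:80      198.51.100.200:40004
SYN-RECV  0      0      192.0.2.10:443     198.51.100.7:51600
ESTAB     0      0      192.0.2.10:443     198.51.100.8:51700
"""

def half_open_report(text, threshold=3):
    """Return {local endpoint: stats} for endpoints whose half-open
    (SYN-RECV) connection count meets the assumed threshold."""
    half_open = Counter()
    established = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN rows, or malformed lines
        state, _, _, local, peer = fields
        if state == "ESTAB":
            established[local] += 1
        else:
            half_open[local] += 1
            # Many distinct peers suggest a distributed (or spoofed) source set.
            sources[local].add(peer.rsplit(":", 1)[0])
    return {
        local: {
            "half_open": count,
            "established": established[local],
            "distinct_sources": len(sources[local]),
        }
        for local, count in half_open.items()
        if count >= threshold
    }

if __name__ == "__main__":
    for endpoint, stats in half_open_report(SAMPLE).items():
        print(endpoint, stats)
```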

An alternative method of conducting a DDOS attack occurs when an attacker uses a victim's resources against themselves.12 This is accomplished by forging data packets to connect to the echo service of one machine.13 Ultimately, the echo increasingly repeats through the network, eventually degrading the network substantially.14 A variation of this type of DDOS attack is generating a large number of packets and directing them at a victim's network. In order to increase the frequency and duration of the assault, many attackers will use dozens, sometimes hundreds, of computers. The end result is completely terminating incoming and outgoing traffic, halting the victim's network activity. Finally, a DDOS attack can be conducted by destroying or altering computer configuration information.15 Improperly configured computers can be modified to perform below optimal speed or can be entirely disabled.

II. DDOS Criminal Legislation

The first version of the federal Computer Fraud and Abuse Act (CFAA) was passed in 1984.16 Its purpose was to protect classified, financial, and credit information that was maintained on federal government computers. With the evolution of computing, the CFAA was amended in 1996. The amendment replaced the term "federal interested computers" with "protected computer." In this step, Congress effectively broadened the scope of the CFAA from protecting federal computers to exercising federal power over all computers involved in interstate and foreign commerce.17

A. Federal Legislation

The CFAA offers varying degrees of criminal liability for the transmission of DDOS to individuals or corporations.18 Federal criminal violations for DDOS are addressed in Title 18 U.S.C. 1030(5)(A). And, while the standard of knowledge differs between Title 18 U.S.C. 1030(5)(A) and (B), both require the transmission of data or the use of a computer through interstate commerce. The first of these, Title 18 U.S.C. 1030(5)(A) states:

"through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if:
(I) the person causing the transmission intends that such transmission will -
(I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or
(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, systems or network, information, data or program [emphasis added]"

In section A(I), the standard set forth by statute is intentional transmission of data that causes damage or the withholding of the use of a computer or network. The first subsection of Title 18 U.S.C. 1030(5)(A)(I) focuses on damage caused by the transmission of a data set to a computer or computer system. In contrast, the second subsection of Title 18 U.S.C. 1030(5)(A)(I) aims to criminalize the withholding of the use of a computer or a computer system by means of a DDOS or similar attack.

Title 18 U.S.C. § 1030(5)(B) was essentially crafted to mimic Section A of Title 18 U.S.C. § 1030(5). However, Section B requires a lower standard of knowledge to invoke a violation. It states:

"through means of a computer used in interstate commerce or communication, knowingly causes the transmission of a program, information, code, or command to a computer or computer system -
(I) with reckless disregard of a substantial and unjustifiable risk that the transmission will -
(I) damage, or cause damage to, a computer, computer system, network, information, data or program; or
(II) withhold or deny or cause the withholding or denial of the use of a computer, computer services, system, network, information, data, or program [emphasis added]"

The knowledge standard for section B violations is reckless disregard (in contrast to section A's intentional standard). Essentially, an unintentional denial of a computer or a computer network, without the authorization of the owner, can constitute a violation of the statute if the sender acted with reckless disregard to the consequences of his or her actions.

B. California Legislation

The California Penal Code, generally modeled after the federal CFAA, has varying degrees of criminal liability for DDOS.19 Title 13, Chapter 5, Section 502(a)(5) states that anyone that:

"knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."

Again, while subsection (a) addresses DDOS and similar attacks, Section 8 emphasizes criminalization of data contaminants. Although modeled after the CFAA, the California Penal Code differs in significant ways. Differing markedly on the standard of knowledge required for a violation of the CFAA, the California Penal Code also has no provision for lack of consent by the owner and no minimum dollar amount for a violation to occur. Moreover, the California Penal Code's knowingly standard foregoes the intentional and reckless disregard standard applied by the CFAA, creating a lower knowledge standard for violators. This results in a stricter state penal code for Internet crime than federal law.

III. Conclusion

In conclusion, both federal and California state laws have made efforts to criminalize DDOS attacks. Furthermore, the federal government and the state of California have passed legislation covering a wide range of Internet crime from IP spoofing to virus transmissions. However, as of yet, the effectiveness of most of these laws is relatively unknown. Increasingly, DDOS attacks have become more targeted, sophisticated, and difficult to trace. As such, accelerating DDOS attacks may outstrip current legislation, making it difficult or impossible to enforce. So far, it has been the engineers, not the lawyers, that have saved the Internet root server system and critical network infrastructure security from being jeopardized by DDOS attacks.

Links

1. Robert Lemos, Attack Targets .info Domain System, November 25, 2002, CNET News.com, http://news.com.com/2100-1001-971178.html?tag=mainstry.
2. Id.
3. David McGuire, Attack on Internet Called Largest Ever, October 22, 2002, Washington Post, http://www.washingtonpost.com/ac2/wp-dyn/A828-2002Oct22?language=printer.
4. Id.
5. Id.
6. Id.
7. How a Denial-of-Service Attack Works, February 9, 2000, CNET News.com Staff, http://news.com.com/2100-1017-236728.html?tag=bplst.
8. Denial of Service Attacks, CERT Coordination Center, June 4, 2001, www.cert.org/tech_tips/denial_of_service.html.
9. Id.
10. Id.
11. Id.
12. Id.
13. Id.
14. Id.
15. Id.

16. Edmund B. Burke, The Expanding Importance of the Computer Fraud and Abuse Act, January 2001, Gigalaw.com, www.gigalaw.com/articles/2001-all/burke-2001-01-all.html.
17. Edmund B. Burke, Computer Usage Policies and the Computer Fraud and Abuse Act, February 2001, Gigalaw.com, www.gigalaw.com/articles/2001-all/burke-2001-02-all.html.
18. To view Title 18 U.S.C. 1030 in its entirety go to http://www.usdoj.gov/criminal/cybercrime/1030_new.html. Please note that this paper only discusses selected sections of Title 18 U.S.C. 1030. The scope of Title 18 U.S.C. 1030 is very broad and includes coverage for federal computers, financial institutions, and U.S. departments and agencies, as well as prosecution for physical injuries sustained and threats to public health.
19. To view Title 13, Chapter 5, Section 502(A) in its entirety go to http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=484-502.9.
