And Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal Collaborative Program Jointly Offers
Master In Cyber Law and Information Security
Legal Aspects of DDOS
SUBMITTED TO: Asst. Prof. Mr. Atul Kumar Pandey
SUBMITTED BY: R Prasun Kumar Naidu 2012MSCLIS12
LEGAL ASPECTS OF DDoS

ABSTRACT

Distributed Denial of Service is a more sophisticated form of Denial of Service: its effect is the same, but the way it is carried out is different. It is much more complicated than its primitive counterpart and is highly untraceable, since many sources are used to attack the target. The problem is worst where law enforcement agencies lack awareness of how such an attack actually works. The attack is very difficult to prevent, as it directly challenges the server's capacity. In this document we will try to understand the problems faced by the agencies that have to block these attacks, and the laws that different countries apply to them.
Contents

INTRODUCTION
WHAT IS DDOS?
WORKING OF DDOS
COUNTER MEASURES
LEGAL ASPECTS
LAWS IN DIFFERENT COUNTRIES
  US LAWS
  UK LAWS
  AUSTRALIAN LAWS
  INDIAN LAW
CONCLUSION
INTRODUCTION

The advancement of cyber technology has brought global success, but has also exposed it to greater risks. With the development of the Internet, cyber attacks have increased and grown more complicated. In this cyber era, two types of attackers have emerged: one group consists of sophisticated attackers who are good at coding and create software for these purposes; the other group uses the software created by the first group to attack, but has very little knowledge of how it works. Denial of service (DoS) attacks have emerged as a major cyber attack weapon. A DoS attack aims to deny genuine users a resource or service provided by a system by overloading the system with a flood of data packets, thus preventing it from processing legitimate requests. In one denial of service incident, a hacker attacked the Port of Houston, the eighth biggest shipping port in the world. Due to this attack, crucial navigation data that the port provided to pilots through its web service was unavailable, thus causing collisions and other risks. 1
There are two types of denial of service attacks, namely flooding attacks and vulnerability attacks. Vulnerability attacks exploit specific vulnerabilities of the target or victim; for example, a buffer overflow is one vulnerability that may be exploited to inject malicious code into the target. Flooding attacks flood the target with legitimate-looking data packets, which places an immense load on the target's resources and ultimately brings it down.

WHAT IS DDOS?

Distributed Denial of Service is the advanced form of a DoS attack. It does the same thing, but with much greater efficiency, because multiple sources are used to launch the attack. The attacker generally uses a virus or worm to gather information about hosts that can be used as agents or zombies for launching the attack. With this information, the attacker takes control of these agents and launches the attack by flooding the target with packets through them, consuming the target's resources and thus bringing it down. This kind of attack is very difficult to identify and trace, since many agents are used and most of them are unaware of it. One example of DDoS is a worm called W32/Code Red, which exploits vulnerabilities for attacking. Since the attack is carried out from multiple sources, it is called Distributed Denial of Service.
1 Meiring de Villiers, "Distributed Denial of Service: Law, Technology & Policy" (January 2007). University of New South Wales Faculty of Law Research Series, Working Paper 3. http://law.bepress.com/unswwps-flrps/art3
WORKING OF DDOS

DDoS attacks are of two types, namely application attacks and network attacks.

Application attacks exploit vulnerabilities to exhaust system resources such as memory or processing time. One such method is SYN flooding, which exploits the 3-way handshake of TCP. The target is flooded with SYN packets and no ACK is ever sent; as a result, the target reserves some resource for each SYN received while waiting for its acknowledgement, ultimately exhausting its resources. This kind of attack is very easy to detect, since a large number of such packets is sent through a single stream. It is also easily prevented through rate limiting, in which the IP address issuing too many requests is blocked. Application attacks also exploit vulnerabilities such as buffer overflows: when a buffer is fed more data than it can hold, the data overflows into adjacent memory locations and corrupts the data stored there, and this overflow is employed to get into the memory of the target.

Network attacks use botnets, amplifiers or a combination of both. A botnet is a network of agents or zombies controlled by its handlers or attackers to attack simultaneously, so as to multiply the number of packets sent; this increases the stream of attack by using multiple hosts. Amplification is a method by which the attacker's single stream is converted into a flood of multiple streams. An example is DNS amplification, in which the attacker sends a request to a DNS server that appears to come from the target server; the DNS server then replies to the target with chunks of information. On many servers the ratio of reply size to request size may be up to 76:1, which is a great amplification of the attack.
Attack | Affected Area | Example | Description
Network Level Device | Routers, IP Switches, Firewalls | Ascend Kill II, Christmas Tree Packets | Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.
OS Level | Equipment Vendor OS, End-User Equipment | Ping of Death, ICMP Echo Attacks, Teardrop | Attack takes advantage of the way operating systems implement protocols.
Application Level Attacks | Finger Bomb | Finger Bomb, Windows NT Real Server G2 6.0 | Attack a service or machine by using an application attack to exhaust resources.
Data Flood (Amplification, Oscillation, Simple Flooding) | Host computer or network | Smurf Attack (amplifier attack), UDP Echo (oscillation attack) | Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.
Protocol Feature Attacks | Servers, Client PC, DNS Servers | SYN (connection depletion) | Attack in which bugs in a protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting the DNS server cache. 2
2 www.princeton.edu/~rblee/ELE572F02presentations/DDoS.ppt

COUNTER MEASURES

Attack | Countermeasure Options | Example | Description
Network Level Device | Software patches, packet filtering | Ingress and Egress Filtering | Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.
OS Level | SYN Cookies, drop backlog connections, shorten timeout time | SYN Cookies | Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.
Application Level Attacks | Intrusion Detection System | Guard Dog, other vendors | Software used to detect illicit activity.
Data Flood (Amplification, Oscillation, Simple Flooding) | Replication and Load Balancing | Akamai/Digital Island provides content distribution | Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.
Protocol Feature Attacks | Extend protocols to support security | IETF standard for itrace, DNSSEC | Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information. 3

3 www.princeton.edu/~rblee/ELE572F02presentations/DDoS.ppt
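As an added illustration of the SYN cookie countermeasure listed in the table above (and of the SYN flooding it answers, described under WORKING OF DDOS), the following Python sketch shows how a server can encode its SYN-ACK sequence number as a stateless cookie and later verify the client's ACK, so that unacknowledged SYNs consume no backlog entry. This is example code written for this page, not code from the paper or from any operating system; the bit layout, the MSS table and the secret are assumptions modelled on the classic scheme.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real stack uses a random key and rotates it.
SECRET = b"constructed-demo-secret"
# MSS values the 3-bit field can encode (the cookie cannot carry arbitrary TCP options).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNT_BITS, MSS_BITS, MAC_BITS = 5, 3, 24   # 5 + 3 + 24 = 32-bit ISN
MAX_AGE_MINUTES = 2                         # accept this minute and the previous one


def _mac(saddr, daddr, sport, dport, client_isn, count):
    """24-bit keyed MAC over the connection 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, minute):
    """Server ISN for the SYN-ACK: <5-bit minute><3-bit MSS index><24-bit MAC>.
    Nothing is stored for the half-open connection, so a flood of SYNs that are
    never acknowledged cannot exhaust the backlog."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i          # largest table entry not above the client's MSS
    count = minute & ((1 << COUNT_BITS) - 1)
    mac = _mac(saddr, daddr, sport, dport, client_isn, count)
    return (count << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) | mac


def check_cookie(saddr, daddr, sport, dport, client_isn, ack, minute):
    """Validate the handshake-completing ACK (client_isn is the ACK's seq - 1).
    Returns the MSS to use for the connection, or None if the cookie is stale or forged."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    age = (minute - count) % (1 << COUNT_BITS)
    if age >= MAX_AGE_MINUTES:
        return None               # stale cookie: replayed or very old
    if mac != _mac(saddr, daddr, sport, dport, client_isn, count):
        return None               # forged or mismatched cookie
    return MSS_TABLE[mss_idx]
```

Because the ISN can be recomputed from the ACK itself, the server commits memory only when a valid ACK arrives; the cost is that TCP options other than MSS are lost, which is why real stacks turn cookies on only when the backlog is under pressure.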
LEGAL ASPECTS

A DDoS attack involves 5 constituents, namely:
1. Attackers.
2. Computer systems which are turned into zombies and are used for launching attacks.
3. Target sites or servers.
4. The software retailer accountable for the exploited vulnerabilities.
5. Network intermediaries and ISPs. 4
There are provisions in different countries that cover these attacks. But target sites or servers, and the retailers whose software's vulnerabilities are exploited, are also liable under tort law, as the attack would be considered negligence on the part of both of them. The users whose systems are used as zombies would also attract tort liability, as they too have certain duties which they did not perform, which allowed such an attack.

LAWS IN DIFFERENT COUNTRIES

US LAWS

Causing Computer Damage (18 U.S.C. § 1030(a)(5)):
- Caus[ing] loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.
- Modify[ing] or impair[ing] . . . the medical examination, diagnosis, treatment, or care of one or more individuals.
- Caus[ing] physical injury to any person.
- Threaten[ing] public health or safety.
- [Causing] damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.

These are federal crimes if they involve a protected computer. Protected computers are of 5 types:
1. Used exclusively for or by the United States Government.
2. Used exclusively for or by a bank or other financial institution.
3. Used in part for or by the United States Government where the damage "affects" government use or use on the government's behalf.
4. Used in part for or by a bank or other financial institution where the damage "affects" use by or on behalf of the institution.
5. Used in interstate or foreign commerce or communications. 5

4 Meiring de Villiers, "Distributed Denial of Service: Law, Technology & Policy" (January 2007). University of New South Wales Faculty of Law Research Series, Working Paper 3. http://law.bepress.com/unswwps-flrps/art3
UK LAWS

Computer Misuse Act 1990. Computer misuse offences:
1. Unauthorized access to computer material.
2. Unauthorized access with intent to commit or facilitate commission of further offences.
3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

Section 3: Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
(1) A person is guilty of an offence if
  (a) he does any unauthorized act in relation to a computer;
  (b) at the time when he does the act he knows that it is unauthorized; and
  (c) either subsection (2) or subsection (3) below applies.
(2) This subsection applies if the person intends by doing the act
  (a) to impair the operation of any computer;
  (b) to prevent or hinder access to any program or data held in any computer;
  (c) to impair the operation of any such program or the reliability of any such data; or
  (d) to enable any of the things mentioned in paragraphs (a) to (c) above to be done. 6
AUSTRALIAN LAWS

Criminal Code Act 1995, Part 10.7 Computer offences. Impairment of electronic communication to or from a computer includes:
(a) the prevention of any such communication; or
(b) the impairment of any such communication on an electronic link or network used by the computer;
but does not include a mere interception of any such communication. 7
5 http://www.usa.gov/Topics/Reference-Shelf/Laws.shtml
6 http://www.legislation.gov.uk/ukpga/1990/18/section/3
7 http://www.comlaw.gov.au/Details/C2012C00306/Html/Text#_Toc319937493
INDIAN LAW

Section 43(f): Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means. 8

Section 66F(1)(A)(i): Denying or cause the denial of access to any person authorized to access computer resource.

8 http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf
CONCLUSION

Prevention of DDoS is very difficult, as attackers have a whole range of methods to employ. Even taking adequate precautions may not be sufficient to prevent such an attack. There is also a lack of awareness among law enforcement agencies of how this attack works, which is a big hindrance. We have a law for such an attack, but there is no enforcement, as most attacks are not reported, and even when they are reported it is very difficult to understand and track the attacker. Our law is also inadequate, as it only talks about denial of service and does not address the damages it may cause. The other section that covers it is the one on Cyber Terrorism, in which such an act is used to induce fear in the minds of the public or a particular section of the public. Our law talks about DoS and not DDoS, so nothing is said about the agents or zombies that are used to carry out the attacks, who may or may not fall under a liability. Thus, criminal liability must be added to it for certain cases other than Cyber Terrorism, as such acts may be of a criminal nature under certain conditions without being acts of Terrorism.