1 | P a g e

National Law Institute University, Bhopal


And
Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal
Collaborative Program Jointly Offers

Master
In
Cyber Law and Information Security

Legal Aspects of DDOS

SUBMITTED TO:
Asst. Prof. Mr. Atul Kumar Pandey

SUBMITTED BY:
R Prasun Kumar Naidu 2012MSCLIS12

LEGAL ASPECTS OF DDoS
ABSTRACT
Distributed Denial of Service is a more sophisticated form of Denial of Service: its effect is the same, but its application is different. It is much more complicated than its primitive counterpart and is very hard to trace, since many sources are used to attack the target. The problem arises where law enforcement agencies lack awareness of how such an attack actually works. This attack is very difficult to prevent, as it directly challenges the server's capacity. In this document we will try to understand the problems faced by the agencies that block such attacks and also the laws that different countries follow.
Contents

INTRODUCTION .......................................................................................................................... 4
WHAT IS DDOS? .......................................................................................................................... 4
WORKING OF DDOS ................................................................................................................... 5
COUNTER MEASURES ............................................................................................................... 6
LEGAL ASPECTS ......................................................................................................................... 8
LAWS IN DIFFERENT COUNTRIES .......................................................................................... 8
US LAWS ............................................................................................................................... 8
UK LAWS .............................................................................................................................. 9
AUSTRALIAN LAWS ........................................................................................................... 9
INDIAN LAW ...................................................................................................................... 10
CONCLUSION ............................................................................................................................. 11
INTRODUCTION
Advancement of cyber technology has led to global success, but has also exposed it to greater risks. With the development of the Internet, cyber attacks have also increased and grown more complicated. In this cyber era, two types of attackers have come into existence: one group consists of sophisticated attackers who are good at coding and also create software for these purposes; the other group uses the software created by the first group for attacking but has very little knowledge of how it works.
Denial of service (DoS) attacks have emerged as a major cyber attack weapon. A DoS attack aims to deny genuine users a resource or service provided by a system by overloading the system with a flood of data packets, thus preventing it from processing legitimate requests. In one denial of service incident, a hacker attacked the eighth biggest shipping port in the world, the Port of Houston. Due to this attack, crucial navigation data that the port's web service provided to pilots was unavailable, thus causing collisions and other risks.[1]

There are two types of denial of service attacks, namely flooding attacks and vulnerability attacks. Vulnerability attacks exploit certain vulnerabilities of the target or victim. For example, a buffer overflow is one vulnerability that may be exploited for injecting malicious code into the target or victim. Flooding attacks flood the target with legitimate-looking data packets, which places an immense load on the resources of the target and ultimately brings it down.
WHAT IS DDOS?
Distributed Denial of Service is the advanced form of DoS attack: it does the same thing, but with much more efficiency, since multiple sources are used to launch the attack. The attacker generally uses a virus or worm to gather information about hosts that can be used as agents or zombies for launching the attack. After getting this information, the attacker takes control of these agents and launches the attack by flooding the target with packets through them, consuming the target's resources and thus bringing it down. This kind of attack is very difficult to identify and trace, as many agents are used in it, and most of them are unaware of it. One example of DDoS is a worm called W32/Code Red, which exploits vulnerabilities for attacking. Since it is done from multiple sources, it is called Distributed Denial of Service.

[1] Meiring de Villiers, "Distributed Denial of Service: Law, Technology & Policy" (January 2007). University of New South Wales Faculty of Law Research Series, Working Paper 3. http://law.bepress.com/unswwps-flrps/art3

WORKING OF DDOS
DDoS attacks are of two types, namely application attacks and network attacks. Application attacks exploit vulnerabilities to exhaust system resources such as memory or processing time. One of the methods is SYN flooding, which exploits the three-way handshake of TCP. In this attack, the target is flooded with SYN packets without any ACK being sent. As a result, the target reserves some resource for each SYN received while waiting for its acknowledgement, ultimately exhausting its resources. This kind of attack is very easy to detect, as a large number of such packets are sent through a single stream. It is also easily prevented through rate limiting, in which we block the IP address issuing too many requests.
Network attacks use botnets, amplifiers or a combination of both for this purpose. A botnet is a network of agents or zombies controlled by its handlers or attackers so as to attack simultaneously and multiply the number of packets sent. This increases the attack stream by using multiple hosts for it. Amplification is a method through which the attacker's single stream is converted into a flood of multiple streams. An example is DNS amplification, in which the attacker makes a request to a DNS server that appears to come from the target server. The DNS server then replies to the target server with chunks of information. On many servers the ratio of reply to request may be up to 76:1, which is a great amplification of the attack.
Application attacks exploit vulnerabilities such as buffer overflows, in which, when a buffer is fed with more data than it can hold, the data overflows into adjacent memory locations, corrupting the data stored there. This overflow is employed to get into the memory of the target.
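As an added illustration (not part of the original paper), the rate-limiting check described above can be expressed as a small script: it walks constructed connection-log lines, counts the SYNs each source has left un-acknowledged, and names the sources that exceed a half-open threshold. The log format and the threshold are assumptions made for this demo.

```python
from collections import defaultdict

# Constructed sample of connection-log lines (not from the paper):
# "<seconds> <src_ip> <dst_ip> <flags>", flags being TCP flag letters.
# 10.0.0.9 sends SYN after SYN and never completes a handshake with ACK;
# 192.168.1.5 completes its handshakes normally.
SAMPLE_LOG = """\
0.00 192.168.1.5 203.0.113.10 S
0.01 192.168.1.5 203.0.113.10 A
0.02 10.0.0.9 203.0.113.10 S
0.03 10.0.0.9 203.0.113.10 S
0.04 10.0.0.9 203.0.113.10 S
0.05 10.0.0.9 203.0.113.10 S
0.06 192.168.1.5 203.0.113.10 S
0.07 192.168.1.5 203.0.113.10 A
0.08 10.0.0.9 203.0.113.10 S
"""

def half_open_counts(log_text):
    """Count, per source, the SYNs that were never followed by an ACK.

    Each SYN from a source opens a pending handshake; a later ACK from the
    same source closes one pending handshake. What remains is the number of
    half-open connections the target is holding on that source's behalf.
    """
    pending = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _, src, _, flags = parts
        if "S" in flags and "A" not in flags:
            pending[src] += 1             # new SYN, handshake not yet complete
        elif "A" in flags and pending[src] > 0:
            pending[src] -= 1             # ACK completes one pending handshake
    return dict(pending)

def sources_to_rate_limit(log_text, threshold=3):
    """Sources holding more than `threshold` half-open connections, i.e. the
    addresses the paper's rate-limiting step would block."""
    counts = half_open_counts(log_text)
    return sorted(src for src, n in counts.items() if n > threshold)

if __name__ == "__main__":
    print(half_open_counts(SAMPLE_LOG))      # {'192.168.1.5': 0, '10.0.0.9': 5}
    print(sources_to_rate_limit(SAMPLE_LOG))  # ['10.0.0.9']
```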
Attack: Network Level Device
Affected Area: Routers, IP Switches, Firewalls
Example: Ascend Kill II, Christmas Tree Packets
Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

Attack: OS Level
Affected Area: Equipment Vendor OS, End-User Equipment
Example: Ping of Death, ICMP Echo Attacks, Teardrop
Description: Attack takes advantage of the way operating systems implement protocols.

Attack: Application Level Attacks
Affected Area: Finger Bomb
Example: Finger Bomb, Windows NT Real Server G2 6.0
Description: Attack a service or machine by using an application attack to exhaust resources.

Attack: Data Flood (Amplification, Oscillation, Simple Flooding)
Affected Area: Host computer or network
Example: Smurf Attack (amplifier attack), UDP Echo (oscillation attack)
Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Attack: Protocol Feature Attacks
Affected Area: Servers, Client PC, DNS Servers
Example: SYN (connection depletion)
Description: Attack in which bugs in protocol are utilized to take down network resources. Methods of attack include IP address spoofing and corrupting DNS server cache.[2]

COUNTER MEASURES

Attack: Network Level Device
Countermeasure Options: Software patches, packet filtering
Example: Ingress and Egress Filtering
Description: Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.

Attack: OS Level
Countermeasure Options: SYN Cookies, drop backlog connections, shorten timeout time
Example: SYN Cookies
Description: Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.

Attack: Application Level Attacks
Countermeasure Options: Intrusion Detection System
Example: Guard Dog, other vendors
Description: Software used to detect illicit activity.

Attack: Data Flood (Amplification, Oscillation, Simple Flooding)
Countermeasure Options: Replication and Load Balancing
Example: Akamai/Digital Island provides content distribution.
Description: Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.

Attack: Protocol Feature Attacks
Countermeasure Options: Extend protocols to support security.
Example: IETF standard for itrace, DNSSEC
Description: Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.[3]

[2] www.princeton.edu/~rblee/ELE572F02presentations/DDoS.ppt
[3] www.princeton.edu/~rblee/ELE572F02presentations/DDoS.ppt
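The SYN cookie countermeasure listed for the OS level above, as an added example that is not from the paper or the cited slides: the server folds a time counter, an MSS index and a keyed hash of the connection 4-tuple into its initial sequence number, so it stores nothing for a half-open connection and validates the returning ACK purely by recomputation. The bit layout, the secret, the MSS table and the acceptance window are assumptions made for this demo.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"    # assumption: a per-server key, rotated in practice
MSS_TABLE = [536, 1220, 1440, 1460]    # demo choice: MSS stored as a 2-bit table index

def _keyed_hash(src, dst, sport, dport, t):
    """25-bit keyed hash over the 4-tuple and the time counter (src/dst as 4 bytes)."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF

def make_cookie(src, dst, sport, dport, t, mss):
    """Initial sequence number for the SYN-ACK. Nothing is kept in a backlog:
    everything needed to verify the handshake later is inside the number.
    Layout (demo): bits 31..27 = t mod 32, bits 26..2 = hash, bits 1..0 = MSS index."""
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return ((t & 0x1F) << 27) | (_keyed_hash(src, dst, sport, dport, t) << 2) | idx

def check_cookie(src, dst, sport, dport, now, ack_num, max_age=3):
    """Validate the client's final ACK (ack_num = cookie + 1). Returns the MSS
    to use for the connection, or None if the cookie is forged or too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low, idx, h = cookie >> 27, cookie & 0x3, (cookie >> 2) & 0x01FFFFFF
    for age in range(max_age + 1):       # accept counters up to max_age ticks old
        t = now - age
        if t >= 0 and (t & 0x1F) == t_low and _keyed_hash(src, dst, sport, dport, t) == h:
            return MSS_TABLE[idx]
    return None                          # spoofed source, stale cookie or wrong hash

# Constructed example: client 10.0.0.9:40000 -> server 203.0.113.10:80 at counter 100
CLIENT, SERVER = bytes([10, 0, 0, 9]), bytes([203, 0, 113, 10])
COOKIE = make_cookie(CLIENT, SERVER, 40000, 80, 100, 1460)

if __name__ == "__main__":
    print(check_cookie(CLIENT, SERVER, 40000, 80, 102, COOKIE + 1))  # 1460
    print(check_cookie(CLIENT, SERVER, 40000, 80, 110, COOKIE + 1))  # None (too old)
```

Because a spoofed SYN never yields an ACK that passes check_cookie, the flood costs the server one hash per SYN-ACK instead of a backlog entry held until timeout.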
LEGAL ASPECTS
A DDoS attack involves five constituents, namely:
1. Attackers.
2. Computer systems which are turned into zombies and are used for launching attacks.
3. Target sites or servers.
4. The software retailer accountable for the exploited vulnerabilities.
5. Network intermediaries and ISPs.[4]

There are provisions in different countries that cover these attacks. But target sites or servers, and the retailers whose software's vulnerabilities are exploited, are also liable under the law of torts, as the attack would be considered negligence on the part of both of them. The users whose systems are used as zombies would also attract tort liability, as they too have certain duties to perform which they did not, and this failure caused such an attack.
LAWS IN DIFFERENT COUNTRIES
US LAWS
Causing Computer Damage (18 U.S.C. 1030(a)(5)):
- Cause[ing] loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.
- Modify[ing] or impair[ing] . . . the medical examination, diagnosis, treatment, or care of one or more individuals.
- Cause[ing] physical injury to any person.
- Threaten[ing] public health or safety.
- [Causing] damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.
These are federal crimes if they involve a protected computer. Protected computers are of five types:
- Used exclusively for or by the United States Government.
- Used exclusively for or by a bank or other financial institution.
- Used in part for or by the United States Government where the damage "affects" government use or use on the government's behalf.
- Used in part for or by a bank or other financial institution where the damage "affects" use by or on behalf of the institution.
- Used in interstate or foreign commerce or communications.[5]

[4] Meiring de Villiers, "Distributed Denial of Service: Law, Technology & Policy" (January 2007). University of New South Wales Faculty of Law Research Series, Working Paper 3. http://law.bepress.com/unswwps-flrps/art3


UK LAWS
Computer Misuse Act 1990
Computer misuse offences:
1. Unauthorized access to computer material.
2. Unauthorized access with intent to commit or facilitate commission of further offences.
3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Section 3: Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
1. A person is guilty of an offence if
   a. he does any unauthorized act in relation to a computer;
   b. at the time when he does the act he knows that it is unauthorized; and
   c. either subsection (2) or subsection (3) below applies.
2. This subsection applies if the person intends by doing the act
   a. to impair the operation of any computer;
   b. to prevent or hinder access to any program or data held in any computer;
   c. to impair the operation of any such program or the reliability of any such data; or
   d. to enable any of the things mentioned in paragraphs (a) to (c) above to be done.[6]

AUSTRALIAN LAWS
Criminal Code Act 1995
Part 10.7: Computer offences
Impairment of electronic communication to or from a computer includes:
- the prevention of any such communication; or
- the impairment of any such communication on an electronic link or network used by the computer;
but does not include a mere interception of any such communication.[7]

[5] http://www.usa.gov/Topics/Reference-Shelf/Laws.shtml
[6] http://www.legislation.gov.uk/ukpga/1990/18/section/3
[7] http://www.comlaw.gov.au/Details/C2012C00306/Html/Text#_Toc319937493

INDIAN LAW
Section 43(f)
Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means.[8]

Section 66F(1)(A)(i)
Denying or cause the denial of access to any person authorized to access computer resource.

[8] http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf

CONCLUSION
Prevention of DDoS is very difficult, as there are a whole lot of methods for attackers to employ. Even taking adequate steps may not be sufficient to prevent such an attack. There is also a lack of awareness among law enforcement agencies of how this attack works, which is a big hindrance. We have a law for such an attack, but there is no implementation, as most attacks are not reported, and even when they are reported it is very difficult to understand and track the attacker. Our law is also inadequate, as it only talks about the denial of service and does not talk about the damages it may cause. The other section that covers it is that of Cyber Terrorism, in which such an act is used for inducing fear in the minds of the public or a particular section of the public. Our law talks about DoS and not DDoS, so nothing is mentioned about the agents or zombies that are used for causing the attacks, who may or may not fall under a liability. Thus, criminal liability must be added under certain cases other than Cyber Terrorism, as such acts may be of a criminal nature under certain conditions without being an act of Terrorism.