Prosecuting DDoS Attacks?

dptalia writes "We all have heard of major DDoS attacks taking down countries, companies, and organizations. But how many of them are ever prosecuted? And how many prosecutions are even successful? I've done some research and it appears the answer is very few (Well duh!). And those that are successfully prosecuted tend to have teenagers as the instigators. Does this mean DDoS is a fairly safe crime to conduct? Are the repercussions nonexistent? Does anyone have some knowledge an insight into this that I don't have? How would you go about prosecuting a DDoS attacker? What's your experience with getting the responsible parties to justice?"

Illegal; but....

[fuzzyfuzzyfungus]

The basic problem with DDoSes is that anyone who isn't a moron(ie. the teenage punks who get caught), is generally working from behind multiple layers of indirection and usually across a number of jurisdictions. What they are doing is probably illegal in all of them; but the degree to which the authorities care, or are on the ball enough to do anything about it can be pretty limited.

It doesn't help that a lot of the DDoS victims are either clueless and irrelevant(Yup, the feds don't really care about dialup users getting ping-flooded on IRC), widely considered to be a little shady themselves(*Call to the FBI* "Hi guys, I run this offshore gambling site in Antigua, and I've been having some problems with DDoS attacks that are really cutting in to my ability to serve American customers during peak sporting-event times...." *click*), or are parties in some sort of nationalist pissing match, of the sort where many "patriotic excesses" have a tendency to be overlooked(Yeah, I'm sure the Russian authorities are working night and day to bring to justice anybody involved in atttacks against Estonia...)

While, as a matter of law, DDoSing is hard to do legally, even in fairly shady areas(if nothing else, your botnet likely implies a fair number of computer-intrusion crimes in jurisdictions where that is an offense, and it is unlikely at best that you are properly reporting and paying taxes on the "protection" money that you are collecting). However, with the complexity of cross-jurisdiction investigation and prosecution, and without the massive public antipathy that something like kiddie porn has, the odds of actually getting brought to justice are fairly low, unless you are basically just a petty vandal, hitting some high-profile target in the same country as you.

It depends on the scale of your operation

[Yaa 101]

If you are a rich company that is well connected politically you can get away practically anything, this also goes for DDOS attacks.

Re:It depends on the scale of your operation

[LostCluster]

And if you're a rich company that can pay for more bandwidth and processing than the other guy, you're virtually immune to DDoS problems.

Re:Illegal; but....

[fuzzyfuzzyfungus]

Perhaps I am underestimating the public's perverse acceptance of broad criminalization of all kinds of stuff; but I find it hard to believe that any scheme where Joe Public could find himself paying serious fines or doing serious time just for plugging in a commercially available computer and running normal software would possibly be adopted.

I'd be delighted if there were something that caused people to wipe their flyblown zombie-boxes more often than they do now; but essentially criminalizing getting compromised seems cruel and ineffective when it is so easy to do and sometimes so hard to detect. You don't have to be "negligent", in any useful sense of the term, to get hit.

Re:Illegal; but....

[LostCluster]

Not applying security fixes, or not having a minimal level of antivirus/firewall software is a sure way to join a botnet lately. We need those $15/yr. subscribers to pay the white hat hackers who develop antivirus tech, this isn't like letting a magazine subscription lapse.

Re:Illegal; but....

[berzerke]

...not having a minimal level of antivirus/firewall software is a sure way to join a botnet lately...

Even having one isn't nearly as much protection as most of us would like to believe. A 2007 research study by Panda Labs [pandasecurity.com] found that about 23% of infected machines had active and up-to-date AV software.

My own tests of AV software were less than encouraging and made the 23% quite believable. The better software either had more than a few false positives (Avira), or can be a PITA for non-techie users, and even techie users, (Comodo).

Re:Illegal; but....

[Opportunist]

The public's acceptance of that crime is simply the same that applies to everything else:

Does it affect me?
No.
Can I get in trouble for it?
No.
Then why the heck should I care?

That's basically what it comes down to. People do not care about crime that (appearantly, or at least directly) does not affect them. Even if they're being made accomplices. Why? Because it takes an effort to avoid it and there's no gain in it. Simple as that.

And no, you can't really make people directly liable for the damage they do that way. As much as I'd like it, but even I could, unwittingly, become part of a botnet. A fair lot of malware passes through my machines here on a daily base. That one of them manages to escape the sandboxes sooner or later is a given. So, for simple self preservation, I wouldn't really want to see such a law become reality. Besides, it is near impossible for the average user to 100% avoid becoming subject to an infection. Yes, that includes you, dear reader. Not being a moron does help a lot to minimize the infection propability, but it does not remove it entirely. And with knowledge comes the (false) sense of security that you're too good to be infected. You're not. Well, you might be if you don't use Windows. But don't count on it. How often did you reinstall your Windows in the last 2 years? The average clueless idiot does so about every 6 months. And at least then his machine will be clean again. I have to admit, some of the machines here have been running Windows for over 5 years now. Are they still clean? I sure hope so. Am I sure? Not really.

But, and here is the point where I'd put the liability angle, I do what I can to keep them clean. I update their software. I keep them patched and sealed. I use a router to avoid external direct access. They are hidden behind a layer of firewalls. And of course they run on-access AV scanners, and are regularely swept with a different on-demand scanner. And aside of the firewall layers this is something that can easily be asked from Joe Randomuser: Get a router, get a AV scanner and get a software firewall. Where's the problem with that? You don't need to have a huge knowledge of computers to install those tools and turn on auto updates on the software you're using.

I wouldn't call it asking too much from any user to do that. If you got that and still get infected, pity. But you're off the hook. You did everything that could possibly be asked from you as a normal user. But if you install every kind of crap that's sent to you in a spam mail and poke around the net without any protection at all then yes, you're acting negligent. And then you should be liable for the damage you do.

Re:Illegal but the FBI does not care.

[mindstrm]

What makes you think they don't?