Should Your Organization Add DDoS Attacks to its Tactics Toolkit?
In two recent examples of conflict online—the Internet's response to Iran's rigged election, and 4chan's reaction to AT&T's perceived censorship—distributed denial of service attacks have been wielded (or threatened) as a powerful and disruptive, nonviolent tool for change. The relative ease with which one can coordinate and participate in such an attack means this tactic can be employed by individuals or small groups, not just militaries and large corporations. But what are the ramifications of empowering individuals to take down government sites? And what are the moral implications of adding DDoS attacks to a social movement's repertoire?
DDoS attacks are infamous for their ability to take down even the most hardened servers, and have been used by criminals to extort money from gambling sites, by corporations to disrupt the business of their competitors, and by hackers, often simply to make life difficult for the rest of us.
The elusive power underlying this type of attack is its swarm nature. Rather than a single computer exploiting a single weak point of a target, as traditional hacks might, a DDoS attack is carried out by tens or hundreds of thousands of computers in tandem, all of which direct a steady stream of traffic to a target server. From a single computer, this stream of data would be harmless, but together with the rest of the swarm, the traffic overwhelms the server, which is unable to reply to every machine. This can result in reduced or total loss of server functionality, often for hours or days.
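The swarm property described above is also why defending against it is hard, as this added example (not part of the original article) shows from the server operator's side: a per-source rate limit sees nothing wrong, while the aggregate load exceeds what the server can answer. The limit, the capacity figure and the traffic records are constructed assumptions.

```python
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 20    # assumed: requests/second a per-IP rate limiter allows
SERVER_CAPACITY = 1000   # assumed: total requests/second the server can answer

def constructed_swarm(sources=500, per_source_rps=5, seconds=3):
    """Constructed sample log: (second, source_ip) pairs.
    Every source stays far below the per-source limit."""
    return [(t, f"10.0.{s // 250}.{s % 250}")
            for t in range(seconds)
            for s in range(sources)
            for _ in range(per_source_rps)]

def analyse(events, per_source_limit=PER_SOURCE_LIMIT, capacity=SERVER_CAPACITY):
    """Summarise each one-second window from the defender's point of view."""
    windows = defaultdict(Counter)
    for second, src in events:
        windows[second][src] += 1
    report = []
    for second in sorted(windows):
        counts = windows[second]
        total = sum(counts.values())
        report.append({
            "second": second,
            "total_rps": total,
            "distinct_sources": len(counts),
            "max_single_source_rps": max(counts.values()),
            # What a per-IP limiter sees: sources individually over the limit.
            "sources_over_limit": sorted(
                s for s, c in counts.items() if c > per_source_limit),
            # What the server experiences: aggregate demand versus capacity.
            "overloaded": total > capacity,
        })
    return report

if __name__ == "__main__":
    for row in analyse(constructed_swarm()):
        print(row)
```

Monitoring that tracks total request rate and the number of distinct sources per window catches this pattern; a per-source threshold alone does not.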
Most DDoS attacks are carried out by botnets—networks of computers infected by malicious code that, when activated, unbeknownst to their owners, carry out any instructions given to them. The largest known botnet, slow denial of service," which forces a server's socket connections to remain open without bombarding the machine with bandwidth. By doing so, DDoSers effectively disrupted Iranian government sites while attempting not to reduce bandwidth across the entire country—a strategy that demonstrates precision and restraint in its selective damage, and greater ethical consideration than botnet DDoS attacks in its voluntary nature.
It is clear that there are many tools available to protesters who intend to damage or disrupt a target without harming uninvolved or disinterested users. This ready availability and the ease with which civilians may engage in what we may honestly call cyber warfare lead to serious questions about who is innocent and which networks and machines are "legitimate" targets. Just as both the Allies and Axis bombarded civilians during WWII due to their capacity for wartime industrial production, if anyone can participate in an international attack on another government's network infrastructure, then civilian computers and networks are likely to be perceived as legitimate targets during open hostilities. The world has yet to confirm a case of state-sponsored cyber warfare against a civilian network, but it seems foolish to think this critical component of a country's government, economy and culture would not be subject to attack just the same as any other.