Analysis: Websites struggling for legal recourse for DoS attacks

 

Gallery

Posted on 23 Nov 2006 at 13:05

Websites blocked by ISPs when under a distributed denial of service attack (DDoS) face millions of pounds in lost business because ISPs refuse to take responsibility for hosting infected computers on their networks.

Typically, a distributed denial of service attack relies on an attacker remotely controlling numerous and widely distributed computers infected by viruses and Trojans. The attacker uses these 'botnets' to send a flood of requests to a website, which is often unable to cope and its servers fail, taking the website offline.

It's a relatively simple and cheap operation for the attacker. Keith Laslop, President of DDOS mitigation outfit Prolexic told us: 'I've seen them on forums where you can hire bots for next to nothing. Four cents a bot. So you could take down a site very cheaply. You could get enough together for, say, a 50Mbits DDOS attack. You could take someone out with that.'

DOS attacks are also becoming increasingly common. During the first six months of 2006, Symantec observed an average of 6,110 DoS attacks per day.

When an ISP sees this huge amount traffic aimed at one URL, the response can often be to block access to the target site.

However, the ISPs don't do anything about the infected computers of their own subscribers that are sending the flood of data in the first place. The result is that ISPs block access to, and therefore business from, websites targeted in this way.

Chris Tolson, Infrastructure Manager at a large gambling site told us his business is often targeted by DDOS attacks directed through a number of ISPs around the globe, including Comcast in the US. 'The Comcast issue is slightly different (and not specific to this ISP) and a result of sustaining a large scale DDOS attack that Comcast PCs are taking part in... Basically Comcast sees large amounts of traffic saturating their ADSL lines and core routers due to their customers' PCs being compromised and used as part of the source of the attack on a gaming company like ourselves. The easiest way they can resolve this is to black hole the destination of all this traffic ie the gaming site. However, what they should really be doing is identifying all their customers that are infected by this zombie virus and cleaning up their network. The net affect of this is that all Comcast customers can no longer get to the gaming site even after the attack has finished and it is the IT manager's responsibility to try and get this ACL [access control list] lifted by phoning the offending ISP.'

Often such attacks are based around extortion attempts and, in order for them to be successful, they are often timed around events critical to the target website. In the case of the gambling industry, key sporting events such as horse races are often preceded by extortion threats of DDOS attacks. And a site taken off-air in the build-up to these events isn't doing business. In fact it's haemorrhaging money.

Tolson told us: '[It] obviously depends on the size of the ISP and how many of their customers are [our] customers, but a figure out of the air for someone like BT or Claranet (neither have ever black-holed us) could be, over a weekend period, something like £1 million to £5 million in gross bets taken (our profitability depends on the outcomes of those bets taken)'.

Those kind of losses make a business look at its options. Tolson said: 'Going to court over this is definitely an interesting proposition'.

The problem is that there is little legal recourse available. The UK Computer Misuse Act has been updated to make DOS attacks a specific crime, but there's nothing mandating an ISP's responsibility regarding identifying the IP addresses of zombie computers or dealing with traffic sent through them.