Analysis: Websites struggling for legal recourse for DoS attacks

 

Gallery

By Matt Whipp

Posted on 23 Nov 2006 at 13:05

Andrew Katz, of Moorcrofts Corporate Law, told us: 'The law finds it difficult to deal with DDOS attacks. One issue which occurs is that by starting to block the IPs of zombies, the ISPs may be accepting legal responsibility for any issues which arise in the future. I would expect that the ISPs would say that their job is limited to delivering packets to and from the Internet to the relevant client IP addresses, and that was that, unless they had specifically accepted any other obligations (e.g. virus scanning). So I would have thought it would be difficult to claim against the ISPs in question for delivering the DDOS packets. Whether [a site] has a claim against them for blocking access to the site is a different matter.

'Interestingly, if the contract between the third party ISP and its customer had a clause saying "It is our job to deliver packets to the appropriate IP addresses" and there was no "Rights of Third Parties" clause in the agreement, even though the gambling site was not a party to that agreement, they could claim under the agreement that they had a right to have legitimately addressed packets delivered to it, as a consequence of the Contracts (Rights of Third Parties) Act. But I've never heard of anyone trying to use the legislation this way before.'

However, the terms and conditions of Orange and BT contracts, for example, don't make any promise to deliver legitimate packets to an IP destination, but simply to offer a connection.

Struan Robertson, a corporate lawyer who edits law firm Pinsent Masons' Outlaw.com site, told us that as well as considering the contract terms, industry best practice is also a benchmark against which the behaviour of ISPs can be judged, and potentially be found negligent. 'If you can establish that no reasonable ISP would have done the same thing, then you might be able to sue for damages,' he said.