Is Telling People To Visit A Certain Website A Denial Of Service Attack?

from the seems-like-a-stretch dept

iamtheky sends in the story of a UC San Diego Professor, Ricardo Dominguez, whose focus of research is “electronic civil disobedience,” (for which he received tenure and a fellowship from his university), but who is now potentially facing discipline or even criminal charges from the university for staging a “virtual sit-in” to protest budget cuts. It certainly raises questions about the line between telling people to visit a website and a hack attack to take down a website. It’s difficult to see how just telling people to go to a website should ever qualify as any kind of attack, but the University is said to be contemplating criminal charges.


Comments on “Is Telling People To Visit A Certain Website A Denial Of Service Attack?”

46 Comments
Anonymous Coward says:

I don’t think the university can press criminal charges, wouldn’t that be law enforcement’s job? Though the university can press civil charges.

Still, I think it depends on the intent of the sit-in. If the intent is to deny service to others, I would say there should be punishment.

Imagine if you owned a store and the store paid its workers too little. So the store workers had a strike. Well, they’re allowed to strike, but are they allowed to prevent new customers from entering the store and denying them service? Are they allowed to prevent employees that don’t want to take part in the strike from entering the store and denying them employment? I think not.

Anonymous Coward says:

Re: Re:

Here is another reason I don’t think denial of service attacks should be allowed. Let me relate this to the RIAA since that seems to be a popular subject here.

Let’s say that someone who hates the RIAA just decides to do a DDOS (distributed denial of service attack) on their webserver. If these attacks were allowed then the RIAA could simply pay for the resources necessary to do its own DOS (denial of service) attacks and retaliate by doing DOS attacks on websites like public knowledge, Techdirt CopyCense, the EFF, etc… What we end up with is a bunch of huge denial of service wars (because the RIAA would not be the only group engaging in these attacks, a bunch of groups that hate each other will also engage. You may have Islam groups do denial of service attacks on Christian websites and Christian groups doing them on Islam websites, every group that hates each other could engage in a denial of service war if the law allowed it) that wastes everyone’s money, time, and resources for no good reason and that floods everyone’s ISPs slowing down everyone’s Internet connection and increasing ISP network cost. No, denial of service attack wars are not a good solution to most of our problems and I think that humanity could find more diplomatic solutions to our problems instead. Should the university be allowed to retaliate and do a DOS attack on the professor’s website if the professor has a website?

Anonymous Coward says:

Re: Re: Re:

I dunno that I’m quite following your argument here.

I mean, I think you’ll be hard pressed to find anyone who’ll say that DDoS attacks, or even just plain old DoS attacks are a good thing, though I think you perhaps over-state the possibility of “wars” over this (I am not a computer security expert, I’m perfectly willing to have one tell me I’m wrong).

The question of the hour seems to be “Is what he did criminal?”, I just can’t see how it is.

I think a more reasonable analogy would be this: Say someone who I strongly disagree with is giving a speech in an auditorium. I, and 50,000 of my closest friends decide that we’re going to occupy every single one of the seats, all the SRO, and indeed max out the fire marshal’s rating for the building, then stand in crowds 100 deep around the building, so that the speaker has no chance of reaching anyone who he might possibly convince.

I will agree readily that there is something of an ethical argument to be made on both sides of that, but was it illegal? We weren’t preventing him from talking, we were just making sure no one could hear him.

Anonymous Coward says:

Re: Re: Re: Re:

“I mean, I think you’ll be hard pressed to find anyone who’ll say that DDoS attacks, or even just plain old DoS attacks are a good thing, though I think you perhaps over-state the possibility of “wars” over this (I am not a computer security expert, I’m perfectly willing to have one tell me I’m wrong).

The question of the hour seems to be “Is what he did criminal?”, I just can’t see how it is.”

This professor focuses his research on electronic civil disobedience. The point I’m trying to make is that if DOS/DDOS attacks are a legally and socially acceptable method of electronic civil disobedience, then the logical conclusion is that everyone would, and perhaps even should, be conducting in this behavior everywhere anytime they disagreed with something as a form of civil disobedience. And if they were acceptable it would be happening a lot more than it is now. The reason why it’s not so abundant, and the possibility of far more abundant wars occurring now is likely improbable, is because it’s not unanimously considered a socially/legally acceptable form of civil disobedience. But if it were, then the possibility of many many huge wars would not only be a possibility, it would be a very highly likely probability, almost inevitable even. Just trying to take this professor’s theory over what should be considered a socially/legally acceptable form of disobedience to its logical conclusion.

Michael (profile) says:

Re: Re:

Your analogy is a pretty good one, but you have to think about how a denial of service attack would work in this situation. It would be much like holding a strike and crowding around the front door of a business without actually restraining customers from entering. This would make it difficult, but not impossible to enter a store – some traffic could leak through (probably slowly).

So, in a real-world situation, this would be legal (in the US) as they have the right to protest and to assemble in their protest. It may be annoying, but making it somehow illegal in the real world or on the internet seems unreasonable.

Anonymous Coward says:

Re: Re: Re:

“It would be much like holding a strike and crowding around the front door”

There are two notable differences. Holding a strike by crowding around the door allows those who want to enter the store an opportunity to see your signs and hear your message and see you and who you are so that you can express your free speech. A DOS does no such thing.

And secondly, I think there is a difference between hanging around the front and intentionally blocking people from entering the store (this is why I say intent matters). Yes, if the store was naturally crowded (ie: tons of legitimate users were naturally using the webserver for legitimate purposes) and lots of customers were trying to enter but were having problems due to the mere volume of people entering, that’s one thing and it’s a perfectly legitimate reason for a slow down. But if you’re just blocking the front door, creating artificial reasons why people can’t enter and forcing artificial slow downs of entrants (vs too many genuine customers creating a genuine slow down) that’s a different story altogether and you’ll be hard pressed to convince law enforcement not to make you move, with violent force if necessary even. And most people won’t care.

azuravian (profile) says:

Hmmm...

Normally, I agree with most of the posts here, but I’m not sure about this one. It’s not like he told a bunch of people to visit the website in question in order to take it down (a la the Slashdot effect). He had them visit a different website that would then generate multiple requests to the server in question. In a way, it sounds like he crowdsourced a DDOS. I’m not sure if it’s criminal, but it definitely seems to cross an ethical line.

Griff (profile) says:

Is it about intent ?

For me, visiting a public website in person (as it was intended to be used) is not a DoS. If I encourage people at a political rally to go and express their views on their elected representative’s website, and the site crashes as a result, that is the website’s problem.

But if I encourage people to hit the website 1000 times each (either manually or using a bot or other process, such as DDoS) then that is using the website in a way it was clearly not intended with intent to cause disruption.

Same goes for encouraging people to telephone a rep’s office to express views. It could jam phone lines and make it impossible for the guy to work BUT if these are all legit calls and he is supposed to represent these people, that is his problem. If someone used an automated dialler and the guy got silence when he answered the phone, that would be disruptive intent.

For me it comes down to legitimate intent.

We recently had a situation in my hometown where they wanted to close a (very successful) school. It really came down to mass letter writing to the public bodies and they made it clear that although number of letters would play a part, multiple copies of the same letter would not count multiple times. That is to say, one person has to make the effort to write their own letter to count as one vote.

The example of 50000 people going to the auditorium is (for me) OK. These people individually made the effort to make their own views felt (unless they were paid to go). A DDoS is more like a school principal bringing several hundred children along to the talk (children who have no interest in the actual talk).

I think the original flashmob concept walked a fine line in this respect. Make 1000 people suddenly materialise on a particular street corner and it looks like a strange phenomenon. Do it right in front of a high traffic McDonalds at lunchtime and it seems like an attempt to disrupt business. But participants know where they are going and presumably choose to do this.

UnkieReamus says:

Re: Is it about intent ?

First, let me state I’m the original progenitor of the 50,000 people analogy, now being slightly less lazy and assigning a name.

Second, let me say that the more I ponder my original analogy, and, (oddly) the more rum I imbibe, the more suspect I find that analogy.

You’re right, my analogy would hold up fine, were each of the people involved in the protest to be sitting at their computer continually refreshing the page, but as TFA states, apparently the professor set up a script which automatically, and continually refreshed the page, as well as “sending a 404 request” which I can only presume to mean requesting a known bad address from the server, which would presumably add to the server load, without adding a proportionate amount of bandwidth for the user. That is much more in line with the notion of photocopied, or form-letters to a governmental body.

Third, I’m going to take a quick moment to address the comment about a Principal taking a hundred students to such an event. I realize that the notion of undue influence has some bearing here, this is a professor who is encouraging his students to participate in a protest supporting the professor’s views. This is, indeed, questionable ethical ground.

However, I would point out that a) as he is a college professor, presumably the vast majority, if not all, of his students are theoretically adults (or at least, legally so). b) given the fact that he reached tenure through research in “Electronic Civil Disobedience”, it is not unreasonable to assume (sorry, I’m too drunk and care too little to do actual research) that his students were attending a seminar, or involved in research in furtherance of the self-same electronic civil disobedience.

Fourth, and finally (I bet if you’ve read this far, you’re relieved by the finally, huh?) I would like to proffer a new analogy. Say 500 of my closest friends and I decide that we don’t like the actions being proposed by a governmental body, I extort them to photocopy and mail the same letter 500,000 times, so that the body in question is unable to discern legitimate queries from the public because they are so inundated with our protests.

Presuming that my friends and I paid for each letter (not, say, abusing franking laws or mail for the blind), where is the illegality? As I have and others have noted and acknowledged, there exist ethical concerns, but illegal? I think not. (Incidentally, while it is quite likely that the majority of students used school provided internet access to do this, I think it is not unreasonable to assume that at least a portion of their tuition goes to pay for that access.)

btr1701 (profile) says:

Legal Obstacle

Unless the state plans to just completely ignore the law, it won’t be able to press a criminal case against this guy. As the article notes, one of the key elements of the crime is unauthorized access:

“In order for there to be a computer crime, there has to be either an intentional denial-of-service or some form of trespass, which would be an unauthorized access. The problem you have here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access.”

Liquid (profile) says:

Re: Legal Obstacle

You need to read the article again.

UC San Diego Professor Ricardo Dominguez spearheaded the March 4 digital protest by calling on demonstrators to visit a webpage that sent a new page request to the UC president’s website every one to six seconds. A separate function automatically sent 404 queries to the server. A “spawn” feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.

“Okay, now just sit back and relax, or open a new browser window and do anything else you need to do, BUT LEAVE THE ACTION WINDOW OPEN IN THE BACKGROUND, THE LONGER THE BETTER,” a help page for the protest instructed.”

If that right there does not show intent to commit a DDoS attack I dunno how it would have to be more obvious. By saying that “That doesn’t show intent to do harm to the system” is complete BS. He knew the website would continue to send requests to the page for every webpage opened. Calling on his fellow protesters to follow his cause whether they knew this was going to happen or not can still be considered intent to cause a DoS, or DDoS attack as in this case.

Also your understanding of the law is flawed as well. Re-read it.

“In order for there to be a computer crime there has to be EITHER an intention OR some form of trespass”

You don’t have to have both parts of the law to make it a crime. One or both of those parts fulfill the requirement to make this a crime.

btr1701 (profile) says:

Re: Re: Legal Obstacle

> If that right there does not show intent to
> commit a DDoS attack

But he’s not the one who actually committed the attack. In criminal law, there are two elements to an offense: mens rea (intent) and actus reus (the action).

Both are required for an offense to be complete and actionable by the state. Even the offense of conspiracy requires an overt act in furtherance of the conspiracy. Merely intending to do something criminal is not a crime.

Here, the professor may have had the intent, but it was all his followers that committed the actual act and even *their* actions, taken individually, were not criminal. Each person was accessing the web site in an authorized manner. It was only the aggregate effect of multiple simultaneous authorized accesses that caused the problem.

Anonymous Coward says:

Re: Re: Re: Legal Obstacle

“Here, the professor may have had the intent, but it was all his followers that committed the actual act and even *their* actions, taken individually, were not criminal.”

But the professor coordinated the “attacks.” In many states, if a bank (or liquor store) robber robs a bank and shoots and kills someone in the process, the person who drove the getaway car could also be punished for the killing that the bank robber did.

I also don’t think that a mafia leader can claim that he doesn’t get in any trouble for coordinating the actions of his followers just because he didn’t participate in them at all. For years various (mafia) gangs have tried that, and they have attempted to get away with it under the pretext that they didn’t directly commit any crimes, but I don’t think that really holds up in court. If a gang leader orders one of his gang subordinates to shoot someone, does the leader not get in trouble?

Anonymous Coward says:

Re: Re: Re:3 Legal Obstacle

I don’t know. The punishment should fit the crime though, whatever that means. There is debate over the appropriate punishment for someone who murders, steals, and just about everything else. but just because there is debate over what the punishment should be for many crimes doesn’t mean there shouldn’t be any punishment at all for any crimes.

Dallas IT Guy says:

Intent matters

I think intent comes into play here.

From the article, he set up a web site that automatically sent requests to the target site every few seconds (without any action from the user.)

I think it’s one thing to browse a site to consume the material on it, but completely different to just browse the site for the sole purpose of placing a stress load on it.

I don’t disagree that it’s “electronic civil disobedience”, but that doesn’t mean that you haven’t committed a crime.

a-dub (profile) says:

The fact that he created…

“a webpage that sent a new page request to the UC president’s website every one to six seconds.”

AND

“A separate function automatically sent 404 queries to the server.”

AND

“A “spawn” feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.”

…will potentially bite him in the ass. It’s not like he asked people to repeatedly visit the university president’s website. He created an automated method for increasing traffic to the website. Now, can he be held responsible for creating a tool that other people decided to use? Can this even be considered a DDoS “attack” since by definition a DDoS attack is performed by centrally controlled compromised systems? I think the most important aspect of all of this is that it was automated.
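The traffic pattern quoted in this thread (a page request every one to six seconds plus automatic 404 queries) is something a site operator can look for in web server access logs. The following Python is an added example, not part of the article or any comment; the log lines, IP addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _line(ip, sec, path, status):
    """Format one constructed log line at 12:00:00 plus `sec` seconds."""
    return (f'{ip} - - [01/Jan/2024:12:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')


# Constructed sample, not real traffic. 203.0.113.50 behaves like the page
# described in the thread (a request every 3 s, half of them to nonexistent
# paths); 198.51.100.10 is a person reading, with long pauses between clicks.
SAMPLE_LOG = [
    _line("203.0.113.50", 3 * i,
          "/" if i % 2 == 0 else f"/no-such-page-{i}",
          200 if i % 2 == 0 else 404)
    for i in range(20)
] + [
    _line("198.51.100.10", sec, path, 200)
    for sec, path in [(0, "/"), (2, "/style.css"), (45, "/about"),
                      (47, "/logo.png"), (300, "/contact")]
]


def profile_clients(lines):
    """Return {ip: {"requests", "not_found_ratio", "max_gap_s"}} per client."""
    seen = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[m["ip"]].append((ts, int(m["status"])))
    profiles = {}
    for ip, hits in seen.items():
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        profiles[ip] = {
            "requests": len(hits),
            "not_found_ratio": sum(s == 404 for _, s in hits) / len(hits),
            "max_gap_s": max(gaps) if gaps else None,
        }
    return profiles


def flag_automated(profiles, min_requests=10, max_gap_s=6.0, min_404_ratio=0.2):
    """Map flagged IPs to the signals they matched (thresholds are assumptions)."""
    flagged = {}
    for ip, p in profiles.items():
        gap = p["max_gap_s"]
        # Signal 1: many requests with no pause longer than the reload interval.
        if p["requests"] < min_requests or gap is None or gap > max_gap_s:
            continue
        signals = ["sustained_cadence"]
        # Signal 2: a large share of requests for pages that do not exist.
        if p["not_found_ratio"] >= min_404_ratio:
            signals.append("high_404_share")
        flagged[ip] = signals
    return flagged


if __name__ == "__main__":
    print(flag_automated(profile_clients(SAMPLE_LOG)))
```

Cadence alone also matches uptime monitors and auto-refreshing dashboards, so a flagged address is a candidate for rate limiting or review rather than proof of intent.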

Bengie says:

Re: Re: DoS

ALL devices on your network should be protected from DoS.

A basic firewall that checks for these things should be between your WAN and the LAN. Anything communicating on the internet should have to go through these.

DMZ usually just means you allow connections in and devices in the DMZ have to go through a special firewall to access the LAN, but it doesn’t mean you have no firewall at all for the DMZ.

A 100% un-firewalled machine facing the net is just a horrible idea.

Anonymous Coward says:

Re: Re: Re: DoS

It’s not that simple. A smart device could, upon detecting a DOS (assuming it can efficiently identify the attacking machines and distinguish them from legitimate machines) might be able to prevent outgoing traffic towards attackers. But how do you stop incoming traffic from hogging up all your ISP bandwidth? You must work with your ISP or something. It’s not that simple.

Anonymous Coward says:

Framing the professor’s conduct as “telling people to visit a website” answers the question. Of course, that fact alone does not make something a DoS attack. But telling tons of people to go to a site, and to access it repeatedly in order to shut it down, and creating tools specifically for that task, is more than “Telling people to visit a website.” “Intent” is an element of many crimes, and having a malicious intent can transform relatively benign conduct into a crime. As any first year law student can explain, if I tap you on the shoulder on the streetcorner to ask you for directions, I haven’t committed the crime of battery. If I poke you in the shoulder with intent to cause you injury, I have.

Surveyguy says:

Here's a thought

Perhaps the University should publicly “thank” Prof. Dominguez and state that because he has brought a potential security problem to light, not only will budgets be cut, but faculty salaries will be cut 1/2 of 1% with the next contract and student tuition increased by the same percentage in order to pay for the needed server enhancements that they have Prof. Dominguez to thank.

That would make the Prof. very “popular” on campus — don’t you think?

Anonymous Coward says:

I think this is wonderful, people are starting to test the waters and will find ways to express themselves.

Just like sit-ins were forbidden and violently dealt with, this too will be seen as a threat and some people will try to criminalize it but in the end is the people expressing themselves.

Making tools to protest is part of the thing also.
People make banners in real life, make costumes, make flyers, chain themselves, bring buckets, build gigantic black rats, so I don’t see the problem in building a portal or tool to do the same on the digital front. It wasn’t sneaky or anything he could even tell them this protest will take place from date A to date B and will slowdown or interrupt services at some hours, just like in the real world.

Anonymous Coward says:

Re: Re:

And I’m sure that UC San Diego also has a firewall. What, do you honestly think that if I started to port scan a bunch of their ports they’re going to show up open? In fact, I don’t see how they won’t have a firewall, any NAT router or anything that enables many separate computers to share one internet IP address automatically acts like a NAT firewall. The issue here isn’t a matter of their firewall being penetrated or their website being hacked or their servers being hacked. A DOS or DDOS attack overwhelms the incoming pipes at the ISP level. The information first needs to make it to the firewall for the firewall to determine the legitimacy of a packet and decide if the packet should continue past the firewall or be rejected by the firewall and die at that point. And in order to make it to the firewall it must make it via a communication medium like a wire. But the router/firewall can only inspect/process and allow/deny so many packets at a time and the pipe / wire can only transmit so much data at a time. A DDOS/DOS tries to jam the pipeline/wire by exhausting it with so much junk traffic that no more traffic can even make it to the firewall for packet inspection hence preventing legitimate customers from making it to the site (since their packets can’t make it there either). It’s like intentionally jamming the freeway with so many cars or protesting and jamming the freeway with so many protesters/people that no legitimate users can use it anymore and hence legitimate freeway users can’t make it to their destination. A firewall is like a security guard at each destination guarding against unauthorized people from entering a building or certain parts of a building. A firewall is the security at each destination building (cameras, etc…), whereas a DDOS jams the pathway to the destination. The security guard at your work or whatever has no control over what goes on on the freeway or pathway to your work.

Bengie says:

Re: Re: Re:

“But the router/firewall can only inspect/process and allow/deny so many packets at a time and the pipe / wire can only transmit so much data at a time.”

Most decent firewalls/routers can filter at full wire speed, so the “amount” of packets shouldn’t be an issue.

Typically the problem with a DoS is someone sends a bunch of ACK packets to establish a connection, but then doesn’t proceed any further. This means the server is left hanging on that connection until it times out. There are a max amount of connections a server can handle. Most modern OSs can detect these issues and close the connections.

Most good firewalls can block the above issue from happening in the first place. The above article says they were just loading the pages via web browsers, so this wasn’t the issue.

The only other issue would then be bandwidth. The student must’ve been downloading more from University than they had bandwidth. WTF….? GL with that.

My guess is bad server/network admins.

Anonymous Coward says:

Re: Re: Re: Re:

“Most decent firewalls/routers can filter at full wire speed”

Depends. The point is that there are limiting factors beyond a network administrator’s ability to (cheaply/feasibly) control.

“Typically the problem with a DoS is someone sends a bunch of ACK packets to establish a connection”

ACK packets are acknowledgment packets. They are not sent to establish a connection, SYN (synchronization) packets are sent to establish a connection. Then the server responds with a syn/ack packet in which case the client responds with an ACK packet to acknowledge the connection established. It’s called a (TCP) three way handshake.

What happens is the client floods the server’s downstream with syn packets. Then, to the extent that the server is unable to determine that a packet is illegitimate, the server will respond with syn/ack packets which will flood the server’s upstream bandwidth. If the server is smart it may be able to determine that some of the syn requests are bogus (depending on the server’s intelligence and the dynamics of the attack, but that’s a much more complicated issue) and it will not bog down its upload bandwidth with syn/ack packets, but that doesn’t prevent the server’s downstream bandwidth from being bogged down.

“The only other issue would then be bandwidth. The student must’ve been downloading more from University than they had bandwidth.”

The students could collectively be sending more bandwidth to the university than the University and its ISP can handle. That’s generally how a DOS/DDOS works.

“My guess is bad server/network admins.”

The article seems ambiguous, but it’s irrelevant. Even if the cause is due to a bad server/network admin, that still doesn’t justify a DOS/DDOS like attack. That’s kinda like saying, because a store doesn’t have adequate security guards or because it has poor security guards and takes poor security measures it’s OK for protesters to block customers from entering. Regardless of the security measures employed by a bank, robbing a bank is wrong.
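The three-way handshake discussed in the comments above (SYN, SYN/ACK, ACK) gives a defender a simple thing to count: connections where the client's SYN was never followed by its final ACK. The following Python is an added example, not written by any commenter; the packet trace, addresses, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed client-to-server packets for TCP port 80 (not a real capture):
# (time_s, source_ip, source_port, flags).
TRACE = (
    # Normal client: SYN, then the ACK that answers the server's SYN/ACK.
    [(0.00, "198.51.100.7", 40001, "SYN"), (0.05, "198.51.100.7", 40001, "ACK"),
     (9.90, "198.51.100.7", 40002, "SYN"), (10.00, "198.51.100.7", 40002, "ACK")]
    # SYNs that are never followed by the final ACK.
    + [(0.10 + i * 0.01, "203.0.113.9", 5000 + i, "SYN") for i in range(5)]
    # A slow but legitimate client whose handshake is still in flight.
    + [(9.00, "198.51.100.20", 41000, "SYN")]
)


def track_handshakes(trace, timeout=5.0):
    """Replay the trace and count completed and half-open handshakes per source.

    A connection is half-open when its SYN is older than `timeout` seconds at
    the end of the trace and no ACK from the same (ip, port) has arrived.
    """
    pending = {}  # (ip, port) -> time the SYN arrived
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    end = 0.0
    for ts, src, port, flags in sorted(trace):
        end = ts
        key = (src, port)
        if flags == "SYN":
            stats[src]["syn"] += 1
            pending[key] = ts  # server would answer with SYN/ACK and wait
        elif flags == "ACK" and key in pending:
            del pending[key]   # third step of the handshake: established
            stats[src]["completed"] += 1
    for (src, _port), ts in pending.items():
        if end - ts >= timeout:
            stats[src]["half_open"] += 1
    return dict(stats)


def half_open_total(stats):
    """Total half-open connections; this is what fills the server's queue.

    Source addresses in a SYN flood can be forged, so the total matters even
    when no single source stands out.
    """
    return sum(s["half_open"] for s in stats.values())


def suspicious_sources(stats, min_half_open=3):
    """Sources with several half-open connections and fewer completed ones."""
    return sorted(
        src for src, s in stats.items()
        if s["half_open"] >= min_half_open and s["half_open"] > s["completed"]
    )


if __name__ == "__main__":
    result = track_handshakes(TRACE)
    print(suspicious_sources(result), half_open_total(result))
```

The slow client at 198.51.100.20 is not counted because its SYN is younger than the timeout when the trace ends.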

Ray says:

Who would be the defendant in such a case – the university itself? Certainly if the student is receiving any sort of stipend for his study then he is a sort of employee of the university, performing work sanctioned by the university, which they have been expressly told was “electronic civil disobedience.”

This reminds me of the recent Coke Zero commercials where Coke is looking to sue Coke Zero for tasting too much like Coke, even though it is Coke themselves that makes Coke Zero. What kind of university employs such faulty logic? If we assume that no university would do such a thing then is this simply a ploy for attention? For in that case I can see the only way for them to profit through this report.
