The Case against DDOS

Last night I wrote a slightly hyperbolic tweet about the Anonymous denial of service attacks, and I’ve gotten a surprising amount of pushback on it. So I thought I’d expand on my thinking here.

In a distributed denial of service attack, or DDOS, a large number of computers send data to a target computer with the intent of saturating its network links and/or overloading the server, thereby “denying service” to actual users of that server. In this case Anonymous, a group of online vigilantes, has launched DDOS attacks against MasterCard, PayPal, and other companies that have taken anti-Wikileaks steps that they (and I) don’t approve of.

Evgeny Morozov points me to this post, which reports that a German court was apparently persuaded that DDOS attacks are a form of civil disobedience, like a sit-in. This comparison strikes me as not just wrong but kind of ridiculous.

The Internet is a collaborative network built on strong implicit norms of trust. There’s no global governance body or formal enforcement mechanisms for many of the Internet’s norms, but things work pretty well because most people behave responsibly. This responsible behavior comes in two parts. Ordinary users obey the norms without even knowing about them because they are baked into the hardware and software we all use. For example, all your life you’ve been observing the TCP backoff norm, probably without knowing about it, because your computer’s networking stack has been programmed to follow it.

Then there’s a worldwide community of engineers and sysadmins who collaborate to track down problems and cut off the small minority of people who abuse the Internet’s norms. The decentralized nature of the Internet means that no single administrator has all that much power, so their ability to respond to an attack often depends on cooperation from the systems administrators who run the network from which the attack originates. These folks are fighting a continuous, largely invisible, battle to keep the Internet running smoothly. The fact that most people never think about them is a testament to how well they do their job.

DDOS attacks work by exploiting the Internet’s open architecture and flouting its norms. Most computers on the Internet are provisioned with significantly more bandwidth than they’re expected to be using at any given moment; this allows us to have fast downloads when we need them, while leaving the extra capacity available for others to use when we don’t need it. Similarly, servers depend on relatively good behavior from client computers. Major Internet protocols like TCP/IP and HTTP don’t have any formal mechanism for limiting the amount of server capacity used by any given client; they simply trust that the vast majority of clients won’t behave maliciously. Systems administrators deal with the small minority that do behave maliciously on a case-by-case basis.
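To make concrete the kind of limit that the protocols themselves leave out and that administrators end up bolting on, here is a per-client token bucket replayed over a constructed request timeline. This is an added example, not part of the original post; the class and function names, the rates, and the two client addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict

class PerClientLimiter:
    """Token bucket per client address, kept in integer milli-tokens so results are exact."""
    COST = 1000  # one request costs 1000 milli-tokens

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s         # tokens refilled per second
        self.cap = burst * self.COST   # bucket capacity (maximum burst)
        self.state = {}                # client -> (tokens, last_seen_ms)

    def allow(self, client, now_ms):
        tokens, last = self.state.get(client, (self.cap, now_ms))
        # elapsed ms * tokens/s == milli-tokens earned since this client's last request
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        ok = tokens >= self.COST
        if ok:
            tokens -= self.COST
        self.state[client] = (tokens, now_ms)
        return ok

def replay(requests, rate_per_s=2, burst=5):
    """Replay (timestamp_ms, client) pairs; return client -> (served, rejected)."""
    limiter = PerClientLimiter(rate_per_s, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}

def sample_requests():
    # Constructed timeline covering 10 seconds (hypothetical addresses):
    # an ordinary client at 1 request/s and a misbehaving one at 100 requests/s.
    normal = [(t * 1000, "198.51.100.7") for t in range(10)]
    noisy = [(i * 10, "203.0.113.9") for i in range(1000)]
    return normal + noisy

if __name__ == "__main__":
    for client, (served, rejected) in replay(sample_requests()).items():
        print(f"{client}: served={served} rejected={rejected}")
```

A per-address limit like this only contains a single noisy source. When the load is spread over many sources that each stay under the limit, the target cannot tell them from ordinary users, which is why the response depends on cooperation from the networks where the traffic originates.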

I’d be willing to bet that at this very moment, a small army of sysadmins at Anonymous’s various targets, and their ISPs, are working around the clock to respond to Anonymous’s attacks. They’re probably not getting paid overtime. These folks likely had no influence over their superiors’ decisions with respect to Wikileaks. And indeed, given the pro-civil-liberties slant of geeks in general, I bet a lot of them are themselves Wikileaks supporters. Some of them may even be exerting what small influence they have inside their respective companies to stand up to the government’s attacks on Wikileaks.

DDOS attacks take advantage of, and deplete, the Internet’s reservoir of trust. They are something like a kid who lives in a small town where no one locks their doors going into his neighbors’ houses and engaging in petty vandalism. The cost of his behavior isn’t so much cleaning up the vandalism as the fact that if more than a handful of people behaved that way, everyone in town would be forced to put locks on their doors. Likewise, the damage of a DDOS attack isn’t (just) that the target website goes down for a few hours; it’s that sysadmins around the world are forced to build infrastructure to combat future DDOS attacks.

The comparison to sit-ins is particularly absurd because the whole point of a sit-in is its PR value. You’re trying to call the public’s attention to a business’s misbehavior and motivate other customers of that entity to pressure the business to change its behavior. You do this by being unfailingly polite and law-abiding (aside from the trespass of the sit-in itself), and by being willing to spend some time in prison to demonstrate your sincerity and respect for the law. In contrast, the people who are prevented from using MasterCard’s website may not even realize that Anonymous is responsible, and to the extent they do find out it’s through media accounts that are (justifiably) universally negative. In addition to all the other problems with what they’re doing, it’s a terrible PR strategy that generates sympathy for Anonymous’s targets and reinforces the public’s impression of Wikileaks as a rogue organization.

I suspect that most of the Anonymous participants simply don’t know any better. If this arrest is representative, the people involved are literal and metaphorical children, throwing high-tech temper tantrums without any real understanding of the consequences of their actions. These attacks are doing no serious damage to the nominal targets of the attacks and they create zero incentive for other corporate entities to change their behavior vis-a-vis Wikileaks. But they do significant and lasting damage to a variety of third parties. I don’t literally want them to “rot in prison,” but I’ll have zero sympathy if they’re caught and prosecuted.

Update: One final obvious point that I forgot to mention: while I don’t know the details of this particular attack, it’s relatively common for DDOS attacks to utilize botnets, a.k.a. networks of computers that have been remotely compromised and are being used without their owners’ knowledge or permission. Even if everything I wrote above is wrong, the use of botnets—for this or any other purpose—is flatly immoral and illegal, and no DDOS attack that utilizes them should be considered a legitimate form of political protest.
