Is Telling People To Visit A Certain Website A Denial Of Service Attack?
from the seems-like-a-stretch dept
iamtheky sends in the story of a UC San Diego Professor, Ricardo Dominguez, whose focus of research is "electronic civil disobedience," (for which he received tenure and a fellowship from his university), but who is now potentially facing discipline or even criminal charges from the university for staging a "virtual sit-in" to protest budget cuts. It certainly raises questions about the line between telling people to visit a website and a hack attack to take down a website. It's difficult to see how just telling people to go to a website should ever qualify as any kind of attack, but the University is said to be contemplating criminal charges.
Filed Under: denial of service, protest
Reader Comments
Still, I think it depends on the intent of the sit-in. If the intent is to deny service to others, I would say there should be punishment.
Imagine if you owned a store and the store paid its workers too little. So the store workers had a strike. Well, they're allowed to strike, but are they allowed to prevent new customers from entering the store and denying them service? Are they allowed to prevent employees that don't want to take part in the strike from entering the store and denying them employment? I think not.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Let's say that someone who hates the RIAA just decides to do a DDOS (distributed denial of service attack) on their webserver. If these attacks were allowed then the RIAA could simply pay for the resources necessary to do its own DOS (denial of service) attacks and retaliate by doing DOS attacks on websites like Public Knowledge, Techdirt, CopyCense, the EFF, etc... What we end up with is a bunch of huge denial of service wars (because the RIAA would not be the only group engaging in these attacks, a bunch of groups that hate each other will also engage. You may have Islam groups do denial of service attacks on Christian websites and Christian groups doing them on Islam websites, every group that hates each other could engage in a denial of service war if the law allowed it) that wastes everyone's money, time, and resources for no good reason and that floods everyone's ISPs, slowing down everyone's Internet connection and increasing ISP network cost. No, denial of service attack wars are not a good solution to most of our problems and I think that humanity could find more diplomatic solutions to our problems instead. Should the university be allowed to retaliate and do a DOS attack on the professor's website if the professor has a website?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
I mean, I think you'll be hard pressed to find anyone who'll say that DDoS attacks, or even just plain old DoS attacks are a good thing, though I think you perhaps over-state the possibility of "wars" over this (I am not a computer security expert, I'm perfectly willing to have one tell me I'm wrong).
The question of the hour seems to be "Is what he did criminal?", I just can't see how it is.
I think a more reasonable analogy would be this: Say someone who I strongly disagree with is giving a speech in an auditorium. I, and 50,000 of my closest friends decide that we're going to occupy every single one of the seats, all the SRO, and indeed max out the fire marshal's rating for the building, then stand in crowds 100 deep around the building, so that the speaker has no chance of reaching anyone who he might possibly convince.
I will agree readily that there is something of an ethical argument to be made on both sides of that, but was it illegal? We weren't preventing him from talking, we were just making sure no one could hear him.
[ link to this | view in chronology ]
Re: Re: Re:
"The question of the hour seems to be "Is what he did criminal?", I just can't see how it is."
This professor focuses his research on electronic civil disobedience. The point I'm trying to make is that if DOS/DDOS attacks are a legally and socially acceptable method of electronic civil disobedience, then the logical conclusion is that everyone would, and perhaps even should, be engaging in this behavior everywhere anytime they disagreed with something as a form of civil disobedience. And if they were acceptable it would be happening a lot more than it is now. The reason why it's not so abundant, and the possibility of far more abundant wars occurring now is likely improbable, is because it's not unanimously considered a socially/legally acceptable form of civil disobedience. But if it were, then the possibility of many many huge wars would not only be a possibility, it would be a very highly likely probability, almost inevitable even. Just trying to take this professor's theory over what should be considered a socially/legally acceptable form of disobedience to its logical conclusion.
[ link to this | view in chronology ]
Re:
In this case, they didn't shut the site down, they just made it a bit slower.
So that's actually a very good analogy. :)
[ link to this | view in chronology ]
Re:
There's no such thing as "pressing civil charges". They can file a civil lawsuit, but that's not pressing charges.
[ link to this | view in chronology ]
Re:
So, in a real-world situation, this would be legal (in the US) as they have the right to protest and to assemble in their protest. It may be annoying, but making it somehow illegal in the real world or on the internet seems unreasonable.
[ link to this | view in chronology ]
Re: Re:
There are two notable differences. Holding a strike by crowding around the door allows those who want to enter the store an opportunity to see your signs and hear your message and see you and who you are so that you can express your free speech. A DOS does no such thing.
And secondly, I think there is a difference between hanging around the front and intentionally blocking people from entering the store (this is why I say intent matters). Yes, if the store was naturally crowded (ie: tons of legitimate users were naturally using the webserver for legitimate purposes) and lots of customers were trying to enter but were having problems due to the mere volume of people entering, that's one thing and it's a perfectly legitimate reason for a slow down. But if you're just blocking the front door, creating artificial reasons why people can't enter and forcing artificial slow downs of entrants (vs too many genuine customers creating a genuine slow down) that's a different story altogether and you'll be hard pressed to convince law enforcement not to make you move, with violent force if necessary even. And most people won't care.
[ link to this | view in chronology ]
In the current case, they were all willing to go on the website. In my opinion, it's the same as a website not powerful enough to cope with high traffic: not illegal.
[ link to this | view in chronology ]
Hmmm...
[ link to this | view in chronology ]
in fear of being sued because of the slashdot effect
[ link to this | view in chronology ]
Is it about intent ?
But if I encourage people to hit the website 1000 times each (either manually or using a bot or other process, such as DDoS) then that is using the website in a way it was clearly not intended with intent to cause disruption.
Same goes for encouraging people to telephone a rep's office to express views. It could jam phone lines and make it impossible for the guy to work BUT if these are all legit calls and he is supposed to represent these people, that is his problem. If someone used an automated dialler and the guy got silence when he answered the phone, that would be disruptive intent.
For me it comes down to legitimate intent.
We recently had a situation in my hometown where they wanted to close a (very successful) school. It really came down to mass letter writing to the public bodies and they made it clear that although number of letters would play a part, multiple copies of the same letter would not count multiple times. That is to say, one person has to make the effort to write their own letter to count as one vote.
The example of 50000 people going to the auditorium is (for me) OK. These people individually made the effort to make their own views felt (unless they were paid to go). A DDoS is more like a school principal bringing several hundred children along to the talk (children who have no interest in the actual talk).
I think the original flashmob concept walked a fine line in this respect. Make 1000 people suddenly materialise on a particular street corner and it looks like a strange phenomenon. Do it right in front of a high traffic McDonalds at lunchtime and it seems like an attempt to disrupt business. But participants know where they are going and presumably choose to do this.
[ link to this | view in chronology ]
Re: Is it about intent ?
Second, let me say that the more I ponder my original analogy, and, (oddly) the more rum I imbibe, the more suspect I find that analogy.
You're right, my analogy would hold up fine, were each of the people involved in the protest to be sitting at their computer continually refreshing the page, but as TFA states, apparently the professor set up a script which automatically and continually refreshed the page, as well as "sending a 404 request" which I can only presume to mean requesting a known bad address from the server, which would presumably add to the server load, without adding a proportionate amount of bandwidth for the user. That is much more in line with the notion of photocopied, or form-letters to a governmental body.
Third, I'm going to take a quick moment to address the comment about a Principal taking a hundred students to such an event. I realize that the notion of undue influence has some bearing here, this is a professor who is encouraging his students to participate in a protest supporting the professors views. This is, indeed, questionable ethical ground.
However, I would point out that a) as he is a college professor, presumably the vast majority, if not all, of his students are theoretically adults (or at least, legally so). b) given the fact that he reached tenure through research in "Electronic Civil Disobedience", it is not unreasonable to assume (sorry, I'm too drunk and care too little to do actual research) that his students were attending a seminar, or involved in research in furtherance of the self-same electronic civil disobedience.
Fourth, and finally (I bet if you've read this far, you're relieved by the finally, huh?) I would like to proffer a new analogy. Say 500 of my closest friends and I decide that we don't like the actions being proposed by a governmental body, I exhort them to photocopy and mail the same letter 500,000 times, so that the body in question is unable to discern legitimate queries from the public because they are so inundated with our protests.
Presuming that my friends and I paid for each letter (not, say, abusing franking laws or mail for the blind), where is the illegality? As I and others have noted and acknowledged, there exist ethical concerns, but illegal? I think not. (Incidentally, while it is quite likely that the majority of students used school provided internet access to do this, I think it is not unreasonable to assume that at least a portion of their tuition goes to pay for that access.)
[ link to this | view in chronology ]
Re: Is it about intent ?
[ link to this | view in chronology ]
Legal Obstacle
"In order for there to be a computer crime, there has to be either an intentional denial-of-service or some form of trespass, which would be an unauthorized access. The problem you have here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access."
[ link to this | view in chronology ]
Re: Legal Obstacle
"UC San Diego Professor Ricardo Dominguez spearheaded the March 4 digital protest by calling on demonstrators to visit a webpage that sent a new page request to the UC president's website every one to six seconds. A separate function automatically sent 404 queries to the server. A "spawn" feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.
"Okay, now just sit back and relax, or open a new browser window and do anything else you need to do, BUT LEAVE THE ACTION WINDOW OPEN IN THE BACKGROUND, THE LONGER THE BETTER," a help page for the protest instructed.""
If that right there does not show intent to commit a DDoS attack I dunno how it would have to be more obvious. Saying that "That doesn't show intent to do harm to the system" is complete BS. He knew the website would continue to send requests to the page for every webpage opened. Calling on his fellow protesters to follow his cause whether they knew this was going to happen or not can still be considered intent to cause a DoS, or DDoS attack as in this case.
Also your understanding of the law is flawed as well. Re-read it.
"In order for there to be a computer crime there has to be EITHER an intention OR some form of trespass"
You don't have to have both parts of the law to make it a crime. One or both of those parts fulfill the requirement to make this a crime.
[ link to this | view in chronology ]
Re: Re: Legal Obstacle
> commit a DDoS attack
But he's not the one who actually committed the attack. In criminal law, there are two elements to an offense: mens rea (intent) and actus reus (the action).
Both are required for an offense to be complete and actionable by the state. Even the offense of conspiracy requires an overt act in furtherance of the conspiracy. Merely intending to do something criminal is not a crime.
Here, the professor may have had the intent, but it was all his followers that committed the actual act and even *their* actions, taken individually, were not criminal. Each person was accessing the web site in an authorized manner. It was only the aggregate effect of multiple simultaneous authorized accesses that caused the problem.
[ link to this | view in chronology ]
Re: Re: Re: Legal Obstacle
But the professor coordinated the "attacks." In many states, if a bank (or liquor store) robber robs a bank and shoots and kills someone in the process, the person who drove the getaway car could also be punished for the killing that the bank robber did.
I also don't think that a mafia leader can claim that he doesn't get in any trouble for coordinating the actions of his followers just because he didn't participate in them at all. For years various (mafia) gangs have tried that, and they have attempted to get away with it under the pretext that they didn't directly commit any crimes, but I don't think that really holds up in court. If a gang leader orders one of his gang subordinates to shoot someone, does the leader not get in trouble?
[ link to this | view in chronology ]
Re: Re: Re: Re: Legal Obstacle
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Legal Obstacle
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Legal Obstacle
[ link to this | view in chronology ]
Intent matters
From the article, he set up a web site that automatically sent requests to the target site every few seconds (without any action from the user.)
I think it's one thing to browse a site to consume the material on it, but completely different to just browse the site for the sole purpose of placing a stress load on it.
I don't disagree that it's "electronic civil disobedience", but that doesn't mean that you haven't committed a crime.
[ link to this | view in chronology ]
DDOS attack
[ link to this | view in chronology ]
"a webpage that sent a new page request to the UC president's website every one to six seconds."
AND
"A separate function automatically sent 404 queries to the server."
AND
"A "spawn" feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website."
...will potentially bite him in the ass. It's not like he asked people to repeatedly visit the university president's website. He created an automated method for increasing traffic to the website. Now, can he be held responsible for creating a tool that other people decided to use? Can this even be considered a DDoS "attack" since by definition a DDoS attack is performed by centrally controlled compromised systems? I think the most important aspect of all of this is that it was automated.
[ link to this | view in chronology ]
DoS
Unless the "sit in" managed to consume all of their bandwidth, their firewall should have started to block requests from offending addresses.
[ link to this | view in chronology ]
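An added illustration, not part of any reader comment or of the original post: one way a server operator could tell the scripted refresh pattern quoted in this thread (a request every one to six seconds plus automatic 404 queries) apart from ordinary browsing, per client address. The log lines are constructed, the addresses come from documentation ranges, and every threshold except the six-second gap is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

MAX_GAP = 6.0               # seconds; upper bound of the refresh interval quoted in the thread
MIN_REQUESTS = 20           # assumption: ignore clients with too few hits to judge
MIN_SHORT_GAP_SHARE = 0.9   # assumption: share of gaps that must be <= MAX_GAP
MIN_404_SHARE = 0.25        # assumption: share of responses that are 404

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def build_sample():
    """Constructed log: one scripted client and one human reader."""
    base = 10 * 3600  # 10:00:00 expressed as seconds of the day
    def fmt(ip, t, path, status):
        ts = "01/Jan/2000:%02d:%02d:%02d -0800" % (t // 3600, t % 3600 // 60, t % 60)
        return '%s - - [%s] "GET %s HTTP/1.1" %d 512' % (ip, ts, path, status)
    lines = []
    # Scripted client: a hit every 3 s for two minutes, every other one a 404.
    for i in range(40):
        path, status = ("/", 200) if i % 2 == 0 else ("/no-such-page-%d" % i, 404)
        lines.append(fmt("198.51.100.7", base + 3 * i, path, status))
    # Human reader: five page views with irregular, mostly long gaps.
    for off, path in [(0, "/"), (4, "/style.css"), (45, "/budget"),
                      (130, "/contact"), (400, "/")]:
        lines.append(fmt("203.0.113.20", base + off, path, 200))
    return lines

def profile_clients(lines):
    """Return per-address request count, gap statistics and 404 share."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, _path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[ip].append((when, int(status)))
    report = {}
    for ip, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report[ip] = {
            "requests": len(events),
            "median_gap": median(gaps) if gaps else None,
            "short_gap_share": (sum(g <= MAX_GAP for g in gaps) / len(gaps)) if gaps else 0.0,
            "share_404": sum(s == 404 for _, s in events) / len(events),
        }
    return report

def flag_automated(report):
    """Addresses whose traffic is sustained, tightly spaced and 404-heavy."""
    return sorted(
        ip for ip, r in report.items()
        if r["requests"] >= MIN_REQUESTS
        and r["short_gap_share"] >= MIN_SHORT_GAP_SHARE
        and r["share_404"] >= MIN_404_SHARE
    )

if __name__ == "__main__":
    print(flag_automated(profile_clients(build_sample())))
```

Per-address statistics undercount when many participants sit behind one NAT or campus proxy, so a flagged address is a candidate for rate limiting rather than proof of who is behind it.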
Re: DoS
[ link to this | view in chronology ]
Re: Re: DoS
A basic firewall that checks for these things should be between your WAN and the LAN. Anything communicating on the internet should have to go through these.
DMZ usually just means you allow connections in and devices in the DMZ have to go through a special firewall to access the LAN, but it doesn't mean you have no firewall at all for the DMZ.
A 100% un-firewalled machine facing the net is just a horrible idea.
[ link to this | view in chronology ]
Re: Re: Re: DoS
[ link to this | view in chronology ]
Re: Re: Re: DoS
Firewalls don't really defend against a DOS or DDOS attack. They're usually designed to defend against unsolicited traffic.
[ link to this | view in chronology ]
Re: DoS
[ link to this | view in chronology ]
Electronic Civil Disobedience
Please focus on this one fact: The Hippies have won!
One small action at a time. The gathering of people to express
their views, without violence, is a right of every citizen.
It is a Community thing.
[ link to this | view in chronology ]
Lawsuits
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Here's a thought
That would make the Prof. very "popular" on campus -- don't you think?
[ link to this | view in chronology ]
Just like sit-ins were forbidden and violently dealt with, this too will be seen as a threat and some people will try to criminalize it, but in the end it is the people expressing themselves.
Making tools to protest is part of the thing also.
People make banners in real life, make costumes, make flyers, chain themselves, bring buckets, build gigantic black rats, so I don't see the problem in building a portal or tool to do the same on the digital front. It wasn't sneaky or anything he could even tell them this protest will take place from date A to date B and will slowdown or interrupt services at some hours, just like in the real world.
[ link to this | view in chronology ]
I think the university network admins are probably getting an earful, but the professor's actions are a separate issue. I still can't decide if what he did is even illegal.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Most decent firewalls/routers can filter at full wire speed, so the "amount" of packets shouldn't be an issue.
Typically the problem with a DoS is someone sends a bunch of ACK packets to establish a connection, but then doesn't proceed any further. This means the server is left hanging on that connection until it times out. There are a max amount of connections a server can handle. Most modern OSs can detect these issues and close the connections.
Most good firewalls can block the above issue from happening in the first place. The above article says they were just loading the pages via web browsers, so this wasn't the issue.
The only other issue would then be bandwidth. The student must've been downloading more from University than they had bandwidth. WTF....? GL with that.
My guess is bad server/network admins.
[ link to this | view in chronology ]
Re: Re: Re:
Depends. The point is that there are limiting factors beyond a network administrator's ability to (cheaply/feasibly) control.
"Typically the problem with a DoS is someone sends a bunch of ACK packets to establish a connection"
ACK packets are acknowledgment packets. They are not sent to establish a connection; SYN (synchronization) packets are sent to establish a connection. Then the server responds with a syn/ack packet, in which case the client responds with an ACK packet to acknowledge the connection established. It's called a (TCP) three way handshake.
What happens is the client floods the server's downstream with syn packets. Then, to the extent that the server is unable to determine that a packet is illegitimate, the server will respond with syn/ack packets which will flood the server's upstream bandwidth. If the server is smart it may be able to determine that some of the syn requests are bogus (depending on the server's intelligence and the dynamics of the attack, but that's a much more complicated issue) and it will not bog down its upload bandwidth with syn/ack packets, but that doesn't prevent the server's downstream bandwidth from being bogged down.
"The only other issue would then be bandwidth. The student must've been downloading more from University than they had bandwidth."
The students could collectively be sending more bandwidth to the university than the University and its ISP can handle. That's generally how a DOS/DDOS works.
"My guess is bad server/network admins."
The article seems ambiguous, but it's irrelevant. Even if the cause is due to a bad server/network admin, that still doesn't justify a DOS/DDOS like attack. That's kinda like saying, because a store doesn't have adequate security guards or because it has poor security guards and takes poor security measures it's OK for protesters to block customers from entering. Regardless of the security measures employed by a bank, robbing a bank is wrong.
[ link to this | view in chronology ]
This reminds me of the recent Coke Zero commercials where Coke is looking to sue Coke Zero for tasting too much like Coke, even though it is Coke themselves that makes Coke Zero. What kind of university employs such faulty logic? If we assume that no university would do such a thing then is this simply a ploy for attention? For in that case I can see the only way for them to profit through this report.
[ link to this | view in chronology ]
There’s A Fine Line Between ...
[ link to this | view in chronology ]
Re: UltimateGuitar.com - Online Guitar tab & chord resource.
[ link to this | view in chronology ]
[ link to this | view in chronology ]