By Matt Whipp
23rd November 2006
Websites blocked by ISPs when under a distributed denial of service
attack (DDoS) face millions of pounds in lost business because ISPs
refuse to take responsibility for hosting infected computers on their
Typically, a distributed denial of service attack relies on an attacker
remotely controlling numerous and widely distributed computers infected
by viruses and Trojans. The attacker uses these 'botnets' to send a
flood of requests to a website, which is often unable to cope and its
servers fail, taking the website offline.
It's a relatively simple and cheap operation for the attacker. Keith
Laslop, President of DDoS mitigation outfit Prolexic, told us: 'I've seen
them on forums where you can hire bots for next to nothing. Four cents a
bot. So you could take down a site very cheaply. You could get enough
together for, say, a 50Mbits DDoS attack. You could take someone out
DoS attacks are also becoming increasingly common. During the first six
months of 2006, Symantec observed an average of 6,110 DoS attacks per
When an ISP sees this huge amount of traffic aimed at one URL, the response
can often be to block access to the target site.
However, the ISPs don't do anything about the infected computers of
their own subscribers that are sending the flood of data in the first
place. The result is that ISPs block access to, and therefore business
from, websites targeted in this way.
Chris Tolson, Infrastructure Manager at bet365, told us his business is
often targeted by DDoS attacks directed through a number of ISPs around
the globe, including Comcast in the US. 'The Comcast issue is slightly
different (and not specific to this ISP) and a result of sustaining a
large scale DDoS attack that Comcast PCs are taking part in... Basically
Comcast see large amounts of traffic saturating their ADSL lines and
core routers due to their customers' PCs being compromised and used as
part of the source of the attack on a gaming company like ourselves. The
easiest way they can resolve this is to black hole the destination of
all this traffic, i.e. the gaming site. However, what they should really be
doing is identifying all their customers that are infected by this
zombie virus and cleaning up their network. The net effect of this is
that all Comcast customers can no longer get to the gaming site even
after the attack has finished and it is the IT manager's responsibility
to try and get this ACL [access control list] lifted by phoning the
Often such attacks are based around extortion attempts and, in order for
them to be successful, they are often timed around events critical to
the target website. In the case of the gambling industry, key sporting
events such as horse races are often preceded by extortion threats of
DDoS attacks. And a site taken off-air in the build-up to these events
isn't doing business. In fact it's haemorrhaging money.
Tolson told us: '[It] obviously depends on the size of the ISP and how
many of their customers are bet365 customers, but a figure out of the
air for someone like BT or Claranet (neither have ever black-holed us)
could be, over a weekend period, something like 1 million to 5 million
in gross bets taken (our profitability depends on the outcomes of those
Those kind of losses make a business look at its options. Tolson said:
'Going to court over this is definitely an interesting proposition'.
The problem is that there is little legal recourse available. The UK
Computer Misuse Act has been updated to make DoS attacks a specific
crime, but there's nothing mandating an ISP's responsibility regarding
identifying the IP addresses of zombie computers or dealing with traffic
sent through them.
Andrew Katz, of Moorcrofts Corporate Law, told us: 'The law finds it
difficult to deal with DDOS attacks. One issue which occurs is that by
starting to block the IPs of zombies, the ISPs may be accepting legal
responsibility for any issues which arise in the future. I would expect
that the ISPs would say that their job is limited to delivering packets
to and from the Internet to the relevant client IP addresses, and that
was that, unless they had specifically accepted any other obligations
(e.g. virus scanning). So I would have thought it would be difficult to
claim against the ISPs in question for delivering the DDoS packets.
Whether [bet365] has a claim against them for blocking access to [the
bet365] site is a different matter.
'Interestingly, if the contract between the third party ISP and its
customer had a clause saying "It is our job to deliver packets to the
appropriate IP addresses" and there was no "Rights of Third Parties"
clause in the agreement, even though the gambling site was not a party
to that agreement, they could claim under the agreement that they had a
right to have legitimately addressed packets delivered to it, as a
consequence of the Contracts (Rights of Third Parties) Act. But I've
never heard of anyone trying to use the legislation this way before.'
However, the terms and conditions of Orange and BT contracts, for
example, don't make any promise to deliver legitimate packets to an IP
destination; they simply promise to offer a connection.
Struan Robertson, a corporate lawyer who edits law firm Pinsent Masons'
Outlaw.com site, told us that as well as considering the contract terms,
industry best practice is also a benchmark against which the behaviour
of ISPs can be judged, and potentially be found negligent. 'If you can
establish that no reasonable ISP would have done the same thing, then
you might be able to sue for damages,' he said.