AOH :: ISN-3315.HTM

Analysis: Websites struggling for legal recourse for DoS

Analysis: Websites struggling for legal recourse for DoS
Analysis: Websites struggling for legal recourse for DoS 

By Matt Whipp
23rd November 2006

Websites blocked by ISPs when under a distributed denial of service 
attack (DDoS) face millions of pounds in lost business because ISPs 
refuse to take responsibility for hosting infected computers on their 

Typically, a distributed denial of service attack relies on an attacker 
remotely controlling numerous and widely distributed computers infected 
by viruses and Trojans. The attacker uses these 'botnets' to send a 
flood of requests to a website, which is often unable to cope and its 
servers fail, taking the website offline.

It's a relatively simple and cheap operation for the attacker. Keith 
Laslop, President of DDOS mitigation outfit Prolexic told us: 'I've seen 
them on forums where you can hire bots for next to nothing. Four cents a 
bot. So you could take down a site very cheaply. You could get enough 
together for, say, a 50Mbits DDOS attack. You could take someone out 
with that.'

DOS attacks are also becoming increasingly common. During the first six 
months of 2006, Symantec observed an average of 6,110 DoS attacks per 

When an ISP sees this huge amount traffic aimed at one URL, the response 
can often be to block access to the target site.

However, the ISPs don't do anything about the infected computers of 
their own subscribers that are sending the flood of data in the first 
place. The result is that ISPs block access to, and therefore business 
from, websites targeted in this way.

Chris Tolson, Infrastructure Manager at bet365, told us his business is 
often targeted by DDOS attacks directed through a number of ISPs around 
the globe, including Comcast in the US. 'The Comcast issue is slightly 
different (and not specific to this ISP) and a result of sustaining a 
large scale DDOS attack that Comcast PCs are taking part in... Basically 
Comcast see large amounts of traffic saturating their ADSL lines and 
core routers due to their customers' PCs being compromised and used as 
part of the source of the attack on a gaming company like ourselves. The 
easiest way they can resolve this is to black hole the destination of 
all this traffic ie the gaming site. However, what they should really be 
doing is identifying all their customers that are infected by this 
zombie virus and cleaning up their network. The net affect of this is 
that all Comcast customers can no longer get to the gaming site even 
after the attack has finished and it is the IT manager's responsibility 
to try and get this ACL [access control list] lifted by phoning the 
offending ISP.'

Often such attacks are based around extortion attempts and, in order for 
them to be successful, they are often timed around events critical to 
the target website. In the case of the gambling industry, key sporting 
events such as horse races are often preceded by extortion threats of 
DDOS attacks. And a site taken off-air in the build-up to these events 
isn't doing business. In fact it's haemorrhaging money.

Tolson told us: '[It] obviously depends on the size of the ISP and how 
many of their customers are bet365 customers, but a figure out of the 
air for someone like BT or Claranet (neither have ever black-holed us) 
could be, over a weekend period, something like 1 million to 5 million 
in gross bets taken (our profitability depends on the outcomes of those 
bets taken)'.

Those kind of losses make a business look at its options. Tolson said: 
'Going to court over this is definitely an interesting proposition'.

The problem is that there is little legal recourse available. The UK 
Computer Misuse Act has been updated to make DOS attacks a specific 
crime, but there's nothing mandating an ISP's responsibility regarding 
identifying the IP addresses of zombie computers or dealing with traffic 
sent through them.

Andrew Katz, of Moorcrofts Corporate Law, told us: 'The law finds it 
difficult to deal with DDOS attacks. One issue which occurs is that by 
starting to block the IPs of zombies, the ISPs may be accepting legal 
responsibility for any issues which arise in the future. I would expect 
that the ISPs would say that their job is limited to delivering packets 
to and from the Internet to the relevant client IP addresses, and that 
was that, unless they had specifically accepted any other obligations 
(e.g. virus scanning). So I would have thought it would be difficult to 
claim against the ISPs in question for delivering the DDOS packets. 
Whether [bet365] has a claim against them for blocking access to [the 
bet365] site is a different matter.

'Interestingly, if the contract between the third party ISP and its 
customer had a clause saying "It is our job to deliver packets to the 
appropriate IP addresses" and there was no "Rights of Third Parties" 
clause in the agreement, even though the gambling site was not a party 
to that agreement, they could claim under the agreement that they had a 
right to have legitimately addressed packets delivered to it, as a 
consequence of the Contracts (Rights of Third Parties) Act. But I've 
never heard of anyone trying to use the legislation this way before.'

However, the terms and conditions of Orange and BT contracts, for 
example, don't make any promise to deliver legitimate packets to an IP 
destination, but simply to offer a connection.

Struan Robertson, a corporate lawyer who edits law firm Pinsent Masons' site, told us that as well as considering the contract terms, 
industry best practice is also a benchmark against which the behaviour 
of ISPs can be judged, and potentially be found negligent. 'If you can 
establish that no reasonable ISP would have done the same thing, then 
you might be able to sue for damages,' he said.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods