The IUP Journal of Cyber Law:
Distributed Denial-of-Service Attacks Under Public International Law: State Responsibility in Cyberwar
Distributed Denial-of-Service (DDoS) attacks are a major weapon of cyberwarfare and are now also used during or before major political and military conflicts, such as the 2008 Russo-Georgian War, the Russian-Estonian political tensions, as well as in the Middle East conflict. International Law is based on consensus and is therefore naturally slow to react to new developments, including this new tool of warfare. The same is true of many states. This raises the question of how to qualify DDoS attacks under the existing rules of Public International Law. After investigating the legal nature of DDoS attacks, the question needs to be asked which rules cover such attacks and who can be held responsible for DDoS attacks, in particular those conducted by (potentially paid and/or foreign) hackers on behalf of states.
Distributed Denial-of-Service (DDoS) attacks have been a threat to internet sites and users since 1999. The aim of a DDoS attack is to render the targeted website unavailable. While websites are the main target of DDoS attacks, the technical target is the computer/server on which the website operates, while the intended target might actually be a single user, as was the case in the 2009 Russian attacks against Twitter, Facebook and other social networking sites, which aimed at silencing a Georgian user who used the said websites to express his opposition to Russian policies. Essentially, the idea behind a DDoS attack is to overwhelm the computer in question. Internet users might be familiar with the effect that a website is temporarily unavailable if too many users try to access it at the same time, e.g., due to increased popular interest in the website which exceeds the bandwidth assigned to it. DDoS attacks do the same artificially and on a large scale by using a large number of 'hijacked' computers (zombies), targeting bandwidth, router processing capacity or network stack resources, which essentially breaks the connection between the server on which the targeted website is physically located and the rest of the Internet. The owners/users of the computers which are used for the attack are usually unaware of the fact that their hardware has been abused for such an attack. Yet it is internet users who fail to secure their hardware properly against being taken over who make such attacks possible. As was explained shortly after the first DDoS attacks at the turn of the millennium: "[T]he perpetrator starts by breaking into weakly-secured computers, using well-known defects in standard network service programs, and common weak configurations in operating systems. On each system, once they break in, they perform some additional steps.

First, they install software to conceal the fact of the break-in, and to hide the traces of their subsequent activity. For example, the standard commands for displaying running processes are replaced with versions that fail to display the attacker's processes. These replacement tools are collectively called a 'rootkit', since they are installed once you have 'broken root', taken over system administrator privileges, to keep other 'root users' from being able to find you. Then they install a special process, used to remote-control the burgled machine. This process accepts commands from over the Internet, and in response to those commands it launches an attack over the Internet against some designated victim site. And finally, they make a note of the address of the machine they've taken over. All these steps are highly automated. A cautious intruder will begin by breaking into just a few sites, then using them to break into some more, and repeating this cycle for several steps, to reduce the chance they are caught during this, the riskiest part of the operation. By the time they are ready to mount the [...] attacks [...] they have taken over thousands of machines and assembled them into a DDoS network; this just means they all have the attack software installed on them, and the attacker knows all their addresses (stored in a file on their control system)."

This is the difference between ordinary Denial-of-Service (DoS) attacks and Distributed Denial-of-Service (DDoS) attacks: "In a DDoS attack, the attacking packets come from tens or hundreds of addresses rather than just one, as in a 'standard' DoS attack. Any DoS defense that is based upon monitoring the volume of packets coming from a single address or single network will then fail since the attacks come from all over. Rather than receiving, for example, 1,000 gigantic Pings per second from an attacking site, the victim might receive one Ping per second from 1,000 attacking sites. One of the other disconcerting things about DDoS attacks is that the handler can choose the location of the agents. So, for example, a handler could target several NATO sites as victims and employ agents that are in countries known to be hostile to NATO. The human attacker, of course, might be sitting in Canada. Like DoS attacks, all of the DDoS attacks employ standard TCP/IP messages, but employ them in some non-standard ways. Common DDoS attacks have such names as Tribe Flood Network (TFN), Trin00, Stacheldraht, and Trinity." The attack is then started with a single command to the 'hijacked' machines to send packets (formatted blocks of information which are carried by packet-mode computer networks) and thereby to start one of a number of different possible flooding attacks against the chosen victim until the attack is stopped by sending another command. As for the technical response to DDoS attacks, there are some ideas but not really anything that amounts to a strategic doctrine.
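The quoted point that a per-address volume monitor fails once the same traffic is spread across many sources can be checked with a small detector. The following is an added example, not code from the article or the sources it quotes: it builds two constructed ping logs (one source sending 1,000 pings per second versus 1,000 sources sending one ping each), runs a per-source threshold and an aggregate per-victim threshold over both, and shows that only the aggregate view flags the distributed case. All addresses, rates and thresholds are assumed.

```python
from collections import Counter

# Constructed traffic logs (not from the article): each entry is
# (second, source_ip, destination_ip) for one ICMP echo request.
VICTIM = "203.0.113.10"          # documentation-range address, assumed victim

def make_dos_log(seconds=5, pps=1000):
    """Single-source DoS: one attacker sends `pps` pings per second."""
    return [(t, "198.51.100.7", VICTIM) for t in range(seconds) for _ in range(pps)]

def make_ddos_log(seconds=5, agents=1000):
    """DDoS: `agents` distinct zombies each send one ping per second."""
    return [(t, f"10.{i // 256}.{i % 256}.1", VICTIM)
            for t in range(seconds) for i in range(agents)]

PER_SOURCE_PPS = 100   # threshold of a per-address volume monitor (assumed)
PER_VICTIM_PPS = 500   # threshold on aggregate traffic reaching one host (assumed)

def per_source_alerts(log):
    """Sources that exceed PER_SOURCE_PPS within any single second."""
    counts = Counter((t, src) for t, src, _ in log)
    return {src for (_, src), n in counts.items() if n > PER_SOURCE_PPS}

def per_victim_alerts(log):
    """Destinations whose total inbound rate exceeds PER_VICTIM_PPS in any
    second, irrespective of how many sources the packets come from."""
    counts = Counter((t, dst) for t, _, dst in log)
    return {dst for (_, dst), n in counts.items() if n > PER_VICTIM_PPS}

def peak_distinct_sources(log):
    """Largest number of distinct sources seen in one second: a high value
    with no per-source alert is the signature of a distributed flood."""
    per_second = {}
    for t, src, _ in log:
        per_second.setdefault(t, set()).add(src)
    return max(len(s) for s in per_second.values()) if per_second else 0

if __name__ == "__main__":
    for name, log in (("DoS", make_dos_log()), ("DDoS", make_ddos_log())):
        print(name, "| per-source alerts:", per_source_alerts(log) or "none",
              "| per-victim alerts:", per_victim_alerts(log) or "none",
              "| peak distinct sources:", peak_distinct_sources(log))
```

Against the DDoS log the per-source monitor stays silent while the per-victim monitor fires, which is exactly the gap the quoted text describes.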
Keywords: Cyber Law Journal, Distributed Denial-of-Service Attacks, DDoS, Public International Law, Cyberwar, Tribe Flood Network, Computer Networks, Technical Developments, Domestic Remedies, Customary International Law, Foreign Corporations, International Environmental Law.