Ten Ways to Think About DDoS Attacks and "Legitimate Civil Disobedience"
BY Nancy Scola | Monday, December 13 2010
Distributed denial of service attacks (a.k.a. DDoS), and whether they form a legitimate expression of civil disobedience in this distributed, often virtual age, was one topic that seemed to provoke some passionate reaction at the event that PdF held on Saturday about Wikileaks, broadly written. There was even a bit of intermission yelling that occurred amongst a handful of participants.
Above, activist and current New York State Senate employee Noel Hidalgo frames the question: Are DDoS attacks, where a group of people come together online to overwhelm a particular website or online service by sending a disabling amount of traffic its way, a reasonable evolution of the tactics humans reasonably and productively use to get things to change when it comes to politics or society, akin to sit-ins? Or is DDoS vandalism the suppression of free speech and freedom of assembly dressed up in digital glitz? A little of both? Something else entirely?
DDoS is hot in the news right at the moment because of the takedowns of sites and services belonging to PayPal, MasterCard, Visa, and others under the banner of "Anonymous," part of what's being called Operation Payback against those companies' moves to stop supporting Wikileaks and its leader Julian Assange in some way.
But it's a more serious, and more provocative, question than that. And that's because DDoS seems to speak to the fact that the relationships amongst and between governing states and citizens and social organizations and corporations seem to be in a state of abnormal fluidity at the moment, something Wikileaks and the resulting service attacks have put into sharp relief. A number of people who participated in person in Saturday's conversation have since written up their thoughts on DDoS.
First up, Deanna Zandt, author of Share This! writes that DDoS attacks are a legitimate tactic, though of limited utility:
Thus, in response, Anonymous launched a DDoS attack against the websites of the companies that took away people’s rights to support a political organization. Many, myself included, consider DDoS in this context to be much like a sit-in in the offline world. The point of a sit-in is to render a building/room/service unusable for a temporary period of time. Sit-ins aren’t “legal”– you get arrested, and most activists who participate in them know this ahead of time and prepare for it.
No permanent damage is done in a DDoS attack. This is particularly important to note when discussing DDoS as a political tool. It’s the difference between participating in a die-in at an embassy, for example, and smashing the windows of an embassy. As with any other form of activism, it shouldn’t be the only prong in a campaign strategy, and shouldn’t be used in every campaign.
Commenting on Deanna's post, long-time Tibet activist Nathan Freitas writes that he's not anti-DDoS as a tactic, necessarily, but that there are other, more powerful and more constructive ways to use your digital skillset to effect change:
I also believe there are better ways to make use of distributed human and computing resources. As an example, I have built a similar “botnet for good” system in the past, that allowed anyone to add their computer into a cloud of machines used to send SMS messages to mobile phones via the “free” SMTP/Email-to-SMS gateways offered by carriers. Normally, a single machine can only send a few messages at a time through these gateways, but with our opt-in cloud of sms senders, we were able to send tens of thousands of messages a day without any cost. This was used to send SMS reminders about election days to people who had willingly given their cellphone numbers to various NGOs, unions, etc. This is not civil disobedience, but it does help change things.
Another great example is running a Tor bridge for users in countries with restricted net access. This is a constructive act, that enables the network to work BETTER, and for information to move more freely, as opposed to shutting things down.
Finally, I just don’t think I can get over the anonymous aspect of it all. I am a huge pro-anonymity advocate, but I am against that capability being used for disruptive network attacks, both because it wasn’t what these services were built for, and it potentially harms and disreputes the anonymous services down the road.
I am not condemning DDoS as not being CD, I think I am just saying “is that it? is that the best you can do?”.
And journalism veteran Tom Watson says that he sees similarities between what Anonymous and company are doing in defense of Wikileaks and Assange, and what radicals believed were justified actions during the blow-up over Salman Rushdie's The Satanic Verses:
Two men threw a pair of Molotov cocktails through the front windows of The Riverdale Press in the Bronx, gutting the newspaper's editorial offices and shutting down the building for five months.
Those men, like the group that declares it is defending Wikileaks and its leader Julian Assange, were anonymous. And like the anonymous attackers of Amazon, Visa, MasterCard and PayPal, they were attempting to silence without consent or recourse the commercial speech of an institution they disagreed strongly with. They believed their cause was a just one, based upon a gross and unlawful insult, as well as their deeply-held beliefs.
In their case, it was the strong conviction that author Salman Rushdie should die for the religious blasphemy in The Satanic Verses, and that a newspaper that defended Rushdie's First Amendment rights in the United States to sell his book in any bookstore in the land must be silenced and shuttered. Who can doubt that these men (never caught) believed their cause was a just one, and that The Riverdale Press deserved to lose its editorial voice using the most expedient technology available (firebombs)?
This public debate, over the kosher-ness of using DDoS as a political tactic, is just getting started. And like so much with Wikileaks, there's a seemingly endless number of ways to look at the thing without much ever coming to a resolution. But as a way of continuing the conversation, here are ten rough thoughts from yours truly on additional factors that seem to inform this debate:
- Sit-ins, of course, are by their very definition an expression of people of committed values putting real skin in the game. But for individuals looking to take down a site through a denial of service swarming, there's no real cost involved. It's all upside. DDoS isn't much to look at as far as the technical bit of it goes, much like taking a million little sledgehammers to a site. It's a rather crude tactic, and the tools that make it possible are free; Anonymous uses something that they call the Low Orbit Ion Cannon. Virtual in this case is rather costless. Does that change the dynamic in any meaningful way?
- Calling DDoS attacks "civil disobedience" implies that there's some sort of social relationship binding together the attackers and the attackees. But that's not necessarily true, especially when we know that kids in, say, Estonia, can go after New York-based MasterCard just as easily as kids in Connecticut can. There's no reason to assume that PayPal's "civil" overlaps in the least with DDoS's "civil." Does that break the model completely?
- In that same vein, '60s sit-ins -- the Woolworth sit-ins, for example -- took place within an existing legal framework, that of the United States (and to some extent, state and local laws). The activists who made the decision to put their very bodies on the line -- literally, by refusing to get up when ordered -- deliberately made a conscious calculation. They were breaking a known law because they thought that that law was in conflict with a more important and powerful good, as in the right of an American of whatever color to get a lunch like anybody else. They knew that they were risking going to prison, because there was a transparent social contract they were operating under. They also had a known outcome -- changing the laws of their land to reflect justice, something that, obviously, ultimately occurred. What does it mean for these attacks to operate in a space, the Internet, where human-made laws leave enormous gaps?
- DDoS attacks are anonymous. Or maybe not. What would change in this dynamic if people "signed" their involvement in an attack?
- Because these attacks are costless, distributed, and potentially anonymous, they're particularly terrifying to people whose view of the world requires people who can be targeted and actions that have consequences. After 9/11, Al Qaeda emerged as a largely distributed, decentralized network, and added to the garish violence that that network created, that nature carried its own sort of scariness for many folks. Still, in that case, the establishment, such as it is, adapted its tactics to that reality. Even Al Qaeda needed financial and logistic resources to plot out and carry out its actions, and that reality created a target in the form of Osama Bin Laden and the Taliban in Afghanistan. How do we think that the powers-that-be might strike back in a case where there's no source-of-resources to go after?
- Is there a theory of change at work in DDoS attacks, some sort of path to sustainable change that DDoS participants are after? A theory of change is often at the heart of political activism. But does it have to be anymore?
- By definition, DDoS attacks arguably lack proportionality. The whole point is to bring down a site, or to at least make it so slow that nobody else wants to bother using it. It's all or nothing. Civil disobedience (think the Woolworth sit-ins, the march on Selma, the bus boycotts) tends to scale up progressively -- starting with demands made against the target, and then limited action, ramping up when resolution seems not in the offing. Is that a bug?
- DDoS attacks don't really require any unity of purpose, at least beyond the initial spark for the attack. A target can emerge in the swirl of public events, and some limited coordination is required to time the onslaught for the right moment. But some people can be participating for the lulz -- defined a few years ago by one "troll" in a New York Times article as "watching someone lose their mind at their computer 2,000 miles away while you chat with friends and laugh" -- while other folks can be doing their part because of a serious complaint against the target. Of course, every political action in known human history has involved people displaying a range of political committedness, but does that become more pronounced when the action is virtual, easy, and takes only a few seconds?
- In the Internet policy space, there's debate raging over the United States Department of Homeland Security's "Cyber Monday" takedown of websites at the domain name service, or DNS, layer, based on complaints that they're copyright-infringing sites. There's no court of law making the determination in those cases, something that has outraged not a few online activists and thinkers. And the U.S. is attempting to enshrine that practice into law with a bill before Congress at the moment that's called the Combatting Online Infringement and Copyright Act, better known as COICA. The DNS takedowns and COICA arguably militarize the Internet. Do DDoS attacks do the same?
- And, finally, there seems a decent chance that the outcome of a militarization of the Internet is that those who have the money to protect themselves, do. There are shades of rich families in Mexico having to hire private security forces to protect themselves from kidnapping. One logical response to a DDoS attack is to build up your digital firmament. Already, big sites do this by hosting their sites across a distributed range of servers. The White House, for example, has used a service called Akamai in the past to keep itself up and running despite being the target of DDoS attacks. But Akamai, in my understanding, isn't cheap. The possible outcome is that only the big guns will be able to afford the protection that's needed to engage safely on the Internet.
Again, those are some rough thoughts. What are you thinking about DDoS?