8.4. How Often Is Legal Assistance Sought in DDoS Cases?

Each year, the FBI and Computer Security Institute (CSI) do a survey of security professionals in government and corporate environments. The 2004 survey is described in Appendix C (Section C.1). The key finding to note in this year's survey was that the 269 reporting institutions calculated total reported costs from DoS attacks of $26,064,050. DoS is the most costly kind of cyber attack this year, nearly twice as costly as the next largest category, theft of proprietary information (at $11,460,000 in losses). The author of an article introducing the 2003 survey [McC03] makes an interesting statement regarding investigation of such crimes:
A report on the British Computer Misuse Act (CMA) by the "All Party Internet Group" [api04] (both described in more detail in Section 8.10) also covers the topic of the viability of prosecution of DoS attacks. In paragraphs #59 and #60 their report states,
Taking a look at another source of data, based on the numbers of incidents detected by groups such as CAIDA and Arbor Networks, it is probably safe to say that a very, very small percentage of the thousands of actual attacks per week ever result in legal action (either criminal or civil). Since a very large proportion of the attacks that occur on a regular basis are directed at IRC networks and their users—IRC being a free service, meaning no concrete monetary losses associated with the DDoS flooding—it follows that the actual damages from the majority of DDoS floods are also low. It is very unlikely that, even if reported, the FBI would expend scarce resources to investigate these attacks. Reporting would, seemingly, do very little good.

Of course, there are victims of DDoS flooding attacks who lose access to not only their servers, but sometimes their entire network and parts of their upstream provider's network (which may spill over to other customers of that same provider). In these cases, there may be significant financial losses, and these losses may be spread across multiple primary and collateral victims. (For example, the incident involving the Port of Houston was the by-product of an attack on a third party using the port's computers, which disrupted ship movement and may have financially impacted those shippers and even the shippers' customers!) Worse yet, consider situations in which irreparable loss is suffered as a result of an attack (for example, loss of data from instrumentation, say on scientific experiments at remote locations) or loss of life.

These are all, however, the second-phase victims of DDoS attacks. When you look at the first phase of DDoS attacks, in which thousands of computers are compromised, the damages could potentially really add up and are, for the most part, "hidden" costs.

Let us take a look at a simple example of the two phases of a DDoS attack. Imagine that an individual breaks into 1,000 computers to create a DDoS botnet.
(A thousand hosts is a relatively small botnet these days. A large botnet would be in the hundreds of thousands.) The attacker then uses this DDoS botnet to attack a small business that sells consumer electronics products exclusively through their Internet Web site. During the attack, which we will imagine lasts six days, the victim would have made $500 in net revenue per day. The obvious loss here is to the DDoS victim, who has suffered a net revenue loss of $3,000. Depending on overhead, cash on hand, and time of year, this loss could be significant to this victim. For example, is this the last week before Christmas when this single week accounts for 20% of yearly revenue? Add on top of that the cost of dealing with the attack itself, which can add up rapidly (especially if handled by a consultant, who may charge well over $100 per hour).

For simplicity, let us say the compromised computers that were used in the attack are all owned by broadband customers running Windows XP, and assume that all of them learn that their computers have been compromised and all of them want to clean up their problem. Each of these 1,000 users takes her computer in to a local computer service company, which charges $100 to back up the computer's hard drive, wipe the drive, reinstall Windows XP and all its current patches, reinstall all the users' applications, and restore the data files. The individual damage to each user is $100 plus her wasted time and loss of use of her computer, but added up we have a real financial cost of $100,000 (well above the $5,000 limit for prosecution). If these were business computers, the loss would instead be lost wages for the person who cleans up the system, plus some amount of lost productivity of the user of the computer. Adding in benefits and overhead, it could be several times this $100-per-system figure.

Any of these victims could report this problem to law enforcement, but the vast majority typically will not.
There are perhaps two similar situations that exist. One is the most prolific graffiti tagging, which causes similar small amounts of actual monetary losses due to damage, spread over a large area. (Even then, it is rare that a tagger can tag tens of thousands of locations around the globe.) Another is spam, where the spammer consumes the resources of many sites around the Internet for sending or relaying the spam messages.

If the preceding victims decided to report the problem, and if they were able to adequately preserve evidence and provide useful reports to the FBI or Secret Service, these federal agencies would be in a better position to efficiently and effectively investigate and prosecute a larger number of cases and thus obtain the deterrent effect that laws and law enforcement are supposed to provide. Making it easier for victims to do the right thing and encouraging them to regularly report computer crimes are keys to improving this situation.

Besides the amount of damages, there are other factors that cause many businesses' reluctance to report computer crimes. Many corporate victims want to avoid any negative publicity for fear that they will lose their customers' trust, that their competitors will use information about an incident to their advantage, and that shareholders or others may bring lawsuits against the corporation or its executives. Some corporate executives are also not convinced that law enforcement either understands the needs of businesses (e.g., fearing that they may come in and seize critical systems) or that law enforcement is capable enough to help.

Also, some victims do not care very much about involving law enforcement. If the attack stops, they are satisfied. At most, they may investigate purchasing defenses to help in the event of future attacks. That's probably most true of relatively small businesses.
There is an overhead cost associated with dealing with law enforcement on any issue, and many businesses may consider that overhead more expensive than the attack, or at least an added cost to the attack that they cannot afford to bear. They may also have what they believe to be sufficient insurance coverage and are satisfied with making a claim, or they may simply wish to assume any remaining risk above and beyond their existing insurance coverage.