Back to main site

    Denial of Service Attacks

    Module 2: Digital attacks and Online Gender-Based Violence

    Overview

    • Denial of Service (DoS): A DoS attack is defined as a “cyberattack that temporarily or indefinitely causes a website or network to crash or become inoperable by overwhelming a system with data.”(1)
    • Distributed denial of service attack (DDoS): A DDoS attack involves the malicious use of multiple distributed computers and connections to attack and disrupt the normal traffic of a targeted journalist’s devices, service, or network with an overwhelming flood of Internet traffic with the aim of making these inaccessible.(2)

    DDoS attacks in Africa

    In November 2021, SEACOM, an ICT service provider, reported that “Africa experienced 382,500 DDoS attacks between January and July 2021.” Kenya and South Africa, both ardent champions of digitisation and Internet access, accounted for a staggering 59% of these attacks.(3)

    International law and standards

    DoS and DDoS attacks have a disproportionate impact on the right to freedom of expression, media freedom and the public’s right to information, and privacy:

    • Freedom of expression: These attacks effectively heighten censorship and present significant hurdles as they impede information dissemination and viewing, directly censoring content.(4) Whether perpetrated by State actors or their proxies, contradicts Article 19 of the ICCPR. Given their clandestine and unlawful nature, these actions typically violate the legal requirement for restrictions on freedom of expression. (5) They also disrupt access to entire online platforms, hindering the dissemination of vital and time-sensitive information. Consequently, such measures are nearly always unnecessary and disproportionate under Article 19(3).(6)
    • Media freedom and the public’s right to know: Under international law, all journalists have the right to work free from the threat of violence to ensure the right to freedom of opinion and expression for all.(7) These attacks directly impact journalists’ and news organisations’ ability to provide and disseminate news and information, amounting to a curtailment of media freedom and the right of journalists to freely impart information.(8) Additionally, these attacks restrict the public’s right to know by preventing some or all Internet users from accessing targeted content and websites.(9)
    • Privacy: The UNHRC, in its Resolution on the Safety of Journalists, has emphasised that DoS attacks which “force the shutdown of particular media websites or services amount to a violation of journalists’ rights to privacy and to freedom of expression.”(10)

    Role of the private sector

    Under the UN Guiding Principles on Business and Human Rights, business enterprises have a “responsibility to respect freedom of expression [and] companies should invest resources in security measures and improvements to infrastructure that prevent or mitigate the effects of DDoS attacks involving their products or services.”(11)

    National laws

    Typically, DoS and DDoS attacks against journalists and media houses can be combatted by relying on civil and criminal liability provided under national laws regulating cybercrimes or computer misuse.(12)

    Cybercrime laws and DoS and DDoS

    UNCTAD reports that 39 out of 54 African countries (72%) have enacted cybersecurity or cybercrime laws(13) which typically create offences that can be used to counter DoS and DDoS attacks against journalists and media houses.   Generally, these offences are located in provisions prohibiting crimes against computer systems and computer data, including:

    • unauthorised access,
    • unauthorised interference,
    • unauthorised interception, or
    • access with intent to commit further offences.  

    In Ethiopia, for example, the Computer Crime Proclamation, No. 958/2016 criminalises illegal access to computer systems, data or networks, the illegal interception of non-public computer data or data processing services, intentional interference with the proper functioning of a computer system, and causing damage to computer data rendering it useless or inaccessible.  

    For SSA countries without or with inadequate cybercrime laws, recourse might be found through other legal avenues:

    • For SSA countries without or with inadequate cybercrime laws, legal recourse might alternatively be found in data protection legislation. For example, Section 72 of Kenya’s Data Protection Act, 2019 prohibits obtaining access to personal data without prior authority of the data controller or data processor in certain circumstances.
    • Lawyers may rely on civil provisions, including trespass to chattel, or a breach of contract if the attack violates a website owner’s or internet service provider’s terms of use.(14)
    • In the alternative, if a perpetrator has used threats in an attempt to extort a journalist or a media house, one could potentially rely on criminal offences under the Penal or Criminal Code.

    Litigating DDoS Attacks: United States

    The sentencing of a man in the United States, Andrew Rakhshan,(15) for launching multiple, international DDoS attacks on media sites in Australia, New Zealand, and Canada illustrates the viability of legal recourse against DDoS attacks where there is an identifiable perpetrator.(16)

    Rakhshan was charged and convicted with violating United States Code § 1030 (a)(5)(A) (knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization, to a protected computer).(17) However, in April 2019, owing to ineffective assistance of trial counsel, the court ordered a retrial in which the state alleged the offence of U.S.C. § 1030 (b) (conspiracy to violate 1030 (a)).footnote]United States of America v Kamyar Jahanrakhshan (2018) (accessible at https://www.govinfo.gov/app/details/USCOURTS-txnd-3_17-cr-00414/context).[/footnote]

    In June 2020, Rakhshan, after pleading guilty to the conspiracy charge, was sentenced to five years in federal prison and ordered to pay more than $520,000 in restitution.

    Critically, this case illustrates that litigating DoS and DDoS cases impacting digital journalism requires technical expertise and may often require the cooperation of multiple state and non-state actors, including those from multiple jurisdictions. As noted by Sentinel One, the use of the law to combat cybercrimes is “not always easy and cases often lag for years or are tried ineffectively due to a lack of technical prowess across all involved parties.”(18)

    Securing accountability for such attacks usually strictly requires being able to clearly attribute it to a specific state or non-state perpetrator(s).(19) However, there are some practical challenges to be aware of:

    • Accurately identifying the origin of an attack and the perpetrator is extremely difficult due to the technical skills and know-how required and the prevalence of online anonymity tools, which makes these attacks effective intimidation tools.
    • Anonymity protections online enable perpetrators to remain hidden, a challenge exacerbated by ‘false flag’ attacks that are committed to disguise the real perpetrator and shift blame to a third party.(20)

    Footnotes

    1. PEN America, accessible at https://onlineharassmentfieldmanual.pen.org/defining-online-harassment-a-glossary-of-terms/. Back
    2. Id. See also: Cloudflare, ‘What is a DDoS attack?’, (accessible at https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/); UNESCO, ‘Building Digital Safety For Journalism – A Survey Of Selected Issues’ (2015) (accessible at https://unesdoc.unesco.org/ark:/48223/pf0000232358). Back
    3. SEACOM, ‘Latest research shows DDoS attacks up by 300% in Africa since 2019’ (2021) (accessible at https://seacom.com/media-centre/latest-research-shows-ddos-attacks-300-africa-2019/). Back
    4. UNESCO, ‘Building Digital Safety for Journalism – A Survey of Selected Issues’ (2015) (accessible at https://unesdoc.unesco.org/ark:/48223/pf0000232358). Back
    5. UNSR, ‘Research Paper 1/2019: Freedom of Expression and Elections in the Digital Age’ (2019) (accessible at https://www.ohchr.org/sites/default/files/Documents/Issues/Opinion/ElectionsReportDigitalAge.pdf). Back
    6. Id. Back
    7. UNESCO, ‘Freedom of expression: A fundamental human right underpinning all civil liberties’, (accessible at https://en.unesco.org/70years/freedom_of_expression). Back
    8. AlterMidya, ‘DDoS attacks: A menace to the people’s right to know’ (2021) (accessible at https://www.altermidya.net/ddos-attacks-a-menace-to-the-peoples-right-to-know/). Back
    9. Susan McGregor, ‘Why DDoS attacks matter for journalists’(2016) (accessible at https://www.cjr.org/tow_center/journalists_ddos_hack_passwords.php). Back
    10. UNHRC ‘Resolution adopted by the Human Rights Council on the safety of journalists’ (2020) (accessible at https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/45/L.42/Rev.1) (UNHRC Resolution on the safety of journalists). Back
    11. Id. Back
    12. Thomson Reuters, ‘Distributed Denial-of-Service (DDoS) Attack’ (2022) (accessible at https://uk.practicallaw.thomsonreuters.com/7-516-9293). Back
    13. UNCTAD, ‘Cybercrime Legislation Worldwide’ (accessible at https://unctad.org/page/cybercrime-legislation-worldwide). Back
    14. Thomson Reuters above n 117. Back
    15. Department of Justice, ‘Man Receives Maximum Sentence for DDoS Attack on Legal News (2020) (accessible at https://www.justice.gov/usao-ndtx/pr/man-receives-maximum-sentence-ddos-attack-legal-news-aggregator); Department of Justice, ‘Seattle Man Arrested for the Attempted Extortion of Leagle.com and Several Other Media Companies’ (2017) (accessible at https://www.justice.gov/usao-ndtx/pr/seattle-man-arrested-attempted-extortion-leaglecom-and-several-other-media-companies). Back
    16. United States v Kamyar Jahanrakhshan also known as “Kamyar Jahan Rakhshan, Andy or Andrew Rakhshan,” “Andy or Andrew Kamyar,” and “Kamiar or Kamier Rakhshan (accessible at https://cdn.arstechnica.net/wp-content/uploads/2017/08/jahanrakhshanchargingdoc.pdf). Back
    17. 18 U.S. Code § 1030 – Fraud and related activity in connection with computers (accessible at https://www.law.cornell.edu/uscode/text/18/1030#e_2). Back
    18. Sentinel One, ‘The Good, the Bad and the Ugly in Cybersecurity – Week 25’ (2020) (accessible at https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-25/). Back
    19. Dimitar Kostadinov, ‘The attribution problem in cyber attacks’, (2013) (accessible at https://resources.infosecinstitute.com/topic/attribution-problem-in-cyber-attacks/). Back
    20. David Trilling, ‘Hacking: What journalists need to know. A conversation with Bruce Schneier’, (2016) (accessible at https://journalistsresource.org/economics/hacking-bruce-schneier-journalists-cyberattacks-ddos/). Back