Net service attacks causing collateral damage

Wired on Friday: Whether you were trying to read your favourite weblog on the internet or were a blogger trying to update your website for your many fans, you may have found yourself caught in a frustrating snarl-up last week. Your web browser may have slowed to a crawl, or responded to your mouse clicks with a "Server Not Responding" message.

Another internet traffic jam, you might have thought, like the slowdown on the motorway after an accident. But this was no traffic accident. What you saw were the side-effects of a "distributed denial-of-service attack".

For hundreds of thousands of slowed-down surfers, it was an inconvenience. For the internet companies involved, it's a disaster. The companies involved suffered hours of lost advertising revenue, faced the potential for huge additional bandwidth charges, and endured a frustrating day of frantic retooling of their systems to mitigate the damage.

Worse, there was nothing anyone could have done to stop it, and no police force in the world, it seems, is capable of investigating the crime.

Distributed denial of service (or DDoS) is the term for what happens when an unknown adversary keeps legitimate users out of a website or internet service by saturating it with their own dummy requests, pushing out the real visitors like a prankster taking over all the telephone lines to a phone-in radio show.

Denial of service seems like such a bland euphemism for an effect that can initiate a round of extortion threats, destroy a company or deny thousands access to vital services. In truth, it's the "terminate with extreme prejudice" of the internet - a method that can bring down the biggest websites or corporations with little possible comeback.

The "distributed" element comes from the origin of those fake requests. Instead of a single location, as easily blocked by network operators as banning an incoming call, the attacks seem to come from every part of the internet.

In this case, the attackers were, it is believed, Russian spammers. The victim was SixApart, which owns two of the biggest blogging websites, LiveJournal and TypePad. Close to two million journals are hosted on SixApart's sites, and their web servers are engineered to deal with vast amounts of daily traffic.

But an average day of surfing is nothing close to the gigabits of data thrown at them during these spammers' attack. None of this extra traffic came from human visitors to their website. All of it came from hundreds and thousands of "zombie" computers: virus-infected home PCs, remotely co-ordinated by the attackers for devastating effect. The machines under their control were all instructed to drown SixApart's servers in data.

And drown they did. SixApart was faced with connections to their servers from all sides of the internet - none of them human, and all of them relentless.
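To make concrete why the "distributed" part matters to the people defending a site, here is an added illustration (not from the column or from SixApart) that runs the usual per-source blocking rule over two constructed web-server logs of equal size: one flood from a single machine, one from hundreds of zombies. The hostnames, timestamps and request counts are all made up for the example.

```python
"""Per-source blocking catches a single-origin flood but not a distributed one."""
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+ [^"]*" \d{3}')


def make_log(sources, requests_per_source, path="/"):
    """Construct log lines: each host in `sources` sends N requests (sample data)."""
    return [
        f'{host} - - [01/Jan/2000:10:00:00 +0000] "GET {path} HTTP/1.1" 503'
        for host in sources
        for _ in range(requests_per_source)
    ]


def per_source_blocklist(lines, threshold):
    """Classic defence: block any source sending more than `threshold` requests."""
    counts = Counter(m.group(1) for m in map(LOG_RE.match, lines) if m)
    return {host for host, n in counts.items() if n > threshold}


def total_requests(lines):
    """Aggregate load, which is what the servers actually feel."""
    return sum(1 for line in lines if LOG_RE.match(line))


def distinct_sources(lines):
    """Number of different hosts seen: the 'distributed' signal."""
    return len({m.group(1) for m in map(LOG_RE.match, lines) if m})


# Same total load (500 requests), two shapes. Addresses are RFC 5737 test ranges.
SINGLE = make_log(["203.0.113.7"], 500)
DISTRIBUTED = make_log(
    [f"198.51.100.{i}" for i in range(1, 251)]
    + [f"192.0.2.{i}" for i in range(1, 251)],
    1,
)

if __name__ == "__main__":
    # The single attacker trips the rule; every zombie stays under the threshold,
    # so the blocklist is empty even though the servers see identical load.
    print(per_source_blocklist(SINGLE, 50))
    print(per_source_blocklist(DISTRIBUTED, 50))
    print(total_requests(SINGLE), total_requests(DISTRIBUTED))
    print(distinct_sources(DISTRIBUTED))
```

The only thing that distinguishes the distributed flood from a busy day is the combination of aggregate volume and an unusual number of distinct, low-rate sources, which is why the defence has to move upstream to the network operators rather than the site's own filters.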

But just as gangsters regularly hit the wrong targets, so SixApart was the victim of mistaken identity. After the attacks subsided, it transpired that the Russians were aiming at an anti-spamming company, Blue Security, in a clumsy attempt to push the Israeli company off the world's networks.

When Blue Security first noticed the attack, directed primarily at their own pages, they redirected visitors to a simple blog so that they could provide updates on their status without using their own server. That blog was hosted at SixApart, which meant that the blogging company in turn drew the ire of the Russian attackers.

Not all denial of service attacks are this public. Many criminals use DDoS attacks as tools of extortion, preying on those who don't necessarily want to attract the attention of the lawful authorities. Internet gangsters will push a company, often a gambling or pornography site, off the internet for a few hours, then send a message demanding money to stop another attack.

Others are simple revenge attacks: one hacker attacking another individual, and catching others in the cross-fire. And yet others, their instigators claim, are perfectly legitimate.

The reason Russian spammers were so angry at Blue Security is that its own product practises a minor form of denial of service. Its software product, downloaded by users across the world, scans spam mails for URLs, and then uses its subscribers' computers to visit the spammers' websites and fill in fake information.

The end result for the spammers is just the same as that visited on SixApart: many false requests drowning out the few "legitimate" inquiries after spammed products.

Surprisingly, neither Blue Security nor its shadier adversaries is necessarily breaking any law. Denial of service attacks are in a legal grey area in most jurisdictions.

The UK, for instance, is currently considering legislation to specifically criminalise the act, after a prosecution under existing laws failed last year (the judge ruled that because the server was open to the internet, each individual request was "authorised" to take place, even though the scale was not).

Even when the law is fixed, enforcement will be another challenge. Like spam, pursuing the perpetrators across national borders and past their anonymous zombie machines is nearly impossible.

But at least by clarifying the law, the idea that a denial of service is a legitimate response will be put to rest. It's bad enough when the innocent suffer from the acts of the bad guys. But when their supposed opponents stoop to the same tactics, then nobody wins.

Danny O'Brien is activism co-ordinator for the Electronic Frontier Foundation