Denial of Service attacks - who pays the piper?

Denial of service attacks are nothing new. I first wrote about them in 2001 and even then they didn’t need much explaining – the electronic equivalent of ringing the doorbell and running away.

Typically they’re used to shut down a website or knock a service offline for a while. In the old days an accidental DoSing became known as a “Slashdotting”, after the US-based geek-centric website renowned for posting news stories that included (gasp) links to the source material, which would then be completely inundated with readers and crash under the load.

I managed to Slashdot the New Zealand Herald’s Australian parent company once by interviewing Ben Goodger, the Auckland-raised software engineer behind Firefox. The Aussies had decided to host most of their Aussie-based content in New Zealand, but after the Goodger interview made it to Slashdot, most of the international capacity they’d booked was soaked up with US viewers clicking through to the Herald site. Hilarity ensued, I can tell you.

These days, of course, it’s quite an underpowered website that gets slammed in such a fashion. Most have nimble IT teams that can scramble some extra resources if need be, and with mirrors, caches and content farms dotted around the planet, it’s unlikely that most sites will suffer the embarrassment of being crushed like a bug under the weight of overwhelming demand.

Individuals and small organisations, however, are not as well-endowed and unfortunately if someone wants to slam them with more traffic than they can handle, they’re likely to be knocked offline for a while.

And it doesn’t stop there because then there’s another problem – who pays for the data sent to you?

Typically you pay because you’re the one with the internet connection. Normally, you or your staff would be requesting content to be delivered to you (websites, email, cat videos) or sending stuff out yourself – but when the traffic is unwanted you may find yourself on the wrong side of a steep bill.

The ISP billing engine can’t differentiate between unwanted traffic and someone at your end downloading something large, which means it’s all delivered to your door whether you want it or not.

One TUANZ member has been slammed in such a way and received a hefty bill to boot – thankfully the ISP in question is willing to go halves but even so, it’s a nasty surprise (and wouldn’t any reasonable ISP either wipe the charges completely or just bump a valued customer up to the next plan size for the duration?).

I’d expect to see more of this once we are all moved over to fibre and the kiddies find out they can cause this kind of havoc. As our correspondent notes: “A DOS attack pinging people using 50Mbit/s each way can consume 10MB per second – 600MB per minute, 36GB per hour, 864GB per day” which would soon hit a multi-thousand dollar phone bill for an unwary customer.

The problem is that even if you as an end user take all the relevant precautions (antivirus up to date, no unauthorised apps allowed on the network, firewall blocking such traffic) you’ll still get stuck with the bill for traffic being delivered that you probably don’t want.

TUANZ encourages members to talk to their providers about what obligations there are on both sides with regard to this kind of activity, and to make sure they’re covered in such a situation.

Have you been stung for excess charges in this kind of situation? Let me know.