In the digital world, distributed denial of service (DDoS) attacks are a common form of cybercrime. They aim to cripple servers or networks by flooding them with requests, which can cause significant operational disruptions. But what is the legal side? Is a DDoS attack a criminal offense and is it possible to take action against the attacker? This blog post highlights these issues and provides a detailed look at the legal aspects of DDoS attacks.

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a specific type of cyber attack in which an attacker aims to render a server, service or network inaccessible through a flood of Internet traffic. This attack aims to disrupt and interrupt normal functionality and access to a network, system or service.

The method used is usually the use of a botnet. A botnet is a group of hacked computers that are under the control of the attacker. These computers, often referred to as “zombies,” are tricked into sending coordinated requests to the target. These can be simple requests, such as calling a web page, or more complex actions, such as sending large packets of data designed to overload the target’s bandwidth.

The primary goal of a DDoS attack is to put so much strain on the server’s resources that it is no longer able to handle legitimate requests. This can cause the server to respond slowly, become unreliable, or even fail completely. The consequences can be significant, especially when it comes to mission-critical services where downtime can lead to substantial financial losses and reputational damage.

It is important to note that DDoS attacks are not aimed at stealing data or infecting systems. Instead, their main goal is to disrupt normal operations. Despite their apparent simplicity, DDoS attacks can be extremely effective and require careful planning and preparation to successfully defend against them.

Criminal liability of DDoS attacks

In many countries around the world, including Germany, DDoS attacks are explicitly punishable by law. These types of cyberattacks violate the law because they are specifically designed to interfere with the functioning of computers and networks. They generate massive traffic, which results in legitimate requests not being able to be processed, causing significant operational disruptions.

In Germany, the legal basis for the criminal liability of DDoS attacks is enshrined in Section 303b of the German Criminal Code (StGB). This paragraph explicitly criminalizes data alteration and computer sabotage. Data modification is the unauthorized deletion, suppression, rendering unusable or alteration of data. Computer sabotage, on the other hand, refers to acts intended to disrupt data processing operations that are essential to the operation of a company or government agency.

In this context, a DDoS attack can be considered a form of computer sabotage. Flooding a server or network with requests disrupts normal operations and, in many cases, completely paralyzes it. This can cause significant economic damage, especially when it comes to commercial websites or online services that rely on constant access from their customers.

It is important to emphasize that criminal liability for DDoS attacks applies not only to the actual perpetrators, but also to individuals who commission or support such attacks. This can be done, for example, by deploying botnets or developing and distributing special software to carry out DDoS attacks. These acts can also be prosecuted under Section 303b of the German Criminal Code.

Penalties for DDoS attacks can vary depending on the severity of the attack and the damage caused. They range from fines to prison sentences. In particularly serious cases, for example if the attack results in significant economic damage, prison sentences of several years may be imposed.

Warning and compensation

If you become a victim of a DDoS attack, you have the right to take legal action. This may include warning the aggressor and claiming damages. Damages may include the cost of restoring the system, lost profits, and other direct or indirect damages.

The legal basis for such claims may arise from a variety of sources. One of them is § 823 para. 2 of the German Civil Code (BGB) in conjunction with Section 303b para. 1 No. 2, para. 2 of the Criminal Code (StGB). According to these provisions, the person who intentionally or negligently violates the property, the right of another unlawfully is obliged to pay damages. A DDoS attack can be considered such a wrongful infringement because it affects the functioning of a computer system that is the property of the victim.

In addition, a claim for damages may also be asserted on the basis of impairment of the established and practiced business. This claim arises from case law and is recognized if the DDoS attack disrupts the operations of a company. This may be the case in particular if the attack results in operations having to be shut down for a certain period of time or if customers migrate away as a result of the attack.

In addition, a so-called quasinegatory injunctive relief pursuant to §§ 1004 para. 1, 823 para. 2 BGB in conjunction with § 303b para. 1 No. 2 StGB may be invoked. This claim exists if there is a risk of repetition, i.e. if it is to be feared that the attacker will carry out a DDoS attack again. The claim is directed at the omission of such attacks.

However, enforcing these rights can be challenging. DDoS attacks are often difficult to trace because attackers mask their identities through the use of botnets and other techniques. As a result, it is often difficult to identify the polluter and hold them legally responsible. In such cases, it may be helpful to consult an expert in IT law or a specialized lawyer who has experience with such cases and can assist in enforcing the claims.

Conclusion

DDoS attacks pose a serious threat to the stability of IT systems and are a clear violation of the law. They can cause significant damage that goes far beyond technical problems and can have a significant economic impact. Victims of such attacks have the right to warn the attacker and claim damages. This may include the cost of restoring the system, lost profits, and other direct or indirect damages.

However, enforcing these rights can be challenging. The nature of DDoS attacks and the techniques used by attackers can make it difficult to identify who is responsible. This can make legal prosecution more difficult and make it difficult to enforce claims for damages.

Therefore, it is crucial to take preventive measures to protect against such attacks. This can include implementing security measures such as firewalls and DDoS protection services, monitoring network traffic, and training employees on cybersecurity practices.

If you become a victim of a DDoS attack, it is important to seek professional help. This may include IT security professionals, attorneys, and law enforcement. They can help investigate the attack, identify those responsible and take legal action.