8.5. Initiating Legal Proceedings as a Victim of DDoS


If your network and/or security operations staff can confirm that an attack is under way and that your systems have been impacted enough to cause monetary and/or physical damage, it is time to decide how to move forward. It is assumed here that your own staff, and that of your upstream network provider(s), have already identified and attempted to use all available technical measures to mitigate the attack, and that these efforts have not been adequate to bring the network back to reliable functioning.

At this point, management is faced with a decision as to whether or not to start legal proceedings.

8.5.1. Civil Proceedings

Discussed in this chapter are several theories of tort that could be used, but a victim will immediately be faced with two problems.

First, who are you going to sue? Trying to identify the perpetrator of a DDoS attack by direct traceback will be almost impossible. He may be foolish enough to brag on an IRC channel about his attack or may even contact you directly (he would have to contact you if this were an extortion attempt). However, actually identifying a physical person sitting at a keyboard and proving that he caused the damage will be very, very difficult.

Second, there is no obvious case law surrounding use of civil litigation against DDoS attackers, or even downstream liability for that matter. This may change over time, but at present this will be a hard path to follow.

8.5.2. Criminal Proceedings

Criminal proceedings are easier to initiate, but they, too, suffer the same problem of identifying the attacker. At least with a criminal investigation, law enforcement has powers of subpoenas, search warrants, and seizure of evidence to help identify the attacker, provided they have the resources and desire to pursue the case. As mentioned before, how well victims preserve, process, and present the evidence will have an impact on law enforcement's ability to pursue the case.

Start now, before an attack occurs, by reviewing the guidance provided on the Department of Justice's Cybercrime Web page (http://www.cybercrime.gov/reporting.htm). In case you did not read this in advance and are currently under attack, the numbers to call for reporting computer crimes at the time of publication of this book are +1-202-323-3205 for the National Infrastructure Protection Center (NIPC) Watch Desk, and +1-202-406-5850 for the U.S. Secret Service's Electronic Crimes Branch.

You should also consider reporting the incident to the CERT Coordination Center. The CERT Coordination Center is a trusted third party that will not release any information about a victim site, the attack, etc., without the victim's express permission. Reporting to both federal law enforcement and the CERT Coordination Center also provides valuable national-level visibility into potential large-scale cyber attacks or attacks targeted at specific critical infrastructure sectors, such as banking, telecommunications, and energy. The CERT Coordination Center can be contacted at cert@cert.org or +1-412-268-7090.

Organizations may also have other reporting requirements. For example, if your organization is in the financial sector, you may be required to file a Suspicious Activity Report (SAR) with the Securities and Exchange Commission [sar]. Even if you are not in the financial sector, you may wish to consult this same reference and use the SAR as a model for collecting information and constructing a narrative with which to report the incident to federal law enforcement.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126