MANY OF Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack.

This involves a target site being saturated with messages and requests to the point it can no longer function properly.

I've said it before but it's worth repeating: Irish law does not adequately deal with computer crime at the moment (with denial of service attacks being one of many areas left without adequate sanctions) and legislation to implement the Cybercrime Convention and the Framework Decision on Attacks Against Information Systems is now long overdue.
Here's an excerpt from a chapter I wrote in Reich (ed.), Cybercrime and Security discussing the uncertain Irish law on denial of service attacks:
Whether or not such an attack would amount to an offence under Irish law will vary depending on the precise structure of the attack.
For example, suppose that A sets out to harm B by sending several million emails to B’s server. The effect is not only to use up B’s bandwidth but also to use his disk capacity. In this case, it might be possible to charge A with criminal damage under section 2 of the Criminal Damage Act 1991, on the basis that A has damaged B’s data within the meaning of section 1 by adding to it without lawful excuse.
This result is supported by the English decision in DPP v. Lennon. In that case the defendant was a 16 year old who took umbrage at the circumstances of his dismissal and sent five million emails to his former employer with the expressed intention of “causing a bit of a mess up”. He was charged with unauthorised modification to a computer system with intent to impair the operation of the computer, contrary to section 3(1) of the Computer Misuse Act 1990 (the equivalent provision to section 2 of the Criminal Damage Act 1991). His defence was that the company had implicitly consented to receiving emails and as such he had not made unauthorised modifications. Although the trial judge accepted this argument, on appeal the Divisional Court held that any implied consent did not extend to emails sent for the purpose of disrupting the system. Per Jack J.:

“I agree, and it is not in dispute, that the owner of a computer which is able to receive emails is ordinarily to be taken as consenting to the sending of emails to the computer. His consent is to be implied from his conduct in relation to the computer. Some analogy can be drawn with consent by a householder to members of the public to walk up the path to his door when they have a legitimate reason for doing so, and also with the use of a private letter box. But that implied consent given by a computer owner is not without limit. The point can be illustrated by the same analogies. The householder does not consent to a burglar coming up his path. Nor does he consent to having his letter box choked with rubbish. That second example seems to me to be very much to the point here. I do not think that it is necessary for the decision in this case to try to define the limits of the consent which a computer owner impliedly gives to the sending of emails. It is enough to say that it plainly does not cover emails which are not sent for the purpose of communication with the owner, but are sent for the purpose of interrupting the proper operation and use of his system.”

However, if the facts of a denial of service attack are varied slightly then criminal damage may no longer be an appropriate charge. Suppose for example that C sets out to hinder access to D’s publicly available website, and does so by programming several computers to repeatedly download large pages from the site. The result is to use up D’s bandwidth and ensure that other users cannot get through to the site, though the server itself continues to function. What crime, if any, has been committed?
In this case C would not have damaged D’s data (assuming that C downloaded data only and did not make any modifications to the data on the server). It might be argued that C has committed criminal damage to the server itself given the extended definition of “damage” under section 1, which includes situations where a person “whether temporarily or otherwise, render[s] inoperable or unfit for use or prevent[s] or impair[s] the operation of” property.
Such a charge would, however, present some difficulties. It might be successful if the effect of a denial of service attack was to cause the server to crash – that temporary inoperability would certainly seem to constitute damage within the meaning of section 1. In the hypothetical above, however, C has not rendered the server inoperable but merely inaccessible – which would seem to fall outside the scope of the criminal damage offence.
On the other hand, using the reasoning in DPP v. Lennon it might be possible to characterise the attack as unauthorised access contrary to section 5 of the Criminal Damage Act 1991. The argument could be made that while public websites carry with them an implied permission to access the site, this permission does not (to use the words of Jack J.) cover visits which are made for “the purpose of interrupting the proper operation and use of [the] system”, so that such a visit would constitute operation of the server with intent to access data without lawful excuse.