2

I wasn't sure whether to put this in the legal or security stack exchange because this will take someone with considerable computer knowledge to answer.

Amyways, I want to try out an amplified DDOS attack using either an NTP server (which I think is public) or public DNS server. I know that running a DDOS attack on someone who is okay with it is legal, but this is using a public server to amplify the attack. The attack doesn't do any damage to the public server and only uses it as a middleman, but it doesn't use the server for what it's designed to do.

To be totally clear, this is for educational and not malicious purposes only.

Byte11
  • 551
  • 1
  • 5
  • 12
  • Interesting question, and I don't know the answer but would also like to know. Is there some reason you can't run this attack on an internal network set up to mimic this? – ian Jul 17 '17 at 16:32
  • I don't have a very powerful network, and since I'm doing this for educational purposes, I don't yet have the skills to do that. – Byte11 Jul 17 '17 at 17:30
  • Take a look into setting up a private network of multiple servers using Vagrant and you should be able to do this kind of thing without bothering anyone else. – ian Jul 18 '17 at 20:28

2 Answers2

1

"Public" DNS servers are public in the sense that they are available for the public to use by the adminstrator of each server. But each DNS server is run by either a government entity (or semi-government, such as a university or a government run corporation) or a private telecom company. And as such, each entity that runs a DNS server will have TOS (terms of service) that dictates the use of that server.

And each - I'd assume - forbids DNS access in for form of high-volume, repeated accesses such as would be used in a DDOS attack test. You should find the administrative domain and website of the DNS server you want to use from public-dns.info and read their TOS to determine their policies about access to their DNS services.

But there are many other factors involved in a DDOS attack test other than the one DNS service: you need to consider each ISP, each upstream provider, each network between the DNS service and the target server, in each country, as a DDOS attack - even a controlled stress test - creates huge amounts of traffic all across each network and as such costs time and money to each. And each services' TOS may very well forbid such use for a DDOS stress test.

You don't think a DDOS test will inflict "damage." It will: "damage" outlined in a TOS will be defined as CPU and network loads that cause slowness and network latency to other customers, time spent by admins to mitigate the issues, and more.

It doesn't matter that you are educational and not malicious.

Don't think that a DNS server administrator, the ISP, upstream providers, etc. can't track you down.

In the US at least, DDOS attacks are illegal: https://www.law.cornell.edu/uscode/text/18/1030#a_5

BlueDogRanch
  • 18,824
  • 5
  • 35
  • 61
  • I think your reference's 'without authorization' doesn't apply to this. –  Jul 17 '17 at 21:30
  • I don't plan to use anything but my own personal computer to run this. Even with the maximum power of my computer (and I don't plan to use more than 20%), it still won't make a noticeable dent in the DNS's servers, nor my ISP's. I don't plan to hide myself when running this attack. I want to make sure I'm doing a VERY small attack in a legal way. As far as I can tell from that link, I should be fine if I'm doing an attack that doesn't do any harm. I'm not doing a "controlled stress test" on a server. I'm seeing if I can kick my friend off the internet for 5 minutes. – Byte11 Jul 18 '17 at 17:16
  • You're a user of another (person's, company's, etc) service(s), be it DNS, ISP, and telecom. You don't get to decide if any of your actions (large or small) are an abuse of their service or cause harm to their services; they decide that. They outline their right to decide what abuse and harm is in their TOS, not you. You agree to their TOS by using their service(s). – BlueDogRanch Jul 18 '17 at 18:29
0

I am assuming this is in the UK, so we are talking about the Computer Misuse Act 1990, as amended by the Police & Justice Act 2006. Also note that I am not a lawyer.

The act prohibits any act or sequence of acts that "impairs" a computer. There is a bunch of clauses around this, but basically if you intentionally make the computer work slowly or cause any delay in access to it then you are guilty. You are also guilty if you are "reckless" about the impact.

"Reckless" means showing a complete lack of concern about the impacts of your actions. So I think that if you take positive steps to prevent or mitigate any impacts on the public server then you would have a defense against any charge of intent or recklessness. Good steps would be to estimate the available bandwidth of the server you are planning to use, limit the bandwidth of your simulation to a tiny fraction of that, and monitor the actual bandwidth during your demonstration so you can abort if anything goes wrong. You should document this ahead of time in a lesson plan or something.

The fact that you are using the public server for a purpose that the operator didn't have in mind is not (as far as I know) relevant.

In practice if you don't cause any problems then the likelihood of any police coming calling are very low.

Paul Johnson
  • 13,533
  • 2
  • 38
  • 60
  • I'm in the US but I should be the same either way. My entire network combined isn't close to enough to do any damage to the DNS server and I don't plan to use that much power. – Byte11 Jul 17 '17 at 18:12
  • The US law is at https://www.law.cornell.edu/uscode/text/18/1030. Its less clear about DDOS, but I agree that all the relevant sections seem to be bounded by "intent" and "reckless" qualifiers. – Paul Johnson Jul 17 '17 at 18:20
  • @PaulJohnson "The fact that you are using the public server for a purpose that the operator didn't have in mind is not (as far as I know) relevant." Of course it is relevant; any DNS service has a TOS that will be violated by any form of abuse. – BlueDogRanch Jul 17 '17 at 19:13
  • @BlueDogRanch, thats an interesting issue. In theory the TOS is merely a civil contract, so usage outside the TOS that does not reach the threshold of criminality is merely something they could sue you for. However in the US the government has sometimes argued that anything outside the TOS is a crime of access without authorisation. https://www.eff.org/press/releases/eff-asks-supreme-court-review-dangerous-interpretation-computer-crime-statute – Paul Johnson Jul 18 '17 at 21:34