HOPE9 Talk: Activist DDOS: When Similes and Metaphors Fail

EDIT: The video of this talk is now up! Check it out.

I presented this talk last night at HOPE Number Nine, which has been a super fun conference.  Don’t forget to check out the slide deck, which is full of lolcats.

In the interest of getting this up fast, I’m posting the raw version of my notes.  I’ll be adding citations over the next couple of days.



Previous characterizations of activist DDOS campaigns have traditionally fallen into one of two camps: those that unilaterally condemn activist DDOS campaigns as bullying and censorship, and those that align such actions with IRL sit ins.  Both these characterizations, however, cannot be applied to the entire landscape of activist DDOS campaigns as a whole. Rather, each campaign must be examined individually before a judgement can be made regarding its validity as a protest action.  DDOS as a tool cannot be wholly condemn or lauded without its surrounding context.

In this talk, I’ll be examining those previous characterizations, and at different DDOS campaigns that do and do not fit those models.  Next I’ll be outlining the current state of play of activist DDOS.  Finally I’ll be presenting a new analytical model for looking at activist DDOS campaigns, and presenting an analysis of the December 2010 Operation PayBack DDOS campaign against PayPal.  Also, to reward all you find people for coming out so late for this talk, there will be lots of pictures of cats.



The “censorship” characterization of activist DDOS as espoused by folks like Oxblood Ruffin from the Cult of the Dead Cow and others, claims that DDOS is equivalent to “shouting down” an opponent in a public forum, and that DDOS attacks deny individuals and organizations their rights to free speech.  In some but not all cases, this is a valid criticism, but before such a characterization can be made, we need to look at the motivation and intended effect of an action, the actual effects of the action and the technology used.

In July of 1997, a large scale DDOS attack was launched against the Institute for Global Communications (IGC), a non-profit internet service provider. The number of participants and the original organizers of the campaign are not known.

The attack was part of a wide spread public campaign to pressure the ISP to remove the website of the Basque publication Euskal Herria Journal, which was thought to have ties to the militant group, ETA.

The campaign was a combination of mailbombing and network-based DDOS attacks.  This was a populist-minded action; at one point, the major Spanish newspaper El Pais threw its support behind the mailbombing campaign and published target email addresses for the IGC in its digital edition, though it later retracted its support and removed the addresses from its website.

The IGC’s servers were knocked offline, rendering inaccessible the websites and email of over 13,000 subscribers.  While the IGC did eventually remove the Euskal Herria Journal‘s content from its servers, it replaced it with a statement decrying what it saw as vigilante censorship on the internet, and was supported in its arguments by groups like NetAction, Computer Professionals for Social Responsibility, and the Association for Progressive Communications.

The goal of the IGC action was to force IGC to remove the Euskal Herria Journal‘s website from its servers.  This was an objection to content being available on the internet. For as long as it was successfully running, the DDOS attack rendered that content unavailable to the internet.  So in actual effect, the IGC action was not so much a protest so much as it was the will of one group being forced on another.  “If you don’t take it down, we’ll take it down for you.”  No public debate was sought, and most of the publicity associated with the campaign revolved around recruiting participants, not articulating grievances.  The goal of the DDOS action was a permanent imposition of its immediate effects.  While DDOS actions are often condemned for being as good as censorship, the goal of the IGC action was censorship, and in the end, the condemnation it suffered was as much for its goal as for its tactics.  However, where the “censorship” condemnation falls short is in its assigning equal value to any potential target on the web.  The IGC attack targeted politically vulnerable speech online, and obliterated the Euskal Herria Journal‘s ability to reach its audience and crippled the IGC’s ability to perform its professional function.  However, targeting the website of a large corporation or government agency often has little effect on the actual operations of that entity or its ability to communicate with the public through media appearances and press releases. It would be absurd to declare an ethical equivalency between seeking to silence content  entirely, which is reprehensible, and the relative inconvenience suffered by large corporations whose online posters have briefly been torn down (to paraphrase XKCD).


The “electronic sit in” characterization was first clearly articulated by the Critical Art Ensemble, a performance art/activism collective in their essay “Electronic Civil Disobedience.”  There, they drew an equality between the monopolization of resources that takes place during an IRL sit-in, and the monopolization of resources which occurs on the technological level during a DDOS campaign.  This characterization draws heavily on the history of sit-ins in social movements for much of its validity.

In 2001, the Electronic Disturbance Theater, a spin-off of the Critical Art Ensemble, launched a campaign called the “Deportation Class Action.” Estimates put the number of participants at around 13,000, recruited primarily through activist and performance art mailing lists and websites.

The goal of the action was to draw public attention to the the German government’s use of the airline’s flights to deport immigrants, and through that public pressure change Lufthansa’s behavior as a corporation.  The online action was powered by FloodNet, a brower-based DDOS tool developed by the EDT in 1998.  The tool allowed users to participate in pre-planned DDOS campaigns, but required that users take the positive steps of navigating to the FloodNet page and choosing to participate in the action.  The FloodNet action was augmented by press releases and protests at Lufthansa stockholder meetings.

The action did result in some downtime for the Lufthansa homepage.  Shortly after the action, Lufthansa stopped allowing the German government to use its flights to deport immigrants.

The Lufthansa action resulted in the arrest and trial of Andreas-Thomas Vogel, who had run a website, libertad.de, which posted a call to action for the Lufthansa protest.  A lower court in Frankfurt initially found Vogel guilty of using force against Lufthansa, based on the economic losses the airline had suffered during the campaign.  Upon appeal, however, a higher court overturned the verdict, finding, “…the online demonstration did not constitute a show of force but was intended to influence public opinion.”

The stated goal of the Lufthansa action was to draw public attention to a specific aspect of the airline’s business, and through that attention change its behavior.  Though the DDOS attack took place on the internet, the effect it sought to have was not limited, was not even present, in the online realm.  It is important to note that, in and of itself, the DDOS attack could not have achieved what the EDT and Vogel set out to accomplish.  They set out to change the behavior of a corporation.  It took positive action on the part of Lufthansa for that to happen.  It could not be accomplished by fiat by activists on the outside.  One of the benefits of the “electronic sit in” characterization is that it references a tactic with a very visible history: most people already know what a sit-in looks like.  The comparison holds up provided the technology used remains heavily reliant on individual agency, with participants either using manual DDOS tools like FloodNet or participate in strictly voluntary botnets.  The use of sophisticated traffic multipliers, exploits or non-voluntary botnets complicates the situation enormously, and can make the use of this characterization seem overly simplistic and self-congratulatory.



The primary goals of many popular DDOS campaigns, or those which actively seek the participation of large numbers of people, are to direct media coverage, and to impact the identity of those participating in the action.  Like the Lufthansa campaign, these actions ultimately seek societal and policy changes that cannot be achieved simply by taking down a website.  Rather, the goal is to attract significant attention to a set of issues, and to cultivate a population that considers themselves activists, and who can be called on to participate in future actions.


It is much more difficult now than it was in 1997 or 2001 to bring down a corporate site through the power of individual activists alone.  Traffic multipliers and non-volunteer botnets can give all-volunteer efforts the boost needed to bring down a large site, but those tactics have the potential to delegitimize activist DDOS in the eyes of the media, policy makers, and participants.


The Electronic Disturbance Theater primarily spread word of its actions via activism and performance art centered email lists and message boards.  As a result, their participants were, more often than not, experienced activists well versed in the practices and risks of on-the-streets activism.  While they may have had an incomplete understand on the online space they were moving to, it is safe to assume that they had an understanding of the legal risks often associated with acts of civil disobedience.  As the Electronic Disturbance Theater was primarily engaged in drawing an explicit linkage between traditional forms of civil disobedience and digital actions like DDOS attacks, they were also aware, by association, of the illegal nature of the acts they were undertaking and the risks they were exposed to.

This has not necessarily been the case with more recent DDOS campaigns.  Activism-minded individuals have come onto the scene with little activism experience, either IRL or digital.  Their tactics are often innovative and interesting, but they lacked a core awareness of the basic risks they are exposing themselves to.  The media attention attracted by these actions attracts more neophytes to the cause, which is great for expanding the active population, but puts more pressure on those in leadership positions to educate newcomers.  The relative ease with which individuals can become involved, in a piecemeal fashion, with different campaigns also leads to high turnover in the active population, which makes things difficult for a political culture which is trying to establish its own internal norms and modes, as well as its legitimacy to outsiders.


Just in case there is any doubt, as of this talk, DDOS attacks remain illegal in most jurisdictions, including the United States, where it is a felony.  Participating in one remains a high risk activity, unlike many other activities associated with IRL activism, including street marches and sit-in.  The onus to educate inexperienced participants about these risks falls to the organizers, as does the ethical quandary of whether or not these types of actions are, at this time, worth the legal risk.


Finally, there are shifting views as to what constitutes a “successful” DDOS campaign.  Many activists are moving away from a strict binary “website up/website down” conception of success to more nuanced views, like number of participants, number of participants who stick around for other campaigns or levels of media coverage.


So in order to take into account both the new developments in activist DDOS campaigns and to allow for an accurate analysis of the use of the tactic, I propose an analytical model. Rather than reacting based on an objection to DDOSes as a whole or comparisons to already existing activist tactic, this model looks at the motivations behind a campaign, its intended effects, its actual effects, and the technologies used before coming to a conclusion on the legitimacy of an activist action.

Using this model we can look at Anonymous’s December 2010 Operation PayBack DDOS campaign against PayPal and other sites in the same way that we looked at the campaigns analyzed earlier.

While Operation PayBack began as an opposition to the MPAA and other copyright organizations, December 6, 2010 marked the beginning of the second stage, sometimes known as Operation Avenge Assange.  These attacks were powered by the LOIC DDOS tool, volunteer botnets running through the LOIC Fucking Hivemind mode, and non-volunteer botnets.

This stage of the campaign targeted organizations and individuals Anonymous believe were acting against the interests of Wikileaks, either by cutting off its channels of financial support, refusing to provide hosting to the website and its domain name, or by speaking out against the organization publicly.  The overall  goal was the draw attention to the ongoing banking blockade against Wikileaks, and to force media coverage of the issue.  Over the course of four days, Anonymous would launch DDOS attacks against the websites of the Swedish Prosecution Authority, EveryDNS, Senator Joseph Lieberman, MasterCard, two Swedish politicians, Visa, PayPal, and Amazon.com, forcing many of the sites to experience at least some amount of downtime.

The campaign led to massive amounts of media coverage, mostly of Anonymous itself, but also of the banking blockade and various other grievances publicized in Anonymous press releases and calls to action.  It brought extraordinary public attention to Anonymous, and with that many new participants.  It also led to the arrest of over a dozen participants in the United States, who were charged with felony violations of the Computer Fraud and Abuse act, with more individuals being arrested internationally.  Others had their homes raided by the FBI and their possessions seized.

The December DDOS attacks of Operation Payback bear a far closer resemblance to the Electronic Disturbance Theater’s 2001 Lufthansa action than they do to the IGC attacks of 1997.  Though the diffuse, unorganized, and leaderless Anons bear a much closer resemblance to the participant population of the IGC attacks, made up as it was of individuals recruited through enthusiastic media coverage, disparate people coming together for a moment around one emotional issue, the motivation and actual effects of Operation Payback are far more akin to the Electronic Disturbance Theater’s push for popular attention and policy change.  A primary goal of Operation Avenge Assange was to bring widespread attention to the plight of Wikileaks, and in that it succeeded.  A secondary goal was to cause financial damage and embarrassment to the corporations targeted, but as stated above, bringing down a corporate webpage does not restrict that corporation’s ability to function.  Rather, the corporations targeted by Anonymous had caused more harm to Wikileak’s ability to function by unilaterally cutting off its means of financial support and refusing to host it.  These actions in and of themselves constitute “denial of service” attacks in the most basic sense of the term.  The use of non-volunteer botnets to achieve downtime in the targeted servers in troubling, as is the lack of success in educating participants on the legal risks they were taking.  I feel that neither of these facts are troubling enough to completely delegitimize Operation PayBack as a reasonable act of civil protest, but they are mistakes that need to be learned from for future actions.


In conclusion, there are uses of DDOS that are more appropriate and acceptable in an activist context than others.  Not every DDOS attack that claims the activist label does so appropriately.  It is also possible to say that though the technological effects of one DDOS attack may be indistinguishable from another, the actual effects differ widely based on the circumstances and contexts of a given action.  Paradoxically, an attack on the homepage of a large corporation may draw a large amount of media attention, but have little immediate effect on the corporation itself, while an attack on a smaller, internet based organization may completely wipe it out while attracting no attention or criticism at all.

What may be considered censorship in one instance can be reasonably considered to not be censorship in another, though the technological facts remain the same.  When attempting to determine the validity of an activist DDOS action, or any contentious computer action, it is vital that we not privilege technological facts over the motivations and stated goals of the participants and the actual effects of the action.  To do so would ignore the fact that identical technological states can be arrived at under vastly differing circumstances, and ultimately devalues human agency in our dealings with technology.