In a legal decision published online this week, a state court in Düsseldorf found that a denial of service attack against a website can be prosecuted under current German law.
The case, which was decided in late March 2011, revolved around a man living in the Frankfurt area, who was convicted on six counts of "computer sabotage" and three counts of extortion. Computer sabotage is already an offense under the German criminal code, and the court has now found that it covers distributed denial of service, or DDOS, attacks.
The defendant, who was not named in the legal decision, was convicted of having successfully blackmailed three online German betting sites and attempting to blackmail three others by threatening them with crippling DDOS attacks that would make their sites unusable.
The German defendant was sentenced to two years and 10 months in prison, and was ordered to compensate the companies for their losses of up to 350,000 euros ($504,000).
The legal decision outlines how the man hired the services of a Russian botnet at a price of $65 per day, and threatened the six bookmakers by telling them that he would make their sites unusable during a particularly high-volume time - July 2010, during the World Cup - if they did not pay him 2,500 euros ($3,700). Botnets can be used to artificially flood a website with traffic, which makes it unusable.
This tactic is often used against offshore betting sites around the world as a way to quickly extort money during high-traffic periods.
Three of the sites paid a combined total of 5,000 euros, while the three others refused, even after the defendant reduced the demanded amount to a "friendship price" of 1,000 euros.
Few DDOS cases in German courts
Legal observers noted that this is one of the few German cases that have dealt directly with DDOS attacks, which have been increasingly used in recent months for political purposes, most notably by the online vigilante group Anonymous.
On Sunday and Monday, respectively, authorities in Turkey and Spain said that they had arrested members of Anonymous for conducting cyber-attacks in their countries as well.
However, in May 2006, a Frankfurt appeals court ruled that a 2001 DDOS attack against Lufthansa, which was also accompanied by a sit-in at the company's headquarters, did not violate German law.
In that case, two non-profit organizations, "Libertad" and "Kein Mensch ist illegal" (No person is illegal), were protesting the airline's use of its airplanes to deport people seeking asylum in Germany. At that time, 13,000 people flooded the Lufthansa website with traffic. The airline charged the protestors with coercion in a legal case in 2005.
Legal and Internet experts said the 2011 Düsseldorf decision differs from the 2006 Frankfurt decision as it involves criminal extortion rather than political protest.
"I believe the decision to be correct," said Dominik Boecker, an IT attorney in Cologne, in an e-mail sent to Deutsche Welle. "DDOSing the website of a company is a stupid idea. The criminal norm is problematic though: the request to the server is the same that occurs if [you're using the site normally]."
He explained that the burden is on the prosecution to show that there was criminal intent, and therefore that the case should be punished under the appropriate section of the German criminal code.
"If you're using a browser, everything should be fine," he added. "If you use a specialized program to submit lots and lots of requests to a server, [that] is very problematic."
Joe McNamee, the head of European Digital Rights, an Internet advocacy group in Brussels, pointed out that European law is already very clear when it comes to the illegality of DDOS attacks, which are covered under the 2005 Attacks Against Computer Systems Framework Decision.
However, as DDOS attacks become more prominent, McNamee pointed out that the European Commission has proposed rules that would increase penalties for the illegal use of botnets and other cybercrimes.
Author: Cyrus Farivar
Editor: Sean Sinico