Denial of Service (DoS) attack and relevant Indian Laws

What is a DoS (Denial of Service) attack? And how is it committed?

To understand DoS, you need an idea of what the Service being provided is, how someone can deny it to you, and why that counts as an attack.

 

What is the Service?

Every website you visit is made up of files like the ones in your Downloads folder: pictures, Word files, PDF files, MP3 files, videos, and so on. On any given website all these files are organised in an easy-to-use, presentable format called HTML. HTML (Hyper Text Markup Language) is a convention used to structure data in a viewer-friendly manner.

You can also make HTML files with software such as Microsoft FrontPage (old, legacy), Adobe Dreamweaver (contemporary) or Sublime Text (for advanced users).

Whatever you are looking at right now, even this text, is organised in a specific format and saved as .html files (on my server) which you are accessing and reading now.

That is not yet the whole of the Service, though.

The other component of the Service is the operation of a server. Believe it or not, you have made use of at least fifty servers since this morning.

A server is a highly specialised computer designed only to serve web content. The HTML files we were discussing are stored on these servers, and the servers are connected to the internet in the same way you are. That connection lets anyone else access the files kept on the server computer.

So for example, if you are watching a video on YouTube, you are accessing an HTML file kept on YouTube’s servers which has an embedded video on it. YouTube lets you access and watch it because then YouTube can show you ads. This transaction is thus complete with a win-win situation for YouTube and you.

The Service is complete when the Server renders the data to a user, and the user is able to access it successfully.

 

How do you then deny it?

Denying it is actually easier than setting up the service. Remember the part where the server is nothing but a super specialised computer? Yes.

And just like all computers (including yours), servers can slow down to a screeching halt and freeze to lifelessness. Once a server hangs, and until it is restarted, whoever visits it through the internet will see a 500 Internal Server Error, a 503 Service Unavailable, or any other error with a status code in the 500 to 511 range. I am sure you must have seen quite a few of these.

The way forward then is to visit the target website as many times as possible in a short period of time. A flood of visits to the same website will get the server busier than normal, and slow it down by taking up all the server resources like RAM, CPU and internet bandwidth.

Therefore if your friend wants to deny your access to YouTube, he can do so by artificially bringing YouTube’s servers to a halt or slowing them down.

For him to pull off that feat on a website of that scale, he will most likely need to visit it a whopping 500 million times in under an hour. Once he manages to take YouTube down, congratulations: he has broken the law.

 

How is it an attack?

Well, if you understood the Service part, the Denial part and the frustration that comes with it, you would never want this to happen to YouTube had you owned it. Even one hour of downtime for YouTube would mean millions of lost business opportunities, and billions in losses from lost user confidence. I would personally term any losses above the $100 mark as an attack.

 

How to do it?

There are multiple free, open source and premium software tools which can do exactly that. These can be installed on any laptop or computer and put to action in under a minute. The most popular of them all are probably the Low Orbit Ion Cannon (LOIC) and the High Orbit Ion Cannon (HOIC). Others are also available under the names Locust, CloudTest, LoadRunner, etc.

If you do not want to dive into all the details, some very easy-to-use online services also exist under the names Loader.io, blitz.io, etc.

You can find LOIC here: https://github.com/NewEraCracker/LOIC

The HOIC is the latest version of LOIC, and it is analogous to the Death Star from Star Wars: it can launch parallel attacks on as many as 256 URLs at one go.

 

Why are the softwares freely available?

Like everything else, software is also known to be abused. What started out as a network stress testing tool has quickly become an innovative way to attack and cause harm to others.

Software like Locust, CloudTest and LoadRunner, and many other open source variants, exist simply for network administrators who need to test different flows of traffic on their own networks.

As long as you are doing it on your own network, or on a network you are authorised to test, it is entirely legal. It becomes illegal only when it is done without authorisation and with the intention to cause disruption.

 

Different types of attacks: the difference between DoS, DDoS and APDoS

If the offending computer is a single entity it is simply called Denial of Service (DoS), but when such an attack is orchestrated across multiple machines in parallel it is called Distributed Denial of Service, or DDoS.

And when the attack is made through a very large array of computers (tens of millions), with sophisticated and advanced methods, it can last for weeks. Such an attack is called advanced persistent DoS, or APDoS.

It would be very foolish of anyone to try a DoS attack without adequate measures. The prime characteristic of a DoS attack is repeated, similar requests from the same IP address, which makes the offending address easy to block. However, in the advanced versions, DDoS and APDoS, there are two classes of victims: those whose servers have been targeted, and those whose computers have been used without their knowledge to pull off the offence.

In DDoS and APDoS, various kinds of malware and viruses are spread over the internet to unsuspecting users, and their computers are then used to mount a massive attack on a third party.

The trickiest, and the most difficult to diagnose, are Degradation of Service attacks. These are highly advanced, with algorithms that detect the victim's network capacity; on that basis the attack is tuned not to hang the servers but to increase error rates and slow down network ingress and egress. Such attacks can go on for weeks before detection and cause the heaviest losses at the least cost.
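A defender-side illustration of the "repeated similar requests from the same IP address" characteristic, added here and not part of the original article: the script below parses a few constructed access-log lines, counts requests per IP address in a sliding window and flags an address that repeats the same request too quickly. It also tracks the total request rate and the share of 5xx responses, because a distributed flood or a degradation attack will not trip a per-address threshold. The log lines, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format), not taken from any real server.
# 10.0.0.5 repeats the same request within a couple of seconds; 10.0.0.9 is a normal visitor.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2016:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2016:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2016:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2016:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2016:13:55:41 +0000] "GET /index.html HTTP/1.1" 503 0
10.0.0.5 - - [10/Oct/2016:13:55:42 +0000] "GET /index.html HTTP/1.1" 503 0
10.0.0.9 - - [10/Oct/2016:13:55:50 +0000] "GET /about.html HTTP/1.1" 200 1024
10.0.0.5 - - [10/Oct/2016:13:56:30 +0000] "GET /index.html HTTP/1.1" 200 2326
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) for a CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flag_floods(log_text, window_seconds=10, per_ip_limit=4, total_limit=20):
    """Sliding-window request counting over an access log (thresholds are assumed values).

    flagged_ips: addresses that made more than per_ip_limit requests in any window.
    peak_requests_in_window: highest total request count seen in any window, across
    all addresses; total_flood is True when it exceeds total_limit. This is what
    surfaces a distributed flood, where no single address trips the per-IP limit.
    error_share: fraction of 5xx responses, a rising value being the signature of
    a degradation attack rather than an outright outage.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
    all_ts = deque()              # timestamps of every request inside the window
    flagged = set()
    peak_total = 0
    errors = 0
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])   # logs are normally in order; sort defensively
    for ip, ts, _req, status in events:
        if status >= 500:
            errors += 1
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit:
            flagged.add(ip)
        all_ts.append(ts)
        while ts - all_ts[0] > window:
            all_ts.popleft()
        peak_total = max(peak_total, len(all_ts))
    return {
        "flagged_ips": flagged,
        "peak_requests_in_window": peak_total,
        "total_flood": peak_total > total_limit,
        "error_share": errors / len(events) if events else 0.0,
    }


if __name__ == "__main__":
    print(flag_floods(SAMPLE_LOG))
```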

 

Laws of India on this?

Whether it is a simple disruption, degradation, denial or distributed denial, Indian law has provisions for all of them.

Section 43 (e), (f) and (g) of the Information Technology Act, 2008 provide watertight provisions which, as of now, cover the entire gamut of DoS attacks.

If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network,

  1. disrupts or causes disruption of any computer, computer system or computer network; (applicable in cases of disruption and degradation)
  2. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (applicable in cases of denial or distributed denial or advanced persistent denial)
  3. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder; (applicable in cases of denial or distributed denial or advanced persistent denial)

then such a person can be made liable under the Act.

Moreover, there is another clause that covers cyber terrorism which is punishable with life imprisonment.

Section 66F. Punishment for cyber terrorism

  1. Whoever,
    1. with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –
      1. denying or cause the denial of access to any person authorized to access computer resource; or …
    2. … commits the offence of cyber terrorism.
  2. Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

 

Pertinent History

The first big-ticket DDoS attack happened on the Church of Scientology in 2008. It was organised by the Anonymous group, apparently the largest hackers' network, in protest against the philosophies and practices of the Church of Scientology.

In June 2014, the Occupy Central movement in Hong Kong was responsible for taking down multiple websites of the Chinese Government. This too was in protest, against the Chinese voting system, in which a fixed 1200-member committee elects new leaders to power.

In April 2015, TRAI released a list of over a million email ids of people who had written to TRAI favouring Net Neutrality. TRAI was foolish enough to release the email ids along with the names of the users and their messages. A group of hackers calling themselves Anonymous India saved the day by DDoSing TRAI's website so that no one could download the list of email ids. It was supposedly a gold mine for spammers.

Supporters of Wikileaks have attacked websites of the US Government and of financial institutions, to the extent that Mr. Assange had to request everyone, in a tweet, to stop all such activities.

Software and Mathematical Algorithms: Is Mathematics discovered or invented?

In the early 1990s the U.S. Patent Office issued several patents that reawakened interest in the patentability of “pure” algorithms. The first, U.S. Patent No. 4,744,028, issued to one Dr. Karmarkar and was assigned to AT&T Bell Labs.

This patent covers a new linear algebra technique for allocating scarce resources in a large system such as a telephone network (AT&T’s obvious application of the invention). The Karmarkar algorithm describes an improvement on the well-known (to mathematicians) “simplex method” for solving a very large series of equations, which is how these resource allocation problems are set up mathematically.

The second patent issued on a "pure algorithm" covers a mathematical technique known as the Discrete Bracewell Transform, in the field of signal processing. Bracewell's advance was to create an algorithm that handles sophisticated signal processing without using what are known as "complex" numbers. (These are numbers based on the square root of negative one.)

These patents, which are expected to lead to applications by other mathematicians, raise anew the problems hinted at in the Benson and Diehr cases: what is the nature of mathematics? How do algorithms relate to laws of nature and natural products? Should patents be allowed on “this type” of subject matter?

In comparing computer algorithms to natural products and laws of nature, Justice Douglas states:

Phenomena of nature, though just discovered, mental processes, and abstract intellectual concepts are not patentable, as they are the basic tools of scientific and technological work

Benson, 409 U.S. at 67.

What view of algorithms, and of mathematics as a whole, is implicit in this statement?

The debate amongst mathematicians on the exact nature of what they do has taken many forms. However, it is possible to simplify the various positions by marshalling them into two main groups.

First are the Platonists, who believe that mathematics is a real phenomenon which is discovered by mathematicians in the course of their research. On this view, mathematicians simply discover the ordered relationships that nature has laid down.

The alternative view is that mathematics is simply a formal game, which mathematicians “make up” in accordance with strict rules. According to this “formalist” theory, mathematics does not describe any underlying reality. One must simply be careful to state mathematical assertions according to the accepted “rules of the game”. This view comes closer to the theory that math is “invented” by mathematicians.

One overview of the field states:

Most writers on the subject seem to agree that the typical working mathematician is a Platonist on weekdays and a formalist on Sundays. That is, when he is doing mathematics he is convinced that he is dealing with an objective reality whose properties he is attempting to determine. But then, when challenged to give a philosophical account of this reality, he finds it easiest to pretend that he does not believe in it after all.

P. Davis & R. Hersh, The Mathematical Experience 321 (1981).

But the view that math is invented is more starkly stated in the philosophy of Imre Lakatos. Lakatos, whose Proofs and Refutations was published in 1976, sets out a theory of mathematics which places it more properly within modern traditions of the history of science. That is, Lakatos believed that mathematics grows by the criticism and corrections of theories which are never entirely free of ambiguity or the possibility of error. According to Davis and Hersh:

Starting from a problem or a conjecture, there is a simultaneous search for proofs and counterexamples. New proofs explain old counterexamples, new counterexamples undermine old proofs. To Lakatos, “proof” in this context of informal mathematics does not mean a mechanical procedure which carries truth in an unbreakable chain from assumptions to conclusions. Rather, it means explanations, justifications, elaborations which make the conjecture more plausible, more convincing, while it is being made more detailed and accurate under the pressure of counterexamples.

P. Davis & R. Hersh, The Mathematical Experience, supra, at 347 (1981).

Note that in this passage the authors are discussing Lakatos' view of that part of mathematics which is in the process of growth and discovery, rather than "settled" mathematics. However, the authors point out that "informal" or unsettled mathematics "is of course mathematics as it is known to mathematicians and students of mathematics" – i.e., the most significant part of the field.

These two authors conclude that neither the Platonist nor the Formalist philosophy of mathematics is ultimately satisfying. They propose instead a view of mathematics that combines the objectivity of the Platonist view with the reliance on social consensus of the Formalist view:

Mathematics is not the study of an ideal, pre-existing non-temporal reality. Neither is it a chess-like game with made-up symbols and formulas. Rather, it is the part of human studies which is capable of achieving science-like consensus, capable of establishing reproducible results. The existence of the subject called mathematics is a fact, not a question. This fact means no more and no less than the existence of modes of reasoning and argument about ideas which are compelling and conclusive, "noncontroversial" when once understood.

P. Davis & R. Hersh, The Mathematical Experience, supra, at 410 (1981).

Mathematics, the authors conclude, has “conclusions [which] are compelling like the conclusions of natural science. They are not simply products of opinion, and not subject to permanent disagreement like the ideas of literary criticism.”

That is, while admitting that at any given time certain propositions at the frontiers of mathematics may be fallible or correctable, they deny that this makes mathematics a meaningless battle of symbols.

What does all this mean for the patent system? First of all, it sheds some light on the naive Platonism of the early Supreme Court opinions on algorithms. As Davis and Hersh point out, there is no consensus among mathematicians that they are in fact discovering a preexisting reality. Thus, the Supreme Court's treatment of algorithms – as akin to other "found" natural objects, such as products of nature – conflicts with the views that many sophisticated mathematicians seem to have of their field. Of course, these views are normally expressed only when "frontier" or pioneer mathematics is at issue; much of the applied mathematics which is the subject matter of algorithm claims would probably be considered outside the discussion of mathematical philosophy anyway. However, even these applied algorithms raise the same philosophical problems. It must be noted that since applied mathematics strives to emulate underlying physical relationships, there is a much stronger pull toward the Platonist position when this branch of mathematics is under investigation.

Perhaps this explains some of the cases we have examined. For instance, the use of the Arrhenius Equation in the rubber-curing process at issue in the Diehr case is well within the realm of applied mathematics. That is, this equation tries to capture a physical relationship and state it as a "law". For the variables stated in this equation, the relationship which it sets forth will always hold. On the other hand, consider the algorithm at issue in the Benson case. This was a "pure" mathematical algorithm which converts binary coded decimal numerals into their binary equivalents. Since numbers of a given base (e.g., base 2, or base 10, the decimal system) do not really correspond to any physical objects, this is an algorithm which states only an abstract relationship. (Compare this to the variables in the Arrhenius equation, which stand for physical properties – pressure, heat and so on.) Perhaps the differences between the Arrhenius equation in the Diehr case and the "pure" number conversion algorithm in the Benson case go a long way toward explaining the different outcomes of the two cases. In any event, the statements made in Benson about the nature of mathematics surely conflict both with the offhand treatment of the mathematical aspects of the Diehr process and with the way in which mathematicians themselves view their field, or at least that part of it which deals with purely abstract matters.

The underlying view of mathematics contained in the Benson case may one day be tested when the new generation of mathematical algorithm patents – such as the Karmarkar patent discussed above – come under review.

In the meantime, the debate over the nature of mathematical algorithms is very much alive. Consider some recent comments on the Bracewell and Karmarkar patents, discussed above:

Unlike an industrial technology, an algorithm, the step-by-step recipe for carrying out a mathematical calculation, might seem more like something that is discovered than invented. But in the last few years, corporations have been patenting these abstract procedures, leading many mathematicians to complain that the free flow of ideas is in danger of being interrupted.
“The tradition in algorithms has been that they should be free,” said Ronald Rivest, a mathematician at the Massachusetts Institute of Technology, who said he had mixed feelings on the subject. “Research generally has proceeded on that basis.”
Michael Ian Shamos, a mathematician and computer scientist at Carnegie Mellon University in Pittsburgh and a lawyer in private practice, said that the patenting of important algorithms is contrary to the best interests of science.
“Mathematical facts are the building blocks of research,” he said. “I’m an intellectual property attorney. I like patents. But the patent law was never designed to apply to algorithms. The argument that you spent lots of money developing an algorithm and therefore you should be able to protect it is nonsense.”

G. Kolata, Mathematicians Are Troubled by Claims on Their Recipes, N.Y. Times, March 12, 1989.

For an argument that the entire software patent issue should turn on the invention/discovery distinction, see John A. Burtis, Comment, Towards a Rational Jurisprudence of Computer-related Patentability in Light of In re Alappat, 79 Minn. L. Rev. (1995).

Burtis observes that “Mathematical expressions may be used to describe both discovered and invented subject matter and are therefore imperfect proxies for mathematical truths and other laws of nature.” He concludes by arguing that a “tightly-defined test built on a robust discovery and invention distinction” would improve on Alappat. He then tries to enunciate a test to identify whether an algorithm claim essentially encompasses a “natural truth,” in which case it is an unpatentable discovery, or whether it contains “an implicit, but real, use limitation,” i.e., is tied to a specific application or field of use. Id., at 1165.

In the end, the analysis is helpful because it focuses on the scope of software claims. Recall that in many ways this was the underlying concern in Benson – the case that caused most of the headaches that now plague the law in this area. This approach can be seen as implicitly arguing that software patent doctrine went awry when it rejected “field of use” limitation as a way of preserving patentability.

 

Digital Currency Regulator: the need to be set up in India

A lot of interesting concepts were discussed at the Global Technology Summit held recently, in December 2016. It was organised by Carnegie India, the Indian chapter of the Carnegie Endowment for International Peace.

The Global Technology Summit is particularly important at this point in time, as we strive to move towards a cashless economy and, in particular, digital currency.

The topic of a Digital Currency Regulator ("DCR") came up for discussion, so we need to know more about the roles such a regulator would play and the regulations it would be involved in.

The Monetary Authority of Singapore ("MAS") is a model to learn from in this context.

What is the typical role of a DCR? What does it do differently?

Around the world it has been the convention to put out white papers inviting suggestions, advice and criticism from the general public and all stakeholders. Because the needs and pace of the technology industry are quite different, this traditional or conventional model of public participation does not produce efficient outputs.

MAS innovatively brings entrepreneurs, MNCs, governmental authorities and regulators together through different events and programmes. MAS organises safe virtual environments where software is allowed to run and mimic real-life interactions. In a nutshell, MAS helps entrepreneurs test their ideas in a sandbox, and makes it easier for regulators to approve or deny technological innovations when it comes to digital currency.

Here, banks and other big corporates regularly share the bottlenecks they want to overcome in their businesses, and developers and entrepreneurs have ready access to an ecosystem where they can constantly solve problems.

The best part of such collaborations is that regulations can be effected instantly, before any new technological standard hits the market. The Government can keep a tab on the latest inventions and discoveries without investing a tonne of sweat.

MAS has effected a lot of changes recently, particularly to the rules on outsourcing, cloud hosting, Application Programming Interfaces and open source programming.

While developing new technologies, startups face a lack of incentives in terms of finance and growth prospects, as well as regulatory interference. While some technologies take governments by storm, some very innovative ideas are never heard of.

For example, no country yet knows perfectly how to handle Uber, while alternative technologies for e-signatures like Blockchain have not yet found adoption in India.

Recently the National Payment Corporation of India released advisory instructions to banks for enabling the Universal Payment Interface. Such recourse would not have been necessary if banks and regulators had been kept in constant touch with entrepreneurs and developers.

The platform created by MAS invests in learning about disruptive technologies and constantly creates challenges and incentives for developers to explore further. But unlike Singapore, India does not have a regulator like MAS.