SOPA Could Create New Denial of Service Attack, Powered by Law not Botnets

by Matthew Prince.

The United States House of Representatives is considering the Stop Online Piracy Act, known as SOPA. Companies including Google, Zynga, Facebook, Yahoo, AOL, and Mozilla, along with organizations like the Electronic Frontier Foundation (EFF) have been sharply critical of the law. At CloudFlare, we share these concerns but see another significant risk: that SOPA's proposed restrictions could be used to launch a new form of denial of service attack against which I'm not sure we will be able to defend.

The Status Quo

There is no denying that the Internet creates new challenges for content creators. We see this first hand. CloudFlare's users are content creators. Every day they publish unique content and are deeply concerned when that content is used without their permission. We spend significant time building technologies, such as tools to prevent content scraping bots, in order to help publishers keep their content from being stolen.

At CloudFlare we also receive requests from content owners alleging one of our users has published their content without their permission. While CloudFlare is not a hosting provider, we do sit as a network provider in front of websites in order to make them faster and shield them from attack. The Digital Millennium Copyright Act, known as the DMCA, contemplates network providers like CloudFlare and generally outlines the procedures we take to reveal the actual host of a website when we are contacted by a copyright holder with a valid complaint.

Abusing the DMCA

We've been seeing a disturbing trend recently. Increasingly, we're receiving purported DMCA requests that ask us to identify website hosts that are actually from attackers abusing the legal code. If we reveal the requested information, attacks are launched directly at those hosts, bypassing CloudFlare's protections and knocking legitimate sites offline. Initially, these requests were relatively easy to spot. When we recognized the new attack method, we changed our policies and trained our customer support team to more carefully screen DMCA requests. Increasingly, however, the requests are becoming more sophisticated and difficult to detect.

Imagine the challenge for someone on CloudFlare's support team. If someone writes to us alleging that they are a photographer who took a picture that appears on a website, or a designer who drew a logo, or an author who wrote some text, how can that claim be verified? I'm an attorney and member of the bar. I teach a course on intellectual property and technology law at the John Marshall Law School. I serve on the Board of the Center for Information Technology and Privacy Law. I've reviewed many of these requests and, even with my training in the subject, I have no idea how to effectively and efficiently tell the difference between valid and invalid complaints.

In an Internet without bad guys, the consequences of revealing a host's information is relatively minimal. Unfortunately, the Internet is full of bad guys. There has been a steady rise in attacks, increasingly affecting legitimate small businesses and ecommerce sites. These attacks have been part of why more than 100,000 websites have sought shelter behind CloudFlare in just the last 12 months. We offer great technical protections to shield sites from attack, but I'm concerned some of our efforts could be undermined by new laws like SOPA.

SOPA: Enabling a Purely Legal DDoS

CloudFlare's policy under the DMCA is to reveal information about the origin host when we receive a valid copyright complaint. If we make a mistake and reveal the origin host to a bad guy, then the bad guy still needs the technical acumen to launch a DDoS attack. What's concerning to me about SOPA is it could remove the technical requirement and effectively streamline DDoS attacks.

SOPA, as it is currently written, requires network service providers like CloudFlare to stop resolving DNS for sites that are alleged copyright violators. The allegation merely needs to include some reasonable evidence. In other words, a carefully crafted letter, or forged subpoena, could be all it takes for a future attacker to knock a site offline. No botnet needed, just a passable mastery of legalese.

While it is important to acknowledge the need for copyright protections online and to provide systems to protect content creators, new laws designed to uphold those protections need to be carefully crafted so as to not create substantial new security risks. Writing bad computer code has always provided a vector for attacks. I'm increasingly concerned that writing bad legal code, like SOPA, will provide a similar vector.

If you're in the US, follow this link to the EFF's site. From there, it takes less than a minute to send a message to your legislators to tell them SOPA is a bad idea.

comments powered by Disqus