Computer Misuse: Denial-of-Service Attacks
| Date | 01 December 2006 |
| Published date | 01 December 2006 |
| DOI | 10.1350/jcla.2006.70.6.474 |
| Subject Matter | Divisional Court |
Divisional Court
Computer Misuse: Denial-of-service Attacks
DPP v Lennon [2006] EWHC 1201 (Admin)
The respondent had been charged under s. 3(1) of the Computer Misuse
Act 1990 (‘the 1990 Act’) (unauthorised modification of computer
material) which provides that inter alia a person is guilty of an offence if
he intentionally does any act which causes an unauthorised modifica-
tion of the contents of any computer (with the knowledge that the
modification is unauthorised) and by so doing permanently or tempor-
arily impairs the operation of that computer. He was employed by
Domestic and General Group plc (D&G) from October to December
2003, when he was dismissed after failing to complete a time sheet. He
was 16 years of age at the time. On Friday 30 January 2004, he started
sending e-mails to D&G using a mail-bombing program (Avalanche v.
3.6) which he had downloaded via the internet. Mail-bombing is
characterised by the repeated sending of e-mail messages to a particular
e-mail address (or addresses) within an organisation. In many instances,
these messages will be large and constructed from meaningless data in
an effort to consume additional system and network resources. This is an
example of a ‘denial-of-service’ attack where a deliberate attempt is
made to stop a machine from performing its usual activities by over-
whelming it by large volumes of specious traffic from another computer.
The Avalanche program was set to ‘mail until stopped’: in other words,
e-mail would be sent to D&G automatically and continuously until some
sort of manual intervention. The e-mail sent also ‘spoofed’ the name of
Betty Rhodes, who was D&G’s personnel manager: therefore they
appeared to be from Ms Rhodes, rather than from the respondent. Each
e-mail sent was also copied to a list of other D&G employees, thereby
increasing the overall number of messages needing to be handled by
D&G’s network and e-mail servers. Toward the end of the mail-
bombing, different addresses were used in an attempt to circumvent any
measures that might be put in place by D&G to block their arrival. The
last message said ‘it won’t stop’ and was addressed to Ms Rhodes.
Between Friday and Monday, when D&G’s staff returned to work, it
was estimated that approximately 5 million e-mails had been received
by its servers which were consequently overwhelmed and brought
down along with the corporate web site. The attack was subsequently
neutralised. The respondent was arrested. He admitted to sending the
e-mails from ‘Betty Rhodes’ with the intention of causing a ‘bit of a mess
up’ within D&G. However, he did not believe that what he had done was
criminal, neither did he realise the impact of his actions, nor the inten-
tion to cause the damage that was in fact sustained by D&G, estimated at
around £18,000. He did, however, state that he could have carried out a
‘ping’ attack. ‘Ping’ is a simple computer network tool which determines
whether a particular computer is reachable over an internet protocol
474
To continue reading
Request your trial