
In two recent examples of conflict online—the Internet's response to Iran's rigged election, and 4chan's reaction to AT&T's perceived censorship—distributed denial of service attacks have been wielded (or threatened) as a powerful and disruptive, nonviolent tool for change. The relative ease with which one can coordinate and participate in such an attack means this tactic can be employed by individuals or small groups, not just militaries and large corporations. But what are the ramifications of empowering individuals to take down government sites? And what are the moral implications of adding DDoS attacks to a social movement's repertoire?
DDoS attacks are infamous for their ability to take down even the most hardened servers, and have been used by criminals to extort money from gambling sites, by corporations to disrupt the business of their competitors, and by hackers, often simply to make life difficult for the rest of us.
The elusive power underlying this type of attack is its swarm nature. Rather than a single computer exploiting a single weak point of a target, as traditional hacks might, a DDoS attack is carried out by tens or hundreds of thousands of computers in tandem, all of which direct a steady stream of traffic to a target server. From a single computer, this stream of data would be harmless, but together with the rest of the swarm, the traffic overwhelms the server, which is unable to reply to every machine. This can result in reduced or total loss of server functionality, often for hours or days.
Most DDoS attacks are carried out by botnets—networks of computers infected by malicious code that, when activated, unbeknownst to their owners, carry out any instructions given to them. The largest known botnet, Srizbi, was estimated at 450,000 machines in 2008, and was purportedly responsible for 75% of the world's volume of spam before its ISP blocked it at the end of last year. Such botnets are a source of revenue for their owners, who charge clients to rent the network for attacks or to send spam. Thus, while one might have no technical ability to create a botnet, they can hire one to carry out a DDoS.
The recent DDoS attacks on US and South Korean government sites were carried out by such a botnet controlled, as a security firm revealed, by command and control servers in the UK, not North Korea as the US had previously asserted. It has not yet been revealed whether the attacks were made by those who amassed the botnet or by someone who rented time on it.
Because a botnet is created by illegally and clandestinely hijacking users' computers, potentially damaging their data or implicating them in an attack, there can be little doubt as to this method's moral implications. Some may argue big targets legitimize the use of botnets, but doing so not only violates individuals' rights to secure computing, but also forces them into the position of participating in an attack against their will.
However, there is another method that requires the consent and intentional participation of users. In the recent attacks on Iranian sites following June's elections, some outside Iran implored others to help by voluntarily running a simple program or a web-based script that would incessantly contact target servers. Links to sites like Page Reboot, which automatically reloads a user-chosen URL every few seconds, or Die, Mahmoud, die!!! (WARNING: clicking automatically begins DDoS), which attacks only president.ir, proliferated on Twitter. Those with some coding skill posted scripts on their blogs that users could install and run from their web servers, along with lists of targets.
As user-generated DDoS attacks continued, media outlets reported the bandwidth-intensive activities would inadvertently harm Iranian citizens by congesting the entire Iranian network. The news spread quickly on sites like Anonymous Iran, which is supported by The Pirate Bay, and hosted by Anonymous, the same group that has been taking on the Church of Scientology for more than a year. In response, DDoSers changed their behavior to utilize "slow denial of service," which forces a server's socket connections to remain open without bombarding the machine with bandwidth. By doing so, DDoSers effectively disrupted Iranian government sites while attempting not to reduce bandwidth across the entire country—a strategy that demonstrates precision and restraint in its selective damage, and greater ethical consideration than botnet DDoS attacks in its voluntary nature.
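From the defender's side, the distinction drawn above matters because a slow denial of service barely registers in bandwidth figures. The sketch below is an added example, not part of the original article: it labels clients from per-connection records and compares bytes sent with socket time held. The sample records, documentation-range addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (client_ip, seconds_open, bytes_from_client) seen by one
# server in a two-minute window. Addresses are documentation ranges.
SAMPLE = (
    [("192.0.2.10", 1.5, 900)] * 4          # ordinary browsing
    + [("203.0.113.9", 0.2, 600)] * 200     # rapid page reloads
    + [("198.51.100.7", 110.0, 400)] * 8    # sockets held open, few bytes
)

def classify_clients(conns, flood_conns=100, held_conns=5,
                     held_secs=60.0, held_rate=20.0):
    """Return {client_ip: label}. Thresholds are illustrative assumptions."""
    per_client = defaultdict(list)
    for ip, secs, nbytes in conns:
        per_client[ip].append((secs, nbytes))
    labels = {}
    for ip, rows in per_client.items():
        # A held connection stays open a long time yet sends almost nothing.
        held = sum(1 for secs, nbytes in rows
                   if secs >= held_secs and nbytes / secs <= held_rate)
        if held >= held_conns:
            labels[ip] = "slow"
        elif len(rows) >= flood_conns:
            labels[ip] = "flood"
        else:
            labels[ip] = "normal"
    return labels

def usage_by_client(conns):
    """Return {client_ip: (total_bytes, total_socket_seconds)}."""
    totals = defaultdict(lambda: [0, 0.0])
    for ip, secs, nbytes in conns:
        totals[ip][0] += nbytes
        totals[ip][1] += secs
    return {ip: (b, s) for ip, (b, s) in totals.items()}

if __name__ == "__main__":
    labels = classify_clients(SAMPLE)
    for ip, (nbytes, secs) in usage_by_client(SAMPLE).items():
        print(f"{ip:15} {labels[ip]:6} bytes={nbytes:7} socket_s={secs:7.1f}")
```

In this sample the slow client sends a small fraction of the flood client's bytes while occupying sockets for roughly twenty times as long, which is why monitoring needs to track connection duration and per-client open sockets as well as traffic volume.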
It is clear that there are many tools available to protesters who intend to damage or disrupt a target without harming uninvolved or disinterested users. This ready availability and the ease with which civilians may engage in what we may honestly call cyber warfare leads to serious questions about who is innocent and which networks and machines are "legitimate" targets. Just as both the Allies and Axis bombarded civilians during WWII due to their capacity for wartime industrial production, if anyone can participate in an international attack on another government's network infrastructure, then civilian computers and networks are likely to be perceived as legitimate targets during open hostilities. The world has yet to confirm a case of state-sponsored cyber warfare against a civilian network, but it seems foolish to think this critical component of a country's government, economy and culture would not be subject to attack just the same as any other.


