20

If my website is targeted for a DDoS attack after I have been paid for completing the website, and I get an angry phone call from the client regarding outage of service, what do I do?

It hasn't actually happened yet, but the idea haunts me.

schroeder
Dmytro
  • I hope my edit didn't totally squash your intent. – schroeder May 19 '15 at 23:32
  • It seems fine. Thanks. Although I felt the original gave more context. – Dmytro May 19 '15 at 23:33
  • What kind of website? A static one or did you build a web application? – spickermann May 20 '15 at 05:13
  • It depends. What type of DDoS? Is it targeting server resources such as connection limits? Network resources en route to your app? Are specific resources within your app being targeted? The point I'm trying to make is there are different layers at which a DDoS operates. – user2320464 May 20 '15 at 06:17
  • Make the client aware of the difference between development and operations, and make sure your contract/agreement doesn't include anything on operations. – Qwerky May 20 '15 at 09:57
  • It most certainly depends on your contract, the legislation of the country in which the contract was signed, and whether you bear responsibility in making the DDoS practically feasible in otherwise unlikely scenarios (e.g. you wrote code that can hang under specific conditions, and those conditions are used to take the site down). You need to ask legal experts in the country where you operate, not us. – Steve Dodier-Lazaro May 20 '15 at 10:06
  • If you are afraid of this, mention that it's beyond the scope of your work (and have it as such in any agreement), but you can encourage them to work with providers such as CloudFlare (no affiliation) who offer services to prevent such attacks from causing outages. – user2813274 May 20 '15 at 13:26

2 Answers

44

The following is all hypothetical:

First off, you should NEVER sign an SLA in this case, or guarantee any uptime whatsoever. (You are delivering a website, not the service to host that.)

Secondly, a hosting company should be used who can defend against a DoS attack in some way. (Be aware of SLAs and their limitations.)

You need to think of yourself in the same way a plumber does. The plumber is not responsible for your water service, just for leaks and work on the pipes. A DDoS would be like an overpressure on the water lines (like 1000 times more than they are designed for), and the fact that the pipes break then is not the plumber's fault but the water company's. All the plumber can do is fix it after the water has been turned off.

schroeder
LvB
  • I think that's exactly what I wanted to know. Thanks! – Dmytro May 20 '15 at 00:02
  • I can think of mistakes that a developer could make that would actually allow a DoS attack to be more likely to be successful. In your plumber analogy: using pipes that are not strong enough for expected peaks in pressure. If a developer makes such a mistake, I think he is responsible. – spickermann May 20 '15 at 05:20
  • This is 100% accurate (I +1'd it), but I'll add here that it won't stop an angry and clueless customer from trying to blame you anyway, especially if you helped them provision hosting and deploy the site. – Joel Coehoorn May 20 '15 at 05:23
  • @spickermann Don't confuse DDoS and DoS. If a bug in the software causes downtime, it's the developer's responsibility to plug the hole. If the issue is that the software (and the systems it runs on) is being flooded with valid input, then it has nothing to do with the software. The exception is if the requirement specifically requested protection against some form of DDoS (in which case it shouldn't have been accepted without VERY serious considerations). – Stephane May 20 '15 at 08:28
  • @Stephane if a bug in the software makes possible a DDoS attack that would otherwise have been impossible, and if it can be demonstrated that the developer did not take measures to make the risk of the DDoS happen ALARP, there are cases where the developer can be legally liable (depending on context, contract, legal environment and stuff we infosec experts have no clue about). Lawri's answer brushes off OP's responsibilities as non-existent, and I'm afraid I disagree. – Steve Dodier-Lazaro May 20 '15 at 15:10
  • @SteveDL I wrote my answer for the pre-edited version; it holds some context. As to liable, you can only be liable for things you know or should have known, not for things that were not known yet (same as an engineer). The developer is only responsible for the items you list here if he did not warn the 'Owner' of the risks involved. Many of the risks you describe are actually part of the Hoster or Owner risk profiles, not the Developer (except in the case of 'criminal negligence'). In short, your example requires intent to make him liable. – LvB May 20 '15 at 17:11
  • "As to liable, you can only be liable for things you know or should have known" I wouldn't try that in my country's court :-) Keep in mind all legal systems differ, so you should always wait till OP gives a precise legal context (and refer to jurisprudence and laws in that country) to answer a legal question. – Steve Dodier-Lazaro May 20 '15 at 17:17
  • That is pretty much uniform and part of international law. But yes, you're right, no country was given. It is also the reason it's a hypothetical answer and it is why I did not add it to the answer. (There is no context until given, and with no context he is on the moon and no legal system exists there...) So, @SteveDL why are you? – LvB May 20 '15 at 17:29
3

As Lawri points out, for the most part the site being DDoSed is not your problem. It's up to the hosting provider to take the steps necessary to mitigate (not stop; there aren't really any ways to completely stop one) a DDoS attack.

Note the qualifier: "for the most part".

There is one responsibility you do have, at least as a professional designer, and that is to make as certain as possible that, should your site fail under a DDoS attack, it fails safe -- i.e., suffers no data loss or corruption because of the flood of connections.

This is mostly an informal checklist to confirm your code is clean -- i.e., database writes use transactions and are atomic, all input is properly validated before any of it is stored, database connections are properly closed on script termination, and so on; basically, once the flood waters recede the site should be back up and running without requiring any manual intervention.
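
The fail-safe checklist above, sketched as an added example (not code from the answer or from anyone in the thread): a multi-row write that is validated in full first, committed atomically, and always releases its connection. It assumes a hypothetical two-table order schema in SQLite; `validate`, `place_order`, `row_counts` and the `fail_after` hook are illustrative names.

```python
import sqlite3
from contextlib import closing

# Hypothetical schema: one order row plus one row per line item.
SCHEMA = """
CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS order_items (
    order_id INTEGER NOT NULL REFERENCES orders(id),
    sku TEXT NOT NULL, qty INTEGER NOT NULL);
"""

def validate(customer, items):
    """Check the whole request before any part of it is stored."""
    if not isinstance(customer, str) or not 1 <= len(customer) <= 64:
        raise ValueError("bad customer")
    if not items:
        raise ValueError("empty order")
    for sku, qty in items:
        if not (isinstance(sku, str) and sku.isalnum() and len(sku) <= 16):
            raise ValueError("bad sku")
        if not (isinstance(qty, int) and 1 <= qty <= 1000):
            raise ValueError("bad quantity")

def place_order(db_path, customer, items, fail_after=None):
    """Write an order and its items atomically; return the order id.

    fail_after is a demonstration hook: raise after that many item rows,
    standing in for a request aborted or timed out mid-write under load.
    """
    validate(customer, items)
    # closing() releases the connection on every exit path, including errors.
    with closing(sqlite3.connect(db_path, timeout=2.0)) as conn:
        conn.executescript(SCHEMA)
        with conn:  # one transaction: commit on success, rollback on exception
            order_id = conn.execute(
                "INSERT INTO orders (customer) VALUES (?)", (customer,)).lastrowid
            for n, (sku, qty) in enumerate(items):
                if fail_after is not None and n == fail_after:
                    raise TimeoutError("simulated mid-request abort")
                conn.execute(
                    "INSERT INTO order_items VALUES (?, ?, ?)", (order_id, sku, qty))
        return order_id

def row_counts(db_path):
    """Return (orders, order_items) row counts, to check for partial writes."""
    with closing(sqlite3.connect(db_path)) as conn:
        conn.executescript(SCHEMA)
        return tuple(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                     for t in ("orders", "order_items"))
```

After an aborted or rejected request, `row_counts` stays at `(0, 0)`: there is no order without its items and nothing to repair by hand once traffic returns to normal.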

  • Could you please provide authoritative evidence why OP would have more of a legal liability to make sure the site fails "safely" than s/he has to make sure the site fails reasonably rarely? – Steve Dodier-Lazaro May 20 '15 at 15:11
  • Not a legal liability per se, more a professional obligation. Like I said, most of those were basically sound programming practice... although legally someone might decide to argue it's due diligence. IANAL though so don't take this as read. – Shadur-don't-feed-the-AI May 20 '15 at 15:34
  • My point was that a lawyer is precisely what OP needs :-) We should only be giving advice if we're confident that we're giving the correct one, and when law is involved and we don't even know the operating domain or country of OP, it's impossible to have such guarantees ;-) – Steve Dodier-Lazaro May 20 '15 at 15:43
  • @SteveDL The question has the confines of a client calling you on the phone, not a lawsuit. (Originally even a student was part of the context.) Why add the legal dimension to the answers if the OP did not add one? – LvB May 20 '15 at 17:33
  • Because the relationship between OP and his/her client is bound by law, and because it is courts that will force OP to hold up to his/her responsibilities. – Steve Dodier-Lazaro May 20 '15 at 17:43
  • Upon reading the unedited question I'm realising that OP is not doing contractual work, in which case your advice makes much more sense to me: just don't sign any contract and you don't have any responsibilities... Sorry for being such an annoyance :-) – Steve Dodier-Lazaro May 20 '15 at 17:49