ABSTRACT
In the middle of February 2000, Internet security changed dramatically when Amazon.com, CNN,
Yahoo! E*Trade, ZDNet, and others fell victim to what has come to be known as a distributed denial-
of-service attack or, more commonly, DDoS. Although denial-of-service attacks can be found as far back
as 1998, it was not until these sites were brought down through the use of distributed computing that the
media spotlight focused on such attacks. No longer were the attackers few in number and relatively easy
to trace. A DDoS attack occurs when a targeted system is flooded with traffic by hundreds or even
thousands of coordinated computer systems simultaneously. These attacking computer systems are
surreptitiously commandeered by a single source well in advance of the actual attack. Through the use of a
well-placed Trojan program that awaits further commands from the originating computer, the attacking
computer is turned into what is commonly referred to as a zombie. These zombie computers are then
coordinated in an assault against single or multiple targets. Zombie computers are typically targeted and
utilized because of their lax security. Although a DDoS attack has two victims-the attacking zombie
computer and the ultimate target-it is the latter of these two that suffers the most damage. Not only has
the security and performance of the victim’s computer system been compromised, but economic damage
can run into the millions of dollars for some companies. Thus, the question arises: does the attack by a
zombie computer system, because of lax security, create liability on the part of the zombie system to the
target? To address this issue, this chapter provides a jurisdictional-independent analysis of the tort of
negligence and the duty that attaches upon connection to the Internet.