Skip to main content

Massive attack

How a weapon against war became a weapon against the web

Illustrations by Jude Buffum

Every year, artists and technology enthusiasts meet in Linz, Austria, for the Ars Electronica Festival, a meetup in the city’s downtown, located just off the Danube River. The festival is a haven for those with an eye toward the future — something between Burning Man and a TED conference, with visitors navigating scientific equipment, LED lights, and colorful installations. International visitors for the event are common enough, but the 1998 festival featured an unlikely participant: the Pentagon.

That year, members of an art group called the Electronic Disturbance Theater were invited to demonstrate a program called FloodNet. Billed as a “virtual sit-in,” users navigated to the FloodNet website at a predetermined time, and through a simple Java tool, were directed to a targeted website that would reload constantly, every few seconds. With enough people — perhaps thousands — the sit-in caused targeted websites to slow or maybe even crash, rendering them intermittently inaccessible.

The ability to neutralize practically any website on demand...was a powerful new tool for global civic disobedience

The group set three targets, picked in solidarity with Mexico’s Zapatista revolutionary movement and “against neoliberalism and the global economy”: Mexican president Ernesto Zedillo, the Frankfurt Stock Exchange, and what was then the site of the US Department of Defense, The group called its protests “actions,” and this action was called SWARM — Stop the War in Mexico.

The ability to neutralize practically any website on demand — what’s now commonly referred to as a distributed denial of service, or DDoS, attack — was a powerful new tool for global civic disobedience. But for agencies like the Department of Defense, then facing the earliest prospects of war in the digital age, the capability posed a legitimate threat, and a dark omen of what was to come.

This year marks the 20th anniversary of the group’s earliest beginnings, and the questions raised by Electronic Disturbance Theater’s actions are relevant in ways its creators could not have foreseen. Today the DDoS attack seems like a fait accompli of digital life: in October, a bot-powered DDoS attack shut down major sites around the internet — a caper that exposed the fragility of the internet, as the attack was soon classified as the largest of its kind ever observed.

In a documentary from 2001, Ricardo Dominguez, EDT’s bespectacled, wavy-haired ringleader, explains the group’s mission in the sober, scholarly diction of a determined revolutionary: “Electronic civil disobedience is non-violent direct action online.”

EDT’s precise ideological origins are murky, and not without some controversy. In the 1990s, a group called Critical Art Ensemble was formed in Tallahassee, Florida. Led by Steve and Hope Kurtz, a married couple, the group published two seminal texts in the history of digital protest: 1994’s The Electronic Disturbance and 1996’s Electronic Civil Disobedience and Other Unpopular Ideas. The texts anticipated a near-future when street protests, used to block physical space, would shift to blocking digital space — a radical idea for the time. Dominguez was a member of the group, although Steve Kurtz still disputes his contribution to the texts.

EDT didn’t patent the denial of service technique. As Molly Sauter documents in her book The Coming Swarm, an Italian hacker group called the Strano Network is often credited with the first major DDoS-like protest. In 1995, the Strano Network targeted French government sites with a one-hour “net strike” after the government tested nukes in the Pacific Ocean — an action with limited success. But it was EDT, through high-profile demonstrations against governments and businesses, that first popularized the idea of politically driven DDoS attacks, creating the foundation that others would use well into the future.

The incident that brought EDT together came in late 1997. The revolutionary Zapatista Army had rebelled for years against the Mexican government, and in December of that year, the violence came to a head when 45 people, including 15 children, were killed during an attack in the state of Chiapas, in a town sympathetic to the Zapatistas. The Zapatistas’ leaders were clear on who they blamed: President Zedillo. He condemned the massacre, but surviving witnesses said the gunmen were allied with Zedillo’s political party. ''The direct responsibility for this bloody event lies on the shoulders of Ernesto Zedillo and Interior Ministry officials who two years ago gave the green light for the Army to fight a counterinsurgency war in Chiapas,” the Zapatistas said in a communique.

The attack brought EDT’s members together under a common cause, and a lineup coalesced with four members: Brett Stalbaum and Carmin Karasic, two artists with technical expertise, formed the coding backbone of the group; Dominguez and Stefan Wray, activists more interested in theory, were its philosophers. Dominguez and Wray, who were already involved in Zapatista solidarity efforts in the US, began to discuss the idea of an electronic civil disobedience action. Stalbaum wrote an early draft of what would become FloodNet, and worked with Karasic, who improved on the concept with him.

EDT planned a series of actions for 1998, starting with a response to the Chiapas massacre. In April, Dominguez sent out a series of notes alerting people to the plan: "FLOODNET: TACTICAL VERSION 1.0." would target the website of President Zedillo, with the goal of bringing attention to the killings. The group bristles now at the idea it intended to bring down the site, but did foresee the possibility that access would be disrupted.

“Truth not found; Justice not found.” 

In one clever twist, the program even let users customize messages attached to their server requests, pinging for information like “truth” or “justice.” In a stylistic flourish with little practical use in a pre-social media era, the users could send word- or phrase-related queries to the site, which would spit out errors in the server log: truth not found; justice not found. The first action attempt that month, launched in a pair of two-hour stretches, brought in more than 8,000 individuals, EDT later claimed. The group received reports that, although it did not seem entirely disabled, the site was at times inaccessible.

But the group saved its most organized action for the Ars festival, which Dominguez and Wray attended in person: a grand demonstration of FloodNet, once again targeting Zedillo’s website, as well as the Frankfurt Stock Exchange and Pentagon.

The festival had always been a haven for the hacker counterculture, with icons like William Gibson making the journey to speak, and participants didn’t shy away from the political: one prescient exhibit from 1998 featured a miniature border wall topped with security cameras. That year, the theme was information warfare, and EDT was invited to attend alongside prominent hackers, including groups like the Hippies From Hell, a radical Dutch collective that Dominguez says considered EDT “impure.” He remembers offering the use of FloodNet to another group in exchange for some beer.

As other attendees discussed theoretical ideas, EDT was eager to act. Their action was planned for the third day of the festival, and it drew considerable media attention. As usual, the group announced its plans in advance, conscious of the attention it might garner, but a sign of sabotage appeared early. That morning, Dominguez says, he received a threatening phone call from a Spanish speaker, who he claims said, We know who you are, but didn’t reveal his identity. Dominguez believes it was “Mexican agents,” although this hasn’t been substantiated.

A screenshot of the original FloodNet program. A full, working version of the program has been preserved by Rhizome, a non-profit dedicated to new media and digital art.
A screenshot of the original FloodNet program. A full, working version of the program has been preserved by Rhizome, a non-profit dedicated to new media and digital art.

At 11AM Linz time, web users began flooding the sites. The hits poured in for hours — from Italy, Japan, Malaysia — even, it appeared, from servers associated with US education and military institutions. That afternoon, the group gave a talk on their work.

But then something strange happened. “I looked at my desktop and noticed a string of Java icons — little coffee cups — streaming across the bottom of the screen,” Wray later wrote. “And then FloodNet just froze. I saw this happen on several machines.” Similar reports surfaced that some kind of error had halted the protest. “Countermeasures effectively kept me from participating this morning; I'm wondering if you could give me an update on how things went,” one hopeful user messaged to the group.

A small screenshot from the time preserved the error that appeared:

Netscape is unable to locate the server: reload-your-search-page.please The server does not have a DNS entry.

Check the server name in the Location (URL) and try again.

The group couldn’t have known what was happening, but Wray soon received a message that eventually provided some shocking clarity. The email was from an administrator at NYU, who said they’d been contacted by the Department of Defense, asking questions about EDT, which hosted a page with an EDT-related link on the university’s servers.

The counterstrike shut down the action, and later that night, Stalbaum uncovered what he says now was “a kind of media combat weapon” — a counter Java applet that appeared to be crashing machines loading the Pentagon pages. When he looked further, he found that it was named “Hostile Applet.”

The next day, Wired published a story on the incident, in which a Defense Department spokesperson obliquely took credit for shutting down the digital attack. “Our support personnel were aware of this planned electronic civil disobedience attack and were able to take appropriate countermeasures,” the spokesperson said.

“Measures were taken to send the countless demands [from the attackers] into the great beyond.”

The group’s actions continued throughout the year, as EDT expanded to target other websites, including the White House. By the end of the year, the group had drawn the attention of The New York Times. “Radical groups are discovering what hackers have always known: Traditional social institutions are more vulnerable in cyberspace than they are in the physical world,” a story on the group and other hacktivists read.

Members of EDT tend to demur when asked about their role in popularizing DDoS attacks. As Karasic points out, the group differed from many hackers, who may take action against an entity unilaterally, without the support of like-minded internet users. FloodNet required participation from thousands to be effective — there was something akin to “a vote.” But the group’s most notable legacy may be a radical blurring of the line between provocative art and hacking.

The group released a freely available version of FloodNet, which other activists could use to launch their own protests, just after midnight on New Year’s Eve 1998. The year’s actions completed, the members went their separate ways. In 2001, the airline Lufthansa was targeted by a different group, inspired by EDT, protesting deportations from Germany facilitated by the company. “[EDT’s members] were tangentially involved in literally every DDoS thing that happened in the early 2000s,” Sauter says.

“EDT’s members were tangentially involved in literally every DDoS thing that happened in the early 2000s.”

About 13,000 people took part in the Lufthansa “sit-in,” and while the airline said it successfully withstood the attack, an organizer was arrested and charged. Eventually, he was ordered to pay a fine or serve three months in jail, Sauter explains, but another court overturned the ruling, saying the action was a justified form of protest. Parts of the commentariat, like the writer Evgeny Morozov, have since said that this is a reasonable legal interpretation — that it is possible to see such actions as a form of dissent — but the legal test that may one day decide these issues definitively in the United States still hasn’t materialized.

Meanwhile, both the technology powering activism and the cultural landscape behind it have changed dramatically since EDT was active. A small group can take down large parts of the internet without much help, but many continue to do so in the name of protest and art. Dominguez himself organized a digital “sit-in” of hundreds of students targeting the University of California president’s website to protest the institution’s financial policies. Dominguez was a UC San Diego professor, and still is, although the protest nearly cost him tenure. Stalbaum is also a professor at the university, and, although the group has mostly drifted apart, is now a part of Electronic Disturbance Theater 2.0: a group with new members, if a similar mission. Carmin Karasic works as an artist in the Netherlands. Wray has lost touch with the group.

Dominguez sees a fundamental difference between EDT’s work and later activists that took up its cause as activists. “Our work may end up being useful to a wide variety of communities, but our approach was always as artists,” he says.

“It doesn’t mean that we’re not concerned with the political, we’re not concerned with the conditions we find ourselves in,” he continues. “But as artists we’re not necessarily rapidly mobilized to hit Trump Tower now.”

The distinction between art and protest might be lost on the groups using today’s version of EDT’s tactics. In 2013, Anonymous supporters launched a White House petition to legalize DDoS attacks after a series of arrests related to politically motivated attacks launched by the group. The petitioners argued that a DDoS attack was free speech. “Distributed denial-of-service (DDoS), is not any form of hacking in any way,” the petition read. “It is the equivalent of repeatedly hitting the refresh button on a webpage.” The idea had more than a small hint of EDT philosophy.

The page for the petition has since been taken down.