Regulating DoS

Denial of Service (DoS) is tricky to regulate because it involves a high volume of "legitimate" traffic which stresses the target's resources [1]. Since the traffic is legitimate, what makes an act DoS is the underlying intent to exhaust the target's resources. To illustrate, web scraping also generates high volumes of legitimate traffic but is generally accepted because the intent is data collection for commercial or research purposes. Edwards posits that it is "impossible for law enforcement authorities to distinguish between" DoS and legitimate traffic [2]. This may be prima facie true; however, upon closer inspection of the traffic, one can usually distinguish them. Normal traffic usually spans multiple different pages: a user may perform a few searches and view the product descriptions to compare them. However, a DoS attack designed to exhaust resources would usually pick the slowest page, for example a search page, and repeatedly execute the search without viewing any of the results. That said, the contents of the page do matter: if the page contains stock price data or concert ticket sales, there could be legitimate reasons to continuously request the same page.
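The distinction drawn above can be expressed as a per-client check over request logs. The following is an added example, not part of the original essay: it separates browsing, legitimate polling and repetition of the slowest page. The paths, thresholds, addresses and the list of pages where polling is expected are all assumptions, and the sample traffic is constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed prefixes of pages where repeated requests are expected
# (live stock prices, ticket sales), per the caveat in the text.
POLLED_PREFIXES = ("/ticker/", "/tickets/")

def classify_clients(requests, min_requests=30, min_top_share=0.9):
    """requests: iterable of (client, url, response_ms). Returns {client: verdict}."""
    per_client = defaultdict(Counter)
    cost = defaultdict(list)
    for client, url, ms in requests:
        path = urlsplit(url).path  # drop the query so varied searches group together
        per_client[client][path] += 1
        cost[path].append(ms)
    # The page with the highest mean response time across all traffic.
    slowest = max(cost, key=lambda p: sum(cost[p]) / len(cost[p]))
    verdicts = {}
    for client, paths in per_client.items():
        total = sum(paths.values())
        top_path, hits = paths.most_common(1)[0]
        if total < min_requests or hits / total < min_top_share:
            verdicts[client] = "browsing"  # low volume or spread over many pages
        elif top_path.startswith(POLLED_PREFIXES):
            verdicts[client] = "polling"   # repetition with a plausible reason
        elif top_path == slowest:
            verdicts[client] = "suspect: hammering slowest page"
        else:
            verdicts[client] = "review: single-page repetition"
    return verdicts

def sample_requests():
    """Constructed traffic: documentation-range addresses, made-up paths and timings."""
    shopper = [("192.0.2.10", u, ms) for u, ms in [
        ("/", 20), ("/search?q=kettle", 400), ("/product/17", 60),
        ("/product/22", 55), ("/search?q=toaster", 380), ("/product/31", 65)]]
    flooder = [("198.51.100.7", f"/search?q=a{i}", 420) for i in range(200)]
    trader = [("203.0.113.5", "/ticker/ACME", 15) for _ in range(200)]
    return shopper + flooder + trader

if __name__ == "__main__":
    for client, verdict in classify_clients(sample_requests()).items():
        print(client, verdict)
```

A verdict here is only a signal about traffic shape; as the paragraph notes, intent still has to be judged from the content and purpose of the page.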

Apart from blackmail, DoS is also used to "make a political or ethical point" and to "[threaten] critical infrastructure" [3]. In the case of the latter, the EU has legislated against the behaviour in Article 4 of the framework decision on attacks against information systems [4]. A "flash mob" event would possibly be the closest physical manifestation of a DoS attack. Police have used the offence of "conspiracy to cause public nuisance" to pre-empt such an event in the UK [5]. Under the statutory act, an offence is committed if an act causes "serious inconvenience" or "serious loss of amenity" to a "section of the public" [6]. Since a DoS greatly inconveniences visitors to a website and prevents them from accessing it, it will likely fall under the ambit of the act.

Victims can definitely pursue damages from the perpetrator under tort law, as long as they are able to identify the perpetrator and can take action in the appropriate jurisdiction [7]. In Spartan Steel & Alloys Ltd vs Martin & Co, the plaintiffs suffered economic loss due to a power cut to their factory caused by the defendant's actions [8]. Similarly, an e-commerce store would suffer economic loss due to a DoS attack, hence I believe there would be a cause of action under tort law. If civil action is taken, the plaintiffs will be compensated for their loss, hence this may be advantageous compared to criminal action.

[1] Edwards L, ‘Dawn of the Death of Distributed Denial of Service: How to Kill Zombies’ (2006) 24 Cardozo Arts & Entertainment Law Journal 23, p. 24

[2] ibid.

[3] ibid., p. 33

[4] Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [2005] OJ L 69/67, art. 4

[5] Maisie Olah, 'Arrests and dispersal order over Birmingham flash mob event' (CNBC, 20 May 2023) https://www.bbc.com/news/uk-england-birmingham-65648862 accessed 12 January 2025

[6] Police, Crime, Sentencing and Courts Act 2022, Section 78

[7] Edwards L, ‘Dawn of the Death of Distributed Denial of Service: How to Kill Zombies’ (2006) 24 Cardozo Arts & Entertainment Law Journal 23, p. 45

[8] Spartan Steel & Alloys Ltd vs Martin & Co [1973] QB 27