The successful DDoS attack on DYN is merely a new twist on age-old warfare, with precedents in earlier attacks on the root servers and, for that matter, in historic battles such as Dien Bien Phu and Cannae. Classic warfare can be anticipated and defended against. But warfare on the internet, just as in history, has changed.
So let’s take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and recognise and plan for more of these sorts of attacks before things get better. We have the good guys deployed in hardened positions. They have lots of hardware, lots of people, and lots of responsibility for making the internet work for millions of people and businesses. But the bad guys outnumber them, are growing in capability and numbers, and can choose their attacks and their timing.
You can read the technical details and the headlines in the aftermath of these attacks in many places, but the basic fact is that without working security, every cell phone and home network device is a potential recruit for the bad guys to bring down the internet.
My position is we need to look at this in two ways:
- First, what are the prospects for fixing the problem with the technologies we have today?
- Second, if we are going to fundamentally change the network for the sake of security, what will that look like?
These attacks are far-reaching, they impact huge groups, countries, even regions of internet users. They force us to think differently about security and usability. They force us to not take the DNS for granted. Let’s talk about the realities of today, and what the future might hold.
The typical reaction of server operators under attack is to try to identify, and then reduce, the attack flows: the flood of generated DNS traffic that signals a DDoS attack. This plays out as a cat and mouse game between the attacker’s desire to optimise the attack and the defender’s desire to remove those optimisations.
Attackers use amplification so that a small request over DNS (sent with a forged source address, the victim’s) bounces off a legitimate server and comes back as a much larger DNS answer aimed at the target. The defender tries to recognise these queries and eliminate them via source address validation (ingress filtering, BCP 38), rate limit them, or even break the traditional DNS protocol and refuse to generate long answers. But are amplification and source address forging essential to the attack? If we implement all of the defences and reduce the attack by 99 per cent, is the threat over? Probably not, if the attackers can simply recruit 100 times more devices and swell the ranks of their bot army.
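To make the amplification and "rate limit them" points concrete, here is an added example (not from the article, and not DYN's or any DNS vendor's code): it builds a DNS query and a reply in wire format to show the size ratio, then runs a spoofed flood through a simplified response rate limiter of the kind authoritative servers implement. The zone name, record set, client addresses and rate limit are all constructed for illustration; BCP 38 ingress filtering happens upstream and is not modelled here.

```python
"""Added example (not from the article): a DNS amplification query/answer pair
built in wire format to show the amplification ratio, plus a simplified
response rate limiter (RRL) of the kind the text calls "rate limit them".

All sizes, names and records here are constructed for illustration."""
import struct
from collections import defaultdict

QTYPE_ANY = 255  # the classic amplification query: "give me everything"


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, 0x00 terminator."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def dns_query(name, qtype=QTYPE_ANY):
    """Minimal UDP query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dns_response(name, rrs, truncated=False):
    """Answer with one RR per (type, rdata) pair; the owner name is a compression
    pointer (0xC00C) back to the question name, as real servers emit."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1,
                         0 if truncated else len(rrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, 1)
    if truncated:
        return header + question  # TC=1: "retry over TCP", carries no answer data
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
        for rtype, rdata in rrs)
    return header + question + answers


# Constructed record set for a fictional zone; a real ANY answer for a signed
# zone (DNSKEY, RRSIG) is often far larger than this.
SAMPLE_RRS = (
    [(1, bytes([192, 0, 2, i])) for i in range(1, 5)]                 # 4 x A
    + [(28, bytes(16))]                                               # AAAA
    + [(15, struct.pack("!H", 10) + encode_name("mail.example.com"))] # MX
    + [(16, bytes([200]) + b"v" * 200)]                               # TXT, one 200-byte string
    + [(48, bytes(260))]                                              # DNSKEY-sized blob
)


def amplification_factor(query, response):
    return len(response) / len(query)


class ResponseRateLimiter:
    """Simplified RRL: count identical answers per client /24 per one-second
    window. Over the limit, alternate dropping with a tiny TC=1 "slip" reply;
    a real client retries over TCP, a spoofed victim address never will."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit, self.slip = responses_per_second, slip
        self.counts = defaultdict(int)
        self.over = defaultdict(int)

    def decide(self, client_ip, qname, qtype, now):
        key = (client_ip.rsplit(".", 1)[0], qname, qtype, int(now))
        self.counts[key] += 1
        if self.counts[key] <= self.limit:
            return "answer"
        self.over[key] += 1
        return "truncate" if self.over[key] % self.slip == 0 else "drop"


def simulate_flood(n_queries, victim_ip="198.51.100.7", limit=5):
    """Spoofed flood: every query claims the victim's source address, so every
    full-size answer lands on the victim. Returns bytes delivered to the victim
    with RRL versus without, plus the per-decision counts."""
    name = "example.com"
    full = dns_response(name, SAMPLE_RRS)
    tiny = dns_response(name, SAMPLE_RRS, truncated=True)
    rrl = ResponseRateLimiter(limit)
    counts = defaultdict(int)
    delivered = 0
    for _ in range(n_queries):
        verdict = rrl.decide(victim_ip, name, QTYPE_ANY, now=0.0)
        counts[verdict] += 1
        delivered += {"answer": len(full), "truncate": len(tiny), "drop": 0}[verdict]
    return {"with_rrl": delivered, "without_rrl": n_queries * len(full), **counts}


if __name__ == "__main__":
    q, r = dns_query("example.com"), dns_response("example.com", SAMPLE_RRS)
    print(f"query {len(q)} B -> answer {len(r)} B, x{amplification_factor(q, r):.1f}")
    print(simulate_flood(1000))
```

The rate limiter illustrates the article's caveat as well as the defence: it only cuts the bytes reaching the victim because the flood consists of identical queries from one forged source. A botnet of real devices, each sending a few distinct queries from its own address, stays under the per-client limit, which is why reducing amplification does not end the threat.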
Furthermore, while the root servers or DYN can get a lot of attention and assistance from law enforcement, ISPs and others, all of those people with insecure IoT devices like webcams are on their own against DDoS, ransomware and the like. Perhaps we will see a simple attack that frustrates my ability to book online with my favourite airline and sends me to some junk airline website by default, while the attacker profits from options on my now-struggling favourite airline? The online gambling world is familiar with this type of attack. Which retail industry will be hit next? The question of whether nation states are developing DDoS capabilities is moot when the capability is already available and used in retail crime. Countries acquired DDoS capabilities years ago.
OK, so what about better security for the devices? If we can get the devices out there that use DNS to defend better against DDoS attacks, could we win in the trenches? The huge routers that power the Internet were patched quickly after their vulnerabilities to leaked NSA hacking tools went public. But what about the people everywhere with their wireless webcams: can we inspire the home users? Who has the responsibility to prevent the smart TV from getting recruited into the attacker’s army? The manufacturer? The user?
What made the Internet great? Three ideals: connections to an ever expanding population of other users and resources (the Network Effect), statistical sharing of ever expanding bandwidth, and lastly, permission-less innovation sometimes called the end-to-end argument, or the “rise of the dumb network”.
In today’s digital Serengeti that is the Internet, the bad guys are simply taking full advantage of these capabilities to further their own ends. We will fight back, but will we have to sacrifice our ideals? It’s my premise that if we simply cruise along with today’s ideas about solving the problem, we could end up losing all three ideals.
For the good guys to win we need innovation. In the case of the DNS, which powers our ability to connect to billions of other parties on the Internet, we probably need to think in terms of making the DDoS attacks more difficult to carry out. So rather than a handful of addresses for contacting DYN, we need to think about creating multiple paths for getting DNS information between the creators and the consumers of that information. This won’t be popular with the business models of DNS providers, just as ICANN’s policy of freely expanding the population of the so-called L-Root servers was not, but we need to make attacks on the naming infrastructure several orders of magnitude harder, so we can depend on DNS services to aid in the defence.
A dumb network that allows edge nodes the unrestricted ability to send data to any other edge node is the dream of many IPv6 fans, who remember the early days of IPv4, before NATs came to own the game and provide some barrier to attacks. But so long as thousands, millions, or billions of edge bots get to send at a smaller number of targets, we won’t be safe. One choice here is to charge for packets; another is to insert carrier-owned filters. As a matter of policy, we believe that DNS filtering by reputation is simply a public health issue, like requiring vaccination as a condition of attending public school. However, the filtering should always be under the control of the end user, rather than the carrier, even if most users ultimately outsource the job to the carrier.
Network neutrality is at risk here as well. We can expect managed network services that enhance security for selected vendors. We can also expect DNS admins to rethink the very short TTLs they choose. Short TTLs let them push load-balancing and availability decisions onto the DNS, and that actually contributed to the problem we saw with sites impacted by the DYN attack: once the cached records expired, resolvers had nowhere to get fresh answers. The alternative is longer TTLs and investing in the infrastructure to meet their availability goals.
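The TTL point is easy to quantify. The following is an added example (not from the article): a toy model of one resolver receiving a steady stream of lookups for one name while that name's authoritative servers are unreachable for two hours, run with different TTLs. It also shows the resolver-side counterpart, serving stale records when the authority is down (standardised later as RFC 8767), which the zone owner cannot rely on every resolver to do. The query interval, outage window and TTL values are constructed.

```python
"""Added example (not from the article): a toy resolver-cache model showing why
short TTLs made an authoritative outage like DYN's worse for the zones hosted
there, and what a resolver-side serve-stale policy (RFC 8767) changes.
Timings are constructed."""


def failed_lookups(ttl, outage, interval=10, horizon=14400, serve_stale=False):
    """Count lookups that fail at one resolver which receives a query for the
    same name every `interval` seconds. The authoritative server is unreachable
    during `outage` = (start, end) seconds; the cache is empty at t=0.

    Without serve-stale, an expired record plus an unreachable authority is a
    failure (SERVFAIL). With serve-stale, the resolver keeps answering from the
    expired record as long as it has one."""
    expiry = None   # absolute time the cached record expires; None if nothing cached
    failures = 0
    t = 0
    while t < horizon:
        cached = expiry is not None
        if cached and t < expiry:
            pass                                   # cache hit, authority not consulted
        elif outage[0] <= t < outage[1]:
            if not (serve_stale and cached):
                failures += 1                      # expired (or empty) and authority down
        else:
            expiry = t + ttl                       # refreshed from the authority
        t += interval
    return failures


def compare_ttls(ttls=(60, 3600, 86400), outage=(1000, 8200)):
    """Failures per TTL for a two-hour outage starting 1000 s into the run."""
    return {ttl: failed_lookups(ttl, outage) for ttl in ttls}


if __name__ == "__main__":
    print(compare_ttls())                                       # shorter TTL, more failures
    print(failed_lookups(60, (1000, 8200), serve_stale=True))   # 0
```

A 60-second TTL fails almost every lookup for the whole outage, a one-hour TTL rides out the first part of it from cache, and a one-day TTL never notices. The trade-off the article refers to is that the long TTL also delays any change the operator wants to make, so a DNS-based failover that depends on short TTLs is exactly what stops working when the DNS itself is the thing under attack.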
There’s some hope in virtualisation that isolates my banking apps from my web surfing, but that’s still a dream. We certainly need more dreams and innovation if the Internet is to succeed.
Paul Mockapetris, Chief Scientist at ThreatSTOP
Image source: Shutterstock/lolloj