The latest mass hack in the news got attention for (1) taking down several of the Internet’s most popular websites and consumer cloud services and (2) turning Internet of Things (IoT) devices like DVRs and security cameras into zombie attack bots. Following the Oct. 16 attack, I would argue too many analysts focused more on the IoT novelty angle than on what this attack says about the fragility of the Internet’s core infrastructure – an issue I believe has been ignored for far too long. Failing to address it now is unacceptable, at a time when so much of the world’s economy is moving to the web and business computing is moving to the cloud.
Make no mistake: worse attacks and more of them are coming. To recap: Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were among the sites knocked offline in the October attack, but the actual target was the Domain Name System (DNS) provider Dyn, used by all of them. Security journalist Brian Krebs reported that the overwhelming volume of traffic directed at Dyn’s servers followed the same pattern as an attack that knocked his own site offline in September.
Specifically, it made use of the Mirai malware, which simplifies the process of recruiting a distributed denial of service bot army consisting of thousands of network nodes capable of flooding any target with bogus traffic. Mirai scans the Internet for easily subverted consumer devices, many of which have truly hideous security implementations like hard-coded default passwords that can’t be changed.
Krebs concludes the electronics industry needs to set and enforce minimum standards for the security to be embedded in any Internet connected device. I don’t disagree, but I don’t think that solves the real problem. For one thing, this hypothetical standards effort would take years to put into practice. XiongMai Technologies, the Chinese technology company that made many of the devices targeted by the Mirai malware, has been embarrassed into issuing a recall. Would you care to bet how many of the owners of those gadgets never sent in the warranty card and will never get the notice?
Similarly, even if the electronics industry as a whole got its act together tomorrow, the installed base of poorly secured devices would still be out there for years to come. We can’t afford to wait a decade because bigger and badder denial of service attacks are sure to follow, based on Mirai and countless permutations of that formula. Besides, IoT devices are only one example among many of poorly secured Internet endpoints. More than anything to do with IoT, what we ought to be paying attention to is how easy it is to take down large parts of the commercial Internet by targeting DNS.
My question is, why are we exposing a bedrock Internet service to DVRs and security cameras in the first place? The real problem is that Internet operators persist in following a packet-based architecture that is more than 30 years old and makes it way too easy for adversaries to map and attack foundational services like DNS, as well as specific websites and cloud services.
The need-to-know basis
Instead, we should graduate to a system that embraces the principle of topology hiding, which is basic to network security. To put it in spy novel terms, a hacked DVR that requests the IP addresses used by Dyn or Netflix or any other Internet services should be told, “That information is available on a need-to-know basis – and you do not need to know.”
Traditionally, we have tried to hide the topology of network nodes behind a firewall but accepted the necessity of exposing DNS to everyone as a public Internet service. Every time you look up a domain such as example.com, you query DNS and get back the corresponding IP address. The most active sites use load balancers to assign different clients to different IPs, but a specific IP address still comes all the way back to the endpoint device. Every packet transmitted from that point forward includes the source and destination IPs in its header.
That is all the information needed to mount a denial of service attack. With a traceroute, an attacker could even pinpoint the physical locations of the servers. It doesn’t have to be that way. While a packet-based architecture made sense in the earliest days of the Internet when computing power was relatively limited, today we don’t have to settle for stupidly forwarding packets from one point to another. By switching to flow-based networking on the Internet backbone, we can limit endpoints to requesting legitimate services and do a better job of preventing DDoS garbage traffic.
Instead of dealing purely in packets, a flow-based Internet router identifies specific traffic flows such as a voice conversation, a streaming media download, or the transmission of an email. It then manages all the packets associated with that flow as a unit. Delegating packet management means the endpoint device no longer needs to talk to specific Internet server IPs. The DNS lookup function is delegated to the Internet service provider’s routers.
Change is necessary
In this architecture, a DNS provider such as Dyn could refuse to accept connections except from trusted sources like the networks of AT&T and Verizon. Because a flow-based network is more application-aware, it could do a better job of detecting and shutting down suspicious flows – like a DVR that previously only made an occasional request for a program guide suddenly generating tons of traffic. These technologies already exist, but to date their deployment has been more focused on improving the quality-of-service characteristics of Internet transmissions.
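As an added illustration (not code from the original article or from RingCentral), here is a small Python sketch of the per-endpoint check described above: each source is compared against its own recent flow-rate history, so a DVR that jumps from one program-guide fetch a minute to hundreds of tiny DNS flows is flagged, while a brand-new device making a single lookup is not. The IP addresses, flow records and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records, not captured data:
# (minute, src_ip, dst_ip, proto, dst_port, bytes)
def build_sample_flows():
    flows = []
    for m in range(0, 6):
        # A DVR fetching its program guide once a minute (normal behaviour).
        flows.append((m, "10.0.0.7", "198.51.100.10", "tcp", 443, 12_000))
        # A laptop with a steady handful of web flows per minute.
        flows += [(m, "10.0.0.12", "198.51.100.20", "tcp", 443, 40_000)] * 4
    # At minute 5 the DVR suddenly opens 200 tiny UDP flows to a DNS server.
    flows += [(5, "10.0.0.7", "203.0.113.53", "udp", 53, 60)] * 200
    # A device seen for the first time in minute 5, making a single lookup.
    flows.append((5, "10.0.0.99", "203.0.113.53", "udp", 53, 60))
    return flows

def flows_per_minute(flows):
    """Count flows started by each (source, minute) pair."""
    counts = defaultdict(int)
    for minute, src, *_ in flows:
        counts[(src, minute)] += 1
    return counts

def suspicious_sources(flows, minute, factor=10, min_flows=20):
    """Return {src: (observed, baseline)} for sources whose flow count in
    `minute` exceeds `factor` times their mean count over earlier minutes.
    A source with no history has baseline 0 and is flagged only when it
    already exceeds `min_flows`, so a new device making one request is
    not reported."""
    counts = flows_per_minute(flows)
    flagged = {}
    for src in sorted({s for s, _ in counts}):
        history = [n for (s, m), n in counts.items() if s == src and m < minute]
        base = mean(history) if history else 0.0
        observed = counts.get((src, minute), 0)
        if observed >= min_flows and observed > factor * base:
            flagged[src] = (observed, base)
    return flagged

if __name__ == "__main__":
    for src, (obs, base) in suspicious_sources(build_sample_flows(), 5).items():
        print(f"{src}: {obs} flows in minute 5 vs baseline {base:.1f}/min")
```

In a real deployment the baseline window would be much longer and the thresholds tuned per device class; the point is that the decision is made per flow source at the ISP edge, not by the target service.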
As an operations leader at RingCentral, which provides cloud phone service and collaboration services, I am interested in flow-based networking because it improves voice and video quality. But to deliver large-scale security benefits, it would have to graduate from niche technology to the standard mode of Internet operations. The transition will not be instant, but it need not be as difficult as you might think. Moving to flow-based networking will not require any radical rewiring of the Internet. End users do not care about IP addresses; they care about access to Netflix and Amazon and RingCentral. ISPs can continue to provide them with the same services while concealing more of the behind-the-scenes detail of how traffic is routed.
As leading ISPs demonstrate they can deliver a better quality of traffic, top websites and cloud services can show them preferential treatment. In the event of a DDoS attack, a service might accept traffic only from flow-based networks and turn away requests from less well-managed ISPs. That ought to motivate end users to sign up with ISPs who are committed to delivering clean traffic. Unfortunately, I am afraid Internet providers are addicted to the business of stupidly forwarding packets as fast as possible, regardless of their contents. We may need our own 12-Step Program, where Step 1 is admitting we have a problem.
While I have tried to outline the benefits for everyone from consumers and cloud service providers to the ISPs themselves, I am not entirely confident the invisible hand of the market will get the job done. Much as it chills my libertarian heart to say so, regulators may have to give the industry a strong nudge in the right direction if it fails to act on its own.
Too much of our economy is bound up in the web and the cloud. For the Internet to survive, it must change.
Curtis Peterson, SVP of Cloud Operations, RingCentral