FISHING FOR A CURE TO DDOS ATTACKS
An interesting New York Times article tells the story of how, against the backdrop of generally depressing conditions for the world’s fisheries, those in the United States have started to rebound owing to the combination of science-based guidelines and hard-won, public-private collaboration. The parlous condition of the world’s fisheries is a tragedy of the commons, because although fisheries are a critical source of protein for many populations, endemic overfishing means that 90% of the world’s fisheries are exploited in an unsustainable manner. The recent progress in the U.S. gives cause for hope. In 2014, the Marine Stewardship Council certified the West Coast U.S. fishery as sustainable and well-managed, 15 years after that entire fishery collapsed from overfishing.
DDoS: The Tragedy of the Internet Commons
There is no way you can equate the importance of the Internet to a vital source of daily nutrients for billions of people. Yet the Internet is no doubt a critical ingredient of modern society. And it’s far from being “overfished.” In fact, the Internet is exploding with promising new use cases.
Sadly, the Internet is also exploding with menace. Among other exploits, distributed denial of service (DDoS) is becoming ever more pervasive and dangerous. In the last couple of years, we’ve started to see DDoS attacks that hit a terabit per second or greater in volume. If that isn’t bad enough, attacks have the potential to swell by an order of magnitude thanks to the Internet of Things (IoT) bringing billions of new, poorly secured devices online, ready to be exploited. Add this all up and we’re facing a future of multi-terabit DDoS attacks, big enough to bring even large Internet service provider (ISP) networks to a grinding halt.
Why is this a tragedy of the commons? One of the chief reasons why DDoS attacks are so common, pervasive and massive is because the Internet infrastructure industry allows Internet Protocol (IP) address forgery on a vast scale, enabling attackers to launch untraceable attacks with impunity from all over the globe. In essence, the Internet is full of poorly engineered networks in which botnets can thrive because those networks don’t implement well-known hygienic measures to check whether computers are sending traffic from IP addresses that have been assigned to them. In fact, up to 40% of the Internet today allows botnets to function unimpeded.
A Better Way Forward for the Internet
Trying to fix DDoS on the Internet can seem daunting, like dealing with all the fish in the seas. This is where the progress made in restoring U.S. fisheries provides a hopeful angle. Using the right approach, based on science and sound management, you can really make a difference.
Back in 2000, the Internet Engineering Task Force (IETF)—the global standards body—introduced a Best Current Practice (BCP38) to address the IP-address spoofing problem. BCP38 directs Internet service providers to check incoming data traffic to ensure it’s coming from an IP address registered to the network that sent it.
To verify that IP addresses line up with their sending networks, major network-equipment manufacturers such as Cisco developed reverse-path-forwarding technologies for their routers. This approach is also known as network ingress filtering. A packet filter sits at the edge of a network to spot IP sources that have adopted an address belonging to some other network.
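As an added illustration, not code from the article or from any router vendor, the following Python model shows the check described above: a strict reverse-path (uRPF) test on customer-facing ports, using a constructed routing table and constructed sample packets. Interface names and prefixes are assumptions chosen for the example.

```python
import ipaddress

# Constructed routing table for a hypothetical ISP edge router (not real
# infrastructure): destination prefix -> interface used to reach it.
ROUTES = {
    "0.0.0.0/0": "upstream",          # default route to the rest of the Internet
    "203.0.113.0/24": "cust0",        # prefix assigned to customer 0
    "198.51.100.0/25": "cust1",       # prefix assigned to customer 1
}

def best_route(src):
    """Longest-prefix match: the interface this router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best, best_len = None, -1
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best

def strict_urpf_allows(src, ingress):
    """Strict unicast RPF on a customer-facing port: forward only if the return
    path to the source leaves on the same port the packet arrived on. A source
    belonging to another customer, a private range, or the wider Internet fails."""
    return best_route(src) == ingress

def filter_packets(packets):
    """Apply strict uRPF on customer ports only. Strict mode is deliberately not
    applied on the upstream port: asymmetric routing there would drop legitimate
    traffic, and BCP38 targets the edge where one source prefix is assigned."""
    decisions = []
    for src, ingress in packets:
        if ingress.startswith("cust") and not strict_urpf_allows(src, ingress):
            decisions.append((src, ingress, "drop"))
        else:
            decisions.append((src, ingress, "forward"))
    return decisions

# Constructed sample packets: (source address, arriving interface)
PACKETS = [
    ("203.0.113.7", "cust0"),      # customer 0 using its own address: forward
    ("198.51.100.5", "cust0"),     # customer 0 spoofing customer 1's address: drop
    ("10.0.0.1", "cust1"),         # private/bogon source on a customer port: drop
    ("192.0.2.9", "cust1"),        # address not assigned to any customer: drop
    ("198.51.100.200", "cust1"),   # outside customer 1's /25: drop
    ("192.0.2.9", "upstream"),     # upstream traffic is not strict-checked: forward
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(PACKETS):
        print(f"{src:16} on {iface:9} -> {verdict}")
```

On real routers the same check is a per-interface setting; the model is only meant to show why a spoofed source fails it while a legitimate one passes.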
About 80% of large Internet backbone providers today have implemented ingress filtering. If other network operators of all sizes around the world followed suit, they would significantly reduce the impact of DDoS attacks.
When BCP38 made its debut, industry watchers suggested that the federal government should use its massive purchasing power to include ingress filtering as part of its contracting requirements. In this way, the industry could rely on market forces to improve network security, rather than imposing new regulations. But the powerful telecom lobby quickly pushed back, and Congress failed to pass federal contracting requirements.
Using known science like BCP38 is about willpower and collaboration. It could take many years to get sound, scientific ground rules in place for the Internet. After all, the Internet isn’t collapsing—at least not yet—so there’s less motivation for the Internet’s commercial interests than there was for fishers who were going out of business. In the meantime, one viable idea is to use market pressures (at least in aggregate) to push Internet service providers to halt the spread of spoofed IP addresses and botnet attacks.
Defend Yourself Locally, Contract With the Globe in Mind
There is no magical cure for DDoS attacks or cyber exploits. As long as humans have financial or other incentives, the attacks will continue. IT organizations must invest in an agile, multi-layered approach to defending themselves in the here and now. That effort should include perimeter-based detection systems that operate on a network-wide basis and offer flexibility to adjust alerts to changing conditions. Network organizations should also deploy deep network-traffic analytics that offer unconstrained ad hoc data exploration. Network and security experts can use that visibility to identify new attacks, prune false positives and false negatives, and continuously improve detection and mitigation practices.
Companies and government agencies have another tool at their disposal. They can use their contracts for Internet services to make a safer Internet by requiring BCP38 compliance as part of all proposal requests. In this way, business leaders and public officials can do their part to prevent the Internet of Attacks and reduce future harm as the industry rolls out the next generation of Internet infrastructure.