The DDoS Industrial Complex Just Keeps on Growing

DARPA (Defense Advanced Research Projects Agency) is now awarding projects to vendors so they can fill the security industry with next-generation tools to mitigate DDoS attacks.

The article's main points are:

DARPA says the XD3 program looks to develop technologies that:

  • Thwart DDoS attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting
  • Disguise the characteristics and behaviors of those assets to confuse or deceive the adversary
  • Blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission-critical servers.

How about, instead of creating infinite complexity, just stopping them? I wrote about how this could be done back in December 2015.

Or better yet, how about stinging and arresting people who initiate them? Perhaps we don’t have the police powers to do so. Maybe the FBI has the manpower to do this. Hopefully it will not get to the point where we need to just cut off those countries from the Internet.

Am I just stupid? Or am I missing something? What would be the cost to the security industry if we actually found a non-labor-intensive way to put an end to this nonsense?

By Art Reisman



The 1/4 Million DDoS Extortion

In Christian Sager’s June 2014 article “Why do people perform DDoS attacks“, he does an excellent job in outlining the possible motivations for DDoS attackers. I especially like the DDoS attack map site he references. Here is a snapshot from today’s attacks.

[Image: DDoS attacks around the world]

Christian covers a range of excellent points behind DDoS attacks, and yes, he does address direct monetary extortion in the following excerpt.

Feedly’s claim that their DDoS attack was the result of extortionists isn’t that unbelievable. There have been several cases where a DDoS is followed by a ransom note. Once the site is down, the attackers demand money in exchange for stopping their attacks. Some even make the threat before the attack. In both cases their rate of success is usually low.

A DDoS attack with a ransom note is a bit crude when compared to the much more insidious indirect extortion going on in the world of DDoS attacks. Half a million dollars is the base price for a firewall capable of mitigating a DDoS attack on a 10 gig network (with limited success at that). Vendors are selling thousands of them a year. Let me state, I do not have evidence of any link between the sale of a firewall product and a deliberate DDoS attack, but I wonder why the DDoS attacks are so widespread and cannot help but speculate. With infrastructure equipment sales struggling in a flat IT economy, the prevalence of widespread DDoS attacks is picking up.

Why Are DDoS Attacks So Hard to Block?

I started off this post thinking about whether or not moving your infrastructure to a cloud would give organizations better protection against DDoS attackers, and the short answer is: not really.

The issue with a coordinated DDoS attack is that it is usually orchestrated from a wide range of attacking computers, which are typically hijacked and retrofitted with undetected scripts that can be turned on to send a flood of data at a target when directed by the hijacker.

When the attack is commenced, all these disparate computers start sending data to your organization in unison. In order to stop just one of these attacking computers from flooding your network, you have to cut it off upstream at the source.

Blocking the attacker’s incoming IP at your local firewall doesn’t do any good, because the main pipe coming from your upstream provider is still flooded with garbage and most likely unusable. So you have to follow the trail of the attacking computer farther upstream. Your provider should be able to help if you can work with them, but that may or may not be effective, because a DDoS attack, if large enough, can also torment your provider. And even if you do manage to work upstream and block the IPs where the attack is coming from, some DDoS attackers can just keep coming at you from a new wave of IP addresses. One person acting alone can hijack millions of computers from around the world and use them in waves of recurring attacks, with little effort.

How does a hijacker have the time to take over a million computers?

I’ll cover that in my next post.

As for the cloud offering protection, a cloud-hosted IT infrastructure cannot provide any immunity, since the cloud itself can be attacked; however, cloud providers might have the resources to detect and more easily block an attacker farther upstream, and a bit more quickly, so there is some benefit.


See also

Regulate DDoS Like Pollution

DD4BC Group Targets Companies with Ransom-Driven DDoS Attacks




Regulate DDoS Like Pollution

I just read another article on DDoS attacks and how companies are being extorted. As usual, I am thinking way out of the box again.

Background on the mechanics of a DDoS attack

The raw tools of a DDoS attacker are made possible by the billions of computing devices sitting around the world attached to the Internet. A DDoS attacker probes constantly for computers to hack, and once they have several hundred or more under their control, they can point them at any business, sending a storm of data requests that jams its Internet links from the outside. Think of a million people trying to cram into the door of your apartment all at once; you would be trapped inside.

I know first hand this can happen. I put some vulnerable, poorly written HTML code on a home computer I was testing with, and somebody found it, exploited the HTML code and turned the machine into an attacking computer.

The best, and perhaps the only reliable, way to stop a DDoS attack is to stop it at the source computers. The problem here is that these are privately owned and maintained by people who usually have no idea that their computer has been hijacked. The larger providers do have fairly sophisticated software to detect attacks coming from home users, but obviously this is not working very well.

Despite how Orwellian this might sound, I am thinking that perhaps some government standard built into the line cards that connect to the Internet is where we will find a solution. Okay, I can hear the groans and feel the tomatoes hitting my face, but before you pass judgment, remember these attacks are terroristic in nature. We debate heavily over gun control and the Second Amendment, and yet we sort of sit idly by and take trillions of dollars in economic hits from Internet terrorists.

A technical solution is quite feasible, and here is how it would work.

Most of the devices that connect computers to the Internet have mini computers built into them. These computers, which handle the lowest level of communication, are basically factory sealed at the time of manufacture. For example, the chips inside the wireless LAN cards that connect you to the outside world run small, factory-sealed programs.

The footprint of a DDoS attack going out is much different from normal usage patterns and could easily be spotted by the chipsets in these line cards.

The EPA regulates the smoke stacks on coal power plants and the emissions on cars to keep our air clean. The same precedent could be used to regulate any device that connects to the Internet. It is absurd how easily a few people can bring down entire multi-billion-dollar corporations. By inserting simple logic into the chipsets of consumer devices we could detect and disable DDoS attack attempts before they get going. In essence we would remove the criminals’ tool set, perhaps entirely in a matter of a few years. The beauty of this proposal is that it would have no effect on the operating systems that computers use. iOS, Linux and Windows would not require any updates, only the platforms that they run on.
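To make the proposal concrete, here is an added toy model (not code from the post, and not any vendor's firmware) of the egress check a line-card chip could run. It sees only what such a chip would see, packets leaving and arriving on one interface, and trips when one destination is receiving far more outbound packets per second than a watermark while almost nothing comes back from it. The window, watermark and reply-ratio values are assumptions picked for illustration, and all traffic is constructed inside the block.

```python
"""Added example, not from the post: a toy model of the egress check the post
proposes for the firmware of a NIC or line card.  It keeps a sliding-window
count of outbound and inbound packets per peer and trips when one peer is
being sent far more than a watermark with almost no replies coming back.
Every constant here is an assumption chosen for illustration; all traffic is
constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0     # sliding window the card keeps per peer (assumed)
PPS_WATERMARK = 2000.0   # outbound packets/sec to one peer treated as abnormal (assumed)
MIN_REPLY_RATIO = 0.02   # real sessions get answers; an unanswered stream is the tell (assumed)


class EgressMonitor:
    """Per-peer sliding-window counters plus a block list, as a line card might keep."""

    def __init__(self, window=WINDOW_SECONDS, watermark=PPS_WATERMARK, min_reply=MIN_REPLY_RATIO):
        self.window = window
        self.watermark = watermark
        self.min_reply = min_reply
        self.out_times = defaultdict(deque)   # peer -> timestamps of outbound packets
        self.in_times = defaultdict(deque)    # peer -> timestamps of inbound packets
        self.blocked = set()

    def _prune(self, dq, now):
        # Drop timestamps that have slid out of the window.
        while dq and dq[0] < now - self.window:
            dq.popleft()

    def observe(self, ts, direction, peer):
        """Record one packet and return 'forward' or 'drop'."""
        if peer in self.blocked:
            return "drop"
        if direction == "in":
            self.in_times[peer].append(ts)
            return "forward"
        out, inc = self.out_times[peer], self.in_times[peer]
        out.append(ts)
        self._prune(out, ts)
        self._prune(inc, ts)
        pps = len(out) / self.window
        reply_ratio = len(inc) / len(out)
        if pps > self.watermark and reply_ratio < self.min_reply:
            self.blocked.add(peer)   # disable the flood at the source, before it reaches the uplink
            return "drop"
        return "forward"


def simulate():
    """Run constructed traffic through the monitor: one normal request/response
    session to 203.0.113.10, then a 12,000-packet unanswered burst to 198.51.100.5
    spread over four seconds.  Returns which peers were blocked and per-peer tallies."""
    mon = EgressMonitor()
    tally = defaultdict(lambda: {"forward": 0, "drop": 0})
    # Normal session: about 25 packets/sec each way, every request answered.
    for i in range(100):
        t = i * 0.04
        tally["203.0.113.10"][mon.observe(t, "out", "203.0.113.10")] += 1
        tally["203.0.113.10"][mon.observe(t + 0.01, "in", "203.0.113.10")] += 1
    # Unanswered burst: the outbound footprint the post says a chip could spot.
    for i in range(12000):
        t = 100.0 + i * (4.0 / 12000)
        tally["198.51.100.5"][mon.observe(t, "out", "198.51.100.5")] += 1
    return {"blocked": sorted(mon.blocked), "tally": dict(tally)}


if __name__ == "__main__":
    print(simulate())
```

With these constants the normal session is never touched, while the burst is forwarded only until its rate crosses the watermark (10,000 packets in a 5-second window) and is dropped from the 10,001st packet on. The reply-ratio check is what keeps a legitimate high-rate transfer, which does receive acknowledgements, from being mistaken for a flood.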

I am likely about 10 years ahead of my time with this writing, but I suspect given the rise of DDoS attacks this may be a very viable solution. We’ll see when the dust settles.



NetEqualizer DDoS Firewall: Simple and Effective without the Bloat

One of the challenges when creating a security tool is validating that it works when the S$%^ hits the fan. We have heard (via anonymous sources) that many of the high-dollar solutions out there create bloated, rotting piles of information whose only purpose is to look impressive due to their voluminous output. A typical $100K buys you a CYA report: a tool that covers everything, leaving the customer to decide what to do, which is usually nothing or some misguided “make work”. These non-specific tools are about as useful as a weather forecast that predicts everything all the time: rain, snow, wind, hot, cold, for every day of the year. If you predict everything, you can’t be wrong, right?

On the other hand, the reports from the field coming in for our DDoS tool are:

Yes, it works.

Yes, it is simple to use.

Yes, it takes action when appropriate.

We have confirmation that our DDoS tool, combined with our shaping algorithms, has kept some very large institutions up and running while under very heavy, sophisticated DDoS attacks. The reasons are simple. We look at the pattern of incoming packets in a normal situation. When the pattern reaches a watermark that is clearly beyond normal, we block those incoming circuits. If needed, we can also take a softer approach, so the attacker is not aware we are throttling them. This is needed because in some situations outright blocking will alert the attacker that you are on to them and cause them to double down.

When under DDoS attack you don’t need reports; you need immediate action. If you would like to discuss our solution in more detail feel free to contact us.

DDoS Attacker Caught in the Act

Before the telescope, planets and stars were just dots of light to the human eye. Before the invention of X-rays, and the MRI, doctors often could not determine the cause of a problem until a person was in an autopsy room.

Today, there is no reason to remain blind to DDoS and hacking intrusions.

This morning I got a text message from our training engineer at a customer site. “Just stopped a Chinese DDoS attack at the #### school.”

Our training engineer was not even doing a security audit. He was simply walking through the features of our product. He had scrolled over to our DDoS monitoring tool, and right away this attack popped out. It was as clear as a large cancerous tumor in an MRI. He noticed an outside entity was bombarding the customer link with all kinds of queries.

The attacker stood out because our DDoS tool identifies uninvited queries, as well as gives you a count of how often they are hitting your enterprise. Our engineer then checked the source of the incoming IP, and thus removed any lingering doubt that this was a hostile attack. The requests were originating from China, which was not an expected source of traffic on this school’s network.

This wasn’t yet a full-scale DDoS attack, but the warning signs were clear. The attacker happened to be hitting port 22, probing for login vulnerabilities on all the servers inside the school. From the frequency of the incoming requests, it was obviously a bot. Combining the frequency of hits with the fact that it was an uninvited outside IP address, it stood out like a sore thumb in our DDoS monitor (easily flagged). Once identified, the IT administrator at the school was then able to block the IP, averting any further shenanigans from this hacker.
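The two detection ideas described on this page, the baseline-and-watermark rule with its soft (throttle) and hard (block) responses from the “Simple and Effective” post, and the “uninvited query” count that exposed the port 22 probing above, are small enough to show in one offline script. The following is an added example written for this page; it is not NetEqualizer's code and says nothing about how their product is built. The log format, the inside address range, the baseline numbers and the watermark multipliers are all constructed assumptions.

```python
"""Added example, not NetEqualizer's code: an offline analyzer over constructed
connection-log lines that implements two ideas described in the posts:
(1) flag "uninvited" inbound sessions, i.e. an outside address hitting inside
hosts without any inside host having first talked to it, and count how often
each source does so; (2) turn a baseline of normal per-source counts into a
watermark and choose a soft (throttle) or hard (block) action per source."""
import ipaddress
import statistics
from collections import Counter

INSIDE = ipaddress.ip_network("10.20.0.0/16")   # assumed campus address range

# Constructed log lines: "<epoch> <src>:<sport> -> <dst>:<dport>".
# Two normal outbound HTTPS sessions with their replies, then one outside
# address hitting hosts in 10.20.2.0/24 on port 22, 300 times in six seconds.
SAMPLE_LOG = [
    "1700000000 10.20.1.15:51000 -> 203.0.113.8:443",
    "1700000001 203.0.113.8:443 -> 10.20.1.15:51000",
    "1700000001 10.20.1.16:51001 -> 203.0.113.9:443",
    "1700000002 203.0.113.9:443 -> 10.20.1.16:51001",
] + [
    f"{1700000010 + i // 50} 198.51.100.77:{40000 + i} -> 10.20.2.{1 + i % 20}:22"
    for i in range(300)
]

# Per-source uninvited-hit counts observed on a normal day (constructed baseline).
NORMAL_BASELINE = [0, 1, 2, 1, 3, 0, 2, 1, 1, 2]


def parse_line(line):
    """Split one constructed log line into (epoch, src_ip, dst_ip, dport)."""
    ts, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return int(ts), ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)


def uninvited_queries(lines, window=300):
    """Count inbound sessions per (source, dport) that no inside host invited.

    'Invited' is approximated as: some inside host initiated a session to that
    outside address within `window` seconds.  A real implementation would match
    the full 5-tuple; address-level matching keeps the example short."""
    last_invite = {}   # outside address -> epoch of the last inside-initiated session
    hits = Counter()
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if src in INSIDE and dst not in INSIDE:
            last_invite[dst] = ts
        elif src not in INSIDE and dst in INSIDE:
            if src not in last_invite or ts - last_invite[src] > window:
                hits[(str(src), dport)] += 1
    return hits


def watermark_from_baseline(baseline, k=3.0):
    """Soft watermark = mean + k * stdev of the normal per-source counts."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def decide_actions(hits, soft, hard_factor=10):
    """Map each outside source to watch / throttle / block.

    Throttling is the 'softer approach' from the post: the source keeps getting
    a trickle of service instead of a hard failure it could notice."""
    per_source = Counter()
    for (src, _), n in hits.items():
        per_source[src] += n
    hard = soft * hard_factor
    actions = {}
    for src, n in per_source.items():
        if n >= hard:
            actions[src] = "block"
        elif n >= soft:
            actions[src] = "throttle"
        else:
            actions[src] = "watch"
    return actions


def analyze(lines=SAMPLE_LOG, baseline=NORMAL_BASELINE):
    """Full pass: count uninvited hits, derive the watermark, decide actions."""
    hits = uninvited_queries(lines)
    soft = watermark_from_baseline(baseline)
    return {"hits": hits, "soft_watermark": soft, "actions": decide_actions(hits, soft)}


if __name__ == "__main__":
    report = analyze()
    for (src, dport), n in sorted(report["hits"].items()):
        print(f"{src} -> port {dport}: {n} uninvited hits")
    print("soft watermark:", round(report["soft_watermark"], 2), "actions:", report["actions"])
```

On the constructed log the two HTTPS replies are recognised as invited because an inside host opened those sessions a second earlier, while the 300 inbound hits on port 22 from 198.51.100.77 have no inside-initiated counterpart, land far above the baseline-derived watermark, and are marked for blocking. Lowering `hard_factor`, or raising `k`, moves the boundary between the throttle and block responses.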

In everyday life, we’re able to identify warning signs and act accordingly for our own protection. For example, if a person showed up at your front door wearing a ski mask with an AK-47, you would likely not let them in, right? The threat would be obvious. The point is it should not be expensive or impractical for the average layman to also easily spot a security risk on a network. You just need a tool that exposes them.

You Also Might Like

Firewall Recipe for DDoS Attack Prevention and Mitigation


Network Provider Outages and DDoS Attacks Dwarf Local Hardware Failure Problems

My Internet service went down yesterday and I had to revert to my backup provider.

Network Outages due to upstream provider failure are endless…

Comcast Outage for North Denver Fiber cut

Comcast hit with massive Internet outage

Forum discussion about wide spread Internet outage Des Moines Iowa

Spokane Washington 10,000 customers without Internet service

Widespread Internet outage London, Virgin Media

And even if your provider is not to blame, there are endless hackers out there instigating DDoS attacks, some with an ax to grind, others just for random entertainment.

DDoS attack brings down Web Drive Client New Zealand

DDoS attack brings down Dutch government

DDoS attack interrupts tournament.

Although this sampling of news stories is not very scientific, I could literally spend a month clipping these articles. There are new ones every day, and that is just the major ones that get reported. If I informally poll our customers, almost every single one of them has seen a DDoS attack of some kind in the past year, and all have had some sort of upstream Internet outage within the last couple of years.

Now if I ask how many have had critical network equipment go down due to hardware failure, that list shrinks to maybe 1 or 2 percent of our customers. Basically, what this tells me is you have a 100 percent chance of a network outage for some period of time every year due to a problem upstream with your provider. You have a 2 percent chance due to a hardware failure with your local core router/firewall/bandwidth/switches.

To put that another way, for every 50 outages caused by external events at your provider beyond your control, you have 1 event due to internal hardware failure.

The solution is to have multiple distinct Internet Providers on hand at all times, so if one goes down you can switch over to the other. As I said there is nothing wrong with the idea of sourcing redundant local equipment, but statistically it is much more important to get a second Internet provider sourced before investing in redundant equipment.

Here is another article highlighting the prevalence of network outages.

Note: Although DDoS attacks are provider-independent, your chances of stopping or mitigating the attack are enhanced by having multiple providers.

Other causes of failures:
Yes, wireless topologies are notoriously unstable, and so are applications running on web servers; both can cause service outages for local users. These types of outages are usually not on the same order as catastrophic hardware failures or upstream failures. Outages with wireless equipment and services are usually related to these products getting into a bad state, and are not associated with a complete loss of communication to the outside world. You’ll still need to reboot these systems to get them back into a good state.

Related Articles: 

The Top Five Causes of Disruption of Internet Service

Five Tips for Defending Against a DDoS Attack


