The war of the packets | Protecting the internet from DDoS

2019-12-19 | Blog

Internet companies are under DDoS siege. Is the best defence a strong offense? [1]
Preface: While I appreciate that what is proposed in this blog may be extreme and have flaws, it is just a proposed idea. Comments and critique are welcome.

Why we need to take the offensive to all those who don’t want to play their role in keeping one of humanity’s biggest achievements from being destroyed.

The internet and how it operates is something most people take for granted. As long as they can grab their phone out of their pocket or open their laptop, people’s expectations are that they are instantly online with fast access to the latest news, Instagram updates or cat videos. The internet is becoming so much more than that – almost everything that we do with technology now requires good connectivity – music streaming on Spotify or Pandora, cloud business apps for communications and productivity, even getting around in the physical world with Uber/Lyft/Grab etc. are all heavily reliant on stable internet access.

That stability is under serious pressure and if nothing is done to counter a looming new threat, we could lose it.

The Internet is Under Serious Attack

Denial of Service attacks (DoS) are becoming one of the most pervasive and biggest risks to the ongoing operation of the internet. In the “good ol’ days” of the early internet, DoS attacks were just for “a bit of a laugh” or used for some trivial vendetta – one person with a faster internet connection sending too much data to overload another with a slower connection and knock them offline. With the internet not playing a crucial role in day-to-day lives it was hardly worth thinking about.

Through the 2000s the internet started becoming more and more important to our lives through its role in our social lives, commerce and virtually all communications; DoS also evolved into what became known as DDoS or “distributed denial of service” attacks. The next evolutionary step, from which the first D derives its name, is where multiple computers (and now any internet-connected device) work together to create a DoS attack that is the sum of all participants. Now that those participants number 100,000 or more, their power is immense.

Most participants never knew they were involved; rather, their computers were hijacked with rogue software, becoming part of “botnets” – a collection of computers that together can create a large DoS attack. Botnets began life through computers running less secure operating systems #cough# Windows #cough# being infected by malicious software called malware, usually through visiting an uncouth website or opening a phony email attachment. The point was that, being distributed, they could bring literally hundreds of thousands of infected devices to bear in attacking a single target – not even the fastest internet connection of the victim could take that traffic and survive. As time progressed the malware began being spread through new methods such as socially engineered emails – a method of baiting people into allowing it to infect their computers by making the malware look like legitimate content.


The venerable Windows XP – while popular in its day, unfortunately susceptible to malware used by botnets. [2]

Service providers offering DoS “Defence” began to appear, offering protection against the botnets; by having internet pipes and filtering systems that exceeded the capacity of the botnets, they could protect their clients and keep their systems from being overloaded and taken down. And that was the start of the arms race – those behind the DDoS attacks, the DoSers, started to use weaknesses found in parts of internet infrastructure such as name resolution (DNS) and the time protocol (NTP) to amplify their attacks, forcing the defenders to up their defences. As the size of DoS attacks (usually measured as attack traffic volume in Gbps or Tbps) grew and continues to grow, the defenders must keep pace. It’s a never-ending competition.

Fibre – the unintended negative side effects

Internet connections have increased in speed dramatically with the deployment first of DSL/cable and now fiber optic networks and high speed wireless. Especially with technologies such as fibre, these connections tend to be not only faster but, more importantly, more symmetrical (their upload capacity is much closer to their download capacity – something that old-school DSL or cable connections tended not to offer).


Fibre – such a fragile piece of glass is a conduit to internet mayhem. [3]

This means that compromised systems can now each cause far more devastation. For example in New Zealand, 1Gbps download and 500Mbps upload connections are now standard market fare for general consumers. Whereas previously most users had an ADSL connection with at most 1Mbps upload, the same compromised computer now has 500x more bandwidth available over the connection to use in the botnet. Alongside that, virtually all new connections have no data caps, so apart from some lost bandwidth there is not much “damage” that those harbouring botnet devices feel – perhaps a slight slowdown which, at such speeds, is not usually noticeable.

Those on the receiving end feel it. Large internet sites and services are already under attack and in many cases being taken down. Some may remember that, famously, a huge DDoS took Sony down in 2014, including the PlayStation Network and various other services, damaging Sony’s brand image and highly frustrating their users. I run an internet company, Xtracta, that faces major risks from DoS. Xtracta provides public-cloud based document data extraction services – the fact that it is public cloud means that if we were on the receiving end of a DDoS it could cause our service to slow or cease, which would be absolutely terrible. I, alongside everyone in the internet community, have a responsibility to help stamp out the threat of DDoS before we ourselves become victims.

IoT – Internet of Things

But we have reached a turning point. A point where the battle will become unwinnable for the defenders, even with the highest walls (fastest connections and biggest filters). This is the next internet revolution – the internet of things, or IoT. IoT is where things, not just computers, are becoming connected to the internet. Your router, your fridge, your internet camera, your doorbell and even your pets are internet connected.

I(oT)cat – (notice the internet connected collar). Even Puss can now contribute to DDoS attacks [4]

The problem is that, even though Windows was highly susceptible to malware (Microsoft admittedly have upped their game here), at least Microsoft were highly dedicated to protecting it, patching weaknesses via Windows Update as they were found.

With fridges, cameras and doorbells, manufacturers are not so worried about providing a stable, well tested and, most importantly, constantly updated system (I’ll get onto that soon); it’s all about getting the latest product to market and selling it like crazy. The idea of spending huge amounts of time ensuring that the internet connectivity feature is secure (at least as this revolution kicks off) and then maintaining that security over the life of the device (which, let’s face it, for something like a fridge could be 20-30 years) while not earning any revenue from it is unlikely to happen in the consumer electronics industry as we know it today – there simply aren’t the incentives to maintain a device’s security over its lifetime.

Let’s say we had malware infect 500 internet-connected fridges in New Zealand on connections with 500Mbps upload. That alone could create a 250Gbps DDoS, more than enough to swamp the bandwidth of, and take offline, small countries. Why does North Korea need nuclear weapons for a kinetic attack? They can build an arsenal of fridges that could do significant damage through a cyber attack. Some would say Kim Jong-Un is not averse to building up his fridge arsenal.

This is the BIG problem. So how can we stop this from happening and destroying the internet?

Old-School Approach – Regulation

In most developed countries, it is illegal to manufacture or sell products which don’t meet regulations around safety, environmental standards etc. (or, if you are in the EU, every possible aspect of the product that man could ever dream of). If they fail to do this there are major consequences such as fines, forced removal of products from the market etc.


It’s not too difficult to guess where the most regulation for IoT will be… Unfortunately this won’t work on a global internet. [5]

Regulation tends to work well when a country’s own population suffers from breaches of it. The main issue with regulation in regards to botnets is that the targets may not be in the same country as the botnet participants. For example, if Nigeria had 1 million botnet devices that were focused on attacking USA based targets but virtually nothing within Nigeria, Nigeria would see little damage and thus have little incentive to regulate. It’s like climate change: regulations will only work if all parties commit to implementing and enforcing them, and as we have seen with climate change, that is not happening.

What is the answer then – trade sanctions between victim and attacker countries lacking regulations? It’s very difficult to see a resolution. Here’s an idea that removes the need for government and regulation and creates incentives for industry to sort the issue themselves.

Victim and Defender Fight Back

“ISPs and Internet Account Holders Must be Held to Account for the activities of downstream users/devices running through their connections – even if it’s not their direct fault. Perhaps in a world where regulation on this issue will fail, it’s the only way”.

Since regulation won’t be able to resolve these issues, victims, their DDoS defenders and the industry as a whole need to find their own solutions. Without the clout of government/courts behind them, and given that they operate on an internet spanning virtually every jurisdiction, a strong counter-offensive may be the best way.

While those whose devices have been hijacked to be part of a botnet are typically completely oblivious, they need to see an incentive – perhaps even feel some pain – to stop their infected device from participating in attacks.

The defenders need to start looking at their attackers and, while they typically can’t figure out who they are, they usually can monitor the source IP addresses* and traffic flows to at least find the ISPs of botnet participants. *Source address spoofing is a big issue/barrier with this plan – this would need to be addressed in tandem.

The first step is for the victims and defenders to contact the ISPs so that the ISPs can either notify the source clients or pull their connections until the infected device has been taken offline – perhaps a global unwritten “code of conduct” for ISPs trying to defend the thing that their business is built around – the internet.
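As an added illustration of the monitoring-and-notification step described above (example code, not part of the original post), the following Python script groups high-volume attack sources from constructed flow records by their ISP to build an abuse-notification report, and sets aside sources in non-routable ranges that cannot be attributed because they are spoofed. The flow records, the prefix-to-ISP table, the ASNs and the abuse contacts are all constructed placeholders standing in for a real flow collector and WHOIS/ASN lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records, not real traffic: (source IP, destination IP, bytes sent)
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", 900_000_000),
    ("203.0.113.9", "198.51.100.10", 750_000_000),
    ("192.0.2.44", "198.51.100.10", 1_200_000_000),
    ("10.4.4.4", "198.51.100.10", 600_000_000),   # RFC 1918 source: unroutable, so spoofed
    ("198.51.100.200", "198.51.100.10", 50_000),   # small flow, ordinary traffic
]

# Constructed prefix table standing in for a WHOIS/ASN lookup; ASNs and contacts are placeholders
PREFIX_TO_ISP = {
    ipaddress.ip_network("203.0.113.0/24"): ("AS64500", "Example ISP A", "abuse@isp-a.example"),
    ipaddress.ip_network("192.0.2.0/24"): ("AS64501", "Example ISP B", "abuse@isp-b.example"),
    ipaddress.ip_network("198.51.100.0/24"): ("AS64502", "Example ISP C", "abuse@isp-c.example"),
}

# Source ranges that never legitimately appear on the public internet (a minimal bogon list)
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def attribute_sources(flows, min_bytes=100_000_000):
    """Group sources sending more than min_bytes by ISP: returns (per_isp, unattributable).
    Unattributable sources are bogon (spoofed) addresses or prefixes missing from the table."""
    per_isp = defaultdict(lambda: {"name": "", "contact": "", "sources": {}, "bytes": 0})
    unattributable = []
    for src, _dst, nbytes in flows:
        if nbytes < min_bytes:
            continue  # ordinary low-volume flow, not part of the attack
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in BOGONS):
            unattributable.append((src, "bogon source, likely spoofed"))
            continue
        info = next((v for net, v in PREFIX_TO_ISP.items() if addr in net), None)
        if info is None:
            unattributable.append((src, "no ISP mapping"))
            continue
        asn, name, contact = info
        entry = per_isp[asn]
        entry["name"], entry["contact"] = name, contact
        entry["sources"][src] = entry["sources"].get(src, 0) + nbytes
        entry["bytes"] += nbytes
    return dict(per_isp), unattributable


def abuse_report(flows, min_bytes=100_000_000):
    """One line per ISP, largest contributor first, then the sources nobody can be notified about."""
    per_isp, unattributable = attribute_sources(flows, min_bytes)
    lines = [f"{asn} {e['name']} <{e['contact']}>: {sorted(e['sources'])} {e['bytes'] / 1e9:.2f} GB"
             for asn, e in sorted(per_isp.items(), key=lambda kv: -kv[1]["bytes"])]
    lines += [f"UNATTRIBUTABLE {src}: {why}" for src, why in unattributable]
    return lines
```

The unattributable list is the practical face of the spoofing caveat: a notification plan can only reach ISPs for sources whose addresses are genuine, so the defender has to track how much of the attack falls outside it.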

With a basic “notification” plan like this, the issue is that ISPs don’t have any incentive to act on these. I remember years ago, when I was pretty fresh to the industry, I had an Asterisk IP telephony server that was hacked and used to rack up major toll bills on my telco account (the hackers must have been clipping the ticket on the calls to weird destinations charged at $10/minute). Tracing through the system logs, the hacking originated from a Gaza based ISP. I contacted the ISP and, while they said they were looking into it, whenever I reviewed the server logs I still saw hacking attempts from that ISP’s IP ranges months later. What incentive do they have to stop their paying clients accessing the internet, even though they are using it for theft?

The key is to create an incentive for the ISP to take action against the source of the DoS. While this may be seen as extreme, that means sending DoS attacks (or some other kind of “pain”) against those ISPs who don’t cooperate. I am not suggesting attacking the ISP directly; rather, the defenders can use their vast resources to attack the source addresses of the attacks. Firstly, those connections will go offline straight away, perhaps giving the connection owners a clue that they need to check their internal networks. Secondly, the ISP’s network will be hugely affected, with their engineers scrambling to find and end the issues. There will be collateral damage, firstly on other users at the ISP who will have their services degraded or taken offline. The counter-attacks can be short, to make a point to the ISPs that they need to participate in stamping out the botnets. My hope would be that ISPs would soon get the message that if they don’t cooperate, they will have their network constantly degraded to the point they may start losing customers and experiencing a direct impact to their bottom line.

The incentive chain will then work its way down. The ISPs will take the users offline who are the target of counter-attacks to protect their network. The connection owners will want an internet connection and no ISP will provide one to them as long as their devices participate in botnets. They will finally feel real damage.

A page we all don’t like to see – one that should be seen by those harbouring devices used for DDoS.

At this point the whole system of damage being felt by those who have the power to stop the botnets and dodgy devices starts. Consumers won’t buy dodgy IoT devices from vendors with poor reputations that could put them at risk of having their internet cut off. This then moves the incentive onto the distributors to make secure products or risk having no customers. The chain is complete when damage is passed down to those who can stop the botnets by ensuring device security from the start.

It’s not pretty and will have collateral damage. Its ethics are questionable, but this may be the best and possibly most workable solution that can pass the damages and incentives onto those operating and producing these devices, who otherwise wouldn’t see any consequence.

DDoS Defenders – License to Counter Hack?

A question which has come up from time to time but has never been more relevant: do we want to give the defenders the same powers as the attackers, even though it may be questionable?

“License to kill” – one of 007’s most critical privileges. Could you imagine the Walther PPK being replaced by a taser and the great one-liners replaced by “you are under arrest” repeated to goon after goon? It just wouldn’t work. This is kind of the situation the DDoS defenders face today. Their adversaries have no limits and the defenders don’t have the “internet willpower” to fight at their level. Maybe this blog can be the start of a change there.

IoT Manufacturers – Consumers & Regulators Await You

While I have intimated that IoT manufacturers may take a blasé attitude to the security of their internet connected devices, if consumers feel pain as a result of lax attention to the security of those products, the manufacturers will feel a backlash that will hurt their own bottom lines. Many in the internet security and wider internet community are already pushing for manufacturers to take stronger responsibility, and name and shame those that don’t secure their products (the news about the spread of malware on cheap consumer routers over the past couple of years is a good example of this). The problem is that this has limited reach and most consumers are not even aware of (nor do they particularly care about) this.

If consumers start being taken offline or disconnected by their ISP (as has been suggested in this blog) for harbouring a poorly secured device, they are going to be angry with their device manufacturers. That is going to turn into mainstream media coverage, social media beat-ups and brand boycotts. While this alone is probably sufficient to get the device manufacturers to start taking serious responsibility for their device security, it may also mean politicians jump on the bandwagon and enact regulations in this area.

While the victim of a DDoS can complain to manufacturers of poorly secured equipment, the reality is those manufacturers aren’t going to feel any consequences and they lack the incentive to do anything. Move that pain to the masses, who decide to stop buying that manufacturer’s devices, and the manufacturers will finally feel the consequences of their insecure devices and move swiftly to address issues and to design and maintain the security of their product portfolios.

While it may seem severe, DDoS defence is going to mean spreading the pain for all to feel; otherwise we risk losing the reliable and innovative internet we know and love.

Comments and critique are welcome.

(1) “Past Present Future” Author: Ivan Bukhantsov

(2) “Windows XP” Ted S. Warren AP

(3) “Macro of a multimode fiber used in 1.25Gb/s Fibre Channel with the SC termination removed. Picture taken with a Samsung NV11 digital camera at 10MP, “80 ISO” Author: Hhedeshian Creative Commons Attribution 3.0 Unported

(4) “Cat” Author: PetTracer

(5) “EU Flagga” Author: Bobby Hidy. Creative Commons Attribution-Share Alike 2.0 Generic