Last Wednesday, in the hallways of the NANOG 68 meetings in Dallas, I started asking a question that goes to the heart of prioritizing work to improve Internet security; on Friday, with the DDoS attack on Dyn’s infrastructure, we got some searing insight into why it is quite possibly an urgent question.
My question on Wednesday was:
Do we have any idea what percentage of malicious behaviour on the Internet is caused by spoofed addresses, hijacked routes, or otherwise-purloined Internet resources?
The point is — much of the discussion around how to secure the Internet infrastructure revolves around ensuring the appropriately-designated entities are making use of Internet resources, and that accountability for actions is an adequate deterrent for significantly malicious behaviour on the Internet. If that’s not the case — if bad actors can carry out significantly damaging actions on the Internet while using un-spoofed addresses and non-hijacked routes — then our work to ensure accountability is certainly necessary, but not sufficient.
No, we don’t have a scientifically complete (or statistically-relevant) answer to my question, but Friday’s attack on Dyn’s infrastructure, that was noticed by Twitter and other major service users on the US East Coast, apparently did not rely on spoofing. Where a “typical” DDoS attack is mounted by spoofing a source address with an unroutable return IP address, possibly sending many such attack messages from one (unaccountable) source to get the effect of millions of hits on the infrastructure, Friday’s attack apparently used a different approach to generate all that traffic. Evidently, it used the tens of millions of devices in the so-called Mirai botnet of consumer electronics (PVRs, cameras, and Internet gateways) to generate the DDoS traffic in a coordinated fashion. Millions of hits, all at once, from all over the network.
Did anyone else think, “Rise of the Machines“? :-/ .
However, it means that the inevitable chant of “Implement BCP 38 already!” is not immediately helpful to prevent this. Crypto-encrusted routing topology would not prevent this.
So, what can we do?
- Build better consumer electronics with real security baked in. (See http://www.securerf.com/dyn-suffered-ddos-attack-consumer-iot-device-vulnerabilities-can-addressed/ ). It won’t solve the problem for existing devices, but we need at least to staunch the flow of attack devices being deployed unwittingly.
- Collaborate — new attack approaches mean that existing tools and practices are not enough, and at some point the problem of an attack explodes beyond the scope of any single organization to detect and/or mitigate. I was very pleased to see Kyle York’s statement from Dyn (http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/) recognize the value of support from other infrastructure operators as Dyn worked to mitigate the attacks.
- Secure what we can. There are organizations that are building increasing knowledge of what constitutes “normal” or “abnormal” behaviour on the Internet, including the ability to detect where spoofed traffic is actually coming from in reasonable timeframes. But, all of this is easier if the foundation of the network is appropriately secured. So, implement BCP 38 already!
What does this mean for projects like URSA, which aims for better Internet routing infrastructure security? Definitely necessary! And, where that’s not sufficient, it pays to remember that the fundamental premise of TechArk activities is that (cross-industry) collaboration is key to a better Internet for everyone. What can we do to work together to prevent, detect and mitigate malicious behaviour?
By the way, the inspiration for my question came from watching a couple of the NANOG 68 presentations, not the least of which was the presentation of Ron Winward, of Radware, on “The Current Economics of Cyber Attacks”. It’s an excellent presentation, and I challenge you to walk away without a renewed appreciation of how the scale of the challenge is changing: https://www.youtube.com/watch?v=szwSlFAsexU .
