Imagine standing in line at a coffee shop. The place is brimming with people, all shouting their orders at the one overwhelmed barista. You place your order, but he can’t hear you. You shout it, you scream it over the din of the thousands of people also ordering their coffee, but the barista just shrugs because he can’t make out your order, much less process it. No coffee for you. As you leave, you realize those thousands of other customers aren’t even customers; they were just noise generated to keep you from getting your coffee.
Welcome to DDoS.
If you, like millions of other users and businesses, found yourself with reduced or no internet access recently because of the DYN attack, you may have just had your first ugly introduction to DDoS, or Distributed Denial of Service. Back in the early 1980s, ThreatSTOP’s Chief Scientist Paul Mockapetris invented DNS, an infrastructure layer of the modern internet, and he is alarmed at what DDoS could mean for our future. “It’s an asymmetric warfare tactic used by the bad guys to bring down the internet,” Mockapetris says, “and it’s not only getting more prevalent and sinister, but it threatens the very freedoms, values and vision we’ve long held true of the internet: a place where we can freely roam both for entertainment and business, and that the infrastructure holding it all together should always work.”
Before thinking about what can be done to prevent these attacks and their ilk, which we are sure to see more of, a short primer on DNS, the service these attacks target: DNS, often referred to as “the phonebook of the internet”, stands for Domain Name System. It translates easy-to-remember domain names such as threatstop.com into the numerical IP addresses computers use to connect and communicate with each other. While phonebooks may be a bit dated, think of it like this: in the age of smartphones and contacts (the people I call on my phone), it’s like the mapping between my friend’s name and his actual phone number. I can tell my phone to call my friend, or press the icon next to his name, and my phone dials his number. Similarly, when I make a DNS request to go to threatstop.com, a DNS server returns the IP address and my computer “calls” that IP so I can connect to it and visit the website. When this mapping breaks down, much like with the poor barista, nobody gets their coffee and nobody reaches the website.
The successful DDoS attack on DYN was an asymmetric attack: DYN was defending a fortified position (its DNS servers) against a huge and growing army that can fight dirty, choosing its timing and tactics. The bad guys had enlisted IoT devices, the robotic vacuums, smart TVs and wireless webcams we all own, recruiting them with malware to attack DYN and do their evil bidding. Mockapetris says, “this won’t be the last time we see an attack of this type or scale, and losing this battle might be the tipping point where we lose our vision for what the internet itself should be.”
But the inventor of DNS has some ideas about how we can defend against these types of growing attacks, and what solving it may cost all of us. “My position is we need to look at this in two ways: First, what are the prospects for fixing the problem with the technologies we have today? Second, if we fundamentally change the network in favor of security, what will that look like?”
The typical reaction of DNS server operators under attack is to try to identify, and then reduce, the attack flows: the flood of generated DNS traffic that signals a DDoS attack. “This plays out as a cat and mouse game between the attacker’s desire to wage and grow the attack and the defender’s desire to block or reduce it,” says Mockapetris.
Attackers use either a flood of long-winded DNS queries (a thousand customers all ordering a double-shot caramel macchiato with soy milk), or a method called amplification, where a small attack request over DNS bounces off a legitimate server and ricochets, echoing and resonating, into a much larger DNS answer aimed at the target: like ordering one small coffee and then having a thousand other people repeat the order to drown out the next customer. In the case of the DYN attack, it looks as though both were used. The defender’s servers quickly become overwhelmed and fall over, the barista goes deaf, no coffee for you, and the internet goes dark for millions.
The defender today will try to recognize these attacking queries and eliminate them via source address verification (SAFE), rate limit them, or even break the traditional DNS protocol and refuse to generate long responses (breaking the internet for some to preserve it for the many). But even when we implement all of the defenses at hand today and reduce the DDoS attack by 99 percent, is the threat really over? Probably not, if the attackers can simply recruit 100 times more devices, swell the ranks of their bot army and attack again with redoubled effort.
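The amplification ratio from the previous paragraph and two of the defenses named in this one (rate limiting and refusing long responses) can be seen in a small detection routine. The following is an added example, not code from the original article or from ThreatSTOP, that runs over a constructed resolver query log (the addresses are from the RFC 5737 documentation ranges and the sizes and timestamps are invented). It drops queries from any source that exceeds an assumed per-second budget, and it truncates rather than fully answers any query whose response would be more than an assumed factor larger than the query. Source address verification is not shown because it has to happen in the network, before the query reaches the server.

```python
import re
from collections import Counter

# Constructed query-log sample for this example; not real traffic and not from
# the article. Fields: timestamp, source address, query name and type, query
# size and the size of the response the server would send, both in bytes.
SAMPLE_LOG = """\
2016-10-21T11:10:00Z src=198.51.100.7 qname=example.net qtype=A qsize=44 rsize=60
2016-10-21T11:10:00Z src=203.0.113.9 qname=example.net qtype=TXT qsize=46 rsize=3200
2016-10-21T11:10:00Z src=203.0.113.9 qname=example.net qtype=TXT qsize=46 rsize=3200
2016-10-21T11:10:00Z src=203.0.113.9 qname=example.net qtype=TXT qsize=46 rsize=3200
2016-10-21T11:10:00Z src=203.0.113.9 qname=example.net qtype=TXT qsize=46 rsize=3200
2016-10-21T11:10:01Z src=203.0.113.9 qname=example.net qtype=TXT qsize=46 rsize=3200
2016-10-21T11:10:01Z src=198.51.100.7 qname=www.example.net qtype=AAAA qsize=48 rsize=76
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"qsize=(?P<qsize>\d+) rsize=(?P<rsize>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; sizes become ints and 'second' is the
    timestamp cut to whole seconds, which is the rate-limit window used here."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unparseable log line: %r" % line)
    rec = m.groupdict()
    rec["qsize"] = int(rec["qsize"])
    rec["rsize"] = int(rec["rsize"])
    rec["second"] = rec["ts"][:19]
    return rec


def amplification(rec):
    """Bytes sent back per byte received: the ratio that makes a long answer
    expensive for the defender and worth reflecting for an attacker."""
    return rec["rsize"] / rec["qsize"]


def decide(records, max_qps=3, max_amplification=10.0):
    """Apply two defenses from the article to each record, in order:
    1. per-source rate limiting: beyond max_qps queries from one source in one
       second, further queries are dropped (assumed policy value);
    2. refusing long responses: a query whose answer would exceed
       max_amplification times its own size gets a truncated reply (TC bit set,
       header and question only) instead of the full answer (assumed value).
    Returns the per-record verdicts and a per-(source, verdict) count."""
    seen = Counter()
    verdicts = []
    summary = Counter()
    for rec in records:
        window = (rec["src"], rec["second"])
        seen[window] += 1
        if seen[window] > max_qps:
            verdict = "drop:rate-limit"
        elif amplification(rec) > max_amplification:
            verdict = "truncate"
        else:
            verdict = "answer"
        verdicts.append(verdict)
        summary[(rec["src"], verdict)] += 1
    return verdicts, summary


def bytes_saved(records, verdicts):
    """Outbound bytes the two defenses kept off the wire: a dropped query saves
    the whole response, a truncated one saves all but a header-and-question
    reply, approximated here by the query size."""
    total = 0
    for rec, verdict in zip(records, verdicts):
        if verdict == "drop:rate-limit":
            total += rec["rsize"]
        elif verdict == "truncate":
            total += rec["rsize"] - rec["qsize"]
    return total


if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    results, counts = decide(recs)
    for rec, verdict in zip(recs, results):
        print("%-14s %-5s amp=%6.1f -> %s"
              % (rec["src"], rec["qtype"], amplification(rec), verdict))
    print(dict(counts))
    print("bytes kept off the wire:", bytes_saved(recs, results))
```

In production the key and the window are coarser than one address and one second; BIND’s response rate limiting, for instance, groups clients by netblock and also keys on the content of the response. Truncation is the protocol-preserving variant of “refusing long responses”: a legitimate resolver that receives a TC reply retries over TCP and still gets its full answer, while a forged sender never completes that handshake, so the long response is only emitted to a party that demonstrably holds the address it claims.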
According to Mockapetris, while DYN can get assistance, there is little help for those of us who often get unknowingly co-opted into the battle. “While the big companies who run the DNS root servers, or DYN, might be able to get a lot of attention and assistance from law enforcement, Federal agencies and ISPs, what about the populace who have insecure IoT devices like webcams and connected refrigerators? They are still very much on their own when it comes to defending against DDoS, ransomware and the like, whether as a victim or an unknowing participant.”
Joe Dahlquist, VP of Product Management at ThreatSTOP, feels that DDoS is an avenue for more subtle threats in the near term. “Perhaps we will see a simple attack that prevents someone from booking a flight, or buying a product from their preferred vendor, leaving no option but to buy that flight or product on a competing site. Could DDoS-for-hire be used to subtly subvert sales or web traffic?” The online gambling world is familiar with this type of attack, so it’s not out of bounds to expect it will be used for other types of ecommerce crime. When asked if DDoS could be used by state-sponsored entities, Mockapetris said, “the question of whether nation states are developing DDOS capabilities is moot, when the capability is already available and used in retail crime.”
OK, what about better security for the devices themselves, the ones used to attack DNS servers like those at DYN? If we can get the devices out there that use DNS to better defend against DDoS attacks, could we win this battle down in the trenches? Tom Byrnes, Founder and CEO of ThreatSTOP, says, “the huge routers that power the Internet were patched quickly after their vulnerabilities to NSA hacking tools went public. But what about the people everywhere with their wireless webcams? Can we inspire the home users? Who has the responsibility to prevent the SmartTV from getting recruited into the attacker’s army: the manufacturer, the user, the ISP?”
Mockapetris had a big hand in making the internet we all use today, and he says it was guided by a vision. “What made the Internet great? Three ideals: first, connections to an ever-expanding population of other users and resources (the Network Effect); second, statistical sharing of ever-expanding bandwidth; and lastly, permission-less innovation, sometimes called the end-to-end argument, or the ‘rise of the dumb network’. The challenge will be protecting our future network without compromising those ideals.”
In today’s digital Serengeti that is the Internet, the bad guys are simply taking full advantage of these capabilities to further their own ends. We will fight back, but will we have to sacrifice our ideals? Mockapetris says, “it’s my premise that if we simply cruise along with today’s ideas about solving the problem, we could end up losing all three ideals. For the good guys to win, what we need is innovation.”
“A dumb network that allows edge nodes the unrestricted ability to send data to any other edge node is the dream of many IPv6 fans, who remember the early days of IPv4, before NATs came to own the game and provide some barrier to attacks. But so long as thousands, millions, or billions of edge bots get to send at a smaller number of targets, we won’t be safe”, says Mockapetris. “However, the filtering should always be under the control of the end user, rather than the carrier, even if most users ultimately outsource the job to the carrier”.
Network neutrality is at risk here as well. We can expect managed network services that enhance security for selected vendors; pay-to-play protection may well be on the horizon. Additionally, we can expect DNS administrators to rethink how they configure DNS for their networks, favoring proper load-balancing and availability over shortcuts that shift the burden onto companies like DYN.
“Lastly”, says Mockapetris, “we need to recognize that users make the choice between capability, security, and cost, whether paying in dollars or inconvenience, and security usually isn’t the most important thing until they have been a target. This is particularly true of more recent generations that view phones as things to be jailbroken or loaded with sketchy applications and don’t care about the consequences, as well as adults that don’t realize that the web page they just viewed installed malware on their machine”.
The inventor of DNS remains cautiously hopeful that we can stop the types of attacks that impacted so many people and businesses in the DYN attack: “There’s some hope that ingenuity can win out, but that’s still a dream.”