Cyber War is, we are told, happening increasingly all around us. However it doesn’t normally (touch wood) affect the average man in the street, until last month that is when millions of ordinary Internet users were caught in an ugly crossfire between warring companies; suffering delays in services and disruption to access.
The target of what became the largest DDoS attack in history (up to 300 Gb/s) was Spamhaus – an anti-spam website whose practices and methods have made them unpopular within shadier corners of the internet. The attack, began on March 18th, fully saturating Spamhaus’ connection to the rest of the Internet and came close to knocking their site offline. If not for the intervention of Cloudflare (who provide protection against such attacks) it’s likely it would have done. Cloudflare ‘rescue’ story below.
The Spamhaus DDos attacks may be the biggest to date, but they are not in isolation, rather they are the latest in a long list of recent incidents. American Express and HSBC fell victim to large scale attacks last year and it’s a trend security vendor Kaspersky expects to continue. “In general, attacks of this type are growing in terms of quantity as well as scale. Among the reasons for this growth is the development of the Internet itself (network capacity and computing power) and past failures in investigating and prosecuting individuals behind past attacks.”
Another trend that we are witnessing is that of cyber criminals exploiting a fundamental feature that allows us to use the internet - DNS. Domain Name System converts from name to IP through your computer asking a server what the IP address is. However the chances are that the server you ask won’t know the answer, so it will go and get it for you from a list of known authoritative servers. Once it has the answer it will reply back to original sender. These ‘recursive’ DNS servers are the life blood of how we use the internet, without them you would have to memorise each IP address!
However there are thousands of ‘recursive’ DNS servers out there which will accept queries from any IP address. If spoofed DNS packets are then sent to those unsecured servers they are susceptible to what is known as a DNS amplification attack – where only 3 or 4 KB of data can be sent, but where the request can generate as much as 100x that amount. This means that even with a relatively small number of nodes the bandwidth hit can be enormous. Combating these attacks is possible, but the way in which we do so may hinge on the answers to many other much broader questions about the future of the internet and in particular – who governs it.
Looking at the Spamhaus attack, it would appear that both unsecured DNS (by design) and unsecured DNS (by misconfiguration) were responsible for the amplification of the attack. One way of nullifying this would be for all ISP’s to only allow their customers IP’s to query their own DNS servers (as we do at Fluidata) however the processing overheads deter many others from doing so. As it stands customers also have the option to build their own recursive DNS servers on their own infrastructure; moving DNS outside of the ISP’s responsibility and increasing the potential for misconfiguration; which can be exploited for malicious purposes.
In theory ISP’s could form a united front against DDoS attacks of this nature; through insisting that customers only use their recursive DNS servers and ensuring that those servers are secure. To increase security further BCP-38 could also be deployed – providing filtering on every edge port so that customers cannot spoof traffic from their links. However the move to a more regulated system would rely on (if it was to be truly effective) cross national coordination and likely meet opposition from service providers who do not wish to incur the processing overheads associated with such measures.
Overcoming that opposition (i.e. by turning regulation into something more akin to legal statute) would inexorably carry this issue into the contentious territory of who governs the internet, who polices it and whether anybody has the right to do; a proverbial Pandora’s box with far reaching consequences and considerations for subjects ranging from security to freedom of speech, right to privacy and the debate over the openness of the web. Given this, raising awareness around responsible DNS use seems the most viable course of action; the Spamhaus attack legacy might just be encouraging people to think a little more about it.