Security Externalities and DDOS Attacks
Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited:
The attackers’ goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker’s traffic-sending capacity, so that the amount of traffic arriving at the target is much greater than the attacker can send himself. To do this, the attacker typically tries to induce many computers around the Internet to send large amounts of traffic to the target.
The first stage of the attack involved the use of a botnet, consisting of a large number of software agents surreptitiously installed on the computers of ordinary users. These bots were commanded to send attack traffic. Notice how this amplifies the attacker’s traffic-sending capability: by sending a few commands to the botnet, the attacker can induce the botnet to send large amounts of attack traffic. This step exploits our first externality: the owners of the bot-infected computers might have done more to prevent the infection, but the harm from this kind of attack activity falls onto strangers, so the computer owners had a reduced incentive to prevent it.
Rather than having the bots send traffic directly to Spamhaus, the attackers used another step to further amplify the volume of traffic. They had the bots send queries to DNS proxies across the Internet (which answer questions about how machine names like www.freedom-to-tinker.com related to IP addresses like 209.20.73.44). This amplifies traffic because the bots can send a small query that elicits a large response message from the proxy.
Here is our second externality: the existence of open DNS proxies that will respond to requests from anywhere on the Internet. Many organizations run DNS proxies for use by their own people. A well-managed DNS proxy is supposed to check that requests are coming from within the same organization; but many proxies fail to check this—they’re “open” and will respond to requests from anywhere. This can lead to trouble, but the resulting harm falls mostly on people outside the organization (e.g. Spamhaus) so there isn’t much incentive to take even simple steps to prevent it.
To complete the attack, the DNS requests were sent with false return addresses, saying that the queries had come from Spamhaus—which causes the DNS proxies to direct their large response messages to Spamhaus.
Here is our third externality: the failure to detect packets with forged return addresses. When a packet with a false return address is injected, it’s fairly easy for the originating network to detect this: if a packet comes from inside your organization, but it has a return address that is outside your organization, then the return address must be forged and the packet should be discarded. But many networks fail to check this. This causes harm but—you guessed it—the harm falls outside the organization, so there isn’t much incentive to check. And indeed, this kind of packet filtering has long been considered a best practice but many networks still fail to do it.
I’ve been writing about security externalities for years. They’re often much harder to solve than technical problems.
By the way, a lot of the hype surrounding this attack was media manipulation.
Clive Robinson • April 10, 2013 8:21 PM
Yes there was a lot of apparent hype, and at the time it looked like few people were effected (I’ve an interest in the London INX which was hit but did not see much in the way of problems). A journalist for the UK’s Guardian Newspaper called “hype” for what appeared fairly sound reasons.
But it appears in some respects a bullet was dodged, because the attackers actually performed two seperate DDoS attacks.
The first attack against SPAMhaus it’s self that initially worked but then failed due to some niffty background work with virtualising their IP address to many places thus dividing the actuall DDoS traffic down into smaller regional areas each of which had a fraction of the DDoS traffic.
Apparently the second attack was then directed not at SPAMhaus but against the organisation helping SPAMhaus virtualise the IP addresse across regeions. Basicaly it was directed against IP adresses of the Tier1 network suppliers that could not be virtualised in the same way and this did do some significant harm. From some of what has been said it appears that this latter attack maxed out some Tier-1 links and it was only other peering at Tier-2 that enabled traffic to be carried around the maxed out Tier-1 links.
I”ve yet to hear the full story as those that know appear to be saying not much currently.
Apparently part of the problem is that although Tier-1 and Tier-2 organisations have the capability in the routers etc to carry considerably more traffic they don’t have spare capacity at the interface level and only add the required hardware to provide network capacity on demand which takes time and planning. Whether this policy will now change or not is something we will have to wait on.
One thing this episode has highlighted is how few the number of Tier-1 exchanges are which is where the Spooks want to put their mass surveillance hover points in. But it’s also revealed that with careful planning and placment of nodes you could probably route your traffic through Tier-2 INX’s which might enable you to avoide the mass surveillance points…