Schneier on Security
A blog covering security and security technology.
« What Is the Comprehensive National Cybersecurity Inititative? |
| The Ethics of Vulnerability Research »
May 14, 2008
U.S. Air Force Considers Creating its Own Botnet
Actually, I think this is a fine idea -- as long as they only use computers that they legally own.
Posted on May 14, 2008 at 6:09 AM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
From the article:
> Multiday attacks against CNN and Yahoo in 2000 and against Estonia
> in 2007 cost tens of millions of dollars.
err, like, how? tens of thousands I can see - but millions? Is this one of those numbers with a flexible zero count?
"Actually, I think this is a fine idea"
You do? The reason to use a botnet is that it's a cheap way to control the bandwidth and CPU needed for an attack (cheap because you don't own the machines or pay for the bandwidth). If they own all the machines, that doesn't apply
Hmmm - The mission of the Comprehensive National Cybersecurity Initiative suddenly becomes a bit more clear.
Hmmm .. Can cyberdraft be far behind? Uncle Sam wants your PC!
"You do? The reason to use a botnet is that it's a cheap way to control the bandwidth and CPU needed for an attack (cheap because you don't own the machines or pay for the bandwidth). If they own all the machines, that doesn't apply"
That's true and also there is the fact that you need to use a very large number of attackers on the same target, making blocking the attack and distinguishing between legits hosts and attackers very hard.
And to do that, these attackers needs to be spread out all over the net, not only in your own controlled networks.
"Actually, I think this is a fine idea"
I think: from a military point of view that isn't the way to go. You don't want your fleet of nice attack subs to go around trailing floating buoys.
Using "only computers they own" would bring the added problem of keeping those computers unknonwn, concealed, updated and, well, secure.
suggests the Air Force is aiming at a more literal botnet. Are we witnessing the first Call for Backdoors?
And, what will other (even NATO) countries think of future weapons systems endorsed by that same Air Force? I remember some problems have already surfaced with the Brits being picky about some jet fighter firmware.
Join the war on terror and register your computer today! For free! Free download included.
Exactly. I would also argue that a legally-owned array of computers running their software is not what "botnet" actually means.
From Wikipedia: "While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually installed via worms, Trojan horses, or backdoors, under a common command and control infrastructure."
You're thinking "WarOnTerror@Home"?
There are other areas already being looked at by DoD as offensive operations. Attacking the OS of a machine be it a PC, Command and Control, radar, aircraft, etc which all can be detected is useful but is not effective over time. However, attacking the hardware by some other means is much more covert and very few people would know were to look for it or be able to defend against it. This is modern day cyber warfare. Worms, rootkits, Botnets, in modern day cyber warfare are just the decoys. Have a look at this article but take it with a grain of salt as it is open source. However, you will get the underlying idea and what lays ahead for future warfare.
Oops. The anonymous post above (@Alun Harford) was mine.
"And to do that, these attackers needs to be spread out all over the net, not only in your own controlled networks."
Exactly. Not only would the military have to buy hundreds of machines, it would have to deploy them on all kinds of civilian networks to make the botnet effective.
Isn't this what we complain about terrorists doing? Blending in with the civilian population?
This isn't strategic thinking--this is sheer bloody-mindedness combined with a childish lust for expensive toys of destructions.
The author has lost sight of the difference between denial and control.
A botnet used as a ddos is strictly a weapon of denial. And it's not even particularily effective either, compared to the diplomatic approach of administratively shutting down communications circuit. Or compared to the military approach of dropping a bomb on a communications facility. Or sending a backhoe team in to cut a fiber.
The strategic goal for the military presence in cyberspace, though, should be more than just denial. It should be control. And that means getting your own packets through.
U-boats versus convoys.
Subscribe today...or you will be subscribed.
Does this mean that if my computer offers an mp3 file for download that I can blame the airforce when the RIAA hands me their generous settlement offer? After all, it was the airforce botnet that offered the download, not me.
What kind of spam does the airforce want to send? That's the secondary job of botnets behind the ddos capability.
The tertiary aim of botnets is to capture end user banking info. The IRS already has it, so this is redundant.
"What kind of spam does the airforce want to send? That's the secondary job of botnets behind the ddos capability."
The obvious thing for any military organization would be to send out propaganda.
I see a few issues:
1) Civilian casualties: big problem in real-world carpet bombing, and likely to be a big problem in the internet equivalent. If this putative botnet starts launching a DDoS,
a) what happens to legitimate, non-target users of the computers being attacked? (Or downstream from those being attacked, such as in the case of a DNS being the target); the author writes this off on the level of "well, stuff happens in war, but we promise we'll target carefully"...I'm not convinced
b) what happens to general internet traffic during the attack? Could this not turn into something of a general internet DDoS, depending on the volume of traffic generated?
2) As always, one must be worried about potential misuse of any tool. What happens when a hacker manages to get their fingers on the button? Or someone on the inside decides to try it out on some site they have a grudge against? (I'm not too worried about the latter, but...)
Yet another crappy idea. When will US policy makers *finally* *learn* that creating threats as a deterrent *will* *not* *work* in the long run...
Can someone please explain to those guys that humiliating .... ah what the heck. There's no point in explaining it.
America, land of the free, what has become of you?
One of the issues I'm finding quite interesting is that of targetting the botnet, especially if the target computers are ones belonging to "innocent parties" whose systems have been compromised.
Col. Williamson acknowledges this:
Some people would fear the possibility of botnet attacks on innocent parties. If the botnet is used in a strictly offensive manner, civilian computers may be attacked, but only if the enemy compels us. [...] But neither the law of armed conflict nor common sense would allow belligerents to hide behind the skirts of its civilians. If the enemy is using civilian computers in his country so as to cause us harm, then we may attack them.
On the other hand, if the U.S. is defending itself against an attack that originates from a computer which was co-opted by an attacker, then there are real questions about whether the owner of that computer is truly innocent. At the least, the owner may be culpably negligent, and that does not, in fairness or law, prevent America from defending itself if the harm is sufficiently grave. Two scenarios reveal that the issues are more political than legal.
Then he explains the scenarios. One of the interesting variants he considers is IP spoofing to direct the mil.botnet against another target.
What about Reagan's policies of creating SDI and deploying intermediate-range ballistic nuclear missiles in Europe? If I remember my history, these policies were crucial in causing the USSR to reduce its nuclear weaponry. Appeasement certainly didn't work, nor negotiation from weakness!
I have to wonder what sort of targets they have in mind...
It sounds like they're talking about an internet-based sort of attack, which would be effective for taking down computers heavily exposed to the internet. But those sorts of computers aren't the ones that would be used offensively by an enemy, I don't think. You can launch a great DDos against a Yahoo or an Amazon type of site, but an enemy would not likely be using a Yahoo or Amazon type of site to attack us, so why treat it as a military target? I would expect an enemy to use a much more obscure computer to attack from, and while this obscure computer could be disabled by a DDoS, it is likely also fairly easy to restart the attack from another obscure computer, requiring a rather expensive whack-a-mole sort of DDoS.
Unless we're talking about targets like critical infrastructure such as DNS, control systems, etc., that are not so interchangeable. In which case, the argument that "we'll target carefully and won't have too many civilian casualties" wouldn't really hold. And again, these are not the sort of computers for *launching* attacks from by an enemy, but rather ones that are likely to inflict damage on the enemy indirectly.
Mainly this reminds me of the fantasy of the "good worm" that would go around benevolently distributing patches, and stuff like that.
My big question is just whom this botnet would be going after. You can't very well DDoS another botnet because, after all, it's distributed, and if you know where to find the command-and-control nodes you have enough information for other kinds of attacks. You could attack individual machines used by evildoers, but that's only effective if they're limited in the addresses they can launch attacks from. You could try to clog an enemy's pipes, but that generally affects more than your enemy, and is susceptible to the same kinds of defenses commercial web sites use against DDoS. So collateral damage would be most of what you can do, and this whole "if you let your machine get infected you're supporting the terrorists" thing creeps me right out.
One thing I could see this kind of effort being useful for is an enormous honeypot, large enough that the machines on it could constute a significant fraction of the total involved in any botnet. (And yes, that would require deploying them on civilian networks, with resulting issues.)
carpet bombing dosent' work, the colonel actually knows that, the US airforce tried that for generations, and it only caused the north vietnamese to renew efforts to prevail, just as goerings luftwaffe did to british. Air Force idiots think in terms of dumping dumb bombs on a whole area, like cambodia 1970-1975 which resulted in the khmer rouge winning. then reagan sent guns to the KR in the early 80's (google search terms "US arms Pol Pot) and you will find the story. its been out there since the early eighties. American foreign and domestic policies are the exclusive province of corrupt pol's who do not want to allow the people to share the power. WE NEED CHANGE, specifically we need to defund the idiot deserters hobby war and cut the pentagon by holding the proper courtmartials for those criminals who allow their buddies to charge so much for toilet seats or hammers. Guantanamo would be a good place for them. Right in the general population, with ahmed and ali.
The pentagon is a huge house of cards with corruption covering everyone of thier backs, A few honest men would be a great danger to our way of power.
This is for NIPRNET, SIPRNET, and JWICS...not your typical game playing, porn downloading, music stealing internet. Calm down.
Given that the botnet software will be developed and implemented by multinational contractors, and not the military, there is a lot to fear here. The US taxpayer may end up footing the bill for botnettery R&D which will produce state-of-the-art software for the badhats to exploit.
If this is the same article I read on slashdot I have two points:
* military has probably faster links so matching to a botnet on dsl the ratio could be 1:10 or even 1:100
* energy consumption is even a major factor for the military, so keeping old equipment running for botnet may not be energy efficient
> as long as they only use computers
> that they legally own
I'd agree with that too, if I knew what "legally" meant. Over the last few years I've seen the Executive break laws, emasculate laws, and create laws that run roughshod over the Constitution. Basically doing whatever the hell it wants. The only ones to call them on anything have been military lawyers. Interestingly ironic. But not the checks and balances the Framers intended.
Sounds like fun. Can I help?
Given what I've read about the DHS & Military efforts to limit the number of ingress points to their internal networks (ot better secure them). I was wondering if this was like putting all your troops in just a few bases.
In order to be effective, offensive military operations need to come from and target unexpected locations. If the military paid for (thus partially subsidizing) high speed access to the various Internet exchange points (IXPs) between the tier 1&2 backbones, they could launch targeted DDOS reprisal attacks with minimal detrimental effect on collateral networks & hosts.
Personally I'm all for it. It is much easier to secure a PC that only runs outbound traffic and has a very limited administrative control interface. If you are willing to play games with custom hardware mods and hand carried crypto keys for auth/link (OTP, etc.) you can make these systems extremely resistant to hacking/tampering.
Note: OTP is normally a bad thing to see in a Crypto system, but I think that there are specific niches where it is the best answer, for example: low data volume military Crypto systems like nuclear launch codes and other arm/fire systems.
I almost wonder if Bruce was being a bit tongue in cheek with his comment.
"Actually, I think this is a fine idea -- as long as they only use computers that they legally own."
I also wonder what Suntzu would have said about the idea (assuming they had denial of service attacks in 500 B.C)?
What I don't get is the way this botnet would be used. The purpose of creating a botnet is to:
1. Access to the aggregate bandwidth of all nodes
2. Being able to attack from many IP addresses, making filtering difficult
But the AF can probably drop a box in some major backbone routing centers and have both, much easier, and with less logistic overhead.
Think about it - instead of having 1000 nodes that must be patched and kept up to date, just have one or two DDOS machines at choke points in the internet backbone.
The Colonel's suggestion seems very much like advocating a "human wave" approach to land warfare just because that is what our enemies have to resort to and despite knowing that it is far from efficient.
Hmm Didn't hollywood already do this? Oh right, the Terminator films. Will they call it Skynet?
Nice, now we can have a debate about strike-back with the military.
Here goes I guess..
"If the botnet is used in a strictly offensive manner, civilian computers may be attacked, but only if the enemy compels us."
Apparently its ok to take out civilians if the enemy baits you. Thank god we're not talking about cruise missiles flying around.
"If the enemy is using civilian computers in his country so as to cause us harm, then we may attack them."
Great, and what if he is using civilian computer in somebody elses country?
"At the least, the owner may be culpably negligent, and that does not, in fairness or law, prevent America from defending itself if the harm is sufficiently grave."
Lets say the originating country gets one of its computers hijacked and then used to attack us, suppose further that the originating country were to have the same policy as us, then this situation will cause the two nations to attack eachother.
"If they spread their code broadly, they increase the incentive for multiple countries to cooperate in finding the truth of the attacks"
You are assuming that it is even possible to determine the source of the attack. In this world it is clearly not, it doesn't matter how many countries get on board.
"In any event, this threat illustrates the urgent need to improve the chance of proper targeting of our response to attack by cooperating to build an Internet version of the Distant Early Warning radars"
Seems like a physical impossibility, China is not going to allow the US to setup spy machines inside its own network. Same for most other nations, especially those that are unfriendly towards the US.
"They include potential choke points at border routers and backbone gateways."
I wonder which backbone provider is going to be ok with the military sending massive amounts of data over its network suddenly.
"One of the advantages of a botnet is that offensive targeteers essentially only need the IP address of the target device"
Ugh.. An IP address does not corrolate to a single device, one device might have multiple addresses and one address might have multiple devices, you can hide entire countries behind NAT gateways.
"In fact, we should do live-fire demonstrations on the Internet against range targets so foreign signals intelligence organizations can observe. Of course, we should fire inert rounds so as to not give away secrets."
Whats an inert round? Considering the amount of attacks I get in my firewall logs; if it doesn't do anything I am not likely to notice it.
"The risk of this occurring is overblown. Hospitals and emergency services already need backup plans in case of many exigencies from natural causes"
If it is possible for emergency services to survive a botnet attack why can't the military?
"Also, target preparation in cyberspace can create no-strike lists just like the physical world."
Thats going to be one big list. Plus, everything on that list is a potential safe haven for attackers.
"The af.mil botnet brings the capability to help defeat an enemy attack or hit him before he hits our shores."
I think the attackers will just shrug and try again.. or even laugh that you are attacking so many civilian computers.
BTW is this the new initiative that Bush signed recently?
@IX "When will US policy makers *finally* *learn* that creating threats as a deterrent *will* *not* *work* in the long run..."
No global nuclear war thus far, so I'd say deterrence has a good track record.
@carbon14 "carpet bombing dosent' work ... WE NEED CHANGE"
We don't actually do carpet bombing any more. Haven't for decades. Be happy with your change.
A botnet on US .mil networks will be ineffective for dDoS or other attacks.
1) It'll be too easy to block the ASNs sourcing the traffic. And that blocking can almost certainly be done without collateral damage to the victim's other connectivity.
2) Any .mil botnet nodes will share upstream connectivity through one of 50 POPs. It will saturate the connectivity before it produces useful effects against the chosen victim.
Bad idea. Stupid idea.
Botnets derive their power from being distributed on systems for which blocking causes too much collateral damage to the blocker.
A despised weapon may now be seen as having been ennobled, sort of like promoting a prison shiv to Excalibur status.
Deterence work(ed)(s) with nuclear weapons because it is obvious that any nuclear war will only destroy both/all sides. It will not work with botnets because the attacker is invulnerable to it. Hitting back will have absolutely no effect.
There are three main reasons we did not have a "hot war", the first was georgraphical in that the US is a couple of thousand miles from most potential enimies the second "Mutualy Assured Destruction" (MAD) thirdly that the cost of proliferation bankrupted the Russians.
Of the three it was the cost that was the real winner. Basicaly due to it's effectivly isolated position the US could not easily be attacked by Russia with conventiuonal weapons. Russia on the otherhand even with it's buffer nations had the U.S. effectivly camped on it's door step.
On top of this the US had for many years a sufficiently large manufacturing capability that they where at the leading edge of technology, and they could afford to re-direct a significant part of the national income to "offensive defense" without significantly affecting the capability or the economy.
The Russians on the other hand did not have anything like the manufacturing capability of the West, also it did not have the level of exports to other countries that would enable it to play catch up.
The West had the advantage that they had conventional weapons on the Russia doorstop and where backed up by the U.S. manufacturing capability. Therefore destroying Russian manufacturing capability was considerably less costly for the West than for the Russians to destroy U.S. manufacturing capability.
For Russia to attack the U.S. manufacturing capability required long distance rapidly deployable weapons. Basicaly this was the rocket and Nuke option. The cost of this sort of capability is very high and requires considerable manufacturing capability, the only way that Russia could do this was by diverting significant resources away from other areas (agriculture, infrustructure and trade).
The only way to reduce the cost for the Russians was to find a willing partner as close to the U.S. as Western Europe was to Russia. In the early sixties the Russians approached the Cubans (who where not communists untill forced to be by the U.S. policy set in motion by Richard Nixon). The Cubans where not realy in a position to refuse the Russian advances due to the U.S. trade embargo. The result was the "Cuban Missile Chrisis" that some of us lived through.
When the RAND Corperation touted MAD as an operational philsophy it was clear that the U.S. manufacturing capability would be less effected by the mass production of Nukes than the Russians.
The result was inevitable the Russian economy started to colapse under the cost of both conventional weaponry to defened against the West but also the rockets and nukes to attack the U.S.
Any body who trys to convince you it was Ronald Regan's "star wars" policy that brought Russia down is either a ScFi writter trying to re-write history or a republican trying to make RR seam like a genius he most certainly was not (With out going into the ins and outs Nancy and Ronny probably did more harm in the U.S. than any other political incumbrent untill the present one).
@Clive: Ronald Reagan was the most effective president in my lifetime (I was born during Eisenhower's term). The US thrived politically as well as economically during Reagan's term like it never did prior to him; and even Bill Clinton got to take credit for the economic Bull Run that Reagan started.
- but switching from politics back to the security topic the post is about, I believe you can model the physical world onto the electronic world too far. I believe Col Williamson has done this.
Furthermore it seems to me that the issue is not saving a couple of bucks by using obsolete computers as bots and simply removing the drive, but rather the main issue is WHERE (geographically as well as IP-wise) you are going to use these bots (I guess they wouldn't be zombies since they are owned in the traditional sense; how about minions?)
It seems like they would be better off developing a single-board processor card that could be dense-packed in "blade" racks and have almost no RAM, just flash memory a la Cisco where a new OS can be written from time to time with the latest attack tool and a single console for every 100 or so units, with the ability to re-flash them all at once.
While the up-front cost would be more, the economy of scale would rapidly overcome the maintenance expense of keeping tens of thousands of old computers running, each of which takes up 9 cubic feet or so of space. (And as we all know, space is the final frontier.)
Clive is absolutely right about Ronald Regan's administration and the long term damage it did to our country economically.
Laugh all you want, but the FACT of the matter is that the internet is NOT something you just dump stuff on! It's NOT a truck! It's a series of TUBES!
WhyTF does the AF think that when they've got a clogged tube problem, then can fix it by putting more things into the tubes?!?!!?!?!?!??!!?!??
"carpet-bombing in cyberspace" - what, carpet-moths?
Cyberspace, like Earth Orbit, isn't a military "frontier" like the "Wild West" this article's author apparently thinks it is - good grief, I run up against the same mismatch of comprehension in nearly every article on the weaponization of Earth Orbit written by members of the US Armed Forces that I've had the misfortune to read - and it's not a very good cure for insomnia either.
Cyberspace is a mix of metaphors, eg, the information superhighway (read some of Harlan Ellison's stories), the Homestead (read some of JG Ballard's stories), the community (read some of B. Traven's stories), etc; to use this sort of absurd metaphor, that it is a "battlefield" a la Austerlitz, shows that one is detached from reality and should be required to disclose and share the restricted chemicals one is imbibing, so others can follow the argument.
Cyberwarfare if it is in any way related to warfare, should be represented by a suitable contact sport; and "cyberwarfare" has no borders, no offside. For a Canuck, the closest comparison would have to be some of the lacrosse and ice hockey variants; for an Aussie, the comparison is Aussie Rules aka Australian Football; for an Irishman, the comparison is with Gaelic Football and Hurling; none of the which have any workable (or working) offside rules.
The Pentagon is bound to lose this "fight" to its great humiliation - it can't think like these "attackers" let alone react as fast as them. Have a re-read of Neuromancer - I feel it calling my name even as I tap this out.
Presuming they are talking about surreptitiously using computers they do not own, I think this may actually run up against the 3rd Amendment...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.