Gridlock: When DDoS Jams Networks
The growing trend of mega Distributed Denial of Service attacks, and the businesses and critical infrastructures vulnerable to them
For decades, Internet infrastructure - the fundamental sets of pipes, servers, and switches that make our Amazon account accessible for last-minute gift shopping, or Netflix for the compulsive evening viewing - has been out of sight, out of mind; never a focus of public attention. For the average non-specialist, the Internet has been an inexplicable mystery, located somewhere out there, but we're not altogether sure where. The tarmac of the information superhighway is all but invisible.
In the past couple of years, however – and especially in recent months – massive attacks against Internet infrastructure have begun to hit the headlines of the mainstream press, and public awareness of the foundations of modern communication is beginning to grow. DDoS has moved from being a very complicated and rather uninteresting topic on specialist sites to being the reason why I can't log on to my favorite web shop, why journalists are unable to get important news out, or why you can’t do your Internet banking. For a few moments we contemplate what has become unimaginable: what would it be like not to have this global network at our beck and call?
Like many other everyday necessities, the Internet as a physical entity becomes more tangible in the very moment it's not there. In mainstream consciousness, cyber security is more likely to conjure images of bank accounts being emptied and business emails being surreptitiously read (see our feature Building IT Defenses – Keeping the Wolves from the Company Gate for more on business IT security), but the infrastructure that makes all of this possible is also under constant attack. While this may pose no more than an inconvenience for end users, it can have grave consequences for business security and continuity, and, in future, potentially also for our health and safety.
The traffic jam
DDoS ("Distributed Denial of Service") attacks take a range of forms, but all have essentially the same goal: flooding a specific point of Internet infrastructure with so many requests, or so much traffic, that it causes a traffic jam. Some attacks exhaust the targeted servers themselves: every request demands a response, and answering the flood consumes all the capacity that would otherwise serve legitimate customers. Others simply fill the “pipes”, the links that carry traffic to the target, with so much malicious traffic that no “good” traffic (like legitimate orders) can get through, either to the targeted server or to other servers that share the same links. If all the traffic came from one source, it would be possible to block that street: filter out that one source and free up the targeted servers. But DDoS attacks are distributed. Traffic arrives from a large number of different sources, often with forged sender addresses, which makes it much harder to tell the attack apart from ordinary traffic and filter it out.
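The difference between "one street to block" and "traffic from everywhere" is something you can measure in your own access logs before calling your provider. The following script is an added example, not code from the article or from any of the organisations it names: it buckets requests per second, measures how concentrated each window is on its top source addresses, and turns that into a verdict. The log lines are constructed (Common Log Format, documentation address ranges) and every threshold is an assumption to be tuned against your own baseline.

```python
"""Per-source concentration check over web-server access-log lines.

Added example, not code from the original article. The log lines below are
constructed (Common Log Format, documentation address ranges), and every
threshold is an assumption to be tuned against your own traffic baseline.
"""
import re
from collections import Counter

# Source address and bracketed timestamp at the start of a Common Log Format line.
_CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')

FLOOD_RPS = 100          # requests per second above which a window is a flood
SINGLE_SRC_SHARE = 0.5   # one address carrying at least half of a flood
TOP_N = 10
TOP_N_SHARE = 0.8        # top-10 addresses carrying at least 80% of a flood
PER_SRC_RPS = 20         # never block an address below this rate (protects ordinary visitors)


def parse(lines):
    """Yield (timestamp string to the second, source address) per parseable line."""
    for line in lines:
        m = _CLF.match(line)
        if m:
            yield m.group('ts'), m.group('src')


def classify_windows(lines):
    """Bucket requests per second and decide how each window should be handled.

    A flood dominated by one address (or a handful) can be stopped with a
    local block list; a flood spread thinly over many addresses cannot, which
    is the whole point of *distributed* denial of service.
    """
    per_second = {}
    for ts, src in parse(lines):
        per_second.setdefault(ts, Counter())[src] += 1

    verdicts = {}
    for ts, counts in sorted(per_second.items()):
        total = sum(counts.values())
        ranked = counts.most_common()
        top_src, top_hits = ranked[0]
        top_n_hits = sum(n for _, n in ranked[:TOP_N])
        info = {'requests': total, 'sources': len(counts), 'block': []}
        if total < FLOOD_RPS:
            info['verdict'] = 'normal'
        elif top_hits / total >= SINGLE_SRC_SHARE:
            info['verdict'] = 'single-source flood'
            info['block'] = [top_src]
        elif top_n_hits / total >= TOP_N_SHARE:
            info['verdict'] = 'few-source flood'
            info['block'] = [s for s, n in ranked[:TOP_N] if n >= PER_SRC_RPS]
        else:
            info['verdict'] = 'distributed flood'   # needs upstream/provider mitigation
        verdicts[ts] = info
    return verdicts


def _clf(src, ts):
    return f'{src} - - [{ts}] "GET /login HTTP/1.1" 200 512'


T0, T1, T2, T3 = (f'10/Oct/2016:12:00:0{i} +0000' for i in range(4))
LEGIT = [f'198.51.100.{i}' for i in range(1, 6)]            # five ordinary visitors

# Constructed sample: four one-second windows.
SAMPLE_LOG = (
    [_clf(ip, T0) for ip in LEGIT]                                                    # quiet second
    + [_clf('203.0.113.7', T1)] * 300 + [_clf(ip, T1) for ip in LEGIT]                # one host hammering
    + [_clf(f'192.0.2.{i}', T2) for i in range(1, 251)] + [_clf(ip, T2) for ip in LEGIT]  # 250 hosts, one request each
    + [_clf(f'203.0.113.{i}', T3) for i in range(21, 25)] * 40 + [_clf(ip, T3) for ip in LEGIT]  # four hosts, 40 each
)

if __name__ == '__main__':
    for ts, info in classify_windows(SAMPLE_LOG).items():
        print(ts, info)
```

The per-source floor (`PER_SRC_RPS`) is the caveat worth keeping: in the "few-source" window the five ordinary visitors also land in the top ten by count, and without that floor they would be blocked along with the attackers. The "distributed" verdict is deliberately a non-answer for the local operator, since no block list short of the whole Internet helps there.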
The volume and impact of these attacks has exploded in recent years. In 2013, the blacklisting project Spamhaus was victim of what was, at the time, reported as the largest DDoS attack in history, peaking at 300 Gbps – three times that of previously reported attacks. The renowned Krebs on Security blog saw an attack with peak traffic of 620 Gbps in September 2016. The highly publicized attack against DNS specialist Dyn a month later, in October 2016, took down a range of popular services like Twitter and Spotify and generated more than a terabit of peak traffic.
Not only the size but also the frequency of such attacks is increasing. According to Dr. Thomas King, CIO of DE-CIX in Frankfurt, the public Internet Exchange with the highest traffic throughput in the world, DE-CIX is involved in mitigating around 1,200 DDoS attacks across its exchange platform at any one time.
Motivations for these attacks range from revenge (e.g. the attacks on Spamhaus and Krebs on Security), to political motives (e.g. the attack against the Thai government in October 2015, in response to plans to create a “Great Firewall of Thailand”), to vandalism and blackmail.
Cleaning the streets
Mitigating DDoS attacks takes a range of forms, depending on the attack. ISPs and Internet Exchanges, for example, can offer a “blackholing” service. This is an inexpensive method for dropping all traffic destined for the IP address under attack: the victim’s network announces that address (usually as a single /32) with a special BGP community, such as the well-known BLACKHOLE community defined in RFC 7999, and the other networks simply discard everything addressed to it, which unburdens the system under attack. However, if the traffic is only discarded at the victim’s own edge, the links leading to that point can still suffer congestion. Remote blackholing, where the upstream network or the exchange discards the traffic closer to its point of origin and away from the target, also removes that burden from the networks in between. That being said, this technique works a bit like a broad-spectrum antibiotic, taking both the good and the bad traffic out of the network, so that legitimate requests from customers to the attacked address are also lost in the black hole; in effect, the victim completes the denial of service against that one address in order to keep the rest of its network reachable. More complex DDoS mitigation services filter the traffic so that “good” traffic can pass, but such services are costlier, and dealing with a prolonged attack can be outside the reach of smaller companies.
Many attacks are mitigated so that businesses and end consumers are not affected. Akamai, for example, fended off an attack against the soccer club FC Bayern Munich in November 2016, keeping the club’s fan website online despite being hit with 128 login requests per second. These are the quiet success stories of the Internet industry that rarely make the headlines.
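The trade-offs above come down to where in the path the traffic is dropped and what is dropped. The following model is an added example, not from the article or from any provider mentioned in it: it pushes the same constructed traffic mix through an upstream link and a customer access link under four policies (do nothing, blackhole at the customer's own edge, remote blackhole inside the ISP/exchange, and an idealised filtering service labelled `scrub`), and reports how much legitimate traffic reaches the victim and a neighbouring host on the same access link. Topology, capacities and flow sizes are assumed, illustrative numbers.

```python
"""Where the drop happens matters: local vs. remote blackholing vs. filtering.

Added example, not from the original article. Topology, link capacities and
flow sizes are assumed, purely illustrative numbers; 'scrub' stands in for an
idealised filtering service that can tell attack flows from legitimate ones.
"""
from dataclasses import dataclass

VICTIM = '192.0.2.10'       # the attacked host
NEIGHBOUR = '192.0.2.20'    # another host behind the same customer access link
ACCESS_LINK_MBPS = 1000     # ISP -> customer link
UPSTREAM_LINK_MBPS = 10000  # ISP's link towards the Internet / exchange
POLICIES = ('none', 'blackhole_local', 'blackhole_remote', 'scrub')


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    mbps: float
    attack: bool


def constructed_traffic():
    """20 Mbps legitimate traffic to each host plus a 1.5 Gbps flood from 300 sources."""
    flows = [Flow(f'198.51.100.{i}', VICTIM, 2.0, False) for i in range(1, 11)]
    flows += [Flow(f'198.51.100.{i}', NEIGHBOUR, 2.0, False) for i in range(11, 21)]
    flows += [Flow(f'100.64.{i // 256}.{i % 256}', VICTIM, 5.0, True) for i in range(300)]
    return flows


def _link(flows, capacity):
    """Congested FIFO link: every flow keeps the same fraction of its traffic
    (an approximation of indiscriminate tail drop). Returns (flows, offered load)."""
    offered = sum(f.mbps for f in flows)
    share = min(1.0, capacity / offered) if offered else 1.0
    return [Flow(f.src, f.dst, f.mbps * share, f.attack) for f in flows], offered


def simulate(policy, flows=None):
    if policy not in POLICIES:
        raise ValueError(f'unknown policy {policy!r}')
    flows = constructed_traffic() if flows is None else flows

    flows, _ = _link(flows, UPSTREAM_LINK_MBPS)          # 1. ISP's upstream link
    if policy == 'blackhole_remote':                     # 2. action inside the ISP/IXP,
        flows = [f for f in flows if f.dst != VICTIM]    #    before the customer link
    elif policy == 'scrub':
        flows = [f for f in flows if not f.attack]
    flows, access_load = _link(flows, ACCESS_LINK_MBPS)  # 3. the customer's access link
    if policy == 'blackhole_local':                      # 4. the customer's own edge router
        flows = [f for f in flows if f.dst != VICTIM]

    def mbps(pred):
        return round(sum(f.mbps for f in flows if pred(f)), 1)

    return {
        'access_link_offered': mbps.__self__ if False else round(access_load, 1),
        'victim_legit': mbps(lambda f: f.dst == VICTIM and not f.attack),
        'victim_attack': mbps(lambda f: f.dst == VICTIM and f.attack),
        'neighbour_legit': mbps(lambda f: f.dst == NEIGHBOUR and not f.attack),
    }


if __name__ == '__main__':
    for p in POLICIES:
        print(f'{p:17s}', simulate(p))
```

With these numbers the local blackhole leaves the 1 Gbps access link with 1.54 Gbps offered, so the neighbour still loses about a third of its legitimate traffic even though the victim address is dropped; the remote blackhole empties the access link but delivers nothing to the victim; only the filtering policy keeps both hosts fully reachable, which is exactly why it is the expensive option.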
But business continuity and end-user convenience are not the only things at risk when a DDoS attack strikes. The European Union Agency for Network and Information Security (ENISA) report on Smart Hospitals rates DDoS as one of the five most significant attack scenarios for smart hospital infrastructure, citing as an example the hacktivist attack against Boston Children’s Hospital in 2014. The report goes on to say that “The criticality is high. Being victim of a denial-of-service attack can massively affect the operation of a hospital. As smart hospitals are highly dependent on digital records and network connectivity, inability to access systems has potentially far-reaching clinical and business impacts.” With an increasing number of critical systems becoming connected, police and ambulance services among them, it brings home how dependent we have become on a healthy, functioning Internet infrastructure (for more on connected services, see Open and Secure Communication Platforms for Cooperation and Innovation).
Back to the source
Going back to the source of the problem, where does all this traffic originate? To orchestrate a distributed attack, the attacker needs to control a large number of Internet-connected devices from which to send the traffic. This is generally achieved by infecting them with malware that allows remote control; the infected devices then form a botnet, usually without their owners noticing anything. Previously, botnets have largely been made up of PCs and mobile phones (information on cleaning infected devices can be found at botfree.eu). But as the world becomes increasingly interconnected, just about any object we own could potentially be caught up in such a net.
In the massive DDoS attacks against Krebs on Security and Dyn in 2016, the primary source of attack was compromised IoT devices (home routers, IP cameras, digital video recorders) in the Mirai botnet, which spread by logging into such devices over Telnet with a short list of factory-default usernames and passwords. And here, mitigation is only the tip of the iceberg in solving the problem. The Mirai botnet is composed of hundreds of thousands of infected IoT devices, with up to half a million devices susceptible to infection, and taking the botnet down long-term will be exceedingly difficult. For some of these IoT devices, owners have no way of changing the default password, because the credentials are hard-coded in the firmware, and changing the password in the web interface does not necessarily change the one accepted on the Telnet port; even if the infection is removed, such a device will become re-infected as soon as it goes back online. For devices where the password can be changed, Brian Krebs offers advice on how to go about it. But it requires the owners of these devices to proactively clean the device and change the security settings – a top-down approach by authorities or ISPs is likely to face considerable legal complications, as Peter Meyer, Head of Cyber Security Services at the eco Association, points out.
Another approach may, however, motivate owners – at least when the devices are owned by companies – to do the dirty work: As Thorsten Jansen, a lawyer at DWF, observes, “Business IT is neither always perfect nor fully secure. But that fact would not necessarily suffice as a viable defense against criminal, administrative, or civil liability, if devices in the company network were found being used as zombies in a DDoS attack. First of all, as soon as the company (IT Department) becomes aware of zombies within their network, such devices must be rendered harmless immediately to avoid liability; both criminal liability for aiding in computer sabotage, and civil, if the injured party were to claim damages. But secondly, … businesses may be liable even without knowing that any of their devices are being used in a cyber-attack.”
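Becoming "aware of zombies within their network" is something a company can actually engineer rather than wait for. The following script is an added example, not code from the article, DWF or eco: it reads outbound flow records and flags two behaviours typical of a Mirai-style bot, namely an internal host probing many Internet addresses on the Telnet ports (TCP 23 and 2323, which Mirai's scanner targets) and an internal host pushing a large volume of traffic at a single external address. The flow records are constructed (NetFlow-like CSV), and the internal address range and all thresholds are assumptions to adapt to your own environment.

```python
"""Spotting your own zombies: botnet-style behaviour in outbound flow records.

Added example, not from the original article. The flow records are
constructed (NetFlow-like CSV); the internal address range, the telnet ports
Mirai's scanner probes (TCP 23 and 2323) and all thresholds are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network('10.0.0.0/8')]   # assumed corporate address space
TELNET_PORTS = {23, 2323}       # Mirai-style scanners look for telnet on these ports
SCAN_MIN_TARGETS = 30           # distinct external hosts probed on telnet -> scanning
FLOOD_MIN_PACKETS = 10_000      # packets to one external host in the window -> flooding
FLOOD_MIN_BYTES = 50_000_000    # bytes to one external host in the window -> flooding


def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_zombies(flow_csv):
    """Return {internal host: [finding, ...]} for hosts behaving like bot members.

    CSV columns: src,dst,proto,dport,packets,bytes. Only outbound flows
    (internal source, external destination) are examined.
    """
    telnet_targets = defaultdict(set)                            # src -> external hosts probed
    volume = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # src -> dst -> [pkts, bytes]
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row['src'], row['dst']
        if not _internal(src) or _internal(dst):
            continue
        if row['proto'] == 'tcp' and int(row['dport']) in TELNET_PORTS:
            telnet_targets[src].add(dst)
        counters = volume[src][dst]
        counters[0] += int(row['packets'])
        counters[1] += int(row['bytes'])

    findings = defaultdict(list)
    for src, targets in telnet_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            findings[src].append(f'telnet-scan: probed {len(targets)} external hosts on 23/2323')
    for src, per_dst in volume.items():
        for dst, (pkts, nbytes) in per_dst.items():
            if pkts >= FLOOD_MIN_PACKETS or nbytes >= FLOOD_MIN_BYTES:
                findings[src].append(f'outbound-flood: {pkts} packets, {nbytes} bytes to {dst}')
    return dict(findings)


def constructed_flows():
    """Constructed sample: a workstation, a scanning IP camera and a DVR joining a flood."""
    rows = ['src,dst,proto,dport,packets,bytes']
    rows += [f'10.0.0.5,198.51.100.{i},tcp,443,40,51200' for i in range(1, 6)]
    rows += [f'10.0.0.77,203.0.113.{i},tcp,{2323 if i % 10 == 0 else 23},1,60' for i in range(1, 81)]
    rows += ['10.0.0.78,192.0.2.10,udp,53,50000,60000000']
    return '\n'.join(rows) + '\n'


if __name__ == '__main__':
    for host, notes in find_zombies(constructed_flows()).items():
        print(host, *notes, sep='\n  ')
```

The scan check keys on distinct destinations rather than packet counts, because a Telnet probe is a handful of tiny packets; the flood check does the opposite. Both need a time window (the sample is one window); in production you would run this per five-minute export and also block outbound TCP 23/2323 at the perimeter, since there is rarely a legitimate reason for a camera to telnet out to the Internet.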
Internet security is a communal responsibility, and the time has long since come for all stakeholders to be actively involved in protecting the integrity of the ever more pervasive Internet. Private and corporate end users, manufacturers of IT hardware, software producers, IT security companies, infrastructure providers, law enforcement agencies and governments are all key elements in creating a secure Internet – to make the information superhighway a safe place for the increasingly critical services that travel along it. Whether we’re talking about business continuity, e-government, e-health or self-driving cars, the risks of not being secure are growing daily.