A number of gambling websites recently suffered massive distributed denial of service (DDoS) attacks. These are not the first, and certainly not the last massively DDoS attacks. In fact, the problem will only get worse as consumers place ever more unsecured equipment on the Internet via fast (enough) broadband links.
The attacks
The attacks are assumed to be of Eastern European origin, due to the mail servers they choose to use and their broken English. However, even this cannot be guaranteed. What is clear is that they do not write the attack tools, they just use them as part of their extortion racket.
These attacks can be characterized into three major categories:
- spoofed UDP traffic
- spoofed SYN traffic
- HTTP data sinks
The first two are utterly preventable and should have never been able to traverse the Internet. The originating ISPs (wherever they are) are ultimately responsible for their customer’s traffic. My view is simple: if an ISP allows spoofed packets as part of a DDoS network, the proportion of losses should be recoverable from these criminally negligent ISPs.
Countermeasures: network equipment manufacturers
About the only welcome aspect of a shakeout in network equipment manufacturers is that it is simpler to address one of the core sources of the DDoS problem: ISPs letting spoofed traffic through their networks. If all digital modem concentrators, DSLAM’s and HFC headends had default and unstoppable anti-spoofing, high rate spoofed DDoS attacks would be impossible.
How to categorize ISPs into those who do the right thing (block customer traffic with non-routeable source addresses)?
My view is that a scheme which has a dynamic list of BGP AS’s of ISPs who have been audited as “source IP address correct†should be established. After a certain cut off date, any ISP who refuses to be audited, or does not return a audit status, will suffer the consequences of the Internet not passing their traffic.
This would in a short stroke eliminate spoofed IP traffic as a source of DDoS packets. Even the largest bot nets contain only a few thousand hosts, and with real source IP addresses, technical schemes to rate limit IP addresses, dynamically deny IP addresses and other anti-DoS techniques could be implemented.
The next portion of the DDoS answer is how to deal with infected hosts. My personal view is that a responsibility is shared between the owner of the infected equipment, the ISP and the vendor of the application or operating system which allowed the infection to take place.
For example,
- the customer should have a personal firewall on by default and run modern anti-virus software with recent updates;
- the ISP should be aware of customers who have unusual traffic patterns and can easily recognize Trojan ports or activities;
- vendors of software such as (but not limited to) mIRC, Kazaa, or Windows, contribute to the total number of DDoS bots in existence by not putting in controls which prevent distribution or control malware activity;
- by default, any operating system which provides methods which enable direct access to the network card, or allow the creation of arbitrary packets should have an indefeatible error message for which the end user would have to agree prior to the application being able to communicate with the outside world.
Although it can be successfully argued that this would only raise the bar in terms of how clever the malicious bots would need to become under such a regime, the reality is that few possess the skills to create new malware. There are a limited number and heavily inter-related attack bots in existance today. By raising the bar, the bots would be:
- identifiable by source IP address
- have limited spread
- have limited opportunity to run successfully