Government, academic, and private-sector officials are collaborating on new ways to prevent and mitigate distributed denial-of-service (DDoS) attacks, based on research years in the making but kicked into high gear by the massive takedown this month of domain name system provider Dyn.
The largest attacks in summer 2015 were about 400 gigabits per second, but September 2016 saw an attack on security blogger Brian Krebs of more than 600Gbps, while Dyn said its own attack may have exceeded 1.2 terabits per second. Government-led research is focusing on the 1-terabit range but with systems that can scale higher, which is already needed due to the proliferation of vulnerable Internet of Things devices too easily commandeered by malicious hackers.
But it means there’s a ton of job security for Dan Massey, a computer science Ph.D. serving as program manager for the U.S. Department of Homeland Security Advanced Research Projects Agency Cyber Security Division. Massey in August 2015 began evaluating and funding new anti-DDoS efforts at the National Institute of Standards and Technology (NIST), private companies, and universities, which share the goal of getting innovative techniques into commercially feasible pilot projects no later than summer 2018. Some are already underway, Massey and others said.
Funded projects include attack information sharing methods from the University of Southern California, University of California-Los Angeles, and University of Oregon. The latter implements a unique peer-to-peer method of letting networks share information about traffic patterns, as does Portland, Ore.-based research contractor Galois. Colorado State University is making a way to distribute the task of packet filtering and intelligence gathering; the University of Delaware and others including IBM are focusing on identifying new kinds of attacks; and the University of Houston is looking at on-demand network capacity for handling attacks when they hit. In addition, Waterford, Va.-based Waverley Labs and the Cloud Security Alliance are working on whitelisting methods to make a network only accept approved traffic. NIST is collaborating with the University of California-San Diego to determine whether the software for stopping DDoS attacks would hurt network performance.
Other anti-DDoS measures are already common for large companies, such as load balancing so that different parts of a network can pick up the slack if others go down, having multiple DNS providers for the same reason, and educating end users on safe internet usage, security experts at Akamai, Radware, and certification specialist (ISC)2 said. It’s unclear why the Dyn network seemingly did not balance itself, although mainstream websites such as The New York Times were able to quickly handle the problem by switching to different DNS servers.
SEE: Security Awareness and Training Policy (Tech Pro Research)
CAIDA’s Spoofer Project: See if your network allows forged packets
Perhaps the longest-standing way to combat DDoS attacks is by using the Internet Engineering Task Force’s Best Current Practice #38–BCP-38, in networking parlance–which emerged in 2000. Implementing this standard prevents a network from sending packets with forged IP addresses. However, there’s no way for internet authorities to enforce the use of such standards, especially outside of the United States, officials at the UCSD’s Center for Applied Internet Data Analysis (CAIDA) said.
CAIDA operates the Spoofer Project, which is software based on 2005 research from the Massachusetts Institute of Technology (MIT) that lets users see if their network allows forged packets. CAIDA currently reports that 75% of 435 million tested IP addresses are unspoofable, although that’s a hard-to-imagine percentage of the internet’s 3.4 undecillion (34×1038) possible IP addresses, CAIDA manager of scientific projects Josh Polterock noted. Nor is there any need to update the 16-year-old BCP-38 standard, because it works fine if people would just use it, explained security expert Jay Ashworth who manages the BCP-38 Wiki.
Thoughts from the father of DNS
Paul Mockapetris, famous in networking circles as the father of DNS, is also thinking outside the box. “Rather than a handful of addresses for contacting [companies such as] Dyn, we need to think about creating multiple paths for getting DNS information between the creator and consumers of that information. This won’t be popular with the business models of DNS providers… but we need to make attacks on the naming infrastructure per se several orders of magnitude harder, so we can depend on DNS services to aid in the defense,” he stated. Charging for packets is one preventative possibility, said Mockapetris, now chief scientist of Carlsbad, Calif.-based ThreatSTOP.
Mockapetris agreed that reputation systems and carrier-level filtering, as already in use by some of the world’s largest networking companies, could be useful. He added that he’d love to see more use of virtualization so applications such as banking could be walled off from common web surfing. Either way, he concluded, “We certainly need more dreams and innovation if the internet is to succeed.”