I do a lot of presentations on the changing threats in cyberspace. I always start out by saying the economics of developing cyber-threats is very different from the economics of physical threats or traditional warfare. Governments do not have an advantage in developing cyber-threats – that is why the vast majority of the most damaging attacks are first seen in financially motivated attacks, and only later against government agencies and political targets.
Inevitably, talk of unstoppable state-sponsored attacks comes from either government agencies jockeying for responsibility and budget, or from security programs that have not reached due diligence and are looking for excuses.
Don’t get me wrong – governments will use cyberspace as an attack path for warfare, just as every other technology gets used. But stopping an Internet-carried attack created and launched by a government is no different, and not even more difficult, than stopping an attack launched by organized crime or identity thieves. It all comes down to closing the vulnerability – block the hole and the attack does not succeed.
I think the early DDoS attacks caused a lot of this “unstoppable state-sponsored attack” myth to develop. There was a misconception that no one could stop an enormous brute force DDoS attack and only governments would have the resources to launch an effective one. Of course, both of those have already been proven false:
- Many large ecommerce and Internet infrastructure companies routinely stop DDoS attacks that exceed 10 Gbps and are launched from tens of thousands of machines.
- The biggest DDoS attacks have not had government sponsorship.
It reminds me of back in the 1980s and early 1990s when it was thought that only governments had the resources to develop hardware to break cryptography through brute force – but then most of the advances in breaking crypto came from informal peer-to-peer networking of commercial PCs and servers.
In physical warfare, governments can develop weapons that no business can protect itself against. No Wall Street firm has strong enough physical security to stop a tank. In cyber-warfare, it is a different story. Every time an attack over the Internet succeeds, it means there was a failure in vulnerability management and intrusion prevention. Very often the vulnerabilities are in the people – systems aren’t administered correctly or users fall for tricks and scams.
These are actually the areas where governments can attack IT systems differently – they can and do go after people using traditional methods. If you are really worried about state-sponsored attacks, then after you get your vulnerability management and intrusion prevention programs up to snuff, focus on vetting people.
John Pescatore
9 responses so far
1 IntelliGuard September 23, 2009 at 10:12 pm
Good to see some common sense amongst the hype. However, one point about DDoS attacks that needs to be understood is that defending against them does not just come down to “closing the vulnerability – block the hole and the attacks does not succeed”. This failing defence strategy is exactly what now makes so many attacks successful, because such ineffective defence tactics ensure their success and cause significant collateral damage – just like Afghanistan. Vulnerability cannot be “closed” – the entire Internet structure and every server and service is and always will be vulnerable. And what is the ‘hole’ to be blocked – there is none! Controlling DDoS attacks is not an issue of hunting and killing bad guys (who now look no different to good guys) – it is a problem of intelligently managing traffic so that attacks are ineffective.
2 Faisal Khan September 24, 2009 at 8:14 am
The very large attacks, 10Gbps+, are very difficult to stop. Null-routing is the preferred technique. Tier II providers rarely can stop such attacks. Tier I will let it through provided no network latency or congestion issues arise, if the attack is purely in transit, but if it is their own customer, BGP route injections are used to blackhole the traffic. 20-30Gbps attacks are very, very difficult to scrub. Even the largest providers who specialize in this field think twice about taking a job of scrubbing traffic that large in size.
3 DoS Attacks : Gartner Blog Article: The Myth of the Unstoppable “State-Sponsored” Cyber Attack September 24, 2009 at 8:29 am
[...] Here is an interesting short-read article on The Myth of the Unstoppable “State-Sponsored” Cyber Attack. [...]
4 John Pescatore September 24, 2009 at 9:09 am
Agree that DDoS attacks are not solved by the ‘solve the vulnerability’ processes – but all those SQL injection/cross-site scripting/etc. ones are.
Larger providers have been stopping 10 Gbps DDoS attacks this year; beyond that requires cooperation across providers or offloading some traffic to third-party DDoS mitigators.
5 Faisal Khan September 26, 2009 at 9:31 am
Just to add a little bit further. Large providers have handled DDoS attacks as high as 40Gbps. If you read the Arbor Worldwide Infrastructure Security Report (published every 6 months), you will see that 40-50Gbps attacks have been curtailed/mitigated, but purely for the reason that the Tier I service provider did not want any degradation of service in their own network. As a webhost, if you’re small and you experience anything like 5-10Gbps, it will cost you an arm and a leg just to have it mitigated, a choice not many web hosts can make.
6 IntelliGuard September 27, 2009 at 5:13 am
10Gbps+ attacks are NOT very difficult to stop – there are DDoS protection appliances that will easily do this instantaneously. Null routing / black holing may be a preferred technique for a service provider that doesn’t care about damaging its customers, but it is foolish and ineffective and creates more unnecessary collateral damage, which may be just what the attacker wants.
Let’s also do away with this “scrubbing” marketing jargon – the point is not to “scrub” traffic, it is to keep the business online and protect legitimate customers! And also let’s look at the real measure of attack defence – it’s not Gbps, it is packets per second that is the key criterion of defence capability. Most existing DDoS and IPS defense systems quote Gbps line rates but don’t say what they mean by line rate. If an attacker sends them all 64-byte packets they can fail at many times less than their stated rates. Is that why they don’t provide technical information about packets per second? IPS systems with grafted-on naive DDoS protection are generally useless at defending against large or clever DDoS attacks and can actually contribute to making the attacks successful. Only a dedicated DDoS protection system which does not try to “scrub” based on signatures and “fingerprints” (more marketing jargon) can mitigate attacks and maintain services without collateral damage.
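The packets-per-second point raised in the comment above is worth working through with numbers. The following is an added example written for this page, not code from the original post or from any commenter; it uses the standard Ethernet framing constants (8-byte preamble/SFD, 12-byte minimum inter-frame gap, 64-byte minimum and 1518-byte maximum frames) to show how far a device rated at “10 Gbps” with large frames falls short when every frame is 64 bytes. The link speed and frame sizes are the example’s own inputs.

```python
# Added example: why a "10 Gbps line rate" figure says little about
# DDoS resilience unless the frame size it was measured at is stated.
# Ethernet framing constants (standard values, not taken from the page):
PREAMBLE_SFD_BYTES = 8      # preamble + start-of-frame delimiter
IFG_BYTES = 12              # minimum inter-frame gap
PER_FRAME_OVERHEAD = PREAMBLE_SFD_BYTES + IFG_BYTES  # 20 bytes of wire time per frame
MIN_FRAME_BYTES = 64        # minimum Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518      # maximum standard (non-jumbo) frame, FCS included


def max_frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames/s a link of link_bps carries when every frame is frame_bytes long.

    Each frame also occupies PER_FRAME_OVERHEAD bytes of wire time, so the
    per-frame cost is (frame_bytes + 20) * 8 bits.
    """
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("Ethernet frames are padded to at least 64 bytes")
    wire_bits = (frame_bytes + PER_FRAME_OVERHEAD) * 8
    return link_bps / wire_bits


def effective_bps(pps_capacity: float, frame_bytes: int) -> float:
    """Link bit-rate that saturates a device able to process pps_capacity frames/s
    when the traffic consists of frame_bytes-sized frames."""
    return pps_capacity * (frame_bytes + PER_FRAME_OVERHEAD) * 8


def small_packet_headroom(link_bps: float, rated_frame_bytes: int = MAX_FRAME_BYTES) -> dict:
    """Compare a device whose line-rate claim was measured with rated_frame_bytes
    frames against a flood of minimum-size frames on the same link speed.

    Returns the pps the rating implies, the pps a 64-byte flood generates, the
    ratio between them, and the fraction of the stated line rate at which a
    device that only meets the rated pps actually saturates.
    """
    rated_pps = max_frames_per_second(link_bps, rated_frame_bytes)
    flood_pps = max_frames_per_second(link_bps, MIN_FRAME_BYTES)
    saturation_bps = effective_bps(rated_pps, MIN_FRAME_BYTES)
    return {
        "rated_pps": rated_pps,
        "flood_pps": flood_pps,
        "pps_ratio": flood_pps / rated_pps,
        "saturates_at_bps": saturation_bps,
        "fraction_of_stated_rate": saturation_bps / link_bps,
    }


if __name__ == "__main__":
    # Constructed scenario: a box advertised as "10 Gbps line rate", tested with
    # 1518-byte frames, then hit with a flood of 64-byte frames.
    result = small_packet_headroom(10e9)
    print(f"10 Gbps at 1518-byte frames: {result['rated_pps']:,.0f} pps")
    print(f"10 Gbps at   64-byte frames: {result['flood_pps']:,.0f} pps "
          f"({result['pps_ratio']:.1f}x more frames to inspect)")
    print(f"A device rated only for the former saturates at "
          f"{result['saturates_at_bps'] / 1e6:,.0f} Mbps of small packets "
          f"({result['fraction_of_stated_rate']:.1%} of its stated rate)")
```

With these inputs the same 10 Gbps link carries about 0.81 million frames/s of 1518-byte traffic but about 14.9 million frames/s of 64-byte traffic, a factor of roughly 18; a device whose “10 Gbps” claim was measured with large frames therefore saturates at roughly 546 Mbps of minimum-size frames. When evaluating a mitigation appliance, ask for the packets-per-second figure and the frame size behind the bit-rate claim.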
7 John Pescatore September 29, 2009 at 8:52 am
While it is all well and good to say “it is to keep business online and protect legitimate customers,” I think the actual heavy lifting in DDoS *is* the ability to “scrub” or filter the traffic – and do so without having to have tight integration into the application, so independent of what the business actually is.
Agree about packets per second vs. Gbps, but that is the same issue for every claimed network equipment performance figure.
8 DoS Attacks October 9, 2009 at 11:30 am
Isn’t scrubbing the same as DPI? Nomenclature aside, almost everyone who looks at DDoS traffic in line will be doing DPI if they are to determine which packet is legitimate or not. Fingerprinting (as devised by Arbor Networks) is not marketing jargon. A signature is essentially Layer 4-7 based, whilst a fingerprint is Layer 2-3 based, with properties like infection rate, IPs that it tends to affect, the ports it will try to connect to, etc. (all your essential NBA characteristics), without necessarily looking at the payload of the packet.
9 IntelliGuard October 10, 2009 at 12:38 am
Scrubbing is not the same as DPI. Scrubbing is a marketing term for dropping attack and customer traffic to protect service providers. Attackers love this because it achieves their aim of denying services to their victims, who are rarely the service providers.
Fingerprinting is useless against anything other than the most naive attacks, as it can’t distinguish attack traffic that looks legitimate and can’t stop the more sophisticated attacks such as connection-based attacks and back-channel attacks now prevalent. And it can’t do it immediately when an attack happens. Just read the news every day for evidence of the failure of these outmoded defense techniques.
Also, an attacker just needs to send all small packets for current defence systems to fail well under their stated “line rate”.
Larger providers have not been stopping or blocking attacks this year. They have simply been dropping their customers’ traffic to protect their networks and assisting the attackers in achieving their aim of denying services to victims. Worse, their scrubbing causes collateral damage to other innocent, non-attacked customers.
Every day we see more evidence that the attackers are winning this war by a long shot because they are using clever new weapons against weak, outmoded defences.