In his 2006 piece “Beyond Denial of Service: Is Availability a Security Issue?”, Eric Maiwald (from our SRMS team) stated: “Managing the availability of systems, applications, data, and networks is just as much a part of risk management as is the managing of integrity and confidentiality. Yet, in many organizations, availability is not considered a security issue.”
Indeed, the “A” leg of the “C-I-A” (Confidentiality, Integrity, Availability) triad is the one unlike the other two (but then again, any of the three is not like the other two, if you ask me). A lot of folks still relate better to “C” than to “A” (or “I”) and think that security is largely about secrecy. To muddy the waters further, people might doubt that the security team has to care about IT availability, but they do not doubt that their organizations face IT availability risks…
In any case, let me focus on one particular threat to availability: Denial of Service attacks. It so happens that this quarter I am working on a research project related to denial of service attacks as well as DoS defense architectures.
The more I dive into the subject, the more little peculiarities I notice:
- The area of anti-DoS (really, “anti-DDoS” in most cases) is “certified compliance free” – organizations choose to do something about it since it affects their business in the most visible and material way.
- On a related note, the cost of a “breach” or a persistent penetration is often a subject of some painful debate; DoS costs, on the other hand, are MUCH easier to gather. It makes this domain of security a curious test bed for economic metrics.
- It is also an area where cloud computing (and distributed computing in general) seems like a net-positive force for security, and not a security “challenge”.
- I also find it funny that one of the latest DoS “innovations” is essentially voluntary DoS – an attacker convinces people to download the tool and run an attack on a particular target that they collectively “hate” (“hive mind” mode notwithstanding). This reminds us all that we can patch Windows, but we cannot patch stupid.
In any case, I will be sharing what I learn about this area in further blog posts – and a full report due later this year.
Finally, if you do anything interesting in the area of DoS mitigation – and I don’t just mean “make and sell tools”, maybe your network is architected in an interesting DoS-resilient way or you just survived a fun DoS attack – think about giving me a call/email or even a comment below. It will help others secure their networks and systems using the lessons you learned!