You may have heard that the Internet almost broke last week. That was the story according to a cloud computing and security firm, called CloudFlare, that was called into help SpamHaus, fend off a large-scale distributed denial of service or DDoS attack from an anonymous group. SpamHaus is a non-profit that maintains a spam blacklist used by email service providers and network administrators.
Mainstream media outlets like the New York Times and the BBC picked up the story, saying that the attack “jam[med]” and “slow[ed]” the Internet. But as other observers soon noted, the press probably should have viewed CloudFlare's assertion with a bit more skepticism. After all, worldwide coverage of massive DDoS attacks could be helpful to the firm, whose services include protecting Web companies against such attacks.
Even so, it likely was the largest distributed denial of service attack ever, and it's a worrisome demonstration of how much DDoS attacks can scale. Yet, any major effects appear to have been quite limited to small region of Internet users. CloudFlare pointed to the attacks as a reason for a localized slowdown for Internet users connecting through a major Internet exchange point in London. But Computer World’s Jaikumar Vijayan writes that “[a]ccording to Keynote,” a company that monitors Internet performance, “some network segments in Europe did experience up to 40% slower-than-average response times during a six-hour period Tuesday. However, it is hard to tell whether the Spamhaus attacks caused the slowdown or it arose because so many people were live-streaming a soccer game between France and Spain during that time.”
Unfortunately, it's not easy to tease out what might have caused a significant drop in Web performance, in part because the Internet is a network of networks, with numerous providers all participating in moving traffic. Even security and Internet researchers can struggle to truly understand the impact of such attacks. And while I don't mean to single out the New York Times’ or BBC's reporting, this incident underscores the particular challenge for reporters covering these very technical and dynamic incidents. Getting it right is more important than ever: These stories can affect public discourse on cybersecurity, including how policymakers assess the realities of cyber threats to the Internet and to society more broadly—as well as how government should respond.
For example, most DDoS attacks rely on botnets, computers infected with malicious software that can perform automated tasks, including repeatedly sending requests to servers. The malicious software generally exploits holes in the operating systems or other software on the device without the user’s knowledge. Yet, few policymakers are scrutinizing how software, hardware, and communication companies are addressing security issues with PCs, laptops, smartphones, and other devices that connect to the Internet.
In the same way, the attack exploited a flaw in the configuration of some Domain Name Service servers that allowed the attackers to amplify the amount of traffic going to SpamHaus. (DNS servers translate the domain names you type into your browser into numerical IP addresses.) The strike focused on using these servers to send massive amounts of information to SpamHaus servers that they were not requesting. The attackers likely did this by repeatedly sending requests and spoofing the return address, so that a client (a botnet in this instance) would request information from a DNS server, but the return address would be SpamHaus servers.
DNS servers can be configured to respond only to requests from within their network, but many allow clients outside of the network to make them. In some cases, it’s done intentionally to offer Internet users an alternative to DNS provided by their internet service provider, such as Google Public’s DNS service. In others, it may be a default configuration that was left unchanged.
Either way, there are several good measures you can take to avoid what happened in the SpamHaus attack while maintaining an open DNS server. That’s why a group called the Open DNS Resolver Project has been trying to raise alarm bells among the public. Still, too many network administrators do not implement any fixes. After the recent attack, lack of awareness should no longer be an excuse, but the issue underscores the significant challenge to facilitating widespread adoption of security practices and greater accountability for lax security by tech and Web companies.
At least in the United States, establishing minimum and reasonable security practices seems to be a tough sell. During last year's Senate and House negotiations around comprehensive cybersecurity legislation, disagreement over whether the government should mandate security standards for privately owned critical infrastructure networks was a chief reason legislators failed to reach a consensus Though the government will likely develop a set of voluntary standards as a result of the president's Executive Order on cybersecurity, the revived Cyber Intelligence Sharing and Protection Act (CISPA) is focused on information-sharing and does not include an incentive structure to encourage adoption of those security practices.
It’s not feasible or even desirable to have a perfectly secure Internet. The cost alone would be prohibitive, not to mention the potentially disastrous effects it would have on free speech, privacy, and innovation. What's the answer, then? As security technologist Bruce Schneier noted with respect to global threats to security more broadly, “If security won’t work in the end, what is the solution? Resilience—building systems able to survive unexpected and devastating attacks—is the best answer we have right now.”
And in that respect, the Internet held up pretty well this time. But the reality is that we don't know how it will fare in the future. For example, redundancy and geographic diversity of network infrastructure are critically important for resiliency, but they often run up against more commercial concerns such as efficiency and economies of scale. That's probably not an attention-grabbing headline, but it is something that will likely determine whether a DDoS or similar attack truly does break the Internet.