Denied! Dealing with Global Distributed Denial of Service

Cyber security has recently reached yet a new level of public awareness, as the world learned that an army of bots hosted on internet connected cameras were able to cause outages to well-known internet services such as Twitter, Amzaon, Spotify and Netflix. The global Distributed Denial of Service (DDoS) attack on DYN, a large DNS infrastructure company, caused the downtime, may not have shocked internet security professionals, but it gave yet another demonstration of the fragility of the Internet grid. Fortunately it was not as damaging as it could have been.


The internet is a platform of innovation and inspiration. We can all invent, develop and release our work for free or for payment, as a product or as a service without formal qualification or certification. Products and services are released, improved and updated constantly, often without physical touch between the manufacturer, reseller and consumer. This is very unusual in the engineering world and so far has worked fantastically well.


Security professionals realize this unprecedented freedom to innovate also comes with risks. Many internet connected products are not designed with security in mind and some of them contain very basic flaws that allow attacks such as the one on DYN to take place (in the attack on DYN, unprotected internet connected cameras were accessed easily by hackers using hardcoded or default user credentials). Public awareness of these security oversights is rising as cyberattacks targeting well-known services are becoming common.


Securing the Grid

As our lives are becoming so dependent on the internet, it’s time we thought about ways to protect the grid without hindering continuous innovation


The most widespread grids in the world, alongside the internet, are the electrical grid and the telephone grid.  Both are designed for high-resilience and require every device connected to them be certified to meet various standards that ensure it will not pollute the grid.  Manufacturers are not allowed to sell electrical appliances or telephone equipment without appropriate certification, and authorities of every country of the world enforce that certification.


Some people suggest that a possible conclusion could be to require certification of any and all equipment that is connected to the internet – ensuring that it will conform to basic security and other standards. This may end up being necessary and may develop over time, but would also be a very complicated process, as it will take a very long time to agree on the standards and then implement them.  It’s also likely to slow down the pace of innovation that we enjoy today.


A more practical solution would be for the grid to protect itself.  It would require trust and entails some risks and yet since it involves far fewer parties; it could be done in a sensible and democratic way.  Let’s look at how this could be achieved.


Internet traffic control

The most important internet services we rely on are local to our country of residence (financial services, government services) and sometimes international (DNS, Social Networks, Email services, Search services, etc.).  Attacking these services can be done locally to some degree, and internationally to a very large extent, as demonstrated in recent global DDoS attacks.


The biggest challenge when dealing with Denial of Service attacks is how to separate malicious traffic from legitimate traffic coming from the same origin – even sometimes from the same IP address. Many vendors today offer anomaly detection-based Anti-Denial of Service solutions that try to solve this, and they can be effective, especially when the attack is targeting the computing resources of the victim rather than just try to fill their internet link with traffic in order to disrupt legitimate traffic.


But sometimes, if the link connecting the victim network to the Internet Service Provider (ISP) or moreover the link between the ISP to an up-stream ISP is saturated with attack traffic, then it is too late…


As such, business providing internet services and specially ISPs should continue to protect themselves to the best of their ability. But if they are unable to help themselves, they should be able to call for help to the companies that comprise the internet back bone, the Tier-1 and Tier-2 internet service providers.


The backbone of the Internet comprises is a mesh of networks owned by numerous companies. Six large providers are known today to be Tier-1 (Level 3 Communications, Telia Carrier, NTT, Cogent, GTT, and Tata Communications) as due to their capacity and wide geographical reach they do not have to purchase transit agreements with other providers. Connected to them are about thirty Tier-2 providers. Within each country there are numerous other providers that are connected to these Tier-2 providers. Internet Service Providers (and sometime large Content Delivery Networks) interconnect to each other using Internet Exchange Points (IXP). The aggregated capacity of these providers is the maximum capacity of the internet: no DDoS attack can exceed it.


Blocking attacks at source

As such, less than fifty Tier-1 and Tier-2 providers together have the technical capacity to stop most global DDoS attacks and, in many cases, also country-level attacks – at the source. To do this, accurate attacks patterns need to identified and agreed upon, but most importantly there is a need to define how this can be done in an effective and legitimate way, while maintaining data privacy.


To achieve this, a scalable process with checks and balances could be implemented on these lines:


  1. Internet services are expected to have some means of internal, or cloud scrubbing service to deal with DDoS until their line is saturated.
  2. If a victim (any internet service) determines that it cannot deal with an attack as their internet line is saturated, they should approach their upstream Tier-2 provider (directly or through their local ISP; large providers may be connected directly to Tier-2 or IXPs) and provide details about the attack.
  3. The Tier-2 provider should work with the victim to identify an attack pattern. This may not always be easy, but security professionals can achieve this.
  4. The Tier-2 provider should determine whether they are able to block the attack using their own resources
  5. If the Tier-2 is not able to block, they should issue a “Global Block Request” (GBR) – a set of flow identifiers (Source IP, Destination IP, Source Port, Destination Port, and Protocol) with possible ranges or wildcards and/or regular expressions that identify the attack pattern. The GBR also includes a blocking ratio that would indicate the desired blocking level – 1:1 for blocking all cases or 1:n for just easing the attack.
  6. The GBR should be reviewed, approved and signed by at least three Tier-1 providers or five Tier-2 providers, who will validate and ensure that no significant legitimate traffic or traffic unrelated to the attack is blocked.
  7. Once approved, all Tier-1 and Tier-2 providers should honor the GBR for two hours. After the two-hour period, the GBR can be renewed one more time.
  8. If the attack continues, the GBR can be renewed but need to be reviewed, approved and signed by at least four Tier-1 providers or seven Tier-2 providers each time. In this case the GBR can be renewed again and again at six-hour intervals.


A network/service device would enforce GBR either at the Tier-1/Tier-2 providers upstream or downstream (or at the IXPs). The provider would also inform the ISPs downstream that a specific IP address is generating an attack so the IP owner could be informed. Check Point Software Technologies and some other vendors can provide the technology required for handling GBRs today.


Many attacks, such as the one on DYN, could be effectively mitigated using the above process. In case of attacks within encrypted channels (e.g. SSL), it will not be possible to Identify precise attack patterns using regular expressions within the encrypted traffic, but traffic from attacking IPs could be blocked or reduced using five-tuples that identify the communication pattern even without looking at encrypted traffic.


All too often, major policy changes only occur when a catastrophe has taken place; only then there is enough public demand, urgency and political will to make concessions and drive real change. Solving global Distributed Denial of Service of attacks can be achieved before such a catastrophe strikes. As described here, mitigating many major DDoS attacks is achievable through practical collaboration of just a few global parties. More importantly, it can be an exercise in solving a simple problem by working together, rather than standing alone.