Perimeter | Commentary
11/18/2015 10:00 AM
Paul Vixie

DDoS And The Internet's Liability Problem

It's past time for an improved liability model to disrupt DDoS.

Distributed denial of service (DDoS) has become a major and growing threat to the world's economy. DDoS is a form of asymmetric warfare in which a weak attacker can challenge a strong defender. The playing field is remarkably non-level: an angry ex-customer or competitor can, for about 15 EUR per hour, hire an attack that costs thousands of EUR per day to repel. Every large online service provider either hires a DDoS protection agency or invests heavily in its own defense. And the magnitude of the attacks grows with the capacity of the Internet, with the cost of defense rising faster than the cost of attack.

DDoS thrives because its enablers are beyond reach of any defender, any business, any government, any police force, and any military force. Those enablers are low quality software in connected devices, low quality operations of connected services and networks, and a complete lack of liability for the makers and operators of these devices and networks when they are abused.

What makes DDoS so easy and so successful that the price of hiring a DDoS attack goes down (on a per-gigabit basis) every few months? If this style of attack were occurring in the physical world, it would look like drive-by shootings happening every few minutes in every city in the world. In that scenario, there would be some kind of counter-action by government, police, and perhaps the military. What we actually do in the face of these ever-growing DDoS attacks is the equivalent of hiring more private security forces with more powerful weapons. It's as if it never occurred to us that these attacks have enablers – structural defects in our laws and customs – that would be a better focus for our defensive energies.

Let's look at three major enabling causes of DDoS: botnets, dangerously open servers, and source address forgery.

A botnet is a set of badly designed and poorly constructed devices – computers, smart phones, or home appliances with computers inside – whose defects allow them to act cooperatively and to come under the command of someone other than their owners. Software and device quality is terrible on its best day, and most days are far from the best. Developers and entrepreneurs must, in order to succeed, focus on feature level and time to market. Therefore, many connected devices are trivially reprogrammable by any moderately skilled attacker. A botnet is a perfect conduit – powerful, mindless and without conscience – for any attacker, and the perfect launch point for DDoS attacks.

Dangerously open servers are network services that either accept requests from the whole Internet rather than only from their intended local customer base, or that must be open to the whole Internet but place no reasonable limit on the number of requests they answer for each end user. An example of the first case is the tens of millions of DSL modems and wireless access points that are willing to answer end-user DNS requests from the entire Internet rather than only from the home or business they serve. In the second case, consider the tens of thousands of DNS content servers that must serve the entire Internet but lack response rate-limiting. These dangerously open servers are a perfect reflecting amplifier for DDoS attacks.

Source address forgery means sending an Internet packet that appears to come from somewhere else, such that any response to that packet will go to the purported source of the request. An attacker need only forge the source address of her intended victim on some large number of requests in order to cause that victim to be bombarded with an unstoppable and congestive deluge of unsolicited Internet traffic. Due to the original technical design and culture of the Internet, source address forgery is allowed by default and thus allowed almost anywhere. One reason why source address forgery is usually not prevented by most network operators is that the beneficiaries of such prevention will not be the operator's customers, but rather, their competitors. These networks are therefore a perfect launch point for reflected DDoS attacks.
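As an added example, not part of Vixie's article, the following Python models the two network- and server-side fixes implied by the last two paragraphs from the defender's side: source address validation on customer-facing links (the ingress filtering of BCP 38), and per-client response rate limiting on a DNS server so that it cannot act as a reflecting amplifier. The link names, prefixes, packet sizes, rate budget and "slip" behaviour are all constructed for illustration; the limiter is a simplified model of what DNS servers do, not any particular server's implementation.

```python
# Added example (not from the article): the two server/network-side DDoS
# enablers described above, handled from the defender's side. Part 1 is
# source address validation at a network edge (the ingress filtering of
# BCP 38); part 2 is per-client DNS response rate limiting, which stops an
# open or authoritative name server from acting as a reflecting amplifier.
# All addresses, links, sizes and limits are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# ---- Part 1: source address validation on customer-facing links ----------

# Constructed: the prefixes an operator has assigned to each customer link.
# A packet arriving on a link with a source outside that link's prefixes is
# forged (or misrouted) and must not be forwarded.
CUSTOMER_PREFIXES = {
    "link-A": [ipaddress.ip_network("203.0.113.0/24")],
    "link-B": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass(frozen=True)
class Packet:
    link: str      # customer link the packet arrived on
    src: str       # claimed IPv4 source address
    dst: str       # destination address
    length: int    # bytes on the wire


def ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) by source address validation."""
    forwarded, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p.src)
        if any(src in net for net in prefixes.get(p.link, [])):
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped


# Constructed traffic: two legitimate packets and two with forged sources.
SAMPLE_PACKETS = [
    Packet("link-A", "203.0.113.5", "192.0.2.53", 64),    # genuine
    Packet("link-A", "198.51.100.9", "192.0.2.53", 64),   # forged: not link-A's
    Packet("link-B", "192.0.2.77", "192.0.2.53", 64),     # forged: not link-B's
    Packet("link-B", "198.51.100.20", "192.0.2.53", 64),  # genuine
]

# ---- Part 2: response rate limiting on a DNS server ---------------------


class ResponseRateLimiter:
    """Per-second budget of identical responses to one client /24.

    Beyond `per_second` responses, answers are dropped, except that every
    `slip`-th excess response is sent truncated (TC bit set, header only).
    A genuine client retries over TCP, whose handshake cannot complete from
    a forged source; a reflection victim receives almost nothing.
    """

    TRUNCATED_SIZE = 12  # size of a bare DNS header with no records

    def __init__(self, per_second=5, slip=2):
        self.per_second = per_second
        self.slip = slip
        self.sent = defaultdict(int)    # (client /24, qname, second) -> sent
        self.excess = defaultdict(int)  # same key -> responses over budget

    def respond(self, client_ip, qname, second, full_size):
        """Return (action, bytes_sent) for one would-be response."""
        client_net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (client_net, qname, second)
        self.sent[key] += 1
        if self.sent[key] <= self.per_second:
            return "answer", full_size
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate", self.TRUNCATED_SIZE
        return "drop", 0


# Constructed: 20 small queries in one second whose (forged) source is the
# victim, each of which would normally earn a 3000-byte answer.
SAMPLE_QUERIES = [("203.0.113.7", "example.com", 0, 60, 3000) for _ in range(20)]


def reflected_traffic(queries, limiter=None):
    """Return (bytes_in, bytes_out) for a query stream, with or without RRL."""
    bytes_in = bytes_out = 0
    for client_ip, qname, second, req_size, resp_size in queries:
        bytes_in += req_size
        if limiter is None:
            bytes_out += resp_size
        else:
            _, sent = limiter.respond(client_ip, qname, second, resp_size)
            bytes_out += sent
    return bytes_in, bytes_out


def amplification_factor(queries, limiter=None):
    """Bytes the server emits per byte it receives: the attacker's leverage."""
    bytes_in, bytes_out = reflected_traffic(queries, limiter)
    return bytes_out / bytes_in


if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"ingress filter: forwarded {len(fwd)}, dropped {len(drop)}")
    print(f"amplification without RRL: {amplification_factor(SAMPLE_QUERIES):.1f}x")
    limited = amplification_factor(SAMPLE_QUERIES, ResponseRateLimiter())
    print(f"amplification with RRL:    {limited:.1f}x")
```

The two halves attack the problem at different places: the ingress filter removes the forged packets before they ever reach a reflector, while the rate limiter makes a reflector useless even when forged packets do arrive. The truncated "slip" response is what keeps rate limiting from breaking real clients: a legitimate resolver that hits the budget retries over TCP, which a spoofed source cannot do, so the server distinguishes real demand from reflected abuse without knowing anything about the attack.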

Something's got to be done about these enablers of the Internet's DDoS problem.

Liability

In the world of credit cards, ATM cards, and wire transfers, state and federal law explicitly points the finger of liability for fraudulent transactions toward specific actors. And in that world, those actors make whatever investments they have to make in order to protect themselves from that liability, even if they might feel that the real responsibility for preventing fraud ought to lay elsewhere.

We have nothing like that for DDoS. The makers of devices that become part of botnets, the operators of open servers used to reflect and amplify DDoS attacks, and the owners and operators of networks who permit source address forgery, bear none of the costs of inevitable storms of DDoS traffic that result from their malfeasance.

And that's a problem deserving a real solution: a solution rooted in liability law.

Right now there is no point in backtracking a DDoS to find out where it's coming from. The dangerously open servers that reflect and amplify these attacks are generally operated by novices who have little understanding of firewalls or rate limiting, and no incentive to learn more. The far-end edge networks where DDoS attacks originate are generally also operated by novices who don't know what a source address is or why they might want to prevent forgeries of same, and who have in any case no incentive to prevent these forgeries. The remarkably weak devices we all carry or use that form the botnets used to launch DDoS attacks are often programmed by novices who have very little sense of the scale of the Internet, and we as end users of those devices are generally clueless about how they work. It's long past time for redress.

In short, a DDoS victim today cannot expect any relief of any kind from locating the reflectors and amplifiers and networks and devices that caused any particular attack. Their only recourse today is to pay for DDoS defense – or to just wait it out. DDoS for hire and DDoS for ransom/extortion are successful and growing business models, due to the asymmetric nature of the attack vs. defense costs. But we can rebalance these costs.

If a device, network, or server is responsible in any part for a DDoS attack that cripples some online service or business, then the maker of that device or the operator of that network or server should be liable for those damages. This means DDoS victims will be incented to pay for investigation rather than defense, and their goal will be to recover costs rather than to negotiate with criminals.

And it means device makers, server operators, and network operators will be incented toward online safety as an important component of their cost of doing business. For example, mobile phone companies that sell Android devices without having a way to patch Android's periodic security vulnerabilities would be liable for the damage done by those unpatched devices.

The Internet changes everything. The Internet is now demanding an improved liability model. Let's listen -- and act.

Dr. Paul Vixie is an Internet pioneer and thought leader who designed, implemented, and deployed several Domain Name System (DNS) protocol extensions and applications that are used throughout the Internet today. He is CEO of Farsight Security Inc. Previously, he served as ...
Comments
paulvixie, User Rank: Author
11/26/2015 | 1:54:33 AM
Re: Unconvinced
<< Um, pardon me for saying so, but -- to extend your drive-by shooting analogy -- isn't this proposal like saying that the architect and construction workers who built a person's home should be held liable for damages pursuant to a drive-by shooting? >>

your pardon is granted. as with spam before it, spoofed source ddos and irresponsibly open servers have brought out every possible form of apologist. i have heard "there is no problem" and "it is not my problem" literally hundreds of times now. i won't take it personally, and i hope you won't take it personally when i tell you that you're plain and simply and completely wrong.

argument by analogy is fraught with error. as in this case, choosing the wrong analogy leads to absurd results. closer to the situation at hand would be holding the builder and architect of a house responsible if the house catches fire and burns the whole neighborhood down because somebody rang the doorbell too hard.

<< This all seems very huffy.  The reality of crime is that bad guys often get away with their behavior, and we have to live with this unfairness lest we create even more unfairness. >>

you can live with whatever impositions you wish, but you can't insist that i do the same. "the reality" as you call it is that in the real world, creating or operating a public nuisance is an actionable offense if someone is injured by it, and the internet has thus far yelled and screamed about "stifling innovation" whenever similar accountability and recourse has been proposed. well, i am not here to censor any content or demand that software creators be licensed or anything else that might stifle innovation.

rather, i'm saying that the collective nuisance cost of the internet's irresponsible device makers and server and network operators is now so high that even the most self-deceiving apologist cannot successfully pretend that everything will be ok without giving the lawyers and insurance companies a more defined role.

vixie
Joe Stanganelli, User Rank: Ninja
11/26/2015 | 12:20:40 AM
Re: DDoS Botnets
DDoS attacks in and of themselves are made to be a bigger deal than they are -- outside of victims like retail and other major commercial websites (where those companies lose oodles of dollars for all the time that they are down).

The real solution here, in any case, is to follow the money.  Bust other forms of cybercrime, and you reduce DDoS and other cybercrime because most of it is related.  (Great source on this subject: Brian Krebs's Spam Nation)

Joe Stanganelli, User Rank: Ninja
11/26/2015 | 12:18:47 AM
Unconvinced
Um, pardon me for saying so, but -- to extend your drive-by shooting analogy -- isn't this proposal like saying that the architect and construction workers who built a person's home should be held liable for damages pursuant to a drive-by shooting?

This all seems very huffy.  The reality of crime is that bad guys often get away with their behavior, and we have to live with this unfairness lest we create even more unfairness.
PaulV378, User Rank: Strategist
11/25/2015 | 12:18:46 PM
Re: DDoS without vulnerability
<< There can be a real successful DDoS attack without any vulnerability, that is why it is always a successful form of attack. >>

if you take away botnets (which are created by exploiting vulnerabilities in devices and software), and poorly operated networks lacking source address validation (which allows spoofed-source packet emission, a vulnerability in the internet itself), and you take away poorly operated servers and services (which allow amplification and reflection, another vulnerability in the internet itself), then a successful ddos will have to come from some set of endpoints who use their real ip source addresses. those endpoints can be hired, due to poorly operated cloud service providers, who don't insist on verified identity, and due to poorly operated credit card and payment systems, which allow stolen credit cards to be used to hire online services.

so while vulnerability is not strictly required, demonstrably piss-poor operational practices are, and the same "your problem looked just fine leaving here!" attitude that underlies those irresponsible operational practices is the one which permits device manufacturers to evade responsibility for the botnets their sloppy unpatchable software creates. those practices, whether by operators or manufacturers, should create liability which can be exploited in civil lawsuits by ddos victims, and which ought to drive insurance costs upward. we are the frog in the famous aphorism, and we are slowly boiling ourselves to death by not holding enablers accountable for the damage they do by proxy.

vixie
Dr.T, User Rank: Ninja
11/25/2015 | 11:22:17 AM
Re: Make it so
Unless there is a way somebody seizes the moment and makes money off it, it will work, but I do not know who that would be.
Dr.T, User Rank: Ninja
11/25/2015 | 11:16:56 AM
Re: DDoS Botnets
Agree, once you have the impact it does not matter how it happened; this is like using the target's resources to attack the target itself. :--)).
Dr.T, User Rank: Ninja
11/25/2015 | 11:13:58 AM
Re: Make it so
I agree; also, the public is not aware of this situation, and unless there is public support nobody will move or touch anything.
Dr.T, User Rank: Ninja
11/25/2015 | 11:11:11 AM
Re: Make it so
Anything involving government these days is obviously not working, but you never know though. :--)).
Dr.T, User Rank: Ninja
11/25/2015 | 11:08:27 AM
DDoS without vulnerability

Nice article, enjoyed reading it. There can be a real successful DDoS attack without any vulnerability, that is why it is always a successful form of attack.
UldisS421, User Rank: Apprentice
11/22/2015 | 2:00:23 PM
Re: Make it so
Liability for insecure software would make it hard for open source. Not because someone might try suing; they can't do that. But because of people getting afraid of liabilities on them, not the software creators, thus making them choose proprietary software just to stay safe themselves.

Another aspect. Getting liabilities on the senders would mean sending legal notices etc. to thousands of them, many in faraway lands with lots of legal problems, from "it is not illegal in my country" to "we don't care" and just stretching the time.

So, I don't know if this idea would work in real life as it sounds in theory. Still many obstacles.