It’s past time for an improved liability model to disrupt DDoS.
Distributed denial of service (DDoS) has become a major and growing threat to the world’s economy. DDoS is a form of asymmetric warfare where a weak attacker can challenge a strong defender. Think of the playing field as being remarkably non-level, such that an angry ex-customer or competitor can for an investment of about 15 EUR per hour hire an attack that will cost thousands of EUR per day to repel. Every large online service provider either hires a DDoS protection agency or invests heavily in their own defense. And the magnitude of the attacks grows with the capacity of the Internet, with the cost of defense rising faster than the cost of attack.
DDoS thrives because its enablers are beyond reach of any defender, any business, any government, any police force, and any military force. Those enablers are low quality software in connected devices, low quality operations of connected services and networks, and a complete lack of liability for the makers and operators of these devices and networks when they are abused.
What makes DDoS so easy and so successful that the price of hiring a DDoS attack goes down (on a per-gigabit basis) every few months? If this style of attack were occurring in the real world, it would look like drive-by shootings that happened every few minutes in every city in the world. In that scenario, there would be some kind of counter-action by government, police, and perhaps the military. Whereas what we actually do in the face of these ever-growing DDoS attacks is the equivalent of hiring more private security forces with more powerful weapons. It’s as if it never occurred to us that these attacks have enablers – structural defects in our laws and customs – that would be a better focus for our defensive energies.
Let’s look at three major enabling causes of DDoS: botnets, dangerously open servers, and source address forgery.
A botnet is a set of badly designed and poorly constructed devices – could be computers, or smart phones, or home appliances with computers inside – that allow these devices to act cooperatively and to come under the command of someone other than their owners. Software and device quality is terrible on its best day, and most days are far from the best. Developers and entrepreneurs must, in order to succeed, focus on feature level and time to market. Therefore, many connected devices are trivially reprogrammable by any moderately skilled attacker. A botnet is a perfect conduit – powerful, mindless and without conscience – for any attacker and the perfect launch point for DDoS attacks.
Dangerously open servers are network services that either accept requests from the whole Internet rather than only from their intended local customer base, or that must be open to the whole Internet but place no reasonable limit on the number of requests they answer for each end user. An example of the first case would be that tens of millions of DSL modems and wireless access points willing to answer end-user DNS requests for the entire Internet rather than only for the home or business they serve. In the second case, consider the tens of thousands of DNS content servers that must serve the entire Internet but lack response rate-limiting. These dangerously open servers are a perfect reflecting amplifier for DDoS attacks.
Source address forgery means sending an Internet packet that appears to come from somewhere else, such that any response to that packet will go to the purported source of the request. An attacker need only forge the source address of her intended victim on some large number of requests in order to cause that victim to be bombarded with an unstoppable and congestive deluge of unsolicited Internet traffic. Due to the original technical design and culture of the Internet, source address forgery is allowed by default and thus allowed almost anywhere. One reason why source address forgery is usually not prevented by most network operators is that the beneficiaries of such prevention will not be the operator’s customers, but rather, their competitors. These networks are therefore a perfect launch point for reflected DDoS attacks.
Something’s got to be done about these enablers of the Internet’s DDoS problem.
In the world of credit cards, ATM cards, and wire transfers, state and federal law explicitly points the finger of liability for fraudulent transactions toward specific actors. And in that world, those actors make whatever investments they have to make in order to protect themselves from that liability, even if they might feel that the real responsibility for preventing fraud ought to lay elsewhere.
We have nothing like that for DDoS. The makers of devices that become part of botnets, the operators of open servers used to reflect and amplify DDoS attacks, and the owners and operators of networks who permit source address forgery, bear none of the costs of inevitable storms of DDoS traffic that result from their malfeasance.
And that’s a problem deserving a real solution: a solution rooted in liability law.
Right now there is no point in backtracking a DDoS to find out where it’s coming from. The dangerously open servers that reflect and amplify these attacks are generally operated by novices who have little understanding of firewalls or rate limiting, and no incentive to learn more. The far-end edge networks where DDoS attacks originate are generally also operated by novices who don’t know what a source address is or why they might want to prevent forgeries of same, and have in any case no incentive to prevent these forgeries. The remarkably weak devices we all carry or use that form the botnets used to launch DDoS attacks, are often programmed by novices who have very little sense of the scale of the Internet, and we as end users of those devices are generally clueless about how they work. It’s long past time for redress.
In short, a DDoS victim today cannot expect any relief of any kind from locating the reflectors and amplifiers and networks and devices that caused any particular attack. Their only recourse today is to pay for DDoS defense – or to just wait it out. DDoS for hire and DDoS for ransom/extortion are successful and growing business models, due to the asymmetric nature of the attack vs. defense costs. But we can rebalance these costs.
If a device, network, or server, is responsible in any part for a DDoS attack that cripples some online service or business, than the maker of that device or the operator of that network or server should be liable for those damages. This means DDoS victims will be incented to pay for investigation rather than defense, and their goal will be to recover costs rather than to negotiate with criminals.
And it means device makers, server operators, and network operators will be incented toward online safety as an important component of their cost of doing business. For example, mobile phone companies that sell Android devices without having a way to patch Android’s periodic security vulnerabilities, would be liable for the damage done by those unpatched devices.
The Internet changes everything. The Internet is now demanding an improved liability model. Let’s listen — and act.
Dr. Paul Vixie is an Internet pioneer and thought leader who designed, implemented, and deployed several Domain Name System (DNS) protocol extensions and applications that are used throughout the Internet today. He is CEO of Farsight Security Inc. Previously, he served as … View Full Bio