The online community needs to develop industry-based mitigation technologies that incorporate mechanisms to distribute attack source information into ISPs, so they can squelch the attacks closer to the source.
As part of a survey released yesterday, Rodney Joffe, senior vice president and technology fellow at Neustar, said that the industry needs to improve visibility and understanding of activities in the criminal underground, so their command and control structures can be disabled rapidly.
In an email to IT Security Guru, 44CON co-founder Steve Lord said that the problem is that those participating in the DDoS are usually unwitting victims themselves. He said: “While there’s scope for an open source threat intelligence project, is handing out lists of compromised victims the best idea, or will it be treated like a loser list for criminals?”
Asked why ISPs do not develop solutions to “squelch the attacks closer to the source”, Lord said that it is simply not the job of the ISP to do that. “Take the recent man in the side attack on GitHub; if an ISP finds the victim do they block access to GitHub? Do they disconnect the user? In this case user systems were not even compromised, it was simply that code was injected into browser sessions. Should ISPs shut down business connectivity because someone had browser content injected into a page they visited? Who’ll pay for it?”
Dave Larson, CTO of Corero, agreed, saying that an attacker who has spoofed an IP address in order to effect the attack is virtually untraceable, and the ‘attacking’ machines may be vital to the operation of the network.
He said: “In large reflected or amplified DDoS attacks, the ‘attacking’ machines may be distributed across a wide geographic area – perhaps even globally – so distributing the solution closer to the source would be advantageous in that it would address the problem before the cascade had opportunity to aggregate into an attack of truly large proportions. The difficulty in this approach lies with the difficulty in distributing a solution across geographic distance and beyond ISP control frameworks – hence the need for open DDoS threat signaling.”
Asked if industry could work together to develop solutions that are for the benefit of the industry, rather than just for profit, Lord pointed to offerings from Team Cymru, while Larson said that the industry would benefit from cooperation among security technology vendors.
“But this problem could benefit by an even more inclusive approach – incorporating perspectives from operators (carriers, service providers, cloud hosters, etc.) as well as application developers,” Larson said.
“In the world of DDoS, it is nearly impossible to treat the problem as one where we can squelch the attack as close to the source as possible, as Neustar implies. This is because a significant fraction of overall DDoS traffic (maybe even a majority) is reflected or amplified DDoS, which is created by spoofing legitimate servers and services to respond in unison to an unwitting victim. Blacklisting these entities would be problematic – in the case of DNS servers, it would be unthinkable. But the basic premise, that the industry should combine forces against this problem is sound. In fact, the beginnings of that are already occurring.”
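Larson's two points above (reflected traffic arrives from legitimate servers that never saw the spoofed request, and blocklisting those servers would take out infrastructure such as DNS resolvers) can be illustrated from the defender's side with a small flow-record analysis. The example below is added here and is not code from the article, Corero or Neustar; the flow records, the 192.0.2.0/24 "defended network", its resolver 192.0.2.53 and the thresholds are all constructed assumptions using RFC 5737 documentation addresses. It flags a reflection target by looking for large replies from reflector ports that no host on the network requested, then shows that a naive source blocklist built from that traffic would include the organisation's own resolver.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# UDP services that answer small queries with much larger replies and are
# therefore abused as reflectors. The article names DNS; NTP is another
# widely documented case. Port -> service label.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


class Flow(NamedTuple):
    """One summarised flow record as a collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    octets: int


# Constructed sample flow records (assumption: 192.0.2.0/24 is the defended
# network, 192.0.2.53 is its own recursive resolver, 192.0.2.10 is the host
# whose address was spoofed by the attacker). Not real traffic.
SAMPLE_FLOWS: List[Flow] = [
    # Legitimate: an internal client queries the local resolver and gets a
    # small reply. The request flow makes the reply "solicited".
    Flow("192.0.2.20", 51000, "192.0.2.53", 53, 70),
    Flow("192.0.2.53", 53, "192.0.2.20", 51000, 140),
    # Reflection: nobody at 192.0.2.10 sent any query, yet large replies
    # arrive in unison from several servers that answered spoofed requests.
    Flow("198.51.100.1", 53, "192.0.2.10", 4000, 3200),
    Flow("198.51.100.2", 53, "192.0.2.10", 4000, 3100),
    Flow("198.51.100.3", 53, "192.0.2.10", 4000, 3300),
    Flow("198.51.100.4", 123, "192.0.2.10", 4000, 2000),
    # The organisation's own resolver is one of the reflectors too.
    Flow("192.0.2.53", 53, "192.0.2.10", 4000, 3000),
]


def unsolicited_responses(flows: List[Flow]) -> List[Flow]:
    """Replies from reflector ports whose (client, server) pair never appears
    as a request in the same window. Spoofed requests leave from the attacker,
    not from the victim, so the victim's collector sees only the replies."""
    requested = {(f.src_ip, f.dst_ip) for f in flows if f.dst_port in REFLECTOR_PORTS}
    return [
        f for f in flows
        if f.src_port in REFLECTOR_PORTS and (f.dst_ip, f.src_ip) not in requested
    ]


def flag_reflection_targets(flows: List[Flow], min_reflectors: int = 3,
                            min_octets: int = 5000) -> Dict[str, dict]:
    """Group unsolicited replies by destination; a host receiving large,
    unrequested answers from many distinct servers is a reflection target."""
    per_target = defaultdict(lambda: {"reflectors": set(), "octets": 0, "services": set()})
    for f in unsolicited_responses(flows):
        entry = per_target[f.dst_ip]
        entry["reflectors"].add(f.src_ip)
        entry["octets"] += f.octets
        entry["services"].add(REFLECTOR_PORTS[f.src_port])
    return {
        ip: {"reflectors": len(e["reflectors"]), "octets": e["octets"],
             "services": sorted(e["services"])}
        for ip, e in per_target.items()
        if len(e["reflectors"]) >= min_reflectors and e["octets"] >= min_octets
    }


def naive_source_blocklist(flows: List[Flow], target: str) -> Set[str]:
    """What a 'block the attacking IPs' reflex would produce: the set of
    reflector addresses, i.e. legitimate servers, including our own resolver."""
    return {f.src_ip for f in unsolicited_responses(flows) if f.dst_ip == target}


if __name__ == "__main__":
    targets = flag_reflection_targets(SAMPLE_FLOWS)
    for ip, info in targets.items():
        print(f"reflection target {ip}: {info}")
        blocked = naive_source_blocklist(SAMPLE_FLOWS, ip)
        own = {s for s in blocked if s.startswith("192.0.2.")}
        print(f"  naive blocklist would also cut off own infrastructure: {sorted(own)}")
```

The detection keys on the asymmetry Larson describes: the reflectors are real servers doing their job, so the only signal at the victim is replies with no corresponding request. Mitigation that follows from this stays on the victim side (rate-limiting unsolicited reflector-port traffic toward the flagged host) rather than blocklisting the servers, which is the point the quote makes about DNS.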