With DDoS reflection attacks growing into mammoth events with unforeseen consequences, mitigation firm Verisign believes a radical new approach is needed to head off a pile of trouble – go after the “guys behind the keyboards.”
In any other part of the security industry, Verisign’s recommendation that victims on the receiving end of major DDoS incidents make the effort to work out who attacked them would now be seen as best practice but this is an industry built on mitigation – blocking – rather than investing in deterrence.
DDoS deterrence sounds like a slow, expensive and complex undertaking but according to the firm’s CSO and senior vice president Danny McPherson the capability now exists for firms such as his to trace attacks back through command and control to the controlling keyboard somewhere in the world.
Despite hiding behind botnets, DDoS attackers are no more anonymous than the gangs that control major malware platforms but what is urgently needed is for the industry to push back against not just the packets but the people controlling them.
Right now "they just let providers absorb attacks and they don’t report it,” is McPherson’s description of the victim’s current mindset. It’s more a case of “how high do you build your tsunami wall.”
McPherson’s comments come in the wake of a massive and barely-reported 300Gbps attack the firm mitigated earlier this year on an unnamed data centre that exploited unpatched servers vulnerable to a motherboard level flaw connected to the SuperMicro IPMI interface.
If you’ve never heard of that vulnerability, it didn’t appear that the admins of as many as 100,000 servers VeriSign estimates might have been used to generate the huge traffic volume had either.
But according to McPherson the attack’s vast size at leak was not initially understood by the CDN which believed it to be in the order of 60Gbps to 70Gbps because that was the level at its available bandwidth became exhausted.
Where does the rest of the missed traffic go? The Internet absorbs it, but the effects of this are potentially chaotic. The design of IP makes the Internet incredibly resilient but the routers connecting networks still get congested. Many larger attacks are under-estimated or ignored.
“They didn’t have enough capacity to know what was going on,” said McPherson of the CDN. Meanwhile, “the attackers have no idea how much traffic is going to hit the target. The attacker doesn’t have any idea of their power.”
As large attacks such as the one on the CDN (as well as on Spamhaus and CloudFlare in the last two years) become more common the risk of collateral damage will increase. That is the risk of chaos.
Verisign was now “leaning” on upstream services to deal with the server vulnerabilities that have helped these attacks get off the ground but he remains pessimistic about the success of that strategy while the economic incentive remains low, he said.
“At some point you have to draw a line and go after the guys who launched the attack. We think it is important that people are accountable for their actions.”
McPherson is unable to discuss whether the CDN attack will become one of those actions but the fact that the client even agreed to be referenced at all by Verisign is a sign that something could be in the air. If so, little will be disclosed until a legal or police case has been launched.
Public police actions against DDoS attackers are extremely rare with perhaps the only known example at this end of the DDoS scale being the effort made to track down the group that hit Spamhaus with an equally large DDoS attack in 2013. Launched by the anti-spam organisation itself, that remains the case study for action.
Thus far, the public face of DDoS has been a depressing roll call of statistics that read like an indecipherable code to all but the few familiar with routing protocols and Internet infrastructure. In the very near future, that could change to be more like malware, data breaches and web attacks. DDoS could become another story of true crime.
McPherson’s message is simple: “you have to go after the guys behind the keyboards.”