Can ISPs step up and solve the DDoS problem?

Apply best routing practices liberally. Repeat each morning


Solve the DDoS problem? No problem. We’ll just get ISPs to rewrite the internet. In this interview Ian Levy, technical director of GCHQ’s National Cyber Security Centre, says it’s up to ISPs to rewrite internet standards and stamp out DDoS attacks coming from the UK. In particular, they should change the Border Gateway Protocol, which lies at the heart of the routing system, he suggests.

He’s right about BGP. It sucks. ENISA calls it the “Achilles’ heel of the Internet”. In an ideal world, it should be rewritten. In the real one, it’s a bit more difficult.

Apart from the ghastly idea of having the government’s surveillance agency helping to rewrite the Internet’s routing layer, it’s also like trying to rebuild a cruise ship from the inside out.

Just because the ship was built a while ago and none of the cabin doors shut properly doesn’t mean that you can just dismantle the thing and start again. It’s a massive ship and it’s at sea and there are people living in it.

In any case, ISPs already have standards to help stop at least one category of DDoS, and it’s been around for the last 16 years. All they have to do is implement it.

Reflecting on the problem

Although there are many subcategories, we can break down DDoS attacks into two broad types. The first is a direct attack, where devices flood a target with traffic directly.

The second is a reflected attack. Here, the attacker impersonates a target by sending packets to another device that look like they’re coming from the target’s address. The device then tries to contact the target, participating in a DDoS attack that knocks it out.

The attacker fools the device by spoofing the source of the IP packet, replacing their IP address in the packet header’s source IP entry with the target’s address. It’s like sending a letter in someone else’s name. The key here is amplification: depending on the type of traffic sent, the response sent to the target can be an order of magnitude greater.

ISPs can prevent this by validating source addresses and using anti-spoofing filters that stop packets with incorrect source IP addresses from entering or leaving the network, explains the Mutually Agreed Norms for Routing Security (MANRS). This is a manifesto produced by a collection of network operators who want to make the routing layer more secure by promoting best practices for service providers.

Return to sender

One way to do this is with an existing standard from 2000 called BCP 38. When implemented in network edge equipment, it checks to see whether incoming packets contain a source IP address that’s approved and linked to a customer (eg, within the appropriate block of IPs). If it isn’t, it drops the packet. Simple. Corero COO & CTO Dave Larson adds, “If you are not following BCP 38 in your environment, you should be. If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.”
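As an added illustration (not code from the article, the MANRS document or any vendor), the following Python models the BCP 38 ingress check described above: an edge device knows which prefixes each customer interface was assigned, and a packet whose source address falls outside them is dropped, which is exactly what stops the spoofed packets behind a reflected attack. The interface names, prefixes and addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical edge-router table: customer-facing interface -> prefixes the ISP
# assigned to that customer. Under BCP 38, only those prefixes are legitimate
# source addresses on packets arriving from that interface. Constructed values.
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}


@dataclass
class Packet:
    ingress_iface: str   # interface the packet arrived on
    src: str             # source address as written in the IP header
    dst: str             # destination address


def bcp38_ingress_check(pkt):
    """Return 'forward' if the source address belongs to the customer behind the
    ingress interface, otherwise 'drop' (spoofed, unknown or malformed source)."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop"
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_iface, [])
    return "forward" if any(src in p for p in allowed) else "drop"


def filter_packets(packets):
    """Apply the check to a batch and return (source, verdict) pairs."""
    return [(p.src, bcp38_ingress_check(p)) for p in packets]


# Constructed sample: the second packet carries a would-be victim's address
# (192.0.2.10, outside the customer's block) towards an open resolver, which
# is the spoofing pattern a reflection attack relies on.
SAMPLE_PACKETS = [
    Packet("eth1", "203.0.113.7", "192.0.2.53"),
    Packet("eth1", "192.0.2.10", "198.51.100.53"),
    Packet("eth2", "2001:db8:1::5", "2001:db8:ffff::1"),
    Packet("eth2", "203.0.113.7", "192.0.2.53"),
]

if __name__ == "__main__":
    for src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>16}  {verdict}")
```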

There are other things that ISPs can do to choke off these attacks, such as response rate limiting. Authoritative DNS servers are often used as the unwitting dupe in reflection attacks because they send more traffic to the target than the attacker sends to them. Their operators can limit the number of responses using a mechanism included by default in the BIND DNS server software, for example, which can detect patterns in incoming traffic and limit the responses to avoid flooding a target.
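The following Python is an added, simplified model of DNS response rate limiting of the kind the paragraph describes; it is not BIND's code, and the class, parameter names and query log are this example's own. Like the real mechanism, it counts identical responses per client prefix per second and, once over the limit, mostly drops them but occasionally "slips" a truncated reply so a genuine client can retry over TCP while a spoofed victim receives almost nothing.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Simplified RRL: limit identical responses per client prefix per second.
    Keying on a /24 (IPv4) or /56 (IPv6) mirrors the common default; the
    parameter names here are this example's own, not BIND's."""

    def __init__(self, responses_per_second=5, slip=2, v4_plen=24, v6_plen=56):
        self.limit = responses_per_second
        self.slip = slip                   # every Nth suppressed reply is sent truncated
        self.v4_plen, self.v6_plen = v4_plen, v6_plen
        self.sent = defaultdict(int)       # (bucket, second) -> responses sent
        self.suppressed = defaultdict(int)

    def _bucket(self, client_ip, qname, qtype):
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_plen if ip.version == 4 else self.v6_plen
        net = ipaddress.ip_network((str(ip), plen), strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'answer', 'slip' (TC=1 reply forcing a TCP retry) or 'drop'."""
        key = (self._bucket(client_ip, qname, qtype), int(now))
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "answer"
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "slip"
        return "drop"


def run_log(limiter, log):
    """Feed (client, qname, qtype, timestamp) entries through the limiter."""
    return [limiter.decide(*entry) for entry in log]


# Constructed query log. The first burst is what a reflection attack looks like
# from the authoritative server's side: many identical queries whose source is
# the victim's address (192.0.2.10), all within the same second.
SAMPLE_LOG = [("192.0.2.10", "example.com", "ANY", 100.0 + i * 0.05) for i in range(8)] + [
    ("192.0.2.200", "example.com", "ANY", 100.5),   # same /24, shares the bucket
    ("198.51.100.7", "example.com", "ANY", 100.6),  # unrelated client, still answered
    ("192.0.2.10", "example.com", "ANY", 101.2),    # next second, counter starts afresh
]

if __name__ == "__main__":
    for entry, verdict in zip(SAMPLE_LOG, run_log(ResponseRateLimiter(), SAMPLE_LOG)):
        print(entry[0], entry[3], verdict)
```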

The Internet of Pings

We’d better sort this out, because the stakes are rising. Thanks to the Internet of Things, we’re seeing attackers forklift large numbers of dumb devices such as IP cameras and DVRs, pointing them at whatever targets they want. Welcome to the Internet of Pings.

We’re at the point where some jerk can bring down the Internet using an army of angry toasters. The vast range of IP addresses involved also makes it more difficult for ISPs to detect and solve the problem.

We saw this with the attack on Dyn in late October, which could well be the largest attack ever at this point, hitting the DNS provider with pings from tens of millions of IP addresses. Those claiming responsibility said that it was a dry run.

Bruce Schneier had already reported someone rattling the Internet’s biggest doors. “What can we do about this?” he asked. “Nothing, really.”

Well, we can do something. We can implore our ISPs to pull their collective fingers out and start implementing some preventative technology. We can also encourage IoT manufacturers to impose better security in IoT equipment.

Let’s get to proper code signing later, and start with just avoiding the use of default login credentials first. When a crummy malware strain like Mirai takes down half the web using nothing but a pre-baked list of usernames and passwords, you know something’s wrong.

How do we persuade IoT vendors to do better? Perhaps some government regulation is appropriate. Indeed, organizations are already exploring this on both sides of the pond.

Unfortunately, politicians move like molasses, while DDoS packets move at the speed of light. In the meantime, it’s going to be up to the gatekeepers to solve the problem voluntarily. ®
