Chapter 9. Conclusions

As we have seen, distributed DoS attacks are a genuine threat that causes serious damage to many Internet users. The losses being suffered have escalated from being merely annoying to actually being debilitating and disastrous for some users. There is every reason to believe that the rate and seriousness of DDoS attacks will increase. The current limited level of losses caused by DDoS is probably not due to successes in defending against them, difficulties in perpetrating the attacks, or lack of attractive targets to attack. Rather, the level of loss is related more to the motivations and desires of those who are perpetrating the attacks. As more unprincipled and dissatisfied users of the Internet observe the success of DDoS attacks, we should expect the frequency and severity of such attacks to increase.

There are existing examples suggesting that we will indeed see such a trend. Politically motivated DDoS attacks have taken place (such as the attack against Al-Jazeera). DDoS attacks have been used to state political opinions (like the attacks on SCO in protest of their intellectual property claims on Unix and Linux source code). A company in Great Britain may have been put out of business by a DDoS attack. Criminals have begun to investigate ways to turn DDoS attacks into profits (extortion attempts based on threats of unleashing DDoS attacks). For example, Mybet, a German Internet gambling site, was recently hit with a DDoS attack that prevented customers from reaching it for 16 hours, causing more lost income than the extortion attempt associated with the attack demanded [Leb]. Many British gambling sites, including iBetX, William Hill, TotalBet, UKbetting, and SportingOptions, have been targeted by similar attacks when they refused to pay the extortionist’s price [Leyb]. Because of the low technological barrier required to become the commander of an army of DDoS agents that can then be directed at any Internet target, we can expect that DDoS attacks will become more frequent and more targeted toward achieving aims of these sorts.

As long as DDoS attacks prove effective in achieving such aims, attackers are likely to continue using them. Until we find a reasonable defense against some kinds of DDoS attacks, we should expect to see their incidence, power, and seriousness increase. Why? Because network bandwidth, processor speed, and number of available systems that can be attacked and compromised all continue to increase, as does the sophistication of attacker tools for compromising computers and using them to attack. Nor is it common for a DDoS attacker to be arrested, let alone prosecuted or convicted, so legal deterrents are not yet effective. Existing commercial defenses are not likely to be sufficient to stem the tide of increasing attacks.

Obviously, then, something needs to be done. But the way ahead is not clear. Many intelligent researchers have been examining the DDoS problem for several years now, and we do not lack for a variety of approaches to creating a sufficient defense against DDoS attacks. What’s lacking is any consensus among those researchers on which of the approaches actually show sufficient promise to take the step beyond research prototypes to make them effective solutions for real-world deployment. Full consensus has not even been achieved on the nature of the entire problem, even at the level of a common agreement on exactly what constitutes a DDoS attack.

A major reason for the lack of consensus is that we lack any convincing method of demonstrating the effectiveness of solutions. Each researcher or commercial provider performs some series of tests that give them sufficient confidence about their approach to make claims that it works, to some extent, at least. Some of these tests amount to little more than trying a few DDoS attacks against the proposed defense and declaring victory once the defense stops them. Even the best of these tests are rarely more than using parameterized traffic generators with a variety of settings to generate many different forms of attacks, perhaps coupled with some limited blue team/red team testing. No one in either the research or commercial community has provided really convincing evidence that their system handles a wide variety of possible DDoS attacks, nor have they provided a methodology for a head-to-head comparison of proposed DDoS solutions. One outstanding problem, then, that must be overcome before we have any real hope of combating real-world DDoS threats is to find a way to test how well a proposed defensive mechanism works.

We do not propose to go into all the reasons why determining the efficacy of a DDoS mechanism is difficult, but we will suggest a few major ones:

• Security metrics of any kind are hard to come by.

• There is not even complete understanding among all those involved in DDoS defense on what the actual goal of the defense should be. Some claim it should stop the onslaught of the attack traffic, at all cost. Others claim it should make sure legitimate traffic gets through. Both goals are important, since stopping the bad traffic benefits everyone, but getting the legitimate traffic through prevents the DDoS attackers from achieving their real goal.

• There is no well-defined statement of what kind of attacks a good DDoS defense mechanism must handle to be labeled successful.

• There is no common testing methodology or large enough testing environment in which to perform comparisons.

• Any convincing testing methodology would need to observe the behavior of the system in the face of realistic traffic, and producing simulations or generating such traffic is not trivial.

• Skills and strategy/tactics in incident response against DDoS attacks are still not widespread enough to generate sufficient demand for a solution or the motivations to engineer networks that would accommodate such solutions. Without strong demand, the research and development required to understand and evaluate DDoS attacks and defenses will not be performed.

Fortunately, some researchers have recognized this problem and are now starting to tackle it in an organized way. The National Science Foundation and the Department of Homeland Security have funded research to investigate DDoS measurements and benchmarking, and a program to build a substantial testbed for performing evaluations of DDoS and other cybersecurity solutions [USC]. Many of the researchers in the DDoS community are contributing in other ways: by holding workshops and discussions of these issues, by writing papers that seek to better define the DDoS threat, and by investigating both the breadth of the potential DDoS problem and the space of possible solutions.

All of these efforts, however, are mere precursors to finding a fabric of layered solutions that address all aspects of the DDoS problem, from the ability to take control of huge numbers of computers and do with them as the attacker desires, to creating network-level autoimmune-style actions, to improving the efficiency of human incident response. Few in the DDoS research community seem to believe that any proposed solution, in its present form or with minor improvements, would stand up particularly well to the benchmarks and testbeds we hope to have in a few years, much less prove of great efficacy in halting the DDoS threat in the real world. The character of the DDoS threat will evolve over time, probably becoming more difficult to handle. Therefore, even if some existing system handled all of today’s threats well, it would be unlikely to be a complete solution for the future. A more reasonable hope is that better understanding of the performance, strengths, and weaknesses of different defense approaches will ultimately provide guidance on truly effective solutions. Thus, there will be much more research to be done before we can claim to have a full understanding of the problems associated with DDoS attacks and effective countermeasures to the DDoS threat, in the same way that we have relatively good understanding of the nature of viruses and effective ways to handle them.

We must remember that these relatively effective tools for handling other security threats have not eliminated those threats. They have merely reduced them to manageable levels. The same is nearly certain to be true for DDoS threats. The Internet is not just waiting for a magic switch to be thrown that will, at whatever cost, eliminate DDoS attacks forever. Rather, we eventually hope to reach the point where vigilant system administrators who can afford to spend moderate amounts of money on their defenses and even greater amounts of their time on properly configuring them and running them will usually be able to handle common DDoS attacks.

There is good reason to believe we will never be able to make DDoS attacks impossible. Ultimately, a DDoS attack can consist of a vast number of requests coming in to a site that are indistinguishable from real requests for that site’s resources. In many ways, a DDoS attack is a flash crowd with a bad attitude. The physical world’s solutions for dealing with situations in which more people want something than can get it are usually imperfect, and we are unlikely to do much better in cyberspace. However, these sorts of solutions are good enough for most purposes in the real world, and are similarly likely to be good enough for handling most DDoS attacks. Our goal need not be perfection, but just to reduce the threat to the point where we all know how to live with the possibility of DDoS attacks and how to handle them when they do occur. To achieve this more realistic goal, we should enlist all tools at our disposal, including social, financial, legal, and political solutions, as well as purely technical ones.

Any solution we do produce that limits the threat of DDoS to a manageable level will have to be continually improved. Like all other security problems, defending against DDoS attacks is akin to an arms race. As defenses make particular forms of DDoS attacks ineffective, the attackers will seek new weak points that permit them to resume the attacks. The defenders must then improve their defenses to counter those attacks, and the attackers go back to the drawing board to find new ways around the better defenses. Other cybersecurity problems are also arms races, and they have been dealt with sufficiently well to allow us all to go about our cyberbusiness with reasonable safety. It is always possible to invent a new virus that existing virus protection programs will not detect, but once that happens, the virus protection providers find a way to stop it and everyone gets back to business. Similarly, increasingly sophisticated DDoS attacks can quite possibly be met by increasingly powerful defenses.

9.1 Prognosis for DDoS

Given that we expect attacks to become more sophisticated in response to improved defenses, what will the DDoS attacks of the future look like? Answering this question is inherently speculative, and even more so since attacks of the future are likely to be characterized by how they avoid the defenses of the future, and we do not currently have a good sense of what these defenses will be. With those caveats, here are our best guesses on the future of DDoS attacks.

9.1.1 Increase in Size

DDoS attacks of the future are likely to be larger than those perpetrated today. Armies of compromised machines numbering in the tens or hundreds of thousands seem readily available on the black market. A strongly motivated opponent can probably draft a larger army than that. A million-node DDoS network is not beyond the bounds of possibility; indeed, some evidence suggests that such a network might already exist. Thus, researchers would be prudent to investigate defenses that could handle such an immense attack. A system administrator armed only with today’s best target-side defense tools is unlikely to be able to handle an army of anything close to that size, and it may well be that even in the future handling such large armies will require assistance from outside the ISP of the attack’s target.

9.1.2 Increase in Sophistication

Chances are that any successful DDoS defense mechanism will be most effective against attacks that are unsophisticated, especially attacks whose packets are all similar and easy to characterize. Thus, attackers are likely to move away from such attacks to attacks that consist of widely varying types of packets. Indeed, they have already made first steps in that direction. Existing DDoS attack toolkits allow many variations. For example, attackers can vary the proportions of packets that use particular transport protocols; they can alter their spoofing characteristics; or they can vary patterns of which machines in a DDoS army attack at what times, allowing pulsing attacks.

The more sophisticated the defense tools get at picking out the characteristics of attack packets from the entire stream of packets, the more sophisticated the attackers are likely to become. For example, if entropy measurements prove effective in detecting which packets comprise the attack flow, attackers might try to control the entropy of various attack packet characteristics to confuse the defense systems.
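As an added illustration of the entropy measurements mentioned above (example code written for this edition, not from the book's authors), the detector below profiles the Shannon entropy of three header fields over windows of constructed traffic and flags a window whose entropy moves away from the profile in either direction. It goes slightly beyond the paragraph by showing both cases it anticipates: a uniform flood drives entropy down, while an attacker randomising one field drives it up; the field choices, the synthetic traffic, and the 1-bit tolerance are assumptions.

```python
"""Entropy of packet-header fields as a DDoS detection feature (added example).

All traffic here is constructed, not captured: a packet is a (src_ip, dst_port,
length) tuple. The profile is learned from windows believed to be clean, and a
window is reported if any field's entropy departs from the profile by more than
a tolerance, with the direction of the departure.
"""
import math
import random
from collections import Counter

FIELDS = ("src_ip", "dst_port", "length")
WINDOW = 1000  # packets per observation window

def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def window_features(packets):
    """Per-field entropy for one window of (src_ip, dst_port, length) tuples."""
    return {f: entropy_bits([p[i] for p in packets]) for i, f in enumerate(FIELDS)}

def normal_window(rng):
    """Constructed background traffic: 40 repeat clients with Zipf-like
    popularity, a handful of service ports, and a spread of packet sizes."""
    clients = [f"192.0.2.{i}" for i in range(1, 41)]  # documentation address range
    weights = [1 / i for i in range(1, 41)]
    return [(rng.choices(clients, weights)[0],
             rng.choices([80, 443, 22, 25, 53], [70, 20, 4, 3, 3])[0],
             rng.choices([40, 52, 576, 1200, 1500], [30, 10, 20, 15, 25])[0])
            for _ in range(WINDOW)]

def unsophisticated_flood():
    """Constructed flood: four agents sending identical 40-byte packets to one
    port, the easy-to-characterise case the paragraph describes."""
    bots = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    return [(bots[i % 4], 80, 40) for i in range(WINDOW)]

def randomised_source_flood(rng):
    """Constructed flood whose source field is random on every packet, so source
    entropy is pushed *above* normal while port and length remain fixed."""
    return [(str(rng.getrandbits(32)), 80, 40) for _ in range(WINDOW)]

class EntropyProfile:
    """Baseline mean entropy per field, learned from clean windows."""
    def __init__(self, clean_windows):
        feats = [window_features(w) for w in clean_windows]
        self.mean = {f: sum(x[f] for x in feats) / len(feats) for f in FIELDS}

    def anomalies(self, packets, tolerance_bits=1.0):
        """Map each deviating field to 'low' (uniform, flood-like values) or
        'high' (randomised values). A one-sided 'low entropy' rule would miss
        the randomised case; checking both directions catches it."""
        feats = window_features(packets)
        out = {}
        for f in FIELDS:
            delta = feats[f] - self.mean[f]
            if abs(delta) > tolerance_bits:
                out[f] = "high" if delta > 0 else "low"
        return out

def demo(seed=7):
    """Train on 20 clean windows, then test one clean and two attack windows."""
    rng = random.Random(seed)
    profile = EntropyProfile([normal_window(rng) for _ in range(20)])
    return {
        "normal": profile.anomalies(normal_window(rng)),
        "flood": profile.anomalies(unsophisticated_flood()),
        "randomised": profile.anomalies(randomised_source_flood(rng)),
    }

if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:11s} anomalous fields: {flagged or 'none'}")
```

An attacker who shapes every field to match the baseline distribution defeats this feature, which is why entropy is one input to a detector rather than a detector on its own.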

In one way, we might see less sophistication in attacks. With a large enough army, an attacker can overwhelm most targets by having each of his machines send a single packet, something as innocuous as a packet requesting that a connection be opened. By mere volume, these packets could overwhelm a server, and finding any difference between the packets sent by legitimate clients trying to open a connection and attackers seeking to overwhelm the service would be challenging.

9.1.3 Increases in Semantic DDoS Attacks

Researchers have discovered a number of ways in which a target machine can be kept busy with a relatively low volume of requests, so-called algorithmic attacks. Attacks on application hash tables, discussed in Chapter 4, have been demonstrated, for example. Others are likely to be discovered and perpetrated in the future.

Generally, these kinds of denial of service problems will be best handled by changing the algorithm under attack to be less susceptible (akin to handling TCP SYN floods), but for some such attacks defenders may be able to use systems that observe the patterns of packets and can deduce which are part of the attack. Then the attack packets could be dropped, altered, or otherwise treated specially to prevent them from causing a DoS attack.

Defending against this type of algorithmic attack will have the good and bad properties of virus defenses. Specific attacks will require specific fixes, but when those fixes are made, that particular attack will become ineffective. Further, finding a new effective attack will require some work by the attacker. Whether genuine creativity will be required or mere slogging persistence will be enough remains to be seen. Regardless, even if a silver bullet is discovered that handles volume-based DDoS attacks, it is unlikely to also handle algorithmic attacks.

9.1.4 Infrastructure Attacks

Another likely trend in DDoS is that attackers may increasingly choose to target something other than the end machine. Effectively, sometimes without knowing it, attackers are already flooding links somewhere upstream of the target machine, but explicitly targeting something else is less common today. One well-known attempt was the attack on the root DNS servers mentioned earlier. The attack obviously attempted to flood those servers, but very likely the true goal was to deny service to the wider Internet by making name lookups slow or impossible. Some DDoS attacks have already targeted routers or other parts of the Internet’s infrastructure. DDoS attacks could again strike DNS servers, or they could be targeted at interrupting the spread of routing information, or they could be specifically designed to overwhelm firewalls, perhaps including algorithmic attack characteristics that cause particularly poor firewall performance.

It is highly likely that this kind of DDoS attack will eventually become part of more sophisticated attacks on both cyber and real-world targets. Attackers wishing to achieve their goals may start by separating their victim from the rest of the network, or cutting off their communications with a particular remote partner. A DoS attack would thus be merely one stage in a more complex plan, in the same way that disabling an alarm is only one step in burglarizing a building.

What might become the target of an infrastructure attack? Anything other than a source node and a destination node that is still required to perform some important action. Beyond DNS servers, routers, and firewalls, other examples might include key distribution servers, certificate servers, LDAP servers, or back-end cookie-based authentication servers. Some electronic cash schemes require online checking of the cash’s validity by a third party. How will they behave if that third party is unavailable due to a DDoS attack? Spam control services often distribute blacklists or other information to their clients over the network. Attackers are already launching DDoS attacks on them to prevent this service from being effective. Perhaps a future worm will combine its spread with DDoS attacks on the virus signature distribution sites of the major security software companies. The possibilities are likely to be limited only by either the imagination of DDoS attackers or that of the designers of new Internet services.

9.1.5 Degradation of Service

We might see a trend toward degradation of service rather than denial of service. Current DDoS attacks try to make a service completely inoperable. If they are effective, they are usually also detected, at which point steps can be taken to stop them. But what if the attacker merely wanted to make your network heavily loaded at all times? Normal customers would get through, but would suffer slow service from your site. Detection would be much harder, since it would not be clear that anything was seriously wrong. Most of the promising DDoS defense strategies assume that the attack is crippling and are designed to detect and respond to that effect. They might not detect or remedy a mere slowing down of your network.
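An added example, not from the book, contrasting a detector built on the crippling-attack assumption with one that watches for sustained deviation from a latency baseline; the per-minute latency figures are constructed, and the median-plus-scaled-MAD limit with a five-minute run requirement is an assumed design choice.

```python
"""Outage threshold versus sustained-deviation detection (added example).

Constructed per-minute median response times in ms for a web front end, not
real measurements. `outage_alarm` only fires when the service is effectively
down; `degradation_alarm` fires when latency stays above a robust baseline
limit for several consecutive minutes, which is what degradation of service
looks like from the defender's side.
"""
from statistics import median

# Constructed baseline from a quiet period: latency jitters around 125 ms.
BASELINE_MS = [120, 118, 131, 125, 140, 112, 127, 133, 119, 124, 130, 116]

def robust_limit(baseline_ms, k=3.0):
    """Upper control limit: median + k * scaled MAD. Median and MAD are used
    instead of mean and standard deviation so a few slow minutes in the
    baseline itself do not inflate the limit."""
    med = median(baseline_ms)
    mad = median(abs(x - med) for x in baseline_ms)
    return med + k * 1.4826 * mad  # 1.4826 scales MAD to a normal sigma

def outage_alarm(series_ms, down_ms=5000):
    """Indices where latency alone says the service is unusable: the
    crippling-attack assumption many defenses are designed around."""
    return [i for i, v in enumerate(series_ms) if v >= down_ms]

def degradation_alarm(series_ms, baseline_ms, sustain=5):
    """First index at which latency has exceeded the robust limit for
    `sustain` consecutive minutes, or None. The run-length requirement
    keeps one slow minute from raising an alarm."""
    limit = robust_limit(baseline_ms)
    run = 0
    for i, v in enumerate(series_ms):
        run = run + 1 if v > limit else 0
        if run >= sustain:
            return i
    return None

# Constructed 15-minute scenarios.
SCENARIOS = {
    # one slow minute in otherwise normal traffic
    "quiet": [122, 119, 400, 128, 124, 131, 117, 126, 121, 135, 123, 118, 129, 120, 127],
    # textbook flood: requests time out from minute 2 onward
    "crippling": [125, 130] + [9000] * 13,
    # degradation: service stays up but runs at roughly 2.5x normal latency
    "degraded": [124, 128, 290, 305, 280, 310, 295, 300, 285, 315, 290, 305, 298, 302, 288],
}

def demo():
    """For each scenario: (outage alarm indices, first degradation alarm index)."""
    return {name: (outage_alarm(s), degradation_alarm(s, BASELINE_MS))
            for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (outage, degraded) in demo().items():
        print(f"{name:10s} outage at {outage or 'never'}, degradation at {degraded}")
```

The "degraded" scenario never trips the outage detector but is caught at minute 6 by the baseline detector; the "quiet" scenario's single 400 ms spike trips neither.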

Degradation-of-service attacks lack the kind of instant gratification that casual DDoS perpetrators seem to desire. However, as a tool of economic warfare, they are much more attractive. A competitor’s reputation can be damaged, or he can be forced to make investments in more hardware or bandwidth without any commensurate increase in his business. Someone who wants to keep an undesired news story from receiving wide attention could just make it slow and difficult to get to the site storing the information. Subtlety does not yet seem to be a characteristic of the typical hacker, but time may lead to more sophistication and more complex goals. Such sophistication has been observed in other types of cyber attacks, and will surely come to DDoS, as well.

9.1.6 Motivations for Attacks

The bulk of the DDoS attacks that we have observed to date appear to be typical activities of the hacker subculture. Either they are designed to demonstrate the hacker’s abilities or they are part of an ongoing undercover war among hacker communities. However, there are disturbing signs suggesting that those with more serious and dark motives are starting to embrace DDoS as a tool, and we should expect such trends to increase.

The two major areas of increase are likely to be in politics and crime. We have already mentioned existing examples of both. DDoS is an effective tool for silencing an opponent, at least in the increasingly important world of the Internet. That makes DDoS a good tool for certain kinds of political warfare. Politics should be taken here in its broadest sense, not just applying to national candidates, but to international activities, advocacy for and against various political views, and perhaps even to the elections themselves. Those designing electronic voting systems should beware of connecting them to the Internet during elections, or at least be prepared to provide proper operation of the system despite DDoS attacks causing network disconnections.

Criminals have already embraced the extortion possibilities of DDoS. Cleverer criminals are likely to find more inventive uses of the attack to achieve their goals. Delivery of burglar alarm signals over the Internet would be at risk from such attacks, for example. As police operations increasingly rely on networking, criminals will be increasingly able to prevent coordination by law enforcement. A carefully planned DDoS attack might be able to manipulate the stock market or serve as an adjunct to other kinds of fraud.

Increasing use of Voice over IP (VoIP) services makes them a new candidate for DDoS attacks, causing disruption of business services that were formerly performed over very well-secured and difficult-to-attack infrastructures. Convergence of services (such as e-mail and text messaging, voice services, and geo-location) in cell phones and other wireless devices that are starting to use the Internet for their functions will become another target for DDoS attacks. Many of the application-level vulnerabilities discussed in this book—which were mostly solved in the computer world—are recurring as TCP/IP stacks and applications are ported to small, low-powered wireless devices. The result is that old DoS and DDoS attacks will work again against a new, weaker target base. For example, many Internet cell phones may lock up if old Windows TCP/IP packet fragmentation attack tools are used against them.

Generally, as our society relies more on having Internet communications ubiquitously available, the motivations for selectively disrupting them will increase. In the future, the preferred elementary school student excuse for not having completed an assignment might switch from “the dog ate my homework” to “DDoS took down the class Web site.”

9.1.7 Overall Prognosis

At the most general level, the future of DDoS is improved defenses followed by improved attacks. Attackers will move away from the attacks we can readily handle and toward the attacks we find most challenging to deflect. Because the fundamental nature of a DDoS attack is “too much of a good thing,” chances are that we will never be totally free of them, in some form or other. DoS attacks pop up every so often in the real world and are often hard to deal with. The automation of the Internet merely makes them easier for an individual to perpetrate, but not necessarily any easier to handle.

The border between the physical world and the cyberworld has already been breached. A paper by researchers at AT&T Research [BRK02] describes a variant of DDoS attack using a U.S.-based mail carrier for transporting massive amounts of catalogs and brochures ordered “automagically” from online Web forms to the physical target. A subsequent real attack on a notorious real-world spammer’s home followed about a month later (see http://www.infomaticsonline.co.uk/News/1137552). His postal mailbox was inundated with a flood of catalogs, sales offers, and other postal junk mail, sent to him by irate Internet users tired of receiving spam from him. The idea has been extended by Jakobsson et al. into the concept of untraceable e-mail cluster bombs [JM].

One lesson that readers should take from this book is that systems put in the Internet are at risk from many attacks, DDoS among them, and it is not currently possible to fully protect nodes in the Internet. Recent worm incidents have caused unfortunate problems for many Internet-connected systems. As technology allows us to make use of computers and networks for ever-widening classes of applications, it is vital to keep in mind the risks one faces when something is moved onto a network accessible by all. The most important applications, such as control of power grids, hospital equipment, transportation, and military systems, demand especially careful thinking before making them Internet-accessible.

9.2 Social, Moral, and Legal Issues

DDoS is a problem that is unlikely to be solved by any single person or entity. It is a problem for society as a whole. As we have seen, it is difficult for any single computer or network to fully defend itself from all feasible attacks. Help is required to handle huge flooding attacks, at least. There must be a social aspect to DDoS defense.

Social problems are most commonly dealt with using either shared morality or legal authority. Given the many different attitudes people have toward the proper moral behavior of computer and network users, and the international scope of the Internet (and, hence, the DDoS problem), engaging shared morality to make inroads against DDoS attacks seems like an uphill struggle. Perhaps each of us can do our part, taking a bit of extra care to secure our own machine so that it does not become part of someone else’s DDoS problem, but we cannot hope to solve the DDoS problem quickly this way.

Legal actions are somewhat more promising. As described in Chapter 8, many countries, including the United States, have existing laws that are relevant to DDoS attacks, and also have law enforcement agencies that are interested in DDoS attacks and might be able to help. However, the difficulty in tracking down the culprit limits the degree to which law enforcement approaches can be used, at least today. Also, the large numbers of attacks and the limited resources of law enforcement make it impossible for police and federal agents to investigate all DDoS attacks.

However, if you have suffered large damages and are well prepared to work with law enforcement authorities, legal avenues may prove helpful. If you think you might need to resort to legal action against DDoS attacks in the future, you should make preparations now. You should know whom to contact, understand how to gather evidence they can use, and be prepared to help law enforcement in their investigations.

Currently, few DDoS attackers have been caught, prosecuted, and convicted, which limits the desired deterrent effect of laws against performing these attacks. In the future, more successful prosecutions of DDoS perpetrators and better national and international mechanisms for dealing with the legal aspects of DDoS attacks may discourage all but the most motivated attackers.

9.3 Resources for Learning More

While we believe we have provided a good overview of many important aspects of the DDoS problem, there is a lot more information available than we could hope to fit into this book. Also, research into DDoS attacks and potential defense mechanisms is ongoing, and there is sure to be interesting new information available shortly after this book has gone into print, too late for inclusion. We will now tell you about a number of resources you can use to learn more about DDoS attacks and defenses and to keep up to date on the latest research and news in the field.

The resources we will describe are in several categories. First, we will discuss Web sites that have useful information. Next, we will discuss mailing lists. Then we will talk about conferences and journals that typically publish DDoS-related research.

9.3.1 Web Sites

CERT Coordination Center. One of the most important Web sites for getting information about any type of computer security problem is http://www.cert.org/. This Web site belongs to the CERT Coordination Center (CERT/CC), a university-based, government-supported organization that is tasked with keeping on top of newly emerging computer security problems and providing authoritative information about the nature of the problems. The CERT Coordination Center also helps provide information about measures that should be taken in response. The CERT Coordination Center Web site maintains a current list of known vulnerabilities and ongoing security problems, along with advice on fixing those problems. They have a repository of white papers and other information useful in understanding different forms of attacks and defensive mechanisms. The CERT Coordination Center performs research on survivability of computer systems in the face of various attacks, and many conclusions and results from this research are available from their Web site. The CERT Coordination Center also runs educational programs to train computer professionals in understanding and dealing with common security problems.

The CERT Coordination Center was the first organization of its kind, founded in 1988, but it is by no means the only one in the world. In fact, the CERT Coordination Center has helped many incident response teams around the world get started by providing training, advice, and resource materials. For example, Australia’s AusCERT and Germany’s DFN-CERT were two of the first that the CERT Coordination Center assisted in getting started, and Japan’s JPCERT Coordination Center was another that benefited from early CERT Coordination Center help. The CERT Coordination Center was a founding member of FIRST (Forum of Incident Response and Security Teams; http://www.first.org/), which now has over 100 members. There are more than 300 incident response teams worldwide.

The CERT Coordination Center Web site is the first place to go to seek assistance in handling a security problem you are not familiar with, including brand new attacks that have suddenly popped up on the network. They produce quick, reliable, detailed reports of new types of attacks. The CERT Coordination Center also has a mailing list through which it delivers alerts of new attacks as soon as they have been verified and properly characterized.

Dave Dittrich’s DDoS Web page. One of the authors of this book maintains a Web page that contains links to large numbers of pages containing interesting material related to DDoS at http://staff.washington.edu/dittrich/misc/ddos/. This page focuses particularly on DDoS attack tools, but contains much useful and interesting information on other aspects of DDoS attacks and defenses, including research papers, white papers analyzing particular attacks and tools, links to Web sites of commercial providers who sell DDoS defense products, news stories on DDoS attacks, articles and papers offering advice on protecting against DDoS attacks and related security problems (such as IP spoofing), discussions of legal issues concerning DDoS, and links to Web sites belonging to other DDoS researchers.

Dshield. Dshield gathers information about new and ongoing attacks from various sources and provides attack characterizations and other relevant information. This Web site’s primary purpose is to disseminate firewall rules to allow people to filter out new attacks as quickly as possible, but they provide a wide variety of other interesting and useful information about the kinds of attacks going on at the moment and the latest techniques for handling those attacks. Dshield’s home page is http://www.dshield.org/.

CAIDA. CAIDA, the Cooperative Association for Internet Data Analysis, does precisely what its name suggests: It gathers and analyzes data concerning the performance of the Internet. CAIDA is not specifically dedicated to DDoS measurement, but has done work on measuring the prevalence of DDoS attacks in the Internet [MVS01], and analysis of DDoS attacks is well within their charter and areas of interest. More recently, they published an analysis of a large DDoS attack on SCO. Their Web site has both of these resources posted, and may feature future work on measuring DDoS. CAIDA’s home page is http://www.caida.org/.

9.3.2 Mailing Lists

SANS. The Systems, Audit, Network, and Security Institute (SANS) provides information about many issues of properly installing, running, and maintaining computers and networks. Their Web site (http://www.sans.org) contains much interesting and useful information, but the SANS Newsbites newsletter is of particular interest. This newsletter is published weekly and delivered by e-mail to its subscribers. Several editors (who include some of the most respected names in computer security) scan the recent world news concerning issues of computer security and provide short descriptions of the most important stories, usually with Web links to the original, full-length versions. While not limited to stories on DDoS, major DDoS attacks and significant new developments in DDoS defense mechanisms are usually covered in this newsletter. To subscribe, you need to set up a free account at the SANS Web portal: https://portal.sans.org/login.php.

SANS also publishes a weekly summary of known security flaws in various hardware and software systems called @RISK: The Consensus Security Vulnerability Alert. Generally, this newsletter does not directly discuss DDoS issues, but it may highlight vulnerabilities that allow attackers to enlist particular machines as agents for DDoS attacks, or semantic-level problems that allow denial of service on particular systems without any flooding. It is a good resource for keeping track of which of your systems might need patching. It can be subscribed to in the same way as SANS NewsBites, described above.

Crypto-Gram. Bruce Schneier, a noted author and researcher on issues of computer security, publishes a monthly newsletter called Crypto-Gram, also usually delivered by e-mail. This newsletter contains Web links to many important recent stories on issues of computer security, but it carries a more definite editorial voice and opinion than SANS NewsBites, whose primary goal is simply to bring important news to the attention of readers. Crypto-Gram does not concentrate on DDoS issues, but frequently contains stories on the subject. For more information on Crypto-Gram, including subscription information, go to http://www.counterpane.com/cryptogram.html.

IEEE Cipher. This newsletter is distributed by the IEEE Computer Society’s Technical Committee on Security and Privacy. It contains announcements of upcoming conferences in the field, summaries of important results reported at such conferences, book reviews, and other materials of interest to those working in the computer security field. It is produced bimonthly, and you can obtain more information on its contents and how to subscribe by visiting http://www.ieeesecurity.org/cipher.html.

RISKS Digest. The ACM Committee on Computers and Public Policy produces a digest of important information concerning risks faced by various users and groups due to reliance on computer and networking technology, moderated by Peter G. Neumann. Many of these risks arise from security concerns, some of them from DoS threats. RISKS Digest can be read over the Web (at http://catless.ncl.ac.uk/Risks) or through a moderated network newsgroup (comp.risks). If these options are not open to you, visit http://catless.ncl.ac.uk/Risks/info.html#subs for other ways to subscribe to this digest.

9.3.3 Conferences and Workshops

There is no single conference or workshop devoted to research on DDoS attacks and defenses. Instead, papers on these subjects tend to appear in the major computer security conferences and in many leading networking conferences. Since these conferences cover a much broader range of topics, one must look through a conference program or proceedings to pull out the papers related to DDoS, but nowadays it is common for most of the conferences listed below to have one or more DDoS-related papers each time they are held. Many of the most important papers on DDoS issues were published at one of these conferences.

IEEE Symposium on Security and Privacy. Held annually, typically in May. This conference covers the entire range of security research, but often contains some papers on DDoS. For example, the 2003 IEEE Symposium on Security and Privacy contained a paper on using puzzle auctions to defend against DDoS [WR03]. For further information, go to http://www.ieee-security.org and search their conference list.

USENIX Security Symposium. Held annually, typically in summer. This conference covers the entire range of computer security problems, so DDoS papers appearing here often prove to be important and influential. For example, the 2001 USENIX Security Symposium contained a paper on inferring the frequency and characteristics of DDoS attacks using the backscatter technique [MVS01]. For further information, go to http://www.usenix.org/events/.

Annual Computer Security Applications Conference. Held annually, typically in December. This conference tends to concentrate on security at the application level, but has broad coverage of security issues. For example, ACSAC 2003 contained a paper discussing an extension of IP traceback techniques to deal with reflector attacks [CL03]. For further information, go to http://www.acsac.org/.

Infocom. Held annually, typically in March or April. This is a large conference covering all topics in networking. For example, Infocom 2001 contained a paper on authentication of marking for traceback solutions to DDoS [SP01]. For further information, go to http://www.ieee-infocom.org/.

ACM SIGCOMM Conference. Held annually, typically in August. This conference covers the entire range of networking topics and sometimes will have papers on DDoS issues. For example, SIGCOMM 2002 contained the SOS paper describing that DDoS defense system [KMR02]. For further information, go to http://www.acm.org/sigcomm/sigcomm.html.

IEEE International Conference on Network Protocols (ICNP). Held annually, typically in October or November. This conference covers the entire range of networking topics and sometimes has papers on DDoS issues. For example, ICNP 2002 contained a paper on the D-WARD DoS defense system [MPR02]. For further information, go to http://www.ieee-icnp.org/.

Network and Distributed System Security Symposium (NDSS). Held annually, typically in February in San Diego, California. NDSS covers a wide range of issues concerning network security, including DoS issues. In recent years, the symposium has typically published one or two papers on DoS issues each year. For example, a major paper on implementing the pushback defense strategy appeared in NDSS 2002 [IB02]. For further information, go to http://www.isoc.org/isoc/conferences/ndss/.

New Security Paradigms Workshop (NSPW). Held annually, typically in September. This workshop looks for papers on very new issues in computer security and is most likely to publish papers on entirely new approaches to DDoS defense. The papers are more typically about ideas and approaches than completed systems or studies. For example, NSPW 2003 contained a paper on forming alliances between DDoS defense nodes [MRR03]. For further information, go to http://www.nspw.org.

Black Hat Briefings. Several conferences, held internationally each year. This venue concentrates on practical solutions to real security problems, drawing an audience of working professionals in the fields of networking, system administration, and security. This conference is more likely to draw attendees from the hacker community than some of the more academically oriented conferences. For more information, go to http://www.blackhat.com/.

CanSecWest. One conference, held in Vancouver, British Columbia, Canada, each year (plus a new Asia-Pacific version held in Japan). This venue concentrates on computer security research of various forms, both theoretical and practical, drawing a similar audience to that of the Black Hat Briefings. It runs as a single track over three days, so every attendee can hear every talk. For more information, go to http://www.cansecwest.com/.

The IEEE Information Assurance Workshop. Held annually, typically in June, at the U.S. Military Academy at West Point, New York (and so also known as the “West Point Workshop”). This workshop covers the entire range of information assurance research, including papers on DDoS, information warfare, and related topics. For further information, go to West Point’s Web site: http://www.itoc.usma.edu/workshop/.

The USENIX Annual Technical Conference. In addition to the Security Symposium mentioned previously, the USENIX Association holds a general annual technical conference, typically in June or July. This conference has papers and tutorials on hot and important topics in operating systems, networking, and related areas, including security, and some papers on DDoS defense may appear here. For more information, go to http://www.usenix.org/. The USENIX Association runs a wide variety of conferences on topics in systems and networking, and sometimes runs one-time workshops or starts new conferences on hot topics, so it is worthwhile to look at its Web site’s list of upcoming conferences occasionally. The same observation is true of the ACM and the IEEE.

9.3.4 Magazines and Journals

A number of publications often contain useful articles on DDoS attacks. We will not cover newspapers and popular magazines directed to the general community, though these may sometimes contain useful articles on DDoS, but will concentrate on the more technical publications.

ACM Transactions on Information and System Security (TISSEC). The Association for Computing Machinery’s main journal on security issues. Covering the entire range of security issues, ACM TISSEC will only occasionally contain articles on DDoS, but those it does publish are likely to be detailed versions of important work. For example, one of the major articles on IP traceback appeared here in an extended version [DFS02]. For more information, go to http://www.acm.org/pubs/tissec/.

IEEE Security and Privacy. A relatively new magazine that publishes articles that combine technical depth with good comprehensibility by a typical computer professional. This publication is likely to have surveys, general descriptions of problems and solutions, and articles helping readers to understand general problems rather than more academic articles on detailed descriptions of particular systems. For more information, go to http://www.computer.org/security/.

IEEE Transactions on Dependable and Secure Computing. A new publication starting in 2004 that will publish scholarly papers in the fields of reliability and security. Since it is a recent publication, describing what will appear there is premature, but it seems likely to be a premier venue for high-quality work on security threats and defenses, including DDoS characterization and defense. For more information, go to http://www.computer.org/tdsc/index.htm.

Journal of Computer Security. This journal covers a broad range of computer security issues, and may sometimes contain papers on DDoS issues. For more information, go to http://www.csl.sri.com/programs/security/jcs/.

IEEE/ACM Transactions on Networking. A highly respected publication that prints academic papers on all aspects of networking. Some issues may contain papers on DDoS issues. For example, one issue of IEEE/ACM Transactions on Networking contained a paper on single-packet IP traceback [SPS+02]. For more information, go to http://www.ton.cc.gatech.edu/.

Computer Communications Review. This magazine issued by the ACM emphasizes quick publication of timely information on important new topics in networking. Some issues may contain papers on DDoS issues. For more information, go to http://www.acm.org/sigcomm/ccr/.

USENIX ;login:. This bimonthly publication is included in all USENIX Association memberships, and covers a wide range of topics concerning the design, administration, and use of Unix and Linux systems. It publishes many articles that are helpful for system administrators of Unix machines, including occasional articles on DDoS topics. For more information, go to http://www.usenix.org/publications/login/.

9.4 Conclusion

We wish to leave you with a final thought, quoted from the wise words of Douglas Adams [Ada80]: “Don’t Panic!”

Yes, DDoS attacks are real. Yes, they are serious. Yes, defensive measures are in their infancy and are not always effective against all attacks. And, yes, real people have suffered economic and other forms of damage from DDoS attacks. However, it is equally true that most sites in the Internet have never suffered a DDoS attack (and perhaps never will), most DDoS attacks that do occur are not that serious, and most of these real DDoS attacks can be handled with methods and tools that are available today. We have outlined these defensive approaches in this book. If you take the steps to prepare yourself, the chances are excellent that even should someone direct a DDoS attack at your doorstep, you will withstand the flood and recover quickly.

There is no cause for panic in the foreseeable future, either. As we said earlier, we expect that DDoS attacks will become more common and that use of DDoS attacks for serious purposes, from political statements to crime, will become more prevalent. However, there is much research going on to gain greater understanding of the DDoS threat and to provide more effective and powerful defensive tools. All of the major players in the Internet, including the backbone providers, ISPs, operating systems builders, router and switch manufacturers, governmental and nongovernmental agencies with Internet responsibilities, professional societies of network and system administrators, and the entire computer networking research community, regard DDoS attacks as one of the most significant threats to the future growth and stability of the Internet. All of these groups are committed to providing the Internet’s users with the best possible protections against DDoS attacks. As the threats become worse, rest assured that these groups will do all they can to counter them. You have allies in this fight, and powerful ones at that. Ultimately, we believe that the future of DDoS defense is not a silver bullet technical solution, but stronger cooperation on both the human and the technical level.

Now that you have overcome any panic you might have, you should take a realistic second look at your own situation. Is your organization in a position that might be threatened by a DDoS attack? Have you made reasonable preparations to handle such an attack should one occur? If not, and if you are not comfortable with the risk of a DDoS attack dropping your organization off the Internet for some period, now is the time to make those preparations. Many of them are simple, painless, and even cost free. Most of them will have secondary benefits, like also protecting you against other threats or increasing your knowledge and awareness of how your network operates. If you delay taking these precautions, you are putting yourself unnecessarily at risk.

Finally, while we have done the best we can to educate you, our readers, about the threat of DDoS and the methods available to deal with that threat, we must reiterate that neither the threat nor the defensive methods will stay static. After we have finished writing and you have finished reading this book, progress will march on for attackers and defenders alike. Taking the steps we outline will help you today, but remember that one of those steps, a particularly important one, is periodically surveying the world of threats and the measures you have taken to counter them. Tomorrow’s attacks will be different from today’s, and new countermeasures may be required to deal with them. As with most other security issues, you must remain vigilant. Keep learning, keep watching, keep improving your defenses. Those who follow this final advice are likely to be among the fortunate group who do not fall prey to the DDoS attacks of the future.