Someone is learning how to take down the Internet

Max Pritchard

Bruce Schneier is a name I have associated with Internet security since the mid-1990s. He is famous for his books on cryptography and security theory in general. In the circles I find myself moving in, he’s a celebrity name and his thoughts and opinions carry weight.

On 13th September 2016, an informal blog article appeared written by Schneier, which was dramatically entitled “Someone Is Learning How to Take Down the Internet.” The thrust of the article seems to be that over the past year or two, owners of infrastructure, critical to the functioning of the public global Internet (such as DNS, and elements of IP addressing and BGP routing), have seen an increase in a certain type of DDoS attack. DDoS attacks which are larger, last longer and are more sophisticated that previously observed.

The article describes DDoS and other attack patterns against specific targets that appear to be being used to find the upper limits of the current defences, as well as the capability of the teams managing those defences. Also DDoS attacks that are routinely using multiple “vectors” – different attack types or patterns that examine various aspects of a system’s DDoS defences simultaneously. These attacks share characteristics with the kind of attack patterns we use in DDoS tests to explore the performance parameters of a target’s systems, people and processes.

Unlike a DDoS test delivered by a reputable security partner, information about the defence systems gained by the probing attacks Schneier is concerned with is ending up in the hands of the attackers.

Schneier’s sources point to a nation-state level actor such as China testing the limits of the public Internet infrastructure. Most people realise that conclusive attribution is notoriously tricksy and I don’t think this is the most interesting part of this article.

Much of the information about probing, or recon DDoS attacks is not new. For years the frequency of DDoS attacks has been on the rise. The potential scale of these attacks has been increasing as has the sophistication. Criminals routinely test defences, sometimes as a prelude to a full-scale attack programme, sometimes to fuel an attempt at extortion. Attacks on critical infrastructure are also not new. The global root DNS servers have been attacked three times in recent memory (Oct 2002, Feb 2007, Nov 2015) and domain registrars, ISPs, peering points and service providers of all types are probed and attacked almost daily. Most of these organizations, when asked, are confident in their ability to defeat these attacks, at least in public statements.

So is this article important? Is this something new that we need to do something about? Without additional detail and information the answer is probably a qualified and annoying “No.” Critical infrastructure providers already consider DDoS a significant threat and invest resources in mitigating that risk. Some of them, probably too few, also routinely test their own DDoS mitigation systems so they can see what “the enemy” can see and can deal with any shortfalls in defence capability.

The frustration, which Schneier admits to in an associated podcast, is that his information comes from contacts in the critical infrastructure industry under the promise of anonymity and he is unable to quote anyone. If it weren’t for Schneier’s name, it would be easy to write-off the article. Bruce Schneier clearly felt it was important that knowledge of this pattern of attacks (nature of targets, capability and likely intent of the attacker) was more widely known and I don’t disagree, but the generalities render the message inert and un-actionable.

I think that the lack of coordinated sharing of observed attack information between critical infrastructure providers seems to be harming everyone’s ability to respond to a potential threat to the public Internet infrastructure. Organizations under attack, with the experience and resources to defend themselves should not be hindered by perceived issues of competition, potential ridicule, complacency or even false modesty when it comes to sharing their observations.

If the mutual threat to the Internet is not incentive enough for them to compare notes with each other, then perhaps respective governments should remind them how important the Internet is to their country.

Perhaps we still believe deep-down that “loose lips sink ships” and that we should “keep mum” rather than talking freely about observed attacks and defence methods. I rather suspect that the nature of digital warfare makes it increasingly imperative that we work against our commercial instincts and collaborate rather than obfuscate for best security results.