Distributed Denial of Service, DDoS for short, is the shooting star in today’s Internet nightmare gallery. Here is a quick overview over what each and everyone of us can do to prevent his. And some hints at manufacturers and researchers.
The three main IT security aspects are C-I-A:
- Confidentiality: No unauthorized person can read the data.
- Integrity: No unauthorized person can modify the data.
- Availability: Unauthorized persons can access the data.
Cryptographic mechanisms and access control can protect the first two aspects. Software developers and system administrators, together with building security, can often maintain them completely on-site, without relying on external help.
Availability, however, is different: The service provider itself can only go a short step to ensure it. In the old days, you just closed the door of your office building so noone could enter. In the Internet-connected world, you want to keep your (virtual) doors open at all costs. To ensure that your services to your customers, partners, and employees are available, the entire Internet needs to be secure and operable.
Even if you think you’re just visiting your favorite web site, your browser is also connecting to dozen other sites, providing graphics, fonts, tools, ads, usage analysis, and much more. If only some of these are unreachable, the web page feels sluggish, looks outright garish, or does not load at all.
DoS and DDoS
Denial of Service (DoS) attacks try to reduce the availability of a service. For example, you can ask a web server to perform a complex operation. So with every short query of your browser, several seconds of computing power will be used on the server. Fire those requests fast enough, and they are hogging most of the resources, making the service unresponsive for everyone (including the attacker, but they don’t mind). This is easy to defend against: Just stop accepting requests from this machine.
Enter DDoS: Now, it’s not a single attacker, but hundreds of thousands to many millions. You could still identify them and blacklist them, but their sheer volume will overwhelm your Internet connection. But attackers add another trick of the trade: They do not send the requests labeled with their correct sender address, but with a randomly chosen one. So everyone seems to attack the poor victim. This was the big change that made DDoS first successful in 2000.
Recent attacks go even further. They do not attack the victim, but they claim to be the victim by spoofing their IP address and ask random servers around the ‘net to send them some data. Because of the spoofed address, this data will not go to the millions of attackers, but to the victim. This is considered an amplification attack, as the traffic of the attackers is amplified by these third-party servers. As an additional benefit, the attacker’s whereabouts are even better hidden through these innocent intermediaries.
The attacks from the last week use an interesting twist: Instead of using computers and laptops as the members of the Botnet, they mainly used Internet-connected devices, such as surveillance cameras. IoT devices seem to currently be the least secured devices.
The entire Internet needs to be secured, ranging from your WiFi-capable lightbulb over servers to the Internet routers at home and with your ISP. What does that mean to me? I’m a …
- Make sure all your Internet-connected devices use the latest software, often known as firmware. Firmware updates for your WiFi light bulbs, printers, surveillance cameras, Internet radios, or recent kitchen appliances are often hard to come by; you may need to dig deep through your manufacturer’s web page (and still be left without security fixes.)
- Tell your vendor that you want security updates for the lifetime of the device, and they should be easy to find. Recommend them to use a secure way of enabling auto-updates. Update 2016-10-22: During the warranty period, insist on security updates.
- Set up secure passwords for all those devices: Set one at all, make sure it differs from the default password, and make it hard to guess (8 chars minimum, with digits and special characters interspersed, not just replacing “l” with “1” or “I” etc.). It should not be memorable, and devices from different vendors should use different passwords. Your password manager is strong at remembering passwords, do not abuse your weak brain for that.
- Make them inaccessible from the Internet, if that is reasonable and possible. You may use a firewall for this, or purposefully configure the device that it does not know your router.
- Check whether your ISP allows spoofing using the Spoofer software that can be downloaded from the Center for Applied Internet Analytics. The data thus collected will be used to encourage ISPs to enable Spoofing protection.
- Ship your devices with a simple and secure mechanism to fetch security updates. Use secure connections and code signing, with certificate checks.
- Ship your devices with a hard-to-guess password on by default. Put the password on a sticker on device. Do not derive it from the MAC address, use a secure random source.
- Make sure customers can reset the password if they have lost it. E.g. have a special power-up-sequence which defaults back to the sticker-printed password.
- Reduce the impact of amplification attacks through your servers. This can be done by limiting the response size especially of UDP services (which are vulnerable to IP address spoofing). This can be done easily for NTP and to some extent for DNS; for other UDP-based services, there probably needs to be some form of rate limiting in place.
- Enable source address spoofing protection according to BCP 38.
- Consider local routing. Many services have primarily a local target group. During an active attack, limiting the BGP announcement of that network can help maintain a halfway reasonable user experience.Update 2018-03-08: An alternative is to use a CDN as a front and retract your routes except to the CDN provider’s network. This has been done by GitHub when under attack 2018-02-28.
- Determine new ways of pairing home devices, which make it easy for a single user or a family to prove that they own these devices and should be able to control them.
- Try to get rid of passwords entirely, and move to certificates or similar. Make sure they are as easy to use as “admin/admin” and “123456”, but without their weaknesses.
- Create rate-limiting mechanisms, which do not hurt normal operation, but significantly reduce the impact of DDoS amplification attacks.
If we all work together, and each add just a tiny little bit of their time, we can massively reduce the impact of the next DDoS attack and reduce the privacy and security risks of the devices used as part of a botnet or reflectors.
Together we can fight the DDoS tragedy of the commons!
[Updated 2016-10-02 to include local routing thanks to Fredy Künzler]