Is the Internet doomed to fail? A Commentary…

In other words, has the Internet passed its “use-by” date?

It is an interesting conjecture that “The” Internet is doomed. I agree that the current state of the Internet will be different tomorrow, but if we declare every past variation of what the Internet looked like as being dead, then I would argue that the Internet has already died and will do so every day into the future as a new one emerges.

The language, or protocols, of the Internet will continually change, the infrastructure that drives it will change along with its owners, and the cost and economics of access will change along with it. The Internet has gone from a generic name for the interconnection of a bunch of defense and research networks into what is really the concept of an interconnected global economy. Should one part of the Internet have better network performance, or should content no longer be free, that doesn’t change the underlying definition of an Internet.

The success of the Internet has been due to its ubiquity and its ability to change with the times. The protocols and devices of an IP network designed to survive physical failure have grown into something that keeps adjusting with the times. It is only fitting that in the year of Darwin’s 200th anniversary we have the ability to watch the evolution of an organism (the Internet) that isn’t even biological unfold before our eyes. The Internet has become something beyond any singular definition, and new protocols, just like your favorite websites, will come and go and many will not survive. This is the Internet’s strength, not its weakness.

Researchers may try to define where the Internet should go, but that doesn’t mean the Internet will go in that direction. Sometimes the death of one pathway forward has unintended benefits. SMTP as a protocol for email is fraught with problems and has led to spam clogging the Internet, yet my son spends more time on instant messenger systems without even the concept of spam, and I don’t think he would think the Internet had died if SMTP went away; I think many wouldn’t care. That’s evolution at its best.

As you might imagine, I don’t believe the Internet can die, since you can’t define it, nor prevent anything new you create from being perceived as still the Internet. And if Google wants to isolate itself from the rest of us (which I doubt), it only has its own history to look back on and think about whether we miss AltaVista today.


Botnet Blog

Watching modern botnets grow and form themselves into the equivalent of a raging horde of cyber delinquents, I wonder why it is that we cannot find a way through the thicket of privacy concerns to offer a ray of hope in re-introducing these hordes back into society. So here is the deal as I see it: those with nefarious intent are building software to seek out unsuspecting victims, modern consumers who don’t have the latest security patches or software (http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1). Without regard for any sort of rules or guidelines, virus and worm developers inject software into the Internet that replicates and self-organizes into large-scale botnets waiting for action, on the scale of millions of systems. Corporations cringe at the notion of these botnets being sold to the highest bidders to take action against critical infrastructure. We spend millions of dollars building defenses in front of every critical network, lying in wait for the attack to occur. Even with the best of defenses, many networks will wither.

When we have a virus like the flu infecting the country, we don’t let it spread and lie in wait at hospitals for the sick to show up; we try to stay ahead of it and keep the population healthy and uninfected. Likewise, when gangs grow and get out of hand, we don’t wait for their attacks; we introduce youth counselors, come up with better activities for them like midnight basketball, and re-introduce them into society as productive members. Yet while we wait for operating system vendors to patch holes and users to buy and update security products, many botnets are growing to tens of millions in size. So why is it that we avoid one of the most efficient means of restoring a civilized Internet? If we can understand how the botnets work, and which systems a botnet has exploited through a given vulnerability, why can we not simply spread the antidote in much the same way? Years ago doctors introduced the concept of kids playing tag to pass germs and build up immune systems; isn’t this the Internet equivalent?

A BBC team recently used a botnet for some research and the backlash was large (http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm). To some this sounds like becoming part of the problem and just another way to make things worse. As I sit here and watch the threats on the Internet over the last decade, I can’t help but see a trend that shows it getting worse at the speed of innovation of the malcontents, and the distribution of anti-virus, anti-spyware, anti-whatever-is-next software to clients has already ensured that a war for supremacy is raging. Last time I checked, those who didn’t realize their systems were getting infected haven’t been spending much time fixing them, just as those who are happy being social renegades don’t spend a lot of time proactively reforming. At some point, we need to reach out with more than just a suggestion that broadband customers download free anti-virus.

Too bold for us to consider? Will this always be security’s downfall? Is there a better way?


Internet Traffic Report: Mounting IP Pressures

Peer-to-peer (P2P) traffic levels are starting to lose out to streaming, according to a recently released report. John Timmer of Ars Technica discussed the findings (http://arstechnica.com/web/news/2009/02/internet-traffic-report-p2p-porn-down-games-and-flash-up.ars) a few weeks ago. While the numbers come from a small subset of regions and locations, the interesting point is that the traffic mix is changing. The report indicates that while P2P is still the main source of Internet traffic, regardless of geographical region, it is starting to grow at a slower pace. This is to be expected as direct download and streaming video services become more popular. While Web traffic ranged from 16 – 34% of all Internet use, growth seems to be driving heavily upward for different types of streaming media and direct download distribution methods.

For years we saw the growth of web traffic as the key focus, prior to the rapid turn to P2P as consumers surveyed the Internet for content of interest. As content appeared, the migration to P2P protocols surged and the race to control the usage of upstream bandwidth became a key concern in the telecom and cable environments. As privacy advocates and copyright owners battled heavily in the P2P space, it is particularly interesting to see how fast these new forms of direct download and streaming delivery are growing in usage. Just a couple of months after hulu (www.hulu.com) launched, reports from service providers like AT&T (http://www.dslreports.com/shownews/ATT-Backbone-Sees-20-P2P-Drop-96602) began showing changes in usage patterns. In addition, new network management tools like DOCSIS 3.0 are able to control upstream usage without wading into privacy waters.

At CloudShield, we understand the importance of helping service providers consider ways to deal with increases in network traffic stemming from multimedia, full-HTML Web browsing, P2P file sharing, streaming videos and Internet video services. The most effective way of handling the traffic from these services is to ensure that smarter, scalable technology is in place. What has become interesting to watch is how fast the market has turned from being able to identify protocols (such as Skype, BitTorrent and eDonkey) in order to hunt out hidden offenders to being more concerned with how to improve the customer experience. As legal, high-quality content is pushed into the Internet, the job shifts from finding the content owners to being aware of them and focusing on how to actually increase benefits through cache technology, boosted QoS priorities and peering relationships between content owners and the service providers delivering content to end users. That is a very different world for DPI and service control from the one that was raging just a few years ago. In addition, service providers are starting to migrate to billing models (think mobile-style billing in broadband) and content delivery agents (think IPTV) that seem to enable continued growth for consumers in a viable model. It feels like the rise of the CDNs all over again, this time with the aid of an intelligent network ushering traffic through to end users. The traffic mix is changing rapidly again, and this time the new source of growth doesn’t seem to have a lot of enemies!


DDoS Attacks Aimed at Security Sites?

As Kelly Jackson Higgins at Dark Reading reported yesterday, the white-hat security Web sites Metasploit, Packet Storm, Milw0rm and Immunity have been hit with a wave of DDoS attacks since late last week. The attack against Metasploit consisted of botnets generating around 80,000 connections per second, with an incoming rate that exceeded 15 Mbps, using SYN and UDP packet flooding.

Just another example of the types of attacks that can hit any Web site, even those focused on security. We’ll continue to keep an eye on the story as the Metasploit site is still under siege, but what becomes interesting is the transition in articles about DDoS. A DDoS attack of this size years ago would have taken down a large site, while today it is still quite small compared to the bandwidth and protection levels deployed by Internet giants. As such, it seems we are getting to the back side of the DDoS boom, where botnet owners pick sites without monetary gain, just for a bit of visibility, against targets that in many cases aren’t even investing in heavy defenses because of the lack of business impact. More interesting is how we continue to cover these stories even as they rapidly move to the bottom of the news.

The question I think about is which direction DDoS defense will go. Will every site need protection just to make the Internet useful, just as anti-spam is a requirement to get anything done in email? Or will this be one of those things that is a nuisance now and just fades over time, as the benefit of an attack no longer even warrants an article?


Security issues with DNS

Recent press is brewing up more concerns about security issues with DNS. This time it pertains to DNS being a possible tool to amplify denial of service attacks: an attacker sends a DNS request with a spoofed source address, and the DNS server sends a larger response to the intended victim. This type of attack is not new; it dates back to the earliest DDoS attacks, which abused other UDP services such as the character-generator (chargen) service on port 19 in the same way. The question for the marketplace is whether the focus on this attack will lead to tangible changes in DNS infrastructure. Changes are underway and I am not sure this research will necessarily change the prevailing winds, but hopefully it will open the eyes of more DNS operators to address these longstanding issues.

One thing to note is that there are really two things at play here. In the reports, they talk about using DNS to attack another Internet target by using the DNS farm to increase the size of an attack. In this manner an attacker with a small amount of bandwidth can cause a denial of service far larger than what would normally be attributed to their network connection or the size of their botnet: each query is only a few dozen bytes, while each response can run to hundreds of bytes or more, and all of it is delivered to the spoofed address. The second attack is against the root servers or other DNS servers in the resolution chain, whereby a small request causes an increased amount of processing on the part of the DNS farm. Both are denial of service attacks, one consuming bandwidth at an Internet target, the other consuming processor time at a DNS farm such as the root servers. For some time, arguments have been raised for moving DNS to TCP and adding security mechanisms. These are not going to happen quickly.

Moving DNS queries to TCP only, off of UDP, avoids the described bandwidth attack against an Internet target through spoofed addresses, because a TCP client must complete the three-way handshake before it can send a query, and a spoofed source never receives the server’s SYN-ACK to complete it. The problem is that a DNS server can only turn off UDP queries once every client it supports has properly moved off UDP. This is going to take some time. Furthermore, while new security measures are being instituted that can help attribute queries to systems, until they are ubiquitous we are stuck with the DNS we have. DNSSEC in particular does nothing for the bandwidth attack on its own: signed responses are larger than unsigned ones, so they increase the amplification available to an attacker. Fortunately, all is not hopeless until some future date when the Internet no longer uses IPv4, has moved away from UDP and DNS runs only with full DNSSEC features.

What is great about this news, however, is that it is a perfect example of why there is now a strong marketplace for infrastructure security products. For decades attackers went after compromised web sites or vulnerable clients. Big web sites are built like Fort Knox today and anti-virus is a household term in even the most non-technical households, leaving what is in the middle, the Internet infrastructure, ripe for attack. DNS Defender™, for example, is one such new breed of security product. DNS Defender sits in front of DNS farms, from enterprises to service providers to root servers, and is able to, in a sense, fix up the current DNS implementation while we wait for future changes. For example, if we look at the current amplification attack, DNS Defender can use its DNS rate limiting and caching to protect the DNS farm both from processing attacks on the farm itself and from being used as an amplifier against targeted sites. DNS Defender provides numerous controls for rate limiting by either query type or by user. Should a flood of queries arrive carrying the single source IP address of an intended target, the responses per second to that address can be held to some nominal level that removes any value in using the DNS farm as an amplifier. Furthermore, should the attacker simply send queries for the ‘.’ domain to get a list of .com, .net and similar root domains, burning processor time, these queries can be cached and answered by DNS Defender acting as a cache server. This combination of functionality requires zero changes to the DNS farm while fighting off both uses of the DNS farm for amplification.
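To make the two attacks and the two counter-measures concrete, here is an added example (illustrative Python written for this post, not CloudShield’s DNS Defender code). It builds a minimal root NS query on the wire, computes the amplification factor against an assumed 512-byte answer, and runs a constructed one-second flood from one spoofed source (198.51.100.7, a documentation-range address) through a per-client response rate limiter and an answer cache. The response size, the 20-answers-per-second budget, the transaction ID and the flood size are all assumptions chosen for illustration.

```python
"""Added example: DNS reflection arithmetic plus a per-client response rate
limiter and an answer cache of the kind described above. Illustrative only;
sizes and limits are assumed, not measured."""
import struct
from collections import defaultdict, deque

TYPE_A = 1
TYPE_NS = 2
CLASS_IN = 1
OPT_TYPE = 41
# Assumed size of a root NS referral answer (the classic 512-byte UDP limit, no EDNS0).
ROOT_NS_RESPONSE_BYTES = 512


def build_query(qname, qtype, txid=0x1234, edns_bufsize=None):
    """Wire-format DNS query: RFC 1035 header plus one question. Optionally adds
    an EDNS0 OPT pseudo-RR advertising a large UDP buffer, which is what lets
    an attacker request answers far bigger than 512 bytes."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    labels = [] if qname == "." else qname.strip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload size,
        # TTL 0, RDLEN 0 (no options).
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def amplification_factor(query, response_bytes):
    """Bytes delivered to the spoofed victim per byte the attacker has to send."""
    return response_bytes / len(query)


class ResponseRateLimiter:
    """Per-source cap on answers per second (sliding one-second window).
    A victim whose address is being spoofed looks, from the server side, like
    one client sending far too many queries, so the cap bounds what is reflected."""

    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.sent = defaultdict(deque)  # src_ip -> timestamps of recent answers

    def allow(self, src_ip, now):
        window = self.sent[src_ip]
        while window and now - window[0] >= 1.0:
            window.popleft()  # expire answers older than one second
        if len(window) >= self.max_per_second:
            return False
        window.append(now)
        return True


class AnswerCache:
    """Caches answers by (name, type) so a flood of identical queries costs the
    real DNS farm one lookup instead of one per packet."""

    def __init__(self):
        self.entries = {}
        self.hits = 0

    def lookup(self, qname, qtype, resolve):
        key = (qname.lower(), qtype)
        if key in self.entries:
            self.hits += 1
        else:
            self.entries[key] = resolve(qname, qtype)
        return self.entries[key]


def simulate_flood(n_queries, max_per_second, src_ip="198.51.100.7"):
    """Replay n_queries root NS queries, all claiming the same (spoofed) source
    and all arriving within one second. Returns (answers sent, backend lookups,
    bytes reflected to src_ip). The source address is a constructed value."""
    limiter = ResponseRateLimiter(max_per_second)
    cache = AnswerCache()
    backend_calls = 0

    def resolve(qname, qtype):
        nonlocal backend_calls
        backend_calls += 1
        return b"\x00" * ROOT_NS_RESPONSE_BYTES  # stand-in for the farm's real answer

    sent = 0
    for i in range(n_queries):
        now = i / n_queries  # spread the flood across one second
        if not limiter.allow(src_ip, now):
            continue  # dropped: this client is over its per-second budget
        cache.lookup(".", TYPE_NS, resolve)
        sent += 1
    return sent, backend_calls, sent * ROOT_NS_RESPONSE_BYTES


if __name__ == "__main__":
    q = build_query(".", TYPE_NS)
    print(f"root NS query: {len(q)} bytes, "
          f"x{amplification_factor(q, ROOT_NS_RESPONSE_BYTES):.1f} amplification")
    print("flood of 1000 queries, limit 20/s ->", simulate_flood(1000, 20))
```

With the assumed 512-byte answer, a bare 17-byte root NS query yields roughly 30x amplification; with an EDNS0 OPT record the query grows to 28 bytes but the permitted answer grows far more. The limiter bounds what reaches the spoofed address to the per-second budget regardless of how many queries arrive, and the cache means the farm behind it resolves the repeated query once, which is the split between the bandwidth attack and the processing attack described above.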

The good thing is that putting defenses like DNS Defender in place in front of key critical infrastructure is not conceptual; it is already done in key locations.
