Is the Internet doomed to fail? A Commentary…

In other words, has the Internet passed its “use-by” date?

It is interesting conjecture that “The” Internet is doomed. I agree that “The Current State” of the Internet will be different tomorrow and if we declare every variation of what the Internet looked like in the past as being dead then I would urge that the Internet already died and will do so every day into the future as a new one emerges.

The language, or protocols, of the Internet will continually change and the infrastructure that drives it will change along with its owners and the cost and economics for access with change along with it. The Internet has gone from a generic name for the interconnection of a bunch of defense and research networks into really the concept of an interconnected global economy. Should one part of the Internet have better network performance, or should content move to no longer being free doesn’t change the underlying definition of an Internet.

The success of the Internet has been due to its ubiquity and its ability to change with the times. The protocols and devices of an IP network designed to protect against physical failure has grown into something that is adjusting with the times. It is only fitting that in year of Darwin’s 200th anniversary that we have the ability to watch the evolution of an organism (the Internet) that isn’t even biological before our eyes. The Internet has become something beyond any singular definition and new protocols, just like your favorite websites, will come and go and many will not survive. This is the Internet’s strength, not weakness.

Researchers may try and define where the Internet should go but it doesn’t mean the Internet will go that direction. Sometimes the death of one pathway forward has unintentional benefits. SMTP as a protocol for email is fraught with problems and has led to SPAM clogging the Internet yet my son spends more time on instant messenger systems without even the concept of SPAM and I don’t think he would think the Internet died if SMTP went away and I think many wouldn’t care. That’s evolution at its best.

As you might imagine, I don’t believe the Internet can die since you can’t define it nor prevent anything new you create from being percieved as still the Internet. And if Google wants to isolate themselves from the rest of us (which I doubt) they only have thier own history to look back and think about whether we miss Altavista today.

Botnet Blog

Watching modern botnets grow and form themselves into the equivalent of a raging horde of cyber delinquents, I come to wonder why is it that we cannot find a way through the threads of privacy concerns to offer a ray of hope in helping re-introduce these hordes back into society?  So here is the deal that I see happening … those with nafareous intent are building software to seek out unsuspecting victions, the modern consumer, who don’t have the latest security patches or software (http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1).  Without regard for any sort of rules or guidelines, virus and worm developers inject software into the Internet that replicates and self-organizes large scale botnets waiting for action on the scale of millions of systems.  Corporations cringe at the notion of the botnets being sold to high bidders to take action against critical infrastructure.  We spend millions of dollars to build defenses in front of every critical network lying in wait for the attack to occur.  Even with the best of defenses, many networks will wither. 

When we have a virus like the flu infecting the country, we don’t let it spread and lie in wait at hospitals for the sick to show up, we try and stay ahead of it and keep the population healthy and infected.  Likewise, when gangs grow and get out of hand, we don’t wait for their attacks, we try and introduce youth counselors, come up with better activities for them to do like midnight basketball and re-introduce them back into society as productive members.  So while we wait for operating system vendors to patch holes and users to buy and update security products many botnets are growing to the tens of millions in size.  So why is that that we avoid one of the most efficient means to restore a civilized Internet?  If we can understand how the botnets work, and what systems a botnet has exploited based upon a vulnerability, why can we not simply spread the antidote in much the same way? Years ago doctors introduced the concept of kids playing tag to pass germs to build up immune systems, isn’t this the Internet equivalent?

A recent BBC team used a botnet for some research and the backlash was large (http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm). To some this sounds like becoming part of the problem and just another way to make the problems worse.  As I sit here and watch the threats on the Internet over the last decade, I can’t help but see a trend that shows it getting worse at the speed of innovation by the malcontents and the anti-virus, anti-spyware, anti-whatever is next software distribution to clients has already ensured a war for supremacy is raging on.  Last time I checked, those who didn’t realize their systems were getting infecting haven’t been spending much time to fix it, just like those whom are happy being social renegades don’t spend a lot of time pro-actively reforming.  At some point, we need to reach out more than just suggesting that broadband customers download free anti-virus. 

Too bold for us to consider?  Will this always be the demise of the security?  Is there a better way?

Internet Traffic Report: Mounting IP Pressures

Peer-to-Peer (P2P) traffic levels are starting to lose out to streaming , according to a recently released reports. John Timmer from Ars Technica discussed the findings (http://arstechnica.com/web/news/2009/02/internet-traffic-report-p2p-porn-down-games-and-flash-up.ars) a few weeks ago discussed some of the findings.  While they are from a small subset of regions and locations, the interesting point appears to be that the traffic mix is changing.  While the report indicates that while P2P is still the main source of Internet traffic, regardless of which geographical region, it is starting to grow at a slower pace. This can be expected as direct download and streaming video services are becoming more popular. While Web traffic ranged from 16 – 34% of all Internet use growth seems to be driving heavily upwards for different types of streaming media and direct download distribution methods.

For years we saw the growth of web traffic being the key focus prior to the rapid turn to P2P as consumers surveyed the Internet for content of interest.  As content appeared the migration to P2P protocols surged and the race to control the usage of upstream bandwidth became a key concern in the telecom and cable environments.  As privacy and copyright owners battled heavily in the P2P space, it is particularly interesting to see how fast these new forms of direct download and streaming delivery are growing in usage.  Just a couple months after hulu (www.hulu.com) launched reports from service providers like AT&T (http://www.dslreports.com/shownews/ATT-Backbone-Sees-20-P2P-Drop-96602) began showing changes in the usage patterns.  In addition, new network management tools like DOCSIS 3.0 are able control upstream usage without digging into privacy waters.

At CloudShield, we understand the importance of helping service providers consider ways to deal with increases in network traffic stemming from multimedia, full-HTML Web browsing, P2P file sharing, streaming videos and Internet video services. The most effective way of handling the traffic from these services is to ensure that smarter, scalable technology is in place. What has become interesting to watch is how fast the market has turned from one of being able identify protocols (such as Skype, BitTorrent and eDonkey) to hunt out hidden offenders to being more concerned about how to help drive customer experience.  As legal and high quality content is being pushed into the Internet, migrating from finding the content owners to being able to be aware of them and focusing on how to actually increase benefits through the use of cache technology, boosting QoS priorities and enabling peering relationships between content owners and the service providers delivering content to end users is a very different world for DPI and controlling services from what was raging just a few years ago.  In addition, service providers are starting to migrate to billing models (think mobile style billing in broadband) and content delivery agents (think IPTV) that seem to actually enable to continued growth for consumers in a viable model.  It feels like the rise of the CDN’s all over again and this time with the aid of an intelligent network ushering traffic through to end users.  The traffic mix is changing rapidly again, and this time the new source of growth doesn’t seem to have a lot of enemies!

DDoS Attacks Aimed at Security Sites?

As Kelly Jackson Higgins at Dark Reading reported yesterday, white-hat security Web sites Metasploit, Packet Storm, Milw0rm and Immunity have been hit with a wave of DDoS attacks since late last week.  The attack against Metasploit were comprised of botnets generating around 80,000 connections per second, with an incoming connection rate that exceeded 15 Mbps and used SYN and UDP packet flooding.

Just another example of the types of attacks that can hit any Web site – even those focused on security. We’ll continue to keep an eye on the story as the Metasploit site is still under siege, but what becomes interesting to see is the transition in articles about DDoS.  A DDoS attack of this size years ago would have taken down a large site while today it is still quite small compared to the bandwidth and protection levels deployed by Internet giants.  As such, it seems like we are getting to the back side of the DDoS boom where you have botnet owners picking sites without monetary gain but just for a bit of visibility against targets that in many cases aren’t even investing in heavy defenses because of the lack of business impact.  More interesting is how we continue to cover these stories but how they are rapidly moving to the bottom of the news.

The question I think about is which direction will things go in DDoS defense?  Will every site need protection just to make the Internet useful, just like Anti-SPAM is a requirement to get anything done in email?   Or will this be one of those things that is a nuisance now and just fades over time as the benefit of attack doesn’t even highlight an article?

Security issues with DNS

Recent press is brewing up more concerns about security issues with DNS .  This time it pertains to DNS being a possible tool to amplify Denial of Service attacks as an attacker can send a spoofed DNS request that becomes a larger response from the DNS server to the intended victim.  This type of attack is not new as it dates back to earliest of DDoS attacks with other protocols such as the character generator ports in Linux.  The question for the marketplace is will the focus on this attack lead to tangible changes in DNS infrastructure?  Changes are underway and I am not sure this research will necessarily change the prevailing winds but hopefully it will open the eyes of more DNS operators to address these longstanding issues.

One thing to note is that there are really two things at play here.  In the reports, they talk about using DNS to attack another Internet target by using the DNS farm to increase the size of an attack.  In this manner an attacker with a small amount of bandwidth can cause a denial of service larger than what would be nominally attributed to their network connection or size of their botnet.  The second attack is against the root servers or DNS servers in the resolution chain whereby a small request causes an increased amount of processing required on the part of the DNS farm.  Both of these cause denial of service attacks, one bandwidth against an Internet target, the other processor consumption against a DNS farm such as the root servers.  For some time, arguments have been raised for changing DNS to TCP and adding security mechanisms.  These are not going to happen quickly.

By moving DNS queries to TCP only and off of UDP this avoids the described bandwidth attack against an Internet target through spoofed addresses.  The problem is that a DNS server can only turn off UDP queries once every client you are going to support has properly moved off of UDP.  This is going to take some time.  Furthermore, while new security measures are being instituted that can be used to help attribute queries to systems, until they are ubiquitous, we are stuck with the DNS they have.  Fortunately all is not hopeless until some future date when the Internet no longer uses IPv4, have moved away from UDP and DNS is only with full DNSSEC  features.

What is great about this news, however, is it is a perfect example to highlight why there has become a great marketplace for Infrastructure Security Products.  For decades attackers went after comprised web sites or vulnerable clients.  Big web sites are built like Fort Knox today and Anti-Virus is a household term in the most non-technical households leaving what is in the middle, the Internet infrastructure ripe for attack.  DNS Defender^TM for example is one such new breed of security products.  DNS Defender  sits in front of DNS Farms, from enterprises to service provider’s to root servers and is able to, in a sense, fix up the current DNS implementation while we wait for future changes.  For example, if we look at the current amplification attack, DNS Defender can use its DNS rate limiting abilities and caching to protect the DNS farm both from processing attacks on the DNS farm as well as it being used as a amplifier against targeted sites.  DNS Defender provides numerous controls for rate limiting by either query type or by user.  Should a flood of traffic come in from a single IP address of a site that is an intended target, the responses per second can be controlled to some nominal level that prevents any value of using the DNS farm as the amplifier.  Furthermore, should the attacker want to simply send queries for the ‘.’ domain to get a list of .com, .net and similar root domains causing processor time, these queries can be cached and answered using the DNS Defender as a cache server.  The combination of functionality requires zero changes to the DNS farm while also fighting off both cases of using the DNS farm for amplification.

The good thing is that putting defenses like DNS Defender in place in front of key critical infrastructure is not conceptual but already in place in key locations.

GoDaddy Goes Down

A couple weeks ago, Web site hosting company GoDaddy.com was hit with a Distributed Denial of Service (DDoS) attack that took down thousands of its customers’ Web sites for several hours. As CNET reports, this wasn’t the first time the domain name provider was knocked off line – a similar attack in 2005 affected 6,000 of its customers’ Web sites.

Companies like GoDaddy.com that are responsible for safeguarding e-commerce sites and Web infrastructures should ensure they have the proper technology in place to deal with mounting DDoS attacks. With the state of the economy being what it is right now, it’s essential that online stores remain open and running when a customer is ready to make a purchase. In this instance, customers were understandably upset about their sites being down and were quick to complain. Los Angeles based lifestyle blog LA Snark even posted a response to GoDaddy.com.

E-commerce merchants can remain confident that their customers will encounter a positive user experience if their Web-hosting company is well prepared to deal with these kinds of security threats. That said, the problem has grown considerably larger over recent years. In a recent report on DDoS trends published in late 2008, large scale attacks of 40Gbps or more are being seen. (Link To Arbor Report) Most hosting providers are not able to accommodate such levels of attack and this seems to be pointing to more managed security in the Cloud going forward being delivered by Tier 1 carriers and security providers with this kind of bandwidth. The real question becomes at what point with an increasingly Internet based economy does this level of protection become required versus a nice to have?

Technology specifics that are in motion…

Earlier this week the changes being seen from the impact of new regulations was mentioned.  What has been interesting to watch is the technology specifics that are in motion.  Technology for the support of Lawful Interception was often a circuit based such that clipping onto a phone line or Internet connection drove technology scaled to the performance of the one user.  As users moved to many devices and were mobile with thier communications, technology moved upstream interfacing to phone systems and network equipment that based upon awareness of the registered user selected appropriate information.  Today, relationships on the Internet are vast and dynamic and identity of a user is often not tied to a device or circuit.  As such systems must possess many new advanced analysis, inspection and capture capabilities in order to comply with the regulations.  Three notable technology requirements that really seem to clarify what I see in 2009 are: 10 Gigabit Ethernet, Full Content Capture and Protocol Specific User Identification.

Taking a look at 10 Gigabit Ethernet first, it seems off-hand as not new for 2009 but in this field I suggest that the meaning behind it really is.  For years we have seen 10GbE as coming, we have built systems that supported 10GbE and all marketed that we were first.  What is interesting is there really seems to be a migration from 10GbE is in the future or our network links are 10GbE but they really aren’t fully utilized to 10GbE means 10GbE.  What I mean by that is customer expectations and more importantly true need really deals with 10GbE means processing a fully utilized pipe and often bi-directionally for 20Gbps of unique data to inspect.  This has become a dramatic change in processing performance as DPI systems are essentially processing the data and moving from even uni-directional GigE or OC-48 systems to full duplex 10GbE is anywhere from an 8x to 20x processing increase from earlier generation systems in the DPI segment.  With large metro deployments in telcos, multiple 10GbE links are the norm not the exception.  This is where 2009 seems like a year of separating out the technology.

Full Content Capture is another area that directives and regulations appear to be driving change.  In the past, if content was seen of interest in a packet the desire was to capture it.  That evolved to if you see a session, or more specifically flow, that is of interest, capture the rest of it from here on out.  Now, the requests are that if you see information that identifies a flow of interest, make sure that the flow from the “start” of the conversation is captured.  In a sense, this is asking for systems to go back in time and record data.  As this is intersected with the 10GbE requirements this has led to large scale buffering systems to allow for arbitrary window sizes of time to be gathered such that it may be found of interest in the future.  This has led to very different architecture of solutions from the past and appears to be a new trend as we enter into 2009.

Protocol Specific User Identification is something that is old, but really speaks to the Internet age and the growth of protocols.  At its lowest level what I mean is looking at the content of an exchange with a web site and identifying the target based upon the credentials being passed.  As each and every web protocol or site establishes its own mechanism this leads to different methods for each.  Simply trying to do this for emails, within a specific region, can rapidly lead to dozens of variations. 

The interesting thing from a technology point of view is how vastly and fast the requirements throughout the world are changing in response to new regulations.  While the western world appears slower than other areas to pass such regulations the technology development continues to move along at a fast clip to keep up with global needs.  What will be interesting is how quickly these advanced capabilities spread across the landscape of customers and how the solutions will stand the test of time.

Regulations are changing worldwide…

A few weeks ago I had the opportunity to present at the ISS Telestrategies conference on Deep Packet Inspection and Lawful Intercept Technology (http://www.issworldtraining.com/ISS_WASH/).  It was interesting to see how much and how fast this industry is changing.  Regulations are changing worldwide that are driving the demands for new technologies and vendors are rapidly moving towards building those capabilities.  Furthermore, an industry that was heavily positioned for edge technologies sitting on a targeted link are migrating to aggregation points requiring not only performance but changes in the capability sets to appropriately deliver selected data.  As such this has led to segmentation in the deep packet inspection (DPI) market between those delivering what is being called deep packet capture (DPC) versus a broader DPI (http://en.wikipedia.org/wiki/Packet_capture). Each of these macro changes are worth a dialog in themselves, however, touching on the impact as a whole raises new questions.

As the world has begun to change or update regulations, such as those seen in the European Union with regards to data retention for the support of law enforcement DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT, these are driving significant new changes to the telecom landscape.  The extent of these regulations drives growth of interception technology at pace with the network growth itself.  The expense of these systems as well as the complexity of protection of the privacy of the data gathered is changing the technology requirements unlike what has been seen before.  The big questions this leads to is how fast can compliance be achieved and will this change the landscape of the class of companies that can support this scale of deployments?  Also, what impact will this have on the architecture of the telecom provider’s networks as data collection is not a small issue but core to even how the network could be architected to support such directives?  Will this lead to specific variants of technology, such as the thesis of some of the DPC specific vendors for technology designed exclusively for these directives or will the costs of such a large scale deployment require common infrastructure with the telco gear to drive down CAPEX and OPEX of supporting the directive?

In many ways, more questions than answers but clearly lots of change.

Read More: International Mandates : Changing the Way Law Enforcement Operates

More Fuel To Put On The Data Center Fire. . .

Competition is an incredible driver of innovation and strong newcomers to any market often have the ability to act and move quickly.  In the Internet age and more importantly modern era of content being king, the cracks in the network have collided the computing at the edge world with the dumb network yielding this open landscape of an Intelligent Internet.  We will see it in many forms from Cloud Computing (http://www.ibm.com/news/us/en/2008/09/24/h700006x16255w91.html) to Intelligent Content Based Routing in the network (http://www.crn.com/networking/207000296) to next generation data center initiatives with grand and glorious names.  The simple fact is that the data center is no longer and end point but is moving to a central role in the network.  At the same time, the network must be more capable of performing new tasks with the flexibility to change quickly.  In a world of purpose built devices, this sounds a lot like software.  So much so that recent blogs hinted of Cisco thinking of offering blade servers in packaging similar to the Nexus systems (http://www.networkworld.com/news/2008/091508-cisco-blade-server.html).

To be fair, I must admit that I am quite biased to believe that the open blade server platforms will engulf routing and switching as delivering services and solutions within the network become a core offering.  With the enterprise economics and volume, data center economonics will win out in the end just like the PC beat down the mainframes and mid-ranges.  While we have had a few friends whom have helped us greatly along the way (http://www-03.ibm.com/systems/info/bladecenter/pn41/index.html), we are just at the beginning of the battle.  For those of us in the networking industry, adding more processing ability deeper into the network isn’t new or rocket science, but developing new services in compelling and manageable ways while ensuring the robustness and scalability of the network is true heavy lifting.  Where the market turns in the end is up for grabs, but the chance to watch first hand for all of us is going to be a great ride.

The Data Center War Is On, Should We Care?

When I think of the big battles for market share in technology, what comes to mind is Microsoft versus Apple, IBM versus HP, and Intel versus AMD.  We have watched these come and go and be drawn out to move the marketing messages and market share needles.  But many of these are very much like title fights where two giants are fighting in their weight class against the expected contenders in a controlled arrangement.  Once in a while we see new players enter the market who want to take on the establishment in new and different ways similar to Skype taking on the long distance industry.  Rarely, however, do we get to see two dominant forces in adjacent and often complementary markets turn their focus on one another.  Enter the new Internet data center and how 12 months can dramatically change the landscape.  Networking incumbent Cisco is leading the charge expanding ownership of the data center by targeting the bread and butter of its partners, IBM and HP.  Likewise, IBM and HP have seen the opportunity to help drive revenue and efficiency in telecom sector by driving servers further into the network core.  So is this a good thing and should we care?

Cisco Nexus

http://gigaom.com/2008/03/21/coming-soon-the-cisco-blade-server/

http://www.cisco.com/en/US/products/ps9402/index.html

IBM Bluehouse targets Webex:

http://blogs.zdnet.com/BTL/?p=10296

https://bluehouse.lotus.com/front/webfront