The recent Internet outages caused by the DDoS attack on Dyn’s infrastructure highlights deep architectural issues that need resolution. Security and performance are intertwined, and both need fundamental upgrades.
A few days ago I was working at a friend’s house. He likes to have Magic FM on during the day. They regurgitate the same playlist of inoffensive 70s, 80s and 90s pop music, with live drive-time shows. Later in the day I heard the DJ sputter how their Twitter access had gone wonky, so you couldn’t expect to interact with them via that channel. I thought little of it.
Many of you will have seen news stories that explained what was going on: a huge DDoS attack on the infrastructure of Dyn had taken down access to many large websites like Twitter. A great deal of digital ink has since been spilled in the mainstream press on the insecurity of the Internet of Things, as a botnet of webcams was being used.
Here are some additional issues that might get missed in the resulting discussion.
An unfit-for-purpose security model
The Internet’s security model is completely unsuitable for these connected devices. The default is that anyone can route to anyone, and that all routes are always active. This is completely backwards. The default ought to be that nobody can route to anybody until some routing policy is established that is suitable for that device.
This process is called “association”, and it precedes the “connection” that is done by protocols like TCP. The camera needed to be on its own virtual network that should be isolated from websites like Twitter. This is a fundamental architecture issue, and one that cannot be fixed by tinkering around with DDoS mitigation code in routers.
The present Internet has been likened to running MS-DOS. It has a single address space, and doesn’t have any real concept of “multitasking”. We now have to move to the Windows or Unix level of sophistication, where different concurrent users and uses exist, but are suitably isolated from one another in terms of network resource access.
This issue highlights why investment in new modern architectures like RINA is essential. TCP/IP is just the prototype, and lacks the necessary association functions for future demands!
Weak technical contracts on demand
The very nature of a DDoS attack is to aggregate lots of small innocuous flows into a large and dangerous one. The essential nature of the attack is to overload the resources of the target. This means we need to master a new skill: managing network (and networks of networks) in overload.
This is a problem faced by the military, since their networks are under active attack by an enemy. Part of the solution is to have clear technical “performance contracts” between supply and demand at ingress and traffic exchange points. These not only specify a floor on the supply quality, but also impose a ceiling on demand.
With the present Internet we typically have weak contracts at those points, which don’t set a supply quality floor or demand ceiling, or do so in a fashion that can’t sufficiently contain problems. A DDoS attack is merely a special case of performance management in overload, and the real issue is broader than security management.
The Internet needs an upgrade to be able to manage quality issues.
Lack of economic incentives
My final point is that we don’t have good feedback mechanisms in the long run to prevent this problem from getting worse. It’s a kind of “environmental pollution” issue where the cost of insecure devices and poor operational practises is not borne by those who designed and deployed them. There has to be a way of putting more “skin in the game”.
That could partly come from resolving the above two technical issues. Breach of the technical contact on the demand ceiling would result in some kind of commercial penalty for overloading downstream resources. In the extreme case it should be possible to end the association, so that it becomes impossible to route to the destination that is overloaded.
Ultimately the knowledge of which devices are involved in attacks versus legitimate interactions is distributed at the network edge. If a user is willing to pay for the additional resources to raise the contracted quality when the network is stressed, then the traffic probably isn’t a denial of service attack, as the costs don’t scale.
These attacks are exploiting economic arbitrage opportunities of mispriced resources. A solution to DDoS attacks will come from a wider re-thinking of the economic model for the Internet. We need one that favours price signals and market feedback over “net neutrality” style rationing and government diktat.
People demand a better living environment as they get older and richer, and today’s Internet is a shanty town next to a festering garbage dump, built from many ramshackle structures. Now it is time to clean up the neighbourhood and modernise our architecture and engineering.
For the latest fresh thinking on telecommunications, please sign up for the free Geddes newsletter.