Science Sunday: Denial of Service Attacks and the Cost of Security
Last week, Skepchick, Freethoughtblogs, and Feminist Frequency all went offline due to distributed denial of service attacks. Those are nasty. It’s an easy attack to launch while being difficult to impossible to defend against without adding lots of costly time-consuming security measures to victimized servers.
The internet, as we know it, was built on trust, and for better or worse, that’s how it will continue, since it’s too big to reengineer at this point. It’s a data packet delivery service. End users send data packets into the network, where the data packets are sent through a series of routers, each of which does its best to sent the packet on to its destination, which will be some endhost server. The server receives the packet, which contains some request for the server’s content, often a web page, and sends back packets containing that requested content. The return packet likewise goes through some series of routers until it reaches the user. This whole process takes milliseconds for most content. More time for large content like very large photos or any streaming media. Where trust comes in is that the routers all send packets on in good faith. Any filtering or authentication has to be done on the server and in software; security is not natively part of the architecture of the internet routing layer.
This becomes a problem because people are evil. A server will do its best to respond to all requests for data packets. That is what a server is. This is where denial of service attacks come in. If I as a user stop using my browser like usual to request data packets, and start programmatically sending way more than my share of requests. I can, in fact, send so many data packet requests to one server that that server becomes overwhelmed and stops functioning. Computing machines can only do so much. If they do too much at once, they start running slowly. If the amount of work their processors are doing continues to increase, the computer will eventually cease to function altogether. In other words, a denial of service attack is when I attempt to make a computer do so much work it shuts down.
There’s a fantastic rewrite of The Three Musketeers, with more magic and the sexism edited out, by Steven Brust called 500 Years After. The novel features an assassination of an emperor. The catch, besides the usual difficulties intrinsic to such endeavors, being that the emperor has a magical orb above his head which protects him from all attacks, magical and physical. The assassin simply throws spells at this orb until it overloads, and then he goes and does his assassin thing no problem. Same idea. Denial of service by creating more work than can be completed.
Anyway, back to the internet. Because denial of service attacks are such a problem, most servers now implement some security that will detect a large number of requests coming from one computer and block it. Even some routers now will actually drop packets from one host that is sending a very large numbers. This is why modern denial of service attacks are typically distributed. This is the era of botnets, zombie computers, proxy servers, and other methods of disguising the origin of data packets. This makes the attack much more difficult to defend against because no one host is obviously abusing the system. Remember, as far as a router is concerned, data packet is a data packet is a data packet, and while too many packets coming from one source is suspicious, it is difficult to impossible to tell that there is any thing suspicious about many packets going to one destination. Servers can get so much traffic legitimately that they go down. This happened to Skepchick due to the popularity of the liveblog of the Nye vs Ham debate. Unless we all start implementing the evil bit protocol,* any filtering of packets for evilness has to happen at the server. This is now harder than a denial of service attack launched from only one host, because it’s so much more difficult to detect and filter many malicious hosts than a single one. This is why DDOS, or distributed denial of service attacks, are so very effective.
There is, in the U.S. some push, by which I mean one paper (that I know of) and an Anonymous petition via whitehouse.gov, to have DDOS attacks treated as a form of civil disobedience analogous to a sit-in. The problem with the analogy, of course, is that sit-ins, as a form of protest, do not damage the business being protested against. Those participating in sit-ins ordered food and paid for it, assuming a lack of retaliatory violence, of course. Denial-of-service attacks are the equivalent of an armed mob outside the restaurant preventing anyone from patronizing the establishment.
Where claiming DDOS as an analogy of civil disobedience becomes even less analogous is that, instead of being a means for the underprivileged to protest prevailing power structures, doing things to block access to the internet damages the rich and powerful the least, and the already internet-deprived the most. The U.S. government may not be good at internetting, as witness the initial roll out of healthcare.gov, but it does have the legal resources to prosecute members of Anonymous for DDOSing. Google may not necessarily be into prosecuting for attacks, but they have millions of servers and employee a lot of security researchers. It’s private website owners who will struggle to keep their websites operational and can’t easily afford redundant systems and security personnel. And as security measures are implemented, we get collateral damage which affects the very very least privileged of internet users.
Think of people who don’t have good internet connectivity in the first place. When I was in Tanzania, I didn’t really have the latency to perform online banking. Bank websites implement lots of security features for very good reasons, but this makes loading their sites take time. Data packets don’t live forever. After some amount of time just expire and get dropped from the internet. This results in time out errors, meaning the time it took to get content exceeded the amount of time the packet lives. What this means is that the necessity to guard against online evil doers is cutting off easy access to global commerce for much of the developing world. Reflections on the badness of this is left as an exercise to the reader. Similarly, the more of the internet that implements time-consuming authentication procedures, the more of the web becomes off limits to people who don’t have good connectivity. Note that blocking access to the internet is a human rights violation. Access to a global society and all its commerce, knowledge, and art, is that important. Loss of access to that is a big flaming deal. Note also that I do think the internet does need an actual mechanism for protest, but it needs to be one that does not cause harm.
*A proposed internet protocol by which one bit of the IP header is used to indicate malicious intent. Any sender with malicious intent must set this bit to true, and all routers are instructed to discard any packets that indicate malicious intent. Proposed in RFC 3514, published April 1, 2003, this would clearly completely solve all internet security problems.