Chapter 9. Conclusions


As we have seen, distributed DoS attacks are a genuine threat that causes serious damage to many Internet users. The losses being suffered have escalated from being merely annoying to actually being debilitating and disastrous for some users. There is every reason to believe that the rate and seriousness of DDoS attacks will increase. The current limited level of losses caused by DDoS is probably not due to successes in defending against them, difficulties in perpetrating the attacks, or lack of attractive targets to attack. Rather, the level of loss is related more to the motivations and desires of those who are perpetrating the attacks. As more unprincipled and dissatisfied users of the Internet observe the success of DDoS attacks, we should expect the frequency and severity of such attacks to increase.

There are existing examples suggesting that we will indeed see such a trend. Politically motivated DDoS attacks have taken place (such as the attack against Al-Jazeera). DDoS attacks have been used to state political opinions (like the attacks on SCO in protest of their intellectual property claims on Unix and Linux source code). A company in Great Britain may have been put out of business by a DDoS attack. Criminals have begun to investigate ways to turn DDoS attacks into profits (extortion attempts based on threats of unleashing DDoS attacks). For example, Mybet, a German Internet gambling site, was recently hit with a DDoS attack that prevented customers from reaching it for 16 hours, causing more lost income than the extortion attempt associated with the attack demanded [Leb]. Many British gambling sites, including iBetX, William Hill, TotalBet, UKbetting, and SportingOptions, have been targeted by similar attacks when they refused to pay the extortionist's price [Leyb]. Because of the low technological barrier required to become the commander of an army of DDoS agents that can then be directed at any Internet target, we can expect that DDoS attacks will become more frequent and more targeted toward achieving aims of these sorts.

As long as DDoS attacks prove effective in achieving such aims, attackers are likely to continue using them. Until we find a reasonable defense against some kinds of DDoS attacks, we should expect to see their incidence, power, and seriousness increase. Why? Because network bandwidth, processor speed, and number of available systems that can be attacked and compromised all continue to increase, as does the sophistication of attacker tools for compromising computers and using them to attack. Nor is it common for a DDoS attacker to be arrested, let alone prosecuted or convicted, so legal deterrents are not yet effective. Existing commercial defenses are not likely to be sufficient to stem the tide of increasing attacks.

Obviously, then, something needs to be done. But the way ahead is not clear. Many intelligent researchers have been examining the DDoS problem for several years now, and we do not lack for a variety of approaches to creating a sufficient defense against DDoS attacks. What's lacking is any consensus among those researchers on which of the approaches actually show sufficient promise to take the step beyond research prototypes to make them effective solutions for real-world deployment. Full consensus has not even been achieved on the nature of the entire problem, even at the level of a common agreement on exactly what constitutes a DDoS attack.

A major reason for the lack of consensus is that we lack any convincing method of demonstrating the effectiveness of solutions. Each researcher or commercial provider performs some series of tests that give them sufficient confidence about their approach to make claims that it works, to some extent, at least. Some of these tests amount to little more than trying a few DDoS attacks against the proposed defense and declaring victory once the defense stops them. Even the best of these tests are rarely more than using parameterized traffic generators with a variety of settings to generate many different forms of attacks, perhaps coupled with some limited blue team/red team testing. No one in either the research or commercial community has provided really convincing evidence that their system handles a wide variety of possible DDoS attacks, nor have they provided a methodology for a head-to-head comparison of proposed DDoS solutions. One outstanding problem, then, that must be overcome before we have any real hope of combating real-world DDoS threats is to find a way to test how well a proposed defensive mechanism works.

We do not propose to go into all the reasons why determining the efficacy of a DDoS mechanism is difficult, but we will suggest a few major ones:

  • Security metrics of any kind are hard to come by.

  • There is not even complete understanding among all those involved in DDoS defense on what the actual goal of the defense should be. Some claim it should stop the onslaught of the attack traffic, at all cost. Others claim it should make sure legitimate traffic gets through. Both goals are important, since stopping the bad traffic benefits everyone, but getting the legitimate traffic through prevents the DDoS attackers from achieving their real goal.

  • There is no well-defined statement of what kind of attacks a good DDoS defense mechanism must handle to be labeled successful.

  • There is no common testing methodology or large enough testing environment in which to perform comparisons.

  • Any convincing testing methodology would need to observe the behavior of the system in the face of realistic traffic, and producing simulations or generating such traffic is not trivial.

  • Skills and strategy/tactics in incident response against DDoS attacks are still not widespread enough to generate sufficient demand for a solution or the motivations to engineer networks that would accommodate such solutions. Without strong demand, the research and development required to understand and evaluate DDoS attacks and defenses will not be performed.

Fortunately, some researchers have recognized this problem and are now starting to tackle it in an organized way. The National Science Foundation and the Department of Homeland Security have funded research to investigate DDoS measurements and benchmarking, and a program to build a substantial testbed for performing evaluations of DDoS and other cybersecurity solutions [USC]. Many of the researchers in the DDoS community are contributing in other ways: by holding workshops and discussions of these issues, by writing papers that seek to better define the DDoS threat, and by investigating both the breadth of the potential DDoS problem and the space of possible solutions.

All of these efforts, however, are mere precursors to finding a fabric of layered solutions that address all aspects of the DDoS problem, from the ability to take control of huge numbers of computers and do with them as the attacker desires, to creating network-level autoimmune-style actions, to improving the efficiency of human incident response. Few in the DDoS research community seem to believe that any proposed solution, in its present form or with minor improvements, would stand up particularly well to the benchmarks and testbeds we hope to have in a few years, much less prove of great efficacy in halting the DDoS threat in the real world. The character of the DDoS threat will evolve over time, probably becoming more difficult to handle. Therefore, even if some existing system handled all of today's threats well, it would be unlikely to be a complete solution for the future. A more reasonable hope is that better understanding of the performance, strengths, and weaknesses of different defense approaches will ultimately provide guidance on truly effective solutions. Thus, there will be much more research to be done before we can claim to have a full understanding of the problems associated with DDoS attacks and effective countermeasures to the DDoS threat, in the same way that we have relatively good understanding of the nature of viruses and effective ways to handle them.

We must remember that these relatively effective tools for handling other security threats have not eliminated those threats. They have merely reduced them to manageable levels. The same is nearly certain to be true for DDoS threats. The Internet is not just waiting for a magic switch to be thrown that will, at whatever cost, eliminate DDoS attacks forever. Rather, we eventually hope to reach the point where vigilant system administrators who can afford to spend moderate amounts of money on their defenses and even greater amounts of their time on properly configuring them and running them will usually be able to handle common DDoS attacks.

There is good reason to believe we will never be able to make DDoS attacks impossible. Ultimately, a DDoS attack can consist of a vast number of requests coming in to a site that are indistinguishable from real requests for that site's resources. In many ways, a DDoS attack is a flash crowd with a bad attitude. The physical world's solutions for dealing with situations in which more people want something than can get it are usually imperfect, and we are unlikely to do much better in cyberspace. However, these sorts of solutions are good enough for most purposes in the real world, and are similarly likely to be good enough for handling most DDoS attacks. Our goal need not be perfection, but just to reduce the threat to the point where we all know how to live with the possibility of DDoS attacks and how to handle them when they do occur. To achieve this more realistic goal, we should enlist all tools at our disposal, including social, financial, legal, and political solutions, as well as purely technical ones.
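The two defense goals named in the list above (stop the attack traffic versus get legitimate traffic through) and the "flash crowd with a bad attitude" observation can both be made concrete with a small measurement harness. The following is an added example, not code from the book or from any project it discusses: it builds a constructed, deterministic request trace, models the victim as a server that can serve a fixed number of requests per second in arrival order, and scores three hypothetical defenses (`no_defense`, `per_source_limit`, `panic_filter`; the names, traffic mix, and capacity figures are assumptions chosen for illustration) on exactly those two metrics. It also goes one step beyond the text by running the per-source rate limit against a "crowd" of bots that each request no faster than a real client, which is the case the chapter says cannot be distinguished per request.

```python
# Added toy DDoS-defense evaluation harness (illustrative, not from the book).
# Metrics: fraction of legitimate requests served (goal 2 in the chapter) and
# fraction of attack requests blocked (goal 1). Traffic and figures are constructed.
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Request = Tuple[float, str, bool]          # (arrival time in seconds, source id, is_legitimate)
Defense = Callable[[List[Request]], List[bool]]   # per-request admit decisions


def make_traffic(n_legit: int, legit_rate: int, n_bots: int, bot_rate: int,
                 seconds: int = 3) -> List[Request]:
    """Constructed trace: each bot sends `bot_rate` requests per second starting at
    the top of the second; each legitimate client sends `legit_rate` requests per
    second offset by half an interval so they never tie with the bots' burst."""
    reqs: List[Request] = []
    for s in range(seconds):
        for b in range(n_bots):
            for k in range(bot_rate):
                reqs.append((s + k / bot_rate, f"bot-{b}", False))
        for c in range(n_legit):
            for k in range(legit_rate):
                reqs.append((s + (k + 0.5) / legit_rate, f"client-{c}", True))
    reqs.sort(key=lambda r: r[0])   # stable sort: ties keep generation order
    return reqs


def no_defense(reqs: List[Request]) -> List[bool]:
    """Admit everything; the server's capacity is the only limit."""
    return [True] * len(reqs)


def per_source_limit(max_per_sec: int) -> Defense:
    """Admit at most `max_per_sec` requests per source per second. This only
    separates attackers from clients by how often a single source asks."""
    def defense(reqs: List[Request]) -> List[bool]:
        seen: Dict[Tuple[int, str], int] = defaultdict(int)
        decisions = []
        for t, src, _ in reqs:
            seen[(int(t), src)] += 1
            decisions.append(seen[(int(t), src)] <= max_per_sec)
        return decisions
    return defense


def panic_filter(threshold_per_sec: int) -> Defense:
    """'Stop the onslaught at all cost': drop every request in any second whose
    total arrival count exceeds the threshold, legitimate ones included."""
    def defense(reqs: List[Request]) -> List[bool]:
        arrivals: Dict[int, int] = defaultdict(int)
        for t, _, _ in reqs:
            arrivals[int(t)] += 1
        return [arrivals[int(t)] <= threshold_per_sec for t, _, _ in reqs]
    return defense


def evaluate(reqs: List[Request], capacity_per_sec: int,
             defense: Defense) -> Tuple[float, float]:
    """Serve admitted requests in arrival order, at most `capacity_per_sec` per
    second (drop-tail). Returns (legit_served_fraction, attack_blocked_fraction)."""
    admitted = defense(reqs)
    served_in_sec: Dict[int, int] = defaultdict(int)
    legit_total = legit_served = attack_total = attack_served = 0
    for (t, _, legit), ok in zip(reqs, admitted):
        sec = int(t)
        served = ok and served_in_sec[sec] < capacity_per_sec
        if served:
            served_in_sec[sec] += 1
        if legit:
            legit_total += 1
            legit_served += int(served)
        else:
            attack_total += 1
            attack_served += int(served)
    return legit_served / legit_total, 1 - attack_served / attack_total


def run_scenarios() -> Dict[str, Tuple[float, float]]:
    """Four constructed cases on a server that can handle 60 requests/s.
    'burst': 20 clients at 1 req/s against 40 bots at 10 req/s.
    'crowd': the same clients against 400 bots that each send only 1 req/s,
    i.e. per-request indistinguishable from a client (a flash crowd)."""
    capacity = 60
    burst = make_traffic(n_legit=20, legit_rate=1, n_bots=40, bot_rate=10)
    crowd = make_traffic(n_legit=20, legit_rate=1, n_bots=400, bot_rate=1)
    return {
        "burst/no_defense": evaluate(burst, capacity, no_defense),
        "burst/per_source_limit": evaluate(burst, capacity, per_source_limit(1)),
        "burst/panic_filter": evaluate(burst, capacity, panic_filter(100)),
        "crowd/per_source_limit": evaluate(crowd, capacity, per_source_limit(1)),
    }


if __name__ == "__main__":
    for name, (legit_ok, attack_blocked) in run_scenarios().items():
        print(f"{name:24s} legit served {legit_ok:5.0%}   attack blocked {attack_blocked:5.0%}")
```

On the "burst" trace the panic filter blocks 100% of attack traffic but also serves 0% of legitimate requests, while the per-source limit serves all legitimate requests and still blocks 90% of attack traffic; the two goals from the list above are therefore not interchangeable, and an evaluation that reports only one of them can make either defense look good. On the "crowd" trace the per-source limit does no better than no defense at all (0% legitimate served), because nothing in a single request or in any one source's rate distinguishes the bots from clients.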

Any solution we do produce that limits the threat of DDoS to a manageable level will have to be continually improved. Like all other security problems, defending against DDoS attacks is akin to an arms race. As defenses make particular forms of DDoS attacks ineffective, the attackers will seek new weak points that permit them to resume the attacks. The defenders must then improve their defenses to counter those attacks, and the attackers go back to the drawing board to find new ways around the better defenses. Other cybersecurity problems are also arms races, and they have been dealt with sufficiently well to allow us all to go about our cyberbusiness with reasonable safety. It is always possible to invent a new virus that existing virus protection programs will not detect, but once that happens, the virus protection providers find a way to stop it and everyone gets back to business. Similarly, increasingly sophisticated DDoS attacks can quite possibly be met by increasingly powerful defenses.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126