9.1. Prognosis for DDoS
Given that we expect attacks to become more sophisticated in response to improved defenses, what will the DDoS attacks of the future look like? Answering this question is inherently speculative, and even more so since attacks of the future are likely to be characterized by how they avoid the defenses of the future, and we do not currently have a good sense of what these defenses will be. With those caveats, here are our best guesses on the future of DDoS attacks.

9.1.1. Increase in Size

DDoS attacks of the future are likely to be larger than those perpetrated today. Armies of compromised machines numbering in the tens or hundreds of thousands seem readily available on the black market. A strongly motivated opponent can probably draft a larger army than that. A million-node DDoS network is not beyond the bounds of possibility; indeed, some evidence suggests that such a network might already exist. Thus, researchers would be prudent to investigate defenses that could handle such an immense attack. A system administrator armed only with today's best target-side defense tools is unlikely to be able to handle an army of anything close to that size, and it may well be that even in the future handling such large armies will require assistance from outside the ISP of the attack's target.

9.1.2. Increase in Sophistication

Chances are that any successful DDoS defense mechanism will be most effective against attacks that are unsophisticated, especially attacks whose packets are all similar and easy to characterize. Thus, attackers are likely to move away from such attacks to attacks that consist of widely varying types of packets. Indeed, they have already made first steps in that direction. Existing DDoS attack toolkits allow many variations. For example, attackers can vary the proportions of packets that use particular transport protocols; they can alter their spoofing characteristics; or they can vary patterns of which machines in a DDoS army attack at what times, allowing pulsing attacks.

The more sophisticated the defense tools get at picking out the characteristics of attack packets from the entire stream of packets, the more sophisticated the attackers are likely to become. For example, if entropy measurements prove effective in detecting which packets comprise the attack flow, attackers might try to control the entropy of various attack packet characteristics to confuse the defense systems.
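To make the entropy measurement mentioned above concrete, here is an added example (not code from the book) that computes the Shannon entropy of a few packet features over an observation window and reports which features drift from a baseline; the packet records, the feature names and the drift threshold are constructed assumptions.

```python
import math
from collections import Counter

FEATURES = ("src", "dport", "proto")

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def entropy_profile(records):
    """Entropy of each packet feature over one observation window."""
    return {f: shannon_entropy([r[f] for r in records]) for f in FEATURES}

def flag_window(baseline, window, threshold=1.0):
    """Features whose entropy drifted more than `threshold` bits from the baseline."""
    return [f for f in FEATURES if abs(window[f] - baseline[f]) > threshold]

# Constructed baseline: four hosts talking to a handful of services (not real traffic).
BASELINE = [
    {"src": "10.0.0.1", "dport": 80,  "proto": "tcp"},
    {"src": "10.0.0.1", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.2", "dport": 53,  "proto": "udp"},
    {"src": "10.0.0.2", "dport": 80,  "proto": "tcp"},
    {"src": "10.0.0.3", "dport": 25,  "proto": "tcp"},
    {"src": "10.0.0.3", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.4", "dport": 53,  "proto": "udp"},
    {"src": "10.0.0.4", "dport": 80,  "proto": "tcp"},
]

# Constructed flood window: 16 distinct sources all hitting one port with one protocol.
FLOOD = [{"src": f"198.51.100.{i}", "dport": 80, "proto": "tcp"} for i in range(16)]

def analyse(baseline=BASELINE, window=FLOOD):
    """Return (baseline profile, window profile, list of drifted features)."""
    base, win = entropy_profile(baseline), entropy_profile(window)
    return base, win, flag_window(base, win)

if __name__ == "__main__":
    base, win, flagged = analyse()
    for f in FEATURES:
        print(f"{f:6s} baseline={base[f]:.2f} bits  window={win[f]:.2f} bits")
    print("drifted:", flagged)
```

Source entropy rises (many distinct senders) while destination-port entropy collapses (one service), so both features are flagged; a window whose feature distributions were shaped to match the baseline would pass this check, which is exactly the evasion the paragraph anticipates.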

In one way, we might see less sophistication in attacks. With a large enough army, an attacker can overwhelm most targets by having each of his machines send a single packet, something as innocuous as a packet requesting that a connection be opened. By mere volume, these packets could overwhelm a server, and finding any difference between the packets sent by legitimate clients trying to open a connection and attackers seeking to overwhelm the service would be challenging.

9.1.3. Increases in Semantic DDoS Attacks

Researchers have discovered a number of ways in which a target machine can be kept busy with a relatively low volume of requests, so-called algorithmic attacks. For example, attacks on application hash tables, discussed in Chapter 4, have been demonstrated. Others are likely to be discovered and perpetrated in the future.

Generally, these kinds of denial of service problems will be best handled by changing the algorithm under attack to be less susceptible (akin to handling TCP SYN floods), but for some such attacks defenders may be able to use systems that observe the patterns of packets and can deduce which are part of the attack. Then the attack packets could be dropped, altered, or otherwise treated specially to prevent them from causing a DoS attack.

Defending against this type of algorithmic attack will have the good and bad properties of virus defenses. Specific attacks will require specific fixes, but when those fixes are made, that particular attack will become ineffective. Further, finding a new effective attack will require some work by the attacker. Whether genuine creativity will be required or mere slogging persistence will be enough remains to be seen. Regardless, even if a silver bullet is discovered that handles volume-based DDoS attacks, it is unlikely to also handle algorithmic attacks.
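A small illustration of the remedy described above (changing the vulnerable algorithm rather than filtering traffic), added here as example code and not taken from the book: a toy chained hash table whose bucket choice is predictable is compared with one keyed by a per-process secret, measured by the longest collision chain that a batch of constructed same-sum keys produces. The bucket count, the toy hash and the key set are assumptions.

```python
import hashlib
import os
from itertools import islice, permutations

NBUCKETS = 64
_SECRET = os.urandom(16)  # per-process key that a remote client never learns

def weak_hash(key: str) -> int:
    """Toy predictable hash: sum of byte values. Every anagram lands in one bucket."""
    return sum(key.encode()) % NBUCKETS

def keyed_hash(key: str) -> int:
    """Keyed hash: bucket placement depends on a secret, so collisions cannot be
    chosen in advance (the same idea as the per-process hash randomisation that
    mainstream interpreters adopted for their built-in dictionaries)."""
    digest = hashlib.blake2b(key.encode(), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big") % NBUCKETS

def max_chain(keys, hash_fn) -> int:
    """Longest bucket chain after inserting `keys`; a lookup scans its chain linearly,
    so this is the per-request work a low-volume algorithmic attack drives up."""
    chains = [0] * NBUCKETS
    for k in keys:
        chains[hash_fn(k)] += 1
    return max(chains)

def colliding_keys(n: int):
    """Constructed input: n distinct strings that all share the same byte sum."""
    return ["".join(p) for p in islice(permutations("abcdefgh"), n)]

def compare(n: int = 256):
    """Longest chain under each hash for the same n constructed keys."""
    keys = colliding_keys(n)
    return {"weak": max_chain(keys, weak_hash), "keyed": max_chain(keys, keyed_hash)}

if __name__ == "__main__":
    # The weak table degrades to one chain holding every key; the keyed table
    # stays close to the n / NBUCKETS average regardless of the input chosen.
    print(compare())
```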

9.1.4. Infrastructure Attacks

Another likely trend in DDoS is that attackers may increasingly choose to target something other than the end machine. Effectively, sometimes without knowing it, attackers are already flooding links somewhere upstream of the target machine, but explicitly targeting something else is less common today. One well-known attempt was the attack on the root DNS servers mentioned earlier. The attack obviously attempted to flood those servers, but very likely the true goal was to deny service to the wider Internet by making name lookups slow or impossible. Some DDoS attacks have already targeted routers or other parts of the Internet's infrastructure. DDoS attacks could again strike DNS servers, or they could be targeted at interrupting the spread of routing information, or they could be specifically designed to overwhelm firewalls, perhaps including algorithmic attack characteristics that cause particularly poor firewall performance.

It is highly likely that this kind of DDoS attack will eventually become part of more sophisticated attacks on both cyber and real-world targets. Attackers wishing to achieve their goals may start by separating their victim from the rest of the network, or cutting off their communications with a particular remote partner. A DoS attack would thus be merely one stage in a more complex plan, in the same way that disabling an alarm is only one step in burglarizing a building.

What might become the target of an infrastructure attack? Anything other than a source node and a destination node that is still required to perform some important action. Beyond DNS servers, routers, and firewalls, other examples might include key distribution servers, certificate servers, LDAP servers, or back-end cookie-based authentication servers. Some electronic cash schemes require online checking of the cash's validity by a third party. How will they behave if that third party is unavailable due to a DDoS attack? Spam control services often distribute blacklists or other information to their clients over the network. Attackers are already launching DDoS attacks on them to prevent this service from being effective. Perhaps a future worm will combine its spread with DDoS attacks on the virus signature distribution sites of the major security software companies. The possibilities are likely to be limited only by either the imagination of DDoS attackers or that of the designers of new Internet services.

9.1.5. Degradation of Service

We might see a trend toward degradation of service rather than denial of service. Current DDoS attacks try to make a service completely inoperable. If they are effective, they are usually also detected, at which point steps can be taken to stop them. But what if the attacker merely wanted to make your network heavily loaded at all times? Normal customers would get through, but would suffer slow service from your site. Detection would be much harder, since it would not be clear that anything was seriously wrong. Most of the promising DDoS defense strategies assume that the attack is crippling and are designed to detect and respond to that effect. They might not detect or remedy a mere slowing down of your network.

Degradation-of-service attacks lack the kind of instant gratification that casual DDoS perpetrators seem to desire. However, as a tool of economic warfare, they are much more attractive. A competitor's reputation can be damaged, or he can be forced to make investments in more hardware or bandwidth without any commensurate increase in his business. Someone who wants to keep an undesired news story from receiving wide attention could just make it slow and difficult to get to the site storing the information. Subtlety does not yet seem to be a characteristic of the typical hacker, but time may lead to more sophistication and more complex goals. Such sophistication has been observed in other types of cyber attacks, and will surely come to DDoS, as well.

9.1.6. Motivations for Attacks

The bulk of the DDoS attacks that we have observed to date appear to be typical activities of the hacker subculture. Either they are designed to demonstrate the hacker's abilities or they are part of an ongoing undercover war among hacker communities. However, there are disturbing signs suggesting that those with more serious and dark motives are starting to embrace DDoS as a tool, and we should expect such trends to increase.

The two major areas of increase are likely to be in politics and crime. We have already mentioned existing examples of both. DDoS is an effective tool for silencing an opponent, at least in the increasingly important world of the Internet. That makes DDoS a good tool for certain kinds of political warfare. Politics should be taken here in its broadest sense, not just applying to national candidates, but to international activities, advocacy for and against various political views, and perhaps even to the elections themselves. Those designing electronic voting systems should beware of connecting them to the Internet during elections, or at least be prepared to provide proper operation of the system despite DDoS attacks causing network disconnections.

Criminals have already embraced the extortion possibilities of DDoS. Cleverer criminals are likely to find more inventive uses of the attack to achieve their goals. Delivery of burglar alarm signals over the Internet would be at risk from such attacks, for example. As police operations increasingly rely on networking, criminals will be increasingly able to prevent coordination by law enforcement. A carefully planned DDoS attack might be able to manipulate the stock market or serve as an adjunct to other kinds of fraud.

Increasing use of Voice over IP (VoIP) services makes them a new candidate for DDoS attacks, causing disruption of business services that were formerly performed over very well-secured and difficult-to-attack infrastructures. Convergence of services (such as e-mail and text messaging, voice services, and geo-location) in cell phones and other wireless devices that are starting to use the Internet for their functions will become another target for DDoS attacks. Many of the application-level vulnerabilities discussed in this book that were mostly solved in the computer world are recurring as TCP/IP stacks and applications are ported to small, low-powered wireless devices. The result is that old DoS and DDoS attacks will work again against a new, weaker target base. For example, many Internet cell phones may lock up if old Windows TCP/IP packet fragmentation attack tools are used against them.

Generally, as our society relies more on having Internet communications ubiquitously available, the motivations for selectively disrupting them will increase. In the future, the preferred elementary school student excuse for not having completed an assignment might switch from "the dog ate my homework" to "DDoS took down the class Web site."

9.1.7. Overall Prognosis

At the most general level, the future of DDoS is improved defenses followed by improved attacks. Attackers will move away from the attacks we can readily handle and toward the attacks we find most challenging to deflect. Because the fundamental nature of a DDoS attack is "too much of a good thing," chances are that we will never be totally free of them, in some form or other. DoS attacks pop up every so often in the real world and are often hard to deal with. The automation of the Internet merely makes them easier for an individual to perpetrate, but not necessarily any easier to handle.

The border between the physical world and the cyberworld has already been breached. A paper by researchers at AT&T Research [BRK02] describes a variant of DDoS attack using a U.S.-based mail carrier for transporting massive amounts of catalogs and brochures ordered "automagically" from online Web forms to the physical target. A subsequent real attack on a notorious real-world spammer's home followed about a month later (see http://www.infomaticsonline.co.uk/News/1137552). His postal mailbox was inundated with a flood of catalogs, sales offers, and other postal junk mail, sent to him by irate Internet users tired of receiving spam from him. The idea has been extended by Jakobsson et al. into the concept of untraceable e-mail cluster bombs [JM].

One lesson that readers should take from this book is that systems put in the Internet are at risk from many attacks, DDoS among them, and it is not currently possible to fully protect nodes in the Internet. Recent worm incidents have caused unfortunate problems for many Internet-connected systems. As technology allows us to make use of computers and networks for ever-widening classes of applications, it is vital to keep in mind the risks one faces when something is moved onto a network accessible by all. The most important applications, such as control of power grids, hospital equipment, transportation, and military systems, demand especially careful thinking before making them Internet-accessible.


Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126