Shostack + Friends Blog Archive

 

Online Extortion

There’s a long article by Joseph Menn in the LA Times about online extortion via DDOS attacks, and how much money it brings in. (Use Bugmenot for a login.)

The threat involved massive denial of service attacks on a gambling site, using thousands of “zombie” computers sending data to the site. It’s not clear how clever these zombies were. In theory, it’s possible to build a very clever zombie that pretends to be a customer, and tries to log in on a secure page. (Processing secure pages is slower than processing unsecured ones. It’s not really visible on the client side as much as on the server.)

There are three main ways to defend yourself against a DDOS:

  1. Build enough capacity that you don’t care.
  2. Distinguish real and fake traffic, block the fake.
  3. Go undercover and learn about the attackers. Have them arrested.

(1) is hard, even if you’re Google.

(3) is challenging for a bunch of reasons that are clear from Menn’s article.

Let me examine (#2) in more detail. Because these attacks are executed by programs, it’s usually possible to find differences between the attack streams and the real customer streams. It may be possible to throw away attack traffic, and let real traffic through, depending on how programmable your network gear is.

Throwing away attack traffic is procedurally expensive. You need to capture a bunch of baseline traffic, and then compare attack traffic, to see if you can distill out an actionable signature. You then need to test your signature against real traffic and see what it would discard. All of this expense makes DDOS defense an excellent area for a company to come along and do this for you. A company could invest in a collection of experts, custom software to do this, and a regular stream of customers so that they can learn what works and what doesn’t. All that means that for any given DDOS attack, they can defend you cheaper than you can defend yourself. Cool! It’s specialization in action.
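The procedure above (capture a baseline, compare the attack traffic, distill a signature, test it against real traffic), sketched as an added example that is not from the original post. The request fields, the traffic samples and the 2% discard budget are all constructed assumptions.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("ua", "path", "accept_lang")  # hypothetical per-request features

def reqs(n, ua, path, accept_lang):
    """Build n identical constructed request records."""
    return [dict(zip(FIELDS, (ua, path, accept_lang)))] * n

# Constructed data: a normal-traffic baseline, a capture window taken during
# an attack, and a separate sample of real traffic for testing the signature.
BASELINE = (reqs(60, "browser-a", "/", "en") + reqs(36, "browser-b", "/login", "en")
            + reqs(3, "feed-bot", "/", "") + reqs(1, "browser-a", "/login", ""))
ATTACK = reqs(900, "browser-a", "/login", "")  # zombies posing as a browser
WINDOW = BASELINE + ATTACK
HOLDOUT = (reqs(120, "browser-a", "/", "en") + reqs(70, "browser-b", "/login", "en")
           + reqs(8, "feed-bot", "/", "") + reqs(2, "browser-a", "/login", ""))

def candidates(record):
    """Every non-empty combination of field=value pairs in one record."""
    items = sorted(record.items())
    for size in range(1, len(items) + 1):
        yield from (frozenset(c) for c in combinations(items, size))

def rates(records):
    """Share of records matched by each candidate signature."""
    counts = Counter(c for r in records for c in candidates(r))
    return {sig: n / len(records) for sig, n in counts.items()}

def distill(baseline, window, max_fp=0.02):
    """Pick the signature with the largest excess share in the window, among
    those matching at most max_fp of baseline; ties go to the most specific."""
    base, win = rates(baseline), rates(window)
    ok = [s for s in win if base.get(s, 0.0) <= max_fp]
    return max(ok, key=lambda s: (win[s] - base.get(s, 0.0), len(s)), default=None)

def discard_rate(sig, records):
    """Fraction of records the signature would throw away."""
    return sum(sig <= set(r.items()) for r in records) / len(records)

if __name__ == "__main__":
    sig = distill(BASELINE, WINDOW)
    print("signature:", sorted(sig))
    print("attack traffic dropped:", discard_rate(sig, ATTACK))
    print("real traffic dropped:  ", discard_rate(sig, HOLDOUT))
```

With a discard budget of zero, `distill` returns `None` on this data: the constructed zombies copy a profile that some real customers also have, so every usable signature costs some legitimate traffic.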

Now, what happens when the ACME corp launches their DDOS Defender product line? (As I hope is clear, I’m talking theory. I have no idea if there’s such a product name out there.) Well, the attackers start trying to learn what it does to block traffic, so they can change their code and get around it. Then you’ve got a little arms race going.

Acme’s natural response is to try to hide details about their defenses. The more work they can make an attacker do, the better off Acme customers are. So now Acme’s prospective customers have a problem. How can they tell Acme’s product from a system with the same marketing which does absolutely nothing?

This is an ideal place for signaling, and warranties are an established form. So, does any DDOS prevention company offer a money-back guarantee, or otherwise send a strong signal of their self-confidence? (I don’t know, but I bet my readers do.)