Distributed denial of service (DDoS) attacks have been in the news lately, and a number of people have asked me whether Ridgeback can prevent such an attack. What seems like a simple question actually touches on some complex issues. This post breaks it all down.
First, a DDoS attack consists of:
- An unregulated network connecting everything: The Internet serves as the medium for most DDoS attacks.
- The target: Bad guys look to take down Internet-facing, publicly available resources, such as one or more web servers or DNS servers.
- Ammunition: The bulk of the attack traffic is generated by many devices that are themselves reachable and controllable from the Internet, such as poorly secured DNS servers, Linux servers, refrigerators, or whatever else happens to be lying around.
- Command and control: Bad guys control one or more computers that send command and control messages to the ammunition.
Now let’s break down the parts.
An Unregulated Network Connecting Everything
While most of us love the Internet and the practically infinite flow of information it brings, many people fail to realize it is one gigantic unregulated network. That is, when you plug into the Internet you plug into the same network used by the worst-of-the-worst people on the planet. In a practical sense, you are directly connected to every person and every organization that you absolutely hate, fear, and want nothing to do with at all. Isn’t that a curious situation? Perhaps we should better partition or regulate the Internet.
The Target
When a person or organization connects a computer to the Internet for the purpose of making information or services publicly available, they do so for everyone on the planet. Logically, everyone on the planet could request access to that resource, all at once. When that happened in the past, we used to call it the Slashdot effect, meaning a news article on the Slashdot web site drove prolific numbers of gawkers to check out the resource. Today, when the same flood of requests is generated deliberately, we call it a DDoS attack. If you don’t want everyone accessing your resource all at once, then why did you make it freely available on the Internet?
Ammunition
Most people put things on the Internet without too much concern for whether those things will be hacked. I have heard the refrain so many times it makes my head hurt: “Why should I care if my cable modem gets hacked? It won’t hurt me.” Things get dicey when the number of easily hackable thingamajigs grows into the millions or billions. There are easy ways to control all of those resources and use them for the nefarious purpose du jour. Maybe you can’t do it, or maybe you think it is hard. However, I am telling you it can be done, easily, and it will be done, easily. Why is everyone so willing to put devices on the Internet and then invite the worst of humanity to log in and control those devices? To put it crudely, and with only a modicum of hyperbole, consumers are inviting child molesters into their homes, giving them the keys to their cars, and wondering what the problem is.
Command and Control
Finally, there are plenty of bad guys hiding out on computers all across the Internet. These computers may be their own, or they may be hijacked computers like hospital human resource servers. These computers are used to control the ammunition devices. In the cases of the Internet, the target, and the ammunition, people are essentially shooting themselves in the collective foot. The message here is don’t be an idiot and settle for 100% convenience and 0% security. Granted, ammunition devices, such as Internet-connected refrigerators, can also be used for command and control. This makes the whole DDoS attack issue a structural problem. We have collectively decided that a world without doors is a good idea, and then we get frustrated when packs of wild hyenas come rushing in.
Ridgeback and Security
If no one is trying to keep anything secure, then it is hard to place Ridgeback into the equation. Ridgeback is not a scrubbing service that absorbs a flood aimed at your Internet-facing web or DNS server; it works on the inside of the network. To use Ridgeback you need to segment your networks, and then place Ridgeback sensors into the network segments. At your organization you should have one or more private network segments. Each of these segments should be treated as a local network, with no direct route from the Internet. Segmentation by itself greatly improves security posture. Ridgeback operates within a network segment, automatically deploying and maintaining more defensive measures than any human security engineer could install or keep up by hand. The point is to keep the inside of a network safe, which also means your own devices are far less likely to become someone else’s ammunition or command and control. Keeping the network interior safe means squashing insider threats and dramatically lowering the cost of information security.
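The segmentation requirement above ("no direct route from the Internet") is easy to state and easy to violate quietly with one extra firewall rule. The following Python is an added example, not Ridgeback's code and not from the original post: it audits a zone-based firewall policy and reports every private segment the Internet can reach. It goes one step beyond the text's direct-route test by also following allowed flows through intermediate zones, since a private segment reachable via the DMZ is exposed just as surely. The zone names, the rules, and the first-match/default-deny semantics are constructed for illustration.

```python
"""Audit a zone-based firewall policy for private segments reachable from the Internet.

Added example (not Ridgeback's code). Zone names, rules and the
first-match/default-deny semantics are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    private: frozenset   # zones that must have no route from the Internet
    rules: tuple         # first matching rule wins; no match means deny


def permits(policy: Policy, src: str, dst: str) -> bool:
    """First-match evaluation with an implicit default deny."""
    for r in policy.rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return False


def paths_from(policy: Policy, zones, origin: str) -> dict:
    """Breadth-first search over zones along allowed flows.

    Returns {zone: path_from_origin} for every zone reachable from origin,
    directly or through intermediate zones (e.g. internet -> dmz -> corp).
    """
    paths = {origin: [origin]}
    queue = deque([origin])
    while queue:
        here = queue.popleft()
        for z in zones:
            if z not in paths and permits(policy, here, z):
                paths[z] = paths[here] + [z]
                queue.append(z)
    paths.pop(origin)
    return paths


def audit(policy: Policy, zones) -> dict:
    """Private zones reachable from 'internet', with the path that exposes each."""
    reach = paths_from(policy, zones, "internet")
    return {z: p for z, p in reach.items() if z in policy.private}


ZONES = ("internet", "dmz", "corp", "ot")
PRIVATE = frozenset({"corp", "ot"})

# Constructed weak policy: the DMZ is public as intended, but a "dmz -> corp"
# rule added for a web app's database, plus a vendor remote-support rule into
# the OT segment, expose both private segments (one of them only transitively).
WEAK = Policy(PRIVATE, (
    Rule("any", "dmz", "allow"),
    Rule("dmz", "corp", "allow"),
    Rule("internet", "ot", "allow"),
    Rule("corp", "any", "allow"),
))

# Corrected policy: the DMZ stays public, but only corp may initiate into OT,
# and nothing may initiate from the DMZ inward (default deny covers that).
FIXED = Policy(PRIVATE, (
    Rule("any", "dmz", "allow"),
    Rule("corp", "ot", "allow"),
))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("fixed", FIXED)):
        exposed = audit(pol, ZONES)
        print(name, "exposed private zones:", exposed or "none")
```

Run it and the weak policy reports `ot` reached directly and `corp` reached via the DMZ; the fixed policy reports nothing. The transitive check is the one worth keeping: a rule review that only looks for `internet -> <private zone>` entries would have passed the `corp` segment.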
DDoS attacks can be a real pain, but strictly speaking the means for these attacks have been designed into the Internet and endorsed by both sellers and consumers. Preventing DDoS attacks requires either structural changes to the Internet or serious cultural changes with respect to how we use the Internet.