LAS VEGAS–The Internet that we use today was not designed as a cohesive network. It was put together from found bits and pieces over the course of the last few decades, and, as major bugs such as Heartbleed and others have shown, it’s a frighteningly fragile construction.
Attackers know this as well as anyone, and they’ve certainly made a lot of hay in recent years exploiting the fundamental weaknesses of the Internet. Serious flaws in protocols such as SSL, the DNS system and other key pieces of the Internet’s infrastructure have made life easier for the bad guys. But that doesn’t have to continue, experts say.
“Not all bad guys have the same level of skill. We have an advantage as defenders–we don’t have many, but we have the advantage that we get there first. We select the parts on our networks, we select the teams. We’re in a position to define the rules of the game and we’re under no obligation to make them fair, because the attackers certainly don’t make them fair for us,” Dan Kaminsky, chief scientist at White Ops and a longtime security researcher, said in a talk at the DigiCert Security Summit here Friday.
Kaminsky pointed to the problem of DDoS attacks as an illustration of how defenses need to evolve. For most of recorded time, the accepted response to a DDoS attack has been mitigate the effects of the flood by making the inbound pipe larger. Defenders also typically try to target and filter the malicious traffic, but that can have side effects for the legitimate users and services on a targeted network. DDoS attacks have gotten progressively larger as bandwidth has expanded and become cheaper and attack techniques have become more efficient, which makes mitigation efforts more difficult.
Rather than simply continuing to throw larger pipes at the problem, Kaminsky suggested a system that would involve routers along the path of a DDoS attack send a special packet once in every million packets to the target server that would contains some specific information. The data in the packet could tell the targeted server which routers along the attack path are not part of the attack and provide information about the attack itself.
Kaminsky emphasized that while there are quite a few serious problems with the Internet, just being secured–for whatever definition of that word you choose–against the major issues doesn’t begin to address the full scope of the issue.
“A lot of mitigations are basically you taking a pole and sticking it into the ground and hoping that the attacker drives directly into it,” he said. “What happens if he makes a right turn? Even if you were one hundred percent secure against all of these major bugs, it would still only address one percent of the problem.”
Several years ago, Kaminsky discovered a critical vulnerability in the DNS system and was one of the major players in the global response to it, working with certificate authorities and other organizations to address the problem. One of the things he said he learned after going through that experience was how fragile the Internet really is.
“That whole DNS thing kind of sucked. What was surprising is how much duck tape and baling wire the Internet is made from,” he said. “One of the questions we got is how do we find these name servers that are vulnerable. It turns out it’s really hard to secure things you don’t know exist.”