The BBC does a wonderful job of summarizing today’s massive DDoS attack, which affected many of ReadyMadeWeb’s customers as well as Internet giants like Netflix. The coverage pointed out that this disruption was three times the size of the previous record-breaking DDoS attack:
Arbor Networks, a firm which specialises in protecting against DDoS attacks, also said it was the biggest such attack they had seen.
“The largest DDoS attack that we have witnessed prior to this was in 2010, which was 100 gb/s. Obviously the jump from 100 to 300 is pretty massive,” said Dan Holden, the company’s director of security research.
Even more disturbing, BoingBoing reports that an anonymous security researcher has found that a much larger botnet could be easily assembled using the world’s glut of unprotected, easily compromised devices:
The researcher reports that 1.2 million such devices are available online (s/he compromised many of these machines in order to run the census). These machines are things like printers and routers with badly secured firmware, visible on the public net. They are often running an old version of GNU/Linux and can be hijacked to form part of a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attackware, and the devices themselves are completely unregarded.
Is there a game plan for when this day eventually comes? Would the feds need to start a “cash for clunkers” program for old printers and routers? Would the government pass computer security mandates? Or maybe vouchers for copies of Norton antivirus or 2 hours of support time with your local Linux neckbeard?
More locally, what am I supposed to do as a business owner who is providing a product to customers? What other product can be shut off remotely by an unrelated party a continent away?
The nature of the Internet makes DDoS attacks possible, but the attacks require a lot of computers to cause the sort of disruptions we saw today. Unfortunately, that’s exactly what the pitiful state of computer security provides—the ammunition that rogue groups need to bring down whatever Internet service is no longer to their liking.
This is a distributed problem with localized costs, much like some forms of pollution. Everyone dumps a bit of chemicals here, a few toxins there, and suddenly the people downstream are experiencing astronomical cancer rates. Unlike pollution, however, these individual acts of negligence (not updating software, not installing antivirus protection) can be gathered up by bad actors and wielded as a weapon.
So how do we address such a problem? When addressing pollution we used taxes, fines, mandates, and education to change how we treat the environment. But what about this problem? Do we attack the criminals or the innocent people enabling the criminal activity? Maybe both?