WIRED Position Statement
October 2003
Phil Karn, KA9Q
In my opinion, the most crucial omission in the present Internet
routing protocols is the lack of mechanisms to automate the detection
of, and reaction to, denial of service attacks and worms. These attacks have
become endemic on the Internet in recent years, largely due to the
astonishing insecurity of Microsoft software that gives rise to the
ability of some worms (such as Blaster) to propagate throughout the
entire Internet in a matter of minutes.
There is also the widespread deployment, often by worm or virus, of
distributed DoS tools that can conduct a coordinated attack against a
single target by thousands of hijacked computers.
All these attacks threaten to destroy what is left of the end-to-end
model responsible for the Internet's success. They stand as a major
impediment to the deployment of more distributed services such as
end-to-end VoIP, especially on relatively slow and expensive
communication channels such as cellular telephony and satellites.
Even when an attack fails to affect legitimate traffic, the excess
bandwidth charges resulting from the DoS traffic can eventually drive
a service out of business.
Since computers and local area networks have increased greatly in
speed in recent years, DoS attacks are generally more successful when
they target a customer's Internet access links rather than his computers.
Defenses at the computers are therefore useless; any effective
defenses must be deployed within the Internet itself.
I envision adding mechanisms to routers that perform the following
functions within the Internet:
1. Block specified packets addressed to a specific IP address UNDER
THE DIRECT CONTROL OF THE USER OF THAT IP ADDRESS.
Static, ISP-configured firewalls are almost always over-broad, clumsy
and inadequate. Desired traffic is often blocked, and it may be too
time-consuming during an attack to call an ISP operator to manually
block specified traffic, which may change rapidly specifically to
evade such filtering. It is therefore essential that the firewalls
within the network be under the direct control of the user of the
target IP address, without the need for human intervention by the
network operators.
A good start would be an open standard for the secure remote control
of a generic packet-filtering firewall. Security on this control path
is obviously important, but it need not be extreme to be effective.
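To make item 1 concrete, here is an added example (not code from the original statement, and not any ISP's actual control protocol) of what a minimal "secure remote control of a generic packet-filtering firewall" could look like. It assumes a per-customer shared secret provisioned out of band when the address block is assigned, a JSON message format, and a keyed-hash (HMAC) signature; the addresses are from the TEST-NET documentation ranges and are constructed. The security-relevant rule is the authorization check: a request is honored only if the destination it filters lies inside the requesting customer's own prefix, so a leaked key can at worst filter its owner's own traffic.

```python
"""Added example: user-controlled ISP-side packet filter control (item 1).
Message format, key provisioning and the 'owner of dst' rule are assumptions."""
import hashlib
import hmac
import ipaddress
import json
import time

# Hypothetical shared secrets, one per customer address block, provisioned
# out of band (assumption).  203.0.113.0/24 is TEST-NET-3; values constructed.
CUSTOMER_KEYS = {
    "203.0.113.0/28": b"constructed-demo-secret",
}


def _canonical(msg: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_request(secret: bytes, prefix: str, action: str, rule: dict,
                 ts=None, nonce=0) -> dict:
    """Customer side: build a 'block'/'unblock' request and sign it."""
    msg = {"prefix": prefix, "action": action, "rule": rule,
           "ts": ts or int(time.time()), "nonce": nonce}
    tag = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


class FilterController:
    """ISP side.  Installs a rule only if it is authenticated by the key of the
    customer who owns the destination addresses the rule affects."""
    MAX_SKEW = 300  # seconds of clock skew tolerated; assumption

    def __init__(self, keys, now=time.time):
        self.keys = {ipaddress.ip_network(p): k for p, k in keys.items()}
        self.rules = []     # installed (prefix, rule) pairs
        self.seen = set()   # (prefix, nonce) already accepted, for replay rejection
        self.now = now      # injectable clock so the check is testable

    def verify(self, req) -> str:
        try:
            msg, tag = req["msg"], req["tag"]
            prefix = ipaddress.ip_network(msg["prefix"])
            ts, nonce = int(msg["ts"]), int(msg["nonce"])
        except (KeyError, TypeError, ValueError):
            return "malformed"
        secret = self.keys.get(prefix)
        if secret is None:
            return "unknown customer"
        expected = hmac.new(secret, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(tag)):   # constant-time compare
            return "bad signature"
        if abs(self.now() - ts) > self.MAX_SKEW:
            return "stale"
        if (msg["prefix"], nonce) in self.seen:
            return "replay"
        # Authorization: the rule may only touch traffic *to* the requester's
        # own addresses, never someone else's.
        try:
            dst = ipaddress.ip_network(msg["rule"]["dst"])
            if not dst.subnet_of(prefix):
                return "not owner of dst"
        except (KeyError, TypeError, ValueError):
            return "bad rule"
        return "ok"

    def apply(self, req) -> str:
        status = self.verify(req)
        if status == "ok":
            msg = req["msg"]
            self.seen.add((msg["prefix"], int(msg["nonce"])))
            entry = (msg["prefix"], msg["rule"])
            if msg["action"] == "block":
                self.rules.append(entry)
            elif msg["action"] == "unblock":
                self.rules = [r for r in self.rules if r != entry]
        return status


if __name__ == "__main__":
    ctl = FilterController(CUSTOMER_KEYS)
    key = CUSTOMER_KEYS["203.0.113.0/28"]
    rule = {"proto": "udp", "src": "198.51.100.0/24", "dst": "203.0.113.5/32", "dport": 53}
    print(ctl.apply(sign_request(key, "203.0.113.0/28", "block", rule, nonce=1)))
    print(ctl.apply(sign_request(key, "203.0.113.0/28", "block",
                                 {"dst": "203.0.113.99/32"}, nonce=2)))
```

The keyed MAC, timestamp and nonce give roughly the "not extreme" level of protection the statement asks for: an attacker who can see the control channel cannot forge or replay requests, and an attacker who steals one customer's key gains only the ability to filter that customer's own inbound traffic. In a deployment the ISP would additionally rate-limit control requests and cap the number of installed rules per customer, which this sketch omits.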
2. Automatically detect a DoS attack and coordinate a response among
the affected routers by filtering the attack packets as close as
possible to their source(s). The detection may be performed by
mechanisms similar to those used to implement quality of service;
e.g., by sustained output queue overflows. Messages could be exchanged
between neighboring routers to cooperatively block or limit traffic
that would be discarded downstream anyway. Care must be taken to avoid
dynamic responses that might allow an attacker to use a relatively
small amount of traffic to trigger the packet-dropping mechanisms in
such a way that legitimate traffic is unduly affected.
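The following is an added toy model of item 2, written for this page rather than taken from the statement or from any router vendor's implementation. A downstream link monitor treats sustained output-queue overflow as the detection signal, blames a destination only when that destination dominates the offered load for several consecutive intervals, and then asks its upstream neighbor to rate-limit (not block) traffic to that destination, releasing the limit with hysteresis once the load subsides. The drop model, thresholds and message format are assumptions; the traffic schedules are constructed.

```python
"""Added example: cooperative DoS detection and upstream rate-limiting (item 2).
Thresholds, drop model and message format are illustrative assumptions."""
from collections import defaultdict


class LinkMonitor:
    """Watches one output link and blames a destination only when overload is
    sustained and that destination dominates the offered load."""

    def __init__(self, capacity, sustain=3, min_share=0.5, limit_fraction=0.5):
        self.capacity = capacity              # bytes the link carries per interval
        self.sustain = sustain                # consecutive overloaded intervals needed
        self.min_share = min_share            # dst must carry >= this share to be blamed
        self.limit_fraction = limit_fraction  # pushback limit as a fraction of capacity
        self.streak = defaultdict(int)        # dst -> consecutive implicating intervals
        self.active = {}                      # dst -> [limit, quiet intervals so far]

    def interval(self, offered):
        """offered: {dst: bytes offered this interval}.
        Returns (bytes dropped per dst, control messages for the upstream neighbor)."""
        total = sum(offered.values())
        excess = max(0, total - self.capacity)
        # Drop-tail approximation: overflow loss falls on every destination in
        # proportion to its share, so innocent traffic suffers while the link
        # is saturated.  That is the reason to act upstream rather than here.
        dropped = {d: excess * b / total for d, b in offered.items()} if total else {}
        msgs = []
        for d, b in offered.items():
            # A small flow cannot be blamed: it must dominate an overloaded link,
            # and do so for `sustain` intervals in a row.
            implicated = excess > 0 and b / total >= self.min_share
            self.streak[d] = self.streak[d] + 1 if implicated else 0
            if self.streak[d] >= self.sustain and d not in self.active:
                limit = int(self.capacity * self.limit_fraction)
                self.active[d] = [limit, 0]
                msgs.append({"type": "limit", "dst": d, "bytes_per_interval": limit})
        # Release a limit only after the destination has stayed well under it
        # for `sustain` intervals (hysteresis), so a brief lull does not flap.
        for d, state in list(self.active.items()):
            limit = state[0]
            state[1] = state[1] + 1 if offered.get(d, 0) < limit / 2 else 0
            if state[1] >= self.sustain:
                del self.active[d]
                msgs.append({"type": "release", "dst": d})
        return dropped, msgs


class UpstreamNeighbor:
    """Honors limit/release messages by clamping what it forwards per destination,
    discarding upstream what the downstream link would have discarded anyway."""

    def __init__(self):
        self.limits = {}

    def handle(self, msg):
        if msg["type"] == "limit":
            self.limits[msg["dst"]] = msg["bytes_per_interval"]
        elif msg["type"] == "release":
            self.limits.pop(msg["dst"], None)

    def forward(self, offered):
        return {d: min(b, self.limits.get(d, b)) for d, b in offered.items()}


def simulate(schedule, capacity=100, **kw):
    """schedule: per-interval {dst: bytes} generated by sources behind the
    upstream neighbor (constructed).  Returns one record per interval."""
    up, down, trace = UpstreamNeighbor(), LinkMonitor(capacity, **kw), []
    for offered in schedule:
        forwarded = up.forward(offered)
        dropped, msgs = down.interval(forwarded)
        for m in msgs:
            up.handle(m)
        trace.append({"dropped": dropped, "msgs": msgs, "limits": dict(up.limits)})
    return trace


if __name__ == "__main__":
    flood = [{"victim": 200, "other": 20}] * 5 + [{"victim": 20, "other": 20}] * 3
    for i, rec in enumerate(simulate(flood)):
        print(i, rec)
```

Two properties of the response address the caveat above. First, the trigger requires both sustained overflow and a dominant share, so an attacker sending a trickle that merely tips an already busy link over capacity gets no pushback installed against anyone, in particular not against an innocent destination. Second, the reaction is a rate limit sized to a fraction of the link, not a drop-all, so the target keeps receiving up to that limit and the other customers on the link stop losing packets the next interval. The tradeoff is real: a destination that legitimately carries most of a link's traffic during a genuine overload would be throttled to the same fraction, which is why the limit rather than a block is the safe default.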
I note that these mechanisms may prove useful in blocking spam from
known sources. E.g., user-controlled firewalls could implement IP
blacklists, keeping said traffic off the user's own access link. But
as annoying as spam is to the humans who receive it, it does not yet
present quite the threat to the Internet routing and transmission
infrastructure that worms and DoS attacks do.