Improving Technical Security Technology

The DDoS Attack Against Liberia – we must take collective action for the future of the Open Internet

If it was not clear yet: the Internet Society condemns those that perform large-scale distributed denial-of-service (DDoS) attacks on Internet infrastructure and services.

These attacks are a threat to all the opportunities that the Internet brings.

Bumping a small nation off the Internet map worries everybody, including those that are most friendly to the open nature of the Internet. These sort of actions will cause reactionary measures that lead to fragmentation, decrease the ability for permissionless innovation, and give rise to calls for measures that prevent any anonymous or privacy-protecting behaviour on the Internet.  If bumping a nation from the Internet doesn’t worry enough Internet-friendly people in positions of power then another DDoS attacks with societal impact will.

I am going to be hopelessly naïve and call upon those that are involved with these botnets: stop spoiling your own nest.

On a less emotional note. “The Internet only just works” was the title of a 2006 paper by Mark Handley. His main argument was that the Internet collectively addresses issues when they get urgent. In the past two years, the dynamics of DDoS attacks seems to have changed in scale and magnitude. Individuals, organisations, companies, and even countries are impacted.  That should make it clear that there is urgency in addressing the root causes of this problem. The outline of the agenda for that l laid out in my previous blogpost:

  • Producers follow, and share, good design practices;
  • For every product sold there is a way that security researchers can responsibly disclose vulnerabilities found;
  • Producers can fix, or patch, these vulnerabilities during the lifetime of the device (Field Upgradability);
  • We clearly understand what happens if the product, or the supporting producers, reach end-of-life (Device Obsolescence);
  • Consumers can make informed choices based on these properties (Cost vs. Security trade-offs);
  • Data that IoT devices collect are protected and dealt with in privacy-honoring ways (Data Confidentiality and Access Control); and
  • Those who go about device security in an irresponsible way get penalised.

The global division in the level of interconnection and human capacity and experience is sadly exposed. I know that the Internet technical community is doing everything in its power to limit the effects of the DDoS attacks, but unfortunately, a western company like Dyn is in a much better position to cope with the effects of a DDoS than the Liberians. That suggests an agenda of capacity building. Capacity building in technical operation and security management around all the world has always been one of our priorities. We have been convening efforts to mobilise the community such as MANRSanti-spoofing work and DNS security.  We, the Internet Society, together with numerous partners, will continue developing and strengthening capacities for coping with this sort of problems, with a special focus on developing countries.

The apparent and sudden rise in scale and frequency of DDoS attacks makes this a very urgent problem, one of those that Handley told us will get fixed. But to get there collective action is needed, across the industry, the public sector, by law enforcement, and consumers, by all stakeholders.

All to protect the Open Internet, an Internet of opportunities.

Image credit: Google Maps