Page 5 - Cyber Warnings
P. 5
The second thing that changed was that more and more attacks were motivated by commercial
or geopolitical purposes, which meant that attackers could apply much more resources to
developing and launching attacks.
The result is that we are entering into the age of Multi-Terabit DDoS attacks. With IoT, we may
be looking at attacks that are large enough to paralyze even large Internet service provider
networks.
An Old-Time Remedy, If Not a Cure
There is no complete cure for hackers or DDoS attacks. As long as humans have a financial
incentive to break things, they will continue to innovate ways to do just that to Internet
security. However, there is a significant remedial action that could help in a big way that has
existed for over a decade, but that is not being used.
Back in 2000, the Internet Engineering Task Force (IETF) – the global standards body – had
introduced a Best Current Practice (BCP38) to address the IP address spoofing problem.
BCP38 directs Internet Service Providers to check incoming data traffic to ensure that it is
coming from an IP address registered to the network that sent it out.
To verify that IP addresses line up with their sending networks, major networking gear
companies such as Cisco developed Reverse Path Forwarding technologies inside their routers.
This approach is also known as network ingress filtering.
A packet filter is placed at the edge of a network to spot IP sources that have adopted an
address belonging to some other network.
About 80 percent of large Internet backbone providers today have implemented ingress filtering.
If other network operators around the world followed suit, this would significantly tamp down the
number, scale, and effect of DDoS attacks.
When BCP38 made its debut, industry watchers suggested that the federal government should
use its massive purchasing power to include ingress filtering as part of its contracting
requirements.
In this way, the industry could rely on market forces to improve network security, rather than
imposing new regulations.
However, the powerful telecom lobby quickly pushed back, and Congress did not pass federal
contracting requirements.
5 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide