Beyond Firewalls — Internet Militarization
angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."
It's pretty hard to stop because it is an outright brute force method.
1) All tubes have a limited capacity.
2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.
Distributed makes it harder because the IP addresses do not come from any singular location so you can't just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data requests from legitimate traffic.
+2 Troll is Slashdot's way of saying groupthink is confused
Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.
Well, I am not a super-network-nerd, but my impression is that the reality is very different. As has been pointed out repeatedly there are a limited number of choke points which, when interrupted, disrupt large percentages of internet traffic. In addition you have to generally spend some money to get multihoming. For the home user, no big deal; you might lose your connections-in-progress but it's not likely that you'll have any other serious repercussions. So sure, a home user could back up Cable with DSL, for example, and gain all the most important benefits of multi-homing without even doing anything very complicated. But a business user needs to spend, spend, spend to multi-home. Once you're over a certain size you're going to need multiple connections anyway, so the relative cost of doing this drops considerably.
A lot of things were designed to work much better than they do due to implementation. I suggest that evolution needs to give way to revolution and the internet we know and occasionally love must give way to a somewhat more anarchic mesh-network. Honestly I see a place for both; when I want to communicate with "the system" I'll use "the internet". It is however long past time for the people of the world to just utilize technology to bypass our corporate masters and take control of our own lives.
On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet? I suspect that the carrying capacity of earth has been exceeded, at least as we are practicing life, so this is a reasonable upper bound for now. Besides, you don't actually need that many APs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.
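Added example, not part of the original thread: a small Python sketch that measures what a range ban costs a defender when flood sources sit in one network versus when they are scattered among legitimate users. All addresses are constructed sample data from documentation and benchmarking ranges, and the function names are hypothetical.

```python
import ipaddress

def covering_prefixes(ips, prefix_len):
    """Return the set of /prefix_len networks that contain the given IPv4 addresses."""
    return {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}

def range_ban_impact(attack_ips, legit_ips, prefix_len=24):
    """Ban every /prefix_len holding an attack source and report what that costs."""
    banned = covering_prefixes(attack_ips, prefix_len)
    collateral = [
        ip for ip in legit_ips
        if ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) in banned
    ]
    return {
        "rules": len(banned),                # drop rules the router must hold
        "collateral": len(collateral),       # legitimate clients blocked too
        "collateral_rate": len(collateral) / len(legit_ips),
    }

# Constructed sample data (assumption: these stand in for real client logs).
LEGIT = (
    [f"198.51.100.{i}" for i in (10, 20, 30)]
    + [f"203.0.113.{i}" for i in (5, 15, 25)]
    + [f"192.0.2.{i}" for i in (7, 77)]
)

# Case 1: flood from a single range that holds no legitimate users.
SINGLE_ORIGIN = [f"198.18.5.{i}" for i in range(1, 41)]

# Case 2: distributed flood, sources inside the same networks as real users.
DISTRIBUTED = ["198.51.100.200", "198.51.100.201", "203.0.113.99", "192.0.2.150"]

if __name__ == "__main__":
    print("single origin /24:", range_ban_impact(SINGLE_ORIGIN, LEGIT, 24))
    for plen in (16, 24, 32):
        print(f"distributed /{plen}:", range_ban_impact(DISTRIBUTED, LEGIT, plen))
```

With the distributed sample, banning by /24 blocks every legitimate client, while banning by /32 avoids collateral only at the price of one rule per source, which is the scaling problem the comment describes.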
Life critical monitoring equipment is never plugged into the Internet.
Nice strawman you got there.
To begin with, I've visited and even lived in gang-infested neighborhoods. It's not as bad as they make it out to be in the movies or in the news media outlets. Yes, it's bad, but no, it's not the same thing as living in a war zone.
Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100 Mbps link for $1000. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free).
Well, correct me if I'm wrong - my understanding of this subject is limited to conversations I've had in the distant past - but isn't it true that in the CIDR era your provider has to agree to carry your route if it is actually going to do you any good? Your ISP allocates you a piece of their network, which is already routed. Don't they have to (at minimum) tweak their routes so that they don't override yours? I mean, otherwise you first have to buy a block of addresses, which is (again, to my understanding) now an extremely expensive proposition. And if you can find someone else to resell you a piece of their block, now you're dependent on them to not bone your routes. But please, if it's less fraught with complexity than this, please tell me - and tell me why there's so few people who can do BGP without boning it.
The "Open Source Routers" thing again only typically helps larger shops who can afford to hire their own network admin who understands how to configure such things, or who can apprehend how things are to be done on that platform. A smaller shop is going to need to stick to a well-supported platform so that when they have a problem they can pay for someone to come in and solve it. For most people that means sticking with a major brand with certifications which are worth something, which basically means Cisco. Which means spending big bucks. Also, getting those high-speed links into an open router is itself an expensive proposition; PCI and PCI-E WAN interfaces are pricy. What you save on the service contract you might well lose for lack of a service contract. There is such a thing as TCO and while a DIY approach will work for some shops which already possess the necessary personnel, in most cases something a little more standard (and I don't mean standards-based) is probably a better idea.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I used to live in the west side of Chicago. It needs a conceal/carry law that allows citizens to protect themselves. The criminals there already have AK-47 battles in Humboldt Park. Nice logic with the hole in the ground though. How much more gun control can you get in a city that absolutely bans handguns? At what point will you admit that it isn't working? How does your "more gun control" argument work when the law can't be taken any further? I could get an illegal gun in 10 minutes in Chicago.
On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet?
The short answer is, there isn't one. None of the existing wireless networking schemes are designed with mesh networking in mind. None of them are designed with the range required to achieve sufficient density to qualify as a mesh.
A device designed to operate in the ultra wideband (UWB) frequency range is a possibility. In theory such a device could achieve 480 mbit/s at 10m ranges. Attempts to date have fallen rather far short, but that could be addressed by better engineering. Actual devices (wireless microphones) built to use UWB can achieve 8 mbit/s at 20m ranges. That device significantly underutilizes the available spectrum, confining itself to frequencies near 6 GHz. It is also quite conservative about its power output, radiating at 40 nanowatts when the FCC limit is closer to 80 nanowatts. A device that uses more spectrum and more power should be capable both of higher throughput and wider range. Whether or not the range could reach a useful minimum for achieving a mesh network is anyone's guess.
Unfortunately for us all, the IEEE working group that was trying to formalize UWB as part of the 802 specification broke up in 2006, unable to reach an agreement on a good design. So UWB-WiFi (so to speak) isn't being worked on in any real fashion. You can bet they weren't trying to design something that was mesh-friendly, in any case.
It's too damn bad that software engineers are still the only people who are broadly involved in open source. I think the only way we're going to get the kind of mesh network you're talking about is a grass roots/open source effort by electrical engineers specializing in radio frequency engineering getting together and designing something for the purpose. It doesn't seem to provoke any corporate interest at all, other than negative interest.
Actually they protect us VERY well, thank you very much. In my little home town we have plenty of drugs, meth labs, etc. but crimes like rape, home invasions, or murder (except one junkie killing another over a dope deal) are almost nonexistent. Why? Because if you kick someone's door in here you have approximately a 1 in 4 chance of meeting the wrong end of a gun. Now 1 in 4, that's not really good odds when you are lucky to get some cash and maybe a TV.
In the 80s we had crime in a neighboring county shoot up (I think because the previous sheriff there was a "no guns for nobody" type) and when he lost to a law and order guy he cleaned it up REAL quick. How? He said law abiding citizens with no record that could show a need would get a gun permit, and for businesses in high crime neighborhoods he set up these lovely little booths. The booth was basically a large one way mirrored box set up in every store. Below it was a sign "In this booth 4 days a week is an officer with a 12 gauge shotgun ready to defend these premises. You guess which 4." It worked QUITE well, thank you very much.
A 19 year old tweaker with a weapon looking for his next fix or a woman to take his anger out on only respects TWO things: A weapon pointed at his face, or a M.O.M (Mean Old Mutt) and not everyone has the room for a M.O.M. Will some people use their gun to kill themselves? No doubt. Will some use them in anger on a spouse? Again no doubt. But I can get my head bashed in by a tire iron too, but that doesn't mean I should not be able to change a flat. A weapon is just a tool, like any other. If someone uses it irresponsibly to cause another harm or death, punish them severely for it. I would suggest life on a hoe squad. But as we have seen in places like the UK, banning guns does NOT ban violent people from acting out.
But the nice thing about states rights is you are free and can go live in a state that "bans" guns. Won't keep the gangbanger from popping a cap in your ass, but you be sure to tell him he is breaking the law. I'm sure it will help.
ACs don't waste your time replying, your posts are never seen by me.