Beyond Firewalls — Internet Militarization

angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."

How dare the military invade our internet

[Flibberdy]

It's not like they started it or... Oh wait... D'oh

Militarization?

[morgan_greywolf]

Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

Can we all just lay off the hype machine a little bit?

Re:Militarization?

[Chrisq]

Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.

Re:Militarization?

[morgan_greywolf]

Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.

Well I think that many people would be a lot more upset about a shell and mortar attack on any city in their own country than a day's outage at their bank. I speak from experience.

Re:Militarization?

[Chrisq]

Surprisingly I think not always, it could depend where it is in the city. I have spoken to people who live in cities with gang-land areas who see attacks (drive by shootings, houses burned out, etc.) as though it was talking about somewhere the other side of the world. If one gang fired a mortar at another's stronghold this probably would not worry them too much.

Re:Militarization?

[morgan_greywolf]

Well, there's a large difference between gang-land violence and an actual military mortar attack. For one, the gangs, at the most, have AK-9s and Uzis and are primarily aiming to kill each other. A rocket-propelled grenade attack by an organized militia will generally be far more destructive and cost many more lives.

Besides, gang-land areas are probably among the last places a military or paramilitary attack by the enemies of the U.S. are going to attack. I'm sure they could think of much more valuable targets.

Re:Militarization?

[morgan_greywolf]

Life critical monitoring equipment is never plugged into the Internet.

Re:Militarization?

[morgan_greywolf]

Nice strawman you got there.

To begin with, I've visited and even lived in gang-infested neighborhoods. It's not as bad as they make it out to be in the movies or in the news media outlets. Yes, it's bad, but no, it's not the same thing as living in a war zone.

Re:Militarization?

[PopeRatzo]

Well, there's a large difference between gang-land violence and an actual military mortar attack.

Morgan has a point.

There is a huge difference between preventing terrorism and fighting a war.

Unfortunately, "war" is something that people who have never been in one think is romantic or exciting. I never thought much about war until my wife and daughter were stuck in Belgrade during the NATO bombing. I'm watching the CNN, seeing US planes, pilots and ordinance doing it's very best to kill my dearest loved-ones.

So, should we fight terrorism with police action or with a "War on Terror"? Clearly, let the cops handle it and get our people out of Iraq before someone else gets hurt.

Re:Militarization?

[PopeRatzo]

No, the West Side of Chicago is not the same as a warzone.

The conceal/carry law that's trying to work it's way through the Illinois Assembly may improve the chances of making it one, though.

Think of a gang and drug-ridden neighborhood, now add the easing of restrictions on the purchase and possession of guns.

I heard a pro-gun writer for Reason Magazine (a dim-wit Libertarian rag) say that there should be "absolutely no restriction" on the sale or possession of any type of firearm" because that's what our Founding Fathers wanted. Well, our Founding Fathers also shit in holes in the ground out in the back yard, so we shouldn't have flush toilets?

Re:Militarization?

[Mr.+Slippery]

Life critical monitoring equipment is never plugged into the Internet.

"Should never be" and "never is" are two different things.

And what constitutes "life critical" is fuzzy. Is Google Maps "life critical"? Do you remember the family that got lost and the father froze to death? (It's not clear that the map in this case came from Google Maps, but it show the possibility.)

Is your word processor "life criticial"? Michael Richard was executed after his lawyers were unable to file paperwork by a deadline due to computer problems, under circumstances that would likely have at least postponed his murder by the state.

Is your local park service's database "life critical"? It becomes so when a dead tree that was supposed to be removed falls and kills somebody.

(By the way, if you're a computer professional and you're not reading the RISKS digest, you oughta be.)

Re:Militarization?

[Hijacked+Public]

So you believe that gang members and those involved in the illegal gun trade are sitting around waiting for this law to pass before arming themselves?

How are they murdering one another now?

Re:Militarization?

[wizden]

I used to live in the west side of Chicago. It needs a conceal/carry law that allows citizens to protect themselves. The criminals there already have AK-47 battles in Humboldt Park. Nice logic with the hole in the ground though. How much more gun control can you get in a city that absolutely bans handguns? At what point will you admit that it isn't working? How does your "more gun control" argument work when the law can't be taken any further? I could get an illegal gun in 10 minutes in Chicago.

Re:Militarization?

[hairyfeet]

Silly Silly PopeRatzo, criminals don't follow your stupid laws, that's why we call them criminals. You get rid of all the ways of law abiding citizens to have guns and all you will have is a free for all because the criminals will STILL have guns. You DO realize that, don't you? After all drugs have been illegal for nearly a century, yet I can walk out my door and in less than 30 minutes score any drug I wanted. Do you really think that smuggling a load of guns would be any harder than a load of dope? You anti gun people make me laugh, thinking your silly laws will have any effect on actual criminals. That is just so silly.

Re:Militarization?

[hairyfeet]

Actually they protect us VERY well, thank you very much. In my little home town we have plenty of drugs, meth labs, etc. but crimes like rape, home invasions, or murder(except one junkie killing another over a dope deal) is almost non existent. Why? Because if you kick someone's door in here you have approximately a 1 in 4 chance of meeting the wrong end of a gun. Now 1 in 4, that's not really good odds when you are lucky to get some cash and maybe a TV.

In the 80s we had crime in a neighboring county shoot up(I think because the previous sheriff there was a "no guns for nobody" type) and when he lost to a law and order guy he cleaned it up REAL quick. How? He said law abiding citizens with no record that could show a need would get a gun permit, and for businesses in high crime neighborhoods he set up these lovely little booths. The booth was basically a large one way mirrored box set up in every store. Below it was a sign "In this booth 4 days a week is an officer with a 12 gauge shotgun ready to defend these premises. You guess which 4." It worked QUITE well, thank you very much.

A 19 year old tweaker with a weapon looking for his next fix or a woman to take his anger out on only respects TWO things: A weapon pointed at his face, or a M.O.M(Mean Old Mutt) and not everyone has the room for a M.O.M. Will some people use their gun to kill themselves? No doubt. Will some use them in anger on a spouse? Again no doubt. But I can get my head bashed in by a tire iron too, but that doesn't mean I should not be able to change a flat. A weapon is just a tool, like any other. If someone uses it irresponsibly to cause another harm or death, punish them severely for it. I would suggest life on a hoe squad. But as we have seen in places like the UK, banning guns does NOT ban violent people from acting out.

But the nice thing about states rights is you are free and can go live in a state that "bans" guns. Won't keep the gangbanger from popping a cap in your ass, but you be sure to tell him he is breaking the law. I'm sure it will help.

The usual response

[MikeRT]

"We do it, so we should expect it in return." Yet, where is the proof that the federal government is actively engaging in the sort of network thuggery that Russia and China indulge in? It's just "common knowledge" that "we do it," especially at a tit-for-tat level.

The main reason I've grown impatient with this line of thought is that it's usually used to defend other countries when they're doing wrong. "The US supported dictators, so why not Russia." Might as well say "two wrongs make a right!"

I guess I'm safe

[kcbanner]

I put my computer in the demilitarized zone.

Well, yes.

[tygerstripes]

It was inevitable, surely. Once governments came to realise that the web was becoming a legitimate medium rather than an entity, they would obviously start to employ it in the same way they have every other.

I have to ask: is this story about governments wising-up in the ways of the intertubes and turning it to their advantage, or about the fact that this was discussed at a conference? I'd have thought the former was self-evident, and the latter was completely un-newsworthy. Maybe we can discuss specific examples of political internet jiggery-pokery, but this kind of vague allusion is just going to prompt hot-air discussions with no real content, isn't it?

What makes DDOS hard to stop?

[Late+Adopter]

What makes denial of service attacks so hard to respond to technologically? Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

Or is the problem more in the "distributed" part than the "denial of service" part? Can a network engineer enlighten me?

Re:What makes DDOS hard to stop?

[morgan_greywolf]

What makes denial of service attacks so hard to respond to technologically?

Really, it's not.

Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

Yes, such routers actually exist, although even some commercial-grade routers tend to made with low end processors and such that if your pipe is fat enough, it can become overwhelmed.

If you want to stop a DDOS and your firewaall can't seem to mask off IP ranges quickly enough, by far the easiest technological measure is really quite simple: sever the connection. I guarantee you the DDOS will no longer be affecting your equipment at that point.

Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

Re:What makes DDOS hard to stop?

[Tuoqui]

It's pretty hard to stop because it is a outright brute force method.

1) All tubes have a limited capacity.
2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.

Distributed makes it harder because the IP addresses do not come from any singular location so you cant just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data request from legitimate traffic.

Re:What makes DDOS hard to stop?

[drinkypoo]

Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

Well, I am not a super-network-nerd, but my impression is that the reality is very different. As has been pointed out repeatedly there are a limited number of choke points which, when interrupted, disrupt large percentages of internet traffic. In addition you have to generally spend some money to get multihoming. For the home user, no big deal; you might lose your connections-in-progress but it's not likely that you'll have any other serious repercussions. So sure, a home user could back up Cable with DSL, for example, and gain all the most important benefits of multi-homing without even doing anything very complicated. But a business user needs to spend, spend, spend to multi-home. Once you're over a certain size you're going to need multiple connections anyway, so the relative cost of doing this drops considerably.

A lot of things were designed to work much better than they do due to implementation. I suggest that evolution needs to give way to revolution and the internet we know and occasionally love must give way to a somewhat more anarchic mesh-network. Honestly I see a place for both; When I want to communicate with "the system" I'll use "the internet". It is however long past time for the people of the world to just utilize technology to bypass our corporate masters and take control of our own lives.

On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet? I suspect that the carrying capacity of earth has been exceeded, at least as we are practicing life, so this is a reasonable upper bound for now. Besides, you don't actually need that many APs.

Re:What makes DDOS hard to stop?

[fuzzyfuzzyfungus]

DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so you identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.

Re:What makes DDOS hard to stop?

[drinkypoo]

Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100mpbs link for $1000.. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free.

Well, correct me if I'm wrong - my understanding of this subject is limited to conversations I've had in the distant past - but isn't it true that in the CIDR era your provider has to agree to carry your route if it is actually going to do you any good? Your ISP allocates you a piece of their network, which is already routed. Don't they have to (at minimum) tweak their routes so that they don't override yours? I mean, otherwise you first have to buy a block of addresses, which is (again, to my understanding) now an extremely expensive proposition. And if you can find someone else to resell you a piece of their block, now you're dependent on them to not bone your routes. But please, if it's less fraught with complexity than this, please tell me - and tell me why there's so few people who can do BGP without boning it.

The "Open Source Routers" thing again only typically helps larger shops who can afford to hire their own network admin who understands how to configure such things, or who can apprehend how things are to be done on that platform. A smaller shop is going to need to stick to a well-supported platform so that when they have a problem they can pay for someone to come in and solve it. For most people that means sticking with a major brand with certifications which are worth something, which basically means Cisco. Which means spending big bucks. Also, getting those high-speed links into an open router is itself an expensive proposition; PCI and PCI-E WAN interfaces are pricy. What you save on the service contract you might well lose for lack of a service contract. There is such a thing as TCO and while a DIY approach will work for some shops which already possess the necessary personnel, in most cases something a little more standard (and I don't mean standards-based) is probably a better idea.

Re:What makes DDOS hard to stop?

[Areyoukiddingme]

On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet?

The short answer is, there isn't one. None of the existing wireless networking schemes are designed with mesh networking in mind. None of them are designed with the range required to achieve sufficient density to qualify as a mesh.

A device designed to operate in the ultra wideband (UWB) frequency range is a possibility. In theory such a device could achieve 480 mbit/s at 10m ranges. Attempts to date have fallen rather far short, but that could be addressed by better engineering. Actual devices (wireless microphones) built to use UWB can achieve 8 mbit/s at 20m ranges. That device significantly underutilizes the available spectrum, confining itself to frequencies near 6 GHz. It is also quite conservative about its power output, radiating at 40 nanowatts when the FCC limit is closer to 80 nanowatts. A device that uses more spectrum and more power should be capable both of higher throughput and wider range. Whether or not the range could reach a useful minimum for achieving a mesh network is anyone's guess.

Unfortunately for us all, the IEEE working group that was trying to formalize UWB as part of the 802 specification broke up in 2006, unable to reach an agreement on a good design. So UWB-WiFi (so to speak) isn't being worked on in any real fashion. You can bet they weren't trying to design something that was mesh-friendly, in any case.

It's too damn bad that software engineers are still the only people who are broadly involved in open source. I think the only way we're going to get the kind of mesh network you're talking about is a grass roots/open source effort by electrical engineers specializing in radio frequency engineering getting together and designing something for the purpose. It doesn't seem to provoke any corporate interest at all, other than negative interest.

poor man's slashdotting

[metageek]

DDOS attack is the poor man's slashdotting

New territory means it must be defended

[hessian]

It's inevitable that space and the internet are going to be militarized.

If I were our government, I'd use big media for military purposes: convince the youth of other countries to engage in selfish, yet self-destructive, activities.

Oh wait, someone beat me to it!

War against anybody not supporting our government

[cagrin]

I've heard recently that the police forces across all states are given documents suggesting anyone who mentions the US Constitution and espouses their rights (for example, warrantless checkpoints) are being classified as terrorists against the government. It has also mentioned the shutting down of the current internet in favour of Internet II which would be more controlled (for example, anti-government sites would not be allowed...freedom of speech anyone?). See the following for more: the Alex Jones Channel on YouTube (or infowars.com, a recent show: http://www.youtube.com/watch?v=l1Eizli66bU), http://www.freedomtofascism.com/, and for the Canadians out there... Bill Abram on the 'Crime of the Canadian Banking System' http://www.youtube.com/watch?v=O8Zl1Wax8MI

enjoy...and spread this stuff around :)

Government Intolerance

[b4upoo]

Since computers tend to be communication devices the question folds backward into another question. Can any government survive good communications among its citizens? I really doubt it. Understanding government will lead people to realize that for their individual situation the government is a negative. If you end up with any substantial percentage of a population feeling that the government is negative in their lives they will find a way to crash the government. Even 10% who are real disaffected with government will assure failure of a nation.
            Back in the Hippy movement the young understood that. Tune in, turn on, and drop out was every bit as serious as an enemy marching toward a border. Whether the hippie seeking to end the Vietnam War or the kid in the mud in Vietnam was the better patriot is open to debate. But one thing is sure. The hippies did cause that idiotic war to end. Sadly we have so many ruined lives on both sides of that war as living testimony that war is a lousy idea.