A DDoS-focused report released by Neustar earlier this week caught my eye with a statement made by Neustar Senior Vice President and Fellow, Rodney Joffe. Rodney makes an interesting recommendation around the need to “develop industry-based mitigation technologies that incorporate mechanisms to distribute attack source information into ISPs, so they can squelch the attacks closer to the source.” This recommendation spurred some thoughts on how the DDoS defence industry can benefit from cooperation among security technology vendors.
Certainly, the industry would benefit from stronger cooperation amongst security technology vendors to address the rapidly evolving and dangerous DDoS threat landscape. However, this problem could profit from an even more inclusive approach, one that incorporates perspectives from operators (carriers, service providers, cloud hosters, etc.) as well as application developers. In the world of DDoS it is nearly impossible to treat the problem as one where we can simply squelch the attack as close to the source as possible. This is because a significant fraction of overall DDoS traffic (maybe even a majority) is reflected or amplified DDoS, which is created by sending requests with a spoofed source address so that legitimate servers and services respond in unison to an unwitting victim. Blacklisting these entities would be problematic; in the case of DNS servers, it would be unthinkable.

But the basic premise, that the industry should combine forces against this problem, is sound. In fact, the beginnings of that are already occurring, with momentum toward fostering cooperation via standardization and signaling. This concept is already making itself visible within the Internet Engineering Task Force (IETF). At the IETF meetings last week in Dallas there was a well-attended Birds of a Feather discussion on the topic of DDoS Open Threat Signaling, which is a good indication that the industry is generally thinking along these lines already.
Some may ask why ISPs have not already developed solutions to "squelch the attacks closer to the source". First, in large reflected or amplified DDoS attacks the ‘attacking’ machines may be distributed across a wide geographic area, perhaps even globally, so distributing the solution closer to the source would be advantageous in that it would address the problem before the cascade had the opportunity to aggregate into an attack of truly large proportions. The difficulty with this approach lies in distributing a solution across geographic distance and beyond any single ISP's control framework; hence the need for open DDoS threat signaling. Additionally, these machines may be the source of the attack traffic, but they must not be confused with the attacker, who has spoofed a source IP address in order to effect the attack. In this case, the attacker is virtually untraceable, and the ‘attacking’ machines may be vital to the operation of the network, as is the case with DNS servers or cable modems, which are increasingly being used in SSDP reflection attacks.
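One defender-side check the above implies, added here as an example and not taken from the post or the Neustar report: over constructed flow records, find destinations that receive traffic from many distinct DNS or SSDP sources at once (the spoofed victim), and report the reflectors as a list for signaling their operators rather than as an attacker list to block. The Flow record layout, the sample addresses and the thresholds are assumptions.

```python
"""Spot reflection/amplification victims in flow records (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Source ports of the reflector services the post names: DNS and SSDP.
REFLECTOR_PORTS = {53: "DNS", 1900: "SSDP"}

class Flow(NamedTuple):
    src_ip: str      # the reflector (a legitimate server), not the attacker
    src_port: int
    dst_ip: str      # the spoofed address, i.e. the victim
    bytes: int
    packets: int

def find_reflection_victims(flows: List[Flow], min_reflectors: int = 3,
                            min_bytes: int = 10_000) -> Dict[str, dict]:
    """Group flows by (destination, reflector service) and report destinations
    hit by many distinct reflectors on the same well-known source port.
    The reflectors are listed so their operators (or upstream ISPs) can be
    signaled to rate-limit; they are not an attacker list to blacklist."""
    agg = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        svc = REFLECTOR_PORTS.get(f.src_port)
        if svc is None:
            continue  # not a reflector service; ignore ordinary traffic
        entry = agg[(f.dst_ip, svc)]
        entry["reflectors"].add(f.src_ip)
        entry["bytes"] += f.bytes
        entry["packets"] += f.packets
    victims = {}
    for (dst, svc), a in agg.items():
        if len(a["reflectors"]) >= min_reflectors and a["bytes"] >= min_bytes:
            victims[f"{dst}/{svc}"] = {
                "reflectors": sorted(a["reflectors"]),
                "bytes": a["bytes"],
                "avg_packet_bytes": a["bytes"] // a["packets"],  # large = amplified
            }
    return victims

# Constructed sample (documentation address ranges): 203.0.113.10 is the victim,
# 198.51.100.0/24 hosts open DNS resolvers, 192.0.2.0/24 hosts SSDP-speaking modems.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 53, "203.0.113.10", 3000, 2) for i in range(1, 5)]
    + [Flow(f"192.0.2.{i}", 1900, "203.0.113.10", 4000, 4) for i in range(1, 4)]
    + [Flow("198.51.100.1", 53, "203.0.113.20", 120, 1),     # a normal DNS reply
       Flow("203.0.113.30", 443, "203.0.113.10", 50000, 40)]  # not a reflector port
)
```

Running `find_reflection_victims(SAMPLE_FLOWS)` flags 203.0.113.10 once per reflector service (DNS and SSDP) while the single ordinary DNS reply to 203.0.113.20 is left alone.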