Can DDoS Attacks Be Prevented by Policies or Legislation?

In the wake of the massive distributed denial of service (DDoS) attack against Domain Name Service provider Dyn a couple of weeks ago, several U.S. lawmakers have called on the government to improve cyber security protections and consider new rules for web traffic.

Senators Angus King (I-Maine) and Martin Heinrich (D-N.M.) sent a letter to President Obama on Oct. 24 requesting his involvement in developing standardized, government-wide policies for detecting vulnerabilities and enlisting the private sector's help in fixing them. Separately, Sen. Mark Warner (D-Va.), co-founder of the Senate Cybersecurity Caucus, is seeking answers from the Federal Communications Commission, the Federal Trade Commission and the Department of Homeland Security. According to Federal Computer Week,

“In an Oct. 25 letter to FCC Chairman Tom Wheeler, Warner asked what network management practices could be adopted by internet service providers to repel traffic that might emanate from botnets and whether it is possible to assess the risks associated with the devices that make up the internet of things, apprise consumers of those risks and encourage users to download operating system and firmware updates when they are available.”

According to a CIO article, Sen. Warner does not want or expect to rely on government to fix the problem. Rather, he seeks tougher, private, industry-led standards that would mandate a security rating system so that consumers would be less likely to buy IoT devices that have security vulnerabilities. In his letter to the FCC, Warner asked a series of questions, including whether it would be reasonable to have ISPs block insecure IoT devices from connecting to the ISP network, in order to prevent the devices from being recruited into a DDoS botnet.

The Bad News

  1. As history shows, it is not easy to build legislative consensus to change or create laws in a short time. While the governmental process plays out, it's guaranteed that there will be multitudes of DDoS attacks, large and small, before any meaningful policies or laws can be put into action. Furthermore, government standards are unlikely to be flexible enough to adapt to the ever-changing cyber threat. That is not to suggest that government should not take steps to try to improve the situation right away. However, citizens and organizations should not sit back and expect that government or legislative initiatives will solve the DDoS problem in the short term.
  2. The growth of IoT devices and their inherent security vulnerabilities continues to be a cause for concern. It has also become clear that device manufacturers need to take security much more seriously now. As the Dyn attack's major disruption of a significant geographic region showed, the problem is no longer theoretical; it is real. Sensor and silicon manufacturers are largely already there: the developers who select the various silicon components need to leverage the security capabilities that are largely already present, and they need to mandate that consumers change default passwords as part of the install process.
  3. The rules of “Net Neutrality” are a dilemma; that is, are ISPs obligated to treat all traffic equally? We at Corero argue that there should be nuances to that rule; DDoS traffic can, and must, be detected and blocked without impacting good traffic.
  4. DDoS attacks show no signs of abating. Experts predict that more attacks will happen, and that large, terabit-sized attacks will become more common, fueled in part by devices connected to the Internet of Things (IoT) whose security weaknesses are exploited to form DDoS botnets.

The Good News

Fortunately, there are anti-DDoS solutions available for organizations. And yes, ISPs can (and some already do) repel bad web traffic by deploying DDoS protection solutions at the edge of their networks. Companies should ask whether their Internet service providers offer DDoS protection. In a survey of enterprise IT security professionals earlier this year, 85% of enterprise end users said they want their ISPs to offer more comprehensive DDoS protection-as-a-service. Some ISPs already offer this service, so it is worth inquiring.
