DDoS attack victims need to involve police, says Verisign CSO

Huge attacks spur need for deterrence

With DDoS reflection attacks growing into mammoth events with unforeseen consequences, mitigation firm Verisign believes a radical new approach is needed to head off a pile of trouble - go after the "guys behind the keyboards."

In any other part of the security industry, Verisign's recommendation that victims on the receiving end of major DDoS incidents make the effort to work out who attacked them would be seen as best practice, but this is an industry built on mitigation - blocking - rather than on investing in deterrence.

DDoS deterrence sounds like a slow, expensive and complex undertaking, but according to the firm's CSO and senior vice president Danny McPherson, the capability now exists for firms such as his to trace attacks back through the command and control infrastructure to the controlling keyboard somewhere in the world.

Despite hiding behind botnets, DDoS attackers are no more anonymous than the gangs that control major malware platforms but what is urgently needed is for the industry to push back against not just the packets but the people controlling them.

Right now "they just let providers absorb attacks and they don't report it," is McPherson's description of the victim's current mindset. It's more a case of "how high do you build your tsunami wall."

McPherson's comments come in the wake of a massive and barely-reported 300Gbps attack the firm mitigated earlier this year on the data centre of an unnamed content delivery network (CDN). The attack exploited unpatched servers vulnerable to a motherboard-level flaw in the SuperMicro IPMI (baseboard management) interface.

If you have never heard of that vulnerability, neither, it seems, had the admins of the up to 100,000 servers Verisign estimates were used to generate the huge traffic volume.

But according to McPherson, the attack's vast size at peak was not initially understood by the CDN, which believed it to be in the order of 60Gbps to 70Gbps because that was the level at which its available bandwidth became exhausted.

Where does the rest of the traffic go? The Internet absorbs it, but the effects of this are potentially chaotic. The design of IP makes the Internet incredibly resilient, but the routers connecting networks still get congested, and a target that can only measure what reaches its own saturated links has no way of seeing the excess. Many larger attacks are under-estimated or ignored for exactly this reason.

"They didn't have enough capacity to know what was going on," said McPherson of the CDN. Meanwhile, "the attackers have no idea how much traffic is going to hit the target. The attacker doesn't have any idea of their power."
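The under-estimation McPherson describes is a measurement problem: a target's own counters can never show more than its ingress links carry, so the real size of an attack has to be estimated upstream, typically from sampled flow records (sFlow or NetFlow) on the transit links, scaled by the sampling rate. The following Python is an added example and is not code from the article or from Verisign. The flow records are constructed to reproduce the article's figures (about 300Gbps in total against an assumed 70Gbps of target capacity); the three transit link names, the 1-in-1000 sampling rate, the packet size and the addresses are all assumptions.

```python
"""Estimate the real size of a volumetric DDoS from sampled flow records,
and compare it with what the target can see once its own links saturate.

Added example; the sample records below are constructed, not captured.
"""
from collections import defaultdict
from math import sqrt

SAMPLING_RATE = 1000        # assumed 1-in-1000 packet sampling on every transit link
WINDOW_SECONDS = 1          # assumed length of the collection window
TARGET_CAPACITY_BPS = 70e9  # assumed total ingress capacity of the target
PACKET_BYTES = 1250         # assumed size of each sampled attack packet


def make_sample_records():
    """Constructed sFlow-style samples: (ingress_link, src_ip, dst_ip, dst_port, bytes).

    12,000 samples on transit-a, 10,000 on transit-b and 8,000 on transit-c,
    all aimed at one victim address, from a rotating set of source addresses
    standing in for the compromised servers (RFC 5737 documentation ranges).
    """
    counts = {"transit-a": 12000, "transit-b": 10000, "transit-c": 8000}
    records = []
    for link, n in counts.items():
        for i in range(n):
            src = f"203.0.113.{i % 250 + 1}"
            records.append((link, src, "198.51.100.10", 80, PACKET_BYTES))
    return records


def estimate_bps_per_link(records, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Scale sampled bytes by the sampling rate to estimate bits/s on each ingress link."""
    sampled_bytes = defaultdict(int)
    for link, _src, _dst, _port, nbytes in records:
        sampled_bytes[link] += nbytes
    return {link: b * sampling_rate * 8 / window for link, b in sampled_bytes.items()}


def observed_at_target(actual_bps, capacity_bps=TARGET_CAPACITY_BPS):
    """What the victim's own counters can show: never more than its link capacity."""
    return min(actual_bps, capacity_bps)


def sampling_error_pct(sample_count):
    """sFlow's published rule of thumb for the 95% confidence error of a count
    built from sample_count samples: % error <= 196 / sqrt(sample_count)."""
    return 196 / sqrt(sample_count)


def attack_summary(records):
    """Upstream estimate versus the target's own view of the same attack."""
    per_link = estimate_bps_per_link(records)
    total = sum(per_link.values())
    seen = observed_at_target(total)
    return {
        "per_link_gbps": {link: bps / 1e9 for link, bps in per_link.items()},
        "total_gbps": total / 1e9,
        "seen_by_target_gbps": seen / 1e9,
        "underestimate_factor": total / seen,
        "error_pct": sampling_error_pct(len(records)),
    }


if __name__ == "__main__":
    summary = attack_summary(make_sample_records())
    for link, gbps in summary["per_link_gbps"].items():
        print(f"{link}: ~{gbps:.0f} Gbps")
    print(f"upstream estimate: ~{summary['total_gbps']:.0f} Gbps "
          f"(+/- {summary['error_pct']:.1f}%)")
    print(f"target sees at most: {summary['seen_by_target_gbps']:.0f} Gbps, "
          f"under-estimating by {summary['underestimate_factor']:.1f}x")
```

The point of the per-link split is that no single vantage point sees the whole attack: the target's counters flatten at its capacity, and each transit provider only sees the share routed through it, so the real figure only emerges when the sampled data from all ingress links is added up.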

As large attacks such as the one on the CDN (as well as those on Spamhaus and CloudFlare in the last two years) become more common, the risk of collateral damage to networks that were never the target will increase. That is the risk of chaos.

Verisign is now "leaning" on upstream providers to deal with the server vulnerabilities that have helped these attacks get off the ground, but McPherson remains pessimistic about the success of that strategy while the economic incentive to patch remains low, he said.

"At some point you have to draw a line and go after the guys who launched the attack. We think it is important that people are accountable for their actions."

McPherson is unable to discuss whether the CDN attack will become one of those actions but the fact that the client even agreed to be referenced at all by Verisign is a sign that something could be in the air. If so, little will be disclosed until a legal or police case has been launched.

Public police actions against DDoS attackers are extremely rare with perhaps the only known example at this end of the DDoS scale being the effort made to track down the group that hit Spamhaus with an equally large DDoS attack in 2013. Launched by the anti-spam organisation itself, that remains the case study for action.

Thus far, the public face of DDoS has been a depressing roll call of statistics that read like an indecipherable code to all but the few familiar with routing protocols and Internet infrastructure. In the very near future, that could change to be more like malware, data breaches and web attacks. DDoS could become another story of true crime.

McPherson's message is simple: "you have to go after the guys behind the keyboards."

Stories by John E. Dunn