This sponsored post is produced by Kentik.
There is a big problem brewing in the Internet. You may have noticed that big attacks that disrupt networks or servers’ ability to deliver traffic, called Distributed Denial of Service (DDoS), are showing up in the news more often. You may not know that, officially, documented attacks are happening at the scale of several hundred Gigabits per second, and unofficially, have been observed at over a Terabit per second.
Those are scary numbers. But things are going to get a lot scarier. Why, you ask? Because the explosion of devices in the Internet of Things is going to create an Internet of Attacks. How so? Because of a well understood issue that’s had a solution available for decades, but that the industry refuses to fix. And the situation’s getting only worse.
When you see a phone call coming through on your smartphone, you can scan the incoming number and tell immediately whether it’s from someone you know. Imagine, though, that there was no such certainty. Imagine that whenever you get a phone call from your spouse, friend, or relative, that it might not be them — that it could be anyone, and potentially someone who was trying to harm you.
Sound bad? Well, that is precisely the situation in the Internet today. The Internet infrastructure industry basically allows forgery today on a vast scale.
The roots of insecurity
When the Internet started off in the 80’s, it was an academic R&D network, and nobody was thinking of it as something that would become commercial. Yes, there was a government/DoD side of things, but they were more off in their own walled garden. But on the academic side of the Internet, there wasn’t any kind of security used. Nothing was encrypted or authenticated.
By the early 1990’s, the Internet started becoming commercial. By the mid 1990’s, there were at least two commercial ISPs in every city in the country. In fact, when I started the first ISP in Philadelphia in 1992, people were just starting to realize that there were big security issues with the Internet protocols.
Over the 1990’s, I personally observed (and had to deal with) some our customers at Netaxs being the targets of the first denial of service attacks. These were usually people getting pissed off at each other over snarky comments posted to an electronic bulletin board and deciding to take their fellow ISP down for some period of time. The way they’d do it is by changing the IP address on one of their computers to mimic someone else, and send a bunch of requests to the other ISP’s web server, which would then have to answer all those connection requests. But since the address that the web server sent the answer to had never asked the question, the IP “conversations” would kind of hang in mid-air until eventually the web server ran out of memory and crashed. Thus, denial of service attacks were born.
Denial of Service grows up
Shortly thereafter, the automation and hacking and botnet creation, combined with a never-ending series of unanticipated ways the early Internet protocols can be exploited, enabled “Distributed Denial of Service” (DDoS) attacks. With DDoS, packets often come from tens or hundreds of thousands of “apparent” destinations, either from compromised machines, or by “reflection” attacks enabled by clever hacks of essential Internet protocols like DNS, which is used to translate numeric IP addresses to recognizable domain names (e.g. example.com).
But all these attacks rely on the same simple thing that those original attacks did — the ability to forge others’ IP addresses and use them with impunity.
Best current un-practice
The IETF (Internet standards body) developed a Best Current Practice (BCP) proposal in the late 1990’s to solve the problem. It got ratified as BCP38 in May of 2000. Basically, it just says that when an ISP receives traffic, it should make sure that it’s coming from an IP address that it has recorded as registered to the network that is sending it.
Router manufacturers like Cisco and Juniper added what’s called “Reverse Path Forwarding” (RPF) that makes this easy to do for organizations with only one connection to the Internet. There are a few complications for organizations with multiple Internet connections (“multi-homed” in Internet speak), but essentially it’s a solved problem. Its implemented by many, but not all, big Internet backbone providers already. For other network operators (especially those who sell Internet bandwidth on a wholesale basis), it would take some work, but then we’d have way more security.
By the early 2000’s, I was running the networks for Akamai and the attacks kept getting worse. After the 2001 attacks, there was an effort headed by then counter-terrorism czar Richard Clarke to increase security of the country’s telecom infrastructure. His office solicited recommendations from the industry.
One recommendation that came back: the government should use its huge purchasing power to push these best practices using contracting requirements. No regulation, just using market forces. Well, as soon as the recommendation was made, all the big telecom lobbyists started calling lawmakers and the whole idea died before it got anywhere.
How to be part of the cure
Where does that leave us today? Well, probably somewhere between 30 and 40 percent of the Internet allows botnets to operate with no impediment. Ignoring certain, ahem, not to be named, countries that engineer their Internet for such practices, that still leaves a lot of poorly-engineered but correctable networks for botnets to operate in. With IoT spreading billions of poorly-secured network devices across the planet, we need to close ranks.
I don’t believe that regulation is what the industry needs. But you can still help yourself and the Internet. If your business contracts for Internet service, put BCP38 compliance as a requirement in your request for proposal.
What’s in it for you? You’re more likely to get service from a well-engineered network that has its act together. And as an added bonus, you’re much less likely to get blasted by attacks from another customer of that ISP that might be connected to the same network device or region as your business.
Dig deeper: Download Kentik’s whitepaper, “Big-Data SaaS Network Visibility.”
Avi Freedman is CEO of Kentik.
Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact firstname.lastname@example.org.