With DDoS reflection attacks growing into mammoth events with unforeseen consequences, mitigation firm Verisign believes a radical new approach is needed to head off a pile of trouble - go after the "guys behind the keyboards."
In any other part of the security industry, Verisign's recommendation that victims on the receiving end of major DDoS incidents make the effort to work out who attacked them would now be seen as best practice but this is an industry built on mitigation — blocking — rather than investing in deterrence.
DDoS deterrence sounds like a slow, expensive and complex undertaking but according to the firm's CSO and senior vice president Danny McPherson the capability now exists for firms such as his to trace attacks back through command and control to the controlling keyboard somewhere in the world.
Despite hiding behind botnets, DDoS attackers are no more anonymous than the gangs that control major malware platforms but what is urgently needed is for the industry to push back against not just the packets but the people controlling them.
Right now "they just let providers absorb attacks and they don't report it," is McPherson's description of the victim's current mindset. It's more a case of "how high do you build your tsunami wall."
McPherson's comments come in the wake of a massive and barely-reported 300Gbps attack the firm mitigated earlier this year on an unnamed data centre that exploited unpatched servers vulnerable to a motherboard level flaw connected to the SuperMicro IPMI interface.
If you've never heard of that vulnerability, it didn't appear that the admins of as many as 100,000 servers VeriSign estimates might have been used to generate the huge traffic volume had either.
But according to McPherson the attack's vast size at leak was not initially understood by the CDN which believed it to be in the order of 60Gbps to 70Gbps because that was the level at its available bandwidth became exhausted.
Where does the rest of the missed traffic go? The Internet absorbs it, but the effects of this are potentially chaotic. The design of IP makes the Internet incredibly resilient but the routers connecting networks still get congested. Many larger attacks are under-estimated or ignored.
"They didn't have enough capacity to know what was going on," said McPherson of the CDN. Meanwhile, "the attackers have no idea how much traffic is going to hit the target. The attacker doesn't have any idea of their power."
As large attacks such as the one on the CDN (as well as on Spamhaus and CloudFlare in the last two years) become more common the risk of collateral damage will increase. That is the risk of chaos.
Sign up for MIS Asia eNewsletters.