>> Brian: Welcome to the AMA
Conference Center in New York City
and for those following us on
line, my name is Brian Cute.
I am the CEO of Public Interest Registry.
Public Interest Registry or PIR
is the operator of the dot org,
top level domain on the internet.
We, along with New York Tech, a New York
City based Technology Industry Association
and the Internet Society, New
York Chapter want to welcome you
to today's event Mitigating DDoS Attacks, Best
Practices for an Evolving Threat Landscape.
For those of you online, today's event is
being webcast at the iSock Live Stream Channel
and on that channel you can also post questions.
We welcome questions from our online
audience to bring into the Q&A session today.
You can also follow the event at
the hashtag DDoS and with that,
let me introduce today's
session, Mitigating DDoS Attacks,
Best Practices for an Evolving Threat Landscape.
Distributed denial of service
attacks are deliberate attempts
to make internet connected machines or network
resources unavailable to their intended users
by temporarily or indefinitely
interrupting or suspending DNS service.
Unfortunately DDoS attacks are an all to-common
reality across today's internet landscape.
Examples abound, most recently
large-scale attacks have been directed
at major U.S. banks since September of 2012.
Online service providers and corporations
around the world are often targeted.
DDoS attacks have been directed against
Government websites and it's quite possible
that some attacks were at
least condoned by governments.
Why a DDoS attack is motivated by criminal
intent, like Cyber Extortion or is executed
as an extreme form of free expression,
the resulting service interruptions
can have wide ranging effects.
Today's program will explore the motives
behind and targets of DDoS attacks.
We will address ways attacks are carried
out, as well as mitigation techniques
and the importance of collaboration.
We will also explore the risks of unintended
consequences related to DDoS attacks.
Now before I introduce our esteem panelists,
I wanted to note that PIR recently
conducted a survey in the United States
to test the public's awareness of
DDoS attacks, this very important
and growing problem on the internet.
Among the results, we found that 85%
of the respondents did not
know what AD DDoS Attack was.
When asked, what would you do if you were made
aware that DDoS attacks were taking place?
Among the very revealing responses
were, "Call the geek squad,"
which is a technical service organization
that comes to fix your home computer.
"Call my spouse, or go to Google."
And while we're very happy to have a Google
Representative here on the panel today,
I think these answers reveal the depth
and breadth of misunderstanding and lack
of awareness about this very
important problem in the public.
So today we're going to try to begin
to chip away and provide some awareness
about the important problem of DDoS attacks
and how we collectively can
address them effectively.
So with that, let me get on to the
introduction of today's panelists.
Today's panelists represent a
variety of organizations that operate
at various points in the internet ecosystem.
Their wealth of experiences and
insights from industry, government,
and civil society perspectives should help us
better understand the challenges of DDoS attacks
and identify mitigation practices.
First, at the far-end, we have Mr. Jeff Greene.
Jeff serves as a senior policy
council at Symantec.
Jeff focuses on cyber security,
identity management, and privacy issues
and works extensively with industry
and government organizations.
Prior to joining Symantec, Jeff was a
senior staffer on both the U.S. Senate,
and House Homeland Security Committees
and before that was an Attorney
with the Washington D.C. law firm.
Next we have Ram Mohan.
Ram is the Executive Vice President and
Chief Technology Officer at Afilias Limited.
Ram oversees key strategic management
and technology choices for the Dublin,
Ireland based provider of
internet infrastructure services.
Ram also serves as a Director and Key Advisor
to the Internet Corporation for Assigned Names
and Numbers or ICANN, The Internet Society,
and the Anti-Phishing Working Group.
Next, we have Dr. Damian Menscher.
Damian is a Security Engineer at Google
where he leads the DDoS Defense Team.
Damian uses his front-line experience defending
today's largest attacks to design defenses
that will automatically mitigate future attacks.
He also reduces botnet sizes by directly
informing users of infections on their machines
that are targeted messaging on Google.
Previously, Damian gained experience
in large-scale data analysis while completing
his PhD in Computational Particle Physics.
I could barely say that.
Next is Miguel Ramos.
Miguel is Senior Product Manager at NewStar
Inc, responsible for NewStar site project,
a leading cloud-based DDoS Mitigation Service.
Mr. Ramos has extensive experience in
product management, marketing and technology.
Previously Miguel was a Product Manager in
charge of hosting and email product lines
at Network Solutions, a leading domain
registrar and online services provider.
We were also to have Wout
DeNatris from the Netherlands.
Unfortunately Wout is here in New York but came
down with a sudden illness of food poisoning.
We regret deeply that he's
not here with us today.
He was very eager to be here with
you and we wish him a swift recovery.
Next on the panel is Danny McPherson.
Danny is the Chief Security Officer
for Verisign, the trusted provider
of key internet infrastructure services
including two of the root servers,
and the dot com and dot net name spaces.
Danny is responsible for strategic
direction, research and innovation
in infrastructure and information security.
He currently serves on the internet
architecture board, ICANN security
and stability advisory council, the
FCCs communication security reliability
and interoperability council and
several other industry forum.
And finally, on the near-end,
we have Miss Jillian York.
Jillian is a Director for International Freedom
of Expression at Electronic Frontier Foundation
where she specializes in free speech issues
and the effects of corporate intermediaries
on freedom of expression and anonymity,
as well as the disruptive power
of global, online activism.
Prior to joining EFF, Jillian spent 3 years at
Harvard University's Berkman Center for Internet
and Society, where she worked on several
projects including the open net initiative.
Thank you all for coming,
we appreciate your time.
Now the way we're going to structure
today's event and discussion is
that I will do a first round of introductory
remarks from each of the panelists.
We'll keep it brief and we're
basically going to try
to set the stage, the background
on DDoS attacks.
Now before I get there, I just want to
offer a little reaction from the common man.
"I've been in the industry myself for 10 years.
I have a familiarity with DDoS
attacks and internet infrastructure,
but in approaching this event and preparing
for it, I went on line and pretended
to be an average guy from Columbus, Ohio.
What would I find if I'm trying to educate
myself online about this serious problem?
And in doing that, what jumped out to me is an
issue of nomenclature, an issue of language,
an issue of understanding, potentially
barriers to understanding and awareness."
So I'm going to ask Jeff Greene to start
painting the picture of what DDoS attacks are
and while we have a number of
brilliant engineers on this panel,
let me suggest that when one goes online
as the average guy from Columbus, Ohio,
he runs into things such as, dos, DDoS, DRDoS,
Smurf attacks, SYN floods, ping of death,
attacks that are perpetrated by Trojans
and Zombies, attacks that are combated
through techniques like Black-holing,
sink-holing, and intrusion protection.
Our job today is to utilize the expertise
of these brilliant folks on our panel
to help translate all of these very intimidating
words around attacks on the internet
so that we can raise the
awareness for the public.
So, Jeff if you wouldn't
mind kicking this off for us.
>> Jeff: Sure, thanks again for
having me and thanks for including me
with such a great group of folks up here.
I thought I'd give a little background on
what are some trends we're seeing at Symantec
in DDoS attacks, motivations also, and
hopefully set the table for the conversation.
The first thing I would start by saying is,
when you're thinking about a DDoS attack,
don't conceptualize it as a
single event or a siloed activity.
You really need to think about it as potentially
part of a larger effort directed at you
or directed at an entity organization.
It can still be a one-off but
more often now days, it is not.
In terms of motives, they can run the gamut, it
can be harassment, political, it could mischief,
you know there's probably still some
15-year-old hackers in the basement somewhere.
It could be someone you know, annoyed,
frustrated with a particular company
or entity and going after them.
It really runs anything.
It could extortion, simple "pay me"
type activity, or more common now
or what we're seeing more of what we're calling
multi-frank attacks and transitioning to talk
about some of trends, we'll start there.
If you folks saw, I think it was in October,
Defense Secretary Panetta was talking
about cyber security and one of the things
he mentioned were these frank attacks
and DDoS is certainly a part of them and has
become less of a blunt-force attack to more
of a sophisticated diversionary
attack; I should say it can be.
The goal, basically being drawing attention and
resources away from standard security to focus
on this response and leaving perhaps
yourself open to other activity.
One example that we talked about at a conference
earlier this year, DDoS was a big part of it
but the DDoS attack happened
actually at the end of the activity.
This particular effort was
directed to mid-sized banks.
It began with spear-phishing and other efforts
to compromise some IT administrators
at the bank.
Once that is successful, the bad guys will then
spend their time figuring out what they need
and they want and it was at this point
that the DDoS attack was launched in one
of the cases that our folks talked about.
It was done on a Friday afternoon when staffing
was light, nationally resources were directed
at responding to the denial service attack which
then left other activities perhaps unmonitored,
and that's when the criminal enterprise
or individual actually began the more
sophisticated attack and actually traded a lot
of information that allowed them to
clone ATM Debit and Credit Cards.
There press reports about one bank having
lost 9 million dollars over the next 48 hours.
So again, the DDoS was a big part of it
because it had really facilitated the
ability to conduct a larger crime.
Another trend we're seeing is
crowd sourcing of DDoS attack.
You may be familiar with operation payback,
which is something that Anonymous was behind.
Initially started as a response to some
antipiracy efforts and worked into a response
when the wikileaks became
very press-worthy in terms
of some companies responding to the wikileaks.
So social networking facilitates the crowd
sourcing essentially why do you need to go build
up or acquire your own botnet to
engage in attack when you could get 100
or 1,000 like-minded friends who
will happily do that thinking
that they're doing something
for the greater good.
And I would also suggest that the criminal
enterprises are fully aware of this
and why should they expose themselves or spend
their resources if they can gin up some real
or imagined front by a company they're
trying to penetrate and get people
to unwittingly support their efforts.
Another trend is application layer attacks.
More sophisticated, generally
you get more bang-for-your-buck,
you can have more impact with less resources.
It takes a little more work, but it is something
that you will see more of,
we suspect going forward.
Two more things, one insider
threat, not strictly DDoS
but it is certainly can be a part of it.
What we're seeing generally with intrusions is
an increasing number of compromised insiders.
Again, often through use of social
media, social media is wonderful.
So it allows folks to figure
out just how to get at someone
and a compromising insider
facilitates the effort and again,
often the DDoS is part of
the culmination of it there.
Finally I would say it's
getting easier than ever.
There are attack kits, there's malware out there
that you can buy, optimized for DDoS attacks.
As all the attack kits out there,
they're becoming much easier
for less sophisticated users.
You don't have to have a lot coding
expertise to get some of these up and running
and have yourself an ongoing
criminal enterprise.
So, circling back to where I began, I
would say that, you know we're here talking
about DDoS attacks but I think it's important
in this conversation not to put it in a box
and isolate it from other malicious activities
that going on and other vulnerabilities
and intrusions because the bad guys don't
think about it that way so we really,
as we're talking about responding to
it, make sure that we don't do the same.
>> Brian: Thank you Jeff, so in listening
I'm hearing that I have more things
to be concerned about, more
things to be afraid of,
something called spear-phishing,
I'm not sure what that is.
That this is a broader attack profile against
the internet that there's numerous points
of attack and it's part a simple attack
that is designed to provide misdirection
so a secondary attack can happen.
So clearly, this is a troubling
landscape that I'm trying to sort through.
Ram, as Afilias Registry Operator on the
internet, you provide technical services
for dot org, on the internet
and other top-level domains.
From the Registry Operators perspective,
what is the scope of this problem?
>> Ram: Thank you Brian and
thanks for having me here.
I guess the very first thing is,
if you're a Registry Operator,
really what you're doing is
you're providing a targeted answer
for where the main names are on the internet.
You're in a target of directory, to a large
extent and that's the biggest job that you do
as Registry and you get information
from people who want to buy domain names
or who want to get a website going.
You get information from them,
store it into a large database,
and the biggest thing you do is propagate it
instantaneously everywhere around the world.
And what that means, is that your browser,
typing in redcross.org when it's sitting here
or on your mobile phone, typing in redcross.org
when your perhaps in another part of the world,
they all translate to get to the actual Red
Cross site, and that translation is done
by the registry, by the directory.
So that makes it a really interesting place to
attack because after all if you can compromise
or if you can take down the
authoritative directory for every dot or,
the main-name in the world, there are
more than 10 million dot org domain names.
There are more than 10 million
dot org websites in the world.
If you can take down the provider who is giving
the information that says to every computer
in the world, hey for a given dot
org, which computer should I go to?
Where should I go to?
If you can take them down, that's not only
a coo, but that also is a global event.
It gets you noticed, there are many motivations
but that's certainly one of them, right?
And that makes the order of registry, a
[inaudible] of what we run a regular target.
Up on the screen you see, this is
some data from earlier in the year,
gives you an idea of the scaling, the
kinds of attacks that come through.
So that's 2012, February and from 2012 February,
to 2012 June, this is the number of queries,
the number of a requests coming into the servers
that we run worldwide asking for information
about a daughter of domain name right.
And much of this comes from DDoS so, the
foundation for DDoS is very simple, right?
It's a denial of service so all these computers
around the world do it, they send a request
in to our server saying hey, tell me where
a particular daughter of domain name is.
And before you even respond they're gone and
they come back again and they say tell me where.
And they do this hundreds of millions of times
in, it used to be a very short timeframe,
but as you can see here,
it's an extended timeframe.
Now what we saw earlier in the year
was in the space of just a few months,
February through to June, we had
a 3X increase, a 3 times increase
in the total volume coming
in in just 4 months-time.
But, if you look further, if you look in
the next screen, that's not the real story.
That 3X increase that I showed you
earlier, so that was up to 2012,
June but look at what happened
from there through to September.
That was a 9X increase in total volume
coming through to the daughter systems.
In total, from February through to September,
that was an 18 times increase in volume.
Not the data is interesting.
The real life importance of this is if as a
registry provider, if you're not provisioned
and if you don't have the measures to boot the
[inaudible] attacks are coming and then be able
to take appropriate counter measures
when such attacks are coming.
You could just go down and going drinking
water means that every single dot org website
in the world, dot org email address, okay
every single thing that depends on dot org,
sooner or later is not accessible on the
internet and it's not happened so far,
but the gap between what do you
provision, and what the scale
of attacks, and who was attacking you.
It's a continuous cat and mouse game.
The other thing that I've wanted for you to
know about is the DDoS words coming from,
it's often coming from your PC that is just on
at home, connected to your broadband connection.
Just sitting there, and you
probably don't even know it.
If you have a good ISB, if you have a good
internet provider, they probably have ways
to track it and many of the internet
providers these days are putting in measures
to understand whether they're a DDoS
attack, so whether you're part of a botnet.
But when we say a zombie,
that's really what it is.
Your computer, your computing device somewhere
connected online, has been taken over,
and you don't know it but it's now part of a
global group of computers that can be harnessed
to attack any given target at a moment's notice.
And that is pretty scary, it's a
pretty impressive feat of engineering,
but it's scary because pulling together
5 million of these is no big deal.
Pulling together 40 million of these,
takes some effort but it's doable.
And if you have 40 million computers
that are just sending a little ping every
so many milliseconds, asking for
information and then just going away,
that becomes a massive problem and
something that you really have to work hard
to mitigate before it overwhelms you
because if it becomes a tsunami,
it's very hard to overcome.
>> Brian: Thank you Ram and thank you for
giving pictures are worth a million words
and giving us a sense of the scope of
the problem and also in your comments,
connecting this to the "why should
I care" question as an individual
if all the dot org sites in the world go down,
the organization who have that website up,
whether they're an NGO or not-for-profit
trying to do good in their mission
or whether it's an individual
or a company in a dot com,
having their commercial activities
interrupted, that's a very serious impact.
So as we move through the discussion,
connecting the dots to "why should I care",
the individual at home, and
also the interesting thing is
that I might be an unwitting participant in
an attack, my machine on my desk at home,
and be completely unaware of this.
I think we're starting to get to
those issues of "why I should care".
So next, let's get to I think,
it's Dr. Damian Menscher.
So we've heard from a Registry Operator
now from an online service provider,
in this case Google, the leading search engine.
Damian with Google's breadth and depth of
technology and reach, this certainly can't be
that big of a concern for a
company the size of Google, right?
Tell me why I'm wrong.
>> Damian: Right because we have a team
of people that worries about this stuff.
So, most people don't realize that
Google is actually regularly attacked.
The reasons you'd sort of wonder why
would anyone have anything against Google?
Well it turns out we actually
host a lot of user content,
so blogspy includes random user
content from people all over the world.
Sometimes that's controversial.
Similarly u-Tube might have
a controversial video on it
and so frequently these sorts
of sites do get attacked.
And it's not just DNSs as previously mentioned,
it's you know, we see application layer attacks
where they'll dispatch the same homepage
over and over again at very high rates,
you know upwards of maybe
a million times a second.
So, you've also probably noticed that we're
never actually down so, if you want to talk
about how we do that, if
you go to the first slide.
So we benefit a lot from economy of scale
when you look at most small websites,
there might be a thousand
websites hosted on a single machine
because they don't get very much traffic.
We sort of turned that around and we might
have a thousand machines hosting one website.
You know Google.com is a big website,
it doesn't fit on a single machine.
So we do benefit a lot from the economy of scale
and pooling our defense resources
across our various properties.
But, go to the next slide, you have
to be a little bit careful about this
if you put everything together,
you also have some risk.
So, I wanted to talk briefly about how
we deal with this and this also is,
as Jeff had mentioned, we have to be careful
that we don't distract our security
team when there is a dos attack.
If we have one team that
focuses on all of security,
then when there's a dos attack we might
be looking at that and miss other things.
So, what we do actually is, go
on, we have layered defenses.
So we have a separate team that
focuses on dos attacks so that
when there's an attack we don't
lose sight of the other attacks
that are happening against us every day.
And, basically we focus on having layered
defenses so; this is a very rough sketch
of what our network might look like.
We don't see the internet
necessarily as a single cloud.
We see it as multiple clouds because we
peer directly with several major ISPs.
We go through a layer of
load balancing at our network
so if any particular network device gets
overloaded, we can work around that.
Then we go through a layer of load balancing
within our own network to eventually get
to the backend that are the
webservers, serving the actual content.
And so by doing this, we're
able to shift traffic
around to avoid any damage
from the attack traffic.
We also have many layers of which we
can filter out the bad traffic so,
at the very edge of our network we might be able
to filter out some of the more obvious attacks,
but as you get deeper in or more sophisticated
attacks, we filter them at other places.
Another thing I want to mention though is, this
style works really well for a very large company
like Google, but most of you are probably more
interested in how to defend the small site
and the best advice I have there is that
the user comment of going to Google,
might actually make sense if
they host their site on Google,
they automatically benefit from our defenses.
They won't even know they're being attacked.
And we frequently do see cases of
organizations that are under a heavy, dos attack
and they just quickly setup a site on
blogger saying, "Hey, we're being attacked.
We're going to use this for
our communication for now."
That's actually, at one point, the
country of Georgia had their ministry
of foreign affairs host their site on blogger
which was entertaining for me to say, like oh,
what are we going to see as a result of this?
But the other thing is just making sure that
you are pooling your resources with others
in your organization, there are other cloud
based dos mitigation providers that sort
of aggregate resources from several different
clients and can provide good defenses for you.
>> Brian: Thank you Damian, and love ice.
It's terrific.
>> Damian: Also our PR people would
want me to say it's not as weak
as eggs, you know like fortified eggs.
>> Brian: Boiled eggs.
[Laughter] No terrific, thank you.
>> Damian: Each layer is very strong.
>> Brian: Thank you and you know,
fully appreciating your remarks too,
one thing that jumped out to me is that I
think one of the challenges we all share
in this space is that from the user perspective,
and I'm going to try to keep bringing us back
to the user and the average person at home,
is that this problem, there's a low level
of awareness and one of the reasons is
because as very responsible service providers
like Google and the other's on this panel,
you've taken on the challenge and objective
of staying up and not being
taken down by DDoS attack.
You've been successful to date and as
such, users who have their sites on Google,
the DNS is sometimes thought of like
electricity, you know it's just there.
It's my website is up, the internet is up.
I only notice it when it goes down.
I only become aware there's a
problem when there's a problem.
So interesting thought, let's
keep coming back to that
"why should the individual,
why should the user care?"
How do we get this on their
radar screen in a meaningful way
so they can become part of the solution?
So with that thought let's go to Miguel.
And Miguel we're going to ask you to
focus on specifically corporate responses
from the perspective of a third-party
mitigation service provider.
>> Miguel: Sure and thank you Brian.
I'm going to dovetail on some of
the things that Damian was saying.
A lot of organizations and a lot of
people don't understand or know about DDoS
and don't see an issue until
it actually happens to them.
And at that point, a lot of
organizations are kind of scrambling,
trying to figure out what it is that they
can potentially do to deal with this issue.
And they most likely go to Google to try
to determine and try to find an answer.
So, a lot of people don't think about
this because they assume that their ISP
or their hoster is actually going to
take care of the problem for them.
Actually, what tends to happen is that when
an organization is under heavy DDoS attack,
the ISP and the hoster is looking
at protecting their own assets
and will most likely just shut you down.
And so they might contact you and
tell you you're under a DDoS attack
but they may not help you through it.
So, there are some things that organizations
can do to help mitigate this risk.
Some organizations look at dealing
with the DDoS problem themselves.
They'll look at buying their own hardware;
they'll look at provisioning
bandwidth, etcetera.
Unfortunately a lot of organizations don't
have the resources to be able to do that.
And it doesn't necessarily make sense for
a lot of organizations because it's sort
of an arms-race and it's hard to spend
your way out of dealing with this problem
as attacks larger and larger and
more complicated and etcetera.
So, there some third-party options that
organizations can look at that I would kind
of consider to be the infrastructure as a
service that can be used on an on-demand basis
to help organizations deal with
DDoS attack when they happen.
So the idea is simply, you don't necessarily
have to over-provision all hardware,
bandwidth, etcetera to deal with the risk.
You can potentially use the third-party that has
that capacity and capability when you need it.
And you know at that point you're looking at
options like content distribution networks,
they can potentially help deal with
absorbing some of this traffic and keeping
that traffic away from your network.
There's also cloud-based providers that
specifically focus on the DDoS problem
and the idea there is if you're under an attack,
your organization can potentially redirect
the traffic over to a cloud-based provider
that can absorb the traffic that
knows how to mitigate and deal
with [inaudible] service attacks and then
sends you basically the clean traffic.
It's sort of kind of putting a shield in front
of your infrastructure on a non-demand basis
when you're dealing with these attacks.
So, infrastructure as a service is something
that is more affordable for organizations
and something that organizations are
starting to look at more and more
as a way to deal with this DDoS issue.
And certainly, there's a lot
of information about that
on Google and it's key to become informed.
>> Brian: Thanks Miguel, so we're beginning to
get a clear picture of the scope of the problem
from a number of different perspectives and in
addition to service providers such as Google
and Afilias, Verisign and NewStar maintaining
their services in a way that keeps them
up 24/7 and addresses these attacks.
There are 4 certain organizations
specific resources available if needed
and that's interesting as we're
beginning to, after setting the scene,
now let's transition towards those solutions
as mitigation efforts, the services that are
out there to design specifically
to provide additional protection.
As we transition, Danny I want you to help the
audience understand some domestic initiatives
such as the anti-botnet work
undertaken by CSIRC and help us to begin
to understand how we can begin to collectively
come together to address this problem.
>> Danny: Yes sir thanks Brian.
So there have been a large number
of clamber of efforts between public
and private sector related to botnet infections,
compromised machines, male code proliferation,
virulence of threats on the internet, just
this broad swath of malicious activity.
It's a nontrivial problem to solve because the
ISPs for example, a lot of folks point fingers
at the ISPs, but the ISPs don't [inaudible]
systems, their [inaudible] system in particular,
the broadband ISP user residential
consumers that acquire service from the ISP,
and the ISP shouldn't be looking
at their traffic and you know
and they have privacy concerns or other things.
So, what sort of controls the capabilities
of the ISPs actually add to help them.
So a number of efforts have
been underway actually.
One such example is the FCC sizerk3,
working group 7 recently published
something called the ABC for ISPs
and it's basically the anti-botnet code and
they develop with a number of other folks
in the industry monolog messaging and ANIB's
working group as well as some publication
in the IETF and broader participation,
actually internationally from folks from Japan,
Cyber Clean to Australia, Finland,
Germany, other folks and it basically talks
about some fundamental things that ISPs
can do to help educate, protect, notify,
detect malicious threats associated with their
consumers and then activity they might take
to help to clean that problem or sanitize
or provide a little better
hygiene on their infrastructure.
So, one pointer there is one of the
reports, the ABCs again, for ISPs,
you can find it on the [inaudible] website
or the FCC sizerk3, working group 7 webpage
that you can find easily via Google
and so that's certainly one effort.
One of the fundamental things,
going back to the user,
is there anyone on the receiving
end of a DDoS attack?
What you should definitely be looking at
is sort of what enables your business?
Most of the folks on this panel, you
know network is our business all right,
we're going to focus on providing
network services and availability.
We're absolutely committed to the security and
stability of our infrastructure and services,
but a lot of folks, network
enables their business.
It enables your email or your web
presents or your small business
or your e-commerce or retail site.
And so irrespective of what
it is, you absolutely need
to consider what the critical network assets
are or the critical assets across the board
to your organization and you identify those, you
say what's the impact of an availability issue
or security issue or a compromise of
information impacting those assets?
And how might I put controls in place to
help mitigate that or to at least have a plan
to respond if there's a DDoS attack or a breach
inside my infrastructure, those sorts of things.
You know one of the things that I've seen in
the past, we did this survey for several years,
a previous employer of mine, and
most of the folks that responded
to this infrastructure security survey didn't
actually even have an incident response team
in place in their organization
even if it's an over-lay team,
much less an incident response plan.
And if you don't have an incident response plan,
you're certainly not going to exercise that
and so you really don't want to be on the
receiving end of something like a DDoS attack
and not have a book in someone's hand that
says this is the phone number I call for my ISP
or for my national curator for my vendor that
provides a certain service or capability to me,
so I think it sort of starts with those
fundamentals, identifying critical assets,
understanding what the options are to
protect the things that are critical to you.
If it's moving services to cloud infrastructure,
acquiring protection services for those,
putting your own controls in
place, but you definitely need
to consider that in your environment.
Consider what the impact would be.
These are a real risk to your
business and your operations and so,
I think fundamentally that's sort of
where I would recommend you start, Brian.
>> Brian: Thanks Danny, so interesting
in your comments, you mentioned ISPs,
we've got registry operators, you've got online
service providers, we've got search engines,
so we really have a number of different
service providers in this community
that helps keep the internet
up in a collaborative way.
The siezerk effort for ISPs in particular
sounds interesting and what we want to get
at a little bit later in the conversation is
a cross this community of service providers
who I assume have different roles and maybe
different responsibilities in some ways,
how do we build on the collaboration that you've
begun to speak about and also interestingly,
you spoke to the organization and
what they should have in place.
Understanding what enables your business, having
a plan in place, and the question that raises
for me is, well how do organizations
know they should have these things
and how do we educate on that front as well?
So we'll get to that in a little bit, but
to round out the panel, thank you all so far
for shedding some light on the scope and
dimensions of the problem and how we can begin
to address it, but let me now go to Jillian.
Jillian, what I'd like you to talk about
from your perspective is what are some
of the unintended consequences related
to DDoS attacks and in particular,
help us start thinking about potential
over-reactions to DDoS attacks.
We know that these attacks are of furious
in nature, we know that we have a panelist
of good guys who are doing what they can
and doing everything we think they should,
but tell us about the unintended consequences
both from the malicious attack side
and when a well-intended operator tries to
take mitigation techniques against an attack.
>> Jillian: Sure, so at the beginning of this
I think Jeff referred to, actually I'm sorry,
Brian referred to sometimes
these attacks being used as sort
of an extreme form of free expression.
I'm not sure I would classify
it as free expression,
but we could say civil disobedience that's
been argued by many and an example of this
that might resonate a little bit better than
say the anonymous attacks against Master Card
and Visa, would be sympathetic
people to the Syrian opposition going
after Syrian Government websites.
That's something that a lot of
people have sympathized with,
have considered civil disobedience in a
scenario where the government has shut
down the internet sensor,
the internet, etcetera.
And so nevertheless the vast majority of
these attacks are malicious, are directed at,
not just these big companies and the
big networks, but also at the little guy
and that's kind of where my
perspective is coming from.
A few years ago when I was still at the Berkman
Center, we did a study that looked attacks
on human rights websites and independent
media website, and 62% of the respondents
to that study said that they had experienced a
DDoS attack at some point and as Damian said,
Google is sort of at what would
you say, the core of the network.
Google has resources, they
have staff, they own fiber,
but then you've got these
other small organizations
that are what we would say is
at the edge of the network.
These are organizations that not only are
they literally at the edge of the network
but they also lack the funding and
the staff to ward-off an attack.
They often have fairly insecure hosting,
their host might jack-up the cost in an effort
to help them and so if you are using say,
I don't want to throw any specific examples
out there although I have a couple, but if
you're using say a shared hosting provider
such as Rackspace or Bluehost, I'm not
speaking of those companies specifically but,
if you're using one of those, and
you are the victim of an attack,
your provider could kick you off, they
could also raise your costs which for many
of us would be completely unaffordable.
And so, when we're looking at the
unintended consequences of these,
I mean I think that there's a
couple of different aspects here.
One is the legal consequences and so
I'm not a lawyer and so I should say
that I should just preface by saying that,
but you know these attacks are largely
by most governments at this point considered
hacking and are dealt with as such.
And so in the U.S. that's governed
by the Computer Fraud and Abuse Act
and in Europe there are other similar
conventions, but I think that we need
to start looking at them as a
little bit different, than that.
I think that you need to look at the sort
of the [inaudible] behind the attack,
we need to look at the consequences of
the attack, and I think a great example
of this is an attack that was conducted against
Lufthansa, the German airline back in gosh,
I'm not going to remember the year, early 2000
I believe where a court actually did determine
that the intent of that attack
was not coercion and was there--
I'm not a lawyer so I feel like
I'm using the wrong language here,
but it was dealt with as
civil disobedience and so.
But that's actually not my biggest concern.
My biggest concern is the unintended
consequences on these smaller websites
and so when we look at the
consequences on independent human rights
and independent media websites, generally
these sites go off line and are not able
to quickly get back up and so we've
seen attacks that last a week, 6 weeks,
or where the site goes down entirely.
And so some of the suggestions that
have already been given are excellent
and I think actually what Damian said in
terms of people moving their sites to Google,
that's actually one of the suggestions that
we give is, if you are a small website,
sometimes you're just better off hosting
your site on a provider like Google
where you have those resources to back you up.
We've also, my organization along
with the tactical technology collective has
also developed this guide which is really,
really basic mitigation techniques.
We're not even talking about the kinds
of things that a corporate website
or even a large-scale organization would
use, but the things that your blogger,
your independent media site might utilize.
And this is available, I'll share it after,
but it's also available in 9 languages.
And so just to sum up, I would say that
we need to think about these attacks,
not just how they affect major websites, but
also how they affect much smaller organizations.
>> Brian: Thank you.
So thank you all.
We've now set the scene, I hope, and provide
some baseline understanding of the nature
of the attacks, the scope of the attacks.
We have 2 hours.
What we're going to do is as follows, we're
going to leave 30 minutes at the end for Q&A
from the folks in the room and from online and
we're looking forward to all of your questions.
We're going to have basically 2 sessions now.
What I'm going to do now is engage in some Q&A
with the panelists and we'll have 45 minutes
for that and then we have in the second session
a scenario that we've built that we want
to rollout in front of our
panelist and ask how they,
in their respective rolls would
react to that particular scenario.
Now I've got about 7 questions or so, we've
got 45 minutes so this isn't rapid-fire
but let's leave about 5 or 6 minutes for
a response to each of these questions.
This is open to anyone on the panel so let's
be dynamic, raise your hand, don't be shy
and we'll kick it off with the first question
which is; let's get specific and both
from your perspective and
from a user's perspective.
What mitigation techniques
are available to us today?
Both you, as a service provider and the user,
how do we stop these things at a basic level?
Who would like to take that on first?
Ram.
>> Ram: Brian this is Ram, let me start; if
I was a user, one of the things that I'd want
to do is if I have a good ISP, then they
probably have a botnet mitigation kit
or something like that, that gets installed
in my computing devices and if not,
I would go to my ISP and ask them
for a mitigation kit like that.
There pretty commonly available.
They're pretty sophisticated and they
give you the first order of protection.
I just also want to point out; having antivirus
software in your computer doesn't protect you
from your computer getting
compromised in a DDoS attack.
>> Brian: That's interesting.
Most average users would assume
that that addresses that problem.
Tell us why.
>> Ram: So earlier, let me give you
an example, earlier we were hearing
about spear-phishing right, so
I give you a specific example,
something that actually happened in
one the organizations I work with.
A high-level executive in this company,
it's a pretty small company, got an email
and the email had a very good subject line,
you know it's a photograph of their daughter.
And it said, took this photograph,
she looks great
and even had the daughter's name on it, right?
And so the executive got the mail, it
looked like a legitimate thing and the,
from address in the email was kind
of somebody he ran into in random,
but there was enough things in the mail
that looked like it was real, you know.
It was the daughter's name was right, there was
actually a photograph and so they double-clicked
and they opened up the photograph and
that compromised their machine and ended
up compromising the network
from there on, right?
Now that was not a virus in the
traditional sense of a virus.
That was something that was custom
crafted just for that one individual
because the person trying to brake-in
had a clear idea who this person was,
they were trying to penetrate, they
understood that that person likely had access
to other important resources inside of the
company's corporate network, got through.
So, they had antivirus on their computer,
but this was not the traditional virus,
this was an attack just aimed
at you, individually.
>> Brian: Thank you and getting back to the
botnet protection package from your ISP,
at a basic level what does that provide?
We heard the story of how your own computer
can become an unwitting zombie participating
in a botnet attack, is it designed to
present that from happening, or other things?
That was a follow-up for Ram.
>> Ram: Oh, for me specifically.
Okay, yeah there are many things that this piece
of software or these pieces of software do,
but often they look at patterns, they look
at where the attacks may be coming from.
They also look at what's happening on your
own device and where it's trying to connect to
and typically you've got certain patterns.
You go to a certain set of sites or you send
emails, you know you connect to a known set
of places for the most part and if your device
has been compromised, often your device is going
to places that you normally don't go to
and your ISP typically has an
idea of that stored up over time.
>> Brian: Thank you.
So let's dig a little bit deeper on that.
What was in your answer was, how do we
identify where this problem is coming from?
I think it's an important piece of the puzzle
here and you and your service provider capacity,
let's turn deeper on preventative measures.
How can we identify where these
malicious attacks are coming from?
Is that an easy thing to solve
for, or a harder thing to solve
for from the service provider
perspective and also from the user?
I think Ram just started to touch on that.
Anybody want to take that on?
So, Danny?
>> Danny: Yeah this is Danny, I'll say
something about that and then move on to others,
but one of the things I think I would touch on
initially is that if you're on the receiving end
of even a moderate sized DDoS attack,
a lot of some of the bigger networks
have the capacity to absorb the attack.
What many ISPs or services in the
infrastructure offer is the capability
to absorb the large-scale bits of
malicious traffic and surgically mitigate
and preserve the availability of the services
that someone may be concerned
with, so that's sort of one aspect.
From an ISP side, one of the
interesting things is that IP is a sort
of hop-by-hap packet forwarding paradigm
for communications networks and anyone,
largely anyone on the internet can emit a packet
in the infrastructure that has a source address
of anyone else on that infrastructure and so
this is known as IP source address booping.
And it's a common attack factor, it's
not the only attack factor and a lot
of times spotted hosts don't
spoof packets at all,
but trace back in large networks
is fairly complex.
There are a lot of techniques people use
from some things like commercial tools
that do net-flow and flow-based analysis to
trace back to the ingress of their network.
The problem is you then have to have
the capability to say, the upstream
or the adjacent network that
attack flows I'm seeing from you.
Can you trace these back on your network?
Hope that they have the same
capability and so forth.
And so it's non-trivial when the
fact that any sort of advisory
on the internet has global projection capability
and you could be on the receiving end of a lot
of packet lull as a result of
that, right, you know what I mean,
and these could be broadly
distributed or single-source attacks.
So, tracing these attacks back is one aspect.
So you would certainly want to trace back
flow-based tools other things and then ideally
if you could find sources that were
participating in an attack, then you could try
and identify command and control
infrastructure that's used a command
or took control those attack sources or those
botnet hosts and then you would step back
from there, but that's an extremely complex
thing and unfortunately what most people do,
and to Jillian's point actually, is that a
lot of the controls some people put in place
through data mitigate DDoS attacks is actually
to effectively complete those attacks.
It's like hey, there's a large-scale attack
of 10 gigabytes per second going toward one
of the smaller hosts on my network so, what
an ISP may do is actually say I'm going
to drop all the traffic towards that
destination at the ingress of my network.
So they do is effectively complete the attack.
That's why it's so important to have
controls in place to be able to identify
and surgically mitigate those attacks,
before the attacks occur, so anyway.
>> Brian: Thank you, very interesting.
Anybody else want to pick-up on this point?
Miguel.
>> Miguel: Just adding to what Danny is
saying, collaboration to try to figure
out what the attacks those sources
are is key and it's not something
that happens very well currently.
It's something that the internet community is
trying to improve on but we're nowhere near
where we need to be and to be able to do some
of the things that Danny is referring to,
you kind of have to have backchannel
communications between providers.
You have to be able to have
somebody on the inside,
somewhere that you can share intelligence
with and that's something that's difficult.
The last thing I'll say about
it is that sometimes,
where are who it is that's doing it is not
necessarily that important potentially.
When these things are happening,
a lot of people might be focused
on getting their infrastructure back online,
but you do have to temper that with the fact
that as Jeff was alluding to
earlier, this might be something
that an organization is doing
while they're doing something else.
It could very well be a diversionary tactic.
>> Brian: Let me pick-up on one point there
Miguel, you know you mentioned the collaboration
between and across network
operators being a challenge.
Is that a resource challenge, it
is a communications challenge,
is it a technical sophistication challenge,
because it is understood from Danny's comment
that this is complex investigation
that has to cross a number
of different network operators
to get to the answer.
What's the issue there?
>> Miguel: I would say that there's a
corporate privacy challenge that a lot
of organizations don't really want their
technical staff or the staff that are dealing
with this problem to be collaborating with other
operators and that's a significant roadblock.
>> Brian: Thank you.
Jillian-- oh go ahead Damian?
>> Damian: I also wanted to say that I
think that the 3 things that you mentioned,
Brian it being resources and technical issues
and communication are also significant
challenges even if you do get
through the communication barrier
to talking to somebody at the ISP,
they might not have the technical
capability to track it further back
or they might not have the resources to spend
time on spending an hour to track it back.
Just knowing that it will just go to yet
another ISP that won't have time to communicate
with you or track it back or anything.
>> Brian: Right, thank you.
Jillian.
>> Jillian: Sure, I'm just
going to make my point again
to the sort of smaller organizations.
I think that it's important for them to sort of
assess beforehand, before this is even an issue,
both what their risk is, if they can do that,
as well as what their priorities
are in the event of a DDoS attack.
And so, for a lot of these organizations
that I'm thinking of, I'm thinking of sort
of the human right sites in embattled countries.
A lot of times there priority is just to stay
up and to keep their content on the internet
in the event of an attack and sometimes these
attacks are coming during say, election periods,
or periods of protest and so a lot of times
what that means is choosing their host wisely,
so we talked about that a little bit but knowing
what their host can do to mitigate an attack,
but also if they're high-risk,
considering a DDoS Resistant Hosting
or some programs that are starting to come up.
Some of these are pretty cost prohibitive for
smaller organizations but, there are a couple
that are a little bit more affordable.
One of them is called Virtual Road.
It's hosted by the international--
I forget the acronym-- IMS--
forget that but based in Denmark.
Another thing is to, you know really
easy stuff, keep backups of your site.
I know that seems so simple,
but that's something that a lot
of these sites are not thinking of and so when
there site goes down, it goes down forever.
And then another thing is
just mirroring their site.
If we're talking about a site that's
say in Iran that's going to come
under attack during elections or something like
that, you know making sure that that content is
up somewhere else can be really important.
You know URLs don't matter as much as
they used to, thanks to social media.
And so just making sure that that content
is still up and available is a lot
of times more important than actually
immediately mitigating the attack.
>> Brian: Jeff?
>> Jeff: Real briefly, I would say in
particular, if you have limited resources,
figure out what your purpose
in tracking back is.
If there's a technical side of it and as smarter
folks up here may appear to have explained it.
It's very difficult to get to the end but
let's say you get through all those hurdles
and you find out where it's actually coming
from, then you walk into a human problem.
Do you really care what the motivation is?
I mean, if your goal is to stay up, you may
only want to track back far enough to be able
to protect yourself and even if you get to the
end, you know it's a bunch of computers sitting
in country x, you'd have to get to those
people to figure out is it a nation state act,
is it a bunch of individuals,
is it somehow loosely connected?
So the track back, you know I would say
just from my perspective thinking about this
when I was up on the hill, there is a techno
side, but there's very much the political
and security side and you get into human
litigations there which are even harder
to track back than some of the techno stuff.
>> Brian: Thank you Jeff.
Let me ask a slightly different question.
When an attack is happening, does it matter what
the targeted platform is from your perspective
and how you react to it, how do you manage it?
For example if it's an attack against the banks
as we've been seeing recently, versus an attack,
versus a social media site or a small-user site.
Does the nature of the target affect
the way you address the problem,
try to mitigate the problem?
Can you give us some dimension on that front?
Miguel, do you want to go first?
>> Danny: Yeah, sure.
Yeah so what I would say is that if
you're trying to mitigate an attack,
what you're really trying to
do is preserve the availability
of the services that you care about.
And so you've really got to flip and say you
know, I really want to scrub out the bad stuff
and try and be able to absorb this attack.
One of the interesting things, when you see
numbers thrown around on scale, frequency,
duration, attack factors, all those things,
you might see 10 gigabyte per second attack.
Well what 10 gigabytes per second attack is on a
webserver or on a DNS server is very different.
That means 10 gigabytes per second
of transaction servicing capacity.
Right, that's basically I've got to be able to
process 10 gigabytes per second of DNS packets
or of web-service packets or SSL packets or
whatever the service is you're concerned with
and that's the only way you can
preserve the availability of that.
So when it gets more and more complex,
is when you have more stay-based
and more complex applications
that more sophisticated attacks
become problematic in that manner.
So I think it absolutely
depends on the attack factor.
One of the challenges is that sort of
commodity, off the shelf routers and firewalls
and those things don't do
application [inaudible] mitigation.
They don't provide certain capabilities.
On the other hand, if it's
some services it may be simpler
to simply absorb a high-rate per second attack
or to just drop bad traffic that's
not target a production service.
So, yeah in short the answer is
yes to your question, I think.
>> Brian: Thank you, Miguel.
>> Miguel: Danny mentioned
that the type of infrastructure
that is being attacked matters,
I absolutely agree.
The type of organization that is being
attacked also plays a factor potentially
and how you're dealing with the
problem of mitigating the attack.
I think Jeff alluded to the fact
earlier that there are attacks
that are potentially, for example extortion.
There's activist-type attacks;
I'll use the activists' example.
These people that are protesting
and attacking your site,
they're most likely discussing it online, so
they're congregating on twitter, on Facebook,
Payspin, whatever site it is that
they're using to IRC relay chip,
you know internet relay chat rooms,
they're discussing attack strategies there.
So, what kind of an attack it is, and
which organization is being attacked,
it does matter because you do want to factor
in how your monitoring social media based
on the particular attack because it can
help you determine what it is that you need
to do and what you need to focus on.
>> Brian: Anyone else?
Let me shift gears here.
I think by now, hopefully we've got a
fairly good picture of the dimensions
of DDoS attacks both from website operator,
individual user, service
provider, civil society.
It's an important problem.
It's a growing problem, there's
no doubt about that.
It gets bigger each year,
it's a big cat and mouse came,
we have a hard time identifying
the bad guys, tracking them down,
stopping them from doing what they're doing.
Who should fix this problem?
Private sector, government,
how do we fix this problem?
Collaboration is important, we've heard
that but it seems like it's a game
that we're not necessarily winning.
Anyone want to take that on?
Pros and cons, Damian?
>> Damian: I'll start off the discussion.
So I think a lot of the difficulty we have
is that nobody feels actually responsible
so the attacks are often being
sourced from compromised machines
and people are saying well it's not
my fault, my machine is compromised.
You know they don't know it, it's an
end user, they don't actually know how
to secure their machine, they're not even aware
that there machine is participating
in the attack.
Then it goes from that machine
through an ISP and the ISP says well,
we're just providing network
transit to our customers.
We don't actually look at what that content is.
And then it might go through multiple
ISPs and eventually get to the victim
who really doesn't have any choice
but to just receive this traffic.
So I think the root issue here is to figure
out who you would actually hold responsible
for these attacks and then maybe figure out
in what way they would be held responsible.
You know clearly, we don't want
to hold the home user responsible
for an attack they weren't aware that they were
committing, however, if we could inform them
and they refuse to fix their machine,
maybe after they've had that opportunity
to fix their machine and they refuse to,
or after we inform a hosting provider
that has compromised webservers
that are attacking you.
If they don't fix those machines after
a month and they're still attacking,
maybe there should be some responsibility there.
>> Brian: So that's an interesting thought
Damian because you all do have terms of service
and abuse policies that users agree
to when they use your service,
so that's an interesting thought.
Jeff, I want to throw this to you and I
know this is part of your past experience,
but having been in the Senate and House
Committee, can you bring a little bit
of the government perspective
to the question I asked
of who should be fixing this problem and how?
>> Jeff: So I guess I would step back
and say that we can't define
this problem as just dos attacks.
You know you phrase it as, it's
not a game of winning, well,
in my mind it's not a game that will ever end.
To the extent it's more of a constant
race, how far ahead or behind are we
of the people developing new ways to attack?
And to my first point about, it's a
broader problem, if someone has a computer
that is being used as part of a botnet
for a DDoS attack or something else,
it's very likely that the folks who are on
that computer could do a lot of other things
with that computer or to that person's
identity or steel their banking credentials,
so it is a much broader problem and I think
Damian made a good point is everyone kind
of pushes it back but at
some level it needs to start
with users taking more control
over their computers.
Not just looking at antivirus
but broader protections.
The government's role from my perspective
and that's something that we worked
on the projects I worked on the hill are
much more critical infrastructure focused,
but if it's true there, I think it's even
more true with a much more commercial side.
It's got to be private sector laden and
the government can play a role facilitating
and educating and punishing and perhaps in some
areas where there is significant possibility
of major national impact requiring
some standards, you're not going to do
that for John Smith who has his
computer at home, you're not going to say
that there is a minimum security
[inaudible] that you have to have
in order to log into the internet.
Were you even to try that, it would never pass.
But the government can play a
significant role educating folks;
simple things as patching whatever software
applications you have, making it the easiest way
for someone to get into your computer.
The patch comes out, someone is out there
trying to figure out what was patched
and how can we take advantage
of the people who don't patch.
So the government, I think the role, sort
of hopefully I'm answering the question.
The role the government is going to play is
going to depend on what you're talking about.
If it's an attack on water, electrical,
other systems the government is going
to have a very active role,
hopefully ahead of time, protecting
and assisting in developing protections.
The government will also have a role in
the backend where possible prosecuting,
investigating and that's
where your earlier question
about does it matter who is being attacked?
Maybe it shouldn't, but the government is going
to be much more focused when you have a series
of major banks attacked, looking whether
there's another type of attack going on
or there are more laws that
apply [inaudible] after that.
Then if it is, you're attacking someone's speech
on block spy, so the government's role is going
to vary, I think depending upon where you are
but ultimately it can't be government lead
because it will end up being less
effective and more [inaudible], in my view.
>> Brian: Thank you.
Let me ask for the service providers, you all
run services that are globally accessible.
You all have network footprints
that are global to some extent.
Specifically, engaging with law
enforcement which I'm sure you do,
you all work for law abiding companies who
under the proper circumstances collaborate
with law enforcement to address
legitimate concerns.
What are you seeing in your
interactions with law enforcement
that provides the good seeds for collaboration?
What do you think might be missing in
your interactions with law enforcement?
I'd like the service providers
to address that point.
Who wants to go first, Ram?
>> Ram: Let me start.
One of the things that is striking
in interactions with law enforcement,
one of the fundamentals here is that
this is essential a borderless problem
and law enforcement has a broader problem.
>> Brian: Okay.
>> Ram: Not a problem, they have to work
within the jurisdictions of
the borders that they're in.
So often when you're collaborating
and working on uncovering,
you know somebody is running a botnet that's
got some significant problems behind it
and if you start to do trace-backs,
you'll find that the folks
in law enforcement would rather work
with you informally than formally
because if they go formal, then you go
through a method where you then have
to involve every law enforcement agency at
every boarder that is crossed on the internet.
It's pretty damn easy to cross those boarders.
So, that's a, I think that's an
essential thing and the real-world hasn't
yet caught-up to that reality online.
That attacks come from multiple boarders,
from across multiple boarders and the morph
in real-time, depending what the response looks
like, and so that's a very significant factor
when we work for instance on, a year and a
half ago, we worked on pulling together part
of an industry or in a taskforce on child abuse
set of sites that were focused on child abuse
and they were using that to infect the
computers of those who had the bad stuff on it
to make them part of a zombie network.
And it got very snarled up in various
jurisdictions legal restrictions,
the necessity to preserve evidence,
versus the imperative to solve the problem
and make sure it doesn't become very large.
>> Brian: Interesting.
Anyone else, Danny?
>> Danny: Yeah so I'll point out
again, some of the work that you know
with public/private sector
partnerships, I think that's so important.
Certainly I don't think you're going to
regulate your way out of this, right?
From a controls perspective there are 869
things that I have to do in my day job just
to check boxes and those give me
marginally more secure, right,
82% of IT security span goes towards
compliance and regulatory controls
and then people try and get
secure on top of that.
Those sorts of things are like antivirus
software and there's 10 new pieces
of male-code a second on the
internet, yet AV is a frontline defense
to protect the residential user or maybe even
a corporate machine, and so I think education
of the threat vector, some of the very
fundamental stuff like patching systems
and software and collaboration and information
sharing and putting these things in place.
From a law enforcement perspective,
I think that some
of the most successful stuff we've seen
involves multilateral teaming agreements
and collaboration, those sorts of
things where there is some coordination
and some effort in trying to work together.
In general though, in particular with
DDoS attack we've always seen this sort
of fragmented response where one ISP on
the receiving end, or along the projectory
of an attack will drop all the traffic
towards the destination and cause,
you know effectively completing
the attack for that network,
and another one will security research will
infiltrate the command [inaudible] structure
and law enforcement may be there and then
someone will break one of their connections
to the C&C infrastructure and all of a
sudden, you can't even disable the attack
because you've got all these headless machines
out there that are attacking something
and depending on where those systems
reside and where they're coming from.
I mean we've seen attacks with
attack sources in 100s of countries
and you're breaking lots of laws.
I mean just if you were to try and disable
an attack if you had the keys to the command
and control infrastructure, that sort of thing.
So it's really problematic and there needs
to be a lot of collaboration and cooperation
and I don't think regulations a way,
but I do think harmonizing and working
on the international aspects and the information
sharing and collaboration, you know those sort
of things are the only way we're going
to be in a better spot collectively.
We're playing a lot of wackemall
today and I'm not sure it's effective.
>> Brian: Jillian, let me ask you, from your
perspective, from a civil society perspective,
what more should industry and government
in their roles, be doing to address this?
And what in their collaboration
would you hope that they avoid?
>> Jillian: So in terms of what more,
I mean I think it's hard for me to say.
I mean I think one of the problems
here is that as others have mentioned,
law enforcement is going after the folks
who are going after the big targets.
And I understand that, but it's not really
ever going to help these smaller targets.
I mean you don't see law enforcement going after
the perpetrators of small attacks and a lot
of the attacks that I'm looking at
are happening in other countries
where sometimes the perpetrators
are in other countries
and so from my perspective I'm not
thinking so much about U.S. law enforcement,
but in terms of what people can be doing
more about and what they should avoid.
I think that a lot of it is about raising
awareness as folks at the other end
of the table said in the beginning,
I think that making people aware,
not only of what might be going on in their
own systems that they can avoid becoming part
of a botnet, but also what they can be
doing as individuals and as organizations
to mitigate the potential of DDoS attacks.
And then as far as industry,
I think adding that layer
of civil society is really important as well.
Making sure that industry is collaborating
with civil society to make more
of these systems available to
the smaller user would be great.
And as far as what law enforcement
should avoid, I think a lot of it
for me is addressing whether DDoS attack
are a useful form of civil disobedience.
I think it kind of comes down to that and my
personal opinion, this is really not the view
of my organization which does
not have a stated view on this,
but it's just that I don't think it's a
particularly useful form of civil disobedience.
I think that in the United States we have
many other paths of recourse to protest
and then I think that when you look
at the example like I gave before,
attacks against Syrian government
websites, it's a bit of a different thing.
But nonetheless, I think that the effect of
these attacks on smaller websites is so great
that we should really sort of
try to look at the whole picture
and realize how much damage this is doing.
And so I guess in thinking about that, I
think that that should also sort of inform
where we think about law enforcement.
>> Brian: Thank you.
Danny [inaudible]?
>> Danny: Yeah I just wanted to make
one other comment, something she touched
on which I think is really actually
is, one of the things we see a lot
of is the internet itself
is inherently multi-tenant.
And then you see a lot of, in particular
a lot of the smaller folks can aggregate
and there's these really high tenant
densities on certain pieces of infrastructure
and what ends up happening is that someone
on the infrastructure gets attacked
and there's a lot of collateral
damage that everybody is impacted.
Or a really large attack along
a trajectory fills some links
and not only is the intended target impacted
but there's collateral damage to other people
that utilize that infrastructure.
And most of the attacks that the folks have been
on the receiving end of seeing is that it's hard
for an attacker to gage how much firepower they
actually have and to surgically attack a target
with a DDoS attack on the internet, usually they
sort brute-force flood a whole bunch of traffic
of a particular type and there
is collateral damage in that.
And that's an important artifact
that you're highlighting there
and if you have high-tenant
densities on cloud infrastructure
or lots of people behind small links then
it does have a really devastating impact
and not just on the target, but maybe on
other people that utilize that infrastructure.
And so I think that's important highlight.
>> Brian: Thank you.
Damian?
>> Damian: Yeah just to follow-up
on that, Jillian had mentioned
that law enforcement doesn't go
after the very small attacks.
They tend to focus on the large attacks.
But I do see the large attacks
as the most damaging,
largely because of what Danny said
of, it causes collateral damage.
If there's collateral damage on other sites
that they have no other way to mitigate,
they will kill the small
victim, they'll completely attack
by just turning off everything to that site.
So by basically preventing any very large
attacks by having law enforcement focus
on those we at least give the smaller sites a
change of getting some dos mitigation service
to help them and basically that
boundary is probably around 10 gigabyte.
You know once you get up over 100 gig, there's
very few organizations that are going to be able
to help and most are just
going to turn off the site.
>> Brian: So right now on this issue,
it's the rule of the submarine captain
that is the compartment flooding, and their
sailors in there shut it off to save the rest.
And that's where we are.
So, this is interesting and I think
we've all been very polite so far,
so allow me to play devil's advocate and put
your feet to the fire a little bit folks.
So what I'm hearing at a high level to pull some
threads together, is there is some coordination
across law enforcement which is key
to this solution in collaboration,
but it's not nearly what it needs to be.
It itself is a barrier to our
ability, at least in the industry,
to work on these problems with law enforcement.
We're hearing that there is some collaboration
across network operators but not as good
as it needs to be all the
way up and down the stream.
And some lack of sense of responsibility
coloring that part of the puzzle.
We all in this industry trumpet the fact that
the internet is critical global infrastructure.
We all in this industry trumpet the
fact that the infrastructure of nations
of countries have come to rely on the
internet, banking systems, electric grids soon,
governments have a clear interest in this
critical infrastructure and if I listen to all
of this and piece together,
I could come at this from,
this is a fiddling while Rome burns
dynamic going on between industry
and governments and civil society.
So, putting your feet back to the fire, what
needs to happen in terms of collaboration,
in concrete terms to break through at the
industry level, at the government level
and across those levels and with
the civil society perspective.
Let's get to it.
Who wants to take it on?
Pause.
>> Ram: Sure I'll jump on the grenade.
Look I think everyone who is here and everyone
who is up here is not part of the problem.
When you take it to the global
level of the impact on society
and the fiddling while Rome burns and the
implication that there's an existential or close
to a threat to us, everyone up here and I
assume because you're here, you all get it.
The problem we have are the sectors
that you mentioned that use technology
but are not technology sectors and going back
to my government experiences, often, not always
but often, the difficulty in those sectors to
get nontechnical executives to spend the money
or the time to put in place the protections.
You know Danny, I thought talked earlier
about the need of a mitigation plan in place.
If you're under a major denial service
attack and you're then figuring oh,
how do I deal with a denial service attack?
You're toast, you need to have things in place
ahead of time and that's where going back
to the question about where the government
can play a role, my personal view
and what we were trying to do on
the hill was create an environment
where the truly critical
infrastructure systems are required
to meet some base-level of security.
Not a technology specific but more
if you're talking about computers
that control big machines,
water pumps, electric grids,
those shouldn't be connected to the internet.
A lot of them are.
Some of them are connected with open connections
using default passwords available through,
no offense, Google searches.
So, what needs to happen, I think is some
impetus, some general understanding of the type
of threat that the country faces both in
the digital realm and in the physical realm.
But again, I think going back to what I said
earlier a lot of it starts with the individual
and I used to be very skeptical as to
whether we could actually get most people
to do basic hygiene things on their computer
and then one of the things that we also covered,
the committee worked on was swine flu and
as soon as big bird told everyone to cough
into their elbows, you have a fast majority
of American's, you see people coughing
or sneezing into their elbows now.
We change behavior very quickly and I
think there can be an education campaign
that could change enough behavior to help stop
the problem, but without some type of push,
I think that we're all going to
keep trying to do what we can,
but the people who need to
make the changes may not.
>> Brian: Ram, thank you.
>> Miguel: Thank you, so I'm a bit
of a skeptic on these push-measures.
Folks do push-measures, governments do
push-measures all the time and decades go by
and the basic problems don't get resolved.
One thing that does seem to work is events.
Events result in consequences.
Michael Angelo, the virus got people to install
antivirus software, Y2K got people to focus
on mitigation measures, 9/11
caused a series of responses
and the Georgian Cyber War
caused another set of responses.
We don't really have a global cyber event,
I'm not asking for one, but I'm just saying
that if you just look at human behavior and
you want to affect human behavior and you want
to get individuals, governments, civil
society, public sector, everybody together
and the private sector together, you
need to have something to unify around.
The threat today doesn't feel real to me until
I get attacked and if my friend got attacked,
I kind of have some sympathy about
it but I kind of shrug my shoulders
and say, "Ain't going to happen to me."
And there is not the unifying
sense of impending doom.
>> Danny: Can I just, I agree with everything
Ram said from the skepticism to the kind
of work I was also trying to also do the
need for an event and we would tell a lot
of the skeptics who came in is, look you
have Congress trying to act proactively.
It may not fix everything now but when
something happens there will be better systems
in place to respond to it.
But more importantly, you want
government to act proactively
because when government acts reactively, it acts
stupidly and that's why there is a strong effort
to get some type of performance-based,
nontechnology specific standards
that are limited to really critical stuff in
place, so hopefully some things will improve
and if something happens, we have the framework
that is not so regimented that the attempt
to fix the problem actually enhances it.
But I'm ultimately, because I'm a cynic
I don't think we're going to do anything
until we have something blowup and
that's unfortunate to say the least.
>> Brian: Danny, oh Damian thank you.
>> Damian: Sure, yes I also sort of
agree with the cyber event being needed.
Not needed but, [Laughter] if you look
at history, we've seen that there's
like an email worm or virus that comes
out approximately once every 6 months
because that's how long it takes people
to forget and start being stupid again.
And you know click on everything they see but,
you know once every 6 months
everyone gets infected,
everyone is like oh yeah, I shouldn't do that.
Fortunately no major damage has been caused.
Nobody has ever actually-- there
haven't been any large-scale cases
where people have lost data.
I see this as very similar
to how diseases spread.
If you killed the person instantly,
like if someone gets infected
and you format their hard drive right
away, they don't have time to spread.
They don't have time to pass it on to others
and so most of the malware that we've seen
so far has been fairly benign
and that allows it to spread,
but it also means it doesn't cause much damage.
I also wanted to say, I think right
now laws largely favor the attacker.
There's a lot of constraints on information
sharing, all of the jurisdiction issues,
and that also means that
there's a very slow response.
If somebody goes to law enforcement, law
enforcement might have to sit on it for weeks
or months before they can actually
take action against the attacker,
if they can even get to the attacker.
So, some things might need to change
in laws to allow the defenders
to keep up with the pace of the attacks.
And it's also important to note, you know
sometimes the attacker would actually know how
to shut down the attack, it's just they're
not legally able to and so there are a lot
of inherent delays in the system.
>> Brian: Thank you, Miguel.
>> Miguel: Just adding to that,
it's worth noting that there's
such a stigma associated
with security incidence.
Organizations are very unwilling to
admit that something has happened.
They don't want to admit so publically.
They really, they don't want to collaborate
and to be effective, a lot of operators have
to work, as I mentioned earlier, they
have to work through back-channels,
people they know where the person
that you're potentially collaborating
with would probably get slapped if other people
were aware of this collaboration taking place.
So, that needs to get formalized,
potentially more formal protocols
for collaboration need to be developed.
And from an international perspective,
governments need to do a better job at.
They haven't caught up to the
fact that this is a big issue.
So, some examples where we, as an
operator, we're seeing attacks happening
on small government websites, Syria's
as an example, and you actually want
to lend your resources and
expertise to help these people,
but because of their own
roadblocks, legislation,
etcetera they actually can't receive the help
that you are potentially
looking at offering them.
So we've been in situations where we've
seen protest attacks during elections,
for example in smaller countries, and
we are willing to help them but then,
these governments have restrictions
on where their data is etcetera while
at the same time they don't
have the infrastructure to deal
with this problem themselves, but they're
handcuffing themselves, so all of that has
to change for us to be able
to be more effective.
>> Brian: Danny?
>> Danny: Yeah I think some of this sort
of the tragedy of the common sort of thing,
the sheep on the commons I guess if you will.
And what's the impact on
me or the investment on me?
Actually the Internet Security Alliance did
something not long ago called a CFO's Guide
to Cyber Risk and in that document they
introduced the notion of a digital immigrant
and they're talking about someone that didn't
grow up digital native or wasn't prolific
with electronic devices and the
internet and the capabilities of those
and they were discussing how in many places,
they're the ones that control the purse
strings or control the investments.
Like people don't have problems investing in
fire suppression systems but if you ask about a,
DDoS mitigation capability, well
nobody is going to invest in that
until they've been attacked right, or
unless you're a very savvy organization
or have a lot of the right folks that do that.
And then people even question those investments
after a long time of not being attacked.
So I think definitely looking at what enables
your business again or whatever size business,
because it's all relative
right, I mean we've seen things
from animal rights activists attacking zoos,
to Jersy Joe's a local sports memorabilia
being attacked by a guy across the street
for a gold watch and a pair of tennis shoes.
And that's a decade old, right?
And so, I think understanding what
the impact of these things are
in your business is extremely important.
I think understanding the constraints
today as well, this is a global problem.
The internet is loosely interconnected network
of networks and largely provides any kind
of activity and that's a fantastic thing.
You know the fact that you can launch
DDoS attack might be considered a success
of that substraight or that
infrastructure, right I don't know.
And so you certainly don't want
over-pivot either and compromise privacy,
you're a regulator, put controls in place
that might impact that global platform.
That's something important as well, so
I think that's why industry partnership,
private sector with halook and things
like information sharing and saying look,
these things are impacting
real people, real organizations
and law enforcement government needs to go
after that and accommodate those as appropriate.
But at the same time, I think we do have
to be careful about over-pivoting as well.
>> Brian: Thanks, Jillian.
>> Jillian: Sure, you know I think I'll just
give the civil society perspective what we can
be doing better.
For example, my organization has come under
several DDoS attacks at different points
and we do have a big enough team in place
to try mitigate those pretty quickly
and we've mostly been able
to do that successfully.
But I think there's actually a pretty
strong lack of information sharing
across my type of NGO or NGOs in general.
I'll give you an example of this, and
I don't mean to pick on this group,
but I think it's perfect
and quite public example.
Avaz, which I'm sure you're familiar with, a
few months back they came under DDoS attack
and their first reaction was to send a message
out to their members asking for donations.
But what they didn't do is they didn't
share any of the details of the attack,
not that they necessarily needed to publically
but they actually straight-up
refused to share the details.
We have a group of technologists who had
been asking for that information and I think
that sometimes that information is actually
quite helpful for organizations to share
with each other so that we can
understand what type of attacks our allies
and friends are coming under and therefore what
types of attacks we might be at greater risk of.
And so I think that that's a really
good example of how not to respond.
In the end they still didn't want to share, and
we said okay, fine but I think that just sort
of going and asking for donations
and not kind of collaborating
with other civil site organization is not
a particularly helpful way of responding
and we'd be much better off if
we were clearer with each other.
>> Brian: Thank you.
So thank you for that.
I'm going to draw this part to a close.
Some takeaways for me in the
last round of questions is
that clearly there are some structural
barriers to the level of collaboration
that everyone seems to believe is
important to addressing the problem,
both at the government level,
and at the operator level.
I guess the understanding at senior management
level that investments in the security aspect
of their business are as critical
as any other to their business
and have to be central to their planning.
And at the government level, clearly
existing legislative structures
and collaborative barriers between governments
need to be broken down if we can get
to the place where we can be more aggressively
and effectively collaborating
to address the problem.
So, we all knew that we weren't going to solve
this problem with today's panel and I want
to thank you all for giving us a lot
to think about and those are some
of the takeaways that I've gotten for myself.
So now, let's take a breath and for the next 35
minutes or so, try to have a little bit of fun,
make it a little bit more dynamic for the
panelists by running through a scenario
and then we'll have 30 minutes at the end
where we want to hear Q&A again from folks
in the room and from the folks online.
So, shift your mindset now on
the panel, we're going to walk
through a scenario of a DDoS attack.
What I'd like you to think about
is what your specific role would be
within the scenario and how would you react?
What would be the things that would be important
to you in addressing your part of the problem?
There's a clear understanding
and appreciation for the fact
that good security also means not divulging
all of your good effective practices.
So I'm not asking you to say anything
that you wouldn't want to say publically.
Let's get that clear.
But I want you to take this on as a
real-time event and then in your proper role,
tell the audience what's important to
you, what do you need, and in a direction
of how would you see or design a best
practices reaction to this scenario.
So let's start this part of the program.
So the scenario we've developed is as follows.
The citizens of small country A,
let's call it the Kingdom of Genovia,
my 14-year-old daughter insisted that I do that.
Kingdom of Genovia has been criticizing
an economic embargo put in place
by a regional Hodgeman, let's call it Mordor,
against its neighbor, a small country Gilder.
The citizens of Genovia who have a long
standing alliance with Gilder are very upset
about Mordor's embargo against Gilder.
Condemnations include mass rallies as well
as increasingly critical posts
on blogs and social media sites.
While the government of Genovia itself
shows no public support for the protestors,
neither does it criticize them for
exercising their freedom of expression rights,
fueling speculation that it
actually condones the protests
and may even be behind some of them.
Large-scale DDoS attacks begin against Genovia.
They are aimed primarily at the social
media sites posting the criticisms
but also at Genovia's financial sector.
Researchers indicate that the attacks are coming
from botnets of comprised end-user machines.
The financial attacks are perceived to
be an attempt to weaken Genovia's economy
because the core issue, after all is an embargo
and that the financial sector has showed itself
to susceptible to other kinds of
security incidence and breaches.
Traces show the attacks originating
primarily in Mordor.
Some of which could be locations
under government control.
Some however, appear to come
from unrelated countries.
Mordor predictably, denies any responsibility.
With those facts, in your respective
roles and responsibilities,
start off with what's important to you
in your given role and then we'll move
on to what actions you might take.
Jeff, do you want to tee it up?
>> Jeff: I guess the first thing, you know I'm
being the least technical guy up here I think,
you're going to want to really figure out, you
know you talked about the attacks originating
from Mordor, but does that mean
the commanding control is there?
Are the machines all over the place?
If you're going to respond, you need to figure
out first what is your first goal in responding?
Are you going to try to stabilize
your systems or are you going to try
to somehow get attribution
and then seek retribution?
So, I guess my first council would be look at
what you have in place to respond and figure
out what your ultimate goals are.
You need to know what you're driving
at so you're not wasting resources,
pursuing answers to questions that don't
help you achieve your ultimate goal.
>> Brian: Thank you, Ram.
>> Ram: Four things.
One, get contact lists together
because you know people
but there are other people involved
here, so you've got to get that.
That's in some ways the top thing.
Second is to setup an analysis stream work.
Once you identify the scope of the problem, then
you need a framework in which to actually work
as new data comes in and you need a structure.
So create a structure for it.
Third thing is to begin working with upstream
providers, folks who are connecting you
and connecting others to the internet.
Start working with them because you need to
have information sharing and also the ability
to take mitigation measures, to
take steps if and when you have to.
And the fourth is to setup alerts based
on pattern recognition or traffic analysis
that your analytical team is already doing.
Those are the first four things to do.
>> Brian: Thank you, Damian.
>> Damian: So the first thing I would ask about
this would be what style of attack is this?
Depending on some attacks can be
spoofed with the sources, some cannot.
So if the sources are definitively like, you
know they're definitively coming from Mordor
or you know what these sources are, that
can help a lot more than if it's an attack
where you don't really know where
it's coming from, you just know--
you don't know which machine
it's coming from in Mordor.
You know that it's just coming from
that country in general, maybe.
And I think that's the key
thing to focus on here.
I mean, I agree with what other's said,
but I think it's important to start
by understanding the details of the
attack, figuring out what you actually know
and versus what you are assuming
or guessing about the attack.
And then I would also start thinking about
what type of collateral damage is acceptable.
If you really only care about financial services
in Genovia being accessible to people living
in Genovia, they could at the boarder of their
country, just block all traffic from Mordor and
yet people who happen to be on
vacation to Mordor might not be able
to access their bank account,
and that would be pretty bad.
But you could at least partition the
problem and keep your own country up.
>> Brian: Thanks for that point and just
to note, people on vacation in Mordor
to my understanding, no one walks into Mordor.
Miguel, please.
>> Miguel: I might actually repeat some of
the things that my colleagues here have said.
From the perspective of an operator
that focuses on mitigation and defense,
I would probably start by
looking at the affected entities.
Get a good scope on what the
targets are, what's being affected.
Move to start looking at determining
what the attack vectors are
that are being used for this particular attack.
You can do this in a variety of ways
and then I'd probably start focusing
on starting the mitigation techniques and
the defense against these affected systems.
As Damian said earlier, I'd look at prioritizing
and trying to determine or trying to gauge
which affected resources are acceptable
collateral damage which are priorities and need
to be available and need to be in place.
I'd be sharing information as much as possible
with both, the public and private sector,
the operators in question that manage
the assets that are being attacked.
So definitely start reaching out to people.
Another thing that I would be doing
is heavily monitoring social media.
Typically with an attack on Mordor, let's
say and suspected political motivations
for the attack, I would be looking at
Facebook, I'd be looking at Twitter,
I'd be looking at internet relay chat rooms.
Anywhere where these attackers could potentially
congregate to organize, I'd be monitoring that
and I'd be trying to agleam
as much information as I can
from that activity that is going on online.
So those are some of the
things that I'd be doing.
>> Brian: Thank you, Danny.
>> Danny: So yeah I guess there's both a luxury
in going last and not having much [inaudible],
but there are a few things
I could offer actually.
I think these guys are all
spot-on with a lot of this.
I think it certainly, whatever
detection capabilities you have for this,
whether it was a phone call, hopefully
not, or an alert or some capability,
engage your incident response
capability which you should have now
because you've been alerted to that.
And the figure out what controls
for that sort of attack factor,
right, exactly as these guys have said.
You certainly want to continue with continuous
monitoring and make sure that other devices,
other things aren't impacted in particular
with sort of multi-vector attacks,
especially such as this which we
have seen empirically in the past.
One of the things that you have to be really
careful about and we've actually seen this
in the past and learned from that, is Genovia
should have learned from is that you've got
to be really careful about what kind of
controls you put in place for attacks as well
because you may say, I'm going to bring
everything back into my organization,
under control and then I'll
turn my internet access back up
or inside my nation, or whatever it is.
And we've literally seen this at the
national level and so you decide you're going
to break all your connectivity and then you
realize you don't have a root name server,
or you realize your CCTLD is hosted in Mordor.
Or you realize that your emails over
there, your authentication service,
your CA that issues your searcher there
or, some other resource that you need.
So you really need to numerate those things
and understand what enables your
business before these attacks occur.
I think I use this statement in the past
but kind of goes back to Mike Tyson's,
"Everyone's got a plan until they
get hit," sort of mentality, right.
And so I think that if you haven't done
this and you're on the receiving end
of a large-scale attack, it could be really
problematic so certainly absorbing an attack
and then refining your controls and mitigating
as surgically as possible and then trying
to move those controls further and further
upstream and then collaborate as much
as possible is pretty much what you can do today
and then protect any forensics information
associated with that for whatever it is
that you might intend to
do with that information.
>> Brian: Thank you, Jillian.
>> Jillian: There is almost
nothing left for me to add here.
It is the great thing about going last.
But since you did ask what my organization
might do, I suspect that after the leaks
to the Mordor times come out that Mordor
government officials had something to do
with the attacks, we would probably
condemn the government of Mordor
for having double standards-- no
I'm just kidding, sort of, but yeah,
nothing that I can add from
a technical perspective.
>> Brian: Okay, well from-- you know what I'm
going to reverse order here, so you'll go first
and Jeff you're going to have to
deal with Danny's problem next.
So this is good and very helpful in terms of
the first priorities, the first analytical
and reaction priorities from your
perspectives very clear and interesting--
not interesting but a lot of
consistency across the board there.
Now let's take it from the point of view
of, if this were an ideal scenario in terms
of effective mitigation techniques, effective
collaboration with network operators,
effective collaboration with
government law enforcement resources.
Walk us through how you would get to that good
outcome from that perspective and Jillian,
from your own point of view, kick it off.
>> Jillian: I'm not sure
I can kick that one off.
Like I said, this is a wonderful
and probably very likely scenario
but it's also it's not the level at which
we're generally dealing with these things
and so I'd actually love it if
somebody else wants to kick it off
and I'll keep thinking through that.
>> Brian: All right, Danny, you're first up.
>> Danny: Wow, an ideal scenario
is that it's not my problem anymore
and so having the capability to either certainly
stop these things from being launched at me
with some sort of capability or
collaboration with law enforcement,
other folks which in this case
might be very problematic so,
at the sort of ultimate ingress point of
your network, putting controls in place
that minimize collateral damage or even scope
the distribution of reachability information
in a certain place on the
infrastructure, that sort of thing
so that you have some sustainable
controls in place
and you're not continuously simply filling links
and absorbing that and causing collateral damage
to other services or people
that may use those links.
It's really problematic if there inter-media
networks with other eyeballs or content
or other things that you may or
may not want on your infrastructure
and so if it's an adjacent
network, it's a lot simpler, right,
it simply if you've done your homework
before and then simply shut those links off
and you may be fine, but if I'm a
smaller network and this is someone,
somewhere that's nonadjacent to me, it could be
much more problematic because I may have to work
with them to push controls further and further
upstream and that's about their capabilities,
the lulls, what sort of technical
or legal framework
that they operate under,
time scales and other things.
And so, it's sort of all relative to perspective
and why the broad variance of attack factors
that occur today, why it's so problematic
to just get your cookie cutter out
and say this is a solution for that
and so, it's nontrivial I think,
so it entirely depends on
vectors and other things.
I'm not sure if I said anything
that was actually useful, but--
>> Brian: That's fine, Miguel please.
>> Miguel: In an ideal scenario
where information is being shared,
where we've quickly been able to determine what
the attack vector is, we are looking at ensuring
that we can put really precise filters in place
to lob off attack traffic while
letting good traffic through.
It's easier said than done a lot of the time.
As I said, it's in an ideal
situation we understand the attack,
and we can put the right mitigation
strategies in place to deal with it.
So in that ideal situation, most likely
we should be able to get to availability
within minutes if people
are cooperating correctly
and we have the information that we need.
The problem is that we don't
live in an ideal world
and beyond that, attackers are smart, right?
So they try one thing and then you
scramble and get the sites available again
and put the right mitigation strategy in place,
but then potentially they might
start trying something else.
You know if that's not being effected, they'll
go route B and then potentially will go right
to route C, so it's a cat and mouse game and
it's far from ideal and it's starting over again
in some sense in terms of putting together
another mitigation strategy to deal
with the new attack vector or signature
that comes in and unfortunately,
the ideal scenarios never happen and
attackers have gotten smart and they know how
to [inaudible] it up and do the damage,
and put the damage that they need
to for the people that are unprepared.
>> Brian: Thank you, Damian just let
me interject before you go there.
So hearing Danny and Miguel,
clearly understanding that again,
the problem of the upstream operator and
what their sophistication capabilities are
in helping you diagnose the problem across
networks, if you will you pointed out.
And also the clear understanding
of needing to kind
of secure your resources and
prevent collateral damage.
But Damian, Ram, Jeff, bring in also how do
we work effectively with law enforcement?
What can they do to help, what can
you do together and the good scenario
when it works well with the upstream
provider, what does that look like?
>> Damian: Yes I'll start by saying
without bringing in law enforcement,
ideally you would be able to work directly with
the network operator, they do want to track it
through their network and
stop the attack upstream.
There are situations as Miguel was
saying; sometimes it's a little tricky.
In this case we don't know if the
government of Mordor is behind these attacks.
So, it's sticking with the scenario
it's never going to be entirely idea
because you don't necessarily want to tell
the ISP in Mordor what your fingerprint
of the attack is which maybe would help them
filter it because they might just turn around
and tell the government, the government
will modify the attack to not match
that fingerprint anymore and then you're
in bigger trouble than you were before.
So, depending on how paranoid you want
to be, I'm a security person so I'm paid
to be paranoid but, you have to be a little
cautious about what information you're sharing.
Try to share information that's
useful for stopping the attack but,
not sharing everything you know about
the attack so you can still trace it.
In terms of law enforcement since we're
in the U.S., U.S. CERT is a good resource.
They have contacts at CERTs.
CERT is Computer Emergency Response Team.
They have contacts at CERTs at every
other country and so that's very helpful
because they're sort of a central point.
They might be able to recognize that
you're not the only victim of an attack,
so they might be able to correlate events
that you perhaps were not aware of.
And they can also assist with language issues.
You know it's very difficult for me
personally to email an ISP in Asia
because I don't speak any of the Asian languages
whereas U.S. CERT probably has the ability
to handle that translation a little bit better
than Google Translate which
is my fallback option.
[Laughter]
>> Brian: Thank you, Ram.
>> Ram: Thanks, so in this ideal scenario
perhaps one of the things that have to be worked
on is the formation of an
alliance for data sharing.
Especially identifying who the next
Genovia might be and you go work
out who those next Genovia's might be and
this kind of an alliance cannot be government
to governments, it's got to be public, private,
a combination of that and that takes time to do
but this is the time to start
doing it [inaudible].
The second, you know we're talking about this
ideal scenario and there is rapid availability.
The attack happened, mitigation
happened, everything came back
but remember this might simply Mordor
profiling you for a bigger attack to come
and they've now learned how you countered it
and their building counter-measures right now
for your counters and that's likely to happen
if this is really a serious
act coming up against you.
So, you may leave everything
on the floor at this time
and you may just get killed
really online the next time.
On the third is law enforcement, this is a case
where most often this is a source less crime,
there is no one to prosecute, there's no
one to really go after for the most part.
Most of the people along the way are in
transit and are trying to help to some extent.
They're just doing their job passing
packets along, passing information along
and they got coopted into something that
was initially beyond their understanding
and eventually beyond their
ability to solve individually.
So you have to start to change a little bit of
law enforcement's mindset of who are we going
after because this is not so much about
a counter attack, this is often much more
about prevention and you have to start
thinking about the online equivalence
of a neighborhood watch and one doesn't
really exist in any coordinated way today.
>> Brian: Thanks, Jeff.
>> Jeff: I definitely like going last.
I have more time to think about what I'm going
to say and I bounced around with a few ideas
but you know they say don't fight the scenario
but I was always the kid
who fought the scenario.
So I guess I would start kind of where
Damian went, if you're an ideal scenario
that means Mordor is helping and helping
you willingly and with no ill intent
in actually wanting to stop their
own citizens who [inaudible]
and probably something they believe in.
Which leads me to point two, I think Ram hit
well, if everything is really going that well,
that's when you should really start being
scared because things never go that well.
So question everything that worked
and try to figure out why it worked
and is someone just letting you think it worked?
In terms of what does it look like to be
successful on the legal and governmental side,
there are a lot of things you need to work.
Governments that are willing to share
information, that have relationships,
that trust each other, but then
even beyond that you need laws
that will allow the information sharing both
between the private sector and the government
within each country and then
between the various governments.
But then you also need laws
that protect the privacy
of the individuals whose information is
being shared and assuming you have all that
and you get the information that allows
you to find the actual source of the crime
which as Ram said is very difficult, you
actually have both resources and laws
that allow prosecution and not in medieval ways
of people who are doing these types of acts.
So going back to, you really need
to figure out what your end-goal is
out of this before you figure
out, it would be great
if you'd actually prosecute the people doing it.
It would be better if you could get
all your systems back up really quickly
and try to develop better relationships
to prevent them in the future.
>> Brian: So Jeff, just picking
up at that point,
this will be the last round then we'll
turn it over to Q&A for the audience
and Ram mentioned the notion of an alliance.
Danny the scizrick work that
mentioned at the FCC.
Very interesting industry, government but
clearly, just uniquely ISP focused in terms
of best practices or a potential code
of conduct if you will in that exercise.
Where is this collaboration happening today or
the seeds of this collaboration between industry
and government specifically that
clearly has to be globally oriented.
That has to be cross-cutting across boundaries.
Where is that happening, where should it begin
to happen more deeply and
how can we make that happen?
I'll open to the entire panel.
Danny.
>> Danny: So yeah there are a lot of national
level stuff that I mentioned certainly as some
of the countries that blazing the trail
there from Australia, to Germany, to Finland,
to the U.S. I mean some of the work that
the FCC and others have done which is
about educating folks and sharing information.
A lot of this as you'll notice, even though
these scenarios comes back to international laws
or even national laws or disclosure laws or fair
disclosure laws, right I mean what is the extent
of where I can share information and who I can
get help from and where can we get collaboration
from a nation state versus send in a
snatch team or not do anything, right?
And so, what are the kinds of capabilities that
you have, and then you'd really like to operate
in meet space and prosecute people that
have real impacts on real businesses
and break walls internationally,
but how do you balance
that internationally with
the privacy for example?
I mean that's a tough balance because if you
can attribute every transaction on the internet,
then no one has any privacy or
[inaudible] and what does that mean
for censorship or for other things.
So all these sort of things together is,
it is definitely needs more
leadership from the government.
I think they've certainly
done a humungous amount,
and from local law enforcement folks
we work with, to national level folks,
and certainly Jeff and some
of the places he'd been.
A lot of the folks looking for ways
to collaborate and to put frameworks
in place allowing information sharing and enable
in a sort of protections of private sector
and industry and you know that the government's
got your back for this and that they're going
to pull the levers and turn the
steam valves they to make sure
that if someone is attacking someone on
this infrastructure and have an impact
that it's having a real impact and
represent their citizens wherever they are.
So I think it sort of goes all the way back
to that from the international perspective
because of the projection capability
that advisories have on the internet
and there are a lot of alliances, a lot are
private sector, public sector, partnerships,
everything from internet security alliance,
online trust alliance, stop bad ware.
I mean there's no shortage.
I mean a lot of the outreach that we
talked about, the work that [inaudible]
and anti-phishing working group and
some of the other folks have done.
So I think that a lot of this is happening but
it certainly, the industry level leadership
with the recognition by governments
that they're captive to this.
We're all sort of captive to
this and the only way we're going
to get there is if we collaborate.
>> Brian: Thanks, anybody else?
>> You know there are many more
acronyms we could throw out there
about the various public/private
collaboration partnerships.
Some doing great work, some doing work.
[Laughter] But I want to get back to
something I think Miguel touched on earlier
about information sharing and the need to share
information and most folks who would go ahead
and share will get slapped down for it.
There are two reasons for it, one
corporate strategic secret issues,
but also the lawyers will
often slap you down because,
well can we really share that information.
That's an area where I think we need change
and we need it soon is changing the laws
that limit the ability of companies who want to
share information with other companies, ECPA,
Electronic Communication Privacy Act, antitrust
laws, all these don't need to be gutted,
they need to be reformed and
frankly we got to a very weird place
in the [inaudible] legislative cycle
this year where you had the head
of the national security agency and you had
privacy groups all saying this is something we
need to do and here's the framework
that we all think actually can work.
It based our own idea of sharing cyber
security information narrowly defined
for cyber security purposes, narrowly defined,
but Congress in its infinite
wisdom got you have the NSA
and the privacy groups essentially
agreeing, so Congress chose not to act.
And that is something that I think is not
going to solve the problem but would be a step
in the right direction to
allow information sharing
and maybe breakdown some of those barriers.
Make it happen 5, 10, 15, minutes an hour
soon, sooner or even won't happen at all
so that's something that within all these
groups there are still these limitations
that are illegal and need to
be changed by the politicians.
>> Brian: Thanks, Damian.
>> Damian: I wanted to mention there are
some ways that collaboration can occur
without needing to necessarily involve
lawyers or worry about user privacy.
Some of the attacks that we see there's
just sharing information and about the fact
that we're seeking an attack,
the size of the attack,
the type of the attack can be helpful to others.
So as a recent example the dos attacks
that hit the banks recently hit us actually
about a week before it started hitting all
of the banks and we sent a quick heads-up
to a security list of people
just letting them know,
hey we're getting this surprisingly
large attack.
This is a bit unusual; this
is what it looks like.
You might want to watch out, be prepared.
Unfortunately two days later, we wrote
back and said it just doubled in size,
but there are things that you
can do to give out information.
We're not giving out necessarily like
the IP addresses that it's coming
from because we have talk to lawyers
about the privacy implications of that,
but even just the basic information about the
type of attack that you're getting and the size
and maybe the general area of the world it's
coming from can be very helpful to others.
>> Brian: Thanks, any last remarks?
Okay, thank you panelists
very much for playing along
and for the great information
you provide with us so far.
So let's get to the real important folks here
today, the audience both here and online.
At least for the next 30 minutes, we'll
have an open mic in the middle of the room.
I think we have some questions
from online, so if you would,
please [inaudible] we have--
[Pause]-- it doesn't work?
Why don't you come up and use this
microphone if you would to pose your question.
[Pause]
>> David: I'm David Thaumenal [phonetic]
President of The Internet Society of New York
and just as we have software as a
service and infrastructure as a service,
there's now crime-ware as a service so if I'm a
bad person, rather than going to all the trouble
of actually attacking somebody
I don't like on the internet,
I can actually pay a service
provider to do it for me
and they're using a commercial business model
so I can have warranties, guarantees of quality
of service, support contracts
and everything else.
So my question is wouldn't it make sense
for whether it's industry or law enforcement
or whatever to focus on identifying these
crime-ware service providers infiltrating them,
targeting them, purchasing their
software and reverse engineering it
to disable it, that type of thing?
>> Brian: Anyone on the panel want to take that?
>> Danny: Absolutely in if you go back
to the scenario of an ideal world,
but a lot of these are happening offshore in
countries that aren't particularly mendable
to working with our law enforcement
to arrest or prosecute.
Reverse engineering I think goes on, but the
problem is that the software morph so quickly
that the signatures old as soon as you know it.
And there are other efforts, other
techniques for protecting against it
and I think that's actively underway, but
in terms of infiltrating, breaking up,
prosecuting, they'd just go somewhere else.
>> So I was going to add just there
is one aspect to this certainly lots
of folks are looking at when you try to
move it back to meet space and the place
where law enforcement usually operates
in a more productive way and better
than most information security folks and there
has been a lot more work on follow the money
and use that angle for the
attribution side of this.
I mean some of the recent things you may
have seen from spam campaigns to phishing
and mal-code distribution
and those sorts of things.
Some recent work actually by Steph and
Savage and some of the folks at UCSB
and was particularly enlightening in that
area for those of you that haven't seen that.
And I know that law enforcement is certainly
taking note and very good at those kind
of things and so, I suspect that
being aware of that and seeing more
on that side I would follow the
money and work on the attribution
and the prosecution associated with malicious
activity, that sort is certainly something
that we're going to see more of
from a prosecution perspective.
>> Brian: And the FBI has had
some big take downs recently.
There was one in [inaudible]
early this year, late last year.
>> Last year.
>> Brian: Thank you.
I've got two questions from online,
I'll go to one of them first
and then come back to the room.
From Vanda [phonetic] the reality
that people don't think it will happen
with them is a fact here too.
So how can I convince people that they
need to take preventative measures?
Jillian?
>> Jillian: Sure, so I don't know
what "here" means in that sentence
but nonetheless I would say in
thinking about how to convince people,
there is a wealth of information on what sort
of attacks occurred and who they've targeted
and one of the things that this
Berkman Center study found was
that there's really no associated
ideology with attacks.
There's one example where some
conservative Muslim groups outside
of the U.S. were attacking
U.S. Conservative website.
The U.S. Conservative Groups were then attacking
these Muslim websites outside the U.S. And so on
and so forth and sort of in a circle
and so, anyone can be a victim.
Any type of group, any type ideology and
so I think that's where we start looking
at previous attacks and educating people
about those various desperate targets,
that's another way that we can raise awareness.
And then like I said just sort of thinking
about risk assessments not an easy thing
in these cases and like I said with having
desperate ideologies be the target of attacks,
it's not easy to really assess what
your actual risk is and so to assume
that you could potentially be a target
of an attack is the first thing.
But then to sort of weigh your risk and figure
out what you might want to think about in terms
of what's important to you
and keeping your site up.
>> Brian: Sure, Miguel.
>> Miguel: Thank you Brian.
What the question refers to is sort of how
to make the business case for protection
or mitigation against this kind of a threat.
Danny actually talked about some of these
things previously in the conversation in terms
of really evaluating your
infrastructure and your needs and kind
of asking yourself some basic questions.
What would it mean to you if your, let's
say for example your website was down?
What are some of the things that could
potentially happen if that was the case
and what would the impact to you be
if your infrastructure was
down for 12 hours for example?
I'll use some private sector examples
to just kind of illustrate this.
Maybe obviously there's potentially
the revenue component.
Maybe you're making money off your website
so there's some tangible result
in terms of not having revenue.
But from a customer service perspective for
example, what happens if your website is
down for a certain amount of time?
Maybe your call center gets
flooded, gets into code red.
People are waiting an hour-and-a-half
to have the phone answered.
Maybe your email boxes start getting flooded
and maybe it's going to take weeks potentially
to dig yourself out of that hole.
Another thing to kind of think about is,
as you make the business case for this
or to have some kind of a plan to mitigate the
attacks is how long would it actually take you
to get your core infrastructure or the
infrastructure you need to be online,
back online if something like this happened?
Potentially it would take you a
significant amount of time just to figure
out what's actually happening let alone figuring
out what the path is going to be in terms
of what the best strategy is to deal
with the problem when it happens.
And then on top of that, after that
is once you actually know what to do,
actually putting the plan
in place to do what needs
to be done to get the threat under control.
So when you start asking yourself
some of these fundamental questions
and it's not just a private
sector thing where you're worried
about your revenue potentially
or your brand equity.
You know the public sector faces this as well
because it obviously, there's
some tangible stuff.
It looks really bad when a government website
is down or a free speech NGO website is down.
So there are fundamental questions
that you can start asking yourself
and when you start asking yourself
these question and really look
at what the impact is going to
be, both short-term and long-term,
you really have to think about
the long-term impact too.
At that point you start to look at that
and the business case for DDoS protection
or for having a plan in place to deal
with this particular issue if it happens,
it starts to become quite apparent that
this something that is worth doing.
>> Brian: Sounds like good common
sense, anybody else, yeah, Damian.
>> Damian: So I want to highlight like in
addition to just the business financial impact,
there is a very strong PR impact to going down.
We saw user comments during the bank
attacks, you know comments and articles
of our users saying things like, if
my bank can't handle a dos attack,
how do I trust that they
know how to secure my money?
They're completely unrelated things but
the average person doesn't understand that
and so there can be a significant PR impact
to your organization if it goes down even
if it doesn't directly affect
them like with banking yes,
some people couldn't do online banking
for a day, ATMs were still fine.
Like there was no actual real risk there but I
also want to point out that I think the going
down is actually a viable option.
We're all talking about it as if
the ultimate goal is to stay online,
but economically that might
not make sense for you and even
from a PR standpoint it may not make sense.
If you're a human rights organization and
you can get an article in New York Times
about how you went down due to a dos attack,
that's the best publicity
you can possibly imagine.
Nobody is thinking about human
rights until they see this article.
So, it's something to keep in mind, staying up
at all costs isn't necessarily the end goal.
>> Brian: Yeah, Danny.
>> Danny: So I was going to add a little
bit to both of what they said actually,
and to Vanda's question, how
do sort of get ahead of these.
One of the comments that I made
earlier is somewhere between 80%
and 85% of IT securities span
goes toward regulatory compliance.
Things you have to do just to check boxes
like these fire suppression systems right,
and this is the sort of thing where most of the
traditional controls that are on our network,
the 100s and 100s that we have are about keeping
private information private and more and more
so many organizations, particularly
for internet facing services,
the availability of those services,
as opposed to just the confidentiality
of the data contained therein
is more and more of an issue
and so making sure you understand
that, to Miguel's point.
Risk management 101, basic business resilience
says take the asset, take what one minute
of downtime with that asset may cost you,
talk about how long a particular outage may be
and then you come up with
your single lost expectancy
and then take how many times this
may occur in a year something known
as annualize loss expectancy and you
multiply annualize rate of occurance
with single loss expectancy
and you know in a year,
this much downtime could cost you
this much in your organization.
And if you don't do that, and then say okay
what are we willing to invest in proactively
to get residual risk to some level
that we [inaudible] or go buy insurance
or ignore it and hope that it doesn't happen.
And so you really need to think about this.
Actually, I'll reference again the
internet security lines documents.
It's a little hefty but it's a really great
read for folks asking just that question.
It's a CFO's guide to cyber risk and it sort
of talks about some of these sorts of things.
I definitely recommend that you have a
look at that and try to get ahead of it.
So, I'm done now so--
>> Brian: Okay do we have other
questions from inside the room?
Please, okay.
>> You were talking about the PR aspect of
it and I took Jill's comment to heart earlier
about she doesn't think it's
a good idea and we know
that Pirate Bay went anonymous
[inaudible] the whole Pirate Bay came
out against it saying they were for free
speech and this was against it and I wonder
about how much embarrassment and the moral
argument and basically if you've got governments
who are doing it, can there be kind
of treaties between governments
that say this is not acceptable behavior.
And in the activist world,
also the same kind of thing
so [inaudible] technical solutions
are where social solutions?
>> Jillian: Sure so I'll just give my quick
two cents because I'm actually more curious
to hear others responses to this.
So using our example of Mordor and not getting
into real life, let's say that the governor
of Mordor was partly behind
the attacks against Genovia.
And so in cases like that,
it's really difficult.
I'm assuming that Mordor also
prosecutes citizens for hacking
and for their own DDoS perpitrations and
so it's really difficult to look at that
and say that Mordor has any
moral ground to stand
on when it does prosecute its own
citizens for being behind those attacks.
And I think that we have seen,
I'm sure you're aware of them,
real life examples where this exists.
Where you know governments are doing one thing
with one hand and something with the other.
But to the point about [inaudible] example
is a great one and I agreed with them
and I think John Perry Barlow one of the
founders of [inaudible] said the same thing
that DDoS attacks are essentially
an attack on free expression.
I do agree with that.
Like I said I think that there are some
circumstances where it's much more difficult
to condemn and those are circumstances
where you're up against a government
that is stifling its own citizens free
expression and so you're getting into sort
of irregular warfare, online warfare in those
cases, but generally speaking I do think
that it would be a lot easier if
we all viewed this as something
that was not morally acceptable
in terms of free expression.
It would certainly be a lot easier
to go after the actual bad guys.
>> Brian: Others, Jeff?
>> Jeff: I would say I think that
there are things that can be improved
through international cooperation,
potentially international treaties.
There's a pretty healthy debate over
whether that's even possible and enforceable
and I think we at least have to try.
Maybe some of that will filter down
into day-to-day conduct with people,
but people still commit crimes all
the time even though they're illegal
so I think there's a limitation to how far
that will go to stop the groups that think
that they're above the law or independent of law
or have a separate obligation
that's different to it.
But I think you will see more
effort in the future to try
out some negotiated agreements remains to
be seen if they're actually verifiable.
>> Brian: We have an interesting
question from online.
I know we've got another
couple from in the room.
This one is from Mikey.
What about a global simulation of cyber event
with a goal of beginning to build a global,
who can I call for immediate
help type mechanism?
I know that in certain countries table
top exercises take place with a number
of different participants that create
scenarios, what about this idea
of a global simulated cyber event?
Is the feasible, would that be helpful?
Ram-- oh sorry, Danny.
>> Ram: I was just going to; I think
it was Miguel that quoted Mike Tyson.
All the simulations are great but reality is
often very different so, we'd have to think
about whether the simulation
is actually helpful.
Certainly it helps to get people to be aware
of who they should be contacting
and who to work with.
But the real life scenario is
probably going to be fairly different.
>> Brian: Fair enough, Danny.
>> Danny: Yeah this is working now.
I would just add there are some multinational
simulations today, everything from cyber storm
to you name it, lots of national
level exercises,
international exercises that sort of thing.
I think from a global scale
perspective, we have those every day,
[Laughter] so I'm not sure we actually need one.
Certainly we're on the receiving
end of a lot of love and so I think
that exercising [audio issue] and
understanding those sorts of things,
but [audio issue] final turn of attack vectors.
>> Brian: Okay in the room, I
think we have at least 3 more.
Okay come on up to the mic-- oh
is that one working now Joley?
>> Joley: No.
>> Brian: Okay come on up to the mic please
and if you'd introduce yourself
before the question please.
>> My name is Anthony Bargese [phonetic] and
I'm from John J College of Criminal Justice.
You guys covered some of the parties that
DDoS and users and also the government,
and also the providers and how
to be responsible and proactive.
But what about software vendors or some of
the vendors that are putting their products
out there with all these security holes
and that's where it starts and ends
with the NS providers, the ISP providers
who sometimes host these command
control servers for these DDoS attack.
Should there be a change
of mentality on their side?
I know that Google does something that's
called bug bounties; they offer you money
if you find a bug on their software.
Should this be applied across the
board for all the software vendors
and of these providers of products?
>> Brian: [inaudible]
>> Damian: I guess I have to start.
So we do find-- what he was referring to is
Google has a program where we actually pay
for people to find bugs in our
products so for security critical bugs.
So we found that there's a lot of college
kids or independent security researchers
who are very interested in
looking for security holes
and when they previously basically had no
option but they could give it to us privately,
hope that we'd fix it or to
whatever vendor of the software was.
It could be Microsoft or Adobe,
and hope that they would fix it,
but then if the company could just
take no action and they could just wait
and let this vulnerability remain
and eventually this kid might say,
the security researcher would
say why am I waiting on this?
Everyone is vulnerable to this thing
and they would publish this exploit
and then you could see lots
of attacks targeting that.
So what Google has done is basically start
offering money for bugs to compensate their time
in finding them so, if you compromise, if
you find a vulnerability in Google Chrome,
the web browser, we'll pay you for information
on that vulnerability with the agreement
that you're going to keep it quiet until
we fix it which could take a few days.
And that way we're able to protect everyone
and also compensate the security researcher.
>> Brian: Interesting, Miguel.
>> Miguel: The thing that kind of complicates
this a little bit also is that there is a lot
of the internet runs on open source software
which is it gets a little bit more difficult
to be able to put these mechanisms in place.
With the recent bank attacks,
we saw vulnerabilities exploited
with open source content management
systems that are widely deployed
like a [inaudible] etcetera at word press.
These are open source software that is
out there that is used significantly
and so it gets a little bit harder.
Unfortunately it's difficult for operators
necessarily to control the content that is
on their system, especially the shared hosting
operators etcetera and it's hard to push people
to update their software and as for
software developers, as much as they'll try
to make things as secure as they can, there's
always going to be some kind of a bug,
you can't get it all and it's the fact that
there's so much open source software out there,
it's not like you can point a
figure and you are responsible.
It's quite difficult to do.
>> Brian: Yeah, Ram.
>> Ram: You know one thing that software
manufacturers and the developers of software,
some of them have to start thinking about
and changing their mindset is due to come
to the understanding that many of the devices
on which the software is running are
always on and they're always online.
There's still a lot of software that
does not incorporate automatic updating
and regular downloads of patches.
That should be the baseline, that should be
the very fundamental thing and that's the kind
of thing that ought to be taught in schools
for folks learning how to write code.
It's not enough to just learn to do the
code, but to have that mechanism in there.
It ought to be trivial and
it ought to become regular.
Unfortunately, it's more the exception than
the norm today and I think if you'd get
to that point that will solve some
part of the problem significantly.
>> Brian: Danny.
>> Danny: So yeah I think I would be
remiss in not mentioning Versign's,
I Defense Vulnerability Contribution Program
as well and we do something very similar
for any vulnerability that fall within a very
broad spectrum that are multivendor and try
and do responsible disclosure
associated with those.
To the topic in general, I think bounties are
certainly valuable things in general for people
that want to apply exploits in a positive way
and contribute in a positive way to industry.
I think anybody that's paying
attention certainly realizes a lot
of the commercial vendors while they're
always going to be a long way to go,
are leaps and bounds from where
we were with worm able systems
or even patch management systems of that
we were vulnerable of a few years ago.
And so I think Microsoft is an
example, but lots of others as well,
and so I think we are making progress
but, secure coding practices, application,
software security, those things and all
the fundamentals are certainly thing
that we're going to have to
continue to do a much better job at.
>> Brian: Thank you, I know we've
got two more questions in the room.
Go here first and then please identify yourself.
>> [Inaudible] New York Technology Council.
I was wondering if you could
put this perspective.
Are DDoS attacks the one thing we should be
focusing, are there other like SYN floods,
other attacks that are similar in nature that
there should be conferences on and keep you
up at night or is this where
most of your energy goes?
>> Ram: Yeah this, the single biggest
thing that keeps me up at night.
Lots of other things end up becoming part
of this much larger stream and it used to be
that it was a dos attack and then it became a
DDoS attack and then you had command and control
and then you have crowd sourced, it's evolving,
it's not the same beast as was many years ago.
So the definitions from multiple
years ago, is not what it is today.
What really scares me about this is the
asymmetric nature of the ability for an attacker
to mount a significant attack in a very
short amount of time and keep it sustained
for a long period of time and really
drain you on the responding side
of your critical attention resources.
That really worries me and I think you
look at SYN floods or any of those things;
those kind of are subsumed into
the larger scale of this phenomenon
that left unchecked I think has
a significant negative impact.
>> Brian: Anyone else?
Yes Jillian.
>> Jillian: Yeah just I actually
agree with what Ram just said.
I would add to that to say just say,
and if you're thinking about the scale,
the most recent stat that I
have off the top of my head is
that in 2010 Arbor Networks was detecting
roughly 1300 attacks per day and I guessing
that it's much higher than that, the real
number and so I do think this is a big concern
because of the impact that it has.
I mean there are certainly plenty of other
types of attacks but the sort of inability
to protect oneself, coupled with everything that
Ram just said, makes this a much bigger issue
than some of the other things
that we're looking at.
>> Danny: I was going to add that DDoS
the two primary vectors volumetric,
in other words attacks are getting
bigger, more frequent, longer duration,
so forth but the sophistication of those as well
where the right query string could drive a lot
of backend transactions on the right
piece of [inaudible] those sorts of things
from a denial service perspective
is the availability side
of the information security [inaudible].
The other two sides are the integrity
of the information on the infrastructure
and the confidentiality and
I think certainly for anyone
in the information security field
persistent attackers, advance attackers,
even general attackers and mobile devices
and bring your own device and sort
of a squishy perimeter and soft
under belly inside an enterprise
or at Starbucks or whatever.
All those things for information leakage
and so forth certainly is something
that you should be concerned with as well
but the availability side for a lot of folks
that are in the network services business is
a very big piece of that but also the sort
of more concerted attackers that might want
to control the right keyboard as opposed
to simply disabling is also something
that has some pretty far reaching effects.
>> Brian: Damian.
>> Damian: So I wanted to say
from a defender standpoint,
yeah DDoS is sort of the largest concern
right now but from a global view,
I think dos attacks are really a symptom of a
larger problem which is that there are a lot
of infected machines on the internet.
I think at one point I heard an ISP say is they
estimated 10% of their customers are infected.
So when you take that into account, if we could
actually stop having so many infected machines
on the internet or so many
vulnerable machines at least,
then that would largely reduce
the scope of these dos attacks
and for that we basically
need what Ram was saying
of automatic updates have
to be the normal thing.
You should never have any client side
software that doesn't automatically update.
Brian: Thanks, Miguel.
Miguel: Just adding to one thing that Damian
is saying, I absolutely agree with all of that
in terms of automatic updates and especially for
end user computers which form a significant part
of the botnet paradigm these days.
When it comes to enterprises, it
gets a little bit more difficult.
I think as much as I would love to say
automatically update my production software,
unfortunately, especially for a large-scale
operators, they're running infrastructure
that services a lot of people, you
don't really know what's going to happen
when you make an update potentially and
that has to be very carefully controlled,
it's got to be regression tested.
It's got to go through extensive QA and are we
ever going to get to a point where it's going
to be easy for enterprises to be
able to push out security fixes?
The idealist in me says I hope so, but I'm
skeptical that that's going to be the case
because the day-to-day aspects of ensuring
business operations, continuity and making sure
that assets are available are most likely for
the foreseeable future, going to trump the need
to push out updates as quickly as possible.
Brian: Actually we do have two more questions.
This gentleman here first and we do
have time for two more questions.
So will you come up please?
>> I am [inaudible].
I run a software company called QCD Systems.
So the question is actually
very similar to the previous one
but I'll go a little more in detail.
So when it comes to security, [inaudible]
security off of just data itself.
So there's an attack to intellectual
property and then we've heard of cases
that intellectual property got
stolen [inaudible] of that.
Movie companies always have their trailers
leaked and pieces of movies leaked,
so that's one kind of attack out there.
Then there's other things;
like the phishing kind of thing
like [inaudible] scams and all that.
I'm talking about things that
effect users and companies.
And then there's also the risk that your
bank account may have been compromised,
your passwords might have been
stolen or is easy to guess.
So in the scheme of all these different things,
where will you place the denial of service
for a company or for a consumer because
they have plenty of things to deal
with right now when it comes to security?
So I was just trying to get a perspective
on where this distributed denial service,
where it fits into the larger scheme of things
and how relevant it is and the other part is
where do you see things going
let's say five years from now?
Is this going to be the single biggest thing
to worry about or do we have other things also
that we should be concerned about?
>> Brian: Thanks.
Danny.
>> Danny: I would just say that you
know for your organization it's going
to be specific to your organization.
You're going to say here's our
risk tolerance for these things,
for these internet facing properties,
this information security or data privacy
or data retention, or digital rights management,
whatever it is you're concerned with.
I don't think that there's a one size fits
all, I think it's all about risk management
for your organization because
if you don't have a lot
of internet facing services,
it may not be a problem.
More than likely you have some things today.
You wouldn't be here if you weren't
relying on the internet in some way
so what does that mean to your business?
As opposed to some piece of information
from either your personal bank records
or your corporate information being actually
traded to the wrong person what would that mean?
So I think it all goes back to what are
the critical assets your organization,
what enables those and how do
you balance risk to those assets?
>> Brian: Yeah, Ram.
>> Ram: So the way I advise folks or provide
some suggestion is, you really have to think
about this and look at it as a matrix.
You have to think about, which is
further to what Danny is saying,
you have to worry about confidentiality,
or integrity, or availability and you have
to figure out which of those
matter more for you.
You can't have one versus the other, in many
cases you want to have all of the above,
but you have to decide which of those matter
more for you, and then devote your time,
effort and resources towards that.
But picking just one, just
having great availability,
DDoS mitigation ensure availability
but if you have a site that is running
on software has not been updated and is prone
to buffer overflow attacks then
all the availability is going
to be fantastic for you to get hacked.
[Laughter] So you have to figure out
where it is on the spectrum and devote it.
One reality is that no matter what the budget
that is allocated, if you're a corporation,
if you're an entity, the
budget that is allocated to it,
it seems that it remains the
same, it suddenly doesn't reduce
and you simply reallocate the pie depending
on what you think your biggest
vulnerability is, your biggest risk is.
>> Brian: Anybody else, Jeff.
>> Jeff: I would just say you know you asked
about what's important to a crump company
or [inaudible], I mean it totally depends.
I think Brian talked about some guy from
Ohio, more likely to have a problem,
it may be inconvenienced by DDoS because
they can't get to whatever website,
but they're more likely to
have their computer compromised
or identity stolen or other activity.
That's going to hit them deeper and for a
longer period so it's totally situational.
In terms of where we going in 5 years,
my guess is that we'll see new
nefarious uses for the same old tools.
There's some new stuff out there but
it's a lot of variations on a theme
and just find a new creative bad ways
to use them for bad purposes or profit.
So I think the down service attacks are here to
stay but how they're used will probably morph
and change and cycle back,
what's old is new again.
>> Brian: Miguel.
>> Miguel: The thing that troubles me a
little bit about the future when it comes
to DDoS attack is that there is because
it's been in the news a little bit more
because it's been publicized a little
bit more, you look at what happened
on the bank attacks lately, there's kind
of a blueprint now that is out there
that people can potentially follow
to launch these large-scale attacks.
You've got what happened with the banks
recently it's at least at a high level,
its public knowledge how it was sort of done
from a high level, that information is out there
and those attacks kind of
proved yes, it's possible.
They provide a blueprint for people to
follow for doing it again and the fact
that that was done scares the heck out of me.
>> Brian: Thank you and we have one
final question from the room, please.
[Pause]
>> Hi, it's Lucas from [inaudible].
Just following up similarly to the previous
question, based on the trends that you've seen
to date, where do you see these attacks heading
both from like an attacker perspective as well
as from a mitigation perspective?
Do you see one side winning
the cat versus mouse game?
>> Brian: Great question, Damian?
>> Damian: Yeah so attacks are basically growing
exponentially I think if you look at most
of the data on this you'll see that the size
of the attacks roughly doubles every year.
I have graphs that track this back
like 8 years and it's kind of scary
that it's actually continuing, that exponential
growth but I think it's important to realize
that that's just the internet is
growing exponentially as the consumers,
as the end users, bandwidth
increases, their home,
the website bandwidth is also increasing so,
you can kind of keep up but I think that a lot
of what we're going to run into is a very small
website, you know especially the types of sites
that Jillian is worried about are
simply too small to possibly survive.
So they're going to be forced to combined
their resources and pool with others
so what I expect is probably going to happen
over the next five years is we're going
to start seeing organizations
consolidate into larger and larger pools
until eventually we're going to have
only like maybe five organizations
that offer DDoS mitigation
in the cloud as a service.
It's just my guess of where the world is headed.
>> Brian: Ram.
>> Ram: And my fear is that we get at that
point and then they get too big to fail.
>> Brian: Well, with that thought,
we're going to bring this to a close.
[Laughter] Well done.
Fear and loathing in New York.
Public Interest Registry of the New York
Technology Council, Internet Society
and the Internet Society's New York Chapter want
to offer our sincere thanks
to the panelist today.
Thank you so much for your time, your dedication
to helping us understand this really critical
issue and also to thank the audience here
and the audience online for following along.
We hope that today's event has been
helpful and that the participants come away
with a greater appreciation of the scope
of this problem, steps that should be taken
to mitigate DDoS attacks, and the potential
for significant unintended consequences.
DDoS is a serious issue in
today's interconnect world,
one that is not just going
to fade away as we've heard.
Fortunately there are resources available to
help us confront the myriad of challenges.
I would like to specifically thank Joley
McFee [phonetic] from iSoc, New York,
Eric Grimmelman [phonetic] from New York Tech
and Paul Brigner [phonetic] from iSoc here
for helping us make this happen in a real sense.
Along those lines, we at PIR intend to make
the recording of this event available online
at our website and our social media sites
and push that out and we're also going
to post additional background
materials and encourage anyone
to recommend other helpful tools and information
like the CFF Guideline to
keeping your site alive.
So again thank you to everyone
for joining us today.
Thank you so much.
[ Applause ]