What the Tallinn Manual and the DDoS attack against Spamhaus have in common
An independent ‘International Group of Experts', invited by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), has recently completed the Tallinn Manual – the results of its three-year research project on the implementation of the existing international humanitarian law on entering and conducting a war (jus ad bellum and jus in bello) in cyberspace. In it, experts elaborate on the cyber aspects of traditional warfare issues such as sovereignty, jurisdiction, and state responsibility. The Manual refers to the war between states (with details about participation of individuals or groups and formations); it does not consider, of course, the cyber-conflicts between private entities or organised groups, as these mostly go under what we usually refer to as cybercrime.
It appears, however, that the two categories of cyberwar, i.e. the ‘traditional’ warfare extended into cyberspace and the cyber-conflict between private entities or organised groups have some things in common. On one hand, some of the possible attacks performed in both scenarios are based on the same, very popular weapon: the Distributed Denial of Service (DDoS). On the other, due to the ‘dual-use of technology’, the fact that the same infrastructure (and often the same services) are used both by the belligerents (be they military or the involved organised groups) and by third parties (government institutions, private sector, civilians), the effects of an attack can go way beyond those envisaged and can be excessive in relation to the direct goal anticipated.
As an example of a cyber-attack initiated by an organised group (or, possibly, by a private entity) against another private entity, let us observe the recent case of a DDoS attack which some media tagged as ‘the biggest ever of such kind’. As reported by BBC and well covered by the New York Times, the initial actors – private entities – of this cyber-thriller are: Spamhaus, an organisation providing blacklists of worldwide spammers and servers that send out spam (these lists are then used by many Internet service providers (ISPs) to disable access to such websites), and CyberBunker, a Dutch company that provides web hosting for any type of content (except child pornography and terrorism-related content), such as the Pirate Bay content and Wikileaks mirrors, but (possibly) also some spam sites. Since 2011, Spamhaus not only added CyberBunker to its blacklists, thereby making them inaccessible to many Internet users, but also forced the CyberBunker’s ISP to cut its service to them (see Tech Week Europe). CyberBunker allegedly responded with the sever DDoS attack against Spamhaus servers.
A DDoS is among the most convenient types of attacks: by sending loads of Internet packages to the victim’s server, the server is overloaded with fake requests which it needs to respond to promptly, and – due to performance being limited by processor power, operational memory or the bandwidth of the connection – it denies service to real requests (visitors, for instance) until it clears out the queue. By repeating the attack occasionally, the server is inaccessible for a longer period. The first D in DDoS – distributed – marks that, instead of sending the fake requests from a single computer, the perpetrators engage numerous computers to act as one; often they rent (illegally of course) an army of hijacked personal computers (bots) around the world called a botnet, which can gather up to millions of bots! (See my previous blog on an army of 4 million bots.)
The distributed attack helps the attacker to hide its own identity behind the proxies, i.e. the computers used for the attack. This makes it very hard to attribute an attack to any particular group or individual, which is an issue not only in the area of cybercrime but also one of the main issues of cyberwarfare. Besides, the distributed attack raises the impact strength by collecting the bandwidth and computing power of all the bots: say, for instance, that an average Internet connection of a user whose computer is misused as a bot is an ADSL of 0.5Mbps (Megabits per second) bandwidth, an attack by a botnet of 10,000 computers (which is a relatively small botnet) produces a burst of 5Gbps (Gigabits per second) of junk messages sent to an attacked server - a similar effect to 10,000 people dumping their daily garbage in the same spot at the same time!
Imagine now that the perpetrator makes every raiding computer (bot) forge its own IP address to become same as the IP address of a victim’s server (a technique known as IP address spoofing). Pretending thereby to be the victim’s server, bots can approach various misconfigured DNS servers (called open resolvers) around the Internet and send them a request (question) which requires an ample response. The approached DNS servers then send large data packages (the responses) back to the IP address from which the request came; this is not the real address of each bot, however, but the IP address of the victim’s server! With this DNS Reflection (or Amplification) attack, not only is the victim’s server overwhelmed with undesired packages, but the size of the packages are hundreds of times larger, assuring that even more powerful servers face denial of (ordinary) service for a longer period of time. (Bill Woodcock of Package Clearing House explains this well in a short video)
Using this approach, the raiders managed to bomb the Spamhaus servers with bursts of up to 300Gbps of undesired (junk) traffic! The truth is that this was one of the largest DDoS attacks ever measured, and something many servers on the Internet could not survive.
But the Spamhaus servers survived, thanks to a (usually very expensive) service from a company that protects from DDoS attacks – CloudFlare. In case of a DDoS attack, CloudFlare takes over the junk traffic from its client and spreads it across large numbers of its own servers, thereby dispersing the attack; since its servers are located worldwide and connected through major Internet links – like big telecoms and Internet eXchange Points (IXP) – the junk traffic is routed throughout the Internet and thereby doesn’t clog the client’s bandwidth. (CloudFlare’s Blog explains the details of the attack and the mitigation.)
Seeing that they cannot disable Spamhaus or CloudFlare servers even with an attack of close to 300Gbps in peaks, the raiders turned to attacking the servers of the very Internet links to which CloudFlare is connected – the networks of major telecom providers and the related IXPs – thereby slowing them down. Since they serve as major interconnections of the global Internet (including services like Google or Facebook), the performances of some of the other networks worldwide were affected as well. The NYT reported that CloudFlare estimated that hundreds of millions of people experienced delays and error messages across the Web.
In spite of CloudFlare’s estimations, not many people probably really felt any remarkable delays in their online work over these few days. But the fact that the consequences of the attack against Spamhaus had an impact on the ordinary user and on objects not related to the target illustrates that the ‘dual use’ of the core infrastructure (the Internet interconnection facilities) makes it difficult to adhere to the jus in bello principle of distinction between (legitimate military) targets and civilians.
Additionally, it is very hard to assess the extent of the impact of a cyber-attack in advance. Even if the raiders could have assessed the effects of their later attack on interconnection (IXP) servers in advance, they couldn’t have known that CloudFlare would be hired and would disperse the load through the other parts of the Internet as its mitigation tactic (which could clog the global net more significantly in the case of an attack of a bigger size). The unexpected effect of a much wider scale illustrates the complexity of the ‘proportionality’ principle of war in cyberspace: prohibiting attacks that may be expected to cause incidental damage to civilian objects that would be excessive in relation to the concrete and direct advantage anticipated.
Let us imagine that the attacker is a more determined and wealthier party willing to invest in a grand botnet of millions, performing a similar attack on any desired target. The undesired spillover effect of such an attack on civilians and the resulting collateral damage could be tremendous. I concur with Chris Buijs’s conclusion in his recent CircleID blog: the way out lies as much in technology as it does in policy and education.