In reply to the discussion: Weekend Economists Salute Our Favorite Bunnies March 29-31, 2013
Demeter (85,373 posts)
26. Devices Like Cable Boxes Figured in Internet Attack
http://www.nytimes.com/2013/03/30/technology/devices-like-cable-boxes-figured-in-internet-attack.html
In the aftermath this week of one of the most powerful attacks on the Internet, finger-pointing quickly ensued. The organization most suspected, victims said, was Stophaus, an elusive group of disgruntled European Internet users, although Sven Olaf Kamphuis, its spokesman, denied he was responsible for the attacks. At the same time, he shifted blame to Russian Internet service providers, which he said were retaliating against Spamhaus, a European anti-spam group, for blacklisting them. But the real enablers of the attack were the operators of more than 27 million computers around the globe who left their equipment wide open to a motivated attacker. Those enablers are not just companies, but regular people with home cable boxes.
"There is a big possibility that you are part of the problem without even knowing it," said Paul Vixie, chairman of the Internet Software Consortium, a nonprofit company responsible for the software used by many of the servers that power the Internet. The servers the attackers used (what the Internet community calls open recursive servers or, more commonly, open resolvers) are simply home Internet devices, corporate servers, or virtual machines in the cloud that have been sloppily configured to accept messages from any device around the globe. Open resolvers have been set up in such a way that they are not unlike the naïve users of public Wi-Fi who forget to turn off their file-sharing settings, so that any hacker on the Internet can creep inside the computer. It's similar to PC users who do not realize that by not updating their software, they let their computers get infected with malware and used as a zombie in a cyberattack. The difference is that if you think of a computer as a digital weapon, then an open resolver is a machine gun. Attackers can use open resolvers to amplify the strength of a cyberattack by a factor of 100.
In this week's attack on Spamhaus and the company hired to fight it, CloudFlare, attackers made use of more than 100,000 open resolvers to inflict an attack that reached 300 billion bits per second, the largest such attack ever reported. When they could not take down those targets, they aimed and fired open resolvers at the world's major Internet exchanges, first London, then Amsterdam, Frankfurt and then Hong Kong.
"At some point, we thought, 'They are going to hit everything at once, and that's when this gets real,'" said Matthew Prince, the chief executive of CloudFlare. "That's the nightmare scenario that hasn't happened yet." ... "We've now seen an attack that begins to illustrate the full extent of the problem," Mr. Prince wrote in a blog post.
Closing an open resolver, unfortunately, is not as simple as flipping a switch or downloading some software. Finding out if your home cable box is an open resolver, for instance, requires you to call your cable company and tell them that you do not want to be running an open resolver, a tough request when most of the world's population does not even know what an open resolver is. Recent efforts have been made to increase awareness of the issue. Computer security experts have recently started naming and shaming the operators of open resolvers. The DNS Measurement Factory, one such group, published a survey of top offenders by network, and more recently the Open Resolver Project published a full list of the 27 million open servers online. The campaign is making slow progress; thousands dropped off those lists in the last few months. But Dr. Vixie calls the open resolvers just the low-hanging fruit. Even if they were all fixed tomorrow, there are other types of servers that could just as easily be used to amplify an attack, a fact that hackers are eager to point out.
"The guys doing the attack indeed use open resolvers, but those are not needed for this type of attack," Mr. Kamphuis said in an online interview with The New York Times earlier this week. Indeed, there are other servers that amplify attacks, including machines called Simple Network Management Protocol (SNMP) servers, albeit by a significantly smaller magnitude. Dr. Vixie and others have been working on what is called response rate limiting technology, a potential solution to the amplification problem. That technology helps servers decipher between unusual requests and normal traffic, but engineers still need to fine-tune it in such a way that it can be used without slowing Internet speeds. Even if they can pull it off, that still leaves the other half of the problem. To accomplish this week's attacks, the attackers sent messages forged to look as if they came from their victims, so that when the open resolvers responded, they responded to Spamhaus, CloudFlare and their Internet providers with large blocks of traffic. That digital forging is easy to pull off. But, there too, Internet security specialists have long had a solution. For more than a decade, Dr. Vixie and others have encouraged companies to use what is called Source Address Validation, a technology that filters forged traffic from legitimate traffic. The problem is that the technology is not yet pervasive.
The reason, Dr. Vixie said, was simple economics. What incentive do companies have to pay for the cost of adopting the technology and training their engineers to use it when their competitors don't? The victims of the attacks are usually not those companies, so they bear the expense and reap no direct benefit. Dan Kaminsky, a prominent computer security researcher, said, "The problem is that it's hard to get someone to care." This week's attack, which had halted on Tuesday, resumed Thursday morning. But there is a silver lining. "I've been waiting for this attack for a long time," Dr. Vixie said, "so that we could tell the earth's population to do something about it."
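
The response rate limiting idea mentioned in the article, as an added example that is not part of the post or the quoted article: a simplified Python model in which a server caps identical responses per second to each client network block. The limit, the /24 grouping, the fixed one-second window and the traffic log are assumptions made for illustration; production implementations differ in detail.

```python
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # assumed cap per (client block, name, type)
PREFIX_LEN = 24            # assumed grouping of IPv4 clients by /24


def client_block(ip):
    """Collapse a source address to its network block, so a forged
    victim address and its neighbours share one response budget."""
    return ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False)


def apply_rrl(queries, limit=RESPONSES_PER_SECOND):
    """queries: (second, src_ip, qname, qtype, response_bytes) tuples.
    Returns (answered, dropped) using fixed one-second windows."""
    counts = defaultdict(int)
    answered, dropped = [], []
    for q in queries:
        second, src, qname, qtype, _size = q
        key = (second, client_block(src), qname.lower(), qtype)
        counts[key] += 1
        (answered if counts[key] <= limit else dropped).append(q)
    return answered, dropped


def bytes_to(ip, responses):
    """Total response bytes that would be sent toward one address."""
    return sum(size for _, src, _, _, size in responses if src == ip)


def constructed_log():
    """Constructed sample, not real traffic: one second in which 200
    queries carry a forged source (the victim) and ask for the same
    large record, mixed with three ordinary client lookups."""
    victim = "198.51.100.7"   # documentation-range address
    log = [(0, victim, "example.org", "ANY", 3000) for _ in range(200)]
    log += [(0, "203.0.113.10", "www.example.org", "A", 60),
            (0, "203.0.113.11", "mail.example.org", "MX", 90),
            (0, "203.0.113.10", "www.example.org", "A", 60)]
    return victim, log


if __name__ == "__main__":
    victim, log = constructed_log()
    answered, dropped = apply_rrl(log)
    print("bytes toward victim without limit:", bytes_to(victim, log))
    print("bytes toward victim with limit:   ", bytes_to(victim, answered))
    print("responses dropped:", len(dropped))
```

In this constructed log the repeated identical responses toward the forged source are cut to the cap, while the ordinary lookups, which differ by name and type, are all answered.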