|
Once again I find myself thinking about the nature of the asymmetric warfare threat posed by politically motivated DDoS (Estonia in 07, Korea in 02, and now China vs. CNN in 08). I keep thinking about it in terms of asymmetric warfare, a class of warfare where one side is a traditional, centrally managed military with superior uniformed numbers, weaponry, and skill. On the other we have smaller numbers, usually untrained fighters with meager weapons, and usually a smaller force. Historical examples include the North Vietnamese in the 20th century and even the American Revolution in the 18th century. Clearly this can be an effective strategy for a band of irregulars.
My reading this morning lead me to this article, Asymmetric Warfare: A Primer, by C. A. “Bert” Fowler, in the IEEE Spectrum. In it, Fowler explores a mathematical basis for how one side can drain the resources of the other. Towards the end he expresses the six fundamentals of an insurgency as described by T. E. Lawrence, or irregular force, in classic warfare. These are reiterated in T.E. Lawrence And the Mind of An Insurgent by James J Schneider. Here they are, with their online—and cybercrime—parallels:
1. A successful guerrilla movement must have an unassailable base.
In this case, the irregulars have such a diffuse base of operations—infected computers, possibly spred globally—that a traditional defender cannot identify or stop them preemptively. We’ve hit this a long time ago with botnets, and now with some DDoS nets we’re there again.
2. The guerrilla must have a technologically sophisticated enemy.
No question about it, most of the targets have substantial bandwidth, server, and infrastructure—and people—resources.
3. The enemy must be sufficiently weak in numbers so as to be unable to occupy the disputed territory in depth with a system of interlocking fortified posts.
This parallel is, I think, best drawn when you think about keeping computers uninfected. Every day, new vulnerabilities come out that can be used to spread malware, and every day new social engineering lures come out that render such vulnerabilities moot (for the purposes of infected client computers with your agent).
4. The guerrilla must have at least the passive support of the populace, if not its full involvement.
Again, computers that are often unknowingly infected with a DDoS agent, or in some cases you have a general population that is all too willing to install an agent on their system that will assist in “the cause”.
5. The irregular force must have the fundamental qualities of speed, endurance, presence, and logistical independence.
No doubt about it, the Internet means that speed is now no problem for malware authors and attackers, endurance is easier to find (automation), and with so many groups operating independently, they’re all attacking—and coming together—at will.
6. The irregular must be sufficiently advanced in weaponry to strike at the enemy’s logistics and signals vulnerabilities.
Again, the Internet has leveled the playing field. The same network that the big, powerful force uses to coordinate their system is vulnerable to attacks and shut down, and it’s accessible by the irregular forces.
In short, I don’t think we’ll see an end to this problem any time soon, not without a fundamental, killer blow to the Internet. Any system that can help the “little guy” achieve business greatness against established companies—like Google vs. Microsoft—can also help other, angry “little guys” strike against a giant and sometimes win.
I don’t know if this is the right metaphor, however. In many ways this feels like the lawless streets of Victorian England created in the story of Charles Dickens’ Oliver Twist. If that’s the case then it’s a whole different solution altogether. In the end it may be a mix of the two.
This article originally appeared on Arbor’s Netoworks Security Blog.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byCSC
Interesting analogy. You seem to wander a bit between military and commercial, however.
When you’re talking about the US military, it’s not the “same network that the big, powerful force uses to coordinate their system is vulnerable to attacks and shut down, and it’s accessible by the irregular forces.”
I assume (and hope!) that it’s a lot harder to mess with SIPRnet than the regular Internet.