CNN.Com, Politically Motivated DDoS, and Asymmetric Warfare

Once again I find myself thinking about the nature of the asymmetric warfare threat posed by politically motivated DDoS (Estonia in 07, Korea in 02, and now China vs. CNN in 08). I keep thinking about it in terms of asymmetric warfare, a class of warfare where one side is a traditional, centrally managed military with superior uniformed numbers, weaponry, and skill. On the other side is a smaller force, usually of untrained fighters with meager weapons. Historical examples include the North Vietnamese in the 20th century and even the American Revolution in the 18th century. Clearly this can be an effective strategy for a band of irregulars.

My reading this morning led me to this article, Asymmetric Warfare: A Primer, by C. A. “Bert” Fowler, in the IEEE Spectrum. In it, Fowler explores a mathematical basis for how one side can drain the resources of the other. Towards the end he lists the six fundamentals of an insurgency, or irregular force, in classic warfare, as described by T. E. Lawrence. These are reiterated in T.E. Lawrence And the Mind of An Insurgent by James J. Schneider. Here they are, with their online—and cybercrime—parallels:

1. A successful guerrilla movement must have an unassailable base.

In this case, the irregulars have such a diffuse base of operations—infected computers, possibly spread globally—that a traditional defender cannot identify or stop them preemptively. We hit this a long time ago with botnets, and now with some DDoS nets we’re there again.

2. The guerrilla must have a technologically sophisticated enemy.

No question about it, most of the targets have substantial bandwidth, server, and infrastructure—and people—resources.

3. The enemy must be sufficiently weak in numbers so as to be unable to occupy the disputed territory in depth with a system of interlocking fortified posts.

This parallel is, I think, best drawn when you think about keeping computers uninfected. Every day, new vulnerabilities come out that can be used to spread malware, and every day new social engineering lures come out that render such vulnerabilities moot (for the purposes of infecting client computers with your agent).

4. The guerrilla must have at least the passive support of the populace, if not its full involvement.

Again, computers are often unknowingly infected with a DDoS agent, or in some cases you have a general population that is all too willing to install an agent on their systems that will assist in “the cause”.

5. The irregular force must have the fundamental qualities of speed, endurance, presence, and logistical independence.

No doubt about it, the Internet means that speed is now no problem for malware authors and attackers, endurance is easier to find (automation), and with so many groups operating independently, they’re all attacking—and coming together—at will.

6. The irregular must be sufficiently advanced in weaponry to strike at the enemy’s logistics and signals vulnerabilities.

Again, the Internet has leveled the playing field. The same network that the big, powerful force uses to coordinate their system is vulnerable to attacks and shut down, and it’s accessible by the irregular forces.

In short, I don’t think we’ll see an end to this problem any time soon, not without a fundamental, killer blow to the Internet. Any system that can help the “little guy” achieve business greatness against established companies—like Google vs. Microsoft—can also help other, angry “little guys” strike against a giant and sometimes win.

I don’t know if this is the right metaphor, however. In many ways this feels like the lawless streets of Victorian England created in the story of Charles Dickens’ Oliver Twist. If that’s the case then it’s a whole different solution altogether. In the end it may be a mix of the two.

This article originally appeared on Arbor Networks’ Security Blog.

By Jose Nazario, Senior Security Researcher, Arbor Networks


Christopher Parente  –  Apr 23, 2008 7:53 PM

Interesting analogy. You seem to wander a bit between military and commercial, however.

When you’re talking about the US military, it’s not the “same network that the big, powerful force uses to coordinate their system is vulnerable to attacks and shut down, and it’s accessible by the irregular forces.”

I assume (and hope!) that it’s a lot harder to mess with SIPRnet than the regular Internet.
