Home / Blogs

Carpet Bombing in Cyber Space - Say Again?

I was pointed to an article in the Armed Forces Journal where Col Charles W. Williamson III argues that the US Air Force needs to develop a BOTnet army as part of the US military capability for retaliatory strikes. The article brings up some interesting issues, the one that I believe carries the most weight is the argument that we (well, people living on the Internet) are seeing an arms race. It is true that more and more nations are looking into or developing various forms of offensive weapons systems for the use on the Internet. Col Williamson seems to argue that the greatest of these threats is that of DDoS attacks targeted at US systems (I presume any system in the US conducted by a foreign adversary. I will note that he seems to go to some length to not narrow the scope to nation states). Here I would first like to point out that I disagree. The largest threat will be from specially crafted hostile code that leaks secrets or that could be activated when needed to perform a task or incapacitate the infected system.

Col Williamson however, seems to believe that with a US AF DDoS strike capability that was great enough—that would be a deterrent for adversaries to attack US systems. Here he is starting to loose track of some fundamentals of DDoS attacks. He compares a DDoS attack to that of carpet bombing, but misses the point that a DDoS attack would be carpet bombing all the way from take-off at a inside the US located airbase all the way to the home of the adversary and back again. Yes, you might not cause any lasting destruction on the way—but it’s more likely you do and it’s more likely that the countries in the flight path that gets bombed for no reason might turn hostile. Even close their airspace or try and take out the bombers. This is all left unexplained in Col Williamsons article.

But for now, let’s leave the fact that there is no real way to transport the attack traffic to the destination without collateral damage and instead concentrate on why DDoS attacks are successful (if they are). They normally target a very specific target—mostly for blackmail. And the key is that this is successful only for as long as the indented target is down. Often enough infrastructure in the path is what falls over first, taking out the attack traffic and possibly giving the victim breathing space. Col Williamson gives three examples of DDoS attacks. On CNN.com and Yahoo in 2001, and on Estonia in 2007. The first two examples prove the point I made earlier. They where narrowly focused attacks, with (most likely) a commercial gain as goal. The attacks on Estonia are actually very different to what Col Williamson seems to believe. They where actually from a military point of view a failure. They targeted a vast number of destinations, and the reason they actually created any impact at all was due to lesser developed infrastructure in terms of available capacity. This would not be true for the US as a country, but perhaps for individual systems in the US. So which systems does Col Williamson believe are important enough to lead to a retaliatory strike? He doesn’t say.

Further, the article does not seem to take into account how you would handle the fact that if a nation state was the adversary you would need a very small target list for the attack to work, and finding websites that makes a difference and works is not easy. If the adversary was an organization like Al-Quida, the retaliatory strike would be down to taking out their web-page, probably located in a completely innocent country. The effects would be—none I assume.

However, the proposal has some merit—I guess. If the adversary would be a smaller country, where connectivity to the rest of the world could be saturated or the national infrastructure was poor—an attack would have an effect on the national infrastructure. But I guess that if that is the case, it is also fair to assume that their dependency on network infrastructure is less. So DDoS attacks are asymmetric, and asymmetrical treats are hard to carpet bomb out of existence. A lesson you would think the US military (or any military for that matter) had learnt by now.

I believe that there is a real future in cyber warfare and that Col Williamson is right in that there is an arms race. But DDoS attacks are just not part of it.

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign