
2015: The year the Internet crashes. Hard.

Steven J. Vaughan-Nichols | Jan. 9, 2015
Someone is going to pull the trigger on a truly gigantic DDoS in 2015. The only question is who.

An Internet joke that goes back at least to the early 1980s consists entirely of the phrase: "Imminent Death of the Net Predicted!" Every year, even more often than you'd hear "This will be the year of the Linux desktop!" someone would predict that the Internet was going to go to hell in a handbasket -- and nothing happened. This year it's my turn, but I fear I'm going to be proved right.

Here's why.

Take a good look at what happened to the Internet in 2014. In February we saw the biggest distributed denial-of-service (DDoS) attack of all time. It hit a high of 400 gigabits per second (Gbps). That's more traffic than the total Internet bandwidth of a small country.

In October, Akamai reported that in the previous quarter it alone had defended its customers against 17 DDoS attacks flooding targets with traffic greater than 100 Gbps, with the largest topping out at 321 Gbps.

And, as every Xbox and Sony PlayStation gamer knows, Xbox Live and the PlayStation Network were knocked out for about 72 hours during the Christmas holiday weekend by DDoS attacks.

Who thinks we'll see a petabit-per-second DDoS attack in 2014? I do.

An attack of that magnitude may come from hackers, such as Lizard Squad, going after gaming companies for reasons that will undoubtedly remain obscure. But I think it's much more likely that it will come from a nation state.

Cyberwar is not just the stuff of science fiction. It's already happened.

Russia has been accused of taking out Estonia's Internet in 2007 and Georgia's network in 2008. Richard Stiennon, principal at security consulting firm IT-Harvest, expects that if Russia decides to seriously attack Ukraine, Ukraine's Internet would be Russia's first target.

Meanwhile, North Korea has accused the United States of attacking its Internet. And, of course, before that the FBI had said that North Korea was responsible for the Sony intrusion.

Someone is going to pull the trigger on a truly gigantic DDoS in 2015. The only question is who.

How these attacks will be made isn't so mysterious. Attackers need only abuse long-existing problems in such basic Internet protocols as Network Time Protocol (NTP) and Domain Name System (DNS). We are running the Internet using decades-old technology, and we've been really, really lazy about upgrading it.

For example, DNS-based attacks could be mitigated by the use of Domain Name System Security Extensions (DNSSEC). DNSSEC has been around since 2010, but it's still being deployed by only a tiny number of companies.

In the meantime, we also saw in 2014 an absolutely core Internet security protocol, OpenSSL, ripped apart by the Heartbleed bug. Months later, long after fixes were available, 300,000-plus Web servers were still vulnerable to that bug.

 
