INTERNET BACKBONE OPERATOR Tata Communications has revealed its denial of service (DoS) attack mitigation could, in theory, result in the creation of internet islands.
Tata Communications, one of a few Tier 1 internet transit providers, told The INQUIRER that its DoS mitigation service can provide "scrubbed" traffic to users, allowing them to withstand onslaughts from the likes of hacktivist group Anonymous. Adam Rice, chief security officer at Tata Communications, said that due to the size of Tata's network, it is able to filter DoS traffic before it gets to the network's edge and, in extreme cases, drop traffic from a peer altogether.
Rice said that Tata monitors traffic usage patterns for those customers that take up the option of DoS mitigation. Technically there is no way of preventing a DoS attack - they are designed to look like legitimate requests - so dropping the offending packets is the only way to go.
Rice said that real-time deep packet inspection is "not possible for 40Gbit/sec". If Tata notices abnormal traffic patterns it confirms with the customer that it is not expecting extra traffic due to flash crowds and, if not, the traffic is routed to /dev/null, a black hole.
Rice admitted that at times this could mean legitimate requests are dropped, though he added, "If there's a few [legitimate requests] here and there and they have to refresh their browser I would say that's the same as no impact." Rice said that Tata runs a "Q&A process after every attack", allowing it to build up its heuristics in order to drop fewer legitimate packets.
Rice also admitted that if a particular peer has not blackholed DoS traffic originating from its network, Tata has the option of disconnecting that peer from its network. Asked whether a coordinated attack could in theory create 'internet islands' by having Tier 1 transit providers disconnect from each other due to DoS traffic, Rice said, "In theory it could happen but is unlikely."
Tata isn't the only outfit offering firms the ability to mitigate the effects of DoS attacks but Rice said, "When people sell DDoS [protection] they do it like gym memberships, you buy some capacity and the idea is you oversubscribe that capacity according to a model where you are guessing that not everyone will get DDoSed at exactly the same time. If it is a shared environment then there will be more than enough for any one customer. That model breaks down if the attack reaches a certain size or overwhelms your local infrastructure." Rice cited the DDoS attack suffered by Sony as one example where this happened.
According to Rice, the reason why such an attack is unlikely to succeed is the need for it to be distributed in order to avoid detection. "Duration is the problem," said Rice, adding that if it was a 20Gbit/s burst for a few seconds, the firm's core network and those of other Tier 1 networks would be able to cope. Rice pointed out that if the attack came from a single route then it would be easy to blackhole that particular route, but sustaining an aggregate throughput of 20Gbit/s from multiple sources is extremely difficult.
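The workflow Rice describes above (watch a customer's usage pattern against its baseline, check with the customer that the surge is not a flash crowd, then blackhole either the one offending route or the whole destination) can be sketched as a small decision model. The following is an added example written for this article, not Tata's code or any description of its real systems; the flow records, the baseline history, the "3 standard deviations above the mean" trigger and the 80% single-source share used to tell a single-route attack from a distributed one are all constructed assumptions.

```python
"""Toy model of a baseline-then-blackhole DoS triage, working on aggregated
flow rates rather than packet contents (no deep packet inspection).

Everything here is constructed for illustration; the thresholds are
assumptions, not an operator's real tuning."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One aggregated flow sample for a sampling interval (constructed)."""
    dst: str      # customer prefix the traffic is heading to
    src: str      # peer or source prefix the traffic arrived from
    mbps: float   # observed rate during the interval


# Constructed baseline: 30 past samples for one customer, hovering around 100 Mbps.
HISTORY_MBPS = [100 + (i % 5) - 2 for i in range(30)]

# Constructed current intervals for the same customer.
NORMAL = [Flow("cust-a", "peer-x", 50), Flow("cust-a", "peer-y", 30),
          Flow("cust-a", "peer-z", 20)]
SINGLE_SOURCE = [Flow("cust-a", "peer-x", 19000), Flow("cust-a", "peer-y", 60),
                 Flow("cust-a", "peer-z", 40)]
DISTRIBUTED = [Flow("cust-a", f"peer-{n}", 2000) for n in range(10)]


def detect_anomaly(history, observed, k=3.0):
    """Flag the destination when its current rate exceeds mean + k*stdev of its
    own history. A floor of 5% of the mean stops a very flat baseline from
    producing a hair-trigger threshold (assumed tuning)."""
    mu, sigma = mean(history), pstdev(history)
    threshold = mu + k * max(sigma, 0.05 * mu)
    return observed > threshold, threshold


def choose_mitigation(flows, dominant_share=0.8):
    """Pick the narrowest blackhole: if one source route carries at least
    dominant_share of the offending traffic, drop just that route; otherwise the
    attack is distributed and the only option left is the destination itself."""
    total = sum(f.mbps for f in flows)
    by_src = defaultdict(float)
    for f in flows:
        by_src[f.src] += f.mbps
    src, rate = max(by_src.items(), key=lambda kv: kv[1])
    if rate / total >= dominant_share:
        return "blackhole_source", src
    return "blackhole_destination", flows[0].dst


def triage(history, flows, customer_expects_surge=False):
    """Full workflow: detect the anomaly, confirm with the customer that it is
    not an expected flash crowd, and only then choose what to blackhole."""
    observed = sum(f.mbps for f in flows)
    anomalous, threshold = detect_anomaly(history, observed)
    result = {"observed_mbps": observed, "threshold_mbps": threshold}
    if not anomalous:
        return {"action": "none", **result}
    if customer_expects_surge:
        # Customer confirmed a legitimate surge (e.g. a flash crowd): let it through.
        return {"action": "allow_flash_crowd", **result}
    action, target = choose_mitigation(flows)
    return {"action": action, "target": target, **result}


if __name__ == "__main__":
    for label, flows in (("normal", NORMAL), ("single-source", SINGLE_SOURCE),
                         ("distributed", DISTRIBUTED)):
        print(label, triage(HISTORY_MBPS, flows))
    print("distributed, confirmed flash crowd",
          triage(HISTORY_MBPS, DISTRIBUTED, customer_expects_surge=True))
```

The point of the `choose_mitigation` step is the one Rice makes: a surge arriving over a single route can be dropped at that route alone, while a surge spread across many sources leaves the operator no choice but to blackhole the customer's own prefix, which is why the "confirm it is not a flash crowd" gate matters before that step runs.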
Rice also claims that Tata has foiled attacks on its customers by Anonymous. He said, "We have customers that have had attacks identified by groups like Anonymous and we've stopped it all. The big DDoS threat has been the underground - the extortion and the politically motivated DDoS attacks and that has been going on since the early 2000s."
As hacktivist groups use DoS more often as a means of bringing companies to their knees, they are inadvertently helping the transit providers protect their customers against the effects of crippling attacks. Perhaps some credit should be given to Anonymous and groups like it for creating increasingly robust DoS protection in the core internet infrastructure. µ
You should add this to the title:
"..in theory, but unlikely"
They should support freedom and route those packets to paypal.com instead of null and increase the QoS preference for packets from Anonymous.