The Rough Men of Digital War

 

We stand in a silent and invisible maelstrom, a storm of digital violence, of virtual measures and counter-measures executed at nearly incomprehensible speeds.

Three days ago the most powerful internet attack ever launched was directed at an internet site used by millions of software developers. GitHub, the site in question, is home to thousands of important software projects — projects that make the modern internet possible. The motives of the attack are thus far unknown, as are the perpetrators. (A much weaker attack three years ago was likely the work of the Chinese government.)

What makes this particular attack important is not the damage it did — GitHub was shut down for all of nine minutes — but rather the intensity of the assault and what it suggests about the growing capabilities of digital bad actors.

GitHub fell victim to what is known as a DDoS — a Distributed Denial of Service — attack. In a DDoS attack, many computers are used to simultaneously send internet traffic to a single target web site, crashing the server or so clogging it that legitimate traffic cannot get through. Computers used in these attacks might be owned by the attacking entity (as, for example, was probably the case with the Chinese government attack), but are more often pressed into service through the exploitation of security faults in “innocent” computers and devices owned by others.

The GitHub attack was one of the latter variety. An obscure flaw in a feature used to speed up processing on many corporate internet servers was used to force those servers to take part in the attack. The resulting deluge of data directed at the GitHub servers reached a sustained rate of more than a trillion bits per second. That’s about the same amount of data as required to watch 130,000 movies simultaneously – in HD.

The intensity of such attacks is increasing. The internet continues to grow rapidly, with hundreds of millions of internet-connected devices being added every year and that number expected to soar in the next few years. Many of these devices, those making up the so-called Internet-of-Things, are poorly secured, unmanaged, and vulnerable to the kinds of exploitation required for DDoS attacks.

These sinister attackers are technically sophisticated, motivated for a variety of reasons ranging from politics to greed to a nihilistic urge to destroy, and sometimes well-funded. Arrayed against them in this constant jockeying for digital superiority are internet security experts and ever-improving firewall and router technology.

There’s a popular saying, attributed to many but traceable to no one, to the effect that people sleep peacefully in their beds at night only because rough men stand ready to do violence on their behalf.

In that spirit: we shop securely on Amazon, stream music and video, enjoy our social media, and, increasingly, earn our livelihoods with the help of the internet only because computer engineers and software geeks stand ready to pound Red Bulls and pull all-nighters on our behalf.

Happy computing.

Published in Science & Technology

There are 8 comments.

  1. RushBabe49 Thatcher
    RushBabe49
    @RushBabe49

    How about some tips for us average users for preventing our devices from being used this way.  And is there a way for a server (hardware or software) to detect and fend off such attacks?  Has anyone invented a “reflector” to bounce back attacks onto the attacker?

    • #1
  2. Aaron Miller Inactive
    Aaron Miller
    @AaronMiller

    Henry Racette: motivated for a variety of reasons ranging from politics to greed to a nihilistic urge to destroy

    Is temporarily shutting something down always the purpose of a DDoS attack? The most common use seems to be mere vandalism, while the most dangerous use is state cyberwarfare to weaken defenses against physical attacks.

    Or can DDoS attacks be used as smokescreens for data theft or other digital actions?

    Was the attack on GitHub presumably an act of vandalism?

    • #2
  3. James Gawron Inactive
    James Gawron
    @JamesGawron

    Henry Racette: An obscure flaw in a feature used to speed up processing on many corporate internet servers was used to force those servers to take part in the attack. The resulting deluge of data directed at the GitHub servers reached a sustained rate of more than a trillion bits per second. That’s about the same amount of data as required to watch 130,000 movies simultaneously – in HD.

    Henry,

    I am no expert in this field. However, it seems telling that corporate servers that were intentionally monkeyed with by their owners are at fault here. The assumption that corporate environments which can afford their own highly trained staff are more secure isn’t necessarily so. If you remember Comey’s first famous Hillary speech, Hillary’s private custom server had less protection than an ordinary gmail account. Internet security isn’t always what you’d expect.

    Regards,

    Jim

     

    • #3
  4. Henry Racette Member
    Henry Racette
    @HenryRacette

    James Gawron (View Comment):

    Henry Racette: An obscure flaw in a feature used to speed up processing on many corporate internet servers was used to force those servers to take part in the attack. The resulting deluge of data directed at the GitHub servers reached a sustained rate of more than a trillion bits per second. That’s about the same amount of data as required to watch 130,000 movies simultaneously – in HD.

    Henry,

    I am no expert in this field. However, it seems telling that corporate servers that were intentionally monkeyed with by their owners are at fault here. The assumption that corporate environments which can afford their own highly trained staff are more secure isn’t necessarily so. If you remember Comey’s first famous Hillary speech, Hillary’s private custom server had less protection than an ordinary gmail account. Internet security isn’t always what you’d expect.

    Regards,

    Jim

    Jim,

    Your essential point is a good one: optimization is the root of all kinds of evil. It’s widely recognized in the software development business that changes made specifically to improve performance are notoriously prone to unintended consequences, and more likely than other modifications to introduce error.

    In this particular instance, it isn’t the corporations themselves that introduce the vulnerabilities through their own tinkering. They are using an established memory caching technology to make database access across the internet more effective. It just happens that a common implementation of this feature on some platforms is flawed in a way that technologically savvy hackers can exploit.

    H.

     

    • #4
  5. Songwriter Inactive
    Songwriter
    @user_19450

    My own quite modest website comes under robotic attack at least once a month. It is a target, we presume, simply because I do some very simple e-commerce.  (Ironically, the commerce is all handled by a 3rd party offsite – so there is no CC info, or any financial data, at my site.)

    My site has some pretty basic protection which shuts the robots out after two attempts.  Still, they can bog things down.  It can be incredibly aggravating.

    • #5
  6. The Reticulator Member
    The Reticulator
    @TheReticulator

    I think we should let our government take over cybersecurity to protect us. After all, it has shown its competence in the case of the Hillary e-mails and in the case of the theft of millions of government employee records. Making the feds responsible for private cybersecurity will also effectively nationalize our country’s businesses and make their executives liable to prison if they don’t follow procedures. It doesn’t really matter what procedures, of course.

    • #6
  7. She Member
    She
    @She

    “The Rough Men of Digital War”

    I’m closely related to one of them.  They are a strange breed, although he started out pretty normal.  Here’s a very early photo:

    In that spirit: we shop securely on Amazon, stream music and video, enjoy our social media, and, increasingly, earn our livelihoods with the help of the internet only because computer engineers and software geeks stand ready to pound Red Bulls and pull all nighters on our behalf.

    True dat.

     

    • #7
  8. Henry Racette Member
    Henry Racette
    @HenryRacette

    She (View Comment):

    “The Rough Men of Digital War”

    I’m closely related to one of them. They are a strange breed, although he started out pretty normal. Here’s a very early photo:

    In that spirit: we shop securely on Amazon, stream music and video, enjoy our social media, and, increasingly, earn our livelihoods with the help of the internet only because computer engineers and software geeks stand ready to pound Red Bulls and pull all nighters on our behalf.

    True dat.

    S, more power to him and guys (and gals) like him. I’m not cut out for that. I write industrial automation and robotics software, and I’m good at it, but I’m a meat-and-potatoes kind of guy: the work I do is rock solid, crushingly boring, and entirely predictable. It takes a different kind of thinker, someone well outside of the box, to see the world from a hacker’s perspective and find the vulnerabilities they exploit. I’m just not that creative.

     

    • #8