Note to the Readers
Yes, there are communities who consult and curate an anti-DDoS strategy to mitigate the risk to the Internet. Starting ~2000, Operators have consulted on ways to build better resilience into the Internet’s infrastructure. These consultations evolved into informal security strategy plans. By 2012, multiple groups were involved (see http://www.senki.org/2012-a-year-of-cyber-security-optimism/).
A drop-off in network-impacting DDoS activity in 2015-2016 resulted in many organizations deprioritizing DDoS Resiliency and Defense. The “community of peers” who had worked together shifted roles, got promoted, or left the industry. This erosion of DDoS expertise resulted in unexpected collateral impact from the Q4 2016 attacks on Krebs. A simple DDoS attack caused collateral damage at major critical Internet interconnection points. Since then, there has been a reinvestment and a request to restart the “Security Strategy” consultation within the Operator and Trust Group communities. This post lists aspirations and observations from 2018.
- Operator Groups are Carriers, ISPs, Cloud Operators, and other Communications Services providers.
- Trust Groups are invitation-only, vetted-membership security groups focusing on specific collective security interests or criminal activities.
This is a 2018 consultation document intended to promote exploration of collective action. It is posted here for historical reference. The consultations led to various activities from 2018 to 2024 that continue the industry’s effort to suppress DDoS.
Results of the Community Consultation
The objectives for 2018 will focus on re-establishing Operator collaboration in the interest of collective protection, operational resuscitation (or deployment) of the anti-DOS tools and techniques, leverage of existing/new data peering, and tempo of action with industry remediation. The 2016 Krebs postmortem illustrated that many relationships between Operators had fallen victim to entropy. Hence, a central theme in 2018 will be the restart of physical meetings. These will build on the NSP-SEC and early ISOI meetings, with one focused explicitly on Operator/Carrier CISOs.
The following list covers the strategy actions that have been explored, the assistance requested to deploy them, and the considerations for action.
2018 Security Strategy Action List
This refined list is based on 1:1 and group consultation with core peers battling DDoS.
Operator’s Security Toolkit
It is time to refresh the SP Security materials used by many over the years. In 2002, several people in the emerging “Service Provider Security” field gathered a list of top practices every Operator should deploy. These “NSP-SEC Top 10” techniques became the foundation of the toolkit used daily in all parts of the Internet. Years later, these materials require a refresh and a new training tour to empower new generations of peers and ensure that as many ASNs as possible have these tools deployed. The new Operator’s Security Toolkit will provide materials for all ASNs (Service Providers, Mobile Operators, Cloud Operators, Universities, Enterprises, Government Networks, and Multi-national companies).
An overview of the “toolkit refresh” can be viewed here: Operators Security Workshop.
DOS Peering
The Communications Service Provider (CSP) community has explored inter-ASN collaboration against DOS attacks (and other attacks). In general, coordinated action has been done via mailing lists, chats, phone calls, and conference calls. This works, but it has known limitations in reaction speed and is vulnerable to operational entropy. CTL/L3 and AT&T have demonstrated a new model for DOS Peering. “Anti-DOS Peering” opens new levels of conversation between Operators. The ability to peer requires that each Operator deploy and maintain a range of the Operator Security Tools. The DOS Peering approach “packages” these tools into bilateral and multilateral agreements that shape operational practices inside the Operator.
DOS Peering uses staged mitigation requests built on Flowspec and a DOS peering agreement. These alliances focus on protecting the critical telecommunications infrastructure that has now migrated to the Internet. The DOS Peering effort is not focused on replacing existing DOS Mitigation Services sold to Enterprises. The focus is on critical backbone infrastructure, Internet Exchange Points (IXPs), Voice Interconnections, and Emergency Services. The rise of, and attention paid to, State Actor threat vectors is part of the motivation for new investment in inter-operator capabilities that can be formally integrated into risk planning.
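The staged Flowspec mitigation request described above, as an added illustration that is not code from the post or from any operator named in it: a receiving operator accepts a peer's request only if the peer ASN is in a peering agreement and the victim prefix falls inside the prefixes that agreement covers (the same ownership check Flowspec route validation relies on), then renders the agreed escalation stage as an ExaBGP-style announcement. The ASNs, prefixes, stage ladder and rate-limit values are constructed assumptions, not terms from any real agreement.

```python
import ipaddress

# Constructed example of a bilateral DOS peering agreement (not from the post):
# each hypothetical peer ASN may request mitigation only for victim prefixes it
# is responsible for, mirroring the ownership check Flowspec validation applies.
AGREEMENT = {
    64496: [ipaddress.ip_network("192.0.2.0/24")],     # hypothetical peer A
    64497: [ipaddress.ip_network("198.51.100.0/24")],  # hypothetical peer B
}

# Staged escalation ladder assumed to be written into the agreement; the
# rate-limit values are constructed and expressed in bytes per second.
STAGES = {1: "rate-limit 10000000", 2: "rate-limit 1000000", 3: "discard"}


def validate_request(peer_asn, victim, stage):
    """Return (accepted, reason) for a peer's staged mitigation request."""
    nets = AGREEMENT.get(peer_asn)
    if nets is None:
        return False, "peer ASN not in any DOS peering agreement"
    try:
        victim_net = ipaddress.ip_network(victim, strict=False)
    except ValueError:
        return False, "malformed victim prefix"
    # Only accept a victim prefix that is a sub-prefix of an agreed prefix.
    covered = any(victim_net.version == n.version and victim_net.subnet_of(n)
                  for n in nets)
    if not covered:
        return False, "victim prefix not covered by the peer's agreement"
    if stage not in STAGES:
        return False, "unknown mitigation stage"
    return True, "ok"


def build_flowspec(peer_asn, victim, protocol, source_port, stage):
    """Render an accepted request as an ExaBGP-style Flowspec announcement."""
    accepted, reason = validate_request(peer_asn, victim, stage)
    if not accepted:
        raise ValueError(reason)
    dest = ipaddress.ip_network(victim, strict=False).with_prefixlen
    return ("announce flow route { match { destination %s; protocol %s; "
            "source-port =%d; } then { %s; } }"
            % (dest, protocol, source_port, STAGES[stage]))


if __name__ == "__main__":
    # Stage 1 against a reflected NTP flood (UDP source port 123), then escalate.
    for stage in (1, 3):
        print(build_flowspec(64496, "192.0.2.10/32", "udp", 123, stage))
    print(validate_request(64497, "192.0.2.10/32", 1))  # rejected: not peer B's prefix
```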
MISP, CIF, and Inter-Operator Data Peering
Despite what some might think, data peering between regulated carriers does happen. Several carriers wish to explore expanding security data peering with each other, starting with the Malware Information Sharing Platform (MISP) and the Collective Intelligence Framework (CIF). These frameworks comply with privacy requirements in many parts of the world. Combined, they provide a broader measurement surface that has demonstrated strength in responding to a range of threat vectors and attacks.
Smokejump Operations “Refresh”
In the past, the community used “smokejumping” as a tool to work with an ASN peer who is severely violated by badness OR to ingratiate into a “grey” ASN that is “unknowingly” hosting badness. Both approaches have worked but relied on specific vendor capacity. The new “refreshed” multi-party smokejump operations would build on some coordinated “unravelment” activities. Trust Groups using evolved communication tools like Slack can work with each other more effectively and inclusively. These inclusive approaches can reach out to ASNs who are victimized (e.g., as in the case of Satori) or who need “nudging” from grey to white (opening the tool for LE action).
Risk Factors, Themes, and Threat Vectors
Root Cause of DOS
The Operator community has been very mindful of the Root Cause of the DOS Problem. The core root cause has long been understood to be the difficulty of arresting the perpetrators of DOS. Over the past 20 years of anti-DOS activity, the most significant impact on “DOS activity” has been a direct result of arrests. This theme of “attribution,” international law enforcement collaboration, and action will continue. The desire is to optimize and prepare for the increased State Actor DOS Threats.
Major Threat Vectors
There are four external threat vectors to any organization:
- Criminal Threats from people who are working to steal, extort, abuse, harass, and manipulate for their criminal gain. These are the most common and growing areas of DDoS. “Follow the money” has become easier with the ability to pay extortion payments via crypto-currency.
- Political, Protesting, and Patriotic Threats from people who take action to push their interests. These efforts can be grassroots or manipulated/controlled by external influence. They are often labeled “hacktivists” but can be leveraged to be much more. For example, in the early 2000s, China’s war planning strategy was to leverage the “peasant army cyber-hackers” to defend the country.
- Inter-corporate threats from competitors who seek to gain intelligence, intellectual property, and competitive advantage. In the last few years (2018 time frame), new companies specializing in “contract work” have emerged in many parts of the world. They range from the “Beltway Bandits” in the US to the tech industry in Israel, to start-ups in India, to favored subcontractors in China, alongside outsourced firms directly working for Russia. Nothing is stopping one company from hiring another company.
- State Actor Threats are a reality in the world. They impose their “battle sphere” on private industry’s infrastructure to achieve state interests. State Actors are the most controlled and dangerous threat actors. The ‘control’ is based on simple State and Military Command and Control. Someone orders who, what, how, and when attacks will happen. These “C&C structures” can call off attacks. The flip side is how the DDoS Attacks will happen—the “how” and “how much damage” are part of the orders. State Threat Actors are not limited by the criminal mindset (don’t get caught so you can make lots of money).
Three of these four threat actors are criminal. In a local town, city, or state, the local civic society will determine how much crime will be tolerated. They will determine how many police will be on patrol, what laws will exist, how many prosecutors will be employed, how many jail cells will be funded, and how the laws will be enforced. This impacts the level of crime in a specific locality. All of this is negated when the Global Internet/Telecommunications network is used for the facilitation and execution of crime.
Limitation of International Justice – Why DOS will not be a “Solved” Problem. The only way we will “solve” criminal DOS attacks will be by establishing a viable International Justice system that allows the same criminological checks and balances that work locally to be applied globally. Facing reality, an International Justice system is not in our foreseeable future. While citizens, corporations, and organizations can push for change through cases, results will be slow and take a long time to materialize.
We do see results! It must be noted that private-private collaboration with public participation has resulted in arrests. Law Enforcement action has resulted in arrests and takedowns. Private organization civil action has resulted in criminal infrastructure takedowns (where international civil suits are used). We, private industry, do not need to wait for action. Using the existing laws is the best way to determine the path forward to a future International Justice system.
What happened?
These consultations help our “anti-DDoS community” explore and focus on approaches to fighting DDoS. They have resulted in several multi-organizational efforts. The M3AAWG Anti-DOS Special Interest Group and several security trust groups invigorated effective peer relationships. These trusted peer relationships and new International Law Enforcement efforts have assisted the industry’s collective DDoS Defense. But, as you can see in the illustration, the DDoS threat is not going away. By 2022, the projected growth in DDoS impact was not stopping.
Why does DDoS Continue to Grow?
Read the article – 1 Yottabyte DDoS Attack – The Biggest DDoS Attack in History! There are multiple factors why DDoS continues to grow in intensity. The key consensus from the DDoS experts who were part of this discussion was resignation. Resignation that organizations are not focusing on DDoS. Resignation that community efforts to fund and battle DDoS have no funding. No Funding = no action. No action = the ability of the threat actors to continue to evolve their efforts. The 2018 concern was, “We have to collaborate to survive, but no organization/government is interested in pushing back on DDoS.”
Note: If you are Looking to Take Anti-DDoS Action
The DDoS Attack Preparation Workbook contains plenty of materials, and there are SIGs in M3AAWG, IT-ISAC, FS-ISAC, FIRST, other groups, and operator-oriented security trust groups.
Email Barry Greene (bgreene@senki.org) if you want to plug into any of these activities.
