Friday, May 16, 2008

Mutually Assured DDoS

Thanks to several of you for asking for my opinion of the article Carpet bombing in cyberspace: Why America needs a military botnet by Col. Charles W. Williamson III. I'd like to cite a few excerpts and comment directly.

The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack...

This is interesting. Why do we need to project force in cyberspace to deter our enemies? Cyberwar is usually cited as a means of conducting asymmetric warfare, meaning one side is much weaker than the other in conventional means. Cyberwar is expected to be conducted against US assets (critical infrastructure) because the enemy lacks the capability to destroy or degrade that asset using kinetic weapons. If we can deter enemies using our existing, overwhelming kinetic force, why possess an ability to "carpet bomb in cyberspace?"

Today’s air base defense concept still uses a layered defense in depth, but it starts as far as possible from the air bases, then relies on close-in defense only as a last resort. That capability in cyberspace can exist in an af.mil botnet...

The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources.

Rob Kaufman, of the Air Force Information Operations Center, suggests mounting botnet code on the Air Force’s high-speed intrusion-detection systems. Defensively, that allows a quick response by directly linking our counterattack to the system that detects an incoming attack. The systems also have enough processing speed and communication capacity to handle large amounts of traffic.


Oh, that's a great idea. Let's tie up the only really useful element of the Air Force's defense -- that which provides some degree of situational awareness -- with the task of packeting someone.

Next, in what is truly the most inventive part of this concept, Lt. Chris Tollinger of the Air Force Intelligence, Surveillance and Reconnaissance Agency envisions continually capturing the thousands of computers the Air Force would normally discard every year for technology refresh, removing the power-hungry and heat-inducing hard drives, replacing them with low-power flash drives, then installing them in any available space every Air Force base can find. Even though those computers may no longer be sufficiently powerful to work for our people, individual machines need not be cutting-edge because the network as a whole can create massive power.

I see... so the very network that is important enough to be deemed a "weapons system," thanks to the logistics, communication, and related traffic it carries, is going to be filled with tons of DDoS traffic from recycled PCs? Do you think QoS is supposed to take care of this problem?

After that, the Air Force could add botnet code to all its desktop computers attached to the Nonsecret Internet Protocol Network (NIPRNet). Once the system reaches a level of maturity, it can add other .mil computers, then .gov machines.

To generate the right amount of power for offense, all the available computers must be under the control of a single commander, even if he provides the capability for multiple theaters. While it cannot be segmented like an orange for individual theater commanders, it can certainly be placed under their tactical control.


I am sure the botnet software installed would be super secure. Can you say "biggest latent botnet" in history? Every single .mil and .gov computer under the control of a single commander -- probably a Russian or Chinese infiltrator? Just who is Col. Williamson working for, anyway?

This is a really dumb idea, at least as presented. I'm all for Taking the Fight to the Enemy, but building a botnet on operational networks, especially on operational defensive systems and even production equipment, is just wrong. If we want to remove someone from the network, it's far simpler to disable the right cable using conventional means.

Let's assume the Air Force did build a botnet, on separate, non-production computers, on dark space, ready to point towards an enemy. Where would that target be? No single computer, or handful of computers, DDoS'd Estonian infrastructure. (Every military planner loves to cite Estonia these days.) If someone decided to DDoS one or more US computers or routers, where would we point our botnet? Where would Estonia have pointed any botnet it owned -- Russia? Back at the computers DDoSing Estonian assets? How is this supposed to work? "Don't DDoS us or we'll DDoS you?" Mutually Assured DDoS?

There are smarter ways to conduct operations in cyberspace, and this is not one of them. Back to the drawing board, sir.

5 comments:

stretch said...

I sure hope he has devised a major overhaul of the NIPR backbone to support such a scheme.

Even on the off-chance this eventually becomes reality, I wonder how long it would go on before some Tier 1 providers get pissed and pull the plug on the whole thing.

Michael Cloppert said...

Richard,

Another consideration is that this approach goes against the advice of one of the USAF's strategists on information warfare, Col Gregory Rattray (8th AF, ret.). Shameless self promotion, I wrote a brief overview of how this is the case if you're interested.

-Mike

LonerVamp said...

I've read several mentions of this essay and I shake my head each time the topic comes up.

I'm not sure why we would want to "carpet bomb" anyone on the Internet. I actually do not see a reason, unless we're talking about WWIII-esque proportions. And if we are, we have other things to worry about and other kinetic means to do this. We have international economic leverages as well. Why affect cyberspace when we can just go after their power...?

Best laugh of the day was your mention of packeting someone. It just seems so childish to think that the US gov't would have a use for packeting someone using hundreds of old systems sitting in unused corners eating power, address space, and likely not updated for years, etc. What's next, email bombs? AOLNuke?

And not only that, but what about the rest of us using the Internet, just how will this carpet bomb be delivered such that it actually affects the target but doesn't affect the infrastructure as a whole? Col. Williamson's comparison between cyberspace and road systems is noble, but misunderstood.

At any rate, if I were to further attack this essay, I would offer better legal cooperation internationally in order to actually create deterrence. Does Col. Williamson think packeting some attacker is a "credible deterrent?"

I would attack the idea that the fortress mentality is dead in cyberspace. Tell that to my company's stakeholders that our perimeter and other network defenses shouldn't exist. Of note, he completely contradicts himself anyway by saying the fortress model is dead, describes the dead fortress as a series of defenses, then explains how bases currently use a defense in depth approach...huh? Fine, the perimeter is becoming more porous, but that's not a reason to say it is dead and my servers/users should just have a chain link fence up and a DDOSing botnet behind them.

For some reason, there were moments in this essay where I got the impression of the "whack-a-mole-gibson" scene in Hackers where Fisher Stevens' character can't keep up with whacking the attackers in their dramatized final showdown, only instead of Fisher and Penn pressing buttons, it's a large botnet...

I think these ideas do need to be sounded so they can be shot down, but it still feels like something out of an IRC chat room in 1996.

Anonymous said...

I was reading about that kid SoBe who went to jail for botting, and there was a comment about "these are only kids". So it seems only kids want more "power" on the net, no one else.

I find this article kinda funny. The USA have the best military and intelligence in the world, and they still pwned at 911. After these and the Vietnam war, they should realize now, not always the stronger enemy wins. I think that country is gonna burn out sooner or later.

I would give anything to work on projects like this military botnet, but it will never happen so I just keep dreaming :-)

Anonymous said...

"But wait.... if we just reboot their computers we won't have to kill them."

These romanticized variations of the "use cyberspace for offensive operations" mantra really miss the point. Cyberspace doesn't allow for an effective Offensive Battlespace. Sure, there are some pretty cool (and necessary) things you can do and label them "Offensive Warfare", but by and large they are just classes of I, S, or R. Necessary efforts, but not really Offensive Warfare.

Breaking the enemy's toys (or their ability to surf pr0n) is not the same as breaking the enemy's will. To do that, he needs to see his neighbor's tent blow up spontaneously when he thought nobody knew where he was. Simply causing the blue screen won't break their will -- just look at how successful Microsoft still is. :)