North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
April 2000 COOK Report published on DDoS and Ideas of E. Gerck
[since I haven't published a message here in about 3 years]
Understanding Distributed Denial of Service pp. 1 - 16
During the second week of February the largest, and most diverse denial of service attacks in the history of the Internet caught several of the most important commercial web sites off guard and exposed what was previously a largely unsuspected operational vulnerability that affects the entire commercial Internet. -- Just as after Reagan was shot Al Haig stepped forward to say 'don't worry we're in charge here, we contend that Gene Spafford's February 19th summation of the White House meeting provides a soothing but superficial explanation of what is really a far more subtle and difficult structural weakness. This weakness is apparently inherent in the basic structure of the Internet and cannot be "enforced" out of existence. We present in Narrative form the NANOG and IETF technical discussions that resulted from the attacks. The discussion demonstrates that Internet backbone engineers are by no means agreed on precisely what happened or on how to deal with it.
On February 9, Lauren Weinstein, partner to Peter G. Neumann of the Risks mail list and co-sponsor with Neumann of People for Internet Responsibility had the following observation. "It seems apparent that the rush to move all manner of important or even critical commercial, medical, government, and other applications onto the Internet and Web has far outstripped the underlying reality of the existing Internet infrastructure. Compared with the overall robustness of the U.S. telephone system, the Internet is a second-class citizen when it comes to these kinds of vulnerabilities. Nor will simply throwing money at the Internet necessarily do much good in this regard. More bandwidth, additional servers, and faster routers--they'd still be open to sophisticated (and even not so sophisticated) attacks which could be triggered from one PC anywhere in the world. In the long run, major alterations will be needed in the fundamental structure of the Internet to even begin to get a handle on these sorts of problems, and a practical path to that goal still remains fuzzy at this time."
Ed Gerck's Ideas pp. 17- 22, 30
Part Two of this issue contains an interview with Ed Gerck as well as two essays by him. He is co-founder of the Meta Certificate Group, http://mcg.org.br , CEO of Safevote, Inc. and Chairman of the IVTA.. We suggest that his ideas form the basis for a fresh and compelling analysis of what we may really be dealing with. We conclude that there is a possibility that the fundamental nature of the attacks may have been completely misunderstood. We also contend that Gerck's theories, published here for the first time, may provide an entirely different mathematical basis for understanding the Internet as a quantum information structure possessing significantly different capabilities and potentials than could be extrapolated from our current understanding. Although this is quite a statement to make, his ideas have reached enough people so that it is likely that research will be rapidly undertaken to ascertain if his own experimental results dating from 1998 are verifiable and reproducible. Gerck's ideas involve the foundation of an entirely new calculus for the operation of the Internet.
Gerck asserts that the major reason the attacks were so successful is that the packets arrived at the target servers with a high degree of coherency - that is to say at almost the same instant. He points out that the technical functionality of the Internet mitigates against the coherent arrival of large numbers of packets at a specific target and thus a ten fold spike in incoming bandwidth would be very unlikely unless other unusual mechanisms are also at play."
How then could the observed effects of the arrival of very large numbers of packets have happened? He explains how his work in the quantum mechanics of lasers in the early 1980s gave him a hypothesis that he successfully tested in a university environment in 1998. Namely he suggests that the number of entities in the Internet has reached a critical mass where a single event such as a packet sent to a trin00 network, can result in an avalanche of coherent data amplification. The result is similar to the coherent amplification process that sets off the sudden flash of a laser. Under such conditions he posits that when this occurs, it creates conditions where packets can provide for a much different behavior as they reach a target. Gerck suggests that such events trigger a kind of quantum behavior, which however always exists but which then becomes visible at the user observed level and strongly contrasts with the classical behavior that it has replaced."
Gerck's ideas represent a paradigmatic shift in the evaluation of the scope, function and behavior of the Internet. One of the problems of communications involved is that to those stuck in the old paradigm, messages defining the new are often unintelligible. For many people his ideas will be quite jarring.
For example, his ideas reach to the root of what we call data. He suggests that data be thought of in terms of a natural quantity and as something that can be modeled with absorption, spontaneous emission and stimulated emission processes -- the last being a behavior associated with quantum systems. He finds that under certain conditions, stimulated data emission can win out over spontaneous data emission. This will happen when a minimum threshold of affected systems is disturbed by what may be a hacker attack, or the interaction of a virus with multiple systems or even by the unexpected appearance of a bug in operating software that everyone assumes to be stable. His findings lead to the conclusion that such perturbations, resulting in web site and or network congestion, will happen with increasing frequency. Of course if he is right, when they do happen the next time, they may have absolutely nothing to do with hackers.
After compiling the technical discussion from NANOG and IETF, it seems to us that the emphasis on traditional security measures is rather futile. The Internet is too large with too many machines under too many levels of control for traditional security measures of confinement of people and machines to be effective.
Gerck has some very interesting ideas about constructing mechanisms where two parties which are not known to each other may use a third neutral environment in which to securely negotiate conditions of trusted operation. He seems to have an uncanny sense of political power and psychology and how to reflect this in technical situations to build trust between parties that have no common grounds for negotiation.
As recently as a week ago we intended to publish only his two essays. However when we called him on the 25th of February to ask for answers to questions about the second essay on coherency, we found ourselves in the midst of a far ranging discussion that opened up some of his ideas of the physics of data and mechanics of trust that we had not heard before. This discussion lead to the interview on pages 17 to 23. This interview which we have further expanded by asking several of our own experts to read and ask their own questions of Ed, begins to thrown some light on the breadth and scope of his ideas.
Gerck's ideas lead to a paradigm change on such fundamental questions as data flow in the internet and the nature of security and trust in computer networking. Having a world view different from the prevailing gestalt often presents problems for everyone involved. We invite readers to ponder his message. We have known of Ed for perhaps almost two years and known him directly for six months. An unusual quality about him is that he is laid back. He is intuitive and skillful in dealing with people. His ideas may succeed precisely because he doesn't push too hard.
We have been a bit gun shy about walking out on the end of a limb on behalf of the ideas of someone who is not yet well known and whose views are so iconoclastic. For the last few weeks we have made some serious efforts to get some sanity checks from people in better positions than we are to judge what he presents. Three very senior people have returned thumbs up. We introduced a forth such person with the strongest technical background of all to Gerck two weeks ago.
When we asked this person how we might describe Gerck in this newsletter he replied: You might describe him as one of those bright people who are so frequently overlooked because he's happier working on hard problems than talking about it all. You might describe him as an Internet Guy who got here "the hard way" -- He's trained as a physicist. He thinks about the world from a perspective of how do you model the stuff you perceive around you in mathematical terms -- and this leads him to different observations than those made by those of us who "grew up" in the Internet and distributed computing in general."
One of the problems facing the Internet, is that we have, sometimes with chewing gum and bailing wire, built it into something on which a very large proportion of our economy is riding. The prevailing opinion in the wake of the DDoS attacks is to call in law enforcement, build the security walls ever higher and hunker down with publicly reassuring words to the effect of don't worry we are in charge here. A careful reading of the technical discussion on pages 2 through 16 of this issue will show the that this position is founded on quicksand. A reading of the Gerck essays and interview will reinforce this conclusion
We contend that the official views issued in the aftermath of the White House meeting of February may be well-intentioned. Nevertheless they are misguided. Without a correct diagnosis of our current problems, we will be unlikely to find solutions. As a result, the Internet's behavior of early February may become more rather than less commonplace.
Essays, pp. 23- 27
We present roughly half of Ed Gerck's Thinking Essay in the belief that readers will begin to understand why we consider it the single best short essay on the topic of information control, DNS Governance and ICANN ever written.
"...there is nothing to be gained by opposing ICANN, because ICANN is just the overseer of problems to which we need a solution.
My point is that there is something basically wrong with the DNS and which precludes a fair solution - as I intend to show in the following text, the DNS design has a single handle of control which becomes its single point of failure. This needs to be overcome with another design, under a more comprehensive principle, but one which must also be backward-compatible with the DNS. [. . . .]
So, the subject is domain names. The subject could also be Internet voting. But I will leave voting aside for a while. In my opinion, the subject, in a broader sense, is information control. If domain names could not be used for information control (as they can now by default under the DNS - see below), I posit that we would not have any problems with domain names.
But, domain names provide even more than mere information control - they provide for a single handle of control. DNS name registration is indeed the single but effective handle for information control in the Internet. No other handle is possible because: (1) there is no distinction in the Internet between information providers and users (e.g., as the radio spectrum is controlled); (2) there is no easily defined provider liability to control the dissemination of information (e.g., as advertisement and trademarks are controlled); (3) there is no user confinement to control information access (e.g., as state or country borders in the Canadian Homolka case), etc.
But, how did we end up in this situation? After all, the Internet was founded under the idea of denying a single point of control - which can be seen also as a single point of failure. The problem is that certain design choices in the evolution of the DNS, made long ago, have made users fully dependent on the DNS for certain critical Internet services. These design choices further strengthened the position of DNS name registration as the single handle of information control in the Internet. And, in the reverse argument, as its single point of failure. [. . . .]
However, without the DNS there is no email service, search engines do not work, and web page links fail. Since email accounts for perhaps 30% of Internet traffic - an old figure, it may be more nowadays - while search engines and links from other sites allow people to find out about web sites in about 85% of the cases (for each type, see http://www.mmgco.com/welcome/ ) I think it is actually an understatement to call the DNS a "handle." The DNS is the very face, hands and feet of the Internet. It is the primary interface for most users - that which people "see". Its importance is compounded by the "inertia" of such a large system to change. Any proposal to change the DNS, or BIND nameservers, or the DNS resolvers in browsers in any substantial way would be impractical.
[. . . .] One of other fallacies in email is to ask the same system you do not trust (DNS, with the in-addr.arpa kludge) to check the name you do not trust (the DNS name), when doing an IP-check on a DNS name. There are more problems and they have just become more acute with the need to stop spam. Now administrators have begun to do a reverse DNS check by default. Under such circumstances you MUST have both DNS and IP.
Further, having witnessed the placing of decisions of network address assignment (IP numbers) together with DNS matters under the ruling of one private policy-setting company (ICANN), we see another example of uniting and making everything depend on what is, by design, separate. The needs of network traffic (IP) are independent of the needs of user services (DNS). They also serve different goals, and different customers. One is a pre-defined address space which can be bulk-assigned and even bulk-owned (you may own the right to use one IP, but not the right to a particular IP), the other is a much larger and open-ended name space which cannot be either bulk-assigned or bulk-owned. They do not belong together - they should not be treated together.
But, there are other examples. In fact, my full study conducted with participation of Einar Stefferud and others has so far catalogued more than forty-one essential problems caused by the current design of the DNS. Thus, a solution to current user wants is not to be reached simply by answering "on what" and "by whom" control is to be exerted, as presently done in all such discussions, without exception - for example, those led by ICANN. In this view, ICANN is not even the problem (as usually depicted by many) but simply the overseer of problems. At least, of 41+ main problems - all of which involve information control.
Thus by realizing both what these 41 and other problems are and the underlying issue of information control in the Internet (which issue is not ignored by governments), the study intended to lay the groundwork to provide for a collaborative solution to information flow in the Internet without the hindrance of these 41+ problems. The study also intends that the possibility of information control will be minimized as a design goal. [. . . .]
Regarding "time" - readers may ask what is the schedule to propose new standards based on what I and my group are working on for domain names? As I see it and as I also comment in regard to the work on advancing standards for Internet voting at the IVTA (where IMO the same principles apply), time is not a trigger for the events needed to get us out of our predicament, but understanding is. Cooperation has its own dynamics and we must allow for things to gel, naturally. We can motivate, we can be proactive but we must not be dominating. We seek collaboration, not domination. Both technically as well as market-wise."
Coherent Effects in Internet Security and Traffic
Here is a paragraph from Gerck's second essay.
"This was not only a DDoS - this was a CDoS. A Coherent Denial of Service attack. The difference is that a distributed but incoherent attack would not have done any major harm. In order to explain how such an attack was possible and why it was effective, one needs to understand first that, normally nothing is coherent in the Internet. All packets travel from source to destination in what may seem to be a random fashion; each host has unsynchronized time - oftentimes, even wrong time zones; and even the path traveled by each packet is also non-deterministic. Thus, achieving the coherent arrival of a stream of packets at one location by sending them from a large number of coordinated locations is a feat.
The COOK Report on Internet Index to 8 years of the COOK Report
431 Greenway Ave, Ewing, NJ 08618 USA http://cookreport.com
(609) 882-2572 (phone & fax) Battle for Cyberspace: How
[email protected] Crucial Technical . . . - 392 pages
just published. See http://cookreport.com/ipbattle.shtml