(This likely needs to be edited. Forgive any poor grammar, punctuation, or lapses in logic …)
If you’ve been paying attention to the tech press, you may have noticed an uptick in stories about DDOS (Distributed Denial of Service) attacks. A DDOS, in a nutshell, is when an attacker sends you more traffic/requests than your server or bandwidth provider can handle. It generally results in your servers going down, or your provider taking you down, for the good of their other customers.
DDOSes are being used as the digital equivalent of the old school shakedown. “Hey, I wouldn’t want anything bad to happen to your site. so you should, you know, pay me to make sure nothing untoward were to happen.”
In the physical world, shakedowns are less common (I think … I don’t have hard facts for that) than they were in the old days. The risk is greater to the extorter. The person or business being extorted generally has technology available to capture the extortion, our law enforcement and courts don’t look kindly on them, and since you have to physically be present to commit the extortion, it’s a lot easier to catch someone in the act.
(I’m not claiming extortion and shakedowns don’t happen any more. I just think they’re probably less common—in the US—than they used to be.)
That’s not true on the internet. With cheaply available botnets, ISPs turning a blind eye in favor of the marginal dollars, and the global internet meaning there are countries into which law enforcement cannot easily reach, the internet has become a goldmine for extortion.
There is a solution to this. It comes in two parts, and both of those parts will cost large internet providers money. But, like the music industry with MP3s, these ISPs are going to have to embrace the new cost of doing business, or they’ll slowly watch their systems turn into a barren ghetto where no true businesses will want their servers.
Step 1 of the solution is an ISP crackdown. The vast majority of the computers used in attacks are compromised PCs (often in China, where they’re using a pirated or hacked version of Windows). ISPs need to drop or throttle service the moment someone’s computer shows the signs of being used in an attack. This will hurt ISPs. They will get more support calls, deal with angry customers, and have to help customers get cleaned up. But, if they don’t do it, they’re going to run the risk of getting blocked by other service providers. If your ISP is a constant source of outbound attacks, other providers will drop your packets, and then you’ll have lots of angry customers calling to find out why they can’t get to netflix.com or espn.com.
Beyond just normal ISPs, VPN/Colo/Dedi/cloud providers need to crack down on their customers. The biggest spam networks in the world are all server providers who aren’t cracking down on their outbound traffic—because it makes them money. It’s not just spam though, these same servers and networks are often used for DNS or SNMP attacks. Like home ISPs, network providers should simply start dropping traffic coming from these providers until they clean up their acts. Nothing will speak louder here than money.
There’s a downside of this tactic: internet users in places like China, where the internet is one of the few tools citizens have to fight for democracy, are going to be disproportionately impacted. But, while I’m not a free marketer, this is a place where the free market could win. If a good ISP in China or Africa or some other impacted area were to provide a well regulated internet (not from a content perspsective, but from an outbound attack perspective), they wouldn’t be blocked, an customers would flock to them as the only provider who could see Twitter or YouTube.
Step 2 is for transit providers (the folks providing bandwidth to your favorite site on the internet, in essence) should stop looking at DDOS mitigation as a profit center and start looking at it as a cost of doing business. If a provider is simply charging customers for DDOS mitigation, or worse, not offering it at all, they are rapidly going to be at a competitive disadvantage. Small businesses, especially nascent small businesses or aspirational small businesses, cannot afford to pay for a big DDOS mitigation solution. Some provider is going to offer DDOS mitigation as a feature of their service, and they are going to suck up a good bit of the market. Once that happens, transit providers will have to offer a minimum level of mitigation service as part of their services.
There is one last thing that has to happen to make these digital shakedowns a thing of the past (or at least closer to a thing of the past). Someone is going to need to go to jail. It might end up being this 17 year old kid. And, honestly, it should be. He caused a huge disruption to the internet, potentially disrupted a significant amount of ecommerce, and wasted like many many days of work. It’ll only take a few examples before people realize there’s a much bigger risk in DDOSing someone.
And then we’ll be able to move digital shakedowns into the same category as physical shakedowns. Something from the “good old days.”