[27652] in North American Network Operators' Group


April 2000 COOK Report published on DDoS and Ideas of E. Gerck

daemon@ATHENA.MIT.EDU (Gordon Cook)
Sun Mar 5 20:44:12 2000

Mime-Version: 1.0
Message-Id: <v04210109b4e8bc99b6cb@[192.168.0.1]>
Date: Sun, 5 Mar 2000 20:38:39 -0500
To: nanog@merit.edu
From: Gordon Cook <cook@cookreport.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Errors-To: owner-nanog-outgoing@merit.edu


[since I haven't published a message here in about 3 years]


Understanding Distributed Denial of Service pp. 1 - 16

During the second week of February the largest, and most diverse 
denial of service attacks in the history of the Internet caught 
several of the most important commercial web sites off guard and 
exposed what was previously a largely unsuspected operational 
vulnerability that affects the entire commercial Internet. --  Just 
as after Reagan was shot Al Haig stepped forward to say 'don't worry, 
we're in charge here,' we contend that Gene Spafford's February 19th 
summation of the White House meeting provides a soothing but 
superficial explanation of what is really a far more subtle and 
difficult structural weakness. This weakness is apparently inherent 
in the basic structure of the Internet and cannot be "enforced" out 
of existence.  We present in narrative form the NANOG and IETF 
technical discussions that resulted from the attacks.  The discussion 
demonstrates that Internet backbone engineers are by no means agreed 
on precisely what happened or on how to deal with it.

On February 9, Lauren Weinstein, partner to Peter G. Neumann of the 
Risks mail list and co-sponsor with Neumann of People for Internet 
Responsibility, had the following observation. "It seems apparent that 
the rush to move all manner of important or even critical commercial, 
medical, government, and other applications onto the Internet and Web 
has far outstripped the underlying reality of the existing Internet 
infrastructure.  Compared with the overall robustness of the U.S. 
telephone system, the Internet is a second-class citizen when it 
comes to these kinds of vulnerabilities. Nor will simply throwing 
money at the Internet necessarily do much good in this regard. More 
bandwidth, additional servers, and faster routers--they'd still be 
open to sophisticated (and even not so sophisticated) attacks which 
could be triggered from one PC anywhere in the world. In the long 
run, major alterations will be needed in the fundamental structure of 
the Internet to even begin to get a handle on these sorts of 
problems, and a practical path to that goal still remains fuzzy at 
this time."

Ed Gerck's Ideas pp. 17-22, 30

Part Two of this issue contains an interview with Ed Gerck as well as 
two essays by him. He is co-founder of the Meta Certificate Group, 
http://mcg.org.br, CEO of Safevote, Inc. and Chairman of the IVTA. 
We suggest that his ideas form the basis for a fresh and compelling 
analysis of what we may really be dealing with.  We conclude that 
there is a possibility that the fundamental nature of the attacks may 
have been completely misunderstood.  We also contend that Gerck's 
theories, published here for the first time, may provide an entirely 
different mathematical basis for understanding the Internet as a 
quantum information structure possessing significantly different 
capabilities and potentials than could be extrapolated from our 
current understanding. Although this is quite a statement to make, 
his ideas have reached enough people so that it is likely that 
research will be rapidly undertaken to ascertain if his own 
experimental results dating from 1998 are verifiable and 
reproducible. Gerck's ideas involve the foundation of an entirely new 
calculus for the operation of the Internet.

Gerck asserts that the major reason the attacks were so successful is 
that the packets arrived at the target servers with a high degree of 
coherency - that is to say at almost the same instant.  He points out 
that the technical functionality of the Internet mitigates against 
the coherent arrival of large numbers of packets at a specific target 
and thus a ten fold spike in incoming bandwidth would be very 
unlikely unless other unusual mechanisms are also at play.

How then could the observed effects of the arrival of very large 
numbers of packets have happened?  He explains how his work in the 
quantum mechanics of lasers in the early 1980s gave him a hypothesis 
that he successfully tested in a university environment in 1998. 
Namely he suggests that the number of entities in the Internet has 
reached a critical mass where a single event such as a packet sent to 
a trin00 network, can result in an avalanche of coherent data 
amplification.  The result is similar to the coherent amplification 
process that sets off the sudden flash of a laser. Under such 
conditions he posits that when this occurs, it creates conditions 
where packets can provide for a much different behavior as they reach 
a target. Gerck suggests that such events trigger a kind of quantum 
behavior, which however always exists but which then becomes visible 
at the user observed level and strongly contrasts with the classical 
behavior that it has replaced.

Gerck's ideas represent a paradigmatic shift in the evaluation of the 
scope, function and behavior of the Internet. One of the problems of 
communications involved is that to those stuck in the old paradigm, 
messages defining the new are often unintelligible. For many people 
his ideas will be quite jarring.

For example, his ideas reach to the root of what we call data. He 
suggests that data be thought of in terms of a natural quantity and 
as something that can be modeled with absorption, spontaneous 
emission and stimulated emission processes -- the last being a 
behavior associated with quantum systems. He finds that under certain 
conditions, stimulated data emission can win out over spontaneous 
data emission. This will happen when a minimum threshold of affected 
systems is disturbed by what may be a hacker attack, or the 
interaction of a virus with multiple systems or even by the 
unexpected appearance of a bug in operating software that everyone 
assumes to be stable. His findings lead to the conclusion that such 
perturbations, resulting in web site and or network congestion, will 
happen with increasing frequency. Of course if he is right, when they 
do happen the next time, they may have absolutely nothing to do with 
hackers.

After compiling the technical discussion from NANOG and IETF, it 
seems to us that the emphasis on traditional security measures is 
rather futile.  The Internet is too large with too many machines 
under too many levels of control for traditional security measures of 
confinement of people and machines to be effective.

Gerck has some very interesting ideas about constructing mechanisms 
where two parties which are not known to each other may use a third 
neutral environment in which to securely negotiate conditions of 
trusted operation.  He seems to have an uncanny sense of political 
power and psychology and how to reflect this in technical situations 
to build trust between parties that have no common grounds for 
negotiation.

As recently as a week ago we intended to publish only his two essays. 
However when we called him on the 25th of February to ask for answers 
to questions about the second essay on coherency, we found ourselves 
in the midst of a far ranging discussion that opened up some of his 
ideas of the physics of data and mechanics of trust that we had not 
heard before.  This discussion led to the interview on pages 17 to 
23.  This interview, which we have further expanded by asking several 
of our own experts to read and ask their own questions of Ed, begins 
to throw some light on the breadth and scope of his ideas.

Gerck's ideas lead to a paradigm change on such fundamental questions 
as data flow in the internet and the nature of security and trust in 
computer networking. Having a world view different from the 
prevailing gestalt often presents problems for everyone involved. We 
invite readers to ponder his message. We have known of Ed for perhaps 
almost two years and known him directly for six months. An unusual 
quality about him is that he is laid back. He is intuitive and 
skillful in dealing with people.  His ideas may succeed precisely 
because he doesn't push too hard.

We have been a bit gun shy about walking out on the end of a limb on 
behalf of the ideas of someone who is not yet well known and whose 
views are so iconoclastic.  For the last few weeks we have made some 
serious efforts to get some sanity checks from people in better 
positions than we are to judge what he presents.  Three very senior 
people have returned thumbs up.  We introduced a fourth such person, 
with the strongest technical background of all, to Gerck two weeks ago.

When we asked this person how we might describe Gerck in this 
newsletter he replied:  "You might describe him as one of those bright 
people who are so frequently overlooked because he's happier working 
on hard problems than talking about it all. You might describe him as 
an Internet Guy who got here "the hard way" -- He's trained as a 
physicist. He thinks about the world from a perspective of how do you 
model the stuff you perceive around you in mathematical terms -- and 
this leads him to different observations than those made by those of 
us who "grew up" in the Internet and distributed computing in 
general."

One of the problems facing the Internet is that we have, sometimes 
with chewing gum and baling wire, built it into something on which a 
very large proportion of our economy is riding. The prevailing 
opinion in the wake of the DDoS attacks is to call in law 
enforcement, build the security walls ever higher and hunker down 
with publicly reassuring words to the effect of don't worry we are in 
charge here. A careful reading of the technical discussion on pages 2 
through 16 of this issue will show that this position is founded 
on quicksand.  A reading of the Gerck essays and interview will 
reinforce this conclusion.

We contend that the official views issued in the aftermath of the 
White House meeting of February may be well-intentioned. 
Nevertheless they are misguided. Without a correct diagnosis of our 
current problems, we will be unlikely to find solutions.  As a 
result, the Internet's behavior of early February may become more 
rather than less commonplace.

Essays, pp. 23-27

Thinking

We present roughly half of Ed Gerck's Thinking Essay in the belief 
that readers will begin to understand why we consider it the single 
best short essay on the topic of information control, DNS Governance 
and ICANN ever written.

"...there is nothing to be gained by opposing ICANN, because ICANN is 
just the overseer of problems to which we need a solution.

My point is that there is something basically wrong with the DNS and 
which precludes a fair solution - as I intend to show in the 
following text, the DNS design has a single handle of control which 
becomes its single point of failure. This needs to be overcome with 
another design, under a more comprehensive principle, but one which 
must also be backward-compatible with the DNS. [. . . .]

So, the subject is domain names.  The subject could also be Internet 
voting. But I will leave voting aside for a while. In my opinion, the 
subject, in a broader sense, is information control. If domain names 
could not be used for information control (as they can now by default 
under the DNS - see below), I posit that we would not have any 
problems with domain names.

But, domain names provide even more than mere information control - 
they provide for a single handle of control. DNS name registration is 
indeed the single but effective handle for information control in the 
Internet. No other handle is possible because: (1) there is no 
distinction in the Internet between information providers and users 
(e.g., as the radio spectrum is controlled); (2) there is no easily 
defined provider liability to control the dissemination of 
information (e.g., as advertisement and trademarks are controlled); 
(3) there is no user confinement to control information access (e.g., 
as state or country borders in the Canadian Homolka case), etc.

But, how did we end up in this situation? After all, the Internet was 
founded under the idea of denying a single point of control - which 
can be seen also as a single point of failure. The problem is that 
certain design choices in the evolution of the DNS, made long ago, 
have made users fully dependent on the DNS for certain critical 
Internet services.  These design choices further strengthened the 
position of DNS name registration as the single handle of information 
control in the Internet. And, in the reverse argument, as its single 
point of failure.  [. . . .]

However, without the DNS there is no email service, search engines do 
not work, and web page links fail. Since email accounts for perhaps 
30% of Internet traffic - an old figure, it may be more nowadays - 
while search engines and links from other sites allow people to find 
out about web sites in about 85% of the cases (for each type, see 
http://www.mmgco.com/welcome/ ) I think it is actually an 
understatement to call the DNS a "handle."  The DNS is the very face, 
hands and feet of the Internet. It is the primary interface for most 
users - that which people "see". Its importance is compounded by the 
"inertia" of such a large system to change. Any proposal to change 
the DNS, or BIND nameservers, or the DNS resolvers in browsers in any 
substantial way would be impractical.

[. . . .] One of the other fallacies in email is to ask the same system 
you do not trust (DNS, with the in-addr.arpa kludge) to check the 
name you do not trust (the DNS name), when doing an IP-check on a DNS 
name. There are more problems and they have just become more acute 
with the need to stop spam. Now administrators have begun to do a 
reverse DNS check by default.  Under such circumstances you MUST have 
both DNS and IP.

Further, having witnessed the placing of decisions of network address 
assignment (IP numbers) together with DNS matters under the ruling of 
one private policy-setting company (ICANN), we see another example of 
uniting and making everything depend on what is, by design, separate. 
The needs of network traffic (IP) are independent of the needs of 
user services (DNS). They also serve different goals, and different 
customers. One is a pre-defined address space which can be 
bulk-assigned and even bulk-owned (you may own the right to use one 
IP, but not the right to a particular IP), the other is a much larger 
and open-ended name space which cannot be either bulk-assigned or 
bulk-owned. They do not belong together - they should not be treated 
together.

But, there are other examples. In fact, my full study conducted with 
participation of Einar Stefferud and others has so far catalogued 
more than forty-one essential problems caused by the current design 
of the DNS. Thus, a solution to current user wants is not to be 
reached simply by answering "on what" and "by whom" control is to be 
exerted, as presently done in all such discussions, without exception 
- for example, those led by ICANN. In this view, ICANN is not even 
the problem (as usually depicted by many) but simply the overseer of 
problems. At least, of 41+ main problems - all of which involve 
information control.

Thus by realizing both what these 41 and other problems are and the 
underlying issue of information control in the Internet (which issue 
is not ignored by governments), the study intended to lay the 
groundwork to provide for a collaborative solution to information 
flow in the Internet without the hindrance of these 41+ problems. The 
study also intends that the possibility of information control will 
be minimized as a design goal.   [. . . .]

Regarding "time" - readers may ask what is the schedule to propose 
new standards based on what I and my group are working on for domain 
names? As I see it and as I also comment in regard to the work on 
advancing standards for Internet voting at the IVTA (where IMO the 
same principles apply), time is not a trigger for the events needed 
to get us out of our predicament, but understanding is. Cooperation 
has its own dynamics and we must allow for things to gel, naturally. 
We can motivate, we can be proactive but we must not be dominating. 
We seek collaboration, not domination. Both technically as well as 
market-wise."

Coherent Effects in Internet Security and Traffic

Here is a paragraph from Gerck's second essay.

"This was not only a DDoS - this was a CDoS. A Coherent Denial of 
Service attack. The difference is that a distributed but incoherent 
attack would not have done any major harm. In order to explain how 
such an attack was possible and why it was effective, one needs to 
understand first that, normally nothing is coherent in the Internet. 
All packets travel from source to destination in what may seem to be 
a random fashion; each host has unsynchronized time - oftentimes, 
even wrong time zones; and even the path traveled by each packet is 
also non-deterministic. Thus, achieving the coherent arrival of a 
stream of packets at one location by sending them from a large number 
of coordinated locations is a feat."

****************************************************************
The COOK Report on Internet
431 Greenway Ave, Ewing, NJ 08618 USA  http://cookreport.com
(609) 882-2572 (phone & fax)
cook@cookreport.com
Index to 8 years of the COOK Report
Battle for Cyberspace: How Crucial Technical . . . - 392 pages,
just published. See  http://cookreport.com/ipbattle.shtml
****************************************************************
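The reverse-DNS passage in Gerck's Thinking essay above points at a check that mail administrators were starting to make by default in 2000: look up the PTR record for a connecting IP and trust the name it returns. The weakness he names (asking the system you do not trust to vouch for the name you do not trust) is exactly what forward-confirmed reverse DNS is meant to close: after the PTR lookup, resolve the returned name forward and require that it point back at the same address, so that the operator of the in-addr.arpa zone alone cannot assert an arbitrary name. The following is an added example written for this page, not code from the COOK Report or from Gerck. It uses constructed in-memory PTR and A tables (documentation-range addresses, made-up names) in place of live DNS so that it runs offline; the function and table names are this example's own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) against constructed zone data.

Added example; not from the COOK Report or from Ed Gerck.  A PTR lookup
alone returns whatever the operator of that address's in-addr.arpa zone
chose to publish.  A second, forward lookup of the returned name checks
that the name's own zone actually points back at the address.
"""
from __future__ import annotations

from typing import Callable, Mapping, Sequence

# Constructed sample data standing in for in-addr.arpa (PTR_TABLE) and the
# forward zones (A_TABLE).  Addresses are from the documentation ranges.
PTR_TABLE: Mapping[str, Sequence[str]] = {
    # Honest host: reverse and forward agree.
    "192.0.2.10": ["mail.example.com."],
    # Whoever runs 100.51.198.in-addr.arpa published a name they do not
    # control; example.com's forward zone never points back here.
    "198.51.100.7": ["mail.example.com."],
    # Two PTR names, only one of which is forward-confirmed.
    "192.0.2.20": ["bogus.example.net.", "relay.example.org."],
    # No reverse record at all.
    "203.0.113.5": [],
}
A_TABLE: Mapping[str, Sequence[str]] = {
    "mail.example.com.": ["192.0.2.10"],
    "relay.example.org.": ["192.0.2.20", "192.0.2.21"],
    "bogus.example.net.": ["203.0.113.9"],
}


def to_inaddr_arpa(ip: str) -> str:
    """Build the in-addr.arpa owner name that a PTR query for ip would use."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def lookup_ptr(ip: str) -> list[str]:
    """Reverse lookup against the constructed table (real code would query DNS)."""
    return list(PTR_TABLE.get(ip, []))


def lookup_a(name: str) -> list[str]:
    """Forward lookup against the constructed table (real code would query DNS)."""
    return list(A_TABLE.get(name, []))


def fcrdns(
    ip: str,
    ptr_lookup: Callable[[str], Sequence[str]] = lookup_ptr,
    a_lookup: Callable[[str], Sequence[str]] = lookup_a,
) -> tuple[str, str | None]:
    """Return (verdict, confirmed_name).

    "pass"            some PTR name forward-resolves back to ip
    "ptr_unconfirmed" PTR names exist but none forward-resolves to ip
    "no_ptr"          no PTR record for ip
    Only "pass" yields a name worth logging or trusting.
    """
    to_inaddr_arpa(ip)  # reject malformed input before any lookup
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr", None
    for name in names:
        # The forward zone for `name` is run by the name's owner, not by the
        # in-addr.arpa operator, so agreement here binds name and address.
        if ip in a_lookup(name):
            return "pass", name
    return "ptr_unconfirmed", None


if __name__ == "__main__":
    for addr in PTR_TABLE:
        verdict, name = fcrdns(addr)
        print(f"{addr:15} {to_inaddr_arpa(addr):32} {verdict:16} {name or '-'}")
```

The 198.51.100.7 row is the case Gerck's remark is about: a reverse-only check would accept "mail.example.com." for that address, while the forward confirmation rejects it. In production the two lookup callables would wrap a resolver, and the check still depends on DNS being answered honestly end to end; it removes one party's ability to lie, not the dependence on DNS itself.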

