>> brian: welcome to the ama conference center in new york city and, for those following us online, my name is brian cute. i am the ceo of public interest registry. public interest registry, or pir, is the operator of the dot org top-level domain on the internet. we, along with new york tech, a new york city based technology industry association, and the internet society, new york chapter, want to welcome you to today's event, mitigating ddos attacks: best practices for an evolving threat landscape. for those of you online, today's event is being webcast on the isoc live stream channel
and on that channel you can also post questions. we welcome questions from our online audience to bring into the q&a session today. you can also follow the event at the hashtag ddos. and with that, let me introduce today's session, mitigating ddos attacks: best practices for an evolving threat landscape. distributed denial of service attacks are deliberate attempts to make internet-connected machines or network resources unavailable to their intended users by temporarily or indefinitely interrupting or suspending dns service. unfortunately ddos attacks are an all-too-common reality across today's internet landscape.
examples abound. most recently, large-scale attacks have been directed at major u.s. banks since september of 2012. online service providers and corporations around the world are often targeted. ddos attacks have been directed against government websites, and it's quite possible that some attacks were at least condoned by governments. whether a ddos attack is motivated by criminal intent, like cyber extortion, or is executed as an extreme form of free expression, the resulting service interruptions can have wide-ranging effects. today's program will explore the motives behind and targets of ddos attacks.
we will address ways attacks are carried out, as well as mitigation techniques and the importance of collaboration. we will also explore the risks of unintended consequences related to ddos attacks. now before i introduce our esteemed panelists, i wanted to note that pir recently conducted a survey in the united states to test the public's awareness of ddos attacks, this very important and growing problem on the internet. among the results, we found that 85% of the respondents did not know what a ddos attack was.
when asked, what would you do if you were made aware that ddos attacks were taking place? among the very revealing responses were, "call the geek squad," which is a technical service organization that comes to fix your home computer, "call my spouse," or "go to google." and while we're very happy to have a google representative here on the panel today, i think these answers reveal the depth and breadth of misunderstanding and lack of awareness about this very important problem in the public. so today we're going to try to begin to chip away and provide some awareness about the important problem of ddos attacks
and how we collectively can address them effectively. so with that, let me get on to the introduction of today's panelists. today's panelists represent a variety of organizations that operate at various points in the internet ecosystem. their wealth of experiences and insights from industry, government, and civil society perspectives should help us better understand the challenges of ddos attacks and identify mitigation practices. first, at the far end, we have mr. jeff greene. jeff serves as senior policy counsel at symantec.
jeff focuses on cyber security, identity management, and privacy issues and works extensively with industry and government organizations. prior to joining symantec, jeff was a senior staffer on both the u.s. senate and house homeland security committees, and before that was an attorney with a washington d.c. law firm. next we have ram mohan. ram is the executive vice president and chief technology officer at afilias limited. ram oversees key strategic management and technology choices for the dublin, ireland based provider of internet infrastructure services.
ram also serves as a director and key advisor to the internet corporation for assigned names and numbers, or icann, the internet society, and the anti-phishing working group. next, we have dr. damian menscher. damian is a security engineer at google where he leads the ddos defense team. damian uses his front-line experience defending against today's largest attacks to design defenses that will automatically mitigate future attacks. he also reduces botnet sizes by directly informing users of infections on their machines through targeted messaging on google. previously, damian gained experience
in large-scale data analysis while completing his phd in computational particle physics. i could barely say that. next is miguel ramos. miguel is senior product manager at neustar inc, responsible for neustar siteprotect, a leading cloud-based ddos mitigation service. mr. ramos has extensive experience in product management, marketing and technology. previously miguel was a product manager in charge of hosting and email product lines at network solutions, a leading domain registrar and online services provider. we were also to have wout de natris from the netherlands.
unfortunately wout is here in new york but came down with a sudden illness, food poisoning. we regret deeply that he's not here with us today. he was very eager to be here with you and we wish him a swift recovery. next on the panel is danny mcpherson. danny is the chief security officer for verisign, the trusted provider of key internet infrastructure services including two of the root servers, and the dot com and dot net name spaces. danny is responsible for strategic direction, research and innovation in infrastructure and information security.
he currently serves on the internet architecture board, icann's security and stability advisory council, the fcc's communications security, reliability and interoperability council and several other industry forums. and finally, on the near end, we have ms. jillian york. jillian is the director for international freedom of expression at the electronic frontier foundation, where she specializes in free speech issues and the effects of corporate intermediaries on freedom of expression and anonymity, as well as the disruptive power of global, online activism. prior to joining eff, jillian spent 3 years at harvard university's berkman center for internet
and society, where she worked on several projects including the open net initiative. thank you all for coming, we appreciate your time. now the way we're going to structure today's event and discussion is that i will do a first round of introductory remarks from each of the panelists. we'll keep it brief and we're basically going to try to set the stage, the background on ddos attacks. now before i get there, i just want to offer a little reaction from the common man. "i've been in the industry myself for 10 years. i have a familiarity with ddos attacks and internet infrastructure,
but in approaching this event and preparing for it, i went online and pretended to be an average guy from columbus, ohio. what would i find if i'm trying to educate myself online about this serious problem? and in doing that, what jumped out to me is an issue of nomenclature, an issue of language, an issue of understanding, potentially barriers to understanding and awareness." so i'm going to ask jeff greene to start painting the picture of what ddos attacks are, and while we have a number of brilliant engineers on this panel, let me suggest that when one goes online as the average guy from columbus, ohio, he runs into things such as dos, ddos, drdos, smurf attacks, syn floods, ping of death,
attacks that are perpetrated by trojans and zombies, attacks that are combated through techniques like black-holing, sink-holing, and intrusion protection. our job today is to utilize the expertise of these brilliant folks on our panel to help translate all of these very intimidating words around attacks on the internet so that we can raise the awareness for the public. so, jeff, if you wouldn't mind kicking this off for us.
>> jeff: sure, thanks again for having me and thanks for including me with such a great group of folks up here. i thought i'd give a little background on what are some trends we're seeing at symantec
in ddos attacks, motivations also, and hopefully set the table for the conversation. the first thing i would start by saying is, when you're thinking about a ddos attack, don't conceptualize it as a single event or a siloed activity. you really need to think about it as potentially part of a larger effort directed at you or directed at an entity or organization. it can still be a one-off but more often nowadays, it is not. in terms of motives, they can run the gamut: it can be harassment, political, it could be mischief, you know there's probably still some 15-year-old hackers in the basement somewhere. it could be someone, you know, annoyed,
frustrated with a particular company or entity and going after them. it really runs anything. it could be extortion, simple "pay me" type activity, or, more common now, what we're seeing more of is what we're calling multi-flank attacks, and transitioning to talk about some of the trends, we'll start there. if you folks saw, i think it was in october, defense secretary panetta was talking about cyber security and one of the things he mentioned were these flank attacks, and ddos is certainly a part of them and has become less of a blunt-force attack to more of a sophisticated diversionary attack; i should say it can be.
the goal, basically, being drawing attention and resources away from standard security to focus on this response and leaving perhaps yourself open to other activity. one example that we talked about at a conference earlier this year, ddos was a big part of it but the ddos attack happened actually at the end of the activity. this particular effort was directed at mid-sized banks. it began with spear-phishing and other efforts to compromise some it administrators at the bank. once that is successful, the bad guys will then spend their time figuring out what they need and what they want, and it was at this point that the ddos attack was launched in one
of the cases that our folks talked about. it was done on a friday afternoon when staffing was light, naturally resources were directed at responding to the denial of service attack, which then left other activities perhaps unmonitored, and that's when the criminal enterprise or individual actually began the more sophisticated attack and actually traded a lot of information that allowed them to clone atm debit and credit cards. there were press reports about one bank having lost 9 million dollars over the next 48 hours. so again, the ddos was a big part of it because it had really facilitated the ability to conduct a larger crime.
another trend we're seeing is crowdsourcing of ddos attacks. you may be familiar with operation payback, which is something that anonymous was behind. it initially started as a response to some anti-piracy efforts and worked into a response when wikileaks became very press-worthy, in terms of some companies responding to wikileaks. so social networking facilitates the crowdsourcing essentially: why do you need to go build up or acquire your own botnet to engage in an attack when you could get 100 or 1,000 like-minded friends who will happily do that, thinking that they're doing something for the greater good.
and i would also suggest that the criminal enterprises are fully aware of this, and why should they expose themselves or spend their resources if they can gin up some real or imagined affront by a company they're trying to penetrate and get people to unwittingly support their efforts. another trend is application layer attacks. more sophisticated, generally you get more bang for your buck, you can have more impact with less resources. it takes a little more work, but it is something that you will see more of, we suspect, going forward.
two more things. one, insider threat, not strictly ddos but it certainly can be a part of it. what we're seeing generally with intrusions is an increasing number of compromised insiders. again, often through use of social media; social media is wonderful. so it allows folks to figure out just how to get at someone, and a compromised insider facilitates the effort and again, often the ddos is part of the culmination of it there. finally i would say it's getting easier than ever. there are attack kits, there's malware out there that you can buy, optimized for ddos attacks.
as with all the attack kits out there, they're becoming much easier for less sophisticated users. you don't have to have a lot of coding expertise to get some of these up and running and have yourself an ongoing criminal enterprise. so, circling back to where i began, i would say that, you know, we're here talking about ddos attacks but i think it's important in this conversation not to put it in a box and isolate it from other malicious activities that are going on and other vulnerabilities and intrusions, because the bad guys don't think about it that way, so we really, as we're talking about responding to it, make sure that we don't do the same.
>> brian: thank you jeff. so in listening i'm hearing that i have more things to be concerned about, more things to be afraid of, something called spear-phishing, i'm not sure what that is. that this is a broader attack profile against the internet, that there's numerous points of attack and it's perhaps a simple attack that is designed to provide misdirection so a secondary attack can happen. so clearly, this is a troubling landscape that i'm trying to sort through. ram, as afilias, registry operator on the internet, you provide technical services for dot org on the internet and other top-level domains.
from the registry operator's perspective, what is the scope of this problem?
>> ram: thank you brian and thanks for having me here. i guess the very first thing is, if you're a registry operator, really what you're doing is you're providing a targeted answer for where the domain names are on the internet. you're a kind of directory, to a large extent, and that's the biggest job that you do as a registry: you get information from people who want to buy domain names or who want to get a website going. you get information from them, store it into a large database,
and the biggest thing you do is propagate it instantaneously everywhere around the world. and what that means is that your browser, typing in redcross.org when it's sitting here, or on your mobile phone, typing in redcross.org when you're perhaps in another part of the world, they all translate to get to the actual red cross site, and that translation is done by the registry, by the directory. so that makes it a really interesting place to attack because after all if you can compromise or if you can take down the authoritative directory for every dot org domain name in the world, there are more than 10 million dot org domain names. there are more than 10 million dot org websites in the world.
if you can take down the provider who is giving the information that says to every computer in the world, hey, for a given dot org, which computer should i go to? where should i go to? if you can take them down, that's not only a coup, but that also is a global event. it gets you noticed, there are many motivations but that's certainly one of them, right? and that makes the dot org registry, a [inaudible] of what we run, a regular target. up on the screen you see, this is some data from earlier in the year, gives you an idea of the scaling, the kinds of attacks that come through. so that's 2012, february, and from 2012 february to 2012 june, this is the number of queries,
the number of requests coming into the servers that we run worldwide asking for information about a dot org domain name, right. and much of this comes from ddos. so, the foundation for ddos is very simple, right? it's a denial of service, so all these computers around the world do it, they send a request in to our server saying hey, tell me where a particular dot org domain name is. and before you even respond they're gone and they come back again and they say tell me where. and they do this hundreds of millions of times in, it used to be a very short timeframe, but as you can see here, it's an extended timeframe. now what we saw earlier in the year was in the space of just a few months,
february through to june, we had a 3x increase, a 3 times increase, in the total volume coming in in just 4 months' time. but, if you look further, if you look in the next screen, that's not the real story. that 3x increase that i showed you earlier, so that was up to 2012 june, but look at what happened from there through to september. that was a 9x increase in total volume coming through to the dot org systems. in total, from february through to september, that was an 18 times increase in volume. now the data is interesting. the real-life importance of this is, as a registry provider, if you're not provisioned
and if you don't have the measures to boot the [inaudible] attacks are coming and then be able to take appropriate countermeasures when such attacks are coming, you could just go down, and going down means that every single dot org website in the world, dot org email address, okay, every single thing that depends on dot org, sooner or later is not accessible on the internet. and it's not happened so far, but the gap between what you provision, and what the scale of attacks is, and who is attacking you, it's a continuous cat and mouse game. the other thing that i wanted you to know about is where the ddos is coming from:
it's often coming from your pc that is just on at home, connected to your broadband connection. just sitting there, and you probably don't even know it. if you have a good isp, if you have a good internet provider, they probably have ways to track it, and many of the internet providers these days are putting in measures to understand whether there's a ddos attack, so whether you're part of a botnet. but when we say a zombie, that's really what it is. your computer, your computing device somewhere connected online, has been taken over, and you don't know it, but it's now part of a global group of computers that can be harnessed to attack any given target at a moment's notice.
and that is pretty scary. it's a pretty impressive feat of engineering, but it's scary because pulling together 5 million of these is no big deal. pulling together 40 million of these takes some effort but it's doable. and if you have 40 million computers that are just sending a little ping every so many milliseconds, asking for information and then just going away, that becomes a massive problem and something that you really have to work hard to mitigate before it overwhelms you, because if it becomes a tsunami, it's very hard to overcome.
>> brian: thank you ram, and thank you for giving pictures, pictures are worth a million words,
and giving us a sense of the scope of the problem, and also in your comments, connecting this to the "why should i care" question as an individual. if all the dot org sites in the world go down, the organizations who have that website up, whether they're an ngo or not-for-profit trying to do good in their mission, or whether it's an individual or a company in a dot com, having their commercial activities interrupted, that's a very serious impact. so as we move through the discussion, connecting the dots to "why should i care", the individual at home, and also the interesting thing is that i might be an unwitting participant in an attack, my machine on my desk at home,
and be completely unaware of this. i think we're starting to get to those issues of "why i should care". so next, let's get to, i think, dr. damian menscher. so we've heard from a registry operator, now from an online service provider, in this case google, the leading search engine. damian, with google's breadth and depth of technology and reach, this certainly can't be that big of a concern for a company the size of google, right? tell me why i'm wrong.
>> damian: right, because we have a team of people that worries about this stuff.
so, most people don't realize that google is actually regularly attacked. the reason is, you'd sort of wonder why would anyone have anything against google? well it turns out we actually host a lot of user content, so blogspot includes random user content from people all over the world. sometimes that's controversial. similarly youtube might have a controversial video on it, and so frequently these sorts of sites do get attacked. and it's not just dns as previously mentioned, it's, you know, we see application layer attacks where they'll fetch the same homepage over and over again at very high rates,
you know, upwards of maybe a million times a second. so, you've also probably noticed that we're never actually down, so if you want to talk about how we do that, if you go to the first slide. so we benefit a lot from economy of scale. when you look at most small websites, there might be a thousand websites hosted on a single machine because they don't get very much traffic. we sort of turned that around and we might have a thousand machines hosting one website. you know google.com is a big website, it doesn't fit on a single machine. so we do benefit a lot from the economy of scale
and pooling our defense resources across our various properties. but, go to the next slide, you have to be a little bit careful about this: if you put everything together, you also have some risk. so, i wanted to talk briefly about how we deal with this, and this also is, as jeff had mentioned, we have to be careful that we don't distract our security team when there is a dos attack. if we have one team that focuses on all of security, then when there's a dos attack we might be looking at that and miss other things. so, what we do actually is, go on, we have layered defenses.
so we have a separate team that focuses on dos attacks so that when there's an attack we don't lose sight of the other attacks that are happening against us every day. and, basically we focus on having layered defenses, so; this is a very rough sketch of what our network might look like. we don't see the internet necessarily as a single cloud. we see it as multiple clouds because we peer directly with several major isps. we go through a layer of load balancing at our network, so if any particular network device gets overloaded, we can work around that.
then we go through a layer of load balancing within our own network to eventually get to the backends that are the webservers, serving the actual content. and so by doing this, we're able to shift traffic around to avoid any damage from the attack traffic. we also have many layers at which we can filter out the bad traffic, so at the very edge of our network we might be able to filter out some of the more obvious attacks, but as you get deeper in, or for more sophisticated attacks, we filter them at other places. another thing i want to mention though is, this style works really well for a very large company like google, but most of you are probably more interested in how to defend the small site,
and the best advice i have there is that the user comment of going to google might actually make sense: if they host their site on google, they automatically benefit from our defenses. they won't even know they're being attacked. and we frequently do see cases of organizations that are under a heavy dos attack and they just quickly set up a site on blogger saying, "hey, we're being attacked. we're going to use this for our communication for now." that's actually, at one point, the country of georgia had their ministry of foreign affairs host their site on blogger, which was entertaining for me to see, like oh,
what are we going to see as a result of this? but the other thing is just making sure that you are pooling your resources with others. in your organization, there are other cloud-based dos mitigation providers that sort of aggregate resources from several different clients and can provide good defenses for you.
>> brian: thank you damian, and love ice. it's terrific.
>> damian: also our pr people would want me to say it's not as weak as eggs, you know, like fortified eggs.
>> brian: boiled eggs.
[laughter] no, terrific, thank you.
>> damian: each layer is very strong.
>> brian: thank you and, you know, fully appreciating your remarks too, one thing that jumped out to me is that i think one of the challenges we all share in this space is that from the user perspective, and i'm going to try to keep bringing us back to the user and the average person at home, is that with this problem there's a low level of awareness, and one of the reasons is because, as very responsible service providers like google and the others on this panel, you've taken on the challenge and objective of staying up and not being taken down by ddos attacks.
you've been successful to date and as such, for users who have their sites on google, the dns is sometimes thought of like electricity, you know, it's just there. my website is up, the internet is up. i only notice it when it goes down. i only become aware there's a problem when there's a problem. so interesting thought, let's keep coming back to that: "why should the individual, why should the user care?" how do we get this on their radar screen in a meaningful way so they can become part of the solution?
so with that thought let's go to miguel. and miguel, we're going to ask you to focus specifically on corporate responses from the perspective of a third-party mitigation service provider.
>> miguel: sure, and thank you brian. i'm going to dovetail on some of the things that damian was saying. a lot of organizations and a lot of people don't understand or know about ddos and don't see an issue until it actually happens to them. and at that point, a lot of organizations are kind of scrambling, trying to figure out what it is that they can potentially do to deal with this issue.
and they most likely go to google to try to determine and try to find an answer. so, a lot of people don't think about this because they assume that their isp or their hoster is actually going to take care of the problem for them. actually, what tends to happen is that when an organization is under heavy ddos attack, the isp and the hoster are looking at protecting their own assets and will most likely just shut you down. and so they might contact you and tell you you're under a ddos attack, but they may not help you through it. so, there are some things that organizations can do to help mitigate this risk.
some organizations look at dealing with the ddos problem themselves. they'll look at buying their own hardware; they'll look at provisioning bandwidth, etcetera. unfortunately a lot of organizations don't have the resources to be able to do that. and it doesn't necessarily make sense for a lot of organizations because it's sort of an arms race and it's hard to spend your way out of dealing with this problem as attacks get larger and larger and more complicated, etcetera. so, there are some third-party options that organizations can look at that i would kind of consider to be infrastructure as a service that can be used on an on-demand basis
to help organizations deal with ddos attacks when they happen. so the idea is simply, you don't necessarily have to over-provision all hardware, bandwidth, etcetera to deal with the risk. you can potentially use a third party that has that capacity and capability when you need it. and you know at that point you're looking at options like content distribution networks; they can potentially help deal with absorbing some of this traffic and keeping that traffic away from your network. there's also cloud-based providers that specifically focus on the ddos problem, and the idea there is if you're under an attack,
your organization can potentially redirect the traffic over to a cloud-based provider that can absorb the traffic, that knows how to mitigate and deal with [inaudible] service attacks, and then sends you basically the clean traffic. it's sort of kind of putting a shield in front of your infrastructure on an on-demand basis when you're dealing with these attacks. so, infrastructure as a service is something that is more affordable for organizations and something that organizations are starting to look at more and more as a way to deal with this ddos issue. and certainly, there's a lot of information about that
on google and it's key to become informed.
>> brian: thanks miguel. so we're beginning to get a clear picture of the scope of the problem from a number of different perspectives, and in addition to service providers such as google and afilias, verisign and neustar maintaining their services in a way that keeps them up 24/7 and addresses these attacks, there are, for certain organizations, specific resources available if needed, and that's interesting as we're beginning to, after setting the scene, now let's transition towards those solutions, the mitigation efforts, the services that are out there designed specifically to provide additional protection.
as we transition, danny i want you to help theaudience understand some domestic initiatives such as the anti-botnet workundertaken by csirc and help us to begin to understand how we can begin to collectivelycome together to address this problem. >> danny: yes sir thanks brian. so there have been a large numberof clamber of efforts between public and private sector related to botnet infections,compromised machines, male code proliferation, virulence of threats on the internet, justthis broad swath of malicious activity. it's a nontrivial problem to solve because theisps for example, a lot of folks point fingers at the isps, but the isps don't [inaudible]systems, their [inaudible] system in particular,
the broadband isp user, residential consumers that acquire service from the isp, and the isp shouldn't be looking at their traffic and, you know, they have privacy concerns or other things. so, what sort of controls or capabilities can the isps actually add to help them? so a number of efforts have been underway actually. one such example is the fcc csric 3, working group 7 recently published something called the abcs for isps and it's basically the anti-botnet code and they developed it with a number of other folks in the industry, maawg, the messaging anti-abuse working group, as well as some publication in the ietf and broader participation, actually internationally, from folks from japan, cyber clean, to australia, finland, germany, other folks, and it basically talks about some fundamental things that isps can do to help educate, protect, notify, detect malicious threats associated with their consumers and then activity they might take to help to clean that problem or sanitize or provide a little better hygiene on their infrastructure. so, one pointer there is one of the reports, the abcs again, for isps, you can find it on the [inaudible] website or the fcc csric 3, working group 7 web page that you can find easily via google and so that's certainly one effort.

one of the fundamental things, going back to the user, is there anyone on the receiving end of a ddos attack? what you should definitely be looking at is sort of what enables your business? most of the folks on this panel, you know, network is our business all right, we're going to focus on providing network services and availability. we're absolutely committed to the security and stability of our infrastructure and services, but for a lot of folks, network enables their business. it enables your email or your web presence or your small business or your e-commerce or retail site. and so irrespective of what it is, you absolutely need to consider what the critical network assets are, or the critical assets across the board, to your organization and you identify those, you say what's the impact of an availability issue or security issue or a compromise of information impacting those assets? and how might i put controls in place to help mitigate that or to at least have a plan to respond if there's a ddos attack or a breach inside my infrastructure, those sorts of things. you know, one of the things that i've seen in the past, we did this survey for several years, a previous employer of mine, and most of the folks that responded to this infrastructure security survey didn't actually even have an incident response team in place in their organization, even if it's an overlay team, much less an incident response plan. and if you don't have an incident response plan, you're certainly not going to exercise that and so you really don't want to be on the receiving end of something like a ddos attack and not have a book in someone's hand that says this is the phone number i call for my isp or for my national cert or for my vendor that provides a certain service or capability to me, so i think it sort of starts with those fundamentals, identifying critical assets, understanding what the options are to protect the things that are critical to you. if it's moving services to cloud infrastructure, acquiring protection services for those, putting your own controls in place, but you definitely need to consider that in your environment. consider what the impact would be. these are a real risk to your business and your operations and so, i think fundamentally that's sort of where i would recommend you start, brian.

>> brian: thanks danny, so interesting in your comments, you mentioned isps, we've got registry operators, you've got online service providers, we've got search engines, so we really have a number of different service providers in this community that help keep the internet up in a collaborative way.
the csric effort for isps in particular sounds interesting and what we want to get at a little bit later in the conversation is, across this community of service providers who i assume have different roles and maybe different responsibilities in some ways, how do we build on the collaboration that you've begun to speak about and also, interestingly, you spoke to the organization and what they should have in place. understanding what enables your business, having a plan in place, and the question that raises for me is, well, how do organizations know they should have these things and how do we educate on that front as well? so we'll get to that in a little bit, but to round out the panel, thank you all so far for shedding some light on the scope and dimensions of the problem and how we can begin to address it, but let me now go to jillian. jillian, what i'd like you to talk about from your perspective is what are some of the unintended consequences related to ddos attacks and in particular, help us start thinking about potential over-reactions to ddos attacks. we know that these attacks are nefarious in nature, we know that we have a panel of good guys who are doing what they can and doing everything we think they should, but tell us about the unintended consequences both from the malicious attack side and when a well-intended operator tries to take mitigation techniques against an attack.
>> jillian: sure, so at the beginning of this i think jeff referred to, actually i'm sorry, brian referred to sometimes these attacks being used as sort of an extreme form of free expression. i'm not sure i would classify it as free expression, but we could say civil disobedience, that's been argued by many, and an example of this that might resonate a little bit better than, say, the anonymous attacks against mastercard and visa, would be people sympathetic to the syrian opposition going after syrian government websites. that's something that a lot of people have sympathized with, have considered civil disobedience in a scenario where the government has shut down the internet, censored the internet, etcetera. and so nevertheless the vast majority of these attacks are malicious, are directed at, not just these big companies and the big networks, but also at the little guy and that's kind of where my perspective is coming from. a few years ago when i was still at the berkman center, we did a study that looked at attacks on human rights websites and independent media websites, and 62% of the respondents to that study said that they had experienced a ddos attack at some point and as damian said, google is sort of at, what would you say, the core of the network. google has resources, they have staff, they own fiber, but then you've got these other small organizations that are what we would say is at the edge of the network. these are organizations that not only are they literally at the edge of the network but they also lack the funding and the staff to ward off an attack. they often have fairly insecure hosting, their host might jack up the cost in an effort to help them and so if you are using, say, i don't want to throw any specific examples out there although i have a couple, but if you're using, say, a shared hosting provider such as rackspace or bluehost, i'm not speaking of those companies specifically but, if you're using one of those, and you are the victim of an attack, your provider could kick you off, they could also raise your costs which for many of us would be completely unaffordable. and so, when we're looking at the unintended consequences of these, i mean i think that there's a couple of different aspects here. one is the legal consequences and so i'm not a lawyer and so i should say, i should just preface by saying that, but you know these attacks are largely, by most governments at this point, considered hacking and are dealt with as such. and so in the u.s. that's governed by the computer fraud and abuse act and in europe there are other similar conventions, but i think that we need to start looking at them as a little bit different than that. i think that you need to look at the sort of the [inaudible] behind the attack, we need to look at the consequences of the attack, and i think a great example of this is an attack that was conducted against lufthansa, the german airline, back in, gosh, i'm not going to remember the year, early 2000s i believe, where a court actually did determine that the intent of that attack was not coercion and was there-- i'm not a lawyer so i feel like i'm using the wrong language here, but it was dealt with as civil disobedience and so.

but that's actually not my biggest concern. my biggest concern is the unintended consequences on these smaller websites and so when we look at the consequences on independent human rights and independent media websites, generally these sites go offline and are not able to quickly get back up and so we've seen attacks that last a week, 6 weeks, or where the site goes down entirely. and so some of the suggestions that have already been given are excellent and i think actually what damian said in terms of people moving their sites to google, that's actually one of the suggestions that we give is, if you are a small website, sometimes you're just better off hosting your site on a provider like google where you have those resources to back you up. we've also, my organization along with the tactical technology collective has also developed this guide which is really, really basic mitigation techniques. we're not even talking about the kinds of things that a corporate website or even a large-scale organization would use, but the things that your blogger, your independent media site might utilize. and this is available, i'll share it after, but it's also available in 9 languages. and so just to sum up, i would say that we need to think about these attacks, not just how they affect major websites, but also how they affect much smaller organizations.

>> brian: thank you. so thank you all. we've now set the scene, i hope, and provided some baseline understanding of the nature of the attacks, the scope of the attacks. we have 2 hours. what we're going to do is as follows, we're going to leave 30 minutes at the end for q&a from the folks in the room and from online and we're looking forward to all of your questions.
we're going to have basically 2 sessions now. what i'm going to do now is engage in some q&a with the panelists and we'll have 45 minutes for that and then we have in the second session a scenario that we've built that we want to roll out in front of our panelists and ask how they, in their respective roles, would react to that particular scenario. now i've got about 7 questions or so, we've got 45 minutes so this isn't rapid-fire but let's leave about 5 or 6 minutes for a response to each of these questions. this is open to anyone on the panel so let's be dynamic, raise your hand, don't be shy and we'll kick it off with the first question which is; let's get specific and both from your perspective and from a user's perspective. what mitigation techniques are available to us today? both you, as a service provider, and the user, how do we stop these things at a basic level? who would like to take that on first? ram.

>> ram: brian this is ram, let me start; if i was a user, one of the things that i'd want to do is if i have a good isp, then they probably have a botnet mitigation kit or something like that, that gets installed in my computing devices and if not, i would go to my isp and ask them for a mitigation kit like that.
they're pretty commonly available. they're pretty sophisticated and they give you the first order of protection. i just also want to point out; having antivirus software in your computer doesn't protect you from your computer getting compromised in a ddos attack.

>> brian: that's interesting. most average users would assume that that addresses that problem. tell us why.

>> ram: so earlier, let me give you an example, earlier we were hearing about spear-phishing right, so i'll give you a specific example, something that actually happened in one of the organizations i work with. a high-level executive in this company, it's a pretty small company, got an email and the email had a very good subject line, you know, it's a photograph of their daughter. and it said, took this photograph, she looks great, and even had the daughter's name on it, right? and so the executive got the mail, it looked like a legitimate thing and the from address in the email was kind of somebody he ran into at random, but there were enough things in the mail that looked like it was real, you know. the daughter's name was right, there was actually a photograph and so they double-clicked and they opened up the photograph and that compromised their machine and ended up compromising the network from there on, right? now that was not a virus in the traditional sense of a virus. that was something that was custom crafted just for that one individual because the person trying to break in had a clear idea who this person was, they were trying to penetrate, they understood that that person likely had access to other important resources inside of the company's corporate network, got through. so, they had antivirus on their computer, but this was not the traditional virus, this was an attack just aimed at you, individually.
>> brian: thank you and getting back to the botnet protection package from your isp, at a basic level what does that provide? we heard the story of how your own computer can become an unwitting zombie participating in a botnet attack, is it designed to prevent that from happening, or other things? that was a follow-up for ram.

>> ram: oh, for me specifically. okay, yeah there are many things that this piece of software or these pieces of software do, but often they look at patterns, they look at where the attacks may be coming from. they also look at what's happening on your own device and where it's trying to connect to and typically you've got certain patterns. you go to a certain set of sites or you send emails, you know, you connect to a known set of places for the most part and if your device has been compromised, often your device is going to places that you normally don't go to and your isp typically has an idea of that stored up over time.

>> brian: so let's dig a little bit deeper on that. what was in your answer was, how do we identify where this problem is coming from? i think it's an important piece of the puzzle here and you, in your service provider capacity, let's turn deeper on preventative measures.
how can we identify where these malicious attacks are coming from? is that an easy thing to solve for, or a harder thing to solve for from the service provider perspective and also from the user? i think ram just started to touch on that. anybody want to take that on? so, danny?

>> danny: yeah this is danny, i'll say something about that and then move on to others, but one of the things i think i would touch on initially is that if you're on the receiving end of even a moderate sized ddos attack, a lot of the bigger networks have the capacity to absorb the attack. what many isps or services in the infrastructure offer is the capability to absorb the large-scale bits of malicious traffic and surgically mitigate and preserve the availability of the services that someone may be concerned with, so that's sort of one aspect. from an isp side, one of the interesting things is that ip is a sort of hop-by-hop packet forwarding paradigm for communications networks and anyone, largely anyone on the internet can emit a packet in the infrastructure that has a source address of anyone else on that infrastructure and so this is known as ip source address spoofing. and it's a common attack vector, it's not the only attack vector and a lot of times botted hosts don't spoof packets at all, but traceback in large networks is fairly complex. there are a lot of techniques people use, from some things like commercial tools that do netflow and flow-based analysis to trace back to the ingress of their network. the problem is you then have to have the capability to say to the upstream or the adjacent network, these attack flows i'm seeing are from you. can you trace these back on your network? hope that they have the same capability and so forth. and so it's non-trivial when, in fact, any sort of adversary on the internet has global projection capability and you could be on the receiving end of a lot of packets as a result of that, right, you know what i mean, and these could be broadly distributed or single-source attacks. so, tracing these attacks back is one aspect. so you would certainly want to trace back with flow-based tools, other things, and then ideally if you could find sources that were participating in an attack, then you could try and identify command and control infrastructure that's used to command or control those attack sources or those botnet hosts and then you would step back from there, but that's an extremely complex thing and unfortunately what most people do, and to jillian's point actually, is that a lot of the controls some people put in place to mitigate ddos attacks actually effectively complete those attacks. it's like hey, there's a large-scale attack of 10 gigabytes per second going toward one of the smaller hosts on my network so, what an isp may do is actually say i'm going to drop all the traffic towards that destination at the ingress of my network. so what they do is effectively complete the attack. that's why it's so important to have controls in place to be able to identify and surgically mitigate those attacks, before the attacks occur, so anyway.
>> brian: thank you, very interesting. anybody else want to pick up on this point? miguel.

>> miguel: just adding to what danny is saying, collaboration to try to figure out what the sources of those attacks are is key and it's not something that happens very well currently. it's something that the internet community is trying to improve on but we're nowhere near where we need to be and to be able to do some of the things that danny is referring to, you kind of have to have backchannel communications between providers. you have to be able to have somebody on the inside, somewhere that you can share intelligence with and that's something that's difficult. the last thing i'll say about it is that sometimes, where or who it is that's doing it is not necessarily that important potentially. when these things are happening, a lot of people might be focused on getting their infrastructure back online, but you do have to temper that with the fact that, as jeff was alluding to earlier, this might be something that an organization is doing while they're doing something else. it could very well be a diversionary tactic.
>> brian: let me pick up on one point there miguel, you know you mentioned the collaboration between and across network operators being a challenge. is that a resource challenge, is it a communications challenge, is it a technical sophistication challenge, because it is understood from danny's comment that this is a complex investigation that has to cross a number of different network operators to get to the answer. what's the issue there?

>> miguel: i would say that there's a corporate privacy challenge that a lot of organizations don't really want their technical staff or the staff that are dealing with this problem to be collaborating with other operators and that's a significant roadblock.

>> brian: jillian-- oh go ahead damian?

>> damian: i also wanted to say that i think that the 3 things that you mentioned, brian, it being resources and technical issues and communication, are also significant challenges. even if you do get through the communication barrier to talking to somebody at the isp, they might not have the technical capability to track it further back or they might not have the resources to spend time on spending an hour to track it back, just knowing that it will just go to yet another isp that won't have time to communicate with you or track it back or anything.

>> brian: right, thank you. jillian.

>> jillian: sure, i'm just going to make my point again to the sort of smaller organizations. i think that it's important for them to sort of assess beforehand, before this is even an issue, both what their risk is, if they can do that, as well as what their priorities are in the event of a ddos attack. and so, for a lot of these organizations that i'm thinking of, i'm thinking of sort
of the human rights sites in embattled countries. a lot of times their priority is just to stay up and to keep their content on the internet in the event of an attack and sometimes these attacks are coming during, say, election periods, or periods of protest and so a lot of times what that means is choosing their host wisely, so we talked about that a little bit but knowing what their host can do to mitigate an attack, but also if they're high-risk, considering a ddos resistant hosting or some programs that are starting to come up. some of these are pretty cost prohibitive for smaller organizations but, there are a couple that are a little bit more affordable. one of them is called virtual road. it's hosted by the international-- i forget the acronym-- ims-- forget that, but based in denmark. another thing is to, you know, really easy stuff, keep backups of your site. i know that seems so simple, but that's something that a lot of these sites are not thinking of and so when their site goes down, it goes down forever. and then another thing is just mirroring their site. if we're talking about a site that's, say, in iran that's going to come under attack during elections or something like that, you know, making sure that that content is up somewhere else can be really important. you know, urls don't matter as much as they used to, thanks to social media. and so just making sure that that content is still up and available is a lot of times more important than actually immediately mitigating the attack.

>> brian: jeff?

>> jeff: real briefly, i would say in particular, if you have limited resources, figure out what your purpose in tracking back is. if there's a technical side of it and as smarter folks up here may appear to have explained it, it's very difficult to get to the end, but let's say you get through all those hurdles and you find out where it's actually coming from, then you walk into a human problem. do you really care what the motivation is? i mean, if your goal is to stay up, you may only want to track back far enough to be able to protect yourself and even if you get to the end, you know, it's a bunch of computers sitting in country x, you'd have to get to those people to figure out is it a nation state act, is it a bunch of individuals, is it somehow loosely connected? so the track back, you know, i would say just from my perspective thinking about this when i was up on the hill, there is a techno side, but there's very much the political and security side and you get into human litigations there which are even harder
to track back than some of the techno stuff.

>> brian: thank you jeff. let me ask a slightly different question. when an attack is happening, does it matter what the targeted platform is from your perspective and how you react to it, how do you manage it? for example if it's an attack against the banks as we've been seeing recently, versus an attack, versus a social media site or a small-user site. does the nature of the target affect the way you address the problem, try to mitigate the problem? can you give us some dimension on that front? miguel, do you want to go first?

>> danny: yeah, sure. yeah so what i would say is that if you're trying to mitigate an attack, what you're really trying to do is preserve the availability of the services that you care about. and so you've really got to flip and say, you know, i really want to scrub out the bad stuff and try and be able to absorb this attack. one of the interesting things, when you see numbers thrown around on scale, frequency, duration, attack vectors, all those things, you might see a 10 gigabyte per second attack. well, what a 10 gigabytes per second attack is on a webserver or on a dns server is very different. that means 10 gigabytes per second of transaction servicing capacity. right, that's basically i've got to be able to process 10 gigabytes per second of dns packets or of web-service packets or ssl packets or whatever the service is you're concerned with and that's the only way you can preserve the availability of that. so when it gets more and more complex is when you have more state-based and more complex applications, that's when more sophisticated attacks become problematic in that manner. so i think it absolutely depends on the attack vector. one of the challenges is that sort of commodity, off the shelf routers and firewalls and those things don't do application [inaudible] mitigation. they don't provide certain capabilities. on the other hand, if it's some services it may be simpler to simply absorb a high-rate per second attack or to just drop bad traffic that's not targeting a production service. so, yeah in short the answer is yes to your question, i think.

>> brian: thank you, miguel.
>> miguel: danny mentioned that the type of infrastructure that is being attacked matters, i absolutely agree. the type of organization that is being attacked also plays a factor potentially in how you're dealing with the problem of mitigating the attack. i think jeff alluded to the fact earlier that there are attacks that are potentially, for example, extortion. there's activist-type attacks; i'll use the activists' example. these people that are protesting and attacking your site, they're most likely discussing it online, so they're congregating on twitter, on facebook, pastebin, whatever site it is that they're using, irc, you know, internet relay chat rooms, they're discussing attack strategies there. so, what kind of an attack it is, and which organization is being attacked, it does matter because you do want to factor in how you're monitoring social media based on the particular attack because it can help you determine what it is that you need to do and what you need to focus on.

>> brian: anyone else? let me shift gears here. i think by now, hopefully we've got a fairly good picture of the dimensions of ddos attacks both from website operator, individual user, service provider, civil society. it's an important problem. it's a growing problem, there's no doubt about that. it gets bigger each year, it's a big cat and mouse game, we have a hard time identifying the bad guys, tracking them down, stopping them from doing what they're doing. who should fix this problem? private sector, government, how do we fix this problem?
collaboration is important, we've heard that, but it seems like it's a game that we're not necessarily winning. anyone want to take that on? pros and cons, damian?

>> damian: i'll start off the discussion. so i think a lot of the difficulty we have is that nobody feels actually responsible, so the attacks are often being sourced from compromised machines and people are saying well it's not my fault, my machine is compromised. you know, they don't know it, it's an end user, they don't actually know how to secure their machine, they're not even aware that their machine is participating in the attack. then it goes from that machine through an isp and the isp says well, we're just providing network transit to our customers. we don't actually look at what that content is. and then it might go through multiple isps and eventually get to the victim who really doesn't have any choice but to just receive this traffic. so i think the root issue here is to figure out who you would actually hold responsible for these attacks and then maybe figure out in what way they would be held responsible. you know, clearly, we don't want to hold the home user responsible for an attack they weren't aware that they were committing, however, if we could inform them and they refuse to fix their machine, maybe after they've had that opportunity to fix their machine and they refuse to, or after we inform a hosting provider that has compromised webservers that are attacking you, if they don't fix those machines after a month and they're still attacking, maybe there should be some responsibility there.

>> brian: so that's an interesting thought damian because you all do have terms of service and abuse policies that users agree to when they use your service,
so that's an interesting thought. jeff, i want to throw this to you and i know this is part of your past experience, but having been in the senate and house committee, can you bring a little bit of the government perspective to the question i asked of who should be fixing this problem and how?

>> jeff: so i guess i would step back and say that we can't define this problem as just dos attacks. you know, you phrase it as, it's not a game of winning, well, in my mind it's not a game that will ever end. to the extent it's more of a constant race, how far ahead or behind are we of the people developing new ways to attack? and to my first point about, it's a broader problem, if someone has a computer that is being used as part of a botnet for a ddos attack or something else, it's very likely that the folks who are on that computer could do a lot of other things with that computer or to that person's identity or steal their banking credentials, so it is a much broader problem and i think damian made a good point, everyone kind of pushes it back but at some level it needs to start with users taking more control over their computers. not just looking at antivirus but broader protections. the government's role from my perspective, and that's something that we worked on, the projects i worked on on the hill are much more critical infrastructure focused, but if it's true there, i think it's even more true with a much more commercial side. it's got to be private sector led and the government can play a role facilitating and educating and punishing and perhaps in some areas where there is significant possibility of major national impact requiring some standards, you're not going to do that for john smith who has his computer at home, you're not going to say that there is a minimum security [inaudible] that you have to have in order to log into the internet. were you even to try that, it would never pass. but the government can play a significant role educating folks; simple things as patching whatever software applications you have, making it the easiest way for someone to get into your computer. the patch comes out, someone is out there trying to figure out what was patched and how can we take advantage of the people who don't patch. so the government, i think the role, sort of hopefully i'm answering the question, the role the government is going to play is going to depend on what you're talking about. if it's an attack on water, electrical, other systems the government is going to have a very active role, hopefully ahead of time, protecting and assisting in developing protections. the government will also have a role in the backend where possible prosecuting, investigating and that's where your earlier question about does it matter who is being attacked? maybe it shouldn't, but the government is going to be much more focused when you have a series of major banks attacked, looking whether there's another type of attack going on or there are more laws that apply [inaudible] after that
than if it is, you're attacking someone's speech on blogspot, so the government's role is going to vary, i think, depending upon where you are, but ultimately it can't be government led because it will end up being less effective and more [inaudible], in my view.

>> brian: let me ask for the service providers, you all run services that are globally accessible. you all have network footprints that are global to some extent. specifically, engaging with law enforcement which i'm sure you do, you all work for law abiding companies who under the proper circumstances collaborate with law enforcement to address legitimate concerns. what are you seeing in your interactions with law enforcement that provides the good seeds for collaboration? what do you think might be missing in your interactions with law enforcement? i'd like the service providers to address that point. who wants to go first, ram?

>> ram: let me start. one of the things that is striking in interactions with law enforcement, one of the fundamentals here is that this is essentially a borderless problem and law enforcement has a border problem.

>> brian: okay.

>> ram: not a problem, they have to work within the jurisdictions of the borders that they're in. so often when you're collaborating and working on uncovering, you know, somebody is running a botnet that's got some significant problems behind it and if you start to do trace-backs, you'll find that the folks in law enforcement would rather work with you informally than formally because if they go formal, then you go through a method where you then have to involve every law enforcement agency at every border that is crossed on the internet. it's pretty damn easy to cross those borders.
so, that's a, i think that's an essential thing and the real world hasn't yet caught up to that reality online. that attacks come from multiple borders, from across multiple borders and they morph in real-time, depending what the response looks like, and so that's a very significant factor when we work for instance on, a year and a half ago, we worked on pulling together part of an industry or in a taskforce on child abuse, a set of sites that were focused on child abuse and they were using that to infect the computers of those who had the bad stuff on it to make them part of a zombie network. and it got very snarled up in various jurisdictions' legal restrictions, the necessity to preserve evidence, versus the imperative to solve the problem and make sure it doesn't become very large.

>> brian: interesting. anyone else, danny?

>> danny: yeah so i'll point out again, some of the work that, you know, with public/private sector partnerships, i think that's so important. certainly i don't think you're going to regulate your way out of this, right? from a controls perspective there are 869 things that i have to do in my day job just to check boxes and those give me marginally more secure, right, 82% of it security spend goes towards compliance and regulatory controls and then people try and get secure on top of that. those sorts of things are like antivirus software and there's 10 new pieces of malcode a second on the internet, yet av is a frontline defense to protect the residential user or maybe even a corporate machine, and so i think education of the threat vector, some of the very fundamental stuff like patching systems and software and collaboration and information sharing and putting these things in place. from a law enforcement perspective, i think that some of the most successful stuff we've seen involves multilateral teaming agreements
and collaboration, those sorts ofthings where there is some coordination and some effort in trying to work together. in general though, in particular withddos attack we've always seen this sort of fragmented response where one isp onthe receiving end, or along the projectory of an attack will drop all the traffictowards the destination and cause, you know effectively completingthe attack for that network, and another one will security research willinfiltrate the command [inaudible] structure and law enforcement may be there and thensomeone will break one of their connections to the c&c infrastructure and all of asudden, you can't even disable the attack
because you've got all these headless machinesout there that are attacking something and depending on where those systemsreside and where they're coming from. i mean we've seen attacks withattack sources in 100s of countries and you're breaking lots of laws. i mean just if you were to try and disablean attack if you had the keys to the command and control infrastructure, that sort of thing. so it's really problematic and there needsto be a lot of collaboration and cooperation and i don't think regulations a way,but i do think harmonizing and working on the international aspects and the informationsharing and collaboration, you know those sort
of things are the only way we're goingto be in a better spot collectively. we're playing a lot of wackemalltoday and i'm not sure it's effective. >> brian: jillian, let me ask you, from yourperspective, from a civil society perspective, what more should industry and governmentin their roles, be doing to address this? and what in their collaborationwould you hope that they avoid? >> jillian: so in terms of what more,i mean i think it's hard for me to say. i mean i think one of the problemshere is that as others have mentioned, law enforcement is going after the folkswho are going after the big targets. and i understand that, but it's not reallyever going to help these smaller targets.
i mean you don't see law enforcement going after the perpetrators of small attacks and a lot of the attacks that i'm looking at are happening in other countries where sometimes the perpetrators are in other countries and so from my perspective i'm not thinking so much about u.s. law enforcement, but in terms of what people can be doing more about and what they should avoid. i think that a lot of it is about raising awareness as folks at the other end of the table said in the beginning, i think that making people aware, not only of what might be going on in their own systems that they can avoid becoming part of a botnet, but also what they can be doing as individuals and as organizations
to mitigate the potential of ddos attacks. and then as far as industry, i think adding that layer of civil society is really important as well. making sure that industry is collaborating with civil society to make more of these systems available to the smaller user would be great. and as far as what law enforcement should avoid, i think a lot of it for me is addressing whether ddos attacks are a useful form of civil disobedience. i think it kind of comes down to that and my personal opinion, this is really not the view of my organization which does not have a stated view on this,
but it's just that i don't think it's a particularly useful form of civil disobedience. i think that in the united states we have many other paths of recourse to protest and then i think that when you look at the example like i gave before, attacks against syrian government websites, it's a bit of a different thing. but nonetheless, i think that the effect of these attacks on smaller websites is so great that we should really sort of try to look at the whole picture and realize how much damage this is doing. and so i guess in thinking about that, i think that that should also sort of inform where we think about law enforcement.
danny [inaudible]? >> danny: yeah i just wanted to make one other comment, something she touched on which i think is really actually is, one of the things we see a lot of is the internet itself is inherently multi-tenant. and then you see a lot of, in particular a lot of the smaller folks can aggregate and there's these really high tenant densities on certain pieces of infrastructure and what ends up happening is that someone on the infrastructure gets attacked and there's a lot of collateral damage that everybody is impacted. or a really large attack along a trajectory fills some links
and not only is the intended target impacted but there's collateral damage to other people that utilize that infrastructure. and most of the attacks that the folks have been on the receiving end of seeing is that it's hard for an attacker to gauge how much firepower they actually have and to surgically attack a target with a ddos attack on the internet, usually they sort of brute-force flood a whole bunch of traffic of a particular type and there is collateral damage in that. and that's an important artifact that you're highlighting there and if you have high-tenant densities on cloud infrastructure or lots of people behind small links then it does have a really devastating impact
and not just on the target, but maybe on other people that utilize that infrastructure. and so i think that's an important highlight. damian? >> damian: yeah just to follow up on that, jillian had mentioned that law enforcement doesn't go after the very small attacks. they tend to focus on the large attacks. but i do see the large attacks as the most damaging, largely because of what danny said of, it causes collateral damage. if there's collateral damage on other sites that they have no other way to mitigate,
they will kill the small victim, they'll completely attack by just turning off everything to that site. so by basically preventing any very large attacks by having law enforcement focus on those we at least give the smaller sites a chance of getting some dos mitigation service to help them and basically that boundary is probably around 10 gigabyte. you know once you get up over 100 gig, there's very few organizations that are going to be able to help and most are just going to turn off the site. >> brian: so right now on this issue, it's the rule of the submarine captain, that is, the compartment's flooding, and there are sailors in there, shut it off to save the rest.
and that's where we are. so, this is interesting and i think we've all been very polite so far, so allow me to play devil's advocate and put your feet to the fire a little bit folks. so what i'm hearing at a high level to pull some threads together, is there is some coordination across law enforcement which is key to this solution in collaboration, but it's not nearly what it needs to be. it itself is a barrier to our ability, at least in the industry, to work on these problems with law enforcement. we're hearing that there is some collaboration across network operators but not as good
as it needs to be all the way up and down the stream. and some lack of sense of responsibility coloring that part of the puzzle. we all in this industry trumpet the fact that the internet is critical global infrastructure. we all in this industry trumpet the fact that the infrastructure of nations of countries have come to rely on the internet, banking systems, electric grids soon, governments have a clear interest in this critical infrastructure and if i listen to all of this and piece together, i could come at this from, this is a fiddling while rome burns dynamic going on between industry and governments and civil society.
so, putting your feet back to the fire, what needs to happen in terms of collaboration, in concrete terms to break through at the industry level, at the government level and across those levels and with the civil society perspective. let's get to it. who wants to take it on? pause. >> ram: sure i'll jump on the grenade. look i think everyone who is here and everyone who is up here is not part of the problem. when you take it to the global level of the impact on society
and the fiddling while rome burns and the implication that there's an existential or close to a threat to us, everyone up here and i assume because you're here, you all get it. the problem we have are the sectors that you mentioned that use technology but are not technology sectors and going back to my government experiences, often, not always but often, the difficulty in those sectors to get nontechnical executives to spend the money or the time to put in place the protections. you know danny, i thought talked earlier about the need of a mitigation plan in place. if you're under a major denial-of-service attack and you're then figuring oh, how do i deal with a denial-of-service attack?
you're toast, you need to have things in place ahead of time and that's where going back to the question about where the government can play a role, my personal view and what we were trying to do on the hill was create an environment where the truly critical infrastructure systems are required to meet some base level of security. not a technology specific but more if you're talking about computers that control big machines, water pumps, electric grids, those shouldn't be connected to the internet. a lot of them are.
some of them are connected with open connections using default passwords available through, no offense, google searches. so, what needs to happen, i think is some impetus, some general understanding of the type of threat that the country faces both in the digital realm and in the physical realm. but again, i think going back to what i said earlier a lot of it starts with the individual and i used to be very skeptical as to whether we could actually get most people to do basic hygiene things on their computer and then one of the things that we also covered, the committee worked on was swine flu and as soon as big bird told everyone to cough into their elbows, you have a vast majority of americans, you see people coughing
or sneezing into their elbows now. we change behavior very quickly and i think there can be an education campaign that could change enough behavior to help stop the problem, but without some type of push, i think that we're all going to keep trying to do what we can, but the people who need to make the changes may not. >> brian: ram, thank you. >> miguel: thank you, so i'm a bit of a skeptic on these push measures. folks do push measures, governments do push measures all the time and decades go by and the basic problems don't get resolved.
one thing that does seem to work is events. events result in consequences. michelangelo, the virus got people to install antivirus software, y2k got people to focus on mitigation measures, 9/11 caused a series of responses and the georgian cyber war caused another set of responses. we don't really have a global cyber event, i'm not asking for one, but i'm just saying that if you just look at human behavior and you want to affect human behavior and you want to get individuals, governments, civil society, public sector, everybody together and the private sector together, you need to have something to unify around.
the threat today doesn't feel real to me until i get attacked and if my friend got attacked, i kind of have some sympathy about it but i kind of shrug my shoulders and say, "ain't going to happen to me." and there is not the unifying sense of impending doom. >> danny: can i just, i agree with everything ram said from the skepticism to the kind of work i was also trying to also do the need for an event and we would tell a lot of the skeptics who came in is, look you have congress trying to act proactively. it may not fix everything now but when something happens there will be better systems in place to respond to it.
but more importantly, you want government to act proactively because when government acts reactively, it acts stupidly and that's why there is a strong effort to get some type of performance-based, non-technology-specific standards that are limited to really critical stuff in place, so hopefully some things will improve and if something happens, we have the framework that is not so regimented that the attempt to fix the problem actually enhances it. but i'm ultimately, because i'm a cynic i don't think we're going to do anything until we have something blow up and that's unfortunate to say the least. >> brian: danny, oh damian thank you.
>> damian: sure, yes i also sort of agree with the cyber event being needed. not needed but, [laughter] if you look at history, we've seen that there's like an email worm or virus that comes out approximately once every 6 months because that's how long it takes people to forget and start being stupid again. and you know click on everything they see but, you know once every 6 months everyone gets infected, everyone is like oh yeah, i shouldn't do that. fortunately no major damage has been caused. nobody has ever actually-- there haven't been any large-scale cases
where people have lost data. i see this as very similar to how diseases spread. if you killed the person instantly, like if someone gets infected and you format their hard drive right away, they don't have time to spread. they don't have time to pass it on to others and so most of the malware that we've seen so far has been fairly benign and that allows it to spread, but it also means it doesn't cause much damage. i also wanted to say, i think right now laws largely favor the attacker. there's a lot of constraints on information sharing, all of the jurisdiction issues,
and that also means that there's a very slow response. if somebody goes to law enforcement, law enforcement might have to sit on it for weeks or months before they can actually take action against the attacker, if they can even get to the attacker. so, some things might need to change in laws to allow the defenders to keep up with the pace of the attacks. and it's also important to note, you know sometimes the attacker would actually know how to shut down the attack, it's just they're not legally able to and so there are a lot of inherent delays in the system.
>> miguel: just adding to that, it's worth noting that there's such a stigma associated with security incidents. organizations are very unwilling to admit that something has happened. they don't want to admit so publicly. they really, they don't want to collaborate and to be effective, a lot of operators have to work, as i mentioned earlier, they have to work through back channels, people they know where the person that you're potentially collaborating with would probably get slapped if other people were aware of this collaboration taking place. so, that needs to get formalized, potentially more formal protocols
for collaboration need to be developed. and from an international perspective, governments need to do a better job at it. they haven't caught up to the fact that this is a big issue. so, some examples where we, as an operator, we're seeing attacks happening on small government websites, syria's as an example, and you actually want to lend your resources and expertise to help these people, but because of their own roadblocks, legislation, etcetera they actually can't receive the help that you are potentially looking at offering them.
so we've been in situations where we've seen protest attacks during elections, for example in smaller countries, and we are willing to help them but then, these governments have restrictions on where their data is etcetera while at the same time they don't have the infrastructure to deal with this problem themselves, but they're handcuffing themselves, so all of that has to change for us to be able to be more effective. >> brian: danny? >> danny: yeah i think some of this sort of the tragedy of the commons sort of thing, the sheep on the commons i guess if you will.
and what's the impact on me or the investment on me? actually the internet security alliance did something not long ago called a cfo's guide to cyber risk and in that document they introduced the notion of a digital immigrant and they're talking about someone that didn't grow up digital native or wasn't prolific with electronic devices and the internet and the capabilities of those and they were discussing how in many places, they're the ones that control the purse strings or control the investments. like people don't have problems investing in fire suppression systems but if you ask about a, ddos mitigation capability, well nobody is going to invest in that
until they've been attacked right, or unless you're a very savvy organization or have a lot of the right folks that do that. and then people even question those investments after a long time of not being attacked. so i think definitely looking at what enables your business again or whatever size business, because it's all relative right, i mean we've seen things from animal rights activists attacking zoos, to jersey joe's a local sports memorabilia being attacked by a guy across the street for a gold watch and a pair of tennis shoes. and that's a decade old, right?
and so, i think understanding what the impact of these things are in your business is extremely important. i think understanding the constraints today as well, this is a global problem. the internet is a loosely interconnected network of networks and largely provides any kind of activity and that's a fantastic thing. you know the fact that you can launch a ddos attack might be considered a success of that substrate or that infrastructure, right i don't know. and so you certainly don't want to over-pivot either and compromise privacy, you're a regulator, put controls in place that might impact that global platform.
that's something important as well, so i think that's why industry partnership, private sector with halook and things like information sharing and saying look, these things are impacting real people, real organizations and law enforcement government needs to go after that and accommodate those as appropriate. but at the same time, i think we do have to be careful about over-pivoting as well. >> brian: thanks, jillian. >> jillian: sure, you know i think i'll just give the civil society perspective what we can be doing better. for example, my organization has come under several ddos attacks at different points
and we do have a big enough team in place to try to mitigate those pretty quickly and we've mostly been able to do that successfully. but i think there's actually a pretty strong lack of information sharing across my type of ngo or ngos in general. i'll give you an example of this, and i don't mean to pick on this group, but i think it's a perfect and quite public example. avaaz, which i'm sure you're familiar with, a few months back they came under ddos attack and their first reaction was to send a message out to their members asking for donations. but what they didn't do is they didn't share any of the details of the attack,
not that they necessarily needed to publicly but they actually straight-up refused to share the details. we have a group of technologists who had been asking for that information and i think that sometimes that information is actually quite helpful for organizations to share with each other so that we can understand what type of attacks our allies and friends are coming under and therefore what types of attacks we might be at greater risk of. and so i think that that's a really good example of how not to respond. in the end they still didn't want to share, and we said okay, fine but i think that just sort of going and asking for donations and not kind of collaborating
with other civil society organizations is not a particularly helpful way of responding and we'd be much better off if we were clearer with each other. >> brian: so thank you for that. i'm going to draw this part to a close. some takeaways for me in the last round of questions is that clearly there are some structural barriers to the level of collaboration that everyone seems to believe is important to addressing the problem, both at the government level, and at the operator level. i guess the understanding at senior management level that investments in the security aspect
of their business are as critical as any other to their business and have to be central to their planning. and at the government level, clearly existing legislative structures and collaborative barriers between governments need to be broken down if we can get to the place where we can be more aggressively and effectively collaborating to address the problem. so, we all knew that we weren't going to solve this problem with today's panel and i want to thank you all for giving us a lot to think about and those are some of the takeaways that i've gotten for myself.
so now, let's take a breath and for the next 35 minutes or so, try to have a little bit of fun, make it a little bit more dynamic for the panelists by running through a scenario and then we'll have 30 minutes at the end where we want to hear q&a again from folks in the room and from the folks online. so, shift your mindset now on the panel, we're going to walk through a scenario of a ddos attack. what i'd like you to think about is what your specific role would be within the scenario and how would you react? what would be the things that would be important to you in addressing your part of the problem?
there's a clear understanding and appreciation for the fact that good security also means not divulging all of your good effective practices. so i'm not asking you to say anything that you wouldn't want to say publicly. let's get that clear. but i want you to take this on as a real-time event and then in your proper role, tell the audience what's important to you, what do you need, and in a direction of how would you see or design a best practices reaction to this scenario. so let's start this part of the program. so the scenario we've developed is as follows.
the citizens of small country a, let's call it the kingdom of genovia, my 14-year-old daughter insisted that i do that. kingdom of genovia has been criticizing an economic embargo put in place by a regional hegemon, let's call it mordor, against its neighbor, a small country gilder. the citizens of genovia who have a long-standing alliance with gilder are very upset about mordor's embargo against gilder. condemnations include mass rallies as well as increasingly critical posts on blogs and social media sites. while the government of genovia itself shows no public support for the protestors,
neither does it criticize them for exercising their freedom of expression rights, fueling speculation that it actually condones the protests and may even be behind some of them. large-scale ddos attacks begin against genovia. they are aimed primarily at the social media sites posting the criticisms but also at genovia's financial sector. researchers indicate that the attacks are coming from botnets of compromised end-user machines. the financial attacks are perceived to be an attempt to weaken genovia's economy because the core issue, after all is an embargo and that the financial sector has showed itself
to be susceptible to other kinds of security incidents and breaches. traces show the attacks originating primarily in mordor. some of which could be locations under government control. some however, appear to come from unrelated countries. mordor predictably, denies any responsibility. with those facts, in your respective roles and responsibilities, start off with what's important to you in your given role and then we'll move on to what actions you might take. jeff, do you want to tee it up?
>> jeff: i guess the first thing, you know i'm being the least technical guy up here i think, you're going to want to really figure out, you know you talked about the attacks originating from mordor, but does that mean the command and control is there? are the machines all over the place? if you're going to respond, you need to figure out first what is your first goal in responding? are you going to try to stabilize your systems or are you going to try to somehow get attribution and then seek retribution? so, i guess my first counsel would be look at what you have in place to respond and figure out what your ultimate goals are.
you need to know what you're driving at so you're not wasting resources, pursuing answers to questions that don't help you achieve your ultimate goal. >> brian: thank you, ram. >> ram: four things. one, get contact lists together because you know people but there are other people involved here, so you've got to get that. that's in some ways the top thing. second is to set up an analysis framework. once you identify the scope of the problem, then you need a framework in which to actually work
as new data comes in and you need a structure. so create a structure for it. third thing is to begin working with upstream providers, folks who are connecting you and connecting others to the internet. start working with them because you need to have information sharing and also the ability to take mitigation measures, to take steps if and when you have to. and the fourth is to set up alerts based on pattern recognition or traffic analysis that your analytical team is already doing. those are the first four things to do.
>> brian: thank you, damian. >> damian: so the first thing i would ask about this would be what style of attack is this? depending on some attacks can be spoofed with the sources, some cannot. so if the sources are definitively like, you know they're definitively coming from mordor or you know what these sources are, that can help a lot more than if it's an attack where you don't really know where it's coming from, you just know-- you don't know which machine it's coming from in mordor. you know that it's just coming from that country in general, maybe. and i think that's the key thing to focus on here.
i mean, i agree with what others said, but i think it's important to start by understanding the details of the attack, figuring out what you actually know and versus what you are assuming or guessing about the attack. and then i would also start thinking about what type of collateral damage is acceptable. if you really only care about financial services in genovia being accessible to people living in genovia, they could at the border of their country, just block all traffic from mordor and yet people who happen to be on vacation to mordor might not be able to access their bank account, and that would be pretty bad. but you could at least partition the problem and keep your own country up.
>> brian: thanks for that point and just to note, people on vacation in mordor to my understanding, no one walks into mordor. miguel, please. >> miguel: i might actually repeat some of the things that my colleagues here have said. from the perspective of an operator that focuses on mitigation and defense, i would probably start by looking at the affected entities. get a good scope on what the targets are, what's being affected. move to start looking at determining what the attack vectors are that are being used for this particular attack.
you can do this in a variety of ways and then i'd probably start focusing on starting the mitigation techniques and the defense against these affected systems. as damian said earlier, i'd look at prioritizing and trying to determine or trying to gauge which affected resources are acceptable collateral damage which are priorities and need to be available and need to be in place. i'd be sharing information as much as possible with both, the public and private sector, the operators in question that manage the assets that are being attacked. so definitely start reaching out to people. another thing that i would be doing is heavily monitoring social media.
typically with an attack on mordor, let's say and suspected political motivations for the attack, i would be looking at facebook, i'd be looking at twitter, i'd be looking at internet relay chat rooms. anywhere where these attackers could potentially congregate to organize, i'd be monitoring that and i'd be trying to glean as much information as i can from that activity that is going on online. so those are some of the things that i'd be doing. >> brian: thank you, danny. >> danny: so yeah i guess there's both a luxury in going last and not having much [inaudible],
but there are a few things i could offer actually. i think these guys are all spot-on with a lot of this. i think it certainly, whatever detection capabilities you have for this, whether it was a phone call, hopefully not, or an alert or some capability, engage your incident response capability which you should have now because you've been alerted to that. and then figure out what controls for that sort of attack vector, right, exactly as these guys have said. you certainly want to continue with continuous monitoring and make sure that other devices,
other things aren't impacted in particular with sort of multi-vector attacks, especially such as this which we have seen empirically in the past. one of the things that you have to be really careful about and we've actually seen this in the past and learned from that, is genovia should have learned from is that you've got to be really careful about what kind of controls you put in place for attacks as well because you may say, i'm going to bring everything back into my organization, under control and then i'll turn my internet access back up or inside my nation, or whatever it is. and we've literally seen this at the national level and so you decide you're going
to break all your connectivity and then you realize you don't have a root name server, or you realize your cctld is hosted in mordor. or you realize that your email's over there, your authentication service, your ca that issues your certs is there or, some other resource that you need. so you really need to enumerate those things and understand what enables your business before these attacks occur. i think i used this statement in the past but it kind of goes back to mike tyson's, "everyone's got a plan until they get hit," sort of mentality, right. and so i think that if you haven't done this and you're on the receiving end
of a large-scale attack, it could be really problematic so certainly absorbing an attack and then refining your controls and mitigating as surgically as possible and then trying to move those controls further and further upstream and then collaborate as much as possible is pretty much what you can do today and then protect any forensics information associated with that for whatever it is that you might intend to do with that information. >> brian: thank you, jillian. >> jillian: there is almost nothing left for me to add here. it is the great thing about going last.
but since you did ask what my organization might do, i suspect that after the leaks to the mordor times come out that mordor government officials had something to do with the attacks, we would probably condemn the government of mordor for having double standards-- no i'm just kidding, sort of, but yeah, nothing that i can add from a technical perspective. >> brian: okay, well from-- you know what i'm going to reverse order here, so you'll go first and jeff you're going to have to deal with danny's problem next. so this is good and very helpful in terms of the first priorities, the first analytical and reaction priorities from your perspectives very clear and interesting--
not interesting but a lot of consistency across the board there. now let's take it from the point of view of, if this were an ideal scenario in terms of effective mitigation techniques, effective collaboration with network operators, effective collaboration with government law enforcement resources. walk us through how you would get to that good outcome from that perspective and jillian, from your own point of view, kick it off. >> jillian: i'm not sure i can kick that one off. like i said, this is a wonderful and probably very likely scenario but it's also it's not the level at which we're generally dealing with these things
and so i'd actually love it ifsomebody else wants to kick it off and i'll keep thinking through that. >> brian: all right, danny, you're first up. >> danny: wow, an ideal scenariois that it's not my problem anymore and so having the capability to either certainlystop these things from being launched at me with some sort of capability orcollaboration with law enforcement, other folks which in this casemight be very problematic so, at the sort of ultimate ingress point ofyour network, putting controls in place that minimize collateral damage or even scopethe distribution of reachability information
in a certain place on theinfrastructure, that sort of thing so that you have some sustainablecontrols in place and you're not continuously simply filling linksand absorbing that and causing collateral damage to other services or peoplethat may use those links. it's really problematic if there inter-medianetworks with other eyeballs or content or other things that you may ormay not want on your infrastructure and so if it's an adjacentnetwork, it's a lot simpler, right, it simply if you've done your homeworkbefore and then simply shut those links off and you may be fine, but if i'm asmaller network and this is someone,
somewhere that's nonadjacent to me, it could be much more problematic because i may have to work with them to push controls further and further upstream and that's about their capabilities, the laws, what sort of technical or legal framework that they operate under, time scales and other things. and so, it's sort of all relative to perspective and why the broad variance of attack vectors that occur today, why it's so problematic to just get your cookie cutter out and say this is a solution for that and so, it's nontrivial i think, so it entirely depends on vectors and other things. i'm not sure if i said anything that was actually useful, but--
>> brian: that's fine, miguel please.
>> miguel: in an ideal scenario where information is being shared, where we've quickly been able to determine what the attack vector is, we are looking at ensuring that we can put really precise filters in place to lop off attack traffic while letting good traffic through. it's easier said than done a lot of the time. as i said, in an ideal situation we understand the attack, and we can put the right mitigation strategies in place to deal with it. so in that ideal situation, most likely we should be able to get to availability within minutes if people are cooperating correctly and we have the information that we need. the problem is that we don't live in an ideal world and beyond that, attackers are smart, right? so they try one thing and then you scramble and get the sites available again and put the right mitigation strategy in place, but then potentially they might start trying something else. you know if that's not being effective, they'll go route b and then potentially will go right to route c, so it's a cat and mouse game and it's far from ideal and it's starting over again in some sense in terms of putting together another mitigation strategy to deal with the new attack vector or signature that comes in and unfortunately, the ideal scenarios never happen and attackers have gotten smart and they know how to [inaudible] it up and do the damage, and put the damage that they need to for the people that are unprepared.
>> brian: thank you. damian, just let me interject before you go there. so hearing danny and miguel, clearly understanding that again, the problem of the upstream operator and what their sophistication capabilities are in helping you diagnose the problem across networks, if you will, you pointed out. and also the clear understanding of needing to kind of secure your resources and prevent collateral damage. but damian, ram, jeff, bring in also how do we work effectively with law enforcement? what can they do to help, what can you do together and the good scenario when it works well with the upstream provider, what does that look like?
>> damian: yes, i'll start by saying without bringing in law enforcement, ideally you would be able to work directly with the network operator, they do want to track it through their network and stop the attack upstream. there are situations as miguel was saying; sometimes it's a little tricky.
in this case we don't know if the government of mordor is behind these attacks. so, sticking with the scenario, it's never going to be entirely ideal because you don't necessarily want to tell the isp in mordor what your fingerprint of the attack is, which maybe would help them filter it, because they might just turn around and tell the government, the government will modify the attack to not match that fingerprint anymore and then you're in bigger trouble than you were before. so, depending on how paranoid you want to be, i'm a security person so i'm paid to be paranoid but, you have to be a little cautious about what information you're sharing. try to share information that's useful for stopping the attack but, not sharing everything you know about the attack so you can still trace it. in terms of law enforcement since we're in the u.s., us-cert is a good resource. they have contacts at certs. cert is computer emergency response team. they have contacts at certs in every other country and so that's very helpful because they're sort of a central point. they might be able to recognize that you're not the only victim of an attack, so they might be able to correlate events that you perhaps were not aware of. and they can also assist with language issues. you know it's very difficult for me personally to email an isp in asia because i don't speak any of the asian languages, whereas us-cert probably has the ability to handle that translation a little bit better than google translate, which is my fallback option. [laughter]
>> ram: thanks, so in this ideal scenario perhaps one of the things that have to be worked on is the formation of an alliance for data sharing. especially identifying who the next genovia might be and you go work out who those next genovias might be and this kind of an alliance cannot be government to governments, it's got to be public, private, a combination of that and that takes time to do but this is the time to start doing it [inaudible]. the second, you know we're talking about this ideal scenario and there is rapid availability. the attack happened, mitigation happened, everything came back but remember this might simply be mordor profiling you for a bigger attack to come and they've now learned how you countered it and they're building counter-measures right now for your counters and that's likely to happen if this is really a serious act coming up against you. so, you may leave everything on the floor at this time and you may just get killed really online the next time. and the third is law enforcement, this is a case where most often this is a sourceless crime, there is no one to prosecute, there's no one to really go after for the most part. most of the people along the way are in transit and are trying to help to some extent. they're just doing their job passing packets along, passing information along and they got coopted into something that was initially beyond their understanding and eventually beyond their ability to solve individually. so you have to start to change a little bit of law enforcement's mindset of who are we going after because this is not so much about a counter attack, this is often much more
about prevention and you have to start thinking about the online equivalent of a neighborhood watch and one doesn't really exist in any coordinated way today.
>> brian: thanks, jeff.
>> jeff: i definitely like going last. i have more time to think about what i'm going to say and i bounced around with a few ideas but you know they say don't fight the scenario but i was always the kid who fought the scenario. so i guess i would start kind of where damian went, if you're in an ideal scenario that means mordor is helping and helping you willingly and with no ill intent in actually wanting to stop their own citizens who [inaudible] and probably something they believe in. which leads me to point two, i think ram hit well, if everything is really going that well, that's when you should really start being scared because things never go that well. so question everything that worked and try to figure out why it worked and is someone just letting you think it worked? in terms of what does it look like to be successful on the legal and governmental side, there are a lot of things you need to work. governments that are willing to share information, that have relationships, that trust each other, but then even beyond that you need laws that will allow the information sharing both between the private sector and the government within each country and then between the various governments. but then you also need laws that protect the privacy of the individuals whose information is being shared and assuming you have all that and you get the information that allows you to find the actual source of the crime, which as ram said is very difficult, you actually have both resources and laws that allow prosecution and not in medieval ways of people who are doing these types of acts. so going back to, you really need to figure out what your end-goal is out of this before you figure out, it would be great if you'd actually prosecute the people doing it. it would be better if you could get all your systems back up really quickly and try to develop better relationships to prevent them in the future.
>> brian: so jeff, just picking up at that point, this will be the last round then we'll turn it over to q&a for the audience and ram mentioned the notion of an alliance. danny, the csric work that you mentioned at the fcc. very interesting industry, government but clearly, just uniquely isp focused in terms of best practices or a potential code of conduct if you will in that exercise. where is this collaboration happening today or the seeds of this collaboration between industry and government specifically that clearly has to be globally oriented. that has to be cross-cutting across boundaries. where is that happening, where should it begin to happen more deeply and how can we make that happen? i'll open to the entire panel. danny.
>> danny: so yeah there is a lot of national level stuff that i mentioned certainly as some
of the countries that are blazing the trail there from australia, to germany, to finland, to the u.s. i mean some of the work that the fcc and others have done which is about educating folks and sharing information. a lot of this as you'll notice, even though these scenarios come back to international laws or even national laws or disclosure laws or fair disclosure laws, right i mean what is the extent of where i can share information and who i can get help from and where can we get collaboration from a nation state versus send in a snatch team or not do anything, right? and so, what are the kinds of capabilities that you have, and then you'd really like to operate in meatspace and prosecute people that have real impacts on real businesses and break walls internationally, but how do you balance that internationally with the privacy for example? i mean that's a tough balance because if you can attribute every transaction on the internet, then no one has any privacy or [inaudible] and what does that mean for censorship or for other things. so all these sort of things together, it definitely needs more leadership from the government. i think they've certainly done a humongous amount, and from local law enforcement folks we work with, to national level folks, and certainly jeff and some of the places he'd been. a lot of the folks looking for ways to collaborate and to put frameworks in place allowing information sharing and enable in a sort of protections of private sector and industry and you know that the government's got your back for this and that they're going to pull the levers and turn the steam valves they need to make sure that if someone is attacking someone on this infrastructure and having an impact that it's having a real impact and represent their citizens wherever they are. so i think it sort of goes all the way back to that from the international perspective because of the projection capability that adversaries have on the internet and there are a lot of alliances, a lot are private sector, public sector, partnerships, everything from internet security alliance, online trust alliance, stopbadware. i mean there's no shortage. i mean a lot of the outreach that we talked about, the work that [inaudible] and anti-phishing working group and some of the other folks have done. so i think that a lot of this is happening but it certainly, the industry level leadership with the recognition by governments that they're captive to this. we're all sort of captive to this and the only way we're going to get there is if we collaborate.
>> brian: thanks, anybody else?
>> you know there are many more acronyms we could throw out there about the various public/private collaboration partnerships. some doing great work, some doing work. [laughter] but i want to get back to something i think miguel touched on earlier about information sharing and the need to share information and most folks who would go ahead and share will get slapped down for it. there are two reasons for it, one, corporate strategic secret issues, but also the lawyers will often slap you down because,
well can we really share that information. that's an area where i think we need change and we need it soon, is changing the laws that limit the ability of companies who want to share information with other companies, ecpa, electronic communications privacy act, antitrust laws, all these don't need to be gutted, they need to be reformed and frankly we got to a very weird place in the [inaudible] legislative cycle this year where you had the head of the national security agency and you had privacy groups all saying this is something we need to do and here's the framework that we all think actually can work. it's based around an idea of sharing cybersecurity information narrowly defined for cyber security purposes, narrowly defined, but congress in its infinite wisdom, you've got the nsa and the privacy groups essentially agreeing, so congress chose not to act. and that is something that i think is not going to solve the problem but would be a step in the right direction to allow information sharing and maybe break down some of those barriers. make it happen 5, 10, 15 minutes, an hour sooner, or even won't happen at all so that's something that within all these groups there are still these limitations that are legal and need to be changed by the politicians.
>> brian: thanks, damian.
>> damian: i wanted to mention there are some ways that collaboration can occur without needing to necessarily involve lawyers or worry about user privacy. some of the attacks that we see, there's just sharing information about the fact that we're seeing an attack, the size of the attack, the type of the attack can be helpful to others. so as a recent example the dos attacks that hit the banks recently hit us actually about a week before it started hitting all of the banks and we sent a quick heads-up to a security list of people just letting them know, hey we're getting this surprisingly large attack. this is a bit unusual; this is what it looks like. you might want to watch out, be prepared. unfortunately two days later, we wrote back and said it just doubled in size, but there are things that you can do to give out information. we're not giving out necessarily like the ip addresses that it's coming from because we have to talk to lawyers about the privacy implications of that, but even just the basic information about the type of attack that you're getting and the size and maybe the general area of the world it's coming from can be very helpful to others.
>> brian: thanks, any last remarks? okay, thank you panelists very much for playing along and for the great information you provided with us so far. so let's get to the real important folks here today, the audience both here and online. at least for the next 30 minutes, we'll have an open mic in the middle of the room. i think we have some questions from online, so if you would, please [inaudible] we have-- [pause]-- it doesn't work? why don't you come up and use this microphone if you would to pose your question. [pause]
>> david: i'm david thaumenal [phonetic], president of the internet society of new york and just as we have software as a service and infrastructure as a service, there's now crimeware as a service so if i'm a bad person, rather than going to all the trouble of actually attacking somebody i don't like on the internet, i can actually pay a service provider to do it for me and they're using a commercial business model so i can have warranties, guarantees of quality of service, support contracts and everything else. so my question is wouldn't it make sense for whether it's industry or law enforcement or whatever to focus on identifying these crimeware service providers, infiltrating them, targeting them, purchasing their software and reverse engineering it to disable it, that type of thing?
>> brian: anyone on the panel want to take that?
>> danny: absolutely, if you go back to the scenario of an ideal world, but a lot of these are happening offshore in countries that aren't particularly amenable to working with our law enforcement to arrest or prosecute. reverse engineering i think goes on, but the problem is that the software morphs so quickly that the signature's old as soon as you know it. and there are other efforts, other techniques for protecting against it and i think that's actively underway, but in terms of infiltrating, breaking up, prosecuting, they'd just go somewhere else.
>> so i was going to add just there is one aspect to this, certainly lots of folks are looking at when you try to move it back to meatspace and the place where law enforcement usually operates in a more productive way and better than most information security folks and there has been a lot more work on follow the money and use that angle for the attribution side of this. i mean some of the recent things you may have seen from spam campaigns to phishing and mal-code distribution and those sorts of things. some recent work actually by stefan savage and some of the folks at ucsb was particularly enlightening in that area for those of you that haven't seen that. and i know that law enforcement is certainly taking note and very good at those kind of things and so, i suspect that being aware of that and seeing more on that side, i would follow the money and work on the attribution and the prosecution associated with malicious activity, that sort is certainly something that we're going to see more of from a prosecution perspective.
>> brian: and the fbi has had some big take downs recently. there was one in [inaudible] early this year, late last year.
>> last year. i've got two questions from online, i'll go to one of them first and then come back to the room. from vanda [phonetic]: the reality that people don't think it will happen with them is a fact here too. so how can i convince people that they need to take preventative measures? jillian?
>> jillian: sure, so i don't know what "here" means in that sentence but nonetheless i would say in thinking about how to convince people,
there is a wealth of information on what sort of attacks occurred and who they've targeted and one of the things that this berkman center study found was that there's really no associated ideology with attacks. there's one example where some conservative muslim groups outside of the u.s. were attacking u.s. conservative websites. the u.s. conservative groups were then attacking these muslim websites outside the u.s. and so on and so forth and sort of in a circle and so, anyone can be a victim. any type of group, any type of ideology and so i think that's where we start looking at previous attacks and educating people about those various disparate targets, that's another way that we can raise awareness. and then like i said just sort of thinking about risk assessments, not an easy thing in these cases and like i said with having disparate ideologies be the target of attacks, it's not easy to really assess what your actual risk is and so to assume that you could potentially be a target of an attack is the first thing. but then to sort of weigh your risk and figure out what you might want to think about in terms of what's important to you and keeping your site up.
>> brian: sure, miguel.
>> miguel: thank you brian. what the question refers to is sort of how to make the business case for protection or mitigation against this kind of a threat. danny actually talked about some of these things previously in the conversation in terms of really evaluating your infrastructure and your needs and kind of asking yourself some basic questions. what would it mean to you if your, let's say for example your website was down? what are some of the things that could potentially happen if that was the case and what would the impact to you be if your infrastructure was down for 12 hours for example? i'll use some private sector examples to just kind of illustrate this. maybe obviously there's potentially the revenue component. maybe you're making money off your website so there's some tangible result in terms of not having revenue. but from a customer service perspective for example, what happens if your website is down for a certain amount of time? maybe your call center gets flooded, gets into code red. people are waiting an hour-and-a-half to have the phone answered. maybe your email boxes start getting flooded and maybe it's going to take weeks potentially to dig yourself out of that hole. another thing to kind of think about is, as you make the business case for this or to have some kind of a plan to mitigate the attacks, is how long would it actually take you to get your core infrastructure or the infrastructure you need to be online, back online if something like this happened? potentially it would take you a significant amount of time just to figure out what's actually happening let alone figuring out what the path is going to be in terms of what the best strategy is to deal with the problem when it happens. and then on top of that, after that is once you actually know what to do,
actually putting the plan in place to do what needs to be done to get the threat under control. so when you start asking yourself some of these fundamental questions and it's not just a private sector thing where you're worried about your revenue potentially or your brand equity. you know the public sector faces this as well because it obviously, there's some tangible stuff. it looks really bad when a government website is down or a free speech ngo website is down. so there are fundamental questions that you can start asking yourself and when you start asking yourself these questions and really look at what the impact is going to be, both short-term and long-term, you really have to think about the long-term impact too. at that point you start to look at that and the business case for ddos protection or for having a plan in place to deal with this particular issue if it happens, it starts to become quite apparent that this is something that is worth doing.
>> brian: sounds like good common sense, anybody else, yeah, damian.
>> damian: so i want to highlight like in addition to just the business financial impact, there is a very strong pr impact to going down. we saw user comments during the bank attacks, you know comments and articles of our users saying things like, if my bank can't handle a dos attack, how do i trust that they know how to secure my money? they're completely unrelated things but the average person doesn't understand that and so there can be a significant pr impact to your organization if it goes down even if it doesn't directly affect them like with banking, yes, some people couldn't do online banking for a day, atms were still fine. like there was no actual real risk there but i also want to point out that i think going down is actually a viable option. we're all talking about it as if the ultimate goal is to stay online, but economically that might not make sense for you and even from a pr standpoint it may not make sense. if you're a human rights organization and you can get an article in the new york times about how you went down due to a dos attack, that's the best publicity you can possibly imagine. nobody is thinking about human rights until they see this article. so, it's something to keep in mind, staying up at all costs isn't necessarily the end goal.
>> brian: yeah, danny.
>> danny: so i was going to add a little bit to both of what they said actually, and to vanda's question, how do you sort of get ahead of these. one of the comments that i made earlier is somewhere between 80% and 85% of it security spend goes toward regulatory compliance. things you have to do just to check boxes like these fire suppression systems right, and this is the sort of thing where most of the traditional controls that are on our network, the 100s and 100s that we have are about keeping private information private and more and more so many organizations, particularly for internet facing services, the availability of those services, as opposed to just the confidentiality
of the data contained therein is more and more of an issue and so making sure you understand that, to miguel's point. risk management 101, basic business resilience says take the asset, take what one minute of downtime with that asset may cost you, talk about how long a particular outage may be and then you come up with your single loss expectancy and then take how many times this may occur in a year, something known as annualized loss expectancy, and you multiply annualized rate of occurrence with single loss expectancy and you know in a year, this much downtime could cost you this much in your organization. and if you don't do that, and then say okay what are we willing to invest in proactively to get residual risk to some level that we [inaudible] or go buy insurance or ignore it and hope that it doesn't happen. and so you really need to think about this. actually, i'll reference again the internet security alliance documents. it's a little hefty but it's a really great read for folks asking just that question. it's a cfo's guide to cyber risk and it sort of talks about some of these sorts of things. i definitely recommend that you have a look at that and try to get ahead of it. so, i'm done now so--
>> brian: okay do we have other questions from inside the room? please, okay.
>> you were talking about the pr aspect of it and i took jill's comment to heart earlier about she doesn't think it's a good idea and we know that pirate bay, when anonymous [inaudible], the whole pirate bay came out against it saying they were for free speech and this was against it and i wonder about how much embarrassment and the moral argument and basically if you've got governments who are doing it, can there be kind of treaties between governments that say this is not acceptable behavior. and in the activist world, also the same kind of thing so [inaudible] technical solutions or are social solutions?
>> jillian: sure so i'll just give my quick two cents because i'm actually more curious to hear others' responses to this. so using our example of mordor and not getting into real life, let's say that the government of mordor was partly behind the attacks against genovia. and so in cases like that, it's really difficult. i'm assuming that mordor also prosecutes citizens for hacking and for their own ddos perpetrations and so it's really difficult to look at that and say that mordor has any moral ground to stand on when it does prosecute its own citizens for being behind those attacks. and i think that we have seen, i'm sure you're aware of them, real life examples where this exists. where you know governments are doing one thing with one hand and something with the other. but to the point about [inaudible] example is a great one and i agreed with them and i think john perry barlow, one of the founders of [inaudible], said the same thing that ddos attacks are essentially an attack on free expression. i do agree with that.
like i said i think that there are some circumstances where it's much more difficult to condemn and those are circumstances where you're up against a government that is stifling its own citizens' free expression and so you're getting into sort of irregular warfare, online warfare in those cases, but generally speaking i do think that it would be a lot easier if we all viewed this as something that was not morally acceptable in terms of free expression. it would certainly be a lot easier to go after the actual bad guys.
>> brian: others, jeff?
>> jeff: i would say i think that there are things that can be improved through international cooperation, potentially international treaties. there's a pretty healthy debate over whether that's even possible and enforceable and i think we at least have to try. maybe some of that will filter down into day-to-day conduct with people, but people still commit crimes all the time even though they're illegal so i think there's a limitation to how far that will go to stop the groups that think that they're above the law or independent of law or have a separate obligation that's different to it. but i think you will see more effort in the future to try out some negotiated agreements, remains to be seen if they're actually verifiable.
>> brian: we have an interesting question from online. i know we've got another couple from in the room. this one is from mikey. what about a global simulation of cyber event with a goal of beginning to build a global, who can i call for immediate help type mechanism? i know that in certain countries tabletop exercises take place with a number of different participants that create scenarios, what about this idea of a global simulated cyber event? is that feasible, would that be helpful? ram-- oh sorry, danny.
>> ram: i was just going to; i think it was miguel that quoted mike tyson. all the simulations are great but reality is often very different so, we'd have to think about whether the simulation is actually helpful. certainly it helps to get people to be aware of who they should be contacting and who to work with. but the real life scenario is probably going to be fairly different.
>> brian: fair enough, danny.
>> danny: yeah this is working now. i would just add there are some multinational simulations today, everything from cyber storm to you name it, lots of national level exercises, international exercises, that sort of thing. i think from a global scale perspective, we have those every day, [laughter] so i'm not sure we actually need one. certainly we're on the receiving end of a lot of love and so i think that exercising [audio issue] and understanding those sorts of things, but [audio issue] final turn of attack vectors.
>> brian: okay in the room, i think we have at least 3 more. okay come on up to the mic-- oh is that one working now joley?
>> joley: no.
>> brian: okay come on up to the mic please and if you'd introduce yourself before the question please.
>> my name is anthony bargese [phonetic] and i'm from john jay college of criminal justice. you guys covered some of the parties that ddos and users and also the government, and also the providers and how to be responsible and proactive. but what about software vendors or some of the vendors that are putting their products out there with all these security holes and that's where it starts and ends with the ns providers, the isp providers who sometimes host these command and control servers for these ddos attacks. should there be a change of mentality on their side? i know that google does something that's called bug bounties; they offer you money if you find a bug on their software. should this be applied across the board for all the software vendors and of these providers of products?
>> brian: [inaudible]
>> damian: i guess i have to start. so we do find-- what he was referring to is google has a program where we actually pay for people to find bugs in our products, so for security critical bugs. so we found that there's a lot of college kids or independent security researchers who are very interested in looking for security holes and when they previously basically had no option but they could give it to us privately, hope that we'd fix it or to whatever vendor of the software was. it could be microsoft or adobe, and hope that they would fix it, but then if the company could just take no action and they could just wait and let this vulnerability remain and eventually this kid might say, the security researcher would say why am i waiting on this? everyone is vulnerable to this thing and they would publish this exploit and then you could see lots of attacks targeting that. so what google has done is basically start offering money for bugs to compensate their time in finding them so, if you compromise, if you find a vulnerability in google chrome, the web browser, we'll pay you for information on that vulnerability with the agreement that you're going to keep it quiet until we fix it, which could take a few days. and that way we're able to protect everyone and also compensate the security researcher.
>> brian: interesting, miguel.
>> miguel: the thing that kind of complicates this a little bit also is that a lot of the internet runs on open source software, which makes it a little bit more difficult to be able to put these mechanisms in place. with the recent bank attacks, we saw vulnerabilities exploited with open source content management systems that are widely deployed like [inaudible] etcetera and wordpress. these are open source software that is out there that is used significantly and so it gets a little bit harder.
unfortunately it's difficult for operators necessarily to control the content that is on their system, especially the shared hosting operators etcetera, and it's hard to push people to update their software, and as for software developers, as much as they'll try to make things as secure as they can, there's always going to be some kind of a bug, you can't get it all, and with the fact that there's so much open source software out there, it's not like you can point a finger and say you are responsible. it's quite difficult to do.
>> brian: yeah, ram.
>> ram: you know one thing that software manufacturers and the developers of software,
some of them have to start thinking about and changing their mindset is to come to the understanding that many of the devices on which the software is running are always on and they're always online. there's still a lot of software that does not incorporate automatic updating and regular downloads of patches. that should be the baseline, that should be the very fundamental thing and that's the kind of thing that ought to be taught in schools for folks learning how to write code. it's not enough to just learn to do the code, but to have that mechanism in there. it ought to be trivial and it ought to become regular.
unfortunately, it's more the exception than the norm today and i think if you'd get to that point that will solve some part of the problem significantly.
>> brian: danny.
>> danny: so yeah i think i would be remiss in not mentioning verisign's idefense vulnerability contribution program as well, and we do something very similar for any vulnerability that falls within a very broad spectrum that are multivendor and try and do responsible disclosure associated with those. to the topic in general, i think bounties are certainly valuable things in general for people that want to apply exploits in a positive way and contribute in a positive way to industry.
i think anybody that's paying attention certainly realizes a lot of the commercial vendors, while there's always going to be a long way to go, are leaps and bounds from where we were with wormable systems or even patch management systems that we were vulnerable with a few years ago. and so i think microsoft is an example, but lots of others as well, and so i think we are making progress but, secure coding practices, application, software security, those things and all the fundamentals are certainly things that we're going to have to continue to do a much better job at.
>> brian: thank you, i know we've got two more questions in the room. go here first and then please identify yourself.
>> [inaudible] new york technology council. i was wondering if you could put this in perspective. are ddos attacks the one thing we should be focusing on, are there other, like syn floods, other attacks that are similar in nature that there should be conferences on and keep you up at night, or is this where most of your energy goes?
>> ram: yeah this is the single biggest thing that keeps me up at night. lots of other things end up becoming part of this much larger stream and it used to be that it was a dos attack and then it became a ddos attack and then you had command and control
and then you have crowd sourced, it's evolving, it's not the same beast as it was many years ago. so the definitions from multiple years ago are not what it is today. what really scares me about this is the asymmetric nature of the ability for an attacker to mount a significant attack in a very short amount of time and keep it sustained for a long period of time and really drain you on the responding side of your critical attention resources. that really worries me and i think you look at syn floods or any of those things; those kind of are subsumed into the larger scale of this phenomenon that left unchecked i think has a significant negative impact.
>> brian: yes jillian.
>> jillian: yeah just i actually agree with what ram just said. i would add to that to say, and if you're thinking about the scale, the most recent stat that i have off the top of my head is that in 2010 arbor networks was detecting roughly 1300 attacks per day and i'm guessing that it's much higher than that, the real number, and so i do think this is a big concern because of the impact that it has. i mean there are certainly plenty of other types of attacks but the sort of inability to protect oneself, coupled with everything that ram just said, makes this a much bigger issue
than some of the other things that we're looking at.
>> danny: i was going to add that ddos has two primary vectors, volumetric, in other words attacks are getting bigger, more frequent, longer duration, so forth, but the sophistication of those as well where the right query string could drive a lot of backend transactions on the right piece of [inaudible], those sorts of things from a denial of service perspective is the availability side of the information security [inaudible]. the other two sides are the integrity of the information on the infrastructure and the confidentiality and i think certainly for anyone
in the information security field persistent attackers, advanced attackers, even general attackers and mobile devices and bring your own device and sort of a squishy perimeter and soft underbelly inside an enterprise or at starbucks or whatever. all those things for information leakage and so forth certainly is something that you should be concerned with as well, but the availability side for a lot of folks that are in the network services business is a very big piece of that, but also the sort of more concerted attackers that might want to control the right keyboard as opposed to simply disabling is also something that has some pretty far reaching effects.
>> brian: damian.
>> damian: so i wanted to say from a defender standpoint, yeah ddos is sort of the largest concern right now but from a global view, i think dos attacks are really a symptom of a larger problem which is that there are a lot of infected machines on the internet. i think at one point i heard an isp say they estimated 10% of their customers are infected. so when you take that into account, if we could actually stop having so many infected machines on the internet or so many vulnerable machines at least, then that would largely reduce the scope of these dos attacks
and for that we basically need what ram was saying, automatic updates have to be the normal thing. you should never have any client side software that doesn't automatically update.
>> brian: thanks, miguel.
>> miguel: just adding to one thing that damian is saying, i absolutely agree with all of that in terms of automatic updates and especially for end user computers which form a significant part of the botnet paradigm these days. when it comes to enterprises, it gets a little bit more difficult. i think as much as i would love to say automatically update my production software,
unfortunately, especially for large-scale operators, they're running infrastructure that services a lot of people, you don't really know what's going to happen when you make an update potentially and that has to be very carefully controlled, it's got to be regression tested. it's got to go through extensive qa, and are we ever going to get to a point where it's going to be easy for enterprises to be able to push out security fixes? the idealist in me says i hope so, but i'm skeptical that that's going to be the case because the day-to-day aspects of ensuring business operations, continuity and making sure that assets are available are most likely, for the foreseeable future, going to trump the need
to push out updates as quickly as possible.
>> brian: actually we do have two more questions. this gentleman here first and we do have time for two more questions. so will you come up please?
>> i am [inaudible]. i run a software company called qcd systems. so the question is actually very similar to the previous one but i'll go a little more in detail. so when it comes to security, [inaudible] security off of just data itself.
so there's an attack to intellectual property and then we've heard of cases that intellectual property got stolen [inaudible] of that. movie companies always have their trailers leaked and pieces of movies leaked, so that's one kind of attack out there. then there's other things; like the phishing kind of thing, like [inaudible] scams and all that. i'm talking about things that affect users and companies. and then there's also the risk that your bank account may have been compromised, your passwords might have been stolen or are easy to guess.
so in the scheme of all these different things, where will you place denial of service for a company or for a consumer, because they have plenty of things to deal with right now when it comes to security? so i was just trying to get a perspective on where this distributed denial of service fits into the larger scheme of things and how relevant it is, and the other part is where do you see things going let's say five years from now? is this going to be the single biggest thing to worry about or do we have other things also that we should be concerned about?
>> brian: thanks.
>> danny: i would just say that you know for your organization it's going to be specific to your organization. you're going to say here's our risk tolerance for these things, for these internet facing properties, this information security or data privacy or data retention, or digital rights management, whatever it is you're concerned with. i don't think that there's a one size fits all, i think it's all about risk management for your organization because if you don't have a lot of internet facing services, it may not be a problem. more than likely you have some things today.
you wouldn't be here if you weren't relying on the internet in some way, so what does that mean to your business? as opposed to some piece of information from either your personal bank records or your corporate information being actually traded to the wrong person, what would that mean? so i think it all goes back to what are the critical assets of your organization, what enables those and how do you balance risk to those assets?
>> ram: so the way i advise folks or provide some suggestion is, you really have to think about this and look at it as a matrix. you have to think about, which is further to what danny is saying,
you have to worry about confidentiality, or integrity, or availability and you have to figure out which of those matter more for you. you can't have one versus the other, in many cases you want to have all of the above, but you have to decide which of those matter more for you, and then devote your time, effort and resources towards that. but picking just one, just having great availability, ddos mitigation ensures availability, but if you have a site that is running on software that has not been updated and is prone to buffer overflow attacks then all the availability is going
to be fantastic for you to get hacked. [laughter] so you have to figure out where it is on the spectrum and devote it. one reality is that no matter what the budget that is allocated, if you're a corporation, if you're an entity, the budget that is allocated to it, it seems that it remains the same, it suddenly doesn't reduce and you simply reallocate the pie depending on what you think your biggest vulnerability is, your biggest risk is.
>> brian: anybody else, jeff.
>> jeff: i would just say you know you asked about what's important to a company
or [inaudible], i mean it totally depends. i think brian talked about some guy from ohio, more likely to have a problem, it may be inconvenienced by ddos because they can't get to whatever website, but they're more likely to have their computer compromised or identity stolen or other activity. that's going to hit them deeper and for a longer period so it's totally situational. in terms of where we're going in 5 years, my guess is that we'll see new nefarious uses for the same old tools. there's some new stuff out there but it's a lot of variations on a theme
and just finding new creative bad ways to use them for bad purposes or profit. so i think the denial of service attacks are here to stay but how they're used will probably morph and change and cycle back, what's old is new again.
>> brian: miguel.
>> miguel: the thing that troubles me a little bit about the future when it comes to ddos attacks is that, because it's been in the news a little bit more, because it's been publicized a little bit more, you look at what happened on the bank attacks lately, there's kind of a blueprint now that is out there that people can potentially follow to launch these large-scale attacks.
you've got what happened with the banks recently, at least at a high level, it's public knowledge how it was sort of done from a high level, that information is out there and those attacks kind of proved yes, it's possible. they provide a blueprint for people to follow for doing it again and the fact that that was done scares the heck out of me.
>> brian: thank you and we have one final question from the room, please.
>> hi, it's lucas from [inaudible]. just following up similarly to the previous question, based on the trends that you've seen to date, where do you see these attacks heading both from like an attacker perspective as well
as from a mitigation perspective? do you see one side winning the cat versus mouse game?
>> brian: great question, damian?
>> damian: yeah so attacks are basically growing exponentially, i think if you look at most of the data on this you'll see that the size of the attacks roughly doubles every year. i have graphs that track this back like 8 years and it's kind of scary that it's actually continuing, that exponential growth, but i think it's important to realize that that's just the internet is growing exponentially as the consumers, as the end users, bandwidth increases, their home,
the website bandwidth is also increasing so, you can kind of keep up but i think that a lot of what we're going to run into is a very small website, you know especially the types of sites that jillian is worried about are simply too small to possibly survive. so they're going to be forced to combine their resources and pool with others so what i expect is probably going to happen over the next five years is we're going to start seeing organizations consolidate into larger and larger pools until eventually we're going to have only like maybe five organizations that offer ddos mitigation in the cloud as a service. it's just my guess of where the world is headed.
>> brian: ram.
>> ram: and my fear is that we get to that point and then they get too big to fail.
>> brian: well, with that thought, we're going to bring this to a close. [laughter] well done. fear and loathing in new york. public interest registry, the new york technology council, internet society and the internet society's new york chapter want to offer our sincere thanks to the panelists today. thank you so much for your time, your dedication
to helping us understand this really critical issue and also to thank the audience here and the audience online for following along. we hope that today's event has been helpful and that the participants come away with a greater appreciation of the scope of this problem, steps that should be taken to mitigate ddos attacks, and the potential for significant unintended consequences. ddos is a serious issue in today's interconnected world, one that is not just going to fade away as we've heard. fortunately there are resources available to help us confront the myriad of challenges. i would like to specifically thank joley mcfee [phonetic] from isoc, new york,
eric grimmelman [phonetic] from new york tech and paul brigner [phonetic] from isoc here for helping us make this happen in a real sense. along those lines, we at pir intend to make the recording of this event available online at our website and our social media sites and push that out and we're also going to post additional background materials and encourage anyone to recommend other helpful tools and information like the eff guideline to keeping your site alive. so again thank you to everyone for joining us today. thank you so much.
[ applause ]