Last week my cable modem suddenly died and that single point of failure cast me into the prehistoric world of no internet. While I was sorting that mess out, computer security hero Brian Krebs was also having internet trouble. He came back online today after being squeezed off the internet for a few days by a distributed denial of service (DDoS) attack, a rather nasty one it seems. He wrote an interesting report and a follow-up, worth taking a look at. It kind of makes my head spin. A lot of technical details but it seems like the internet is sick.
Let’s take a look at some of the rotten parts. First is DDoS itself. I never paid this much attention. It seemed like a craven and clumsy kind of petulance more than anything serious. "These are non-professionals who use DDoS…to instigate attacks out of boredom or spite" says this report. Do we really need to be worried about bored punks? Maybe. It seems this stuff is becoming professionalized which is making it more prevalent. Beyond denying you service to a legitimate resource you’d like to have access to, the aforementioned DDoS clumsiness pollutes the entire internet with junk packets. It basically degrades everyone’s bandwidth or increases everyone’s cost or both. I can’t find a solid number but it seems like between 2% and 5% of the internet are bogus packets. I don’t even know if that counts spam.
Brian mentions the Internet of Things. I find the notion somewhat cloying since I’ve been waiting for computers to interact with the real world for a long time. And like the sadly clumsy applications that have been contrived for our marvelously small and efficient new computers, the dumb things that are being envisioned for the IoT make me think, don’t bother. Brian’s experience (many of the attacking hosts were IP webcams) shows that these devices, which are really just difficult-to-manage computers with bad proprietary controls, are a security nightmare and a threat to the internet of data.
Brian mentions Border Gateway Protocol (BGP) in his last article before the recent attack (perhaps not a coincidence). I’ve been concerned about BGP hijacking since last year when I learned about it. (It didn’t cause my problem, but it easily could have. You have been warned.) We’ve already figured out that DNS is pretty much sucker bait for computer criminals. We knew that when you typed in a name, you might go to the wrong number. I think we’re going to see a rise in cases where you get the right number, but the mysterious routers deep in the internet send you to the wrong machine anyway. All I can tell you is learn to appreciate SSH host keys and don’t use the WWW for anything serious.
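To make the host key point concrete, here is an added example (not code from the Krebs articles or from this post's author) that checks the key a server presents against a pinned known_hosts entry, so a rerouted connection to the correct IP address still shows up as a mismatch. The host name, the address 192.0.2.10 and both keys are constructed sample values, and only plain (unhashed) known_hosts lines are handled.

```python
import base64
import hashlib
import hmac
import struct

def ed25519_blob(pub: bytes) -> bytes:
    """SSH wire encoding of an ssh-ed25519 public key (two length-prefixed strings)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(known_hosts_text: str) -> dict:
    """Map (host, keytype) -> set of pinned fingerprints from plain known_hosts lines."""
    pins = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, keytype, b64 = fields[:3]
        fp = fingerprint(base64.b64decode(b64))
        for host in hosts.split(","):
            pins.setdefault((host, keytype), set()).add(fp)
    return pins

def check_host_key(pins: dict, host: str, keytype: str, presented: bytes) -> str:
    """Compare the key a server presents with the pin; the address proves nothing."""
    known = pins.get((host, keytype))
    if known is None:
        return "unknown"  # first contact: verify out of band before trusting
    fp = fingerprint(presented)
    return "match" if any(hmac.compare_digest(fp, k) for k in known) else "MISMATCH"

# Constructed sample data: key bytes are made up, 192.0.2.10 is a documentation address.
REAL_KEY = ed25519_blob(bytes(range(32)))
IMPOSTOR_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = ("# constructed entry\n"
               "server.example.net,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(REAL_KEY).decode() + "\n")

if __name__ == "__main__":
    pins = load_pins(KNOWN_HOSTS)
    for label, key in (("real server", REAL_KEY), ("hijacked route", IMPOSTOR_KEY)):
        print(label, fingerprint(key), check_host_key(pins, "192.0.2.10", "ssh-ed25519", key))
```

The "unknown" result is the weak spot: a key accepted on first contact without an out-of-band check pins whatever machine answered.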
These Krebs articles also tipped me off to RFC 1701, Generic Routing Encapsulation. Is this some kind of joke? You’ve heard of Voice over IP; this is IP over IP. Or am I missing something here? But should I be surprised? VMs run the world now and the virtual machine, like IP over IP, is an admission of failure. It’s basically saying, ok, we’ve mismanaged (the OS|the network) so badly let’s just start again with a pristine one, (emulated|encapsulated) in the mismanaged one. On the other hand, if you screw that up, the same recursive solution is always available to you. So there’s that.
Oh well, enjoy your internet while it lasts. Hopefully it all just stumbles along sufficient to requirements. But it might be wise to cultivate a lifestyle, or at least some hobbies, that don’t require it at all. A prolonged internet outage would probably do many of us some good.