Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Internet Government Security The Military News Politics

Beyond Firewalls — Internet Militarization 83

angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."
This discussion has been archived. No new comments can be posted.

Beyond Firewalls — Internet Militarization

Comments Filter:
  • by Flibberdy ( 780254 ) on Friday March 13, 2009 @07:34AM (#27179345)
    It's not like they started it or... Oh wait... D'oh
  • DMZ became null.
  • Militarization? (Score:3, Insightful)

    by morgan_greywolf ( 835522 ) on Friday March 13, 2009 @07:36AM (#27179361) Homepage Journal

    Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

    A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

    Can we all just lay off the hype machine a little bit?

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Have you ever had your server vaporised by slashdot paramilitary forces?

    • Re:Militarization? (Score:5, Insightful)

      by Chrisq ( 894406 ) on Friday March 13, 2009 @07:57AM (#27179519)
      Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.
      • Re:Militarization? (Score:5, Insightful)

        by morgan_greywolf ( 835522 ) on Friday March 13, 2009 @08:01AM (#27179557) Homepage Journal

        Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.

        Well I think that many people would be a lot more upset about a shell and mortar attack on any city in their own country than a day's outage at their bank. I speak from experience.

        • Re:Militarization? (Score:4, Interesting)

          by Chrisq ( 894406 ) on Friday March 13, 2009 @08:06AM (#27179595)
          Surprisingly I think not always, it could depend where it is in the city. I have spoken to people who live in cities with gang-land areas who see attacks (drive by shootings, houses burned out, etc.) as though it was talking about somewhere the other side of the world. If one gang fired a mortar at another's stronghold this probably would not worry them too much.
          • Well, there's a large difference between gang-land violence and an actual military mortar attack. For one, the gangs, at the most, have AK-9s and Uzis and are primarily aiming to kill each other. A rocket-propelled grenade attack by an organized militia will generally be far more destructive and cost many more lives.

            Besides, gang-land areas are probably among the last places a military or paramilitary attack by the enemies of the U.S. are going to attack. I'm sure they could think of much more valuable t

            • Well then do you consider Hamas a gang or a military. They fire hundreds a rockets yet rarely cause deaths with said attacks.

              According to your statement they are no more than a street gang.

              • Re: (Score:2, Informative)

                Nice strawman you got there.

                To begin with, I've visited and even lived in gang-infested neighborhoods. It's not as bad as they make it out to be in the movies or in the news media outlets. Yes, it's bad, but no, it's not the same thing as living in a war zone.

                • by BadERA ( 107121 )

                  Depends on the neighborhood. Two different occasions in Rochester, NY, within two weeks of my moving out, people were killed within eyesight of my former homes. One was a robbery/murder, the other was a gangland initiation, totally random killing of a guy riding his bike on a bridge over the Lower Falls of the Genesee River. The latter neighborhood, my apartment was up on a hill, and some weeks, in the summer, it was very much like being in a war zone -- multiple shots, or bursts of shots, from multiple dir

                • I happen to agree with you, but his statement was worded that gangs use grenades and ak-47's to randomly kill and shoot at each other. they blow things up.

                  yet the death toll is relatively minor compared to that of a war zone.

              • Re: (Score:3, Insightful)

                by PopeRatzo ( 965947 ) *

                No, the West Side of Chicago is not the same as a warzone.

                The conceal/carry law that's trying to work it's way through the Illinois Assembly may improve the chances of making it one, though.

                Think of a gang and drug-ridden neighborhood, now add the easing of restrictions on the purchase and possession of guns.

                I heard a pro-gun writer for Reason Magazine (a dim-wit Libertarian rag) say that there should be "absolutely no restriction" on the sale or possession of any type of firearm" because that's what our Fo

                • Re: (Score:3, Insightful)

                  So you believe that gang members and those involved in the illegal gun trade are sitting around waiting for this law to pass before arming themselves?

                  How are they murdering one another now?

                • Re: (Score:2, Informative)

                  by wizden ( 965907 )

                  I used to live in the west side of Chicago. It needs a conceal/carry law that allows citizens to protect themselves. The criminals there already have AK-47 battles in Humboldt Park. Nice logic with the hole in the ground though. How much more gun control can you get in a city that absolutely bans handguns? At what point will you admit that it isn't working? How does your "more gun control" argument work when the law can't be taken any further? I could get an illegal gun in 10 minutes in Chicago.

                • Re: (Score:3, Interesting)

                  Comment removed based on user account deletion
                  • by Cyberax ( 705495 )

                    So go after the criminals. What's the problem?

                    Or do you think your gun is going to save you from criminals? Ha!

                    • Re: (Score:3, Informative)

                      Comment removed based on user account deletion
                    • The US has some of the least restrictive gun laws of any developed country and we still have one in 31 Americans in jail and a higher rate of violent crime than almost any other large developed country

                      I'm not sure you can make the statement that having an armed population lowers crime.

                      Tell you what, I'll compromise and say that anyone who's served in the armed forces can own and carry a gun as long as they don't have a history of mental illness. But you? No way. You sound too angry to be anywhere near an

                    • Comment removed based on user account deletion
            • Re:Militarization? (Score:4, Insightful)

              by PopeRatzo ( 965947 ) * on Friday March 13, 2009 @09:18AM (#27180197) Journal

              Well, there's a large difference between gang-land violence and an actual military mortar attack.

              Morgan has a point.

              There is a huge difference between preventing terrorism and fighting a war.

              Unfortunately, "war" is something that people who have never been in one think is romantic or exciting. I never thought much about war until my wife and daughter were stuck in Belgrade during the NATO bombing. I'm watching the CNN, seeing US planes, pilots and ordinance doing it's very best to kill my dearest loved-ones.

              So, should we fight terrorism with police action or with a "War on Terror"? Clearly, let the cops handle it and get our people out of Iraq before someone else gets hurt.

              • The age of wars being "soldiers lining up and shooting at each other" is long over. It looks like the neighborhood cop walking a beat is following.

                Things like the Juarez Police Chief [slashdot.org] getting essentially run out of town to the forces that pushed the Russians out of afghanistan (and the USA in Iraq).

                Police in some places have a real fear that simply by being identified as police officers could get their families killed. (masked policemen [bbc.co.uk])

    • For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

      Firstly, I'm interesting in where you got a definition of DDoS that includes the clause 'cannot do permanent damage'? You're probably thinking of of stuff like blowing up buildings though.. sure.. it's not-likely that a DDoS would blow up a building, but there is a likelihood that it could cause permanent damages. If nothing else because of the inaccessibility of real-time data streams.

      If you DDoS a bank during it's nightly batch, you can cause that bank to loose a days worth of interest for example. That's

      • If you DDoS a bank during it's nightly batch, you can cause that bank to loose a days worth of interest for example. That's a real and permanent damage.

        I've never worked in a bank before, but I think it's more likely that interest accrues from the time of the actual transaction recorded by the bank, not from the time the transaction was posted electronically by the bank's nightly batch.

        Am I wrong? Can someone with financial IT experience tell me if I'm right or not?

        • I think thinking more like the transfer of large quantity funds between banks.

          Although I'm totally spitting out of my behind since I don't really understand that much of how high finance bank and ACH transactions really work.

    • Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

      A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

      Can we all just lay off the hype machine a little bit?

      That's right, because it's only information flow that is being disrupted; the core information is intact. It's not like a hospital, emergency services, electric grid, air traffic control or other networks actually need to pass information to work properly.

    • What about a DDoS on a major stock exchange for example? Or someone brings down bus/train/air traffic control systems? Before anyone comes in with "The US ATC system is protected by..." that isn't the point. The point is, there are many critical systems that could cause great economic and possibly physical harm if successfully attacked. There are definite problems that can be had by this.
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Friday March 13, 2009 @07:40AM (#27179371)
    Comment removed based on user account deletion
  • by kcbanner ( 929309 ) * on Friday March 13, 2009 @07:41AM (#27179381) Homepage Journal
    I put my computer in the demilitarized zone.
  • Well, yes. (Score:5, Insightful)

    by tygerstripes ( 832644 ) on Friday March 13, 2009 @07:43AM (#27179397)

    It was inevitable, surely. Once governments came to realise that the web was becoming a legitimate medium rather than an entity, they would obviously start to employ it in the same way they have every other.

    I have to ask: is this story about governments wising-up in the ways of the intertubes and turning it to their advantage, or about the fact that this was discussed at a conference? I'd have thought the former was self-evident, and the latter was completely un-newsworthy. Maybe we can discuss specific examples [bbc.co.uk] of political internet jiggery-pokery, but this kind of vague allusion is just going to prompt hot-air discussions with no real content, isn't it?

  • What makes denial of service attacks so hard to respond to technologically? Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

    Or is the problem more in the "distributed" part than the "denial of service" part? Can a network engineer enlighten me?
    • Re: (Score:2, Insightful)

      What makes denial of service attacks so hard to respond to technologically?

      Really, it's not.

      Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

      Yes, such routers actually exist, although even some commercial-grade routers tend to made with low end processors and such that if your pipe is fat enough, it can become overwhelmed.

      If you want to stop a DDOS and your firewaall can't seem to mask off IP ranges quickly enough, by far the easiest technological measure is really quite simple: sever the connection. I guarantee you the DDOS will no longer be affecting your equipment at that point.

      Our TCP/IP networks were built to survive conn

      • by Tuoqui ( 1091447 )

        If you want to stop a DDOS and your firewaall can't seem to mask off IP ranges quickly enough, by far the easiest technological measure is really quite simple: sever the connection. I guarantee you the DDOS will no longer be affecting your equipment at that point.

        Congratulations the attacker just won. You've DOS'ed yourself by yanking the plug. Admittedly this might be a consideration if the DDOS is performing attacks on your servers as well as flooding the tubes to keep your data safe.

        • by maxume ( 22995 )

          It often makes sense to abandon a battle. The attacker only wins if you permanently sever the connection, a temporary disconnection may make lots of sense (and it may not make any sense...).

      • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday March 13, 2009 @08:11AM (#27179643) Homepage Journal

        Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

        Well, I am not a super-network-nerd, but my impression is that the reality is very different. As has been pointed out repeatedly there are a limited number of choke points which, when interrupted, disrupt large percentages of internet traffic. In addition you have to generally spend some money to get multihoming. For the home user, no big deal; you might lose your connections-in-progress but it's not likely that you'll have any other serious repercussions. So sure, a home user could back up Cable with DSL, for example, and gain all the most important benefits of multi-homing without even doing anything very complicated. But a business user needs to spend, spend, spend to multi-home. Once you're over a certain size you're going to need multiple connections anyway, so the relative cost of doing this drops considerably.

        A lot of things were designed to work much better than they do due to implementation. I suggest that evolution needs to give way to revolution and the internet we know and occasionally love must give way to a somewhat more anarchic mesh-network. Honestly I see a place for both; When I want to communicate with "the system" I'll use "the internet". It is however long past time for the people of the world to just utilize technology to bypass our corporate masters and take control of our own lives.

        On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet? I suspect that the carrying capacity of earth has been exceeded, at least as we are practicing life, so this is a reasonable upper bound for now. Besides, you don't actually need that many APs.

        • by m0i ( 192134 )

          But a business user needs to spend, spend, spend to multi-home.

          Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100mpbs link for $1000.. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free.

          • Re: (Score:3, Informative)

            by drinkypoo ( 153816 )

            Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100mpbs link for $1000.. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free.

            Well, correct me if I'm wrong - my understanding of this subject is limited to conversations I've had in the distant past - but isn't it true that in the CIDR era your provider has to agree to carry your route if it is actually going to do you any good? Your ISP allocates you a piece of their network, which is already routed. Don't they have to (at minimum) tweak their routes so that they don't override yours? I mean, otherwise you first have to buy a block of addresses, which is (again, to my understanding

            • by Cyberax ( 705495 )

              That's what BGPs are for - it allows YOU to control how your traffic is routed. Because all major routers on the Internet also use BGP to configure routes.

              The grandparent is also correct in saying that it doesn't cost much. It's possible to have completely OpenSource router and even modest hardware can handle routing.

              • by Cyberax ( 705495 )

                Typo: BGP, not BGPs - I meant BGP-capable routers.

                BGP stands for "Border Gateway Protocol", so it can't be plural.

        • by wizden ( 965907 )

          Super-network-nerd here. Do you own any fiber? Who are you peering with for your magical internet access? Sorry, I don't mean to be a dick but people forget that you actually have to connect to the network at some point. The choke points you speak of are peering points and I have to say if you DDOS them it won't last very long. This is why groups like NANOG exist.

        • Re: (Score:3, Informative)

          On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet?

          The short answer is, there isn't one. None of the existing wireless networking schemes are designed with mesh networking in mind. None of them are designed with the range required to achieve sufficient density to qualify as a mesh.

          A device designed to operate in the ultra wideband (UWB) frequency range is a possibility. In theory such a device could achieve 480 mbit/s at 10m ranges. Attempts to date have fallen rather far short, but that could be addressed by better engineering. Actual devices [videsignline.com] (wirel

    • by rhael ( 1351399 )
      Actually firewalls can filter out ip ranges. The problem is indeed the 'distributed' part, the requests don't come from specific ip ranges, they come from machines all over the internet. It's basicly impossible to see the difference between a request that comes from a user and a request generated by a program
    • by Tuoqui ( 1091447 ) on Friday March 13, 2009 @08:06AM (#27179593) Journal

      It's pretty hard to stop because it is a outright brute force method.

      1) All tubes have a limited capacity.
      2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.

      Distributed makes it harder because the IP addresses do not come from any singular location so you cant just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data request from legitimate traffic.

      • giving up mod points to say this, but must be said. The internet is tubes? So Senator Stevens was right!
    • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 13, 2009 @08:21AM (#27179729) Journal
      DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so you identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.
      • I gather that if you have a BGP peering relationship, you may be able to signal to your ISP that they should "black hole" traffic from certain IP address ranges before it reaches you.

        Perhaps it would help if this were something that could be adopted across the whole internet. For example use a digitally signed source quench message to clobber traffic to the IP address range you own (based on your digital signature) right where it enters the internet (or at least where it enters the first compliant node)

  • are we going to see things like specifically targeted viruses designed to put a server out of commission as permanently as can be done?

  • by metageek ( 466836 ) on Friday March 13, 2009 @08:20AM (#27179711)

    DDOS attack is the poor man's slashdotting

  • You think silencing politicians is hard... Critics? Going to have to dish out a few extra bucks in taxes for Government OT.
  • It's inevitable that space and the internet are going to be militarized.

    If I were our government, I'd use big media for military purposes: convince the youth of other countries to engage in selfish, yet self-destructive, activities.

    Oh wait, someone beat me to it!

  • Damn. We are loosely badly to all the lawlessness adware, malware, and viruses out there. I don't really want a cyber gun per se, but I'd like to hire some one to effectively shield myself from them. Current anti-virus, anti-spyware, and anti-malware products just aren't quiet cutting it right at the moment. They are better than nothing, but I want 'em to be much more effective.

    Heck, I want assassin squads sent out after the writers of adware, malware, and viruses. Let's see what happens when these cyber gu

  • I've heard recently that the police forces across all states are given documents suggesting anyone who mentions the US Constitution and espouses their rights (for example, warrantless checkpoints) are being classified as terrorists against the government. It has also mentioned the shutting down of the current internet in favour of Internet II which would be more controlled (for example, anti-government sites would not be allowed...freedom of speech anyone?). See the following for more: the Alex Jones Channe

    • Hmm ... a bunch of ok facts and then a giant leap to a big conspiracy theory ( It's WTO and IMF who are to blame). Come on. You can do better, even on slashdot.

      The Canadian guy is a real comedian. To suggest running the printing press to cover a trade deficit. The Canadian dollar would become worthless over night. The only scandal he points out is fiscal irresponsibility. Nothing new there.

      • by cagrin ( 146191 )

        The main fiscal fact in both the US and Canada is that money is being allowed to be created and controlled by the private banking interests. Governments have the right and obligation to create their own INTEREST FREE money for the continued freedom of their people. Money now is simply debt(with interest!) owed to a bank and no longer based on a hard asset such as gold or silver they simple create it on the 'books', which should ONLY be the right of the government. This at it's root is basically a scam to re

  • Sounds like a rehash of the mid 90's of EFnet....riding the splits.

    So how long before the Pentagon loads up some eggbots, a few BitchX clients and some war scripts...

    Hi Ho, Hi Ho, it's Off to War we go!

  • This trend will only continue as the barrier to entry continues to drop. More and more attackers become resourced enough to perform DDoS and other assaults against online security, while at the same time, the it gets easier and easier to obtain the tools, techniques and knowledge to perform the attacks. As those two curves intersect, these attacks will continue to grow. Cybercrime as a service also plays into this and generates an underground economy that can come to bear on these attacks as well. While I
  • "Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods"

    This was news 8 years ago when China first attacked individuals' pro-Tibet web sites. The attacks were readily traced back to their Ministry of Defense.

    If it were a case of someone foisting old news as new on the knowledgeable, that would be pitiful. However, the conference where it was presented was specifically for newbies (both persons and companies) to the field. While hardly news to /. it wa

  • by b4upoo ( 166390 ) on Friday March 13, 2009 @11:38AM (#27182337)

    Since computers tend to be communication devices the question folds backward into another question. Can any government survive good communications among its citizens? I really doubt it. Understanding government will lead people to realize that for their individual situation the government is a negative. If you end up with any substantial percentage of a population feeling that the government is negative in their lives they will find a way to crash the government. Even 10% who are real disaffected with government will assure failure of a nation.
                Back in the Hippy movement the young understood that. Tune in, turn on, and drop out was every bit as serious as an enemy marching toward a border. Whether the hippie seeking to end the Vietnam War or the kid in the mud in Vietnam was the better patriot is open to debate. But one thing is sure. The hippies did cause that idiotic war to end. Sadly we have so many ruined lives on both sides of that war as living testimony that war is a lousy idea.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...