Tuesday, September 6, 2016

Sunday’s Malicious DDoS Attacks against Linode

Scrapbook #1: Sunday’s malicious DDoS attacks against Linode and the article, “The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks” by Alex Forster

Links:

Linode’s Live Status Updates from Sunday, 09/04/2016
https://status.linode.com/

Linode’s retrospective by Alex Forster on another DDoS attack, published earlier this year, 01/29/2016
https://blog.linode.com/2016/01/29/christmas-ddos-retrospective/  

The above in PDF format:
https://drive.google.com/a/csumb.edu/file/d/0B3hQr_XgIHuEZmhaNXV2ZWVWMjlQLUpLSktYWkpMcXhHWnlN/view?usp=sharing

https://drive.google.com/a/csumb.edu/file/d/0B3hQr_XgIHuEcURJYzRINlI4RWN1NlFZakdLNlNmM0lPYzkw/view?usp=sharing

https://drive.google.com/a/csumb.edu/file/d/0B3hQr_XgIHuEZ1NVeW1aSmhTMlQ1R0RoVUNyTlBmYUtOMm9F/view?usp=sharing

Summary of the article and status updates:

On Sunday morning, September 4, 2016, Linode, a company that provides KVM-based virtual private servers (cloud hosting), began reporting, via its website’s status updates page, that its Atlanta regional data center was being hit with distributed denial of service (DDoS) attacks.

This is not the first time the company has been the target of such a malicious attack meant to damage its business: while researching this entry I found the article linked above, published in January of this year, in which the company provides a retrospective on an extensive and lengthy attack that took place during the last Christmas/Winter/New Year holiday season. In publishing the article, the company sought to give its clients and interested readers a transparent report of the attack as well as a retrospective account of what was learned.

The specific attacks (numbering in the hundreds) on the Atlanta data center were volumetric in nature. According to Forster: “A volumetric attack is the most common type of DDoS attack in which a cannon of garbage traffic is directed toward an IP address, wiping the intended victim off the Internet. It’s the virtual equivalent to intentionally causing a traffic-jam using a fleet of rental cars, and the pervasiveness of these types of attacks has caused hundreds of billions of dollars in economic loss globally.”

Forster writes, further, that it is typical for Linode to receive dozens of such attacks each day, for which their response tool is remote-triggered blackholing. “When an IP address is ‘blackholed,’ the Internet collectively agrees to drop all traffic destined to that IP address, preventing both good and bad traffic from reaching it,” the author writes. Blackholing fails or is ineffective, he goes on to explain, when the targeted IP is a critical piece of their or their colocation providers’ network infrastructure (e.g., API endpoints or DNS servers) that many other connections depend on.

Additionally, the article explains, Linode’s routers carry secondary IP addresses for customers, which are susceptible to attack and, in this case, were subject to dozens of simultaneous attacks. Mitigation was manual, and therefore exceptionally challenging, slow and error-prone; also, only so much blackholing can be done at any one time because it is itself subject to error. Finally, the colocation providers’ cross-connects also became the subject of attacks. He writes, “a crossconnect can generally be thought of as the physical link between any two routers on the Internet. Each side of this physical link needs an IP address so that the two routers can communicate with each other, and it was those IP addresses that were targeted.” The attacks were unpredictable and many in number, if not entirely novel in nature.
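To make the blackholing trade-off in the paragraph above concrete, here is a small Python model of the decision an operator faces when a volumetric flood is detected. This is an added example written for this entry; it is not Linode’s tooling and does not come from Forster’s article. Every address, threshold and flow record in it is constructed for illustration. The model aggregates sampled flow records into bits per second per destination, treats anything above a threshold as a volumetric attack, and then refuses to blackhole destinations that are protected infrastructure (DNS, API endpoints, cross-connect link addresses), since dropping all traffic to those would take down far more than the attacked host. It also enforces a cap on simultaneous blackholes, mirroring the article’s point that only so much blackholing can be done at once.

```python
"""Toy model of the remote-triggered blackhole (RTBH) decision described in
Forster's retrospective.  Added example, not Linode's code.  All addresses,
thresholds and flow records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed one-second sample of NetFlow-style records: (dst_ip, bytes).
SAMPLE_FLOWS = [
    ("203.0.113.10", 1_500_000_000),  # customer VPS under a volumetric flood
    ("203.0.113.10", 1_000_000_000),
    ("203.0.113.25", 120_000),        # ordinary customer traffic
    ("203.0.113.53", 900_000_000),    # the provider's recursive DNS server
    ("192.0.2.1",    500_000_000),    # cross-connect link address to transit
    ("203.0.113.80", 400_000_000),    # second attacked customer
    ("203.0.113.81", 450_000_000),    # third attacked customer
]

# Infrastructure that must never be blackholed: dropping all traffic to these
# would cut off far more than the attacked host (the DNS / API / cross-connect
# case the article describes).  Hypothetical addresses.
PROTECTED = {
    ipaddress.ip_address("203.0.113.53"): "recursive DNS",
    ipaddress.ip_address("203.0.113.54"): "API endpoint",
    ipaddress.ip_address("192.0.2.1"): "cross-connect to transit provider",
}

ATTACK_THRESHOLD_BPS = 2_000_000_000  # 2 Gbit/s inbound in one second (assumed)
MAX_SIMULTANEOUS_BLACKHOLES = 2       # operator cap, mirrors "only so much blackholing"


@dataclass
class Decision:
    ip: str
    bps: int
    action: str   # "blackhole", "escalate" or "ignore"
    reason: str


def bits_per_dst(flows, window_seconds=1):
    """Aggregate sampled flow bytes into bits/s per destination address."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[ipaddress.ip_address(dst)] += nbytes * 8
    return {ip: bits // window_seconds for ip, bits in totals.items()}


def rtbh_decisions(flows, protected=PROTECTED, threshold=ATTACK_THRESHOLD_BPS,
                   max_blackholes=MAX_SIMULTANEOUS_BLACKHOLES):
    """Decide, per destination, whether a blackhole is safe and affordable."""
    decisions = []
    active = 0
    # Largest floods first, so the limited blackhole budget goes where it matters.
    for ip, bps in sorted(bits_per_dst(flows).items(), key=lambda kv: -kv[1]):
        if bps < threshold:
            decisions.append(Decision(str(ip), bps, "ignore", "below volumetric threshold"))
        elif ip in protected:
            # Blackholing here would also drop the legitimate traffic of everyone
            # who depends on this address; it needs upstream filtering instead.
            decisions.append(Decision(str(ip), bps, "escalate",
                                      f"protected infrastructure ({protected[ip]})"))
        elif active >= max_blackholes:
            decisions.append(Decision(str(ip), bps, "escalate", "blackhole budget exhausted"))
        else:
            active += 1
            decisions.append(Decision(str(ip), bps, "blackhole",
                                      "announce the /32 with a BGP blackhole community to upstreams"))
    return decisions


def action_for(decisions, ip):
    """Look up the action chosen for one destination address."""
    return next(d.action for d in decisions if d.ip == ip)


if __name__ == "__main__":
    for d in rtbh_decisions(SAMPLE_FLOWS):
        print(f"{d.ip:15} {d.bps / 1e9:6.1f} Gbit/s  {d.action:9} {d.reason}")
```

Run as-is, the model blackholes the two largest customer floods, escalates the attacks on the DNS server and the cross-connect address even though they exceed the threshold, escalates the third customer flood because the blackhole budget is spent, and ignores the ordinary traffic. The escalated cases are exactly the ones the article says blackholing cannot solve and that pushed Linode toward buying its own IP transit.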

In the statement, Forster of Linode additionally shared that they felt apologetic, humbled by the experience and that lessons were learned, specifically: 1) don’t depend on middlemen, i.e., the colocation partners for IP transit; 2) absorb larger attacks, i.e., increase IP transit capacity; and 3) do a better job of letting customers know what’s happening, which they successfully did on Sunday.

Reason article was selected:

That malicious DDoSing or non-white-hat hacking is unethical is largely uncontested. (Next week, I will choose to write on an issue that is more controversial, perhaps.) Still, I selected the article because it’s a timely, fascinating topic regarding the ethics of the internet and computing, when hackers can cause so much harm from the dark depths of the digital realm.

Linode has handled the situation very well, providing informative status updates to its customers in real time, so that customers’ loyalty is likely unshaken. Indeed, in the comments section of the article, many customers wrote that they were grateful for Linode’s articulated response and its employees’ hard work to correct the issues over their holiday season vacations. They expressed that they understood the difficulty of fighting a fire and simultaneously reporting on it.

Personal/social values at stake:

The hackers’ actions are not only unethical but illegal, harming an honest company’s services, for which customers have paid and on which their businesses rely. As for who the perpetrators were or are: one may simply blame anonymous, irrational actors, hackers bent on mindless disruption, or, alternatively, perhaps, unscrupulous competitors who wish to damage their opponent’s business.

Credibility of sources:

Both documents are primary sources, written by Linode employees, i.e., representatives of the victim of the DDoS attacks itself.
