As a network security professional, the ongoing WikiLeaks saga certainly is quite concerning. I am not referring to the exposure of documents – but rather the all-out effort to completely wipe WikiLeaks off the Internet… and what that means for your business and your connectivity to the Internet.
I’m NOT talking here about the politics of the WikiLeaks situation. A significant number of you reading this will probably believe that WikiLeaks is an extreme terrorist organization that should be eliminated from the network and the leaders should be hunted down and imprisoned (or worse). And a significant number of you reading this will probably believe that WikiLeaks is a champion of transparency and openness and a leader in fighting against government censorship and secrecy and needs to be supported by all means possible.
Put the politics aside for a moment and think about WikiLeaks in terms of:
an entity that many organizations around the world want to eliminate from the Internet.
Consider the attacks they have been under:
- Multiple reports of large-scale distributed denial-of-service attacks
- Being kicked off of multiple hosting providers, including Amazon Web Services
- Most recently, having the wikileaks.org domain name removed from DNS
and undoubtedly many other forms of attacks…
The Guardian in the UK had a good article up today on the issue:
WikiLeaks fights to stay online after US company withdraws domain name
I definitely understand the difficult decision EveryDNS.net faced (and in full disclosure, I do personally use their free service for some dynamic DNS domains). I know a couple of the folks there, and as they state in the notice on their home page:
More specifically, the services were terminated for violation of the provision which states that “Member shall not interfere with another Member’s use and enjoyment of the Service or another entity’s use and enjoyment of similar services.” The interference at issue arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.
You are a provider of a free domain name service … and suddenly one of those 500,000+ domains comes under extreme attack to such a degree that it could endanger the accessibility for everyone. Though I am sure that the EveryDNS folks will be vilified by some (and probably attacked) and praised by others, as a network and security professional I can understand why they made the choice they did. At some point, there is a need to protect and preserve your own infrastructure and connectivity. They can’t stay in business if they don’t.
But reading that Guardian article and all the other ongoing coverage, I can’t help but think:
We are witnessing a preview of true cyber-war.
Beyond the public pressure from various senators and government officials around the world to shut down WikiLeaks and encourage companies to sever ties, you have to wonder if various intelligence and/or military agencies with different governments aren’t actively trying to shut them down online. Add in all the private groups clamoring for a shut-down… you have to think some of them are engaged in electronic activity. And add in all the individuals out there trying to do their part to shut down WikiLeaks.
How many botnets are probably active right now trying to execute DDoS attacks against WikiLeaks?
On the opposite side, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet easily allows this type of content propagation.
And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline. And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.
I think it will get uglier before it’s all over.
For us in the security community, there is much to think about:
- Where are your services hosted on the Internet? How well do you know those providers? And how solid and redundant are their services?
- Could your sites become “collateral damage” and be knocked off the ‘Net if some other site hosted at a provider came under attack?
- Where are the single points-of-failure (SPOFs) in your hosting and Internet connectivity?
- Where are your domain names hosted? What if the DNS provider came under attack?
- Do you have alternative domains available? Perhaps through a completely different DNS provider and able to be pointed to a completely different hosting provider?
- What are the Time-To-Live (TTL) values set for your primary domain names? If one provider was knocked out, how quickly could you repoint those domains to another site?
- And if you are hosting your own services, what levels of protection do you have in place? What kind of redundant connections do you have?
- What ability do you have to rapidly move your connectivity (and content) to another site?
- etc., etc.
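As an added example (not code from the original post), the checklist above can be turned into a repeatable check. The script below runs over constructed DNS data that stands in for what a resolver would return; every domain name, nameserver, address and TTL in it is hypothetical. It flags a zone whose nameservers all sit with one provider, a hosting address with no alternate, and an address TTL so long that repointing to another site would take longer than the operator is willing to wait.

```python
"""Resilience check for a set of domains, driven by the questions in the post.

The DNS data here is constructed for illustration; in practice the records
would come from a resolver query (e.g. the answer section of `dig`).
"""
from dataclasses import dataclass


@dataclass
class DnsRecord:
    name: str    # owner name of the record
    rtype: str   # "NS" or "A"
    value: str   # nameserver host or IPv4 address
    ttl: int     # seconds a resolver may cache this answer


# Constructed sample data (hypothetical zones and providers).
# example-a.test: one DNS provider, one hosting address, day-long TTLs.
# example-b.test: two DNS providers, two hosting addresses, short address TTL.
SAMPLE_RECORDS = [
    DnsRecord("example-a.test", "NS", "ns1.provider-one.test", 86400),
    DnsRecord("example-a.test", "NS", "ns2.provider-one.test", 86400),
    DnsRecord("example-a.test", "A", "192.0.2.10", 86400),
    DnsRecord("example-b.test", "NS", "ns1.provider-one.test", 3600),
    DnsRecord("example-b.test", "NS", "ns1.provider-two.test", 3600),
    DnsRecord("example-b.test", "A", "192.0.2.20", 300),
    DnsRecord("example-b.test", "A", "198.51.100.20", 300),
]


def provider_of(ns_host: str) -> str:
    """Approximate the DNS provider by the registrable part of the NS hostname."""
    return ".".join(ns_host.split(".")[-2:])


def assess(domain: str, records, max_repoint_seconds: int = 900) -> dict:
    """Report single points of failure and worst-case repoint time for one domain.

    max_repoint_seconds is the longest the operator accepts for resolvers to
    pick up a new hosting address after an A record change.
    """
    ns = [r for r in records if r.name == domain and r.rtype == "NS"]
    addrs = [r for r in records if r.name == domain and r.rtype == "A"]
    findings = []

    # SPOF 1: every nameserver under one provider means one outage removes the zone.
    providers = sorted({provider_of(r.value) for r in ns})
    if len(providers) < 2:
        findings.append("all nameservers with a single DNS provider")

    # SPOF 2: a single hosting address means one knocked-out host removes the site.
    if len(addrs) < 2:
        findings.append("single hosting address (no alternate A record)")

    # Repoint time: cached A answers live for up to their TTL after a change.
    addr_ttl = max((r.ttl for r in addrs), default=0)
    if addr_ttl > max_repoint_seconds:
        findings.append(
            f"A record TTL of {addr_ttl}s exceeds the {max_repoint_seconds}s repoint target"
        )

    # Switching DNS providers is bounded by the NS TTL instead (reported, not flagged,
    # since long delegation TTLs are normal).
    ns_ttl = max((r.ttl for r in ns), default=0)

    return {
        "domain": domain,
        "dns_providers": providers,
        "hosting_addresses": [r.value for r in addrs],
        "worst_case_repoint_seconds": addr_ttl,
        "worst_case_dns_switch_seconds": ns_ttl,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("example-a.test", "example-b.test"):
        report = assess(name, SAMPLE_RECORDS)
        print(report["domain"], "->", report["findings"] or "no findings")
```

The 900-second target is an arbitrary choice for the example; what matters is that the TTL on the records you would have to change is shorter than the outage you are prepared to tolerate, and that the check is rerun whenever a provider or record changes.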
Bringing this to a VoIP and communications context, if you are using IP-based systems for real-time communications, is your architecture robust enough to withstand attacks (whether those attacks are targeted at you or at others connected near you)? Can you answer the questions above for your real-time communications system? Where are your SPOFs? What are your backup plans? How will you stay online and connected in the face of an overwhelming attack?
This particular saga of WikiLeaks will play out in the days, weeks and months ahead… and whether they stay online or are forced offline remains to be seen… but what we’re publicly witnessing right now is a case study of the time ahead of us.
Are you prepared?
Dan York, CISSP, is chair of the VoIP Security Alliance, author of “Seven Deadliest Unified Communications Attacks” and a frequent speaker on communication security issues.
I’ve thought the same thing, and also thought about the possibility of hardcore netizens actually evolving into a virtual country of sorts. You could have a large percentage of people who consider themselves to be ‘dual citizens’ of sorts willing to wage warfare, if needed, to protect their ‘virtual’ lands. How confused could things get? What would the spillover look like?
What if a botnet’s malware was capable of making a SIP call? The malware would simply need to include a small piece of code from a softphone/traffic generator and a service(s) to originate calls. The target could be using SIP or TDM for their public access. Depending on the number of calls generated, the attack could disrupt virtually any government/enterprise site, even a large contact center.
Mark, indeed that could be quite a threat. Three years ago in fact I wrote on this blog about a proof-of-concept of just this type of bot:
http://voipsa.org/blog/2007/05/07/ready-or-not-here-come-the-irc-controlled-sipvoip-attack-bots/
Unfortunately I expect we will probably see these types of attacks in the future. 🙁
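As an added example from the defender's side (not code from the original post or either commenter), the following Python script shows the kind of detection a SIP operator would run against the call-flood scenario discussed in the comments above. It works over a constructed INVITE log (the log format, addresses and timestamps are hypothetical) and reports two things: any single source exceeding an INVITE rate in a sliding window, and an aggregate rate across all sources that is high even though no single source stands out, which is what a distributed bot-driven flood looks like.

```python
"""Sliding-window INVITE rate check over a constructed SIP log.

The log format is hypothetical: "<ISO timestamp> INVITE <request-URI> from=<source>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. Source 203.0.113.5 sends 8 INVITEs in 8 seconds,
# 198.51.100.7 behaves normally, and six 192.0.2.x sources each send only two
# INVITEs but all inside the same few seconds (a distributed flood).
SAMPLE_LOG = """\
2010-12-03T10:00:00 INVITE sip:1000@pbx.test from=203.0.113.5
2010-12-03T10:00:01 INVITE sip:1001@pbx.test from=203.0.113.5
2010-12-03T10:00:02 INVITE sip:1002@pbx.test from=203.0.113.5
2010-12-03T10:00:03 INVITE sip:1000@pbx.test from=198.51.100.7
2010-12-03T10:00:03 INVITE sip:1003@pbx.test from=203.0.113.5
2010-12-03T10:00:04 INVITE sip:1004@pbx.test from=203.0.113.5
2010-12-03T10:00:05 INVITE sip:1005@pbx.test from=203.0.113.5
2010-12-03T10:00:06 INVITE sip:1006@pbx.test from=203.0.113.5
2010-12-03T10:00:07 INVITE sip:1007@pbx.test from=203.0.113.5
2010-12-03T10:00:40 INVITE sip:1002@pbx.test from=198.51.100.7
2010-12-03T10:01:00 INVITE sip:1000@pbx.test from=192.0.2.1
2010-12-03T10:01:00 INVITE sip:1000@pbx.test from=192.0.2.2
2010-12-03T10:01:01 INVITE sip:1000@pbx.test from=192.0.2.3
2010-12-03T10:01:01 INVITE sip:1000@pbx.test from=192.0.2.4
2010-12-03T10:01:02 INVITE sip:1000@pbx.test from=192.0.2.5
2010-12-03T10:01:02 INVITE sip:1000@pbx.test from=192.0.2.6
2010-12-03T10:01:04 INVITE sip:1000@pbx.test from=192.0.2.1
2010-12-03T10:01:04 INVITE sip:1000@pbx.test from=192.0.2.2
2010-12-03T10:01:05 INVITE sip:1000@pbx.test from=192.0.2.3
2010-12-03T10:01:05 INVITE sip:1000@pbx.test from=192.0.2.4
2010-12-03T10:01:05 INVITE sip:1000@pbx.test from=192.0.2.5
2010-12-03T10:01:05 INVITE sip:1000@pbx.test from=192.0.2.6
"""

LINE_RE = re.compile(r"^(\S+) INVITE \S+ from=(\S+)$")


def parse_invites(log_text: str):
    """Yield (timestamp, source) for each INVITE line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


def _peak_in_window(q: deque, ts: datetime, window_seconds: int) -> int:
    """Append ts, drop events older than the window, and return the window size."""
    q.append(ts)
    while (ts - q[0]).total_seconds() > window_seconds:
        q.popleft()
    return len(q)


def flood_sources(log_text: str, window_seconds: int = 10,
                  per_source_threshold: int = 5,
                  aggregate_threshold: int = 12) -> dict:
    """Return sources whose peak INVITE count in any window meets the per-source
    threshold, plus the aggregate peak across all sources for distributed floods."""
    per_source = defaultdict(deque)
    peaks = defaultdict(int)
    all_events = deque()
    aggregate_peak = 0

    for ts, src in sorted(parse_invites(log_text)):
        peaks[src] = max(peaks[src], _peak_in_window(per_source[src], ts, window_seconds))
        aggregate_peak = max(aggregate_peak,
                             _peak_in_window(all_events, ts, window_seconds))

    flagged = {s: p for s, p in peaks.items() if p >= per_source_threshold}
    return {
        "per_source": flagged,
        "aggregate_peak": aggregate_peak,
        "distributed_flood": aggregate_peak >= aggregate_threshold,
    }


if __name__ == "__main__":
    result = flood_sources(SAMPLE_LOG)
    print("per-source floods:", result["per_source"])
    print("aggregate peak:", result["aggregate_peak"],
          "distributed flood:", result["distributed_flood"])
```

The thresholds are placeholders to be tuned to the call volume of the system being protected; the point of keeping the aggregate counter separate from the per-source counters is that a rate limit applied only per source never fires when the load is spread across many addresses, which is exactly the botnet case Mark raises.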