Grand Strategy

towards a Denial of Service Resistant Internet

Denial of Service Resistant Internet working group
Communications Research Network / Communications Futures Programme

Goal of the working group: To galvanise co-ordinated actions to make the Internet more resistant to denial of services attacks, without unduly blocking the emergence of innovative new applications of the Internet.

Goal of this document: To lay out the space of possible activity across the technical, economic, contractual and regulatory fields in order to prioritise activity. In particular:

1. Introduction

It is hard to offer access to an Internet-based service (including the service offered by the network itself), intending it to be openly used, but at the same time being able to protect against its intentional over-use. It is also hard to try to foster innovative new uses of the generic Internet infrastructure but at the same time prevent malicious new uses, given it takes a while to characterise how benign a new use will be. put these two fundamental reasons together, and the above goal is really hard.

2. Technical measures

Various dimensions:

Improved operational practices (not requiring changes to equipment) --- largely refer out to Max's BCP
Improved equipment design (not requiring changes to architecture)
Improved Internet architecture (hopefully, incrementally deployable)

Attacks through infrastructure vs attacks on infrastructure

Mitigating the vectors through which attacks are launched (OS vulnerabilities to viruses/worms, unnecessarily generic communication channels (client-client, server-server), 'certified' software, machines and networks, and re-certification issues with roaming)
Mitigating the force of attacks (traffic filtering/scrubbing, enforcable congestion control (re-feedback))
Mitigating the channels through which DDoS attacks are co-ordinated (IRC etc).

Providing hooks to trace attackers' identities
by path symmetry
by ingress interface: (traceback, re-feedback)
By e2e connection address: (cookies, capabilities)

Payload inspection vs cryptography.
Route anonymisers vs. traffic analysis.

Incremental deployment models

4. Economic & incentive-based measures

Pricing to increase the cost of attacks

Limits of economic approaches: value of attack >> cost?,  irrational attackers

Incentivising the clean up of zombie hosts

Using pricing internal to a network to manage engineering mechanisms like throttles and policers, in order to trade off costs and benefits of particular customers.

3. Contractual measures

Types of contract

End customer acceptable use policies (AUPs) & inter-provider contracts
Pairwise (contracts between neighbours including via peering intermediaries) vs. overlay models (contracts between neighbours at a higher layer, eg. edge to edge) vs. star-wise contractual relationships (contracts with an overseeing body)

Deterrent sanctions after the fact  vs. rights to prevent attacks

Financial vs service-impairment sanctions vs reputation-impairment sanctions (and legitimising vigilante defence - fighting fire with fire)

Defining attacks by behaviour vs. intent

Liability

Paymasters, attack co-ordinators, attack vectors (zombies, carrier networks, software vulnerabilities (OS, e-mail etc).

Attacker identification

Anonymous access: making the party that allows it responsible for the actions of anonymous users? Radio access issues

Strength levels of identification

6. Regulatory

Regulatory requirements for contractual commitments between operators.

Enforcability across borders
Liability (if network hides user, is user responsible?; if country cannot sanction a party, can country be made responsible???)

What law(s) are available in each jurisdiction? generic legal coverage extensible to new forms of attack?

5. Commercial realities

This section is a placeholder in case commentary is needed on the commercial practicality of any of the above. For instance, how valuable preserving an architecture that fosters innovation is relative to the cost of fostering malice. Or how realistic it is to expect ISPs to disconnect customers or peer networks when they are both a source of value and malice. This discussion may end up being sprinkled throughout the rest of the document.

Retail vs. wholesale/interconnect approaches and virtualisation.

Insurance

6. Conclusions

None yet.


Draft 00a
Bob Briscoe
21 Oct 2005