
Aperturen 2-2008_8

Unwanted Traffic

Elwyn Davies
Loa Andersson
Danny McPherson
Lixia Zhang


The full report of the workshop “Unwanted Internet Traffic Workshop” in March 2006 was published as Andersson, L., Davies, E., Zhang, L., “Report from the IAB workshop on Unwanted Traffic March 9-10, 2006”, RFC 4948, August 2007.

Acreo is grateful for the privilege to publish this article, which is a shorter version of an article previously published in the IETF Journal Vol 3 Issue 3 (Dec 07).


The Internet carries a lot of unwanted traffic today. At its most fundamental, unwanted traffic consists of packets that consume network and computing resources in ways that do not benefit the owners of the resources.

To gain a better understanding of the driving forces behind such unwanted traffic and to assess existing countermeasures, the Internet Architecture Board (IAB) organised an ‘Unwanted Internet Traffic Workshop’ in March 2006 where a number of experts – including operators, vendors, and researchers – exchanged experiences, views, and ideas on this important topic. This article summarizes the findings of the workshop and looks at some developments that have occurred since that time.

The Underground Network Economy

The most important message from the Unwanted Traffic Workshop was that the enormous volume of unwanted traffic is a symptom of a vast criminal underground economy. This economy is a parasite on both open technology and the innovative culture of the Internet as it has developed over the past 20 years.

From Anarchy to Criminality

Early in the life of the Internet, unwanted traffic was largely an expensive nuisance. Much of it was generated by so-called script kiddies, who had no clear motive beyond demonstrating their ability to cause mayhem to their equally mindless peers. Although the consequences for the targeted networks and hosts were generally immediate and catastrophic, with significant economic loss for the victims, the attackers mostly did not profit at all.

Over the past few years, the situation has altered dramatically. The anarchic hackers of the past have been harnessed or displaced by criminals intending to use the Internet for illicit gain.

The underground network economy that has developed within the Internet mirrors the underground economy in the physical world: tools of the [criminal] trade are created and sold to other criminals; stolen information is fenced for use in further criminal activity; and the illicit proceeds laundered electronically allowing the criminals to benefit from their activities.

The underground network economy has evolved quickly, changing from an initial barter system into a gigantic shopping mall for tools and information. This has led to a rapid shift in the nature of unwanted traffic and the ways in which the traffic affects the network. It is now a fully integrated and persistent subculture that sucks many billions of dollars out of the legitimate network economy by exploiting the commercial growth of e-business. The parasites are wholly dependent on the availability of the network to continue making profits: causing significant damage to the network would be counterproductive.

Subverting the Network

The marketplace for the underground network economy is typically hosted on IRC (Internet Relay Chat) servers that provide access to ‘stores’ that sell the tools needed to operate in the underground economy. Readily available strong encryption software for e-mail and other communications tools allows deals to be closed with little risk of detection. It is no longer necessary to be a skilled programmer to be a successful miscreant in the underground economy. Malware, bot code, and access to compromised hosts or Web servers can be bought off the shelf, and some of the profits can be used to finance new tools and to set up ‘dirty’ Internet service providers to host IRC servers and fraudulent Web sites.

The network itself provides the means to turn the available tools and stolen information into real assets. Electronic funds transfer between countries and stolen credit card information can facilitate money laundering. The international nature of the Internet, the absence of audit trails, and the ease with which anonymity can be achieved are important features of the network, but they also facilitate misuse.

One of the key weapons used by criminals is the compromised host, also known as a bot or zombie. Networks of bots (botnets, for short) are created by exploiting security flaws in networked machines or by inducing naive users to install on their machines backdoor remote control capabilities of which they are unaware. Remotely controlled bots can then be used either as a means of capturing valuable personal or financial information from the users of the machine or as a way of generating further unwanted traffic, such as e-mail spam or distributed denial-of-service (DDoS) attacks that cannot easily be traced to their true origins.

In most cases, bots do not cause major disruption to the hosting machine, either by obviously disrupting operations or by clogging the machine’s network connection with large amounts of unwanted traffic. The objective in most cases is to provide a resource that can be used by the miscreants for as long as possible. To use a medical analogy, unwanted traffic no longer creates an acute disease in the compromised host; rather, it creates chronic carriers that may go undiagnosed for a long time and that act as sources of infection that can perpetuate the problem.

A major reason that the underground economy is so successful is the ease with which botnets can be created. Miscreants view them as expendable resources, and they are rarely bothered by operators who may see what they’re doing. As long as their cash flow is not significantly impacted, miscreants simply move on to new venues when ISPs take action to clean up bots and protect their customers. However, taking out one of the IRC servers might provoke a severe and ruthless attack on the ISP, typically through the use of botnets to launch a DDoS attack targeting the ISP’s network. In this way, the attackers create an example that might intimidate other ISPs into leaving them alone.

Simplicity and Power versus Vulnerability and Ignorance

The end-to-end architecture of the Internet emphasises the flexibility of implementing new applications in the end system while keeping the network itself as simple as possible. The network neither enhances nor interferes with end system data flows. The success and adaptability of the Internet demonstrate the power of this model, but it can also make life easy for those who operate in the underground economy.

This flexibility and the wealth of applications in each end host result in increasing complexity that is difficult to analyse and so is liable to contain vulnerabilities that can be exploited to turn the host into a bot. The majority of hosts are vulnerable to a greater or lesser extent, but miscreants will inevitably target the most common platforms, such as Microsoft Windows, that give the best return on investment in the form of a larger botnet.

The ordinary people who own these vulnerable systems are eager to jump into the exciting online world but are rarely trained to fully understand how the system can be abused without them being aware. The software is mostly designed to hide the complexities of the system so novices are not deterred from making use of the system.

It is therefore not surprising that the Internet now boasts a large number of compromised hosts whose owners are unaware that their friendly machine is hiding a bot. Although most of those machines are home PCs, evidence shows that corporate servers or backbone routers — even government firewalls — have also fallen victim to compromise. 

Running under the Radar

Although some of the consequences of the flood of unwanted traffic – such as spam e-mails and DDoS attacks – are all too visible, many other types of unwanted traffic are hard to detect and counter.

Hosts are now quietly subverted and linked to botnets while leaving their normal functionality and connectivity essentially unimpaired. Detection of bots and of the functions they perform is often hard; if detection relies on monitoring the unwanted traffic, it may well come too late, because the bot may already have carried out its intended (mal)function.

’Quiet’ botnets are a particularly challenging problem for the security of the Internet. The resulting stolen (financial) information leads to enormous economic losses, but there does not appear to be a quick fix for the problem. Almost any fix needs to be applied at places that see little or no local benefit from the solution. For example, an infection in a home PC is unlikely to be cured if the bot doesn’t stop the owner playing online games, even though the public interest is endangered.

Simplicity at the core of the network and the nature of the routing system can also make life easier for attackers. IP is specifically designed to minimise the amount of state information needed in the data plane to forward traffic from one end to the other. The network core does not record audit trails for individual traffic streams unless special measures have been planned in advance, such as when the police request lawful interception of some particular traffic.

A key capability of the Internet is anywhere-to-anywhere communication. The simplicity of the core combined with worldwide access means not only that there is essentially no limit on what a host can use the network to do, but also that there is no trace – after the event – of what a host may have done. Currently, there is virtually no effective tool available to provide either problem diagnosis or packet traceback. This makes tracking DDoS attacks and other generators of unwanted traffic launched from multiple compromised hosts labour-intensive, requiring sophisticated skills. Even if the compromised hosts and the controller of the botnet can be located, it is likely that more than one organisation has responsibility for the machines and networks involved, which makes investigation difficult. Compounding the problems associated with the high cost and the lack of incentive to report security attacks (see below) is the fact that attacks are rarely traced to their real roots.

The On-Ramp

The Internet is designed to be both friendly and flexible so that it does not constrain new applications. Such a design is, of course, a double-edged sword: capabilities that make it easy to develop useful new applications can be just as easily misused to create unwanted traffic. The aspects of Internet architecture that can be exploited to insinuate unwanted traffic onto the Internet are quite complex. Trying to ensure that the Internet remains open to innovation while denying access to unwanted traffic requires a deep understanding of the ways the Internet is intended to work and of the complex value judgments that need to be applied in order to balance the ease of use with the danger of misuse.

Known Vulnerabilities

According to a survey conducted by Arbor Networks, the first two vulnerabilities discussed here are currently believed to be the most critical for the Internet. Other possibilities certainly exist, and the ones that are most commonly exploited shift over time in the continuing tussle between miscreants and security experts.

Lying about Traffic Source Addresses: In the past, many attacks on networks using unwanted traffic relied on injecting packets with a forged IP source address; this is called address spoofing. Receivers might then be deceived about the source of questionable packets and might therefore accept packets they would not have accepted if the packets’ true source were known, or they may direct return traffic to the forged source address, making them unwitting participants in a DDoS attack on the host whose address was forged (a reflection attack). The prevalence of botnets that can launch various attacks using the real address of the bot means that address spoofing is no longer as important a technique as it used to be, but many attacks – especially reflection attacks – still use spoofed addresses.

Hijacking Inter-Domain Routing: Attacks can be launched on the Border Gateway Protocol (BGP), which routes Internet traffic between administrative domains. Various attacks can lead to traffic being misrouted, but a particularly insidious attack injects routes for IP addresses that are not in genuine use. Because the existence of these routes provides a measure of acceptability for packets sourced from the bogus IP addresses, attackers can use these addresses to source spam messages. Since the additional routes do not affect normal packet delivery and since careful selection of the address prefix used can hide the bogus route among genuine ones, the bogus routes often have little chance of being noticed.
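Both kinds of bogus announcement described above can be checked mechanically if the monitor knows which prefixes are allocated and which AS is meant to originate each. The Python below is an added example written for this article, not tooling from the workshop or the IAB; the `ALLOCATIONS` registry, the prefixes (RFC 5737 and RFC 3849 documentation space) and the AS numbers (RFC 5398 documentation range) are all constructed, and the registry stands in for whatever allocation data an operator actually holds.

```python
"""Flagging bogus inter-domain routes against an allocation registry.

Added example: the registry, prefixes and AS numbers below are constructed
(RFC 5737 / RFC 3849 documentation prefixes, RFC 5398 documentation ASNs).
"""
import ipaddress

# Hypothetical registry: allocated prefix -> AS that should originate it.
ALLOCATIONS = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("2001:db8::/32"): 64498,
}


def covering_allocation(prefix):
    """Return (allocated_prefix, legitimate_origin) covering `prefix`, or None.
    A prefix equal to or more specific than an allocation is 'covered'."""
    for alloc, origin in ALLOCATIONS.items():
        if prefix.version == alloc.version and prefix.subnet_of(alloc):
            return alloc, origin
    return None


def classify(prefix_str, origin_as):
    """Verdict for one announcement: 'ok', 'unallocated' or 'hijack'.

    'unallocated': nobody holds the space, so the route exists only to give
                   packets from those addresses an air of legitimacy.
    'hijack':      the space is allocated, but a different AS originates it,
                   typically as a more-specific that hides among real routes.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    found = covering_allocation(prefix)
    if found is None:
        return "unallocated"
    _, legit_origin = found
    return "ok" if origin_as == legit_origin else "hijack"


def audit(announcements):
    """Return [(prefix, origin_as, verdict)] for every non-'ok' announcement."""
    findings = []
    for prefix, origin in announcements:
        verdict = classify(prefix, origin)
        if verdict != "ok":
            findings.append((prefix, origin, verdict))
    return findings


# Constructed announcement table, as a route collector might show it.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # legitimate
    ("198.51.100.0/24", 64497),     # legitimate
    ("198.51.100.128/25", 64511),   # more-specific from a foreign AS
    ("203.0.113.0/24", 64511),      # space nobody holds in this registry
    ("2001:db8:1::/48", 64498),     # more-specific, but by the holder itself
]

if __name__ == "__main__":
    for prefix, origin, verdict in audit(SAMPLE_ANNOUNCEMENTS):
        print(f"{verdict:12s} {prefix:22s} AS{origin}")
```

Running it flags the /25 originated by AS64511 as a hijack and the 203.0.113.0/24 route as unallocated, while the holder's own more-specific passes. The check is only as good as the registry it is fed; today the prefix-to-origin binding this example assumes is what RPKI Route Origin Authorizations provide in signed form, which did not exist when the workshop was held.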

Other Vulnerabilities: Other areas of vulnerability include:

  • Misuse of Web Protocols: Application designers frequently misuse HTTP (HyperText Transfer Protocol) as a general transport protocol because it is the only protocol that can be reliably expected to traverse enterprise firewalls. However, transporting everything over HTTP does not block attacks; it simply moves the vulnerability from one place to another, and the miscreants are following.
  • Difficulties Authenticating Identity: Authentication is frequently tied to the data link layers in the network, and mobility means that a host can move across different authentication domains during a single session (e.g., from a mobile phone network (GPRS) to Wi-Fi). This makes robust user authentication difficult.

The Scale of the Problem

Unwanted traffic is a major problem for network owners and operators today, both because of the volume and because of the ubiquitous adverse impact of the traffic on normal operations. The workshop did not look in any detail at the actual volumes of traffic: a look at almost any e-mail in-box is evidence enough that the volumes of spam alone are very large. This section looks briefly at how specific types of network are affected.

Everywhere Is Affected

There are a variety of types of unwanted traffic on the Internet today. The IAB workshop concentrated on DDoS and spam. The impact of unwanted traffic depends on the nature of the network domain through which it is flowing, but it affects almost every part of the network adversely.

The global nature of the Internet and the ease of ubiquitous connectivity allow miscreants to originate unwanted traffic from almost anywhere in the network and to target victims who are equally widely distributed. Attackers are interested in finding targets that offer maximal returns with minimal efforts. Regions with lots of high-speed, high-bandwidth user connections but poorly managed end hosts are ideal targets for originating DDoS traffic.

Effects on Specific Domains

Backbone Providers are generally not directly affected by unwanted traffic as they do not support the main targets – end users – directly.  However, the high capacity of their well-provisioned networks can actually facilitate DDoS attacks, and operators may in future need to provide tools to detect and mitigate such attacks.

From the Access Providers’ viewpoint, the most severe impact of unwanted traffic is on their customer support load. Access providers have to deal directly with end users. Residential customers in particular see the access provider as their IT help desk, and the competitive nature of the business means that a single call can wipe out any profits the provider might have made from the customer.

Enterprise Networks can be affected in many different ways. Much unwanted traffic, such as spam, is just a costly nuisance using up valuable resources, but some unwanted traffic has the capacity to seriously damage the enterprise, for example by blocking normal business with a DDoS attack, stealing confidential information through monitoring internal activity, or destroying customer confidence by defacing or subverting an e-business web site. Advance planning is key to responding to attacks, especially DDoS: there is little time to respond once one starts. Working with access providers to provide tools that will detect and suppress the traffic before it concentrates on the intended victim is a key strategy.

Unwanted Traffic and Internet Infrastructure Services

The Internet needs certain infrastructure services – such as provision of the Domain Name System (DNS) – that are potentially vulnerable to DDoS attacks, such as those on the root and top level domain servers reported at the workshop. Those attacks lead to disruption of critical services, and the situation is likely to get worse because the daily peaks of DNS usage have been growing at a much faster rate than the number of Internet users. This trend is expected to continue. The increasing load on the DNS infrastructure has led to an increase in complexity that potentially makes it a larger target for attacks.

Defenses: Available but Relatively Ineffective

The Internet is not totally defenseless against the attacks from the underground economy. It is unfortunate that for a variety of reasons, many of the defenses are not as effective as they might be. Many of the reasons are economic and political rather than technical, including lack of resources, a perception that the benefits of deployment are felt by organisations other than those that have to bear the costs, and the need for coordination between competing organisations to achieve best results.

Analysis of the reasons for the ineffectiveness of the Internet’s defenses is critical to the design of future effective approaches to the unwanted traffic problem.

Problems for Today’s Defenses

Although there are some techniques available to protect against the known vulnerabilities, a number of inadequacies exist in the tools themselves; more critically, some of the available tools are not used, and the scale of deployment of the remainder is inadequate, as is education of users and operators in the secure usage and operation of the Internet.

Generally, operators do not have adequate tools for diagnosing network problems. Current approaches rely primarily on the skills and experience of operators. Better and automated tools would help; the same is true for tools that help by mitigating attacks.

Lack of Incentives for Countering Unwanted Traffic

A common theme that runs through the analysis of how unwanted traffic affects networks outside the enterprise is the lack of incentives for network operators to deploy security measures. That lack is due mainly to the low return on investment from what are essentially preventive measures.

There is also a continuing unwillingness to report fraud due to commercial sensitivity. That sensitivity also applies to the reporting of security incidents by network operators who fear that their reputations – or the reputations of their customers – would be damaged. Network reputation is key to gaining new customers, and so minimising the amount of publicity given to security incidents is important to service providers’ survival. As a result, investment in prevention is minimal, and mitigation work tends to be local so as to avoid releasing commercially sensitive information, hamstringing efforts to coordinate responses to attacks or to track malicious activity.

Notwithstanding the inadequacies of the available techniques, the view of the IAB workshop was that a significant reduction of unwanted traffic could be achieved with the limited tools available if those tools were deployed extensively and operated correctly. Educating users to be more demanding, together with judicious application of government regulation, may give providers the incentive to deploy the tools.

Available Defensive Techniques

Countering DDoS in the Backbone: A recent development offers managed DDoS security services that deliver cleaned traffic to attached customer or lower-level provider sites based on traffic pattern learning, which allows recognition and filtering of abnormal patterns that signal a DDoS attack before they concentrate on the target. However, these solutions are designed to aid particular customers who are willing to pay for the extra service, and because of the perceived low return on investment, there is still little incentive for the backbone provider to deploy these solutions for every connection.
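The ‘traffic pattern learning’ mentioned above is, in its simplest form, a per-destination baseline against which live counts are compared. The Python below is an added illustration of that idea, not code from any managed DDoS service or from the article’s authors: the flow records are constructed, the addresses are RFC 5737 documentation space, and the tuning values `K` and `MIN_FLOOR` are assumptions chosen for the sample.

```python
"""Baseline-based detection of a DDoS flood from flow records.

Added example: flow records are constructed; addresses are RFC 5737
documentation space; K and MIN_FLOOR are assumed tuning values.
"""
from collections import defaultdict
from statistics import mean, pstdev

K = 4.0          # standard deviations above the learned mean that count as abnormal
MIN_FLOOR = 50   # never alarm on fewer packets than this per interval


def per_interval_counts(records):
    """records: iterable of (interval, dst_ip, packets).
    Returns {dst: {interval: packets}}, summing flows that share dst and interval."""
    counts = defaultdict(lambda: defaultdict(int))
    for interval, dst, packets in records:
        counts[dst][interval] += packets
    return counts


def learn_baseline(training_records):
    """Per destination: (mean, population stddev) of packets per interval.
    Intervals in which a destination saw nothing count as zero, so a host
    that is usually idle does not learn an inflated baseline."""
    counts = per_interval_counts(training_records)
    intervals = sorted({interval for interval, _, _ in training_records})
    baseline = {}
    for dst, by_interval in counts.items():
        series = [by_interval.get(i, 0) for i in intervals]
        baseline[dst] = (mean(series), pstdev(series))
    return baseline


def detect(live_records, baseline):
    """Return [(interval, dst, packets, threshold)] for every abnormal interval.
    A destination unseen in training has no baseline, so only the floor applies."""
    alarms = []
    for dst, by_interval in per_interval_counts(live_records).items():
        mu, sigma = baseline.get(dst, (0.0, 0.0))
        threshold = max(MIN_FLOOR, mu + K * sigma)
        for interval, packets in sorted(by_interval.items()):
            if packets > threshold:
                alarms.append((interval, dst, packets, threshold))
    return alarms


# Constructed training window: ten intervals of ordinary traffic to a busy
# web server (100-120 packets) and a quiet host (5-6 packets).
TRAINING = [(i, "203.0.113.10", 100 + (i % 3) * 10) for i in range(10)] + \
           [(i, "203.0.113.20", 5 + (i % 2)) for i in range(10)]

# Constructed live window: in interval 12 two flows flood the web server.
LIVE = [
    (11, "203.0.113.10", 120),
    (12, "203.0.113.10", 900),
    (12, "203.0.113.10", 850),   # second flow, same target and interval
    (12, "203.0.113.20", 8),
    (13, "203.0.113.30", 40),    # never seen in training; stays under the floor
]

if __name__ == "__main__":
    for interval, dst, packets, threshold in detect(LIVE, learn_baseline(TRAINING)):
        print(f"ALARM interval={interval} dst={dst} packets={packets} "
              f"threshold={threshold:.1f}")
```

Only interval 12 for the web server is reported (1750 packets against a learned threshold of about 142). Two caveats a practitioner would add: the baseline must be learned from clean traffic, since an attacker who ramps up slowly while learning continues will pull the threshold up with the attack; and packet counts per destination are the crudest feature, so a real service would also key on protocol, packet size and source spread to tell a flash crowd from a flood.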

Know Your Sources: Best practice for filtering out traffic with spoofed source addresses has been documented by the IETF in BCP 38 (RFC 2827) and BCP 84 (RFC 3704). Many routers implement these capabilities (for example as unicast reverse path forwarding, uRPF), but network operators have not deployed these techniques universally – at least partially because of the lack of incentive resulting from the heavy management costs of maintaining the filtering and because of the need to ensure that legitimate traffic is not accidentally filtered out.
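As an added example (not from the IETF documents or the original article), the following Python models the two filtering modes BCP 38 and BCP 84 describe, applied to the spoofed-source reflection case from the ‘Lying about Traffic Source Addresses’ section above: strict mode accepts a source only if it belongs to a prefix assigned to the ingress interface, while loose mode (the BCP 84 relaxation for multihomed customers) accepts any source present in the routing table. The interface-to-prefix table, routing table and packets are constructed from RFC 5737 and RFC 3849 documentation ranges.

```python
"""Ingress source-address filtering in BCP 38 strict and BCP 84 loose mode.

Added example. The interface assignments, routing table and packets are
constructed from RFC 5737 / RFC 3849 documentation space.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical access-router configuration: customer interface -> prefixes
# assigned to that customer. These are the only sources the interface
# should ever see ("know your sources").
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Everything the router has a route to, for loose-mode checks.
ROUTING_TABLE = [net for nets in INTERFACE_PREFIXES.values() for net in nets] + [
    ipaddress.ip_network("198.51.100.0/24"),   # reachable via the upstream
]


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src: str
    dst: str


def strict_urpf_allows(pkt):
    """Strict mode: the source must lie in a prefix assigned to the ingress
    interface. This is what BCP 38 asks of a single-homed customer edge."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERFACE_PREFIXES.get(pkt.ingress_iface, []))


def loose_urpf_allows(pkt):
    """Loose mode: the source only has to exist somewhere in the routing
    table (BCP 84's relaxation for multihomed or asymmetric customers).
    It still drops unrouted sources but lets a bot spoof any routed address."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ROUTING_TABLE)


def filter_packets(packets, mode="strict"):
    """Return (accepted, dropped) lists for the chosen mode."""
    check = strict_urpf_allows if mode == "strict" else loose_urpf_allows
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if check(pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample: customer A sends one genuine packet, one spoofed as the
# victim 203.0.113.9 (so the resolver at 198.51.100.53 would reflect its
# answer onto the victim), and one spoofed as customer B's address (routed,
# so loose mode cannot tell it apart from genuine traffic).
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "198.51.100.53"),
    Packet("cust-a", "203.0.113.9", "198.51.100.53"),
    Packet("cust-a", "192.0.2.200", "198.51.100.53"),
    Packet("cust-b", "2001:db8:b::1", "198.51.100.53"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, bad = filter_packets(SAMPLE_PACKETS, mode)
        print(f"{mode}: accepted {len(ok)}, dropped {[p.src for p in bad]}")
```

Strict mode drops both spoofed packets; loose mode drops only the one whose source has no route at all. That difference is the practical caveat of BCP 84: loose mode is cheap to operate and blocks bogon sources, but it does nothing against a bot forging another routed address, which is exactly what a reflection attack needs.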

Managing Access: Customer Behavior: Access providers routinely offer free security software to customers in the hope of avoiding future help calls after a security break-in. Unfortunately, customers are often not educated about the need to install security software, and even when they are, they may lack the skills to correctly configure a complex system and the motivation to do the work. 

Behaviour in the face of security breaches is depressing: response (or, more usually, the lack of it) is essentially similar for all users (enterprises often use centralized systems to enforce compliance!). Patching of breaches exhibits a ‘half-life’ behaviour in which typically about 40% of the remaining vulnerable systems are patched each month after a patch is issued, leaving a significant number of machines vulnerable for the rest of their working lives.

Maintaining Profitability in Enterprises: Enterprises, particularly large ones, are more willing to investigate security breaches than backbone or access providers are, because breaches can directly impact the enterprise’s operations and profitability. This also motivates enterprises to spend money on security tools, and a thriving market has emerged to meet the demand. Unfortunately, the tools offered provide mostly reactive solutions, such as regularly updated virus scanner databases to counter newly emerging vulnerability exploits, leading to an ongoing arms race between security exploits and patching solutions. Workshop participants expressed concerns that this was not a sustainable situation because it does not enable us to get ahead of the attackers. Also, enterprises are very wary of overly sensitive tools that generate ‘false positive’ responses because of the potential wasted effort if the network has to be shut down unnecessarily.

Over-engineering the Infrastructure: At present, the only effective mitigation strategy for DDoS attacks on critical infrastructure services is over-engineering. There is some concern that the runaway growth of demand especially for DNS services is eroding the safety margins. The expected widespread deployment of IPv6 and deployment of the new DNS security extensions (DNSSEC) in the near future will bring new and potentially flawed software into widespread use that could be abused to generate new DDoS attacks.

Law and Regulation Playing Catch-up

In human society, legal systems provide protection from and deterrence for criminals. Laws and regulations aim to penalise criminal conduct after the fact, but if the likelihood of detection is low, the deterrent effect is also minimal. At present, the development of legal systems aimed at cyberspace crime is lagging behind the development of the crime that the legal systems are intended to deter, and the likelihood of detection of the real criminals is low.

Some of the reasons for the ineffectiveness and slow development of the law of cyberspace include:

  • The international scope of the problem. The Internet spans the globe, and crimes masterminded in one national jurisdiction may be executed by machines in one or more other countries, with victims in yet other jurisdictions. The laws are not uniform across the countries that have legislation, which makes it difficult to prosecute criminals for offences carried out from other jurisdictions. There is also little political incentive to pursue criminals when the victims are not in the same national jurisdiction. Although there is a coalition between countries on collecting evidence of cybercrime worldwide, there is no rigorous way to trace unwanted traffic or to measure the consequences of cybercrime across national borders.
  • Pinning down the responsible organisation. A single episode of unwanted traffic and the botnets that are responsible for much of the traffic can involve many different organisations such as owners of hosts, enterprise networks, and service providers of various kinds. Many of these organisations would see themselves as innocent parties, and others, such as the owners of compromised hosts, see no incentive to take action. This makes it extremely difficult either to regulate effectively in advance to make life difficult for the criminals or to make any organisation responsible for cleaning up after an attack has been detected.
  • Getting the legal definitions right. Lawmakers are generally unfamiliar with the new world of cyberspace, and therefore they often lack the technical understanding necessary to specify laws precisely and in such a way that they will actually target undesirable acts without limiting legitimate use of the network. As in many areas where there are active innovation and financial incentive, the underground economy will always be seeking to push the limits by using techniques that are borderline legal and conceal evidence through complexity. The lawmakers are inevitably playing catch-up in cyberspace.
  • Quantifying the damage. Overstretched authorities are unlikely to take action unless significant damage has been caused. Unfortunately, it is often either difficult to quantify the loss, or, where financial institutions are involved, there is a reluctance to admit the scale of the losses for fear of ongoing commercial damage. Consequently, much cybercrime is either not reported to the authorities or not investigated.
  • Defining unwanted traffic. Countries already differ over what is defined as unwanted traffic, and traffic that would be seen as wholly legitimate in many countries may result in criminal prosecutions elsewhere. It needs only a shift in the definition of unwanted to move from constraining the underground economy to facilitating censorship and limiting open access. There is a trade-off between having audit trails to facilitate forensic analysis and providing the means to enforce censorship. Building monitoring capabilities into the network will surely result in stronger pressure from legislators requiring that operators actually carry out monitoring.

The workshop also emphasised that, while an effective legal system is necessary to create effective deterrence for and sanctions against the parasites, it is by no means sufficient on its own. It can work only in conjunction with effective user education as well as technical solutions to unwanted traffic prevention and detection. Only a well-informed and motivated user community can collectively establish a defense against unwanted traffic in cyberspace.

Consequences

The consequences of the large volumes of unwanted traffic on the Internet today are highly detrimental. The health of the network presents a picture that is far from rosy.

  • There are big economic incentives and a rich environment to exploit.
  • There is no specific party to carry responsibility.
  • There are problems of underdeployment of the limited defensive tools that are available.
  • There are no auditing systems to trace back to the sources of attacks.
  • There are no well-established legal regulations to punish offenders.

The combination of these factors inevitably leads to ever-increasing types and volumes of unwanted traffic. However, the real threats are not the bots or DDoS attacks but the parasitic criminals behind them. Unwanted traffic is no longer aiming only for maximal disruption; in many cases, it is now a means to illicit ends, and its specific purpose is to generate financial gains for the miscreants. Their crimes cause huge economic losses, counted in multiple billions of dollars and growing.

The Internet community needs to increase its awareness of the problem of unwanted traffic and take action to make the network less friendly to this type of traffic. And it needs to do so without significantly reducing the flexibility of the network that has been the key factor in the economic success of the Internet.

All Internet stakeholders can potentially contribute to the reduction of unwanted traffic. At a high level, actions should include the following.

  • Research into specific problems resulting from unwanted traffic
  • Development of a uniform global legal framework to support prosecution across national borders. This work needs to be informed by the best possible technical expertise to ensure that it leaves Internet flexibility intact so far as is possible.
  • Appropriate regulation of network operators encouraging action against unwanted traffic and sharing of information to help mitigate attacks and drive miscreants out of business
  • Increased deployment of available tools, possibly aided by incentivisation through regulation or customer demand
  • Vendors applying more appropriate default security settings in equipment so that newly deployed end hosts are less vulnerable to subversion from the moment they are deployed, without the need for sophisticated configuration by users
  • Vitally, improved education of users to make them more aware of the risks to their systems and the ways in which these risks can be mitigated, and to mobilize them to demand action from network operators where this is needed to support network security in enterprises and homes.

Above all, the Internet community needs to get ahead of the miscreants. At present, almost all activity for countering unwanted traffic is reactive, by post facto identification of malware and retroactive patching of security holes. Recently, there have been improvements in the use of traffic pattern analysis to identify attacks as they happen, but future work needs to be intelligence led, and it must concentrate on eliminating opportunities for miscreants before such opportunities are deployed. 


About the authors:

Elwyn Davies (Folly Consulting Ltd) is a former member of the IAB and a consultant who specializes in Internet Routing and Addressing, IPv6, Security and Delay and Disruption Tolerant Networking.

Loa Andersson (Acreo AB) is a member of the IAB and network architect at Acreo AB.

Danny McPherson (Arbor Networks) is a member of the IAB and currently Chief Security Officer (CSO) of Arbor Networks, an Internet security and traffic management company.

Lixia Zhang (UCLA) is a member of the IAB and Professor of the Computer Science Department at University of California, Los Angeles.

