On Blank Stares, Reflecting Ears, and DDoS Attacks . . .

A Guest Post by Dr. Edward G. Amoroso, CEO of TAG Cyber LLC Whenever I get those dreaded blank stares from an audience having trouble understanding my clumsy description of the spoofing, reflection, and amplification inherent in distributed denial of service (DDoS) attacks, my lifeline is to jump to an analogy. Here is one of my favorites:  

“When I speak to all of you, your ears pick up my voice. This works, because my one voice speaks to your many ears. But imagine if you had special ears that could reflect sound. This would allow you to bounce my voice right back at me. And this would be quite a jolt, because it would sound like all of you were speaking back at me simultaneously.”

(This first part of the analogy helps explain what it means to be overwhelmed by a response to some initiated communication.)  

“Now, the Internet allows computers to lie. For example, they can set their “from address” to anything, including another computer. So if I speak to your special ears, but also lie that I am Eve – sitting over there in the corner – then when you bounce back the noise, Eve will be overwhelmed with your responses, not me.”

(This second part of the analogy helps explain what it means to spoof and redirect the response to a service request.)  

“Here is where it gets weird. Suppose we make your special ears also amplifying ones. That is, if I send a sound to your ears, you not only reflect the sound, but also amplify it many times, like a microphone. You can only imagine how this might make things more overwhelming when you all shout back at Eve.”

(This third part of the analogy helps explain what amplification means, as one finds in the use of the Domain Name System or Network Time Protocol to change small questions into big responses.)  

“The most sinister and clever part of a DDoS attack involves training and incenting many speakers to perform this attack on Eve at the same time. It would be like speakers in auditoriums all over the world speaking to those weird reflecting and amplifying ears and having the result aimed at poor Eve over there in the corner. Now how overwhelmed does Eve feel?”

(This fourth part of the analogy explains how a distributed collection of so-called bots can be trained to participate in a DDoS attack aimed at a single target.)  

“Now, finally, suppose that we take the noise from a speaker and actually make it into something intelligible. It would then be possible that Eve could be commanded to do something potentially destructive over and over and over and over again. The possibilities for such craziness are endless. Eve could even be commanded to start this crazy process of sending a voice to a bunch of special ears and to then . . . ” 

(This last part of the analogy explains how DDoS attacks can move from “dumb” layer 3 packet storms to “intelligent” layer 7 attacks.) The threat of DDoS attacks – highlighted in my 2017 TAG Cyber Security Annual, just released for free PDF download – will only grow in intensity with the progression to virtualized cloud and mobility enabled enterprise services. It is therefore more important than ever that we have good means – perhaps through analogy – for explaining this intense challenge.