Armed Forces Journal Forums  

#1  05-05-2008, 07:19 PM  Administrator (Join Date: May 2006, Posts: 0)
Carpet bombing in cyberspace

The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.

http://www.armedforcesjournal.com/2008/05/3375884
#2  05-12-2008, 01:18 PM  lkcl, Junior Member (Join Date: May 2008, Posts: 6)
alternative solution to DDOS nets

there are many things wrong with advocating that the u.s. military should have its own botnet.

1) the solution to DDOS attacks is to not have any centralised infrastructure that can be overwhelmed. in other words, you make web sites and every other critical service as distributed peer-to-peer services.
  • the microsoft research "Millennium project" was an example of how to automatically replicate web services into distributed cooperative infrastructure when one small server became overloaded. beowulf clustering is another example.
  • from amazon's web site: "Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers."

    of course, it would be better if the service was entirely distributed and not proprietary, but at least it proves the point that you can place your web service into a distributed infrastructure
  • grid computing - e.g. http://grid.org - is a recognised method for performing parallel computation.

etc. - there is an extensive list of options which, if people utilised them, and designed their services around such options, would make it inordinately difficult to disrupt with DDOS attacks. taken down one computer? so what - big deal. there's one thousand other machines you have to take down as well, and every time you take out one, another takes over its tasks, because that's what the "cloud" is designed to do.

2) where - exactly - should this "magic botnet" come from? perhaps it should be from other people's computers - without their permission? so, you're advocating that the united states military should engage in illegal activities?

or, maybe the united states should fund the deployment of a hundred thousand or so computers across the world, for use in attacks? that's equivalent to asking sovereign states to host missile silos, armies and other weaponry on their sovereign soil, because the sole and exclusive purpose of those computers is to "attack" other computers.

if you limit the botnet computers to be within the united states, then you equally have a problem: firewalls and routers outside of the united states (within a foreign country's borders) can detect that a counter-attack is being initiated from a computer inside the united states (geo ip detection) and simply... block or throttle traffic from the united states.

3) critical services on which the united states is dependent for its military or governmental operation should not be accessible from outside the united states. period.

for example, from outside the united states, why is it possible for me to be able to get to the http://www.gordon.army.mil/ web site?

why is this web site not restricted to a darknet (peer-to-peer anonymous distributed network e.g. i2p or gnunetd) or a VPN?

4) why do people _insist_ on utilising and promoting the microsoft operating system, which is a monoculture operating system with over 95% world-wide exposure?

if you continue to utilise a monoculture operating system, it should come as no surprise that it can be taken over and used for DDOS attack purposes.

5) creation of a retaliatory botnet (out of other people's PCs, running windows) can, due to the overwhelmingly insecure nature of windows, result in you providing a fully-armed network which could potentially be compromised and be used against you.


there is a lot more that can be said here but it's getting a bit long. the bottom line is that it's an exceedingly bad idea to create a retaliatory-attack botnet, from the psychological perspective as well as the practical one, and there are alternative solutions and workarounds.
#3  05-12-2008, 04:13 PM  lkcl, Junior Member (Join Date: May 2008, Posts: 6)
"own goal"

oh - and the best one: many botnets end up infiltrating military networks. it would be a bit of an own goal to perform a DDOS attack against compromised machines that you accidentally identified as "enemy".

so, overall, getting involved in botnet "tit-for-tat" is just ... _such_ a bad idea.

just _sidestep_ the problem - by moving infrastructure onto IPv6 and with darknets on top of _that_, and distributed peer-to-peer databases and services on top of _that_. and if you want to go _completely_ paranoid, dedicated and/or secure ISP access on a local network, behind a NAT, you simply mandate that all personnel accessing the web site must go through a specific ISP.

that's proper "defense" against DDOS attacks: avoid the circumstances where attacks are even _possible_.
#4  05-12-2008, 04:16 PM  lkcl, Junior Member (Join Date: May 2008, Posts: 6)
IPv6 "spoofing" (not possible?)

"Also, a smart enemy will use “IP spoofing” by crafting his own DDOS attack packets to appear to come from somewhere other than the Internet Protocol (IP) address of the real node launching the attack."

from what i have heard, i understand that this is not possible to do with IPv6.
#5  05-12-2008, 04:26 PM  lkcl, Junior Member (Join Date: May 2008, Posts: 6)
culpable negligence????

"On the other hand, if the U.S. is defending itself against an attack that originates from a computer which was co-opted by an attacker, then there are real questions about whether the owner of that computer is truly innocent."

rubbish. absolute rubbish.

most windows users are utterly ignorant consumers that expect their machines to be "appliances". they should not HAVE to be "well informed".

windows users, on discovering that their machine is infected with spyware and viruses, will quite often THROW THE MACHINE AWAY and buy a new one, fully expecting that if they pay more money, somehow, magically, this will translate into "more resistance to attack".

typically, they then revisit exactly the same web sites as they did with the old machine and then end up running exactly the same spyware and viruses... but just... faster than before.

you cannot possibly expect people to be even _remotely_ vigilant in dealing with something that, not only should they never have to be dealing with, but is entirely beyond their comprehension and is beyond most people's desire to even ACKNOWLEDGE.

and - the very existence of "zero day exploits" makes a complete mockery of this argument. "zero day exploits" are where it takes zero days (under 24 hours) for a security flaw to result in malicious attacks propagating through the internet - far quicker than most people's anti-malware is updated.

overall, i am deeply unimpressed with this "real question" that places "blame" onto innocent and ignorant people.

if a terrorist put a live and activated grenade into a bystander's pocket, would you advocate to the army that it's ok to shoot the bystander?
#6  05-13-2008, 09:08 AM  Suhail Manzoor, Junior Member (Join Date: May 2008, Posts: 1)
Borders do not matter

I agree with most of what the author talks about except for the assumption being made that DDOS attacks must and will originate from within well defined borders. Given the nature of the net and the lax security found on most desktop PCs, botnet attacks on Western systems may actually originate from within the borders of NATO countries.
Far more troubling is the possibility of remote controlling a timed attack where the actual origin of the controller may be hidden from plain sight. This raises the potential for non state players to trigger a cyber-attack for reasons only known to themselves.
Given all this, I would suggest that not only does America need "carpet bombing" capability but also the ability to surgically strike and expunge selective nodes on the network, something very similar to an autoimmune system. Perhaps what is called for is forming a citizen's botnet. One can envisage leveraging something like the Seti@home architecture to install a military grade botnet on a larger number of machines than the one the author asks for. Having this capability would result in state players playing by the rules of war; conversely, most of the wars and battles fought on the net will be by non state players and their surrogates.
#7  05-13-2008, 10:01 AM  Aodhhan, Junior Member (Join Date: May 2008, Posts: 1)
Seriously...stop.

Keeping my responses brief, I won't go into great detail, but any computer engineer can explain what I am saying.

Intrusion prevention/detection machines are already being used to their maximum capability. It takes a lot of cycles to look through packets and bump them up against "images" of possible malicious code. Adding extra code in an "offensive" capability at this point wouldn't be smart. Also, this is an area where packets are going INTO the network; why would you want to use a program which will also send packets OUTBOUND on the same packet highway (so to speak).

Using old machines may or may not be a bad idea. However, removing the hard drive and adding flash memory (better would be some sort of EPROM; if it was feasible) will not make the computer run faster or more efficient. It would still have the same outdated processor and the same outdated bus size.

Launching a DDOS does have its drawbacks. Number one is, when launching one, you are using all your resources and pipes to do it. Therefore, while launching, you pretty much shut down your own network's normal activity (and the infrastructure along the way on your network; DISA would be very unhappy).

Also, you need to have a lot of IP Addresses; something the DoD in general is in short supply of. Of course you could use NAT, however this creates a HUGE choke point, which would pretty much end the DDOS.

If you were going to use a DDOS, it would be best to launch it from networks the enemy has and/or trusts. This way, you aren't cutting off your own resources, and most important of all... they cannot just easily shut off your packets at a convenient router. It is easy to drop off packets from a DDOS attack. In fact, most network security systems at the very edge of major gateways do this automatically already. In other words, as soon as your packets get to the first Chinese router, they are dropped off... and so is your attack. If you used a Chinese IP and it comes from outside China, that first in-country router is probably smart enough now to say... Yeah, right! Goodbye.

This also kicks your "Spoofing" idea out the window. Again... once a security device sees a large amount of packets coming from somewhere it can drop them. No matter what the IP address is. Especially if it is coming through a router which this particular IP address shouldn't. I could also talk about the defensive capabilities of 'selective routing' within a large infrastructure of networks which can defend against this attack, but you can read about it on your own.

One of the neat things about a large network: the bigger it is, the more stable it is (if put together properly). A millipede can lose a lot of legs before it is no longer mobile.

Are there ways to take down a large network or a country's network infrastructure? Sure there are. However, launching a huge DDOS attack against a foreign military the way you describe it isn't the way to do it.

Most important of all. The DoD needs to properly train its individuals in information assurance and network security a lot better than it is now.
Although implementing DoD 8570.01M is a good start, it isn't enough. It will not bring individuals up to the knowledge standards required by CNSSI 4013 or CNSSI 4014; which should be required for both technicians and leadership.

They also need to do a better job promoting skilled computer personnel; which would happen if they increased the certification requirements and education requirements of DoD 8570.01M to meet standards set by the CNSSI documents.
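Aodhhan's point that an edge device can drop a flood regardless of the claimed source address, "especially if it is coming through a router which this particular IP address shouldn't", is the logic of ingress filtering combined with a per-source rate threshold. The following is an added illustration of that defensive check, not code from the thread or from any real network device; every interface name, prefix and flow record in it is constructed for the example.

```python
"""Ingress (BCP 38-style) filtering plus a per-source rate threshold.

Constructed example: every prefix, interface and flow record below is
made up for illustration; nothing here is a real network or real traffic.
"""
import ipaddress
from collections import Counter

# Hypothetical edge-router view: which source prefixes legitimately arrive
# through each customer-facing interface.  A packet whose source lies
# outside its interface's prefixes is spoofed or misrouted and is dropped,
# whatever address it carries (ingress filtering).
EXPECTED_SOURCES = {
    "eth-customer-a": [ipaddress.ip_network("198.51.100.0/24")],
    "eth-customer-b": [ipaddress.ip_network("203.0.113.0/24")],
}

# Any single plausible source exceeding this many packets per window is
# treated as a flood and dropped for the whole window.
RATE_LIMIT_PER_WINDOW = 50


def is_source_plausible(interface, src):
    """True if src belongs to a prefix expected on this interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_SOURCES.get(interface, []))


def filter_window(flows):
    """Classify one window of (interface, source, packet_count) records.

    Returns packet totals for 'forwarded', 'spoof_dropped' and
    'rate_dropped', plus the set of offending source addresses.
    """
    result = {"forwarded": 0, "spoof_dropped": 0, "rate_dropped": 0,
              "offenders": set()}
    per_source = Counter()
    for interface, src, pkts in flows:
        if not is_source_plausible(interface, src):
            result["spoof_dropped"] += pkts      # wrong interface for src
            result["offenders"].add(src)
            continue
        per_source[src] += pkts                  # plausible: count it
    for src, pkts in per_source.items():
        if pkts > RATE_LIMIT_PER_WINDOW:
            result["rate_dropped"] += pkts       # plausible but flooding
            result["offenders"].add(src)
        else:
            result["forwarded"] += pkts
    return result


# Constructed flow records for one window: (ingress interface, source, packets)
SAMPLE_FLOWS = [
    ("eth-customer-a", "198.51.100.7", 12),    # legitimate, low rate
    ("eth-customer-a", "198.51.100.7", 8),
    ("eth-customer-a", "203.0.113.9", 400),    # wrong interface: spoofed
    ("eth-customer-b", "203.0.113.9", 30),     # same address on its own port
    ("eth-customer-b", "203.0.113.44", 900),   # plausible source, flooding
    ("eth-customer-b", "192.0.2.1", 5),        # not expected anywhere
]

if __name__ == "__main__":
    print(filter_window(SAMPLE_FLOWS))
```

Note that 203.0.113.9 is dropped on eth-customer-a and forwarded on eth-customer-b: the decision rests on where the packet entered, not on the address it claims.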
#8  05-13-2008, 11:05 AM  lkcl, Junior Member (Join Date: May 2008, Posts: 6)
skilled personnel (and other issues)

"They also need to do a better job promoting skilled computer personnel;"

if the selection of personnel for assignment to NATO is anything to go by, then there is a lot left for improvement.

a friend said that he was actually _asked_ - i.e. his CO came into the room and said "anyone got computer experience and want to do a stint at NATO?" and of course he said yes and yes please.

two years later he was still successfully manning one of the most reliable and useful IT departments around.

then it all went to shit. he was reassigned, and the new CO, instead of asking for volunteers for the next shift, went into the barracks and said "you, you, you and you, get down to NATO, jump to it. see you in two years".

of course, my friend now had to watch his carefully-designed and meticulously-maintained network services go completely down the toilet and was often called up to do emergency maintenance, five years later.

my guess is that this story could pretty much be told %s/NATO/militaryofchoice/g pretty much the world over (btw %s///g is a vi or sed macro)

no... overall, you only have to look at the slashdot.org and theregister.co.uk coverage of this story to realise that the article's author just... doesn't have a realistic picture in their head of the issues involved.

critical military networks should not be accessible over the internet. period. problem solved.

civilian networks are not the job of the military to address. that's up to market forces to decide - for civilians to put in place the right infrastructure to detect and terminate DDOS attacks (as aodhhan suggests). that they might get some "surreptitious" help in doing that, from quiet groups such as GCHQ and the NSA, is neither here nor there but it is most definitely NOT THE U.S. MILITARY'S JOB.

problem solved on _that_ score, as well.

advocating that "they might attack us so we have to have attack capability too" just smacks of "arms-racism".
#9  05-13-2008, 11:17 AM  Crass Spektakel, Junior Member (Join Date: May 2008, Posts: 2)
In good spirit and bad knowledge

I am always wondering how little western nations are aware of the true power they have over the internet. For example there is a little protocol called BGP, border gateway protocol, which controls dataflow on the big backbones. It basically describes "this bunch of computers is an autonomous system and gets routed following an advanced weighted calculation."

Whoever controls BGP and the backbone routers controls the internet full stop.

The US controls most BGP routers and the BGP central database full stop.

Instead of chopping off your own arms and legs and throwing them at your enemy you better switch off their light and their water, that truly hurts and is cheap for you.

So whenever chinese hackers ddos american systems... switch off the infected bgp routes, parts of china are offline until the origin is taken care of.

Whenever a russian scam is running you simply block the russian banks involved until they cooperate in catching the evildoer.

This all doesn't cost one cent for additional equipment, you simply tell a technician with access to the core routers to insert a single line like "cost AS1234 add 255" and the autonomous system is offline and he can restore it with "cost AS1234 reset". Big deal.
#10  05-13-2008, 01:55 PM  lippard, Junior Member (Join Date: May 2008, Location: Phoenix, AZ, Posts: 4)

A botnet provides two basic capabilities:

1. The ability to create a separation between the agent and an action. Bots are geographically and logically distributed across the network and provide a buffer between the agent using them and the actions being taken. Miscreants use this to hide their illegal activity and avoid connections being drawn between that activity and their real-world identities.

2. The ability to make use of distributed computing power and traffic generation. Bots facilitate looking through a lot of data quickly (like the contents of each bot host and the keystrokes their legitimate users enter) and generate a lot of traffic (including denial of service attacks, spam, phishing emails, and click fraud).

The author's proposal, using military machines, only has the second capability, unless a concerted effort is made to put machines on other people's networks and assign them IP addresses that are not registered to the military. Without the first capability, that makes a military botnet much easier to identify, block, and filter.

The author seems to focus on the use of the second capability, and only the traffic generation aspect, for use in brute force attacks to compromise and deny service to other hosts. The latter function--using a botnet to engage in denial of service--strikes me as an absolutely terrible idea for the U.S. military to engage in. This not only violates the acceptable use policies of the major Internet backbones, it is superfluous. The major network service providers have already developed cooperative response capabilities to facilitate the use of routing changes and filtering to shut down malicious hosts. ISPs already cooperate to stop major attacks with nullrouting, host filtering, and even, when necessary, shutting off BGP routing to a bad-acting AS (like when PCCW shut off Pakistan Telecom after the latter inadvertently announced a more-specific route to YouTube instead of locally nullrouting it). Providers that use Arbor Networks for attack detection and mitigation can create and share attack fingerprints with each other.

If a military botnet began a major DDoS attack, providers would likely take action to put a stop to it. If it was interfering with the providers' own services, it's guaranteed that they would do so.

My presumption is that the military already has capabilities for cyber warfare used to attack and compromise remote hosts. It's not clear to me that a military botnet hosted on military IPs would provide any benefit to such capabilities.

The recent Middle East outages due to subsea cable breaks (several of which were due to boat anchors) show the physical vulnerability of regional networks to certain kinds of attacks. In a military scenario where a particular country needed to be taken out, that kind of vulnerability is likely to exist for most countries the U.S. is likely to be at war with.

I don't think the author's proposal stands up well without taking into consideration the specific features of botnets and how he intends to make use of them. I don't think the proposal makes any sense at all if the desire is to use it for engaging in denial of service attacks--there are already better ways of performing those functions without generating volumes of DDoS traffic.