October 2013

Distributed Solutions for Distributed Attacks Jon Mon, 10/21/2013 - 18:50

Google has been making headlines with their shiny Project Shield which wraps PageSpeed with other tools to defend sites against denial of service attacks. The history of the denial of service, however, runs deep, and underlines that no centralized response to it will ever be able to cost-effectively scale against a distributed attack.

Let's rewind back to the 90s. Denial of service was a very, very different thing then - it was a tool for free expression, not one used to mute dissenting opinions as it is today.
In the dot-com boomtimes of the late 90s, I was absolutely fascinated by the digital protests that sprung up in reaction to Mexico's treatment of the Zapatista Movement. Floodnet was an activist art project by the Electronic Disturbance Theater. Floodnet was simply a website you could visit and it would direct your browser to constantly reload pages on the website of the Mexcian government. In addition to overloading the website with thousands of requests from you and our fellow programmers, you could add in a political message with each page load, to force the government's server to fill their log files with messages like "human rights not found."

"The FloodNet application of error log spamming is conceptual Internet art. This is your chance to voice your political concerns on a targeted server. [...] The server may respond to your intentional mistake with a message like: "human_rights not found on this server." So by creatively selecting phases, you can make the server voice your concerns. It may not use the kind of resources that the constant reloading uses (FloodNet automatically does that too), but it is sassy conceptualism and it invites you to play with clever statements while the background applet is running." (via http://www.thing.net/~rdom/ecd/ZapTact.html)

Floodnet used DoS attacks to protest the Mexican Government
Floodnet used DoS attacks to protest the Mexican Government


This original "denial of service" attack was seen as the digital mirror of a classic "sit-in" protest. It was a way for a David to strike back at a Goliath through technology. However, this, ahem, "sassy" political activism began an arms race that today is dominated by Goliaths alone. Instead of a tool of protest, denial of service attacks are today tools of retribution and ways to mute dissenting voices. They are massively automated and distributed, and are run not by rowdy bands of dissidents, but by well-organized for-hire groups (https://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fe…) and even from government infrastructures.

The only defense, so far, has been equally massive, and centralized, commercial services. This is a growing industry with its own round of disruptive innovators all to itself. This current business innovation is helping to move from the monolithic services protecting online infrastructures at high costs to a more scalable model, with services that smaller websites can benefit from. Still, back-end models are the same - providing shelter from DDoS attacks by having sufficient servers and bandwidth to absorb whatever their proprietary tools and filters cannot outright block.

Open source models to fight back have been conspicuous in their absence - until now.

The Deflect Project, created by the eQualit.ie technology collective based out of Montreal and Dublin, is responding to that gap. They focus on providing protection for activists and journalists around the world, who are subject to DDoS attacks from those who disagree with their views all the way to their own governments. Thanks to grant funding, Deflect is able to offer their services for free to independent media sites, NGOs and non-profits -- but the technology model under the hood is the real game-changer.

Jam Echelon Day, Redux

(Or, how to remind anyone snooping your email of your fourth amendment rights)

So clearly we have a situation here where we failed to learn from the past. Fourteen years ago (Exactly in a few days - Oct 21!), we were protesting ECHELON, which was (is) a "worldwide computer spy network [that] reportedly scans all email, packet traffic, telephone conversations, and more in an effort to ferret out potential terrorist or enemy communications. Once a communication is plucked from the electronic cloud, certain keywords allegedly trigger a recording of the conversation or email in question."

In response (along with a short burst in activity around people trying to figure out how to use PGP), hackers added amusing bonus keywords in the parts of emails that humans rarely see (where junk like the path the email took, listserv details, and so on goes) - many, including myself, added the 4th Amendment to the US Constitution, as well as participating in "Jam Echelon day," when everyone added what we presumed at the time were these mythical "trigger words:"

ATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG KORESH PROMIS MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST.

As an aside: maannnnnn, do you remember the 90s? Was that an unpleasant walk down memory lane or what?

Anyhow, this amusing idea that this would work for more than a few minutes just doesn't seem to die, and someone's trying it with a new "security" tool called ScareMail that "takes keywords from an extensive US Department of Homeland Security list used to troll social media websites and utilizes them “to disrupt the NSA’s surveillance efforts by making NSA search results useless.” "

While that's ... well, whatever. It's a nice thought, right? Probably not very useful overall. Anyhow, it gives me a small boost of civic pride to tweak my email settings and put the fourth amendment text back in to almost every email I send out. This requires an actual email client (Thunderbird works nicely), and some configuration hacking:

  • Go to Edit → Preferences → Advanced → General → Config editor
  • Right click, new, "string"
  • For 'Enter the preference name' use "mail.identity.id1.header.header1"
  • For the string, add "X-Fourth-Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
  • If you have multiple mail accounts, you'll have to do this for each one, using id2, id3, etc. and header2, header3, etc.
  • Restart thunderbird, make sure you didn't break anything. For more details, peek at http://kb.mozillazine.org/Custom_headers
Tags