Friday, March 7, 2014

DDoS Target: Unknown

A lot of media attention has been given to the unrest in Ukraine and Russia. With so much media focus, it's not surprising that terms like Cyber Security and Cyber Warfare will come up a lot. But there are often gaps in the information presented.

My sister asked an interesting question about this article. Specifically a comment from Cloudflare: How can they not know the target of the attack?

That does seem odd. At its core, the internet is a structure for transferring information. So how can you not know the intended recipient of the information?

Well, the internet is usually more complicated than it would seem at first glance. For this question there are two factors driving the additional complexity: IPv4 exhaustion, and Cloudflare being a web hosting company.

Normally when information travels through the internet it is directed to an IP address and a port number. The IP address represents (more or less) a computer on the internet, and the port number represents (more or less) an application running on that computer. For instance, most HTTP (web) traffic goes over port 80, and HTTPS (secure web traffic) goes over port 443.

There are 65,535 available ports so you'll probably never have more applications running on a computer than there are port numbers. But there are only 4,294,967,296 IP addresses available in IPv4. This might sound like a lot, but to put it in perspective Forbes estimated that there were 8.7 billion internet connected devices in 2012. So we're out of IP addresses. Way, way out of IP addresses. So what do we do?

The answer we came up with (network address translation, or NAT) was to change what an IP address represents: instead of one computer, it represents a gateway sitting in front of a number of computers. And instead of a port number representing just an application, it now identifies a specific computer behind that gateway and an application on it.

So now our DDoS attacker doesn't have to target a specific computer: he can target the gateway device represented by that IP and potentially impact every computer sitting behind it. He may or may not choose to use a port number to single out a specific computer and application behind that gateway.

Add to that the fact that Cloudflare is a hosting company. That means they run websites and internet services for other companies. One of their computers (represented by an IP address and a port number) could host websites for more than one company. The attacker may have been going after website A, but impacted websites B, C, and D in the process.

It can quickly become very difficult or impossible to determine what an attacker was going after, and answers like "we're not sure who the intended target was" start to sound completely reasonable.
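To make the two factors above concrete, here is a small model of the attribution problem as a defender sees it. It is an added example written for this post, not code from the original article or from Cloudflare; every address, port forward, site name and packet in it is constructed (the 203.0.113.0/24 and 10.0.0.0/8 ranges are just stand-ins). A gateway owns one public IP and forwards ports to several private computers; one of those computers is a shared web server with three sites on it. Each observed packet is reduced to the set of things it could have been aimed at, and a whole flood is reduced to the intersection of those sets. Packets that only reach the gateway (ICMP, or a port nothing is forwarded to) are consistent with every computer behind it; a forwarded port narrows that to one computer; only a complete HTTP request with a Host header narrows it to one website, and a flood of bare SYNs never gets that far.

```python
"""Why the target of a flood aimed at a shared IP can be unknowable.

Added example for this post; not code from the original article or from
Cloudflare. Every address, port mapping, site name and packet below is
constructed for illustration (203.0.113.0/24 is a documentation range).
"""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

PUBLIC_IP = "203.0.113.10"  # the one public address the gateway owns (constructed)

# Constructed port-forwarding table: public port -> (private host, private port).
# This is the "a port number now represents a computer and an application" idea.
PORT_FORWARDS: Dict[int, Tuple[str, int]] = {
    80:   ("10.0.0.11", 80),    # web server
    443:  ("10.0.0.11", 443),   # web server, TLS
    25:   ("10.0.0.12", 25),    # mail server
    2222: ("10.0.0.13", 22),    # admin host, SSH exposed on a non-standard port
}

# Constructed virtual-host table: the web server serves several sites on one IP.
VHOSTS: Dict[str, Set[str]] = {
    "10.0.0.11": {"site-a.example", "site-b.example", "site-c.example"},
}

# One observed packet. `host` is the HTTP Host header when the packet carried a
# complete request; it is None for ICMP, for bare SYNs and for other traffic.
Packet = namedtuple("Packet", "dst_ip proto dst_port host")


def leaves_for_host(private_ip: str) -> Set[str]:
    """Most specific targets on a private host: its websites if it is a
    shared web server, otherwise the host itself."""
    return set(VHOSTS.get(private_ip, {private_ip}))


def candidate_targets(pkt: Packet) -> Set[str]:
    """Smallest set of things this single packet could have been aimed at."""
    if pkt.dst_ip != PUBLIC_IP:
        return set()  # not our gateway at all
    # Evidence only at the gateway level (ICMP, or a port with no forward):
    # every computer behind the gateway is equally plausible.
    if pkt.proto not in ("tcp", "udp") or pkt.dst_port not in PORT_FORWARDS:
        return set().union(*(leaves_for_host(ip) for ip, _ in PORT_FORWARDS.values()))
    private_ip, _ = PORT_FORWARDS[pkt.dst_port]
    leaves = leaves_for_host(private_ip)
    # A Host header names one site on that server; a bare SYN never gets that far.
    if pkt.host in leaves:
        return {pkt.host}
    return leaves


def attribute_flood(packets: List[Packet]) -> Set[str]:
    """Intersect the per-packet candidates: what survives is consistent with
    every packet seen. One element means the target is identifiable; several
    means the honest answer is "we're not sure"."""
    candidates = None
    for pkt in packets:
        c = candidate_targets(pkt)
        candidates = c if candidates is None else candidates & c
    return candidates or set()


if __name__ == "__main__":
    # Three constructed floods against the same public IP.
    random_port_syns = [Packet(PUBLIC_IP, "tcp", p, None) for p in (40001, 51234, 60000)]
    port80_syns = [Packet(PUBLIC_IP, "tcp", 80, None)] * 3
    http_requests = [Packet(PUBLIC_IP, "tcp", 80, "site-b.example")] * 3
    for name, flood in [("random-port SYN flood", random_port_syns),
                        ("port-80 SYN flood", port80_syns),
                        ("HTTP request flood", http_requests)]:
        print(f"{name:22s} -> possible targets: {sorted(attribute_flood(flood))}")
```

The point the model makes is that the observable evidence shrinks as the attack moves down the stack: a SYN flood at random ports says nothing beyond "this gateway", a SYN flood at port 80 says "one of the sites on this web server", and only an application-layer flood that completes requests carries the Host header that names a single site. Real floods are usually the first two kinds, which is why the intersection stays large.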