The Department of Defense (DoD) says it’s getting ready for the big one, but in this case, it’s not talking about a kinetic attack measured in megatons. It’s referring to a cyberattack measured in terabits.
“We know it’s coming,” Army Lt. Gen. Alan Lynn, director of Defense Information Systems Agency (DISA) and commander of Joint Force Headquarters–DoD Information Networks (DODIN), said this month. Not long ago, attacks that measured at 1 or 2 gigabytes (or gigabits) had an impact on networks, but now, Lynn said, “we get 600-gig attacks on the Internet access points and unique, different ways of attacking that we hadn’t thought of before.”
And the increasing scale of the attacks isn’t slowing down. “There’s now, we would call it the ‘terabyte of death’–there is a terabyte of death that is looming outside the door,” he said. “We’re prepared for it, so we know it’s coming.”
In describing the size of attacks in terms of gigabytes or a terabyte, Lynn is referring to volumetric distributed denial-of-service (DDoS) attacks, which are usually measured by the rate at which attack traffic arrives, in gigabits per second (Gbps) or terabits per second (Tbps). Some reports describe attacks in gigabytes per second instead; since a byte is eight bits, the two figures for the same attack differ by a factor of eight. DDoS attacks, just one of the many kinds of attacks DoD has to reckon with, flood a target website or network with traffic from multiple sources, making it difficult or impossible for legitimate users to reach important information and at times forcing a site to shut down.
In the past, some DDoS attacks could be written off as more nuisance than menace, resulting in some downtime but no long-term damage. But for DoD, the escalation of these attacks threatens to disrupt high-priority systems such as command and control networks and missile defense systems, for which uptime is paramount. Attacks could also negatively impact weapons systems such as the F-35 Joint Strike Fighter, which Lynn described as a “flying mega-computer.”
DDoS attacks employ botnets, networks of compromised computers whose owners are usually unaware that their machines have been enlisted to generate the traffic that overwhelms a target. The growth in the size of DDoS attacks can be partly attributed to the increasing number of connected devices, including a rash of unsecured devices on the Internet of Things (IoT), as well as to new techniques for deploying them and how-to guides being posted online. An Akamai survey found that DDoS attacks increased by 28 percent worldwide in the second quarter of 2017 alone. The scale of the largest attacks, meanwhile, grew from 300 Gbps in 2013 to 400 Gbps in 2014 and 500 Gbps in 2015, according to Deloitte Global. The year 2016 saw the first attack to reach the terabit threshold, when a French website was hit with an attack that peaked at 1.1 Tbps.
Considering that attacks have broken the 1 Tbps barrier, “and given the rise of IoT devices and the potential to weaponize those devices, the question we should be asking about the likelihood of a large-scale attack is ‘when’ not ‘if,’” said Tom Ruff, vice president of Public Sector at Akamai, which provides web security and DDoS protection to DoD.
Ruff said defense agencies need “on-demand scalability” and built-in resilience to withstand volumetric attacks. Akamai, for instance, runs its Domain Name System (DNS) service over seven different networks so it can lose one or two and still stay up. Many organizations, though, “are running on just one, so future large scale attacks will continue to be catastrophic,” he said. The key is engaging an attack at the edge of the network, just as DoD prefers to engage an enemy away from U.S. borders, he said.
Deloitte, writing in the Wall Street Journal, recommends similar steps: decentralizing systems, maintaining extra bandwidth to absorb an attack, proactively testing for vulnerabilities, and using advanced traffic filtering to detect anomalies more quickly. DoD is also researching those kinds of steps through programs such as the Defense Advanced Research Projects Agency’s Extreme DDoS Defense, which includes dispersing assets, disguising behaviors, and using adaptive responses to attacks. In the meantime, the military services are changing how they handle web traffic, running more of their operations through the DISA-managed Joint Regional Security Stacks (JRSS) that underlie DoD’s Joint Information Environment.