Tuesday, May 13, 2008

Bad military botnet proposal

An article by Col. Charles W. Williamson III titled "Carpet bombing in cyberspace: Why America needs a military botnet" has been published by the Armed Forces Journal.

Col. Williamson, seeing that miscreants are using compromised machines all over the Internet to create botnets used for malicious purposes, has decided that the military needs to create its own, legitimate botnet. He proposes that this would be used in order to respond to online attacks from foreign countries by attacking the attackers, including both government and civilian attacking machines as necessary. He specifically proposes not using compromised machines (which would be illegal), but using machines on the af.mil (U.S. Air Force) network, including all hosts on the NIPRNet (Nonsecret IP Network).

The proposal doesn't really make any sense to me.

First of all, attacks from hostile compromised machines on the Internet occur on a daily basis and are already handled by network service providers. These attacks are never likely to be initiated specifically from an individual attacking country's systems, but rather from compromised systems all over the world--sometimes including compromised systems belonging to the U.S. military. Second, the best way to respond to attacking systems is not by launching hostile traffic back at them, but by filtering them or nullrouting them. Again, network service providers already do this today, and cooperate with each other in addressing major attacks. Thirdly, if the U.S. military sets up a botnet and uses it to launch denial of service attacks, it will be in violation of its own contracts with its network service providers--I don't know of any network service provider that offers a military exception to its terms of service regarding denial of service attacks. Fourth, if all of the U.S. military bots are on its own network, their aggregate bandwidth still can't exceed the bandwidth of its connections to other networks. Fifth, if there are attacks coming from another country that the U.S. is at war with, the recent subsea cable outages in the Middle East suggest that there are other effective mechanisms for disabling their ability to engage in Internet attacks.

Finally, it's not clear to me what benefit would be obtained from the military setting up its own botnet on its own network using its own IPs. Botnets offer two main benefits--(1) offering a distributed platform for computing and traffic generation and (2) creating a buffer of separation between the agent performing an action and the action itself. The second benefit occurs because the miscreant doesn't own the machines that make up the botnet, lots of other people do. A botnet composed entirely of hosts on the military's network is relatively easy to identify, filter, and block--the second benefit doesn't exist. The first benefit is also mostly lost if you use your own network and hosts. The point of a distributed denial of service attack is to use up the other guy's bandwidth, but not your own. That's very easy to do if you're not using your own resources, which is why distributed denial of service attacks use compromised systems and, sometimes, methods to amplify attacks using other people's servers that send out responses that are larger than the requests that prompt them. But if you're using your own resources on your own networks, you're limited to the bandwidth you have at your network interconnection points, and multiplying hosts inside that perimeter gains you nothing except a guarantee that you can saturate your own internetwork connectivity and cut yourself off from the outside unless your target has less bandwidth than you do. It's ironic that Williamson complains about a "fortress mentality," while making a proposal to create a gigantic bot army inside the military's own perimeter. A million-man army doesn't help you if they're inside a fortress with exits that restrict its ability to be deployed, except when you can win the battle with the number of men who can leave the exits at any one time.

I've also posted a comment on the Armed Forces Journal article at the AFJ's forum where I make a few additional points. I also agree with many of the other critical remarks that have been made in the thread there. "Crass Spektakel"'s point that "Whoever controls BGP and the backbone routers controls the internet" and that most of the control of BGP routing and the routing registries resides in the U.S. is a good one. A similar point could be made about DNS.

Other posts on this subject:

Kevin Poulsen at the Wired blog
Jon Stokes at Ars Technica

UPDATE (May 14, 2008): I may take some heat for even suggesting this, but an idea which actually takes advantage of both of the characteristic benefits of botnets I listed above and would be far, far more effective than Williamson's proposal would be if the military produced bot software along the lines of SETI@Home and Folding@Home, which anyone could volunteer to download and run on their home or corporate machines (or better still, made available to run on XBoxes and Play Station 3s), for use by the military when needed. Some of the abuse worries could be defeated if the activation and deactivation of the software was fully under the control of the end user, and the military obtained appropriate permission from upstream ISPs for activities which would otherwise constitute AUP violations by end users.

I hasten to add that this is still a terrible idea--putting such software out in public makes it a certainty that it would be reverse-engineered, and the probability of it being compromised by third parties for their own abuses would correspondingly increase.

UPDATE: Looks like Paul Raven beat me to the "Milnet@Home" idea, as he dubs it. A commenter at Bruce Schneier's blog also came up with the same idea.

F-Secure's blog also offers some good criticisms of Williamson's proposal.


Joshua said...

That's pretty interesting. So is the bottom line that the proposal isn't really injurious to our civil liberties but just breathtakingly stupid?

Lippard said...

The only threat to civil liberties and law I see is that launching DoS attacks violates terms of service of ISPs--the military would be violating its own agreements with its Internet providers--and that DDoS itself is likely to cause collateral damage to people's ability to access resources (including to the military's own network, since the proposal puts all of the bots there).

Breathtakingly stupid is probably accurate.