With yet another announcement of a vulnerability being exploited for DDoS attacks, this time on unprotected memcached processes, I started to wonder: Is this the new standard? What can we do about it? Well, only one thing left to do: redesign the entire Internet.
This week’s DDOS vector comes from memcached, a process that runs on web servers to make them work more efficiently. Amazingly enough, it seems the default configuration leaves the memcached port open to the entire world. A UDP port that is – so it is extremely simple to abuse in a DDOS attack. All that an attacker has to do is to search for hosts with the memcached port open, and then send UDP traffic to it from a fake source address. As you should know well by now – this is far from the first UDP-based DDOS attack – this makes it possible to abuse it heavily.
With this, the umpteenth UDP-based attack, in mind, time for a thought experiment. What if we could throw the current Internet in the trash and start redesigning it from scratch? It would be a great opportunity to save us from a lot of problems. What would I have done differently?
A New Internet
First of all, I would make sure that from the start we would have had enough IP-addresses for everyone. That way, we wouldn’t have to change protocols halfway through such as we’re now trying by going from IPv4 to IPv6. Secondly, I would have all network hardware check the source IP addresses of every packet and dropping it if that source IP address does not live behind that port – and this would be a default setting that cannot be disabled. Finally – do we really need UDP? No UDP and obligatory source address validation would put a stop on most DDoS-attacks already, wouldn’t it?
In that same perspective, I had to think about a former colleague of mine, who (in the beginning of this century) was always saying that we should have never made SMTP the standard protocol for sending e-mail. In the old days of SMTP, e-mails could be sent by everybody to everybody – and even though anti-spam measures are abundant these days, the “wide open” basis is still there. My former colleague was a big fan of the X.400-protocol and he always exclaimed that with X.400, there would not have been any spam.
Some other thoughts that came to mind: standard end-to-end encryption, ADSL should have never been invented (it is the reason fibre optic cables still are not running to every house) and oh, the dream of a worldwide, large MTU size … Oh, how beautiful the Internet could have been!
One can dream
Of course, my ideas are easy with all the knowledge we have today. But in my opinion, the simple fact remains: the current state of the Internet is not the best any more. Will we ever be able to improve it? Or can we only stay day dreaming about a redesign? Today’s question to you is simple:
If you were able to redesign the Internet, what changes would you definitely make?