May 29, 2017

Security Lessons from the Big DDoS Attacks

Last week saw news of new Distributed Denial of Service (DDoS) attacks. These may be the largest DDoS attacks ever, peaking at about 300 Gbps (that is, 300 billion bits per second) of traffic aimed at the target but, notwithstanding some of the breathless news coverage, these attacks are not vastly larger than anything before. The attacks are news, but not big news.

The attacks were aimed at Spamhaus, which publishes lists of purported spammers. Unsurprisingly, the attackers appear to be associated with spamming—specifically, with Cyberbunker, which is accused of hosting spammers.

One interesting aspect of the attacks is the way they exploited externalities. “Externality” is an economics term. For our purposes, it describes a situation where a party could efficiently prevent harm to others—that is, a dollar’s worth of harm could be prevented by spending less than a dollar on prevention—but the harm is not prevented because the party has little or no incentive to prevent harm to strangers. Externalities are a common problem in security—they’re one of the reasons the market has trouble providing adequate security. The recent DDoS attacks exploited three separate externalities.
[Read more…]

How much does a botnet cost, and the impact on internet voting

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for “world” vs. specific countries – and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them are, the cost per vote is still very “reasonable” under this scenario.

And as John Sebes responded in an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good because $10 is cheaper than $35 and it and saves the trouble of paying the gatherers who are at risk for a felony.”