An Internet joke that goes back at least to the early 1980s consists entirely of the phrase: “Imminent Death of the Net Predicted!” Every year, even more often than you’d hear “This will be the year of the Linux desktop!” someone would predict that the Internet was going to go to hell in a handbasket — and nothing happened. This year it’s my turn, but I fear I’m going to be proved right.
Take a good look at what happened to the Internet in 2014. In February we saw the biggest distributed denial-of-service (DDoS) attack of all time. It hit a high of 400 gigabits per second (Gbps). That’s more traffic than the total Internet bandwidth of a small country.
In October. Akamai reported that in the previous quarter it alone had defended its customers, against 17 DDoS attacks flooding targets with traffic greater than 100 Gbps, with the largest topping out at 321 Gbps.
And, as every Xbox and Sony PlayStation gamer knows, Xbox Live and the PlayStation Network were knocked out for about 72 hours during the Christmas holiday weekend by DDoS attacks.
Who thinks we’ll see a petabit-per-second DDoS attack in 2015? I do.
An attack of that magnitude may come from hackers, such as Lizard Squad, going after gaming companies for reasons that will undoubtedly remain obscure. But I think it’s much more likely that it will come from a nation state.
Cyberwar is not just the stuff of science fiction. It’s already happened.
Russia has been accused of taking out Estonia’s Internet in 2007 and Georgia’s network in 2008. Richard Stiennon, principal at security consulting firm IT-Harvest, expects that if Russia decides to seriously attack Ukraine, Ukraine’s Internet would be Russia’s first target.
Meanwhile, North Korea has accused the United States of attacking its Internet. And, of course, before that the FBI had said that North Korea was responsible for the Sony intrusion.
Someone is going to pull the trigger on a truly gigantic DDoS in 2015. The only question is who.
How these attacks be made isn’t so mysterious. Attackers need only abuse long-existing problems in such basic Internet protocols as Network Time Protocol (NTP) and Domain Name System (DNS). We are running the Internet using decades-old technology, and we’ve been really, really lazy about upgrading it.
For example, DNS-based attacks could be mitigated by the use of Domain Name System Security Extensions (DNSSEC). DNSSEC has been around since 2010, but it’s still being deployed by only a tiny number of companies.
In the meantime, we also saw in 2014 an absolutely core Internet security protocol, OpenSSL, ripped apart by the Heartbleed bug. Months later, long after fixes were available, 300,000-plus Web servers were still vulnerable to that bug.
I have no doubt that other security holes are hiding in old, fundamental Internet protocol programs, and we’ll find out about them the hard way in 2015.
Finally, let’s not forget good old human error. Logins and passwords are also being swiped by cyber-crooks from companies all the time As former FBI director Robert Mueller said this summer, “There are only two types of companies — those that have been hacked, and those that will be.”
Even the tech elite are vulnerable. Earlier in December, ICANN, which oversees DNS, was hacked. The attacker got access to user information, including email and postal addresses. ISC, makers of BIND, the world’s most popular DNS software, also got hit, but we don’t know what, if any, information was taken from the site.
Ever since I got into technology, security has been an afterthought. Security is what you do after you’ve been hacked and you’ve fired your CIO. 2015 is the year that attitude catches up with us.
I don’t know how or when it will happen, but I do know what will happen. There will be a DDoS attack, probably exploiting some zero-day vulnerability of a fundamental Internet program. It will be big enough that it won’t just knock some company or small country off the Internet; everyone in the world will feel its effects. And it may or may not make use of information stolen from a major IT company or Internet service body.
2015 will be the year our Internet security laziness will catch up with us. Frankly, I’ll be happy if I’m dead wrong about this, but I don’t think I am.