>> Brian: Welcome to the AMA Conference Center in New York City, and for those following us online, my name is Brian Cute. I am the CEO of Public Interest Registry. Public Interest Registry, or PIR, is the operator of the dot org top-level domain on the internet. We, along with New York Tech, a New York City based technology industry association, and the Internet Society, New York Chapter, want to welcome you to today's event, Mitigating DDoS Attacks: Best Practices for an Evolving Threat Landscape. For those of you online, today's event is being webcast on the ISOC Livestream channel, and on that channel you can also post questions. We welcome questions from our online audience to bring into the Q&A session today. You can also follow the event at the hashtag DDoS, and with that, let me introduce today's session, Mitigating DDoS Attacks: Best Practices for an Evolving Threat Landscape. Distributed denial of service attacks are deliberate attempts to make internet-connected machines or network resources unavailable to their intended users by temporarily or indefinitely interrupting or suspending DNS service. Unfortunately, DDoS attacks are an all-too-common reality across today's internet landscape. Examples abound; most recently, large-scale attacks have been directed at major U.S. banks since September of 2012. Online service providers and corporations around the world are often targeted. DDoS attacks have been directed against government websites, and it's quite possible that some attacks were at least condoned by governments. Whether a DDoS attack is motivated by criminal intent, like cyber extortion, or is executed as an extreme form of free expression, the resulting service interruptions can have wide-ranging effects. Today's program will explore the motives behind and targets of DDoS attacks. We will address the ways attacks are carried out, as well as mitigation techniques and the importance of collaboration.
We will also explore the risks of unintended consequences related to DDoS attacks. Now, before I introduce our esteemed panelists, I wanted to note that PIR recently conducted a survey in the United States to test the public's awareness of DDoS attacks, this very important and growing problem on the internet. Among the results, we found that 85% of the respondents did not know what a DDoS attack was. When asked, "What would you do if you were made aware that DDoS attacks were taking place?", among the very revealing responses were "Call the Geek Squad," which is a technical service organization that comes to fix your home computer, "Call my spouse," or "Go to Google." And while we're very happy to have a Google representative here on the panel today, I think these answers reveal the depth and breadth of misunderstanding and lack of awareness about this very important problem among the public. So today we're going to try to begin to chip away and provide some awareness about the important problem of DDoS attacks and how we collectively can address them effectively. So with that, let me get on to the introduction of today's panelists. Today's panelists represent a variety of organizations that operate at various points in the internet ecosystem. Their wealth of experience and insights from industry, government, and civil society perspectives should help us better understand the challenges of DDoS attacks and identify mitigation practices. First, at the far end, we have Mr. Jeff Greene. Jeff serves as senior policy counsel at Symantec. Jeff focuses on cyber security, identity management, and privacy issues and works extensively with industry and government organizations. Prior to joining Symantec, Jeff was a senior staffer on both the U.S. Senate and House Homeland Security Committees, and before that was an attorney with a Washington D.C. law firm. Next we have Ram Mohan. Ram is the Executive Vice President and Chief Technology Officer at Afilias Limited.
Ram oversees key strategic management and technology choices for the Dublin, Ireland-based provider of internet infrastructure services. Ram also serves as a director and key advisor to the Internet Corporation for Assigned Names and Numbers, or ICANN, the Internet Society, and the Anti-Phishing Working Group. Next, we have Dr. Damian Menscher. Damian is a Security Engineer at Google, where he leads the DDoS Defense Team. Damian uses his front-line experience defending against today's largest attacks to design defenses that will automatically mitigate future attacks. He also reduces botnet sizes by directly informing users of infections on their machines through targeted messaging on Google. Previously, Damian gained experience in large-scale data analysis while completing his PhD in computational particle physics. I could barely say that. Next is Miguel Ramos. Miguel is Senior Product Manager at Neustar Inc., responsible for Neustar SiteProtect, a leading cloud-based DDoS mitigation service. Mr. Ramos has extensive experience in product management, marketing and technology. Previously, Miguel was a Product Manager in charge of the hosting and email product lines at Network Solutions, a leading domain registrar and online services provider. We were also to have Wout de Natris from the Netherlands. Unfortunately, Wout is here in New York but came down with a sudden illness of food poisoning. We regret deeply that he's not here with us today. He was very eager to be here with you and we wish him a swift recovery. Next on the panel is Danny McPherson. Danny is the Chief Security Officer for Verisign, the trusted provider of key internet infrastructure services, including two of the root servers and the dot com and dot net name spaces. Danny is responsible for strategic direction, research and innovation in infrastructure and information security.
He currently serves on the Internet Architecture Board, the ICANN Security and Stability Advisory Council, the FCC's Communications Security, Reliability and Interoperability Council, and several other industry forums. And finally, on the near end, we have Ms. Jillian York. Jillian is the Director for International Freedom of Expression at the Electronic Frontier Foundation, where she specializes in free speech issues and the effects of corporate intermediaries on freedom of expression and anonymity, as well as the disruptive power of global online activism. Prior to joining EFF, Jillian spent 3 years at Harvard University's Berkman Center for Internet and Society, where she worked on several projects including the OpenNet Initiative. Thank you all for coming; we appreciate your time. Now, the way we're going to structure today's event and discussion is that I will do a first round of introductory remarks from each of the panelists. We'll keep it brief, and we're basically going to try to set the stage, the background on DDoS attacks. Now, before I get there, I just want to offer a little reaction from the common man. "I've been in the industry myself for 10 years. I have a familiarity with DDoS attacks and internet infrastructure, but in approaching this event and preparing for it, I went online and pretended to be an average guy from Columbus, Ohio. What would I find if I'm trying to educate myself online about this serious problem? And in doing that, what jumped out at me is an issue of nomenclature, an issue of language, an issue of understanding, potentially barriers to understanding and awareness."
So I'm going to ask Jeff Greene to start painting the picture of what DDoS attacks are, and while we have a number of brilliant engineers on this panel, let me suggest that when one goes online as the average guy from Columbus, Ohio, he runs into things such as DoS, DDoS, DRDoS, Smurf attacks, SYN floods, ping of death, attacks that are perpetrated by Trojans and zombies, attacks that are combated through techniques like black-holing, sink-holing, and intrusion protection. Our job today is to utilize the expertise of these brilliant folks on our panel to help translate all of these very intimidating words around attacks on the internet so that we can raise awareness for the public. So, Jeff, if you wouldn't mind kicking this off for us.

>> Jeff: Sure, thanks again for having me, and thanks for including me with such a great group of folks up here. I thought I'd give a little background on some of the trends we're seeing at Symantec in DDoS attacks, motivations also, and hopefully set the table for the conversation. The first thing I would start by saying is, when you're thinking about a DDoS attack, don't conceptualize it as a single event or a siloed activity. You really need to think about it as potentially part of a larger effort directed at you or directed at an entity or organization. It can still be a one-off, but more often nowadays, it is not. In terms of motives, they can run the gamut: it can be harassment, political, it could be mischief, you know, there are probably still some 15-year-old hackers in the basement somewhere. [00:10:06] It could be someone, you know, annoyed or frustrated with a particular company or entity and going after them. It really runs anything. It could be extortion, simple "pay me" type activity, or, more common now, what we're seeing more of is what we're calling multi-flank attacks, and transitioning to talk about some of the trends, we'll start there.
If you folks saw, I think it was in October, Defense Secretary Panetta was talking about cyber security, and one of the things he mentioned was these flank attacks, and DDoS is certainly a part of them and has become less of a blunt-force attack and more of a sophisticated diversionary attack; I should say it can be. The goal is basically drawing attention and resources away from standard security to focus on this response and leaving perhaps yourself open to other activity. One example that we talked about at a conference earlier this year: DDoS was a big part of it, but the DDoS attack happened actually at the end of the activity. This particular effort was directed at mid-sized banks. It began with spear-phishing and other efforts to compromise some IT administrators at the bank. Once that is successful, the bad guys will then spend their time figuring out what they need and what they want, and it was at this point that the DDoS attack was launched in one of the cases that our folks talked about. It was done on a Friday afternoon when staffing was light; naturally, resources were directed at responding to the denial of service attack, which then left other activities perhaps unmonitored, and that's when the criminal enterprise or individual actually began the more sophisticated attack and actually traded a lot of information that allowed them to clone ATM debit and credit cards. There were press reports about one bank having lost 9 million dollars over the next 48 hours. So again, the DDoS was a big part of it because it really facilitated the ability to conduct a larger crime. Another trend we're seeing is crowdsourcing of DDoS attacks. You may be familiar with Operation Payback, which is something that Anonymous was behind. It initially started as a response to some anti-piracy efforts and turned into a response when WikiLeaks became very press-worthy, in terms of some companies responding to WikiLeaks.
So social networking facilitates the crowdsourcing. Essentially, why do you need to go build up or acquire your own botnet to engage in an attack when you could get 100 or 1,000 like-minded friends who will happily do that, thinking that they're doing something for the greater good? And I would also suggest that the criminal enterprises are fully aware of this, and why should they expose themselves or spend their resources if they can gin up some real or imagined affront by a company they're trying to penetrate and get people to unwittingly support their efforts? Another trend is application layer attacks. More sophisticated, generally you get more bang for your buck; you can have more impact with fewer resources. It takes a little more work, but it is something that you will see more of, we suspect, going forward. Two more things. One, insider threat. Not strictly DDoS, but it certainly can be a part of it. What we're seeing generally with intrusions is an increasing number of compromised insiders. Again, often through use of social media. Social media is wonderful, so it allows folks to figure out just how to get at someone, and a compromised insider facilitates the effort, and again, often the DDoS is part of the culmination of it there. Finally, I would say it's getting easier than ever. There are attack kits, there's malware out there that you can buy, optimized for DDoS attacks. As with all the attack kits out there, they're becoming much easier for less sophisticated users. You don't have to have a lot of coding expertise to get some of these up and running and have yourself an ongoing criminal enterprise.
So, circling back to where I began, I would say that, you know, we're here talking about DDoS attacks, but I think it's important in this conversation not to put it in a box and isolate it from other malicious activities that are going on and other vulnerabilities and intrusions, because the bad guys don't think about it that way, so we really, as we're talking about responding to it, should make sure that we don't do the same.

>> Brian: Thank you, Jeff. So in listening, I'm hearing that I have more things to be concerned about, more things to be afraid of, something called spear-phishing, I'm not sure what that is. That this is a broader attack profile against the internet, that there are numerous points of attack, and it's in part a simple attack that is designed to provide misdirection so a secondary attack can happen. So clearly, this is a troubling landscape that I'm trying to sort through. Ram, as Afilias, a registry operator on the internet, you provide technical services for dot org and other top-level domains. From the registry operator's perspective, what is the scope of this problem?

>> Ram: Thank you, Brian, and thanks for having me here. I guess the very first thing is, if you're a registry operator, really what you're doing is you're providing a targeted answer for where the domain names are on the internet. You're a sort of directory, to a large extent, and that's the biggest job that you do as a registry: you get information from people who want to buy domain names or who want to get a website going. You get information from them, store it into a large database, and the biggest thing you do is propagate it instantaneously everywhere around the world. And what that means is that your browser, typing in redcross.org when it's sitting here, or on your mobile phone, typing in redcross.org when you're perhaps in another part of the world, they all translate to get to the actual Red Cross site, and that translation is done by the registry, by the directory.
So that makes it a really interesting place to attack, because after all, if you can compromise or if you can take down the authoritative directory for every dot org domain name in the world, there are more than 10 million dot org domain names. There are more than 10 million dot org websites in the world. If you can take down the provider who is giving the information that says to every computer in the world, hey, for a given dot org, which computer should I go to? Where should I go? If you can take them down, that's not only a coup, but that also is a global event. It gets you noticed. There are many motivations, but that's certainly one of them, right? And that makes the dot org registry, a [inaudible] of what we run, a regular target. Up on the screen you see, this is some data from earlier in the year; it gives you an idea of the scale, the kinds of attacks that come through. So that's 2012, February, and from 2012 February to 2012 June, this is the number of queries, the number of requests coming into the servers that we run worldwide asking for information about a dot org domain name, right. And much of this comes from DDoS. So the foundation for DDoS is very simple, right? It's a denial of service, so all these computers around the world do it: they send a request in to our server saying, hey, tell me where a particular dot org domain name is. And before you even respond they're gone, and they come back again and they say, tell me where. And they do this hundreds of millions of times in, it used to be a very short timeframe, but as you can see here, it's an extended timeframe. Now, what we saw earlier in the year was, in the space of just a few months, February through to June, we had a 3X increase, a 3 times increase in the total volume coming in, in just 4 months' time. But if you look further, if you look at the next screen, that's not the real story.
That 3X increase that I showed you earlier, so that was up to 2012, June, but look at what happened from there through to September. That was a 9X increase in total volume coming through to the dot org systems. In total, from February through to September, that was an 18 times increase in volume. Now, the data is interesting. The real-life importance of this is, as a registry provider, if you're not provisioned and if you don't have the measures to [inaudible] that attacks are coming and then be able to take appropriate countermeasures when such attacks are coming, you could just go down, and going down means that every single dot org website in the world, every dot org email address, okay, every single thing that depends on dot org, sooner or later is not accessible on the internet. It's not happened so far, but the gap between what you provision, and the scale of attacks, and who is attacking you, it's a continuous cat and mouse game. [00:20:05] The other thing that I wanted you to know about is where DDoS is coming from. It's often coming from your PC that is just on at home, connected to your broadband connection. Just sitting there, and you probably don't even know it. If you have a good ISP, if you have a good internet provider, they probably have ways to track it, and many of the internet providers these days are putting in measures to understand whether there's a DDoS attack, whether you're part of a botnet. But when we say a zombie, that's really what it is. Your computer, your computing device somewhere connected online, has been taken over, and you don't know it, but it's now part of a global group of computers that can be harnessed to attack any given target at a moment's notice. And that is pretty scary. It's a pretty impressive feat of engineering, but it's scary, because pulling together 5 million of these is no big deal. Pulling together 40 million of these takes some effort, but it's doable.
And if you have 40 million computers that are just sending a little ping every so many milliseconds, asking for information and then just going away, that becomes a massive problem and something that you really have to work hard to mitigate before it overwhelms you, because if it becomes a tsunami, it's very hard to overcome.

>> Brian: Thank you, Ram, and thank you for giving us pictures, which are worth a million words, and giving us a sense of the scope of the problem, and also, in your comments, connecting this to the "why should I care" question as an individual. If all the dot org sites in the world go down, the organizations who have that website up, whether they're an NGO or not-for-profit trying to do good in their mission, or whether it's an individual or a company in a dot com having their commercial activities interrupted, that's a very serious impact. So as we move through the discussion, connecting the dots to "why should I care," the individual at home, and also the interesting thing is that I might be an unwitting participant in an attack, my machine on my desk at home, and be completely unaware of this. I think we're starting to get to those issues of "why I should care." So next, let's get to, I think, it's Dr. Damian Menscher. So we've heard from a registry operator; now from an online service provider, in this case Google, the leading search engine. Damian, with Google's breadth and depth of technology and reach, this certainly can't be that big of a concern for a company the size of Google, right? Tell me why I'm wrong.

>> Damian: Right, because we have a team of people that worries about this stuff. So, most people don't realize that Google is actually regularly attacked. The reason is, you'd sort of wonder, why would anyone have anything against Google? Well, it turns out we actually host a lot of user content, so Blogspot includes random user content from people all over the world. Sometimes that's controversial.
Similarly, YouTube might have a controversial video on it, and so frequently these sorts of sites do get attacked. And it's not just DNS, as previously mentioned; it's, you know, we see application layer attacks where they'll dispatch the same homepage over and over again at very high rates, you know, upwards of maybe a million times a second. So, you've also probably noticed that we're never actually down, so, if you want to talk about how we do that, if you go to the first slide. So we benefit a lot from economy of scale. When you look at most small websites, there might be a thousand websites hosted on a single machine, because they don't get very much traffic. We sort of turned that around, and we might have a thousand machines hosting one website. You know, Google.com is a big website; it doesn't fit on a single machine. So we do benefit a lot from the economy of scale and pooling our defense resources across our various properties. But, go to the next slide, you have to be a little bit careful about this: if you put everything together, you also have some risk. So, I wanted to talk briefly about how we deal with this, and this also is, as Jeff had mentioned, we have to be careful that we don't distract our security team when there is a DoS attack. If we have one team that focuses on all of security, then when there's a DoS attack we might be looking at that and miss other things. So, what we do actually is, go on, we have layered defenses. So we have a separate team that focuses on DoS attacks, so that when there's an attack we don't lose sight of the other attacks that are happening against us every day. And basically we focus on having layered defenses, so this is a very rough sketch of what our network might look like. We don't see the internet necessarily as a single cloud. We see it as multiple clouds, because we peer directly with several major ISPs.
We go through a layer of load balancing at our network, so if any particular network device gets overloaded, we can work around that. Then we go through a layer of load balancing within our own network to eventually get to the backends that are the web servers serving the actual content. And so by doing this, we're able to shift traffic around to avoid any damage from the attack traffic. We also have many layers at which we can filter out the bad traffic, so at the very edge of our network we might be able to filter out some of the more obvious attacks, but as you get deeper in, or for more sophisticated attacks, we filter them at other places. Another thing I want to mention, though, is this style works really well for a very large company like Google, but most of you are probably more interested in how to defend the small site, and the best advice I have there is that the user comment about going to Google might actually make sense: if they host their site on Google, they automatically benefit from our defenses. They won't even know they're being attacked. And we frequently do see cases of organizations that are under a heavy DoS attack, and they just quickly set up a site on Blogger saying, "Hey, we're being attacked. We're going to use this for our communication for now." That's actually, at one point, the country of Georgia had their Ministry of Foreign Affairs host their site on Blogger, which was entertaining for me to see, like, oh, what are we going to see as a result of this? But the other thing is just making sure that you are pooling your resources with others in your organization; there are other cloud-based DoS mitigation providers that sort of aggregate resources from several different clients and can provide good defenses for you.

>> Brian: Thank you, Damian, and love ice. It's terrific.

>> Damian: Also, our PR people would want me to say it's not as weak as eggs, you know, like fortified eggs.

>> Brian: Boiled eggs. [Laughter] No, terrific, thank you.
>> Damian: Each layer is very strong.

>> Brian: Thank you, and you know, fully appreciating your remarks too, one thing that jumped out at me is that I think one of the challenges we all share in this space is that, from the user perspective, and I'm going to try to keep bringing us back to the user and the average person at home, with this problem there's a low level of awareness, and one of the reasons is because very responsible service providers like Google and the others on this panel have taken on the challenge and objective of staying up and not being taken down by DDoS attacks. You've been successful to date, and as such, for users who have their sites on Google, the DNS is sometimes thought of like electricity; you know, it's just there. My website is up, the internet is up. I only notice it when it goes down. I only become aware there's a problem when there's a problem. So, interesting thought; let's keep coming back to that "why should the individual, why should the user care?" How do we get this on their radar screen in a meaningful way so they can become part of the solution? So with that thought, let's go to Miguel. And Miguel, we're going to ask you to focus specifically on corporate responses from the perspective of a third-party mitigation service provider.

>> Miguel: Sure, and thank you, Brian. I'm going to dovetail on some of the things that Damian was saying. A lot of organizations and a lot of people don't understand or know about DDoS and don't see an issue until it actually happens to them. And at that point, a lot of organizations are kind of scrambling, trying to figure out what it is that they can potentially do to deal with this issue. And they most likely go to Google to try to determine and try to find an answer. So, a lot of people don't think about this because they assume that their ISP or their hoster is actually going to take care of the problem for them.
[00:30:07] Actually, what tends to happen is that when an organization is under heavy DDoS attack, the ISP and the hoster are looking at protecting their own assets and will most likely just shut you down. And so they might contact you and tell you you're under a DDoS attack, but they may not help you through it. So, there are some things that organizations can do to help mitigate this risk. Some organizations look at dealing with the DDoS problem themselves. They'll look at buying their own hardware; they'll look at provisioning bandwidth, etcetera. Unfortunately, a lot of organizations don't have the resources to be able to do that. And it doesn't necessarily make sense for a lot of organizations, because it's sort of an arms race, and it's hard to spend your way out of dealing with this problem as attacks get larger and larger and more complicated, etcetera. So, there are some third-party options that organizations can look at that I would kind of consider to be infrastructure as a service that can be used on an on-demand basis to help organizations deal with DDoS attacks when they happen. So the idea is simply, you don't necessarily have to over-provision all hardware, bandwidth, etcetera, to deal with the risk. You can potentially use a third party that has that capacity and capability when you need it. And, you know, at that point you're looking at options like content distribution networks; they can potentially help deal with absorbing some of this traffic and keeping that traffic away from your network. There are also cloud-based providers that specifically focus on the DDoS problem, and the idea there is, if you're under an attack, your organization can potentially redirect the traffic over to a cloud-based provider that can absorb the traffic, that knows how to mitigate and deal with [inaudible] service attacks, and then sends you basically the clean traffic.
It's sort of, kind of, putting a shield in front of your infrastructure on an on-demand basis when you're dealing with these attacks. So, infrastructure as a service is something that is more affordable for organizations and something that organizations are starting to look at more and more as a way to deal with this DDoS issue. And certainly, there's a lot of information about that on Google, and it's key to become informed.

>> Brian: Thanks, Miguel. So we're beginning to get a clear picture of the scope of the problem from a number of different perspectives, and in addition to service providers such as Google and Afilias, Verisign and Neustar maintaining their services in a way that keeps them up 24/7 and addresses these attacks, for certain organizations there are specific resources available if needed. And that's interesting, as we're beginning to, after setting the scene, now transition towards those solutions and mitigation efforts, the services that are out there designed specifically to provide additional protection. As we transition, Danny, I want you to help the audience understand some domestic initiatives such as the anti-botnet work undertaken by CSRIC, and help us to begin to understand how we can begin to collectively come together to address this problem.

>> Danny: Yes sir, thanks, Brian. So there have been a large number of collaborative efforts between the public and private sector related to botnet infections, compromised machines, malcode proliferation, virulence of threats on the internet, just this broad swath of malicious activity. It's a nontrivial problem to solve, because the ISPs, for example, a lot of folks point fingers at the ISPs, but the ISPs don't [inaudible] systems, their [inaudible] system in particular, the broadband ISP user, residential consumers that acquire service from the ISP, and the ISP shouldn't be looking at their traffic, and, you know, they have privacy concerns or other things.
So, what sort of controls or capabilities can the ISPs actually add to help them? A number of efforts have been underway, actually. One such example is the FCC CSRIC III, Working Group 7, which recently published something called the ABCs for ISPs, and it's basically the anti-botnet code, and they developed it with a number of other folks in the industry, MAAWG, the Messaging Anti-Abuse Working Group, as well as some publications in the IETF and broader participation, actually internationally, from folks from Japan, Cyber Clean, to Australia, Finland, Germany, other folks, and it basically talks about some fundamental things that ISPs can do to help educate, protect, notify, detect malicious threats associated with their consumers, and then activity they might take to help clean that problem or sanitize or provide a little better hygiene on their infrastructure. So, one pointer there is one of the reports, the ABCs again, for ISPs; you can find it on the [inaudible] website or the FCC CSRIC III, Working Group 7 webpage that you can find easily via Google, and so that's certainly one effort. One of the fundamental things, going back to the user, for anyone on the receiving end of a DDoS attack: what you should definitely be looking at is sort of what enables your business. For most of the folks on this panel, you know, network is our business, all right; we're going to focus on providing network services and availability. We're absolutely committed to the security and stability of our infrastructure and services, but for a lot of folks, network enables their business. It enables your email or your web presence or your small business or your e-commerce or retail site. And so, irrespective of what it is, you absolutely need to consider what the critical network assets are, or the critical assets across the board, to your organization, and you identify those, you say, what's the impact of an availability issue or a security issue or a compromise of information impacting those assets?
And how might I put controls in place to help mitigate that or to at least have a plan to respond if there's a DDoS attack or a breach inside my infrastructure, those sorts of things. You know one of the things that I've seen in the past, we did this survey for several years, a previous employer of mine, and most of the folks that responded to this infrastructure security survey didn't actually even have an incident response team in place in their organization even if it's an overlay team, much less an incident response plan. And if you don't have an incident response plan, you're certainly not going to exercise that and so you really don't want to be on the receiving end of something like a DDoS attack and not have a book in someone's hand that says this is the phone number I call for my ISP or for my national CERT or for my vendor that provides a certain service or capability to me, so I think it sort of starts with those fundamentals, identifying critical assets, understanding what the options are to protect the things that are critical to you. If it's moving services to cloud infrastructure, acquiring protection services for those, putting your own controls in place, but you definitely need to consider that in your environment. Consider what the impact would be. These are a real risk to your business and your operations and so, I think fundamentally that's sort of where I would recommend you start, Brian.

>> Brian: Thanks Danny, so interesting in your comments, you mentioned ISPs, we've got registry operators, you've got online service providers, we've got search engines, so we really have a number of different service providers in this community that help keep the internet up in a collaborative way.
The CSRIC effort for ISPs in particular sounds interesting and what we want to get at a little bit later in the conversation is, across this community of service providers who I assume have different roles and maybe different responsibilities in some ways, how do we build on the collaboration that you've begun to speak about and also interestingly, you spoke to the organization and what they should have in place. Understanding what enables your business, having a plan in place, and the question that raises for me is, well how do organizations know they should have these things and how do we educate on that front as well? So we'll get to that in a little bit, but to round out the panel, thank you all so far for shedding some light on the scope and dimensions of the problem and how we can begin to address it, but let me now go to Jillian. Jillian, what I'd like you to talk about from your perspective is what are some of the unintended consequences related to DDoS attacks and in particular, help us start thinking about potential over-reactions to DDoS attacks. We know that these attacks are nefarious in nature, we know that we have a panel of good guys who are doing what they can and doing everything we think they should, but tell us about the unintended consequences both from the malicious attack side and when a well-intended operator tries to take mitigation techniques against an attack.

>> Jillian: Sure, so at the beginning of this I think Jeff referred to, actually I'm sorry, Brian referred to sometimes these attacks being used as sort of an extreme form of free expression. I'm not sure I would classify it as free expression, but we could say civil disobedience, that's been argued by many, and an example of this that might resonate a little bit better than say the Anonymous attacks against MasterCard and Visa, would be people sympathetic to the Syrian opposition going after Syrian Government websites.
That's something that a lot of people have sympathized with, have considered civil disobedience in a scenario where the government has shut down the internet, censored the internet, etcetera. And so nevertheless the vast majority of these attacks are malicious, are directed at, not just these big companies and the big networks, but also at the little guy and that's kind of where my perspective is coming from.

[00:40:06]

A few years ago when I was still at the Berkman Center, we did a study that looked at attacks on human rights websites and independent media websites, and 62% of the respondents to that study said that they had experienced a DDoS attack at some point and as Damian said, Google is sort of at what would you say, the core of the network. Google has resources, they have staff, they own fiber, but then you've got these other small organizations that are what we would say is at the edge of the network. These are organizations that not only are they literally at the edge of the network but they also lack the funding and the staff to ward off an attack. They often have fairly insecure hosting, their host might jack up the cost in an effort to help them and so if you are using say, I don't want to throw any specific examples out there although I have a couple, but if you're using say a shared hosting provider such as Rackspace or Bluehost, I'm not speaking of those companies specifically but, if you're using one of those, and you are the victim of an attack, your provider could kick you off, they could also raise your costs which for many of us would be completely unaffordable. And so, when we're looking at the unintended consequences of these, I mean I think that there's a couple of different aspects here. One is the legal consequences and so I'm not a lawyer and so I should just preface by saying that, but you know these attacks are largely by most governments at this point considered hacking and are dealt with as such. And so in the U.S.
that's governed by the Computer Fraud and Abuse Act and in Europe there are other similar conventions, but I think that we need to start looking at them as a little bit different than that. I think that you need to look at the sort of the [inaudible] behind the attack, we need to look at the consequences of the attack, and I think a great example of this is an attack that was conducted against Lufthansa, the German airline, back in gosh, I'm not going to remember the year, early 2000 I believe, where a court actually did determine that the intent of that attack was not coercion and was there--I'm not a lawyer so I feel like I'm using the wrong language here, but it was dealt with as civil disobedience and so. But that's actually not my biggest concern. My biggest concern is the unintended consequences on these smaller websites and so when we look at the consequences on independent human rights and independent media websites, generally these sites go offline and are not able to quickly get back up and so we've seen attacks that last a week, 6 weeks, or where the site goes down entirely. And so some of the suggestions that have already been given are excellent and I think actually what Damian said in terms of people moving their sites to Google, that's actually one of the suggestions that we give is, if you are a small website, sometimes you're just better off hosting your site on a provider like Google where you have those resources to back you up. We've also, my organization along with the Tactical Technology Collective has also developed this guide which is really, really basic mitigation techniques. We're not even talking about the kinds of things that a corporate website or even a large-scale organization would use, but the things that your blogger, your independent media site might utilize. And this is available, I'll share it after, but it's also available in 9 languages.
And so just to sum up, I would say that we need to think about these attacks, not just how they affect major websites, but also how they affect much smaller organizations.

>> Brian: Thank you. So thank you all. We've now set the scene, I hope, and provided some baseline understanding of the nature of the attacks, the scope of the attacks. We have 2 hours. What we're going to do is as follows, we're going to leave 30 minutes at the end for Q&A from the folks in the room and from online and we're looking forward to all of your questions. We're going to have basically 2 sessions now. What I'm going to do now is engage in some Q&A with the panelists and we'll have 45 minutes for that and then we have in the second session a scenario that we've built that we want to roll out in front of our panelists and ask how they, in their respective roles, would react to that particular scenario. Now I've got about 7 questions or so, we've got 45 minutes so this isn't rapid-fire but let's leave about 5 or 6 minutes for a response to each of these questions. This is open to anyone on the panel so let's be dynamic, raise your hand, don't be shy and we'll kick it off with the first question which is; let's get specific and both from your perspective and from a user's perspective. What mitigation techniques are available to us today? Both you, as a service provider, and the user, how do we stop these things at a basic level? Who would like to take that on first? Ram.

>> Ram: Brian, this is Ram, let me start; if I was a user, one of the things that I'd want to do is if I have a good ISP, then they probably have a botnet mitigation kit or something like that, that gets installed in my computing devices and if not, I would go to my ISP and ask them for a mitigation kit like that. They're pretty commonly available. They're pretty sophisticated and they give you the first order of protection.
I just also want to point out; having antivirus software on your computer doesn't protect you from your computer getting compromised in a DDoS attack.

>> Brian: That's interesting. Most average users would assume that that addresses that problem. Tell us why.

>> Ram: So earlier, let me give you an example, earlier we were hearing about spear-phishing, right, so I give you a specific example, something that actually happened in one of the organizations I work with. A high-level executive in this company, it's a pretty small company, got an email and the email had a very good subject line, you know it's a photograph of their daughter. And it said, took this photograph, she looks great and even had the daughter's name on it, right? And so the executive got the mail, it looked like a legitimate thing and the from address in the email was kind of somebody he ran into at random, but there were enough things in the mail that looked like it was real, you know. The daughter's name was right, there was actually a photograph and so they double-clicked and they opened up the photograph and that compromised their machine and ended up compromising the network from there on, right? Now that was not a virus in the traditional sense of a virus. That was something that was custom crafted just for that one individual because the person trying to break in had a clear idea who this person was, they were trying to penetrate, they understood that that person likely had access to other important resources inside of the company's corporate network, got through. So, they had antivirus on their computer, but this was not the traditional virus, this was an attack just aimed at you, individually.

>> Brian: Thank you and getting back to the botnet protection package from your ISP, at a basic level what does that provide? We heard the story of how your own computer can become an unwitting zombie participating in a botnet attack, is it designed to prevent that from happening, or other things?
That was a follow-up for Ram.

>> Ram: Oh, for me specifically. Okay, yeah there are many things that this piece of software or these pieces of software do, but often they look at patterns, they look at where the attacks may be coming from. They also look at what's happening on your own device and where it's trying to connect to and typically you've got certain patterns. You go to a certain set of sites or you send emails, you know you connect to a known set of places for the most part and if your device has been compromised, often your device is going to places that you normally don't go to and your ISP typically has an idea of that stored up over time.

>> Brian: Thank you. So let's dig a little bit deeper on that. What was in your answer was, how do we identify where this problem is coming from? I think it's an important piece of the puzzle here and you in your service provider capacity, let's turn deeper on preventative measures. How can we identify where these malicious attacks are coming from? Is that an easy thing to solve for, or a harder thing to solve for from the service provider perspective and also from the user? I think Ram just started to touch on that. Anybody want to take that on? So, Danny?

>> Danny: Yeah this is Danny, I'll say something about that and then move on to others, but one of the things I think I would touch on initially is that if you're on the receiving end of even a moderate sized DDoS attack, a lot of some of the bigger networks have the capacity to absorb the attack. What many ISPs or services in the infrastructure offer is the capability to absorb the large-scale bits of malicious traffic and surgically mitigate and preserve the availability of the services that someone may be concerned with, so that's sort of one aspect.
[00:50:10]

From an ISP side, one of the interesting things is that IP is a sort of hop-by-hop packet forwarding paradigm for communications networks and anyone, largely anyone on the internet can emit a packet in the infrastructure that has a source address of anyone else on that infrastructure and so this is known as IP source address spoofing. And it's a common attack vector, it's not the only attack vector and a lot of times botted hosts don't spoof packets at all, but trace back in large networks is fairly complex. There are a lot of techniques people use from some things like commercial tools that do NetFlow and flow-based analysis to trace back to the ingress of their network. The problem is you then have to have the capability to say to the upstream or the adjacent network, these attack flows I'm seeing from you. Can you trace these back on your network? Hope that they have the same capability and so forth. And so it's non-trivial when the fact that any sort of adversary on the internet has global projection capability and you could be on the receiving end of a lot of packet lull as a result of that, right, you know what I mean, and these could be broadly distributed or single-source attacks. So, tracing these attacks back is one aspect. So you would certainly want to trace back with flow-based tools, other things and then ideally if you could find sources that were participating in an attack, then you could try and identify command and control infrastructure that's used to command or control those attack sources or those botnet hosts and then you would step back from there, but that's an extremely complex thing and unfortunately what most people do, and to Jillian's point actually, is that a lot of the controls some people put in place to try to mitigate DDoS attacks is actually to effectively complete those attacks.
It's like hey, there's a large-scale attack of 10 gigabytes per second going toward one of the smaller hosts on my network so, what an ISP may do is actually say I'm going to drop all the traffic towards that destination at the ingress of my network. So what they do is effectively complete the attack. That's why it's so important to have controls in place to be able to identify and surgically mitigate those attacks, before the attacks occur, so anyway.

>> Brian: Thank you, very interesting. Anybody else want to pick up on this point? Miguel.

>> Miguel: Just adding to what Danny is saying, collaboration to try to figure out what the attack sources are is key and it's not something that happens very well currently. It's something that the internet community is trying to improve on but we're nowhere near where we need to be and to be able to do some of the things that Danny is referring to, you kind of have to have backchannel communications between providers. You have to be able to have somebody on the inside, somewhere that you can share intelligence with and that's something that's difficult. The last thing I'll say about it is that sometimes, where or who it is that's doing it is not necessarily that important potentially. When these things are happening, a lot of people might be focused on getting their infrastructure back online, but you do have to temper that with the fact that as Jeff was alluding to earlier, this might be something that an organization is doing while they're doing something else. It could very well be a diversionary tactic.

>> Brian: Let me pick up on one point there Miguel, you know you mentioned the collaboration between and across network operators being a challenge. Is that a resource challenge, is it a communications challenge, is it a technical sophistication challenge, because it is understood from Danny's comment that this is a complex investigation that has to cross a number of different network operators to get to the answer.
What's the issue there?

>> Miguel: I would say that there's a corporate privacy challenge that a lot of organizations don't really want their technical staff or the staff that are dealing with this problem to be collaborating with other operators and that's a significant roadblock.

>> Brian: Thank you. Jillian--oh go ahead Damian?

>> Damian: I also wanted to say that I think that the 3 things that you mentioned, Brian, it being resources and technical issues and communication are also significant challenges even if you do get through the communication barrier to talking to somebody at the ISP, they might not have the technical capability to track it further back or they might not have the resources to spend time on spending an hour to track it back. Just knowing that it will just go to yet another ISP that won't have time to communicate with you or track it back or anything.

>> Brian: Right, thank you. Jillian.

>> Jillian: Sure, I'm just going to make my point again to the sort of smaller organizations. I think that it's important for them to sort of assess beforehand, before this is even an issue, both what their risk is, if they can do that, as well as what their priorities are in the event of a DDoS attack. And so, for a lot of these organizations that I'm thinking of, I'm thinking of sort of the human rights sites in embattled countries. A lot of times their priority is just to stay up and to keep their content on the internet in the event of an attack and sometimes these attacks are coming during say, election periods, or periods of protest and so a lot of times what that means is choosing their host wisely, so we talked about that a little bit but knowing what their host can do to mitigate an attack, but also if they're high-risk, considering DDoS resistant hosting or some programs that are starting to come up. Some of these are pretty cost prohibitive for smaller organizations but, there are a couple that are a little bit more affordable.
One of them is called Virtual Road. It's hosted by the international--I forget the acronym--IMS--forget that but based in Denmark. Another thing is to, you know really easy stuff, keep backups of your site. I know that seems so simple, but that's something that a lot of these sites are not thinking of and so when their site goes down, it goes down forever. And then another thing is just mirroring their site. If we're talking about a site that's say in Iran that's going to come under attack during elections or something like that, you know making sure that that content is up somewhere else can be really important. You know URLs don't matter as much as they used to, thanks to social media. And so just making sure that that content is still up and available is a lot of times more important than actually immediately mitigating the attack.

>> Brian: Jeff?

>> Jeff: Real briefly, I would say in particular, if you have limited resources, figure out what your purpose in tracking back is. If there's a technical side of it and as smarter folks up here may appear to have explained it. It's very difficult to get to the end but let's say you get through all those hurdles and you find out where it's actually coming from, then you walk into a human problem. Do you really care what the motivation is? I mean, if your goal is to stay up, you may only want to track back far enough to be able to protect yourself and even if you get to the end, you know it's a bunch of computers sitting in country X, you'd have to get to those people to figure out is it a nation state act, is it a bunch of individuals, is it somehow loosely connected? So the track back, you know I would say just from my perspective thinking about this when I was up on the Hill, there is a techno side, but there's very much the political and security side and you get into human litigations there which are even harder to track back than some of the techno stuff.

>> Brian: Thank you Jeff.
Let me ask a slightly different question. When an attack is happening, does it matter what the targeted platform is from your perspective and how you react to it, how do you manage it? For example if it's an attack against the banks as we've been seeing recently, versus an attack, versus a social media site or a small-user site. Does the nature of the target affect the way you address the problem, try to mitigate the problem? Can you give us some dimension on that front? Miguel, do you want to go first?

>> Danny: Yeah, sure. Yeah so what I would say is that if you're trying to mitigate an attack, what you're really trying to do is preserve the availability of the services that you care about. And so you've really got to flip and say you know, I really want to scrub out the bad stuff and try and be able to absorb this attack. One of the interesting things, when you see numbers thrown around on scale, frequency, duration, attack vectors, all those things, you might see a 10 gigabyte per second attack. Well what a 10 gigabytes per second attack is on a webserver or on a DNS server is very different. That means 10 gigabytes per second of transaction servicing capacity. Right, that's basically I've got to be able to process 10 gigabytes per second of DNS packets or of web-service packets or SSL packets or whatever the service is you're concerned with and that's the only way you can preserve the availability of that. So where it gets more and more complex is when you have more state-based and more complex applications that more sophisticated attacks become problematic in that manner. So I think it absolutely depends on the attack vector. One of the challenges is that sort of commodity, off the shelf routers and firewalls and those things don't do application [inaudible] mitigation. They don't provide certain capabilities.
On the other hand, for some services it may be simpler to simply absorb a high-rate per second attack or to just drop bad traffic that's not targeting a production service. So, yeah in short the answer is yes to your question, I think.

>> Brian: Thank you, Miguel.

>> Miguel: Danny mentioned that the type of infrastructure that is being attacked matters, I absolutely agree. The type of organization that is being attacked also plays a factor potentially in how you're dealing with the problem of mitigating the attack. I think Jeff alluded to the fact earlier that there are attacks that are potentially, for example, extortion.

[01:00:06]

There's activist-type attacks; I'll use the activists' example. These people that are protesting and attacking your site, they're most likely discussing it online, so they're congregating on Twitter, on Facebook, Pastebin, whatever site it is that they're using, to IRC, you know, internet relay chat rooms, they're discussing attack strategies there. So, what kind of an attack it is, and which organization is being attacked, it does matter because you do want to factor in how you're monitoring social media based on the particular attack because it can help you determine what it is that you need to do and what you need to focus on.

>> Brian: Anyone else? Let me shift gears here. I think by now, hopefully we've got a fairly good picture of the dimensions of DDoS attacks both from website operator, individual user, service provider, civil society. It's an important problem. It's a growing problem, there's no doubt about that. It gets bigger each year, it's a big cat and mouse game, we have a hard time identifying the bad guys, tracking them down, stopping them from doing what they're doing. Who should fix this problem? Private sector, government, how do we fix this problem? Collaboration is important, we've heard that but it seems like it's a game that we're not necessarily winning. Anyone want to take that on?
Pros and cons, Damian?

>> Damian: I'll start off the discussion. So I think a lot of the difficulty we have is that nobody feels actually responsible so the attacks are often being sourced from compromised machines and people are saying well it's not my fault, my machine is compromised. You know they don't know it, it's an end user, they don't actually know how to secure their machine, they're not even aware that their machine is participating in the attack. Then it goes from that machine through an ISP and the ISP says well, we're just providing network transit to our customers. We don't actually look at what that content is. And then it might go through multiple ISPs and eventually get to the victim who really doesn't have any choice but to just receive this traffic. So I think the root issue here is to figure out who you would actually hold responsible for these attacks and then maybe figure out in what way they would be held responsible. You know clearly, we don't want to hold the home user responsible for an attack they weren't aware that they were committing, however, if we could inform them and they refuse to fix their machine, maybe after they've had that opportunity to fix their machine and they refuse to, or after we inform a hosting provider that has compromised webservers that are attacking you. If they don't fix those machines after a month and they're still attacking, maybe there should be some responsibility there.

>> Brian: So that's an interesting thought Damian because you all do have terms of service and abuse policies that users agree to when they use your service, so that's an interesting thought. Jeff, I want to throw this to you and I know this is part of your past experience, but having been in the Senate and House Committee, can you bring a little bit of the government perspective to the question I asked of who should be fixing this problem and how?
>> Jeff: So I guess I would step back and say that we can't define this problem as just DoS attacks. You know you phrase it as, it's not a game of winning, well, in my mind it's not a game that will ever end. To the extent it's more of a constant race, how far ahead or behind are we of the people developing new ways to attack? And to my first point about, it's a broader problem, if someone has a computer that is being used as part of a botnet for a DDoS attack or something else, it's very likely that the folks who are on that computer could do a lot of other things with that computer or to that person's identity or steal their banking credentials, so it is a much broader problem and I think Damian made a good point is everyone kind of pushes it back but at some level it needs to start with users taking more control over their computers. Not just looking at antivirus but broader protections. The government's role from my perspective, and that's something that we worked on, the projects I worked on on the Hill are much more critical infrastructure focused, but if it's true there, I think it's even more true with a much more commercial side. It's got to be private sector led and the government can play a role facilitating and educating and punishing and perhaps in some areas where there is significant possibility of major national impact requiring some standards, you're not going to do that for John Smith who has his computer at home, you're not going to say that there is a minimum security [inaudible] that you have to have in order to log into the internet. Were you even to try that, it would never pass. But the government can play a significant role educating folks; simple things as patching whatever software applications you have, making it the easiest way for someone to get into your computer. The patch comes out, someone is out there trying to figure out what was patched and how can we take advantage of the people who don't patch.
So the government, I think the role, sort of hopefully I'm answering the question. The role the government is going to play is going to depend on what you're talking about. If it's an attack on water, electrical, other systems the government is going to have a very active role, hopefully ahead of time, protecting and assisting in developing protections. The government will also have a role in the backend where possible prosecuting, investigating and that's where your earlier question about does it matter who is being attacked? Maybe it shouldn't, but the government is going to be much more focused when you have a series of major banks attacked, looking whether there's another type of attack going on or there are more laws that apply [inaudible] after that. Than if it is, you're attacking someone's speech on Blogspot, so the government's role is going to vary, I think depending upon where you are but ultimately it can't be government led because it will end up being less effective and more [inaudible], in my view.

>> Brian: Thank you. Let me ask for the service providers, you all run services that are globally accessible. You all have network footprints that are global to some extent. Specifically, engaging with law enforcement which I'm sure you do, you all work for law abiding companies who under the proper circumstances collaborate with law enforcement to address legitimate concerns. What are you seeing in your interactions with law enforcement that provides the good seeds for collaboration? What do you think might be missing in your interactions with law enforcement? I'd like the service providers to address that point. Who wants to go first, Ram?

>> Ram: Let me start. One of the things that is striking in interactions with law enforcement, one of the fundamentals here is that this is essentially a borderless problem and law enforcement has a border problem.

>> Brian: Okay.
>> Ram: Not a problem, they have to work within the jurisdictions of the borders that they're in. So often when you're collaborating and working on uncovering, you know somebody is running a botnet that's got some significant problems behind it and if you start to do trace-backs, you'll find that the folks in law enforcement would rather work with you informally than formally because if they go formal, then you go through a method where you then have to involve every law enforcement agency at every border that is crossed on the internet. It's pretty damn easy to cross those borders. So, that's a, I think that's an essential thing and the real world hasn't yet caught up to that reality online. That attacks come from multiple borders, from across multiple borders and they morph in real-time, depending what the response looks like, and so that's a very significant factor when we work for instance on, a year and a half ago, we worked on pulling together part of an industry or in a taskforce on child abuse set of sites that were focused on child abuse and they were using that to infect the computers of those who had the bad stuff on it to make them part of a zombie network. And it got very snarled up in various jurisdictions' legal restrictions, the necessity to preserve evidence, versus the imperative to solve the problem and make sure it doesn't become very large.

>> Brian: Interesting. Anyone else, Danny?

>> Danny: Yeah so I'll point out again, some of the work that you know with public/private sector partnerships, I think that's so important. Certainly I don't think you're going to regulate your way out of this, right? From a controls perspective there are 869 things that I have to do in my day job just to check boxes and those give me marginally more secure, right, 82% of IT security spend goes towards compliance and regulatory controls and then people try and get secure on top of that.
^M01:10:08 Those sorts of things are like antivirus software and there's 10 new pieces of male-code a second on the internet, yet AV is a frontline defense to protect the residential user or maybe even a corporate machine, and so I think education of the threat vector, some of the very fundamental stuff like patching systems and software and collaboration and information sharing and putting these things in place. From a law enforcement perspective, I think that some of the most successful stuff we've seen involves multilateral teaming agreements and collaboration, those sorts of things where there is some coordination and some effort in trying to work together. In general though, in particular with DDoS attack we've always seen this sort of fragmented response where one ISP on the receiving end, or along the projectory of an attack will drop all the traffic towards the destination and cause, you know effectively completing the attack for that network, and another one will security research will infiltrate the command [inaudible] structure and law enforcement may be there and then someone will break one of their connections to the C&C infrastructure and all of a sudden, you can't even disable the attack because you've got all these headless machines out there that are attacking something and depending on where those systems reside and where they're coming from. I mean we've seen attacks with attack sources in 100s of countries and you're breaking lots of laws. I mean just if you were to try and disable an attack if you had the keys to the command and control infrastructure, that sort of thing. So it's really problematic and there needs to be a lot of collaboration and cooperation and I don't think regulations a way, but I do think harmonizing and working on the international aspects and the information sharing and collaboration, you know those sort of things are the only way we're going to be in a better spot collectively. 
We're playing a lot of whack-a-mole today and I'm not sure it's effective.

>> Brian: Jillian, let me ask you, from your perspective, from a civil society perspective, what more should industry and government, in their roles, be doing to address this? And what in their collaboration would you hope that they avoid?

>> Jillian: So in terms of what more, I mean, I think it's hard for me to say. I mean, I think one of the problems here is that, as others have mentioned, law enforcement is going after the folks who are going after the big targets. And I understand that, but it's not really ever going to help these smaller targets. I mean, you don't see law enforcement going after the perpetrators of small attacks, and a lot of the attacks that I'm looking at are happening in other countries, where sometimes the perpetrators are in other countries, and so from my perspective I'm not thinking so much about U.S. law enforcement, but in terms of what people can be doing more about and what they should avoid. I think that a lot of it is about raising awareness, as folks at the other end of the table said in the beginning. I think that making people aware, not only of what might be going on in their own systems so that they can avoid becoming part of a botnet, but also what they can be doing as individuals and as organizations to mitigate the potential of DDoS attacks. And then as far as industry, I think adding that layer of civil society is really important as well. Making sure that industry is collaborating with civil society to make more of these systems available to the smaller user would be great. And as far as what law enforcement should avoid, I think a lot of it for me is addressing whether DDoS attacks are a useful form of civil disobedience. I think it kind of comes down to that, and my personal opinion, this is really not the view of my organization, which does not have a stated view on this, but it's just that I don't think it's a particularly useful form of civil disobedience. I think that in the United States we have many other paths of recourse to protest, and then I think that when you look at the example like I gave before, attacks against Syrian government websites, it's a bit of a different thing. But nonetheless, I think that the effect of these attacks on smaller websites is so great that we should really sort of try to look at the whole picture and realize how much damage this is doing. And so I guess in thinking about that, I think that that should also sort of inform where we think about law enforcement.

>> Brian: Thank you. Danny [inaudible]?

>> Danny: Yeah, I just wanted to make one other comment, something she touched on which I think really actually is, one of the things we see a lot of is the internet itself is inherently multi-tenant. And then you see a lot of, in particular a lot of the smaller folks, can aggregate, and there are these really high tenant densities on certain pieces of infrastructure, and what ends up happening is that someone on the infrastructure gets attacked and there's a lot of collateral damage so that everybody is impacted. Or a really large attack along a trajectory fills some links and not only is the intended target impacted but there's collateral damage to other people that utilize that infrastructure. And most of the attacks that the folks have been on the receiving end of seeing is that it's hard for an attacker to gauge how much firepower they actually have and to surgically attack a target with a DDoS attack on the internet; usually they sort of brute-force flood a whole bunch of traffic of a particular type and there is collateral damage in that. And that's an important artifact that you're highlighting there, and if you have high tenant densities on cloud infrastructure or lots of people behind small links, then it does have a really devastating impact and not just on the target, but maybe on other people that utilize that infrastructure. And so I think that's important to highlight.

>> Brian: Thank you. Damian?

>> Damian: Yeah, just to follow up on that, Jillian had mentioned that law enforcement doesn't go after the very small attacks. They tend to focus on the large attacks. But I do see the large attacks as the most damaging, largely because of what Danny said, it causes collateral damage. If there's collateral damage on other sites that they have no other way to mitigate, they will kill the small victim, they'll complete the attack by just turning off everything to that site. So by basically preventing any very large attacks by having law enforcement focus on those, we at least give the smaller sites a chance of getting some DoS mitigation service to help them, and basically that boundary is probably around 10 gigabyte. You know, once you get up over 100 gig, there are very few organizations that are going to be able to help and most are just going to turn off the site.

>> Brian: So right now on this issue, it's the rule of the submarine captain: there's a compartment flooding, and there are sailors in there, shut it off to save the rest. And that's where we are. So this is interesting, and I think we've all been very polite so far, so allow me to play devil's advocate and put your feet to the fire a little bit, folks. So what I'm hearing at a high level, to pull some threads together, is there is some coordination across law enforcement, which is key to this solution in collaboration, but it's not nearly what it needs to be. It itself is a barrier to our ability, at least in the industry, to work on these problems with law enforcement. We're hearing that there is some collaboration across network operators but not as good as it needs to be all the way up and down the stream. And some lack of sense of responsibility coloring that part of the puzzle. We all in this industry trumpet the fact that the internet is critical global infrastructure.
We all in this industry trumpet the fact that the infrastructure of nations, of countries, has come to rely on the internet: banking systems, electric grids soon. Governments have a clear interest in this critical infrastructure, and if I listen to all of this and piece it together, I could come at this from, this is a fiddling-while-Rome-burns dynamic going on between industry and governments and civil society. So, putting your feet back to the fire, what needs to happen in terms of collaboration, in concrete terms, to break through at the industry level, at the government level and across those levels, and with the civil society perspective? Let's get to it. Who wants to take it on? [Pause]

>> Ram: Sure, I'll jump on the grenade. Look, I think everyone who is here and everyone who is up here is not part of the problem. When you take it to the global level of the impact on society and the fiddling while Rome burns and the implication that there's an existential or close to it threat to us, everyone up here, and I assume because you're here, you all get it. The problem we have are the sectors that you mentioned that use technology but are not technology sectors, and going back to my government experiences, often, not always but often, the difficulty in those sectors is to get nontechnical executives to spend the money or the time to put in place the protections. You know, Danny, I thought, talked earlier about the need for a mitigation plan in place. If you're under a major denial of service attack and you're then figuring, oh, how do I deal with a denial of service attack? You're toast. You need to have things in place ahead of time, and that's where, going back to the question about where the government can play a role, my personal view and what we were trying to do on the Hill was create an environment where the truly critical infrastructure systems are required to meet some base level of security. Not technology-specific, but more, if you're talking about computers that control big machines, water pumps, electric grids, those shouldn't be connected to the internet. [01:20:09] A lot of them are. Some of them are connected with open connections using default passwords available through, no offense, Google searches. So what needs to happen, I think, is some impetus, some general understanding of the type of threat that the country faces both in the digital realm and in the physical realm. But again, I think going back to what I said earlier, a lot of it starts with the individual, and I used to be very skeptical as to whether we could actually get most people to do basic hygiene things on their computer, and then one of the things that we also covered, the committee worked on, was swine flu, and as soon as Big Bird told everyone to cough into their elbows, you have a vast majority of Americans, you see people coughing or sneezing into their elbows now. We change behavior very quickly, and I think there can be an education campaign that could change enough behavior to help stop the problem, but without some type of push, I think that we're all going to keep trying to do what we can, but the people who need to make the changes may not.

>> Brian: Ram, thank you.

>> Miguel: Thank you, so I'm a bit of a skeptic on these push measures. Folks do push measures, governments do push measures all the time, and decades go by and the basic problems don't get resolved. One thing that does seem to work is events. Events result in consequences. Michelangelo, the virus, got people to install antivirus software, Y2K got people to focus on mitigation measures, 9/11 caused a series of responses and the Georgian cyber war caused another set of responses. We don't really have a global cyber event, I'm not asking for one, but I'm just saying that if you just look at human behavior and you want to affect human behavior and you want to get individuals, governments, civil society, public sector, everybody together and the private sector together, you need to have something to unify around. The threat today doesn't feel real to me until I get attacked, and if my friend got attacked, I kind of have some sympathy about it but I kind of shrug my shoulders and say, "Ain't going to happen to me." And there is not the unifying sense of impending doom.

>> Danny: Can I just, I agree with everything Ram said, from the skepticism to the kind of work I was also trying to do, the need for an event, and what we would tell a lot of the skeptics who came in is, look, you have Congress trying to act proactively. It may not fix everything now, but when something happens there will be better systems in place to respond to it. But more importantly, you want government to act proactively because when government acts reactively, it acts stupidly, and that's why there is a strong effort to get some type of performance-based, non-technology-specific standards that are limited to really critical stuff in place, so hopefully some things will improve and if something happens, we have a framework that is not so regimented that the attempt to fix the problem actually enhances it. But ultimately, because I'm a cynic, I don't think we're going to do anything until we have something blow up, and that's unfortunate to say the least.

>> Brian: Danny, oh, Damian, thank you.

>> Damian: Sure, yes, I also sort of agree with the cyber event being needed. Not needed but, [Laughter] if you look at history, we've seen that there's, like, an email worm or virus that comes out approximately once every 6 months because that's how long it takes people to forget and start being stupid again.
And, you know, click on everything they see, but, you know, once every 6 months everyone gets infected, everyone is like, oh yeah, I shouldn't do that. Fortunately no major damage has been caused. Nobody has ever actually--there haven't been any large-scale cases where people have lost data. I see this as very similar to how diseases spread. If you killed the person instantly, like if someone gets infected and you format their hard drive right away, they don't have time to spread. They don't have time to pass it on to others, and so most of the malware that we've seen so far has been fairly benign, and that allows it to spread, but it also means it doesn't cause much damage. I also wanted to say, I think right now laws largely favor the attacker. There are a lot of constraints on information sharing, all of the jurisdiction issues, and that also means that there's a very slow response. If somebody goes to law enforcement, law enforcement might have to sit on it for weeks or months before they can actually take action against the attacker, if they can even get to the attacker. So some things might need to change in laws to allow the defenders to keep up with the pace of the attacks. And it's also important to note, you know, sometimes the attacker would actually know how to shut down the attack, it's just they're not legally able to, and so there are a lot of inherent delays in the system.

>> Brian: Thank you, Miguel.

>> Miguel: Just adding to that, it's worth noting that there's such a stigma associated with security incidents. Organizations are very unwilling to admit that something has happened. They don't want to admit so publicly. They really, they don't want to collaborate, and to be effective, a lot of operators have to work, as I mentioned earlier, they have to work through back channels, people they know, where the person that you're potentially collaborating with would probably get slapped if other people were aware of this collaboration taking place. So that needs to get formalized; potentially more formal protocols for collaboration need to be developed. And from an international perspective, governments need to do a better job at it. They haven't caught up to the fact that this is a big issue. So some examples where we, as an operator, we're seeing attacks happening on small government websites, Syria as an example, and you actually want to lend your resources and expertise to help these people, but because of their own roadblocks, legislation, etcetera, they actually can't receive the help that you are potentially looking at offering them. So we've been in situations where we've seen protest attacks during elections, for example in smaller countries, and we are willing to help them, but then these governments have restrictions on where their data is, etcetera, while at the same time they don't have the infrastructure to deal with this problem themselves, but they're handcuffing themselves, so all of that has to change for us to be able to be more effective.

>> Brian: Danny?

>> Danny: Yeah, I think some of this is sort of the tragedy of the commons sort of thing, the sheep on the commons, I guess, if you will. And what's the impact on me or the investment on me? Actually the Internet Security Alliance did something not long ago called a CFO's Guide to Cyber Risk, and in that document they introduced the notion of a digital immigrant, and they're talking about someone that didn't grow up a digital native or wasn't prolific with electronic devices and the internet and the capabilities of those, and they were discussing how in many places they're the ones that control the purse strings or control the investments. Like, people don't have problems investing in fire suppression systems, but if you ask about a DDoS mitigation capability, well, nobody is going to invest in that until they've been attacked, right, or unless you're a very savvy organization or have a lot of the right folks that do that. And then people even question those investments after a long time of not being attacked. So I think definitely looking at what enables your business again, or whatever size business, because it's all relative, right? I mean, we've seen things from animal rights activists attacking zoos, to Jersey Joe's, a local sports memorabilia shop, being attacked by a guy across the street for a gold watch and a pair of tennis shoes. And that's a decade old, right? And so I think understanding what the impact of these things is on your business is extremely important. I think understanding the constraints today as well; this is a global problem. The internet is a loosely interconnected network of networks and largely provides for any kind of activity, and that's a fantastic thing. You know, the fact that you can launch a DDoS attack might be considered a success of that substrate or that infrastructure, right? I don't know. And so you certainly don't want to over-pivot either and compromise privacy, you're a regulator, put controls in place that might impact that global platform. That's something important as well, so I think that's why industry partnership, private sector with halook and things like information sharing and saying, look, these things are impacting real people, real organizations, and law enforcement, government needs to go after that and accommodate those as appropriate. But at the same time, I think we do have to be careful about over-pivoting as well.

>> Brian: Thanks. Jillian?

>> Jillian: Sure, you know, I think I'll just give the civil society perspective on what we can be doing better. For example, my organization has come under several DDoS attacks at different points, and we do have a big enough team in place to try to mitigate those pretty quickly, and we've mostly been able to do that successfully. [01:30:06] But I think there's actually a pretty strong lack of information sharing across my type of NGO, or NGOs in general.
I'll give you an example of this, and I don't mean to pick on this group, but I think it's a perfect and quite public example. Avaaz, which I'm sure you're familiar with, a few months back they came under DDoS attack and their first reaction was to send a message out to their members asking for donations. But what they didn't do is they didn't share any of the details of the attack, not that they necessarily needed to publicly, but they actually straight-up refused to share the details. We have a group of technologists who had been asking for that information, and I think that sometimes that information is actually quite helpful for organizations to share with each other so that we can understand what type of attacks our allies and friends are coming under and therefore what types of attacks we might be at greater risk of. And so I think that that's a really good example of how not to respond. In the end they still didn't want to share, and we said okay, fine, but I think that just sort of going and asking for donations and not kind of collaborating with other civil society organizations is not a particularly helpful way of responding, and we'd be much better off if we were clearer with each other.

>> Brian: Thank you. So thank you for that. I'm going to draw this part to a close. Some takeaways for me in the last round of questions are that clearly there are some structural barriers to the level of collaboration that everyone seems to believe is important to addressing the problem, both at the government level and at the operator level. I guess the understanding at senior management level that investments in the security aspect of their business are as critical as any other to their business and have to be central to their planning. And at the government level, clearly existing legislative structures and collaborative barriers between governments need to be broken down if we can get to the place where we can be more aggressively and effectively collaborating to address the problem. So we all knew that we weren't going to solve this problem with today's panel, and I want to thank you all for giving us a lot to think about, and those are some of the takeaways that I've gotten for myself. So now, let's take a breath and for the next 35 minutes or so try to have a little bit of fun, make it a little bit more dynamic for the panelists by running through a scenario, and then we'll have 30 minutes at the end where we want to hear Q&A again from folks in the room and from the folks online. So, shift your mindset now on the panel, we're going to walk through a scenario of a DDoS attack. What I'd like you to think about is what your specific role would be within the scenario and how you would react. What would be the things that would be important to you in addressing your part of the problem? There's a clear understanding and appreciation for the fact that good security also means not divulging all of your good effective practices. So I'm not asking you to say anything that you wouldn't want to say publicly. Let's get that clear. But I want you to take this on as a real-time event and then, in your proper role, tell the audience what's important to you, what you need, and, in a direction of how you would see or design a best practices reaction to this scenario. So let's start this part of the program. The scenario we've developed is as follows. The citizens of small country A, let's call it the Kingdom of Genovia, my 14-year-old daughter insisted that I do that. The Kingdom of Genovia has been criticizing an economic embargo put in place by a regional hegemon, let's call it Mordor, against its neighbor, a small country, Gilder. The citizens of Genovia, who have a long-standing alliance with Gilder, are very upset about Mordor's embargo against Gilder. Condemnations include mass rallies as well as increasingly critical posts on blogs and social media sites. While the government of Genovia itself shows no public support for the protestors, neither does it criticize them for exercising their freedom of expression rights, fueling speculation that it actually condones the protests and may even be behind some of them. Large-scale DDoS attacks begin against Genovia. They are aimed primarily at the social media sites posting the criticisms but also at Genovia's financial sector. Researchers indicate that the attacks are coming from botnets of compromised end-user machines. The financial attacks are perceived to be an attempt to weaken Genovia's economy, because the core issue, after all, is an embargo, and the financial sector has shown itself to be susceptible to other kinds of security incidents and breaches. Traces show the attacks originating primarily in Mordor, some of which could be locations under government control. Some, however, appear to come from unrelated countries. Mordor, predictably, denies any responsibility. With those facts, in your respective roles and responsibilities, start off with what's important to you in your given role and then we'll move on to what actions you might take. Jeff, do you want to tee it up?

>> Jeff: I guess the first thing, you know, I'm being the least technical guy up here, I think, you're going to want to really figure out, you know, you talked about the attacks originating from Mordor, but does that mean the command and control is there? Are the machines all over the place? If you're going to respond, you need to figure out first what your first goal in responding is. Are you going to try to stabilize your systems, or are you going to try to somehow get attribution and then seek retribution?
So I guess my first counsel would be, look at what you have in place to respond and figure out what your ultimate goals are. You need to know what you're driving at so you're not wasting resources pursuing answers to questions that don't help you achieve your ultimate goal.

>> Brian: Thank you. Ram?

>> Ram: Four things. One, get contact lists together, because you know people, but there are other people involved here, so you've got to get that. That's in some ways the top thing. Second is to set up an analysis framework. Once you identify the scope of the problem, then you need a framework in which to actually work as new data comes in, and you need a structure. So create a structure for it. Third thing is to begin working with upstream providers, folks who are connecting you and connecting others to the internet. Start working with them, because you need to have information sharing and also the ability to take mitigation measures, to take steps if and when you have to. And the fourth is to set up alerts based on pattern recognition or traffic analysis that your analytical team is already doing. Those are the first four things to do.

>> Brian: Thank you. Damian?

>> Damian: So the first thing I would ask about this would be, what style of attack is this? Depending, some attacks can be spoofed with the sources, some cannot. So if the sources are definitively, like, you know, they're definitively coming from Mordor, or you know what these sources are, that can help a lot more than if it's an attack where you don't really know where it's coming from, you just know--you don't know which machine it's coming from in Mordor. You know that it's just coming from that country in general, maybe. And I think that's the key thing to focus on here. I mean, I agree with what others said, but I think it's important to start by understanding the details of the attack, figuring out what you actually know versus what you are assuming or guessing about the attack. And then I would also start thinking about what type of collateral damage is acceptable. If you really only care about financial services in Genovia being accessible to people living in Genovia, they could, at the border of their country, just block all traffic from Mordor, and yet people who happen to be on vacation in Mordor might not be able to access their bank account, and that would be pretty bad. But you could at least partition the problem and keep your own country up.

>> Brian: Thanks for that point, and just to note, people on vacation in Mordor, to my understanding, no one walks into Mordor. Miguel, please.

>> Miguel: I might actually repeat some of the things that my colleagues here have said. From the perspective of an operator that focuses on mitigation and defense, I would probably start by looking at the affected entities. Get a good scope on what the targets are, what's being affected. Move to start looking at determining what the attack vectors are that are being used for this particular attack. [01:40:01] You can do this in a variety of ways, and then I'd probably start focusing on starting the mitigation techniques and the defense of these affected systems. As Damian said earlier, I'd look at prioritizing and trying to determine, or trying to gauge, which affected resources are acceptable collateral damage and which are priorities and need to be available and need to be in place. I'd be sharing information as much as possible with both the public and private sector, the operators in question that manage the assets that are being attacked. So definitely start reaching out to people. Another thing that I would be doing is heavily monitoring social media. Typically with an attack from Mordor, let's say, and suspected political motivations for the attack, I would be looking at Facebook, I'd be looking at Twitter, I'd be looking at internet relay chat rooms. Anywhere where these attackers could potentially congregate to organize, I'd be monitoring that, and I'd be trying to glean as much information as I can from that activity that is going on online. So those are some of the things that I'd be doing.

>> Brian: Thank you. Danny?

>> Danny: So yeah, I guess there's both a luxury in going last and not having much [inaudible], but there are a few things I could offer, actually. I think these guys are all spot-on with a lot of this. I think it certainly, whatever detection capabilities you have for this, whether it was a phone call, hopefully not, or an alert or some capability, engage your incident response capability, which you should have now because you've been alerted to that. And then figure out what controls for that sort of attack vector, right, exactly as these guys have said. You certainly want to continue with continuous monitoring and make sure that other devices, other things aren't impacted, in particular with sort of multi-vector attacks, especially such as this, which we have seen empirically in the past. One of the things that you have to be really careful about, and we've actually seen this in the past and learned from that, is Genovia should have learned from it is that you've got to be really careful about what kind of controls you put in place for attacks as well, because you may say, I'm going to bring everything back into my organization, under control, and then I'll turn my internet access back up, or inside my nation, or whatever it is. And we've literally seen this at the national level, and so you decide you're going to break all your connectivity and then you realize you don't have a root name server, or you realize your ccTLD is hosted in Mordor. Or you realize that your email's over there, your authentication service, the CA that issues your certs is there, or some other resource that you need. So you really need to enumerate those things and understand what enables your business before these attacks occur.
I think I use this statement in the past but kind of goes back to Mike Tyson's, "Everyone's got a plan until they get hit," sort of mentality, right. And so I think that if you haven't done this and you're on the receiving end of a large-scale attack, it could be really problematic so certainly absorbing an attack and then refining your controls and mitigating as surgically as possible and then trying to move those controls further and further upstream and then collaborate as much as possible is pretty much what you can do today and then protect any forensics information associated with that for whatever it is that you might intend to do with that information. >> Brian: Thank you, Jillian. >> Jillian: There is almost nothing left for me to add here. It is the great thing about going last. But since you did ask what my organization might do, I suspect that after the leaks to the Mordor times come out that Mordor government officials had something to do with the attacks, we would probably condemn the government of Mordor for having double standards--no I'm just kidding, sort of, but yeah, nothing that I can add from a technical perspective. >> Brian: Okay, well from--you know what I'm going to reverse order here, so you'll go first and Jeff you're going to have to deal with Danny's problem next. So this is good and very helpful in terms of the first priorities, the first analytical and reaction priorities from your perspectives very clear and interesting--not interesting but a lot of consistency across the board there. Now let's take it from the point of view of, if this were an ideal scenario in terms of effective mitigation techniques, effective collaboration with network operators, effective collaboration with government law enforcement resources. Walk us through how you would get to that good outcome from that perspective and Jillian, from your own point of view, kick it off. >> Jillian: I'm not sure I can kick that one off. 
Like I said, this is a wonderful and probably very likely scenario, but it's also not the level at which we're generally dealing with these things, and so I'd actually love it if somebody else wants to kick it off and I'll keep thinking through that. >> Brian: All right, Danny, you're first up. >> Danny: Wow, an ideal scenario is that it's not my problem anymore, and so having the capability to either certainly stop these things from being launched at me with some sort of capability or collaboration with law enforcement, other folks, which in this case might be very problematic, so, at the sort of ultimate ingress point of your network, putting controls in place that minimize collateral damage or even scope the distribution of reachability information in a certain place on the infrastructure, that sort of thing, so that you have some sustainable controls in place and you're not continuously simply filling links and absorbing that and causing collateral damage to other services or people that may use those links. It's really problematic if there are intermediate networks with other eyeballs or content or other things that you may or may not want on your infrastructure, and so if it's an adjacent network, it's a lot simpler, right, it's simply, if you've done your homework before, then simply shut those links off and you may be fine, but if I'm a smaller network and this is someone, somewhere that's nonadjacent to me, it could be much more problematic because I may have to work with them to push controls further and further upstream, and that's about their capabilities, the laws, what sort of technical or legal framework that they operate under, time scales and other things. And so, it's sort of all relative to perspective, and why, with the broad variance of attack vectors that occur today, it's so problematic to just get your cookie cutter out and say this is a solution for that, and so, it's nontrivial I think, so it entirely depends on vectors and other things. 
I'm not sure if I said anything that was actually useful, but-- >> Brian: That's fine, Miguel please. >> Miguel: In an ideal scenario where information is being shared, where we've quickly been able to determine what the attack vector is, we are looking at ensuring that we can put really precise filters in place to lop off attack traffic while letting good traffic through. It's easier said than done a lot of the time. As I said, in an ideal situation we understand the attack, and we can put the right mitigation strategies in place to deal with it. So in that ideal situation, most likely we should be able to get to availability within minutes if people are cooperating correctly and we have the information that we need. The problem is that we don't live in an ideal world, and beyond that, attackers are smart, right? So they try one thing and then you scramble and get the sites available again and put the right mitigation strategy in place, but then potentially they might start trying something else. You know, if that's not being effective, they'll go route B and then potentially will go right to route C, so it's a cat and mouse game and it's far from ideal, and it's starting over again in some sense in terms of putting together another mitigation strategy to deal with the new attack vector or signature that comes in, and unfortunately, the ideal scenarios never happen and attackers have gotten smart and they know how to [inaudible] it up and do the damage, and put the damage that they need to for the people that are unprepared. >> Brian: Thank you. Damian, just let me interject before you go there. So hearing Danny and Miguel, clearly understanding that again, the problem of the upstream operator and what their sophistication capabilities are in helping you diagnose the problem across networks, if you will, as you pointed out. And also the clear understanding of needing to kind of secure your resources and prevent collateral damage. 
But Damian, Ram, Jeff, bring in also how do we work effectively with law enforcement? What can they do to help, what can you do together, and the good scenario when it works well with the upstream provider, what does that look like? >> Damian: Yes, I'll start by saying, without bringing in law enforcement, ideally you would be able to work directly with the network operator; they do want to track it through their network and stop the attack upstream. There are situations, as Miguel was saying, sometimes it's a little tricky. In this case we don't know if the government of Mordor is behind these attacks. So, sticking with the scenario, it's never going to be entirely ideal because you don't necessarily want to tell the ISP in Mordor what your fingerprint of the attack is, which maybe would help them filter it, because they might just turn around and tell the government, the government will modify the attack to not match that fingerprint anymore, and then you're in bigger trouble than you were before. [01:50:07] So, depending on how paranoid you want to be, I'm a security person so I'm paid to be paranoid, but you have to be a little cautious about what information you're sharing. Try to share information that's useful for stopping the attack, but not share everything you know about the attack, so you can still trace it. In terms of law enforcement, since we're in the U.S., US-CERT is a good resource. They have contacts at CERTs. CERT is Computer Emergency Response Team. They have contacts at CERTs in every other country, and so that's very helpful because they're sort of a central point. They might be able to recognize that you're not the only victim of an attack, so they might be able to correlate events that you perhaps were not aware of. And they can also assist with language issues. You know, it's very difficult for me personally to email an ISP in Asia because I don't speak any of the Asian languages, whereas US-CERT 
probably has the ability to handle that translation a little bit better than Google Translate, which is my fallback option. [Laughter] >> Brian: Thank you, Ram. >> Ram: Thanks, so in this ideal scenario perhaps one of the things that has to be worked on is the formation of an alliance for data sharing. Especially identifying who the next Genovia might be, and you go work out who those next Genovias might be, and this kind of an alliance cannot be government to government, it's got to be public, private, a combination of that, and that takes time to do, but this is the time to start doing it [inaudible]. The second, you know we're talking about this ideal scenario and there is rapid availability. The attack happened, mitigation happened, everything came back, but remember this might simply be Mordor profiling you for a bigger attack to come, and they've now learned how you countered it and they're building counter-measures right now for your counters, and that's likely to happen if this is really a serious act coming up against you. So, you may leave everything on the floor at this time and you may just get killed really online the next time. And the third is law enforcement; this is a case where most often this is a sourceless crime, there is no one to prosecute, there's no one to really go after for the most part. Most of the people along the way are in transit and are trying to help to some extent. They're just doing their job passing packets along, passing information along, and they got coopted into something that was initially beyond their understanding and eventually beyond their ability to solve individually. So you have to start to change a little bit of law enforcement's mindset of who are we going after, because this is not so much about a counter attack, this is often much more about prevention, and you have to start thinking about the online equivalent of a neighborhood watch, and one doesn't really exist in any coordinated way today. >> Brian: Thanks, Jeff. 
>> Jeff: I definitely like going last. I have more time to think about what I'm going to say, and I bounced around with a few ideas, but you know they say don't fight the scenario, but I was always the kid who fought the scenario. So I guess I would start kind of where Damian went: if you're in an ideal scenario, that means Mordor is helping, and helping you willingly and with no ill intent, in actually wanting to stop their own citizens who [inaudible] and probably something they believe in. Which leads me to point two, I think Ram hit it well, if everything is really going that well, that's when you should really start being scared, because things never go that well. So question everything that worked and try to figure out why it worked, and is someone just letting you think it worked? In terms of what does it look like to be successful on the legal and governmental side, there are a lot of things you need to work. Governments that are willing to share information, that have relationships, that trust each other, but then even beyond that you need laws that will allow the information sharing, both between the private sector and the government within each country and then between the various governments. But then you also need laws that protect the privacy of the individuals whose information is being shared, and assuming you have all that and you get the information that allows you to find the actual source of the crime, which as Ram said is very difficult, you actually have both resources and laws that allow prosecution, and not in medieval ways, of people who are doing these types of acts. So going back to, you really need to figure out what your end-goal is out of this before you figure out, it would be great if you could actually prosecute the people doing it. It would be better if you could get all your systems back up really quickly and try to develop better relationships to prevent them in the future. 
>> Brian: So Jeff, just picking up at that point, this will be the last round, then we'll turn it over to Q&A for the audience, and Ram mentioned the notion of an alliance. Danny, the CSRIC work that you mentioned at the FCC. Very interesting, industry, government, but clearly, just uniquely ISP focused in terms of best practices or a potential code of conduct, if you will, in that exercise. Where is this collaboration happening today, or the seeds of this collaboration between industry and government specifically, that clearly has to be globally oriented, that has to be cross-cutting across boundaries? Where is that happening, where should it begin to happen more deeply, and how can we make that happen? I'll open it to the entire panel. Danny. >> Danny: So yeah, there's a lot of national level stuff that I mentioned, certainly, as some of the countries that are blazing the trail there, from Australia, to Germany, to Finland, to the U.S. I mean some of the work that the FCC and others have done, which is about educating folks and sharing information. A lot of this, as you'll notice, even though these scenarios, comes back to international laws or even national laws or disclosure laws or fair disclosure laws, right, I mean what is the extent of where I can share information and who I can get help from, and where can we get collaboration from a nation state versus send in a snatch team or not do anything, right? And so, what are the kinds of capabilities that you have, and then you'd really like to operate in meatspace and prosecute people that have real impacts on real businesses and break walls internationally, but how do you balance that internationally with the privacy, for example? I mean that's a tough balance, because if you can attribute every transaction on the internet, then no one has any privacy or [inaudible], and what does that mean for censorship or for other things. So all these sort of things together, it definitely needs more leadership from the government. 
I think they've certainly done a humongous amount, and from local law enforcement folks we work with, to national level folks, and certainly Jeff and some of the places he's been. A lot of the folks are looking for ways to collaborate and to put frameworks in place allowing information sharing and enabling a sort of protection of private sector and industry, and you know that the government's got your back for this and that they're going to pull the levers and turn the steam valves they need to, to make sure that if someone is attacking someone on this infrastructure and having an impact, that it's having a real impact, and represent their citizens wherever they are. So I think it sort of goes all the way back to that from the international perspective because of the projection capability that adversaries have on the internet, and there are a lot of alliances, a lot are private sector, public sector partnerships, everything from the Internet Security Alliance, Online Trust Alliance, StopBadware. I mean there's no shortage. I mean a lot of the outreach that we talked about, the work that [inaudible] and the Anti-Phishing Working Group and some of the other folks have done. So I think that a lot of this is happening, but it certainly, the industry level leadership with the recognition by governments that they're captive to this. We're all sort of captive to this, and the only way we're going to get there is if we collaborate. >> Brian: Thanks, anybody else? >> You know there are many more acronyms we could throw out there about the various public/private collaboration partnerships. Some doing great work, some doing work. [Laughter] But I want to get back to something I think Miguel touched on earlier about information sharing and the need to share information, and most folks who would go ahead and share will get slapped down for it. 
There are two reasons for it: one, corporate strategic secret issues, but also the lawyers will often slap you down because, well, can we really share that information? That's an area where I think we need change, and we need it soon, is changing the laws that limit the ability of companies who want to share information with other companies, ECPA, the Electronic Communications Privacy Act, antitrust laws; all these don't need to be gutted, they need to be reformed, and frankly we got to a very weird place in the [inaudible] legislative cycle this year where you had the head of the National Security Agency and you had privacy groups all saying this is something we need to do and here's the framework that we all think actually can work. [02:00:18] It was based around the idea of sharing cyber security information, narrowly defined, for cyber security purposes, narrowly defined, but Congress in its infinite wisdom, you have the NSA and the privacy groups essentially agreeing, so Congress chose not to act. And that is something that I think is not going to solve the problem but would be a step in the right direction to allow information sharing and maybe break down some of those barriers. Make it happen 5, 10, 15 minutes, an hour sooner, or even won't happen at all, so that's something that within all these groups there are still these limitations that are legal and need to be changed by the politicians. >> Brian: Thanks, Damian. >> Damian: I wanted to mention there are some ways that collaboration can occur without needing to necessarily involve lawyers or worry about user privacy. Some of the attacks that we see, there's just sharing information about the fact that we're seeing an attack, the size of the attack, the type of the attack, which can be helpful to others. 
So as a recent example, the DoS attacks that hit the banks recently hit us actually about a week before they started hitting all of the banks, and we sent a quick heads-up to a security list of people just letting them know, hey, we're getting this surprisingly large attack. This is a bit unusual; this is what it looks like. You might want to watch out, be prepared. Unfortunately two days later, we wrote back and said it just doubled in size, but there are things that you can do to give out information. We're not giving out necessarily, like, the IP addresses that it's coming from, because we have talked to lawyers about the privacy implications of that, but even just the basic information about the type of attack that you're getting and the size and maybe the general area of the world it's coming from can be very helpful to others. >> Brian: Thanks, any last remarks? Okay, thank you, panelists, very much for playing along and for the great information you've provided us with so far. So let's get to the real important folks here today, the audience both here and online. At least for the next 30 minutes, we'll have an open mic in the middle of the room. I think we have some questions from online, so if you would, please [inaudible] we have--[Pause]--it doesn't work? Why don't you come up and use this microphone, if you would, to pose your question. [Pause] >> David: I'm David Thaumenal [phonetic], President of The Internet Society of New York, and just as we have software as a service and infrastructure as a service, there's now crimeware as a service, so if I'm a bad person, rather than going to all the trouble of actually attacking somebody I don't like on the internet, I can actually pay a service provider to do it for me, and they're using a commercial business model so I can have warranties, guarantees of quality of service, support contracts and everything else. 
So my question is, wouldn't it make sense for, whether it's industry or law enforcement or whatever, to focus on identifying these crimeware service providers, infiltrating them, targeting them, purchasing their software and reverse engineering it to disable it, that type of thing? >> Brian: Anyone on the panel want to take that? >> Danny: Absolutely, if you go back to the scenario of an ideal world, but a lot of these are happening offshore in countries that aren't particularly amenable to working with our law enforcement to arrest or prosecute. Reverse engineering I think goes on, but the problem is that the software morphs so quickly that the signature's old as soon as you know it. And there are other efforts, other techniques for protecting against it, and I think that's actively underway, but in terms of infiltrating, breaking up, prosecuting, they'd just go somewhere else. >> So I was going to add, there is one aspect to this, certainly lots of folks are looking at, when you try to move it back to meatspace and the place where law enforcement usually operates in a more productive way and better than most information security folks, and there has been a lot more work on follow the money and use that angle for the attribution side of this. I mean some of the recent things you may have seen, from spam campaigns to phishing and malcode distribution and those sorts of things. Some recent work actually by Stefan Savage and some of the folks at UCSB was particularly enlightening in that area for those of you that haven't seen that. And I know that law enforcement is certainly taking note and very good at those kinds of things, and so, I suspect that being aware of that and seeing more on that side, I would follow the money and work on the attribution and the prosecution associated with malicious activity; that sort of thing is certainly something that we're going to see more of from a prosecution perspective. >> Brian: And the FBI has had some big take downs recently. 
There was one in [inaudible] early this year, late last year. >> Last year. >> Brian: Thank you. I've got two questions from online; I'll go to one of them first and then come back to the room. From Vanda [phonetic]: the reality that people don't think it will happen to them is a fact here too. So how can I convince people that they need to take preventative measures? Jillian? >> Jillian: Sure, so I don't know what "here" means in that sentence, but nonetheless I would say, in thinking about how to convince people, there is a wealth of information on what sort of attacks occurred and who they've targeted, and one of the things that this Berkman Center study found was that there's really no associated ideology with attacks. There's one example where some conservative Muslim groups outside of the U.S. were attacking U.S. conservative websites. The U.S. conservative groups were then attacking these Muslim websites outside the U.S., and so on and so forth, and sort of in a circle, and so, anyone can be a victim. Any type of group, any type of ideology, and so I think that's where we start looking at previous attacks and educating people about those various disparate targets; that's another way that we can raise awareness. And then, like I said, just sort of thinking about risk assessments, not an easy thing in these cases, and like I said, with having disparate ideologies be the target of attacks, it's not easy to really assess what your actual risk is, and so to assume that you could potentially be a target of an attack is the first thing. But then to sort of weigh your risk and figure out what you might want to think about in terms of what's important to you and keeping your site up. >> Brian: Sure, Miguel. >> Miguel: Thank you, Brian. What the question refers to is sort of how to make the business case for protection or mitigation against this kind of a threat. 
Danny actually talked about some of these things previously in the conversation in terms of really evaluating your infrastructure and your needs and kind of asking yourself some basic questions. What would it mean to you if, let's say for example, your website was down? What are some of the things that could potentially happen if that was the case, and what would the impact to you be if your infrastructure was down for 12 hours, for example? I'll use some private sector examples to just kind of illustrate this. Maybe obviously there's potentially the revenue component. Maybe you're making money off your website, so there's some tangible result in terms of not having revenue. But from a customer service perspective, for example, what happens if your website is down for a certain amount of time? Maybe your call center gets flooded, goes into code red. People are waiting an hour-and-a-half to have the phone answered. Maybe your email boxes start getting flooded, and maybe it's going to take weeks, potentially, to dig yourself out of that hole. Another thing to kind of think about, as you make the business case for this or to have some kind of a plan to mitigate the attacks, is how long would it actually take you to get your core infrastructure, or the infrastructure you need to be online, back online if something like this happened? Potentially it would take you a significant amount of time just to figure out what's actually happening, let alone figuring out what the path is going to be in terms of what the best strategy is to deal with the problem when it happens. And then on top of that, after that, once you actually know what to do, actually putting the plan in place to do what needs to be done to get the threat under control. So when you start asking yourself some of these fundamental questions, and it's not just a private sector thing where you're worried about your revenue potentially or your brand equity. 
[02:10:08] You know, the public sector faces this as well because, obviously, there's some tangible stuff. It looks really bad when a government website is down or a free speech NGO website is down. So there are fundamental questions that you can start asking yourself, and when you start asking yourself these questions and really look at what the impact is going to be, both short-term and long-term, you really have to think about the long-term impact too. At that point you start to look at that and the business case for DDoS protection or for having a plan in place to deal with this particular issue if it happens, it starts to become quite apparent that this is something that is worth doing. >> Brian: Sounds like good common sense, anybody else? Yeah, Damian. >> Damian: So I want to highlight, like, in addition to just the business financial impact, there is a very strong PR impact to going down. We saw user comments during the bank attacks, you know, comments and articles of our users saying things like, if my bank can't handle a DoS attack, how do I trust that they know how to secure my money? They're completely unrelated things, but the average person doesn't understand that, and so there can be a significant PR impact to your organization if it goes down, even if it doesn't directly affect them; like with banking, yes, some people couldn't do online banking for a day, ATMs were still fine. Like there was no actual real risk there, but I also want to point out that I think going down is actually a viable option. We're all talking about it as if the ultimate goal is to stay online, but economically that might not make sense for you, and even from a PR standpoint it may not make sense. If you're a human rights organization and you can get an article in the New York Times about how you went down due to a DoS attack, that's the best publicity you can possibly imagine. Nobody is thinking about human rights until they see this article. 
So, it's something to keep in mind; staying up at all costs isn't necessarily the end goal. >> Brian: Yeah, Danny. >> Danny: So I was going to add a little bit to both of what they said actually, and to Vanda's question, how do you sort of get ahead of these. One of the comments that I made earlier is somewhere between 80% and 85% of IT security spend goes toward regulatory compliance. Things you have to do just to check boxes, like these fire suppression systems, right, and this is the sort of thing where most of the traditional controls that are on our network, the hundreds and hundreds that we have, are about keeping private information private, and more and more, so many organizations, particularly for internet facing services, the availability of those services, as opposed to just the confidentiality of the data contained therein, is more and more of an issue, and so making sure you understand that, to Miguel's point. Risk management 101, basic business resilience, says take the asset, take what one minute of downtime with that asset may cost you, talk about how long a particular outage may be, and then you come up with your single loss expectancy, and then take how many times this may occur in a year, something known as annualized loss expectancy, and you multiply annualized rate of occurrence with single loss expectancy and you know in a year, this much downtime could cost you this much in your organization. And if you don't do that, and then say okay, what are we willing to invest in proactively to get residual risk to some level that we [inaudible], or go buy insurance, or ignore it and hope that it doesn't happen. And so you really need to think about this. Actually, I'll reference again the Internet Security Alliance documents. It's a little hefty, but it's a really great read for folks asking just that question. It's a CFO's guide to cyber risk and it sort of talks about some of these sorts of things. I definitely recommend that you have a look at that and try to get ahead of it. 
So, I'm done now, so-- >> Brian: Okay, do we have other questions from inside the room? Please, okay. >> You were talking about the PR aspect of it, and I took Jill's comment to heart earlier about she doesn't think it's a good idea, and we know that Pirate Bay went anonymous [inaudible] the whole Pirate Bay came out against it, saying they were for free speech and this was against it, and I wonder about how much embarrassment and the moral argument, and basically if you've got governments who are doing it, can there be kind of treaties between governments that say this is not acceptable behavior. And in the activist world, also the same kind of thing, so [inaudible] technical solutions or are there social solutions? >> Jillian: Sure, so I'll just give my quick two cents because I'm actually more curious to hear others' responses to this. So using our example of Mordor and not getting into real life, let's say that the government of Mordor was partly behind the attacks against Genovia. And so in cases like that, it's really difficult. I'm assuming that Mordor also prosecutes citizens for hacking and for their own DDoS perpetrations, and so it's really difficult to look at that and say that Mordor has any moral ground to stand on when it does prosecute its own citizens for being behind those attacks. And I think that we have seen, I'm sure you're aware of them, real life examples where this exists. Where, you know, governments are doing one thing with one hand and something else with the other. But to the point about [inaudible], the example is a great one and I agreed with them, and I think John Perry Barlow, one of the founders of [inaudible], said the same thing, that DDoS attacks are essentially an attack on free expression. I do agree with that. 
Like I said, I think that there are some circumstances where it's much more difficult to condemn, and those are circumstances where you're up against a government that is stifling its own citizens' free expression, and so you're getting into sort of irregular warfare, online warfare, in those cases, but generally speaking I do think that it would be a lot easier if we all viewed this as something that was not morally acceptable in terms of free expression. It would certainly be a lot easier to go after the actual bad guys. >> Brian: Others, Jeff? >> Jeff: I would say I think that there are things that can be improved through international cooperation, potentially international treaties. There's a pretty healthy debate over whether that's even possible and enforceable, and I think we at least have to try. Maybe some of that will filter down into day-to-day conduct with people, but people still commit crimes all the time even though they're illegal, so I think there's a limitation to how far that will go to stop the groups that think that they're above the law or independent of law or have a separate obligation that's different to it. But I think you will see more effort in the future to try out some negotiated agreements; it remains to be seen if they're actually verifiable. >> Brian: We have an interesting question from online. I know we've got another couple from in the room. This one is from Mikey: What about a global simulation of a cyber event with a goal of beginning to build a global, who can I call for immediate help type mechanism? I know that in certain countries tabletop exercises take place with a number of different participants that create scenarios; what about this idea of a global simulated cyber event? Is that feasible, would that be helpful? Ram--oh sorry, Danny. >> Ram: I was just going to; I think it was Miguel that quoted Mike Tyson. 
All the simulations are great, but reality is often very different, so we'd have to think about whether the simulation is actually helpful. Certainly it helps to get people to be aware of who they should be contacting and who to work with. But the real life scenario is probably going to be fairly different. >> Brian: Fair enough, Danny. >> Danny: Yeah, this is working now. I would just add there are some multinational simulations today, everything from Cyber Storm to you name it, lots of national level exercises, international exercises, that sort of thing. I think from a global scale perspective, we have those every day, [Laughter] so I'm not sure we actually need one. Certainly we're on the receiving end of a lot of love, and so I think that exercising [audio issue] and understanding those sorts of things, but [audio issue] final turn of attack vectors. >> Brian: Okay, in the room, I think we have at least 3 more. Okay, come on up to the mic--oh, is that one working now, Joley? >> Joley: No. >> Brian: Okay, come on up to the mic please, and if you'd introduce yourself before the question, please. >> My name is Anthony Bargese [phonetic] and I'm from John Jay College of Criminal Justice. You guys covered some of the parties that DDoS and users and also the government, and also the providers and how to be responsible and proactive. But what about software vendors, or some of the vendors that are putting their products out there with all these security holes, and that's where it starts, and ends with the NS providers, the ISP providers who sometimes host these command-and-control servers for these DDoS attacks. [02:20:17] Should there be a change of mentality on their side? I know that Google does something that's called bug bounties; they offer you money if you find a bug in their software. Should this be applied across the board for all the software vendors and these providers of products? >> Brian: [inaudible] >> Damian: I guess I have to start. 
So we do find--what he was referring to is Google has a program where we actually pay for people to find bugs in our products, so for security critical bugs. So we found that there's a lot of college kids or independent security researchers who are very interested in looking for security holes, and previously they basically had no option but to give it to us privately and hope that we'd fix it, or to whatever vendor of the software it was. It could be Microsoft or Adobe, and hope that they would fix it, but then the company could just take no action and they could just wait and let this vulnerability remain, and eventually this kid might say, the security researcher would say, why am I waiting on this? Everyone is vulnerable to this thing, and they would publish this exploit and then you could see lots of attacks targeting that. So what Google has done is basically start offering money for bugs to compensate their time in finding them, so if you compromise, if you find a vulnerability in Google Chrome, the web browser, we'll pay you for information on that vulnerability with the agreement that you're going to keep it quiet until we fix it, which could take a few days. And that way we're able to protect everyone and also compensate the security researcher.
>> Brian: Interesting, Miguel.
>> Miguel: The thing that kind of complicates this a little bit also is that a lot of the internet runs on open source software, which makes it a little bit more difficult to be able to put these mechanisms in place. With the recent bank attacks, we saw vulnerabilities exploited in open source content management systems that are widely deployed, like [inaudible], etcetera, and WordPress. These are open source software that is out there that is used significantly, and so it gets a little bit harder.
Unfortunately it's difficult for operators necessarily to control the content that is on their system, especially the shared hosting operators, etcetera, and it's hard to push people to update their software. And as for software developers, as much as they'll try to make things as secure as they can, there's always going to be some kind of a bug, you can't get it all, and it's the fact that there's so much open source software out there, it's not like you can point a finger and say you are responsible. It's quite difficult to do.
>> Brian: Yeah, Ram.
>> Ram: You know, one thing that software manufacturers and the developers of software, some of them, have to start thinking about and changing their mindset on is to come to the understanding that many of the devices on which the software is running are always on and they're always online. There's still a lot of software that does not incorporate automatic updating and regular downloads of patches. That should be the baseline, that should be the very fundamental thing, and that's the kind of thing that ought to be taught in schools for folks learning how to write code. It's not enough to just learn to do the code, but to have that mechanism in there. It ought to be trivial and it ought to become regular. Unfortunately, it's more the exception than the norm today, and I think if you'd get to that point that will solve some part of the problem significantly.
>> Brian: Danny.
>> Danny: So yeah, I think I would be remiss in not mentioning Verisign's iDefense Vulnerability Contributor Program as well, and we do something very similar for any vulnerabilities that fall within a very broad spectrum that are multivendor, and try and do responsible disclosure associated with those. To the topic in general, I think bounties are certainly valuable things in general for people that want to apply exploits in a positive way and contribute in a positive way to industry.
I think anybody that's paying attention certainly realizes a lot of the commercial vendors, while there's always going to be a long way to go, are leaps and bounds from where we were with wormable systems, or even the patch management systems that we were vulnerable to a few years ago. And so I think Microsoft is an example, but lots of others as well, and so I think we are making progress, but secure coding practices, application and software security, those things and all the fundamentals are certainly things that we're going to have to continue to do a much better job at.
>> Brian: Thank you. I know we've got two more questions in the room. Go here first and then please identify yourself.
>> [Inaudible] New York Technology Council. I was wondering if you could put this in perspective. Are DDoS attacks the one thing we should be focusing on, or are there other attacks, like SYN floods, other attacks that are similar in nature, that there should be conferences on and that keep you up at night, or is this where most of your energy goes?
>> Ram: Yeah, this is the single biggest thing that keeps me up at night. Lots of other things end up becoming part of this much larger stream, and it used to be that it was a DoS attack, and then it became a DDoS attack, and then you had command and control, and then you have crowd sourced; it's evolving, it's not the same beast as it was many years ago. So the definitions from multiple years ago are not what it is today. What really scares me about this is the asymmetric nature of the ability for an attacker to mount a significant attack in a very short amount of time and keep it sustained for a long period of time and really drain you, on the responding side, of your critical attention resources. That really worries me, and I think if you look at SYN floods or any of those things, those kind of are subsumed into the larger scale of this phenomenon that, left unchecked, I think has a significant negative impact.
>> Brian: Anyone else? Yes, Jillian.
>> Jillian: Yeah, I actually agree with what Ram just said. I would add to that, just to say, if you're thinking about the scale, the most recent stat that I have off the top of my head is that in 2010 Arbor Networks was detecting roughly 1300 attacks per day, and I'm guessing that the real number is much higher than that, and so I do think this is a big concern because of the impact that it has. I mean, there are certainly plenty of other types of attacks, but the sort of inability to protect oneself, coupled with everything that Ram just said, makes this a much bigger issue than some of the other things that we're looking at.
>> Danny: I was going to add that with DDoS, the two primary vectors are volumetric, in other words attacks are getting bigger, more frequent, longer duration, and so forth, but also the sophistication of those, where the right query string could drive a lot of backend transactions on the right piece of [inaudible], those sorts of things. From a denial of service perspective, this is the availability side of the information security [inaudible]. The other two sides are the integrity of the information on the infrastructure and the confidentiality, and I think certainly for anyone in the information security field, persistent attackers, advanced attackers, even general attackers, and mobile devices and bring your own device, and sort of a squishy perimeter and soft underbelly inside an enterprise, or at Starbucks or whatever. All those things, for information leakage and so forth, certainly are something that you should be concerned with as well, but the availability side for a lot of folks that are in the network services business is a very big piece of that. But also the sort of more concerted attackers that might want to control the right keyboard, as opposed to simply disabling, is also something that has some pretty far reaching effects.
>> Brian: Damian.
>> Damian: So I wanted to say, from a defender standpoint, yeah, DDoS is sort of the largest concern right now, but from a global view, I think DoS attacks are really a symptom of a larger problem, which is that there are a lot of infected machines on the internet. I think at one point I heard an ISP say that they estimated 10% of their customers are infected. So when you take that into account, if we could actually stop having so many infected machines on the internet, or so many vulnerable machines at least, then that would largely reduce the scope of these DoS attacks, and for that we basically need what Ram was saying: automatic updates have to be the normal thing. You should never have any client side software that doesn't automatically update.
>> Brian: Thanks, Miguel.
>> Miguel: Just adding to one thing that Damian is saying, I absolutely agree with all of that in terms of automatic updates, and especially for end user computers, which form a significant part of the botnet paradigm these days. When it comes to enterprises, it gets a little bit more difficult. I think as much as I would love to say automatically update my production software, unfortunately, especially for large-scale operators, they're running infrastructure that services a lot of people, you don't really know what's going to happen when you make an update potentially, and that has to be very carefully controlled, it's got to be regression tested. It's got to go through extensive QA, and are we ever going to get to a point where it's going to be easy for enterprises to be able to push out security fixes? The idealist in me says I hope so, but I'm skeptical that that's going to be the case, because the day-to-day aspects of ensuring business operations, continuity, and making sure that assets are available are most likely, for the foreseeable future, going to trump the need to push out updates as quickly as possible.
>> Brian: Actually we do have two more questions.
This gentleman here first, and we do have time for two more questions. So will you come up please?
>> I am [inaudible]. I run a software company called QCD Systems. So the question is actually very similar to the previous one, but I'll go a little more in detail. So when it comes to security, [inaudible] security of just data itself. So there's an attack on intellectual property, and then we've heard of cases that intellectual property got stolen [inaudible] of that. Movie companies always have their trailers leaked and pieces of movies leaked, so that's one kind of attack out there. Then there's other things, like the phishing kind of thing, like [inaudible] scams and all that. I'm talking about things that affect users and companies. And then there's also the risk that your bank account may have been compromised, your passwords might have been stolen or are easy to guess. So in the scheme of all these different things, where would you place denial of service for a company or for a consumer, because they have plenty of things to deal with right now when it comes to security? So I was just trying to get a perspective on where this distributed denial of service fits into the larger scheme of things and how relevant it is, and the other part is, where do you see things going, let's say five years from now? Is this going to be the single biggest thing to worry about, or do we have other things also that we should be concerned about?
>> Brian: Thanks. Danny.
>> Danny: I would just say that, you know, for your organization it's going to be specific to your organization. You're going to say here's our risk tolerance for these things, for these internet facing properties, this information security, or data privacy, or data retention, or digital rights management, whatever it is you're concerned with.
I don't think that there's a one size fits all. I think it's all about risk management for your organization, because if you don't have a lot of internet facing services, it may not be a problem. More than likely you have some things today. You wouldn't be here if you weren't relying on the internet in some way, so what does that mean to your business? As opposed to some piece of information from either your personal bank records or your corporate information being actually traded to the wrong person, what would that mean? So I think it all goes back to what are the critical assets of your organization, what enables those, and how do you balance risk to those assets?
>> Brian: Yeah, Ram.
>> Ram: So the way I advise folks, or provide some suggestion, is you really have to think about this and look at it as a matrix. You have to think about, which is further to what Danny is saying, you have to worry about confidentiality, or integrity, or availability, and you have to figure out which of those matter more for you. You can't have one versus the other; in many cases you want to have all of the above, but you have to decide which of those matter more for you, and then devote your time, effort and resources towards that. But picking just one, just having great availability, DDoS mitigation ensures availability, but if you have a site that is running on software that has not been updated and is prone to buffer overflow attacks, then all the availability is going to be fantastic for you to get hacked. [Laughter] So you have to figure out where it is on the spectrum and devote it. One reality is that no matter what the budget is that is allocated, if you're a corporation, if you're an entity, the budget that is allocated to it, it seems that it remains the same, it suddenly doesn't reduce, and you simply reallocate the pie depending on what you think your biggest vulnerability is, your biggest risk is.
>> Brian: Anybody else? Jeff.
>> Jeff: I would just say, you know, you asked about what's important to a crump company or [inaudible]; I mean, it totally depends. I think Brian talked about some guy from Ohio; more likely to have a problem, it may be inconvenienced by DDoS because they can't get to whatever website, but they're more likely to have their computer compromised, or identity stolen, or other activity. That's going to hit them deeper and for a longer period, so it's totally situational. In terms of where we're going in 5 years, my guess is that we'll see new nefarious uses for the same old tools. There's some new stuff out there, but it's a lot of variations on a theme, and just finding new creative bad ways to use them for bad purposes or profit. So I think the denial of service attacks are here to stay, but how they're used will probably morph and change and cycle back; what's old is new again.
>> Brian: Miguel.
>> Miguel: The thing that troubles me a little bit about the future, when it comes to DDoS attacks, is that because it's been in the news a little bit more, because it's been publicized a little bit more, you look at what happened with the bank attacks lately, there's kind of a blueprint now that is out there that people can potentially follow to launch these large-scale attacks. You've got what happened with the banks recently; at least at a high level, it's public knowledge how it was sort of done, from a high level, that information is out there, and those attacks kind of proved yes, it's possible. They provide a blueprint for people to follow for doing it again, and the fact that that was done scares the heck out of me.
>> Brian: Thank you, and we have one final question from the room, please. [Pause]
>> Hi, it's Lucas from [inaudible]. Just following up similarly to the previous question, based on the trends that you've seen to date, where do you see these attacks heading, both from like an attacker perspective as well as from a mitigation perspective?
Do you see one side winning the cat versus mouse game?
>> Brian: Great question. Damian?
>> Damian: Yeah, so attacks are basically growing exponentially. I think if you look at most of the data on this you'll see that the size of the attacks roughly doubles every year. I have graphs that track this back like 8 years, and it's kind of scary that it's actually continuing, that exponential growth, but I think it's important to realize that that's just the internet growing exponentially. As the consumers, as the end users' bandwidth increases, their home, the website bandwidth is also increasing, so you can kind of keep up. But I think that a lot of what we're going to run into is a very small website, you know, especially the types of sites that Jillian is worried about, are simply too small to possibly survive. So they're going to be forced to combine their resources and pool with others, so what I expect is probably going to happen over the next five years is we're going to start seeing organizations consolidate into larger and larger pools until eventually we're going to have only like maybe five organizations that offer DDoS mitigation in the cloud as a service. It's just my guess of where the world is headed.
>> Brian: Ram.
>> Ram: And my fear is that we get to that point and then they get too big to fail.
>> Brian: Well, with that thought, we're going to bring this to a close. [Laughter] Well done. Fear and loathing in New York. Public Interest Registry, the New York Technology Council, the Internet Society and the Internet Society's New York Chapter want to offer our sincere thanks to the panelists today. Thank you so much for your time, your dedication to helping us understand this really critical issue, and also to thank the audience here and the audience online for following along.
We hope that today's event has been helpful and that the participants come away with a greater appreciation of the scope of this problem, steps that should be taken to mitigate DDoS attacks, and the potential for significant unintended consequences. DDoS is a serious issue in today's interconnected world, one that is not just going to fade away, as we've heard. Fortunately there are resources available to help us confront the myriad of challenges. I would like to specifically thank Joley McFee [phonetic] from ISOC New York, Eric Grimmelman [phonetic] from New York Tech and Paul Brigner [phonetic] from ISOC here for helping us make this happen in a real sense. Along those lines, we at PIR intend to make the recording of this event available online at our website and our social media sites and push that out, and we're also going to post additional background materials and encourage anyone to recommend other helpful tools and information, like the EFF guide to keeping your site alive. So again, thank you to everyone for joining us today. Thank you so much. [ Applause ]