This article can also be found in the Premium Editorial Download "Information Security magazine: IDSes takes aim: Emerging "target-based" systems improve intrusion defense."
At the rate we're going, it won't be long. Patience is waning quickly, anger is building, and, when that process reaches a critical point, we may just see one of the greatest steps backward in the last few decades: The doors of the Internet will start slamming shut.
I'm talking about the simple refusal to accept traffic. Suppose you're running an ISP -- a big one -- and you're bombarded daily with DDoS traffic, spam of all kinds and perpetual poking into your networks with hacking tools. And, suppose you can identify some of the major sources of all this spew coming your way. What can you do? You've tried filters. You've tried jawboning the source ISPs. You've tried the law. And you've tried setting policy for your users. The net effect? The load and its ugly contents just keep getting bigger.
Your patience wears thin, and eventually you just slam the door. You block Internet traffic simply by its identifiable source. An unheard-of idea? Think again. We already do it with email.
You have two basic options: You look in the header and react to the address, or else you look at where the wire originates and block transmissions from that location. Or you mix the two approaches. The problem is, either way you'll shut down a ton of legitimate traffic along with the bogus stuff. And you'll still fail to shut down all the traffic that gets to you via other networks that leave open the doors that you close. You can't control it all.
Now, envision this on a more global scale. Governments have control, or think they do. A government can squat on any line or signal entering or leaving its borders, and decide exactly what crosses its borders, and which foreign points can have access. And that government might just decide that there will be no traffic across borders without "review." Corporations can do it just as easily. It's a ham-handed approach: When your nose runs, chop it off.
It's a terrible idea. All the commerce, research, correspondence and other beneficial traffic would go away, and the isolating country would become an island, except for the code (including malware) that somehow would evade the barriers. Such isolation would be incredibly costly and ultimately impossible to enforce. But for countries for which the benefits of isolation outweigh the costs of staying connected to the world, the option is more attractive.
Are there such countries? North Korea comes to mind. And some developing countries -- such as China, India and Vietnam -- may set up competing networks because the industrialized West won't share control of the Internet. The point is that it's by no means unthinkable or even unlikely.
But spam, malware and other destabilizing traffic (espionage, terrorism, clandestine political movements) are growing at a faster rate, and it's just a matter of time before we reach a place where the costs of trafficking on the Internet begin to rival the benefits. That's when the doors will start slamming. That's where we're headed without some profound worldwide reengineering.
What can we do to address the problem? Here are some measures that can help:
- Solve the return-address-spoofing problem.
- Deliver operating systems and applications that always boot from a read-only image.
- Stop the execution of untrusted code in client systems.
The experts and their solutions aren't getting priority. The slamming doors will change all that, but by then it will be too late. The cozy little advantages of an isolated internal network will become all too apparent to the countries and companies who like total control, and they won't open the doors easily again. Without open channels across borders to help keep governments honest, human rights may well suffer.
Enough analysis paralysis. Either we quickly solve our spam, malware and related problems, or we'll be faced with a much greater problem. With locked doors facing us in every direction, and nasty code still crawling around like cockroaches, where will our Internet be then?
Dana Paxson researches and writes patent applications for a law firm on software, hardware and other technologies.
This was first published in January 2004