How One Hacker Repeals Net Neutrality
A few months back, I stayed very busy vigorously defending my company against a cyber attack by one or two people whom were hellbent on trying to take all of our websites (and customer websites) offline. One law made it all possible – Net Neutrality. We were relentlessly DDOSed for weeks. The attacker contacted me several times during this time through alternative communications and even telephone. All mediums used anonomyzers to hide his identity. This was a game-changer for me. Being Signal Corps in the US Army, combating network intrusions was my forte and I was over-confident in my company’s network security. The servers and network was hardened very well, meaning that our client’s data was safe. I had never anticipated that the network infrastructure available to my state was a single-point-of-failure or that a law would cripple my ability to defend against such an attack. What is a DDOS attack? DDOS stands for “Distributed Denial of Service” and is the big brother of the DOS attack or “Denial of Service”. It’s important to first understand what DOS means before we get into what a DDOS is. DOS’s are attacks from a single point which causes an information system to be unable to service other users while being inundated with requests made by the attacker. These are easy to stop, you simply block the incoming IP address and you have successfully stopped the attack. The ‘distributed’ part of DDOS means that the attack comes from several sources. This makes the attack more difficult to stop because there are multiple origins. The problem compounds itself when several thousand information systems work in tandem in botnets to focus an attack on just a handful of servers. If it couldn’t get any worse, it does. The attackers have found ways to disguise their junk packets meant to clog a network as legitimate DNS traffic by hijacking vulnerable DNS servers. DNS Amplification, for which our own Government states there is no way to mitigate without coordinated effort. But what does that mean? A coordinated effort means that the person that is being attacked must coordinate with their upstream providers (the ISP) to block the traffic from flooding the network. There was just one little problem with that: Net Neutrality. Net Neutrality was a law passed in February 26th, 2015 and said that upstream providers could not discriminate against internet traffic regardless of its origins. What this means is, our upstream provider could not legally help us to stop the incoming DDOS attacks. I consulted our company attorney, Mr Harry Lorello in Goldsboro, North Carolina. He characterized the law as “short-sighted, knee jerk reaction to corporatism” and stated the law needed changing. Fortunately for me, his good friend George Holding was on his speed dial. Within a few weeks I was in Congressman’s Holding’s office explaining exactly what happened to my company and how it inured such a high cost to my company and other companies associated with us and our network. Congressman Holding created a coalition, he talked to other congressmen about my issue and within a few weeks they had introduced a bill to fully repeal Net Neutrality. I might brag a little and even mention that it was rather awesome hearing the congressman on CSPAN mention my name and company name, but all-in-all, I wish it never happened. We hear a lot of complaints from large corporations with large networks that Net Neutrality is bad and evil. But why? These companies would have to better police their networks now that Net Neutrality is gone. With the law out-of-the-way, ISP’s such as Level3 and AT&T can prioritize internet traffic based on the reputation of the network. For instance, if Facebook allows its users to spam someone Facebook could gain a poor reputation and therefore all of Facebook’s servers could be given low priority for several back-bone ISP’s. This is simply avoided by hiring staff to make sure people aren’t abusing your services. Small businesses that rent networks have to do that already, why not the mega corporations? The problem is, the cost analysis has never added up. If a single network attacks my company, we could lose $700,000 which is about a quarter of our annual income. That’s not a lot. After payroll and taxes, I might see $70,000 of that which I can either spend on bills or reinvest into the company. For Google to hire the staff to ensure their network doesn’t attack my company, it would cost them only 0.021% of their annual income. Again, the cost analysis doesn’t add up. While it didn’t help immediately, Net Neutrality was repealed just at the end of last year on December 14, 2017, about a month after the attacks stopped. Even if it is unpopular, it does give me a sense of pride to put my name on the repeal of that law even if people have sour attitudes about it and scowl at me when I walk into board meetings in other companies. But if we’re going to assign blame to it’s repeal, it is not my fault – this could have never happened without our friendly neighborhood script kiddy that resorted to DDOSing our network. I call the hacker a script kiddy because once someone resorts to using a free web application to take down a website, they obviously lack the aptitude to crack it, and that’s a fact. In hindsight, I learned a lot from the experience. I’ve been told that what doesn’t kill you makes you stronger, and I’m starting to believe that is true. Today our servers are backed by 800Gbps DDOS protection. While it is possible for our servers to be taken offline through another DNS Amplification DDOS attack, it would have to break world records and exceed the attacks on Sony and PlayStation. Also, for our own office network, we have now two providers in which are actively filtering our traffic upstream since Net Neutrality was repealed. I’ve also been assured that if we were DDOSed in the future, we likely wouldn’t even notice it because of the packet prioritization that is run at the peer exchange. So, the next time someone tells you how bad the repeal of Net Neutrality was, direct them to this story.