海角大神

Modern field guide to security and privacy

How Homeland Security plans to end the scourge of DDoS attacks

The agency is working on a multimillion dollar effort to protect the country's most critical systems from distributed denial of service attacks, which are among the simplest digital assaults to carry out and the toughest to fight.

Susan Walsh/AP/File
The Homeland Security Department headquarters in Washington.

In late October, in Surprise, Ariz., more than 100 phone calls bombarded the police department's emergency dispatch line. Calls also overwhelmed the nearby city of Peoria's 911 system and departments across California and Texas.

But each time a dispatcher picked up, no one was on the line, and there was no emergency.

The Arizona district attorney's office says the calls clogging 911 lines resulted from a digital prank, which triggered a distributed denial of service, or DDoS, attack on critical emergency communication systems. The prosecutor's office tracked the torrent of calls to 18-year-old hacker Meetkumar Hiteshbhai Desai. Now, he's facing four counts of felony computer tampering.

While Mr. Desai said he didn't intend to cause any harm, according to the , he did surface a potentially devastating glitch in smartphone software that could exact damage on any number of sensitive and critical targets. Whenever anyone clicked a certain link on his webpage via a mobile device, their phone automatically dialed 911.

While this kind of DDoS targeting 911 systems is unprecedented, it's exactly the type of attack that national law enforcement officials have been concerned about for years. In fact, the Homeland Security Department (DHS) has been working on technology to protect 911 centers from DDoS and telephone-based, or TDoS, attacks for three years.

The Arizona incident proved someone can "cause a large number of phones or a large number of computers or a large number of whatever connected device to start generating these calls," says Dan Massey, program manager in the cybersecurity division of the DHS Science and Technology Directorate. "It went from how much damage can I do from my phone" to a situation where, with just a handful of people, "if all of our phones started calling some victim, whether that's 911 or a bank or a hospital, that can get very fast and very big."

DDoS attacks are both among the simplest forms of cyberattacks to carry out and the most difficult to defend against. They are designed to direct an overwhelming amount of digital traffic, whether from robocalls or web traffic, at targets to overwhelm them so they can't handle legitimate business. Writ large, there has been an exponential increase in the intensity and frequency of DDoS attacks over the past six months and critical infrastructure components are possible future targets, according to DHS.

For a sense of the scale of today's DDoS attacks, compare the 100 megabits per second Internet speed at a typical company to the more than 1 million megabits (1 terabit) per second speed of a in October. The attack, which drew power from insecure webcams and other internet-connected devices, knocked out widely used online services like Netflix, Twitter, and Spotify for hours.

Such massive web DDoS assaults may also become a problem for 911, as the country moves toward a next generation 911 system that uses mapping services to locate callers and can support voice, text, data, and video communication. "What you're seeing is a convergence of the traditional internet with the phone system and next generation 911 is a great example of that," says Massey. "DDoS attacks and/or TDoS attacks kind of blend together a little bit there."

To help combat the problem, the department has given out $14 million in grants for DDoS prevention studies, including phone-based attacks. Some of that funding is piloting initiatives to stop phone-based attacks at 911 centers in Miami/Dade County and the City of Houston, as well as at a large bank that the department wouldn't identify.

So far, , among other things, a DDoS early warning system to flag organizations that an attack may be coming, and alerting them to adjust internet network settings to defend against an onslaught of traffic.

Additionally, DHS-funded research from tech firm SecureLogix produced a prototype that can thwart phony telephone calls sent to a 911 system or other critical phone operation. The model attempts to detect bogus calls by monitoring for clues that indicate an incoming call is fake.

"As we have seen, it is simple to flood a 911 center, enterprise contact center, hospital, or other critical voice system with TDoS calls," says Mark Collier, SecureLogix chief technology officer. "The research is essential to get ahead" because the assailants "are generating more attacks, the attacks are more sophisticated, and the magnitude of the attacks is increasing."

To be sure, the race to keep digital adversaries out of the country's 911 system faces obstacles, some of which are outside the jurisdiction of Homeland Security and dispatch centers.

The DHS DDoS defense program is "a good start," but one "challenge in defending certain types of critical infrastructure is the fact that emergency services like 911 must serve anyone - immediately," per Federal Communications Commission rules, "due to their life saving nature," said Mordechai Guri, research and development head at Israel's Ben-Gurion University Cyber-Security Research Center. "The approach of blocking the DDoS originators must be backed by a change in the laws and regulations."

Before the October attacks on the Arizona 911 systems, he and fellow Ben-Gurion researchers warned that DDoS attacks launched from cellphones could pose a significant threat to emergency services. During one experiment, it took fewer than 6,000 hacked phones to clog emergency services in a simulated US state, in a September 2016 paper. Such an attack can potentially last for days.

The very nature of the 911 system makes shutting out any callers potentially dangerous, and some alternatives, like requiring a person in distress to authenticate themselves for assistance, are not viable, says Massey of DHS.

"We really need to make sure that we're not missing a critical 911 call," he says. "So that's a challenge for the project to make sure that we're not misclassifying people."
