
Commercial providers with their internet exchange points are the basic structure of the digital architecture of our society. The Faces of Peace initiative spoke with Harald Summa, the CEO of DE-CIX Group AG, about Critical Infrastructure, the omnipresence of DDoS attacks, and the ruling of the Federal Constitutional Court on surveillance by intelligence services.
The "German Commercial Internet Exchange" (DE-CIX) is the largest internet exchange point in the world and is considered Critical Infrastructure. How do you protect yourself against cyberattacks and what if they go unnoticed?
Harald Summa: Internet exchange points like the DE-CIX platforms are distributed across a variety of data centers within a metropolitan area. The infrastructure of DE-CIX in Frankfurt, for example, extends to over 30 data centers in the Rhein-Main area. This allows DE-CIX to guarantee high availability and reliability, and DE-CIX customers can reach all connected networks, regardless of which data center they are in. For decades, the DE-CIX Frankfurt internet exchange point has been operating without any platform-wide outages. By directly connecting to multiple networks simultaneously, networks can avoid congested transit routes and cost-effectively transfer data directly. Overall, the network quality of all networks connected to the internet exchange points is improved by direct data transmission and the significantly shorter paths taken by the data packets.
In March, a throughput of 9.1 terabits per second was measured at DE-CIX. The downside: Countless DDoS attacks and barely effective countermeasures. Are we making it too easy for attackers?
Harald Summa: Dealing with DDoS (Distributed Denial-of-Service) attacks is a very important topic, of course, including for us. DE-CIX has an internal research team that works closely with industry and academic partners to search for innovative technical possibilities and solutions that drive the innovation of the market segment and the development of a next-generation internet exchange point. This includes publicly funded projects; the focus is on the detection and containment of DDoS attacks.
For example, DE-CIX, together with an international team of scientists, recently published a study that, for the first time, examined the effects of DDoS attacks and the effects of police countermeasures. It was found that any internet user can commission and carry out cyber-attacks for less than 18 euros (20 US dollars). For the study, a measuring infrastructure was specially set up, DDoS attacks were purchased from DDoS service providers - so-called "booter" websites - and used to attack their own system. The research team also analyzed the effects of the international police measures from December 2018 against DDoS service providers. In this regard, 15 booter websites were taken offline as part of an FBI and Dutch police operation, without sustainable success. Researchers from DE-CIX, BENOCS GmbH, Brandenburg Technical University Cottbus-Senftenberg, University of Twente, and the Max Planck Institute for Informatics in Saarbrücken were involved in the project.
We were unable to see a sustainable improvement in the security situation regarding DDoS activities on the internet as a result of the police countermeasures taken in December 2018. After approximately six days, the frequency of attacks had already returned to the old level of an average of fifty NTP (Network Time Protocol) DDoS attacks per hour - the measures had reduced it to thirty attacks per hour.
These results have led to another research project that is funded by the Federal Ministry of Education and Research. The focus is on artificial intelligence technologies and how these can be used to detect DDoS attacks at the core of the Internet, at the Internet exchange point, and to develop novel, effective protection measures. The project runs until mid-2022.
For years, DE-CIX has been providing its customers with a highly efficient service called "Blackholing" for free through medium- and long-term research. With Blackholing, DE-CIX blocks the data waves that arise during DDoS attacks as close to the source as possible. They are intercepted before reaching their target. This is done at internet exchange points like DE-CIX, where many data streams can be protected from DDoS attacks because various networks come together and hundreds of providers exchange data during peering.
Peering partners report suspicious traffic in their network to DE-CIX, which is closest to the source of the attack. The data belonging to the DDoS attack is then marked, stopped at the DE-CIX platform, and filtered out of the network and destroyed, like a black hole - hence the term "Blackholing". This way, the data of the DDoS wave is sorted out, while the desired traffic can continue to pass undisturbed.
The Federal Intelligence Service (BND) can divert 1.2 trillion connections per day at DE-CIX. However, the Federal Constitutional Court - in your favor - has now declared this unconstitutional. But does the ruling not also endanger the security of DE-CIX?
Harald Summa: We took note of the ruling of the first Senate of the Federal Constitutional Court on the constitutional complaints of a number of journalistic organizations - such as Reporters Without Borders (ROG), the Society for Civil Rights (GFF), and the German Federation of Journalists (DJV) - against the BND Law that came into force in 2017 with great interest. The amendment of the BND Law that came into force in 2017 was highly controversial from the start, and there were significant doubts about its constitutionality.
DE-CIX, as the recipient of BND orders for the diversion of data based on the law contested there, has a keen interest in the clarification of this procedure. For this reason, we ourselves filed a complaint with the Federal Administrative Court in Leipzig against these orders in 2018, a procedure that was suspended there without any substantive review until a decision of the Federal Constitutional Court on the lawsuit in question.
We feel obliged to our customers to ensure that blanket surveillance of their telecommunication takes place solely in a lawful manner provided for by the legislator and simultaneously compatible with the fundamental rights of citizens.
With its decision, the Federal Constitutional Court has taken the opportunity to set clear limits on the surveillance powers of intelligence services with a landmark ruling and to provide the federal government with guidelines for a constitutionally compliant design. The legislator is now called upon to revise the BND Law by the end of 2021 and to make the constitutionally required corrections demanded by the court.
It is already apparent that the Federal Constitutional Court demands a significantly more comprehensive, independent, and, above all, advance control of the surveillance measures of the service. This requirement also corresponds to the deficiencies recognized by DE-CIX in the existing practice.
A complete analysis of the decision of the Federal Constitutional Court and its implications for future legislation, which will once again concern DE-CIX, will only be possible after a thorough examination of the full written rationale. The implementation of the extensive conditions will not be easy in any case.
DE-CIX Group AG online: www.de-cix.net
Source: Faces of Peace Initiative. Used with permission