By Kevin Poulsen
May 12, 2008
While most government agencies are struggling to keep their computers
out of the latest Russian botnets, Col. Charles W. Williamson III is
proposing that the Air Force build its own zombie network, so it can
launch distributed denial of service attacks on foreign enemies.
In the most lunatic idea to come out of the military since the gay bomb,
Williamson writes in the Armed Force Journal that the Air Force should
deliberately install DDoS code on its unclassified computers, as well as
civilian government machines. He even wants to rescue old machines from
the junk bin to enlist in the .mil botnet army.
The U.S. would not, and need not, infect unwitting computers as
zombies. We can build enough power over time from our own resources.
Rob Kaufman, of the Air Force Information Operations Center,
suggests mounting botnet code on the Air Force.s high-speed
intrusion-detection systems. Defensively, that allows a quick
response by directly linking our counterattack to the system that
detects an incoming attack. The systems also have enough processing
speed and communication capacity to handle large amounts of traffic.
Next, in what is truly the most inventive part of this concept, Lt.
Chris Tollinger of the Air Force Intelligence, Surveillance and
Reconnaissance Agency envisions continually capturing the thousands
of computers the Air Force would normally discard every year for
technology refresh, removing the power-hungry and heat-inducing hard
drives, replacing them with low-power flash drives, then installing
them in any available space every Air Force base can find. Even
though those computers may no longer be sufficiently powerful to
work for our people, individual machines need not be cutting-edge
because the network as a whole can create massive power.
After that, the Air Force could add botnet code to all its desktop
computers attached to the Nonsecret Internet Protocol Network
(NIPRNet). Once the system reaches a level of maturity, it can add
other .mil computers, then .gov machines.
Brilliant! The best defensive minds in the country want to build a
massive distributed computing system to do nothing but pump crap into
the internet. The article talks about carefully targeting attackers'
machines, but this ignores all the intermediate networks between the Air
Force and the target, which will have to contend with a flood of garbage
packets whenever some cyber Dr. Strangelove decides to go nuclear.
What's next? Air Force 4-1-9 scams? Dot mil phishing attacks? The most
disappointing thing about this irresponsible proposal is the tacit
admission that our elite cyber warriors can't actually break into an
enemy's computer, instead resorting to a brute force attack designed by
web defacement script kiddies eight years ago when Apache servers got
too hard to hack directly.
Reader A.E. Mouse says,
You all obviously don't really know anything about cyberwarfare.
Including you Kevin. Having this type of capability is essential to
IW [infowar] operations. Whether or not we actually need a "botnet"
to do it is inconsequential. DDoS attacks can be very useful when
used in a coordinated IW attack on enemy communications and network
In addition our relatively unsophisticated enemies have this
capability. DDoS, while admittedly juvenile and "last resort", can
be an effective tool. The reciprocity doctrine here applies. If the
enemy has one, we need one too, a bigger one. The internet is a new
battleground. All weapon types are on the table.
I'm sure that DDoS attacks could be useful to the military under certain
circumstances. So could sending our enemies a bunch of unwanted magazine
subscriptions, or ordering them dozens of pizzas with anchovies and
pineapple (blech). But adults don't do that sort of thing.
The internet is a community venture, and DDoS is vandalism against the
community. There's no such thing as pinpoint targeting in a DDoS attack;
innocent civilian infrastructure is impacted every time.
Basically, Col. Williamson has noticed that there are bad guys in the
swimming pool, and his solution is to piss in their general direction.
That's the kind of behavior that rightly gets you kicked out of the pool
and sent home for the summer.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com