Modern field guide to security and privacy
The Homeland Security Department headquarters in Washington.
Susan Walsh/AP/File | Caption

How Homeland Security plans to end the scourge of DDoS attacks

search for solutions

The agency is working on a multimillion dollar effort to protect the country's most critical systems from distributed denial of service attacks, which are among the simplest digital assaults to carry out and the toughest to fight.

In late October, in Surprise, Ariz., more than 100 phone calls bombarded the police department's emergency dispatch line. Calls also overwhelmed the nearby city of Peoria’s 911 system and departments across California and Texas. 

But each time a dispatcher picked up, no one was on the line – and there was no emergency. 

The Arizona district attorney's office says the calls clogging 911 lines resulted from a digital prank, which triggered a distributed denial of service, or DDoS, attack on critical emergency communication systems. The prosecutor's office tracked the torrent of calls to 18-year-old hacker Meetkumar Hiteshbhai Desai. Now, he's facing four counts of felony computer tampering.

While Mr. Desai said he didn't intend to cause any harm, according to the Maricopa County Sheriff’s Office, he did surface a potentially devastating glitch in smartphone software that could exact damage on any number of sensitive and critical targets. Whenever anyone clicked a certain link on his webpage via a mobile device, their phone automatically dialed 911.

While this kind of DDoS targeting 911 systems is unprecedented, it's exactly the type of attack that national law enforcement officials have been concerned about for years. In fact, the Homeland Security Department (DHS) has been working on technology to protect 911 centers from DDoS and telephone-based, or TDoS, attacks for three years.

The Arizona incident proved someone can "cause a large number of phones or a large number of computers or a large number of whatever connected device to start generating these calls," says Dan Massey, program manager in the cybersecurity division of the DHS Science and Technology Directorate. "It went from how much damage can I do from my phone" to a situation where, with just a handful of people, "if all of our phones started calling some victim, whether that's 911 or a bank or a hospital, that can get very fast and very big."

DDoS attacks are both among the simplest forms of cyberattacks to carry out and the most difficult to defend against. They are designed to direct an overwhelming amount of digital traffic – whether from robocalls or web traffic – at targets to overwhelm them so they can't handle legitimate business. Writ large, there has been an exponential increase in the intensity and frequency of DDoS attacks over the past six months and critical infrastructure components are possible future targets, according to DHS.

For a sense of the scale of today's DDoS attacks, compare the 100 megabits per second Internet speed at a typical company to the more than 1 million megabits (1 terabit) per second speed of a DDoS attack against Web hosting company Dyn in October. The attack, which drew power from insecure webcams and other internet-connected devices, knocked out widely used online services like Netflix, Twitter, and Spotify for hours. 

Such massive web DDoS assaults may also become a problem for 911, as the country moves toward a next generation 911 system that uses mapping services to locate callers and can support voice, text, data, and video communication. "What you're seeing is a convergence of the traditional internet with the phone system and next generation 911 is a great example of that," says Massey. "DDoS attacks and/or TDoS attacks kind of blend together a little bit there."

To help combat the problem, the department has given out $14 million in grants for DDoS prevention studies, including phone-based attacks. Some of that funding is piloting initiatives to stop phone-based attacks at 911 centers in Miami/Dade County and the City of Houston, as well as at a large bank that the department wouldn't identify.

So far, DHS efforts have yielded, among other things, a DDoS early warning system to flag organizations that an attack may be coming, and alerting them to adjust internet network settings to defend against an onslaught of traffic. 

Additionally, DHS-funded research from tech firm SecureLogix produced a prototype that can thwart phony telephone calls sent to a 911 system or other critical phone operation. The model attempts to detect bogus calls by monitoring for clues that indicate an incoming call is fake.

“As we have seen, it is simple to flood a 911 center, enterprise contact center, hospital, or other critical voice system with TDoS calls,” says Mark Collier, SecureLogix chief technology officer. “The research is essential to get ahead” because the assailants “are generating more attacks, the attacks are more sophisticated, and the magnitude of the attacks is increasing. “

To be sure, the race to keep digital adversaries out of the country's 911 system faces obstacles, some of which are outside the jurisdiction of Homeland Security and dispatch centers.

The DHS DDoS defense program is "a good start," but one "challenge in defending certain types of critical infrastructure is the fact that emergency services like 911 must serve anyone – immediately," per Federal Communications Commission rules, "due to their life saving nature," said Mordechai Guri, research and development head at Israel's Ben-Gurion University Cyber-Security Research Center. "The approach of blocking the DDoS originators must be backed by a change in the laws and regulations."

Before the October attacks on the Arizona 911 systems, he and fellow Ben-Gurion researchers warned that DDoS attacks launched from cellphones could pose a significant threat to emergency services. During one experiment, it took fewer than 6,000 hacked phones to clog emergency services in a simulated US state, the academics wrote in a September 2016 paper. Such an attack can potentially last for days.

The very nature of the 911 system makes shutting out any callers potentially dangerous, and some alternatives, like requiring a person in distress to authenticate themselves for assistance, are not viable, says Massey of DHS.

"We really need to make sure that we're not missing a critical 911 call," he says. "So that's a challenge for the project to make sure that we're not misclassifying people."