People have been talking about the internet crashing for as long as there has been an internet. You can tell from the common phrase used to describe it, "Death of the internet: GIF at 11," which invokes the 1980s graphics format GIF. We've always been scared of it, but today it's a real possibility.
In fact, I'm certain we'll see such an attack. If I were a betting man, I'd say we'll see it sometime around November 8th: the US election date.
An attack then would make a huge impression. And, as noted security expert Bruce Schneier pointed out recently, "over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses."
Schneier continued that major internet companies are telling him they're seeing an increase in [Distributed Denial of Service] DDoS attacks against them. "Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."
Krebs sourly noted it didn't require a James Bond villain. "This attack was launched with the help of a botnet that has enslaved a large number of hacked so-called IoT devices -- mainly routers, IP cameras, and digital video recorders (DVRs) that are exposed to the internet and protected with weak or hard-coded passwords."
The botnet code used to make the attack, Mirai, has been dumped on the web. That was a few days ago. In a few weeks, script kiddies can start making 500Gbps+ attacks.
BCP-38 was proposed in 2000, when DDoS attacks were first becoming a serious problem. It works by filtering out bogus internet addresses. Another internet proposal, BCP-84, Ingress Filtering for Multihomed Networks, helps to make BCP-38 possible to use.
They're not perfect, but they would go a long way to reducing DDoS attacks to manageable sizes.
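As an added illustration (not code from this article or from the BCP documents), the source-address check that BCP-38 describes can be sketched in Python. The interface names and prefixes are constructed, and the second customer shows the multihomed case BCP-84 addresses.

```python
import ipaddress

# Constructed example: source prefixes an operator expects on each
# customer-facing interface. All values are documentation ranges.
ALLOWED_SOURCES = {
    "cust-a": ["192.0.2.0/24"],
    # Multihomed customer (the BCP-84 case): it also holds a prefix from a
    # second provider, so both must be accepted or legitimate traffic is lost.
    "cust-b": ["198.51.100.0/24", "203.0.113.0/25"],
}

def build_filters(table):
    """Parse the prefix strings once into ip_network objects."""
    return {
        iface: [ipaddress.ip_network(p) for p in prefixes]
        for iface, prefixes in table.items()
    }

def permit(filters, iface, src):
    """BCP-38 style check: forward only if the source address belongs
    to a prefix expected on the interface the packet arrived on."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address
    return any(addr in net for net in filters.get(iface, []))

def filter_packets(filters, packets):
    """Split (iface, src) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for iface, src in packets:
        (forwarded if permit(filters, iface, src) else dropped).append((iface, src))
    return forwarded, dropped

# Constructed sample traffic arriving at the provider edge.
SAMPLE = [
    ("cust-a", "192.0.2.17"),     # legitimate
    ("cust-a", "198.51.100.9"),   # spoofed: cust-b's address on cust-a's port
    ("cust-b", "203.0.113.40"),   # legitimate, second provider's prefix
    ("cust-b", "203.0.113.200"),  # outside the /25, dropped
    ("cust-a", "10.1.2.3"),       # private address, never assigned here
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_filters(ALLOWED_SOURCES), SAMPLE)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

Removing the second prefix from `cust-b` makes its legitimate `203.0.113.40` packet fail the check, which is the deployment problem for multihomed networks.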
Their logic is, McConachie explained, "It costs money to install filters, albeit a very small amount, but it is not free. Nor is the labor capable of installing those filters cheap. Therefore it makes economic sense for this network operator to not install filters. No one is DDOSing their network, that's someone else's problem."
It's not. It hasn't been someone else's problem for years now. And now it's on the brink of becoming everyone's problem in the worst possible way. Besides, it doesn't cost that much. McConachie said "any carrier grade [Border Gateway Protocol] BGP router can support many more Access Control Lists (ACLs) than are actually needed to support implementation of BCP 38".