US House of Representatives Speaker Nancy Pelosi’s visit to Taiwan on Aug. 3 and 4 triggered a series of retaliatory countermeasures from China that included military, diplomatic, economic and information attacks. The biggest of these was an unprecedented large-scale military exercise that covered seven areas around the nation’s waters and lasted four days.
In terms of information warfare, it was originally thought that China would levy high-visibility disruptions and damage government information systems with pre-emptive backdoor programs. Fortunately, this wave of cyberattacks seemed to aim only to blockade the network services of government agencies — a denial of service (DoS) attack — rather than to damage their underlying information technology systems. Although the services of several government Web sites, including the Presidential Office and the Ministry of National Defense, were temporarily interrupted, they were able to recover quickly. Overall, the damage from this wave of cyberattacks was quite minor.
The scale of the DoS attack was not particularly excessive, either. According to publicly released reports, the Web sites of government offices collectively suffered about 15,000GB of cyberattack traffic throughout the day on Aug. 2, which is 23 times as much traffic as during the heaviest previous attack in a single day.
However, a 2020 study conducted by Amazon found that the average traffic volume of the highest-end DoS attacks it experienced that year was more than 100GB per second, or about 360,000GB in one hour. Therefore, if China were to launch a DoS attack against the whole nation as a military operation, the scale of the attack would be expected to be at least 100 times larger than this one.
Suppose a network service’s maximum processing capacity is 1,000 requests per second. When a DoS attacker sends requests to this service at a rate far exceeding its processing capacity, say 5,000 requests per second, the service would be too overwhelmed to respond properly to the attacker’s requests as well as those submitted by legitimate users. Specifically, the service would first place all incoming requests that it cannot handle into a buffer area, which would quickly get filled up. It would eventually have no choice but to drop all subsequent requests, thus denying them the service.
This means that when a network service comes under a DoS attack, the solution must include the capability to discern the attacker’s requests amid all incoming requests — and then discard the attack requests as soon as possible. That is, the key to mitigating a DoS attack is the ability to distinguish, in real time, between good requests — those from legitimate users — and bad requests — those from an attacker.
Modern DoS attacks are distributed, and referred to as distributed DoS (DDoS) attacks. Their attack packets come from a large number of Internet-attached computers, which might be virtual hosts rented from public cloud service providers, or devices recruited from a for-hire botnet. Because the attack hosts could come from anywhere, it is difficult to solely use the source IP addresses of incoming requests to distinguish between attack and non-attack packets.
The most effective countermeasure against DDoS attacks today is traffic cleaning. State-of-the-art traffic cleaning technology is able to analyze the packet content of incoming requests to pick out the attack packets that exploit known vulnerabilities of specific communication protocols.
However, even traffic cleaning is still relatively powerless against the most lethal form of DDoS attack, which mounts a brute-force attack by using a very large number of properly geographically located networked computers, each submitting normal requests at a normal rate.
Fortunately, for government, e-commerce and mobile application Web sites that serve the public or consumers, and where network services directly interact with human users, as long as one could confirm that there is a human user behind a specific IP address, then all requests coming from that IP address could be considered legitimate and not part of a DDoS attack.
Therefore, protecting user-facing Web sites from DDoS attack boils down to determining whether the source IP address of an incoming request is controlled by a human being — a legitimate user — or by a program — an attacker.
A standard way to distinguish between humans and programs is known as the Turing test, which uses problems that humans can easily solve but are beyond the capability of modern AI algorithms to determine. For example, during the login process of many Web sites, users are presented with (sometimes distorted) images and asked to identify the content using alphanumeric characters. Similar tests could be used to identify attack requests during a DDoS attack.
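The buffer overflow described earlier and the human-verification gate proposed here can be compared in a small simulation. This is an added example, not part of the original article: the buffer size, the client labels and the assumptions that only humans pass the challenge and that issuing a challenge costs the service nothing are all constructed for illustration.

```python
from collections import deque

CAPACITY = 1000     # requests the service processes per second (figure from the text)
BUFFER_SIZE = 2000  # assumed backlog buffer size, in requests

def arrivals(legit_rps, attack_rps):
    """One second of constructed traffic as (source, is_human) pairs, evenly interleaved."""
    total = legit_rps + attack_rps
    out = []
    for i in range(total):
        # Spread the legitimate requests uniformly among the attack requests.
        human = (i * legit_rps) // total != ((i + 1) * legit_rps) // total
        source = f"human-{i % 200}" if human else f"bot-{i % 3000}"  # constructed labels
        out.append((source, human))
    return out

def simulate(seconds, legit_rps, attack_rps, challenge=False):
    """Return the fraction of legitimate requests that the service answered."""
    buffer, verified = deque(), set()
    sent = served = 0
    for _ in range(seconds):
        for source, human in arrivals(legit_rps, attack_rps):
            sent += human
            if challenge and source not in verified:
                # Unknown source: reply with a challenge instead of queuing the request.
                # Assumption: humans solve it, programs do not; the retry is not modelled,
                # so the first request from each human source counts as unserved.
                if human:
                    verified.add(source)
                continue
            if len(buffer) < BUFFER_SIZE:
                buffer.append(human)
            # else: buffer is full and the request is dropped, whoever sent it
        for _ in range(min(CAPACITY, len(buffer))):
            served += buffer.popleft()
    return served / sent

if __name__ == "__main__":
    print("no attack:            ", simulate(10, 500, 0))
    print("5,000 rps flood:      ", simulate(10, 500, 5000))
    print("flood, challenge gate:", simulate(10, 500, 5000, challenge=True))
```

Without the gate, legitimate users get roughly their share of the 1,000 requests per second that survive the full buffer; with it, attack requests never reach the buffer. The model covers request-processing capacity only, not exhaustion of the network link itself.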
Some people have proposed leveraging the emerging Web 3.0 architecture to defuse DoS attacks. Presumably, the intention is to apply the idea of the blockchain-like distributed database architecture to the system design of a network service, so as to enhance its overall resilience to DoS attacks. The more network nodes across which a network service is spread, the less likely it is that any one node failure could bring down the service. Such an argument is more applicable to cyberattacks that use malicious programs to control and thus knock out the victim’s systems.
However, that is not the way DoS attacks work. Instead, DoS attacks aim to exhaust the victim’s network service computation and bandwidth resources. Taking a fixed resource and distributing it among multiple network nodes does not change the size of the resource. A well-known weakness of blockchain is that its decentralized architecture needs tight coordination among participating nodes — it therefore incurs significant computing and communication overheads, substantially detracting from overall system performance when compared to its centralized counterpart. As a result, using the Web 3.0 architecture to defeat DoS attacks has limited value and might well be counterproductive.
Chiueh Tzi-cker is a joint appointment professor in the Institute of Information Security at National Tsing Hua University.