Digital Dependencies

::: nBlog :::

Recently, the Finnish government authentication service at suomi.fi experienced a moderate Denial-of-Service (DoS) attack, which rendered the service inaccessible for some four hours. Access to services such as electronic prescriptions, police e-service, tax authority and to numerous others was thus unavailable to citizens and enterprises alike.

The service itself is simple – it verifies the citizen’s credentials using an electronic national identity card or with a delegated banking ID scheme. Most people use the latter, as the physical identity card requires a reader in the computer which is not very common.

The authentication service has been developed during the last 18 years and is implemented using different service providers, such as telecom operators, systems integrators, security providers and banks. The result is that the originally simple system has grown very complex and dependent on a diverse group of stakeholders, who have different service level agreements and interests.

Let’s take a quick glance on these dependencies. The website suomi.fi has its domain registered via Telia (formerly Sonera and Telecom Finland), so its domain name services (DNS) are maintained by a Swedish corporation. There are three name servers, in Finland, Sweden and USA which are registered to respond to any queries trying to reach suomi.fi. All of them are naturally dependent on Telia’s own network and internal infrastructure.

Now the authentication site itself inside suomi.fi points to a singular IPv4 address, which is owned by Tieto Corporation, a Finnish stock-listed company. This address was the target of the DoS attack. The site might have a redundant setup within Tieto, but running this kind of service through a singular IP in a general purpose address space is, how should I put it, brave but hazardous.

Tieto has its own network Autonomous System (AS) and suomi.fi’s network is currently routed through two telecom operators, Telia and DNA, meaning that Telia and DNA customers can reach the site directly from their networks, while other operators will go through Internet Exchanges or private peerings. This is somewhat redundant, but due to the singlar IP it easily happens that during a routing glitch, one third of Finnish citizens can’t access the site.

So by scratching the surface, we have the banks, Telia, Tieto, other operators, government IT center Valtori and likely a couple of integrators (CGI and Fujitsu) on the dependency chart when Finnish citizens are authenticated.

And how was the service restored? It looks like after some 3.5 hours, telecom operators blocked access to Tieto’s address space on their edge routers, so people within Finnish networks could use the service again. Citizens traveling or living abroad were ignored until the attack ceased.

As a humble comparison, BaseN Platform public deployments serve customers typically from two to four geographically separate data centers (our of current 12), using multiple BaseN-owned IPv4 and IPv6 addresses and networks per site. BaseN, as a telecom operator itself, also routes traffic through four upstream operators and continuously monitors their performance in order to optimize customer connectivity. Furthermore, BaseN fully controls its own DNS infrastructure that is integrated to all BaseN Platform deployments. To put it simply, we can do many things fast and independently when under attack.

Denial of Service attacks, especially the distributed ones, are commonplace due to the massive amount of vulnerable and thus hackable devices connected to the Internet, and they are likely to get worse with the explosion of (consumer) IoT devices.

The key for enterprises (and governments) in maintaining reliable digital services is that, upon an attack, the mission critical providers have an arsenal of Full Stack capabilities to ensure service continuity. It’s all about managing your dependencies.

//Pasi