Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) 351
Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?
Technical OR legislative? (Score:5, Informative)
Why not both?
Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?
Re: (Score:2)
I don't know where you live, but here in the US, some people were trying to push through anti-encryption legislation that technically outlawed lossy compression, like JPEG, as well.
So, we better hop onto the technological solution train Right Now, otherwise we're going to get people passing crappy laws on things that they don't understand because "well someone has to do something!" and we're all going to suffer for it.
Re: (Score:2)
Technical solutions can be quickly changed and adapted to new methods. Legislative is a long process with many compromises in it.
Legislative would mean to push ISP's to be more proactive towards abuses from their customers. However what is considered an abuse vs innovative usage. Is downloading that Linux ISO via a turret to be be blocked because it is the same technology that is popular for piracy? The bad guys who will not stop doing illegal activities won't stop because it is more illegal.
Re: (Score:3)
You cannot legislate a sociological solution to a technical problem, any more than you can legislate a technological solution to a sociological problem. It is like using a screwdriver to hit a nail or a hammer trying to screw in a screw.
Since a DDOS is a technical problem, legislation isn't even going to solve the problem and will no doubt cause unintended consequences.
The only solution to a DDOS that will work, is a Distributed model to detect and dismantle the problem at the edges, not at the central atta
Re:Technical OR legislative? (Score:5, Informative)
PEIP is a technical non-starter for several reasons:
1. Not enough room in the IP header to record the path.
2. Changing the packet size in flight would greatly exacerbate the impact of the PMTUD design error in normal operations.
3. The router data plane is a poor location for any kind of complex programming.
4. The same people who have failed to implement BCP38 would have to implement the much more difficult PEIP.
5. It's whack-a-mole. The nature of the attacks is evolving from spoofed source addresses to distributed botnets with each bot performing a complete IP transaction with its own IP address. If everybody implemented BCP38 tomorrow, theses newer kinds of DDOS attacks would continue unabated.
Re: (Score:2, Interesting)
Civil or criminal solutions are intrinsically Local, with varying measures of corruption involved.
No, I disagree. Governmental authorities are not equal, and that's helpful in this potential area of regulation.
If the United States and European Union were to introduce common IT security fitness requirements then they would likely be more than enough to form a "critical mass." A fairly straightforward legislative remedy, at least conceptually, would be to require Internet connected device and software vendors to provide complementary, opt-out, timely security updates for a minimum of X years after produc
Re:Technical OR legislative? (Score:5, Insightful)
The problem is that people buy stuff on eBay from China. It will be nearly impossible to block all those sales or hold the manufacturers to account.
In the EU at least the onus would be on the vendor, i.e. the shop that sold the thing, to ensure updates were available. Again, not that helpful for imports but perhaps eBay or Amazon could be made liable to encourage them to vet sellers. If that IoT toaster they sold 3 years ago was discovered to be vulnerable and no fix was available, the customer could return it for a partial refund. eBay and Amazon would have to be required to notify buyers too.
Re:Technical OR legislative? (Score:4, Insightful)
If the FCC and CE require network security tests and not only Safety/EMI/RFI tests, then China will not be able to sell crap and customs will impound it at the border.
Re: (Score:3)
Yeah, because no goods have ever had forged / false FCC or CE certification emblems on them...
Re: (Score:3)
require Internet connected device and software vendors to provide complementary, opt-out, timely security updates for a minimum of X years after product withdrawal from sale
That sounds good and all, but is entirely unenforceable. Very few companies even have a guarantee of being in business in 5 years, never mind knowing whether or not they'll still have the talent and finances available to continue maintaining products that are generating little to no revenue -- and simultaneously taking that talent and money away from creating new, saleable products.
I mean you may as well equally say that consumers should be forced to purchase new products every 5 years. I mean at least that wouldn't completely kill innovation in the field. But its still not something anyone would ever agree to.
Maybe you could aim for a middle ground though. Force manufacturers to implement a "soft" kill that activates 5yr after each firmware release and if the user still has the device at that point, give them a nag screen once a week or month or something suggesting that their device is out of date and should be upgraded (if newer firmware exists than whatever they have installed) or replaced.
I mean its still a reasonably annoying burden on both the manufacturers and the users and nag screens necessarily would need to involve software on the interface PC (which could be hacked to remove the nag screen never mind the eternal alternative OS issues with software drivers,) but at least it doesn't require predicting the future.
Re:Technical OR legislative? (Score:5, Interesting)
That's not a great argument. Companies, big or small, that ship security defective products, and that do not repair security defects in timely and convenient fashion, probably shouldn't be making Internet connected products at all. If your company ships crap, and if your crap stays crappy, causing material external harm to others, why should your company expect government acquiescence in your crappiness? You shouldn't.
Besides, it's not a "big" versus "small" issue, not in this instance. There are some excellent, security savvy companies that happen to be small, and there are some truly awful ones that happen to be big. What would be helpful to small businesses, if there is new regulation (probably), is for the industry to get ahead of that regulation and to promote a common, industry wide approach so that the U.S., E.U., and other regulatory "zones" are as uniform as possible. Frankly I'm surprised regulators have had as much patience as they've had. That patience won't last.
Re:Technical OR legislative? (Score:4, Insightful)
The only solution I can see is regulation, like we have for radio transmitters. Everything has to be certified to meet minimum security requirements before it can be sold. The problem is that for radios it is fairly easy to test the output, but to check firmware for security you need access to source code and time to understand and evaluate it.
Re:Technical OR legislative? (Score:4, Interesting)
Then small companies can no longer make any IoT product.
Not necessarily. It depends on what your standards and rules are.
Sure, you could write the rules in such a way that only big companies can afford to comply with them. It doesn't mean you have to. What's more rules could actually ensure small companies could remain competitive by creating safe harbors if you do certain things. Believe me there are lawsuits coming in the future, whether there is legislative or regulatory action or no. It would go a long way toward keeping the little guy competitive if he could point to rules that he was supposed to follow and did. This would socialize the cost novel attack vectors evenly rather than distribute the costs stochastically.
Eliminating the low-hanging fruit could make IoT devices reasonably safe, and "reasonable" is a much more attainable goal than "absolutely". Everyone fails at "absolutely", but only big companies can afford to bear the cost of that failure.
As for stuff getting designed in China, it's the low prices, period. I actually evaluated some Chinese radio linked flow meters a few years ago -- they were intended for metering liquor being poured in casinos (where the "free drinks" paid for by the casinos are acdtually paid for by a subcontractor and poured by a bartender who lives on tips). We wanted to adapt them for pesticide flow metering. The guy we were working with was selling these gizmos at $200, but they arrived on his US loading dock from China all boxed and ready to ship out to customers at a wholesale price of about $3. I was astonished. That's why stuff like that doesn't get made in the first world anymore, it's the jaw-droppingly low wholesale prices. Quality wasn't great, but with a $197 margin you can afford to ship replacements out for free.
Adding regulatory compliance costs to a device like that actually favors domestic producers.
Re: (Score:2)
Re: (Score:2)
I just really want to see this comment over in the thread about smart guns.
Re: (Score:2)
Do you trust your average consumer electronics company with a kill switch on all your devices?
I know I don't!
Imagine that the company decides to do an autoupdate to introduce more ads, and more vendor lock-in, while doing nothing to improve security (which is thousands of times more likely to happen than a simple security update is) and then uses a kill switch on any device that doesn't update?
We don't actually have to imagine all that hard, because we have lots of past experience of companies trying this s
Re: (Score:2)
Or the company gets hacked and a malicious update gets pushed out to turn all the connected devices into a botnet. And those that don't get updated? They're kill-switched to force people to update at their earliest convenience.
Set up correct secondary DNS servers (Score:5, Interesting)
Set up correct secondary DNS servers.
If the secondaries had not been hosted at the same company, but instead at various companies around the world, the attack would have had no effect on anything but traffic.
This is, by the way, how multiply connected networks are supposed to work.
This could be easily accomplished at no additional cost by having a peering-pool arrangement between all the host registrars, so that we ended up with a multiply connected redundant network.
Kind of how we designed the thing to work in the 1960's and 1970's, and DNS itself in the 1980's.
But a lot harder for law enforcement to issue DNS-based takedowns on, of course. Since it would route around the damage and keep functioning. As designed.
Re: (Score:2)
Re: (Score:2)
If the source address is spoofed (they were) then it's not legit traffic. If you are getting thousands of requests a second for a service like DNS, from a particular IP that is not known to be an edge router for an ISP, then it's not legit traffic.
It really shouldn't be that hard to analyze.
Re: (Score:3)
That's not how DNS works, most machines do not directly resolve against a domain's DNS server. They resolve against an ISP's DNS server. An ISP's DNS could easily stream thousands of requests per second to a provider like DynDNS. And usually that's not a problem since in a well-architected DNS system, you have a TTL of 3600-86400 and so your ISP caches requests from all their clients for a specific server.
The problem with the way Twitter 'fixes' issues is to set TTL on the order of seconds and continuously
Re: (Score:2)
Re: (Score:2)
Wait, you mean that people should use the distributed nature of a worldwide network to their advantage?
Crazy talk!
Re: (Score:2)
Secondary DNS would not have helped here. The issue with DNS is that it's a centralizing service. As the world moves more towards a decentralized, distributed Internet, the first piece that moves in that direction should be DNS.
It could be done right now using a similar blockchain to the one bitcoin uses. In fact, you could also tie in SSL into the platform, to prevent centralizing services like Verasign from being a weak point. The design is already in my head - just need to build it. Anyone have some fre
Re: (Score:2)
It could be done right now using a similar blockchain to the one bitcoin uses. In fact, you could also tie in SSL into the platform, to prevent centralizing services like Verasign from being a weak point. The design is already in my head - just need to build it. Anyone have some free time?
It's been done. The project is called Namecoin [namecoin.org].
Re: (Score:3)
Why wouldn't it have helped? If Dyn is down, the other provider would still be up and resolve your domain. Amazon stayed up even though they were using Dyn, they also use PowerDNS.
Re: Set up correct secondary DNS servers (Score:2)
Re: (Score:2)
Re: (Score:2)
Typed out a massive post. Got blocked by the lameness filter.
Removed all references to DNS, round-robin, DDoS and anything else that might be tripping it up (destroying the prose at the same time) and still got blocked.
Spent 20 minutes editing, still got blocked.
Gave up, closed Chrome window.
Basically, the target in this instance was Dyn. Secondary DNS would only help if only Dyn were targetted. The second the target is not Dyn but you (or Twitter or Microsoft), it doesn't matter how many secondaries or
Re: (Score:2)
Please enlighten us. Amazon stayed up thanks to having multiple DNS providers as did many other systems. It was only DynDNS that was out, nothing else.
Ineffective (Score:5, Informative)
Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebbs and Dyn, the two biggest DDoS attacks ever, didn't use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don't spoof the source address, you get a huge firehose of responses coming at you and it's you that gets DDoSed, not the target.
In this case, the attackers didn't bother spoofing source addresses, because they didn't use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure - easier said than done.
Re:Ineffective (Score:5, Insightful)
I guess it depends on what qualifies as a "technical measure" then?
From what I understand, a very large portion of the devices were compromised because they used default passwords that were never changed. I would consider having a device disabled/crippled out of the box until a new password was set to be a technical measure.
=Smidge=
Re: (Score:3)
Adding the manufacturing cost to generate a random password and put it on a label on the bottom is not significant. Seems to be the method that the cable company's are going with.
Re:Ineffective (Score:4, Insightful)
That's exactly what my router has. But we can take it a step farther and perhaps even simpler;
Disable the device's full functionality until a new password is set. This is a firmware change and doesn't add a single cent to the manufacturing costs. No labels, no special programming for each device.
Lost your password? Use the hardware reset button. Device is disabled again until a new password is set.
=Smidge=
Re:Ineffective (Score:4, Interesting)
What a strange position.
Re: (Score:2)
Not necessarily. Just a firmware change that has everything disabled until you change the admin password in the "setup wizard" that everyone is likely already running anyway.
Re: Ineffective (Score:2)
The alternative is to have a different default password for each unit. The challenge there is that it complicates manufacturing since now you need to set it and also print out and label each unit individually. Then again, if each unit already knows about its serial number, then the overhead is probably low?
Re: (Score:2)
Or to hack the devices proactively. The ones that are already part of the botnet have probably been secured, but if we routinely scan the internet for new devices and do the stupid attacks (default passwords, open ports, long-patched vulnerabilities) we can take control of these things ourselves and then destroy them, or at least change the damn password.
It will certainly piss off the owner of some connected fridge, but at least it will make them do something about it. It is not as if they care that their "
Re: (Score:2)
Re: (Score:2)
Quarantine.
Your computer gets caught sending spam, you get quarantined, no questions asked.
Make ISPs at the source responsible (Score:2)
I fail to understand why ISPs aren't blocking packets from customers (bots) that have a source address that is impossible from that location. They know the end point address out subnet already.
Years ago (when i was stupid, times were tough and everything was done on a shoestring) I had a BSD box that "load balanced" two connections (ADSL & WISP). The WISP one caught packets not being correctly SNATed, dropped them and told me.
Re:Make ISPs at the source responsible (Score:5, Informative)
They are.
No source addresses were faked here.
Just millions of "genuine", unfaked connections.
That's the "new" part of this attack. It's not trying to pretend it's anything that it isn't. It's literally just millions of devices requested advertised services and responding to their responses in the correct manner.
Imagine a DDoS of just asking for Wikipedia pages. It's hard to combat because you have no way to distinguish it from just a sudden surge of genuine traffic.
Re: (Score:2, Interesting)
isn't that what's sometimes referred to as "the Slashdot effect"?
Re: (Score:2)
Not anymore - there isn't enough Slashdot traffic left to melt down a load balancer.
Re: (Score:2)
Re: Make ISPs at the source responsible (Score:2)
Re: Make ISPs at the source responsible (Score:2)
How do we prevent flooding the phone system? (Score:5, Insightful)
If a manufacturer made a device that connected to the public phone system, that could be compromised and made to call thousands of people at random, they'd soon find themselves facing product recalls, fines, import bans, and liability for the disruption caused.
Why should IoT devices be any different?
Some shitty noname Chinese remote webcam manufacturer hardcoded 'admin' as the password and tunnels through routers using uPnP to listen on the internet? Import ban that shit. Slap on a fine. Seize any of their American assets or property to pay it. They'll soon get the message that security can't be neglected. It's not hard to fix this stuff given the will.
Re: (Score:3)
Liability is the key issue. Unlike literally everything else you purchase, you don't own software, you obtain it under a license which typically indemnifies the manufacturer from liability. Allowing product liability suits against software developers for issuing hazardous products would dramatically alter the landscape.
Re:How do we prevent flooding the phone system? (Score:5, Funny)
"If a manufacturer made a device that connected to the public phone system, that could be compromised and made to call thousands of people at random"
ie 2016 campaign pollsters?
If you just see the 2016 campaign as a giant DDOS attack on the concept of democracy, a lot of things start to make sense.
Re: (Score:2)
Mental note: change all of our phones from a SIP password of 1234 to something more secure... even though external access is not allowed...
Re: (Score:2)
While I agree, there's a bigger picture to it.
1) We don't know about it until after they are hacked. So that ban comes too late.
2) It's not just one device. It's hard to even know what the devices are.
3) This attack is just a small piece of the damage that could be inflicted. It was a DDOS conducted by stupid devices like home security cameras. But what happens when IOT devices in gas stations and power plants are hacked? It could be used for far more nefarious acts. Stuxnet showed us the damage that
DoS (Score:5, Interesting)
As most of this traffic was "genuine", i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it's hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.
The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.
Quite literally "please block anything from these IP's or traffic that matches this pattern".
But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.
There's no way I can see to stop something like this, where millions of random devices starting genuine full connections and responding as any other client, without just rate-limiting (which rate-limits your other genuine clients) or engaging in the packet conversation as you normally would (which would be enough to cause a DoS in itself).
Even if you can spot a pattern, it'll be changed in the next iteration, or dynamically and randomly generated in time. It's like spam-filtering at packet-speeds, and as stupendously unreliable.
Previously, it was faking source IPs, which can be solved by ISPs being required to only allow their announced ranges. Now, with just millions of valid connections, a DoS is indistinguishable from a service just suddenly becoming incredibly popular with real users.
Any method, protocol, or setup where they have to connect to you like that and you perform some kind of check or measure against their connection (even, say, setting up a TLS session) can be replicated by the botnet just as easily.
There's no solution to what is effectively "junk mail" inside a TCP/UDP packet.
Re: (Score:2, Insightful)
Mod parent up.
This is not a technical problem, a technical solution won't fix it.
Re: (Score:2)
That's effectively the same as applying encryption to the stream, albeit for a different purpose. Though you can rate-limit SSL requests, and require them to all be valid before you continue processing, you hit a problem either way - either you're throwing lots of time/effort at verifying the challenge yourself against a lot of bots faking it, or you're handling a lot of connections that are indistinguishable from genuine ones.
Every if you reset the counter for each unique IP (because of NAT etc. that's yo
There is a reason send/return pathes are not... (Score:4, Interesting)
There is a reason send/return pathes are not included.
Go look at how many bytes addresses for 10 hops would take. Now scale that up to the maximum of 255 (most routers TTL-kill connections over 40-60 hops to avoid routing loops. Lack of connectivity to remote sites when key routers go down is often due to this limitation even if alternate paths are available. Good for reducing traffic, bad for 'worst case connectivity' reliability/redundancy.) The real solution long term would be a 'push back' anti-DDOS system where ips/ranges considered to be spamming the host can be 'pushed' back to routers, which in turn could push IP blacklist information to the next router back when incoming packet floods are recieved, and pass the block to the next router back until it is blocked at the originating ISP. As with the 'include all hops' idea it requires a *LOT* of overhead, which backbone switches/routers cannot afford and which most edge routers are not specced to handle.
However, were this to be done it would provide the least strain on the network for the most bandwidth savings, since it would over time reduce the bandwidth pressure on all but one participating link (since the border link between participating and non-participating ISPs would still be DDoSed) and lower the packet load on all other hops which in turn would have more resources available to provide normal traffic and analysis for said pushback service.
Maybe someone could mock it up for us on OpenWRT with a few 100M/1G routers that could handle the header analysis load so that it remains an unpatented idea (if someone has not already patented it.) And if not, write a royalty free RFC for future implementation. The basic idea could be applied to every other internetworking protocol, given sufficient cpu/memory. It should also ensure all well behaving programs would not be filtered since the threshold to blockage would require saturating a link beyond an acceptable percentage of throughput, which existing mechanisms should deter via voluntary rate limiting.
Use Torrent for #allthethings (Score:2)
When you use p2p for everything a DDOS will increase service reliability.
Forbid flatrates on DSL lines (Score:2)
As long as data transfer on DSL lines seems to be "free" to the user, the user will not care very much about the possibility that his device is used in a DDOS attack. I believe even the prospect of a minor additional charge (e.g. $10 per year) by malicious traffic for the end user would do much good for the willingness of the user to accept inconveniences which make the IoT devices more secure against arbitrary access.
Re: (Score:3)
So you punish them twice, first by having an insecure device and then by paying the fine for it, too?
To force the omnipresent car analogy, you think VW drivers should be punished for the CO2 trickery of Volkswagen because they didn't check that their cars aren't manipulating the tests?
Start filtering entire internet accounts like spam (Score:5, Interesting)
There already is a solution to this. We've done it already with email and with the increasing compromised accounts/junk message spam on iMessage getting throttled.
If someone is part of a botnet, then when someone reports being DDoS'd, they report it and the higher level ISP's should be notified. Cut them off temporarily, give them the same message that violators of MPAA/RIAA are given on their ISP's where they get a standard message that they are a shithead instead of loading normal pages and have to call in to an ISP to get the ban lifted.
"Your computer is running outdated software, is actively infected. We'll lift the ban for a few hours, but if you're still part of the botnet after 3 hours, you're banned again until you call us again."
Something along those lines. If you're running an infected system and get reported, then fuck off and either call a family member that knows computers or take it to a shop and have it cleaned.
Re: (Score:2)
Re: (Score:2)
Fair question.
We need a trade for this. Just like you call pest control when you have a mouse, you call someone to find out what hacked device is connected to your network.
3 ways (Score:2)
Get free AV and consumer grade AV products to scan the users home networks with the same passwords and test every device found as a default setting.
Tell the user about the type of devices they have networked and the poor quality security some have.
Get some real security from the 5 eye nations and find out who is doing the command and control.
If its a person or bad country whats the problem with fi
Prevent the participants (Score:5, Insightful)
It's been said before here, so allow me to offer a "how" for the obvious and already mentioned "secure the damn crap people hook up to the net".
This will only work with legislature. Sorry to all my libertarian friends here, but yes, there are times when the only way to sort out a problem is government intervention. These times are when you have to force people to do something for the "greater good" when they themselves would have a (smaller) profit from not giving a shit. And if there has ever been a good example, it's this. People don't give a shit about their IoT devices being insecure, because it does not affect them directly, but these insecure devices threaten the usability of the internet for all of us.
This is one of the reasons organizations like the FCC were created. Remember that sticker [apt46.net]? Few people notice it nowadays because, well, it's a given that devices don't create harmful interference and that they don't go bananas if they are subject to any, but this was anything but certain in the early days of electronics. And no, that sticker itself doesn't do jack, of course, but it is a promise that the manufacturer has to live up to or face a heavy fine and ban of his device.
We need something like this for the IoT devices. "This device will not cause trouble on the internet and cannot be hijacked from there". Live up to it or see your device recalled. It pains me to ask for this, but it's time to create a government entity that deals with this. Or maybe hand it to the FCC so they start doing something useful again.
Re: (Score:2)
"there are times when the only way to sort out a problem is government intervention". such as space exploration, medical and basic science research, the efforts of the CDC to contain epidemics, pollution control, traffic safety, airline safety, Wall Street and Banking rules, Social Security and Medicare, etc.
Libertarianism is a euphemism for a Dog-Eat-Dog world where everything has an individual price and woe betide the poor sucker who cannot afford the price.
Re: (Score:2)
This could be handled just like how UL approval is. Most stores won't sell electronics unless they are UL approved, but it isn't a government agency. We need something like that, but who checks device security. Homeowners insurance policies don't have to pay out from a fire if was caused by a non UL-approved device. So maybe we could have something like that: You are liable for the damage your hacked devices cause, unless they are UL approved.
Re: (Score:2)
Odd. There are so many machines connected to the internet and so few of them are being hijacked to participate in the DDoS. Wouldn't it be far more useful for the attacker to use all of them? After all, it's impossible to secure them.
Re: (Score:2)
Odd. There are so many machines connected to the internet and so few of them are being hijacked to participate in the DDoS. Wouldn't it be far more useful for the attacker to use all of them? After all, it's impossible to secure them.
Soft targets are the first ones chosen. If you're building a botnet, are you going to go after the hardened VMS box behind a military firewall, or are you going to drag in 10,000 network-capable toasters with their default admin passwords and no firewall?
I'm not arguing that these devices shouldn't have more security, or less network access. I am saying that passing knee-jerk legislation that says that if your network capable device can be compromised, it has to be withdrawn from the market immediately, i
You could start by... (Score:5, Insightful)
You could start by not giving IP addresses to kettles and toasters.
Re: (Score:2)
Exactly, just intranet address ranges are allowed, both source and destination. Or some link-local, or site-local multicast. It's all that these devices want to do anyway.
Re: (Score:3)
My toaster has an IPX address you insensitive clod!
Comment removed (Score:5, Informative)
Re: (Score:2)
What should happen is an easy, secure, simple VPN setup that doesn't force users to navigate to a cloud hosted service for remote access, and blocking internet access for devices by default. History has shown this is too hard though.
Opportunity for Google/FB to inform users (Score:2)
I've wondered if companies like Google and FB - who are no doubt getting DDOSed all the time in various ways - could start trying to inform users if they notice them browsing from the same IP address as a DDOS source.
A big notice on FB or the Google search page that says "there is suspicious activity coming from your IP address" might at least get people to contact their local nerd to ask them what the hell that warning is all about. I don't expect users to be able to identify the source of the problem (unl
Re: (Score:2)
or just have ISP's simply shut off service to users that are sending out packets to a known DDOS attack target. Granted it would mean that Comcast would have to hire competent admins and management.....
Re: (Score:2)
ISPs will never do this though; they have their hands full dealing with users who either really can't get the Internet working because it's legit broken (e.g., area outage, modem fault, busted fibre) and those who have busted their own network (turned off wifi, etc).
The cost of egress traffic is negligible; they won't want to do anything that risks losing a customer like intentionally breaking their network.
Doing proper egress filtering for spoofed traffic seems like it would be a better start!
Civil penalties--and big ones (Score:2)
Disconnect everything (Score:2)
Re: (Score:2)
But, but, but, if my toaster can't send a message to my iPhone, how will I know when it's done?
non centralized DNS (Score:5, Insightful)
I was 100% unaffrected by the DDOS attack on DNS because I run a cacheing DNS server that I set to break the rules of DNS. I cache DNS until I get an update.
a DNS request is passed through to the main servers, if I get no response in 100ms I fall back to cached information. cached information does not expire for 30 days
so unless some obscure site that changes it's IP constantly decides to hop IP's during the DDOS attack I have zero issues.
Re: (Score:3)
Consider that the target of this attack was Dyn. That's Dyn as in "dynamic". A big chunk of their business involves mapping host names to dynamic IP addresses. Caching someone's dynamic IP address for a 30 days may or may not yield the desired result. The fact that you happen to have "zero issues" probably means only that you attempted to connect to exactly "zero" dynamic DNS clients.
Hello... users. (Score:2)
This will be difficult to solve (Score:2)
Path recovery/tracing has been a dead topic for > 20 years now, with the occasional irrelevant paper still getting published. The fact of the matter is that all proposals require far too many expensive changes and hence are never going to make in in practice. Sad but true.
Personally, I think we should start to drop ISPs that do not do egress-filtering and maybe make that a legal requirement for backbone operators. I do not see this changing unless we force ISPs to finally start following sound practices.
Department of Bricking (Score:3)
We need a Department of Bricking (DOB).
An agency of the federal government that is staffed, funded, and mandated to find and brick every device on the internet.
Don't want your device bricked? Secure it.
Device bricked? Your problem. Maybe you should complain to the vendor.
Re: (Score:3)
Murder? Hacking off of hands? Finally AC shows his true colours.
Sharia! i just read a law named Sharia
And suddenly that name
Will never be the same
To me...
(With apologies to Leonard Bernstein)
come on, have a little perspective here... (Score:2)
Re: (Score:2)
Bringing down large portions of the internet is much more than a mild inconvenience. People work on the internet. Entire industries revolve around it. Disruptions have serious financial impacts that can threaten the livelihood of families. I don't necessarily think it should warrant a death sentence - but don't brush it off is a trivial matter either.
IMHO - it should carry a LENGTHY prison sentence. 10 years minimum. And any country that doesn't match mandatory sentencing guidelines or that doesn't in
Re: (Score:2)
That's a dumb argument. That's like arguing that we don't punish murderers because all they did was prove that a skull is inadequate to stand up to an axe.
DELIBERATELY damaging something isn't just showing a weakness - its destructive, and rather pointless.
Re:blacklists (Score:4, Insightful)
If this was so simple, you'd see spam blacklists being used that way. Wonder why that doesn't happen...? Right, because you have to spam to get on the list! And to get on the new list, you'd have to have an insecure IoT device in your house.
Still, it's not a good solution. Spamming blacklists hit email providers who better are professionals (and if not, it's a DAMN GOOD idea to block them anyway), while IoT users are primarily private people. You cannot expect them to do a full audit of every piece of junk they buy.
It's time to put the burden on the makers of those shoddy devices, not expect a CS degree from anyone who wants to use one.
Re:blacklists (Score:4, Insightful)
When I buy an electrical device, I assume it's passed all the relevant consumer safety checks and complies with the regulations, as otherwise the shop would be breaking the law selling it to me (in the UK at least). I assume I'm safe to plug it in unless there's an absolutely obvious flaw (damaged power cable, for example).
Most people will go and buy a security camera or other device that connects to the internet and assume there's nothing to worry about if they're buying it from a high street shop. These things are sold as consumer devices in major stores, targeted at non-technical people. That should be enough, in an ideal world, for buyers to be confident they can connect them to the internet in the same way they can connect the microwave they buy to the power without worrying about whether it's safe.
OK, I accept that these days you can buy no-name stuff on the internet that probably doesn't meet safety standard (electrically or otherwise). That's your lookout and you should absolutely be liable for problems that result. But if you buy it at Currys? Argos? Well, in the UK consumer law says anything sold must be fit for purpose.
Re: (Score:2)
The flaw in our legislation in this regard is "fit for purpose" - the purpose of a webcam is to take pictures/video and present them on PC/phone or whatever - in that regard they are fit for purpose.
If IoT devices had to additionally state "reasonably safe for internet use" or some such, then you could argue these aren't fit for purpose, but until then you're flat out of luck. Whilst our consumer protections are pretty good (compared to other western countries), they're not really setup for problems such as
Re: (Score:2)
When I buy an electrical device, I assume it's passed all the relevant consumer safety checks and complies with the regulations, as otherwise the shop would be breaking the law selling it to me (in the UK at least).
That would be a massively incorrect assumption.
Regulations are bad, and interfere with the market. If burdensome regulations are in place, how are honest businessmen supposed to make money bringing Internet of Things devices to market.
There are not that many regulations on these devices - and the on es that are there are interfereing with the process anyhow. The free market will correct this silly IoT DOS attack any day now.
Re: (Score:2)
Maybe we need some kind of minimum security standards for any network-connected device. Like how we have FCC and UL, we need something else.
Re: (Score:2)
And THE INTERNET LACKS FUSES. Time to add them!
Imagine, if you will, any fuse in your house going 'pop' at the whim of a neckbearded gimp 4chan dweller.
That's what you're proposing.
Re: (Score:2)
Opportunist did not misunderstand you.
Re: (Score:2)
Yes, and people would finally start locking their doors if burglary were made NOT illegal, instead of depending solely on the force of law to protect their homes like they do now.
Re: (Score:2)
Ipv6 is a lot cleaner administratively routing wise, big allocations and nobody is letting you advertise smaller for TE etc. So filtering becomes pretty trivial.
Re: (Score:2)
Most of these can be fixed by turning off upnp, thing should never be opening up ports to the world because the asked for it.
Re: (Score:2)
Re: (Score:3)
Simple.
If you jailbreak your device, you take responsibility for security.
Heck, I think that's one reason that the FCC hates jailbreaks, because it causes the product to be altered and lose its certification.