Is it confirmed yet that so-called IoT devices were the bots?
Bruce was on point if so, arguing a couple weeks ago that accountability needs to happen on the manufacturers:
"What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.
Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."
I feel like I hadn't thought of this as a market failure until reading your post calling it that. You're absolutely right about it. That's exactly what it is and the need for government involvement is quite obvious now. Suppliers are going to need to be held liable for the negative externalities their product offerings create, otherwise we're stuck at an equilibrium point where this situation does not improve.
If ISPs were treated like a utility and charged per bit, customers would have an incentive to ensure that their devices weren't dumping traffic onto the internet. It's rare that you can see a dashboard showing your usage, even rarer to see a dashboard showing your usage, broken down by device.
With ISPs (at least in the US) moving towards data caps, this is becoming a reality. It won't fix the problem.
DDOS attacks via IOT don't have to send much data per request. If my devices are doing an extra 10Mb/hour, I won't notice. 1000 homes is 10Gb/hour and that's just a few blocks in a city. 100,000 homes seems easy to hit, which is a petabyte of data per hour.
It's death by a thousand paper cuts. If my internet bill goes up a dollar per month, it's highly unlikely I'm going to debug my refrigerator to figure out how to stop it.
I think this is missing one component though. I agree I wouldn't, you wouldn't, in fact most people wouldn't debug their refrigerator over a dollar a month bandwidth bill.
I would however take into consideration bandwidth bill effects of what I buy. By comparison: today I buy LED lightbulbs and energy efficient appliances because they will have a long term cost impact on my electricity bill.
You can call that "getting the government involved" but it's allowing suing for damages due to negligence, which is a fairly basic form of involvement, the sort of thing at the base of the market to begin with. That is to say, it's a bit strange to call this a market failure, because the market will (imo) take care of it once you can assign liability.
I'm not so sure suing would help here, as who is suing who?
The people who bought the IoT devices probably don't even know that their device has been hijacked in a lot of cases and therefore have no incentive to sue the manufacturers.
The people being hit by the DDoS have a tricky attribution problem to prove which manufacturers are to blame and then the manufacturers could, in many cases, shift the blame to users who didn't read instructions/change default passwords/apply available security patches.
Also you have the problem of complex supply chain. A lot of the people selling these devices are just white-labelling someone else's product, so who's to blame there, the vendor or the ODM?
Lastly you have shrink-wrap style licenses that disclaim liability for flaws, which the software market has been relying on for many, many years to avoid any liability when their products misbehave...
Personally I don't see the market sorting this; it's a classic case of negative externality where government regulation is the most appropriate way to rectify the problem.
Nope. Many of these compromised routers and webcams are not based on U.S. soil, so they're outside of U.S. jurisdiction. But even if some enterprising lawyer could attach a legal claim to them, most of these guys are tiny, and while you could easily sue some individual companies out of existence, it would not have much impact on the broader problem.
That's probably too distributed a set. You'd have to hit the device manufacturers (say, ARM or Intel), or vendors (Amazon). Hold them liable for problems.
Hit the distribution channel and I suspect you'll see a rapid increase in accountability and security measures.
Hopefully it's not related to threats about hacking during the election.
Remember that recently Biden openly threatened cyber attack on Russia if they make any attempt to tamper with the election. Which is completely unprecedented, as is the notion that DOD is openly saying Russia was behind DNC and other attacks.
Also what amazed me is that he would casually threaten to strike Russia. It seems that no one considers these attacks as an act of war. But that's what they are.
> In July 2016, Allies reaffirmed NATO's defensive mandate and recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea.
The technical verbiage used is "domain of operations" and "security domain".
> It seems that no one considers these attacks as an act of war. But that's what they are.
Wouldn't it be better that we on Hacker News stay above trying to define "act of war"? Is it an act of war for one country to pollute air that floats over another country? Is it an act of war to launch satellites that pass over another country? These questions are governed by precise treaties today, but I can imagine politicians screaming "act of war, act of war!" at some point in the past.
It's just an arbitrary phrase used by politicians to justify whatever action or inaction they take. It will lead us to needless unproductive argument.
God I fucking hope not. I'd much rather lose access to some services and focus on technical mitigations than literally start a war over it. I don't want me or my family to die just because services go down or businesses lose some income.
Like it or not, that's happening, and next year when Clinton comes into office, that will be among the first things it comes to. Mark this comment.
I think I must have missed some context here or misread since an attack on an electrical grid is substantially different from disrupting major web services.
Espionage is stealing data. Disrupting utility services is an act of war, whether it is shutting down an electricity power plant, cutting communications, or any other act of sabotage.
Equating what amounts to a temporary sabotage of a non-critical service to an act of war highlights how brittle and conflicted is US cyber-strategy.
Surveillance has for so long gotten all the money and mindshare. A stockpile of zero days is considered a good and necessary thing. Back doors in hardware and software are considered clever and useful, and maybe even a workable compromise for domestic surveillance.
Imagine if the domestic surveillance budget had been spent instead on making Linux into an EAL6+ certifiable system and creating open, verifiable designs for chips and firmware for secure hardware platforms.
This is true, but in fun hypothetical talks with various tech friends over the decades, we often talked about in relation to Internet services in particular, taking down services and such can actually help with hacking (i.e. stealing data) efforts. How? Why? Firstly, probing as the article mentions does yield plenty of valuable intel which is the core for espionage.
Secondly, we often joked that companies have such flawed backup and response procedures that triggering these things has a funny effect. More specifically, a lot of times in our experiences, we saw things like backups, up-scaling servers, etc. go noticeably unmaintained or poorly attended. A lot of people, especially years ago never did a great job of testing their backup systems, failovers, scaling, etc. and kept them up-to-date and secured as well as the main stuff. It's more interesting in some ways in this world of containers and VMs. One would assume things are updated, patched, and deployed exactly inline with the mainline stuff, but that's not always the case. It often takes only one slip-up and this is where a ton of people make mistakes for so many reasons. And sometimes it's easier to manipulate the protection systems to be the vector itself than the systems they are protecting.
That is to say, messing around with services sometimes can be a way of creating an open front or back door. Especially if there's malware and things that can be planted that will be less likely to be caught in the panic or otherwise deployed as a result of the panic response.
Of course all of this is more unlikely, but it's fun to think about in the same way stupid schemes that are similar in heist movies are fun.
Don't know, hence the question. It seems murkier than data vs. infrastructure. The one article I've read so far on the subject doesn't say much [1]. The Cyber Act of War Act of 2016 is apparently working its way through Congress [2].
Does application of the stolen data play a factor? i.e. considering the OPM breach an act of war if compromised individuals are blackmailed. Would Russia stealing the location data & capabilities of our missile defense system constitute an act of war?
What if an entity willingly allowed the attacks or espionage to continue? Like the NSA allowing foreign nations to spy on US citizens and corporations, or the CIA operating and allowing drug operations to run amok within US borders, or the OPM breach?
You can't just have one without being able to hold all of those responsible accountable.
What Russia is trying to do with us (whether it's to influence our election or just make us seem weak) is very bad and should be met with a proportional response, but calling it an act of war seems a bit too far.
Did you know you're not at war, and have never been, with Afghanistan?
Meaning of all that: what is or isn't "war", an "act of war" or "is" is up to people to define, and international law is easily ignored whenever states think that's a good idea.
The best definition is probably the UN's "act of aggression", see http://www.un-documents.net/a29r3314.htm. That definition does not include provisions for such situations – the only (theoretically) unarmed act of aggression is a blockade.
There is a strange push in America to go to war with Russia. Of course no one comes right out and says this, because it would be counterproductive. But every time something bad happens to democrats, it gets blamed on Russia. Lots of non-sequitur bellicose talk about Putin all the time.
It reminds me of the run up to the Iraq war. Seems bad.
The idiot is embarrassed because the DNC was exposed as fraudulent and corrupt to the core. One might figure only the Russians would be interested in exposing the underlying machinations of American politics, but it really is just a classic case of misdirection.
He's also threatening not just the Russians, but the American citizens as well... that if they try to challenge the system as it is, then the politicians would rather start a major war than to address any concerns of fraud/corruption.
Thank you, missed this piece but it was interesting.
I disagree with him on the point of "Who would do that?" He might be right about state level actors, but I think he discounts the motivations of crazy/disillusioned people, bored and curious people, and especially teenagers.
When I was a teenager, the Internet wasn't a thing yet, but we sure dreamed of all kinds of crazy schemes for taking out the phone company, power, anything really. We talked about anarchy and many "taboo" topics I can't mention here. The thing is we were good kids at heart and we had the discretion and morals not to act on those things. All of this happened in a time where our instant communication was the phone or meeting up in person. Today, it is infinitely easier to seek out like-minded people and to replace those who drop out. The ability to seek out confirmation and push is easier than ever as well.
Unfortunately, there are plenty of people that don't have that. Just because someone is a misguided teenager or crazy person does not mean they do not have intelligence, organization, and skills. Many of us certainly did our share of things and had the power, but I wonder what might have happened if we didn't stop ourselves in some cases. While perhaps the organization and probing nature likely hints at something else, it's really not that unusual for people to just mess around. Some people as they say also just want to watch the world burn. A couple of rough years in my teens, I certainly felt that way at times. I did plenty of things I'm not proud of, many people just have no shame and will take it that much further.
In the end I probably agree in terms of who is most likely, but I am kind of surprised that there were not more possibilities mentioned. Even 20 years ago, attacking Internet infrastructure seemed an obvious thing to do to us and we used to love talking about fun ways to ruin things over a burger at lunch. I mean is it really that hard to fathom people would think about attacking targets other than some organization, government, or other kind of company's servers?
Schneier's post is hardly prophetic. The idea that "china is attacking the internet" is so well ingrained, that this 2-year-old fake security attack map has "china mode", to make most of the attacks seem to come from China (part of the mockery of such maps): https://github.com/hrbrmstr/pewpew
> "But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack."
Pushing your infrastructure to cloud computing is not decentralization - it's centralization, and we're all doing it. Imagine if an attack like this was against AWS... we'd all be screwed.
Interestingly, in some ways this is a big selling point of AWS/Azure/Goog. The absolute scale they can handle is way up there.
The downside of course, is that whilst their infrastructure can likely handle it, handling the bill associated with 'just scale up your service' could be worse than the attack itself.
AWS has considerable defenses against DDOS attacks of all types - here's the video from Reinvent 2015 which introduces many of Amazon's defenses as well as best practices - https://www.youtube.com/watch?v=Ys0gG1koqJA
Interestingly, the presenter notes that Amazon had seen a drop in DNS as an attack vector in 2015. I asked the presenter (Product Manager) why they hadn't productized the DDoS attack dashboard so you could be aware if you were being attacked (and it was being absorbed by AWS) and his response was that there was insufficient demand at that point to justify the developer staffing. He gave me his card and asked me to request the feature so he could use it to make the case internally.
Does anyone here have stories of being successfully DDoS'd on AWS (other than by their own staff :) ?
If Azure and Google would like to gain a competitive advantage over AWS, then I would suggest this: Build out a suite of tools for fighting DDOS. Enable private consultants and companies to provide this as a service. Do this in such a way, that cloud customers save money and have to worry about less. Hell, let companies jump in structured as insurance companies! Also bring in cooperation with law enforcement and use data gathering to catch and prosecute DDOS-ers.
> Enable private consultants and companies to provide this as a service.
If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability (the files are saved in multiple AZs in the same region - Glacier IIRC copy files on different regions to avoid data loss in case of physical disaster).
One of the reasons for choosing AWS is because AMZ has deep pockets and has the means (financial and technical) to fight against large DDoS attacks, while a smaller provider might not have to do that. Putting clients in a position to have to buy that sort of protection doesn't sound very smart to me.
Availability is the % of times you try to access your data that you get it back. So 52.5 minutes of downtime a year is still within SLA.
Durability is the % of your data that doesn't die. Eleven 9s means that if you store 1TB on AWS S3 you can expect to lose 10 bytes and still be within SLA.
For those wondering .000000001% per what? The answer apparently is per object year.
i.e. you could expect to lose 10 bytes of your 1TB every year if you stored it as a trillion one-byte objects, but if you stored it as a single object you could expect to lose the whole thing once every hundred billion years, but none of it the rest of the time.
Is that true? How can they possibly measure a probability event so small? If every human in the world was their customer, then .05 humans would lose their data?
I don't know much about actuarial math but I think this number is for insurance policies more than anything else. It could be based on something like the rate of hardware failures they experience now amortized over a long period and many customers, and then adjusted to account for redundancy.
As a very simplified example, imagine they are expecting to lose 2 servers every day, this percentage might be the probability of those two servers storing the same exact object (and thus, losing it irretrievably).
It doesn't mean that either. It's just an SLA. Could have been a number pulled out of the air. Likely loss in real life would be granular at the object level.
I hear this misunderstanding a lot as well, generally in relation to AWS S3 SLAs. 11 9's of "uptime" would mean service could be down for 3 milliseconds a year. 4 9s is very respectable.
I don't understand how people who use AWS have such unrealistic expectations.
Someone will always have the upper hand in an arms race, and it's not service providers yet. It's just a matter of finding the choke point between their transit and your code.
>I don't understand how people who use AWS have such unrealistic expectations.
Well, the whole point of AWS is not having to deal with the usual hosting stuff. They'll naturally have lots of customers with high expectations and very little understanding of how things work in the background.
When you are DDOSed they will keep supplying the resources for you to consume and pay them extra. Cloud is commodity so don't expect to be treated like a special snowflake. Your distress is their opportunity to make extra money.
Offtopic but relevant. One of my customers moved their email to O365 without understanding the differences from being on-prem. Now they are struggling to adapt their business processes to the limitations MS imposes.
> My website is on Blogger, Google Sites, or Google App Engine. Am I eligible?
> As Google products, these sites already have similar DDoS protection to Project Shield. Your website would not need to be set up with Project Shield.
Wonder if that answer includes Compute Engine. Doubt it.
It would be interesting to try using App Engine to simply proxy traffic. I don't know enough about it to even know if it's technically feasible. I imagine the downsides would be many but it could be useful as a temporary measure while you're getting attacked.
You can't just build a "suite of tools" and give them to a customer to fight a DDOS. The way DDOS is mitigated is by making routing changes at the network edge. This is not something you want a customer to be able to do for obvious reasons. And these in themselves are sometimes not enough and DDOS mitigation will require coordinating with transit providers, again not something you would want put in a customer console.
Yup until this morning, AWS was using Dyn as the sole provider of nameservers for the us-east-1 zone. So this attack did have a pretty substantial impact on some AWS services until they updated us-east-1 to use the more diverse set of nameservers their other datacenters use.
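The single-provider delegation described above is easy to check for your own zones. The following is an added example (not code from the thread, from AWS or from Dyn) that runs offline on constructed NS record sets; in practice you would feed it the output of `dig NS <zone>`. The provider grouping is a heuristic based on the registered domain of each nameserver hostname, and the sample hostnames, zone labels and the small suffix table are assumptions.

```python
"""
Check whether a DNS zone's delegation depends on a single nameserver provider.

Added example, not code from the original thread or from AWS/Dyn. Works
offline on constructed NS record sets. Heuristic: one NS vendor usually
serves its nameservers under one or two registered domains, so group by
registered domain. Route 53 numbers its domains (awsdns-NN.<tld>), so those
collapse to a single provider key.
"""
from collections import defaultdict

# Constructed sample NS RRsets (illustrative hostnames, not real zone data).
SINGLE_PROVIDER_ZONE = [
    "ns1.p01.dynect.net.",
    "ns2.p01.dynect.net.",
    "ns3.p01.dynect.net.",
    "ns4.p01.dynect.net.",
]

DIVERSE_ZONE = [
    "ns1.p01.dynect.net.",
    "ns2.p01.dynect.net.",
    "ns-100.awsdns-12.org.",
    "ns-200.awsdns-25.co.uk.",
]

# Minimal multi-label public suffixes for the heuristic (assumption; a real
# tool should consult the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(hostname: str) -> str:
    """'ns1.p01.dynect.net.' -> 'dynect.net'; 'ns-200.awsdns-25.co.uk.' -> 'awsdns-25.co.uk'."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def provider_groups(ns_hosts):
    """Group nameserver hostnames by inferred provider."""
    groups = defaultdict(list)
    for host in ns_hosts:
        dom = registered_domain(host)
        key = "awsdns" if dom.startswith("awsdns-") else dom
        groups[key].append(host)
    return dict(groups)


def single_point_of_failure(ns_hosts) -> bool:
    """True when every authoritative nameserver belongs to one provider."""
    return len(provider_groups(ns_hosts)) < 2


def report(zone: str, ns_hosts) -> str:
    """Human-readable summary of the delegation's provider diversity."""
    groups = provider_groups(ns_hosts)
    verdict = "SINGLE PROVIDER" if single_point_of_failure(ns_hosts) else "diverse"
    lines = [f"{zone}: {len(ns_hosts)} NS records, {len(groups)} provider(s) -> {verdict}"]
    for provider, hosts in sorted(groups.items()):
        lines.append(f"  {provider}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("example-zone-a", SINGLE_PROVIDER_ZONE))
    print(report("example-zone-b", DIVERSE_ZONE))
```

Two providers is the minimum that protects against the failure mode in the comment; the check says nothing about whether the zone data on both providers is actually kept in sync, which is the operational cost of a diverse delegation.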
so it will be eventually Cloud VS DDoS eh, both can scale indefinitely so the limit is money, which makes the DDoS guys win, they practically stole CPU/RAM/NET where cloud providers need to buy hardware as usual
Unless we can somehow secure every net-connected device, ha (I don't know whether to cry or laugh right now)
DDOS usually occurs via a botnet of infected networked devices. Thus, the attacker is getting their resources for "free" since their host is unknowingly wasting CPU and bandwidth during the attack, while the defender is paying for theirs.
You're correct, it's centralisation, at least for the whole community.
It decentralises that one company's DNS -- instead of having one or two DNS servers, perhaps at two sites, they now have 20, at 20 sites. If someone wants to target them, they're probably better protected.
But it's the same 20 servers as a million other companies, so the chance of those servers being a target is much greater.
The cloud can be more decentralized but it's more expensive. Done properly, having redundancy across multiple clouds (AWS, Rackspace, Google, Azure) in geographically different areas with different internet service providers, it can be done in a very distributed, decentralized fashion; just no one actually does that. Instead they throw everything on one provider and pray it is backed up and secured by that cloud provider better than the IT guy down the hall they just laid off.
This is one of the many reasons AWS and cloud computing in general are way overrated.
I know of a company that pays an AWS bill sufficient to buy the equivalent of their pre-cloud datacenter's hardware every 1.5 months. The extra staff required to perform hardware maintenance would also cost about 2 months' worth of AWS each year (that means they're paying ~3x more than they would with hardware). Yet they moved to the cloud because it's the hip thing to do.
Cloud has upsides and things that are useful, especially for smaller proprietors who can take advantage of cheap droplets from DigitalOcean et al, but for grown-up companies, moving off your hardware shouldn't be automatic.
I think in some cases it might simply be the means to dump 1) people/groups that just don't have a large scale mindset and 2) bypass business processes that are absolutely not designed for large scale systems.
In that scenario you have a bunch of entrenched groups fighting about capex, capacity planning and budget all to get barely enough hardware to account for what you're doing in the next 3-12 months. Instead of taking a step back and creating a long term simple process for regular growth and replacement they get caught in the weeds because they have very old school mindsets.
Then you have your old school finance groups who are using terrifyingly delicate and complex interconnected spreadsheets to manage hardware expenditures and depreciation while maintaining old school draconian policies concerning CapEx budgets but allowing you to basically go nuts with OpEx.
You could try to change the culture in these entrenched groups who will view your attempts to make things better as political moves against them or you could just say "we're moving everything into the cloud" and make a complete end run around all of the people and baggage. The former is probably the "right" thing to do but the latter is going to let you focus on your product letting you get you back to being competitive.
There's also the difference between cabled systems, in which multiple elements can independently support load, and chained systems, in which any given link can fail.
The BBC was affected by the Dyn outage not because they themselves relied on Dyn, but because components of their site did.
I fully agree with you about the paradox of how, in the intent to de-centralize we centralize into cloud VPSes and managed services.
The real reason for the move is that same showtune that we keep hearing in our heads and wish we could tune it out: it's cheaper to move from physical infrastructure to the cloud. It's cheaper to skimp on security by not updating IoT devices. It's cheaper to skimp on security because features need to come first. It's cheaper to outsource operational management to parties with less expertise in places that pay less. To spend less time securing infrastructure perimeters because it costs money.
We feel almost as if we feel comfort hiding behind heavyweights like Google and Amazon will protect us from the bad elements of the world, where we hear about major breaches every few weeks (eg., Yahoo being the most recent). Will this strategy pan out long-term?
With this DDOS, articles about machine learning picking up better password-cracking/guessing algorithms by having previously analyzed large volumes of passwords, major breaches in the financial world, talk of state-sponsored attacks (a la DNC emails) it certainly FEELS like the Internet has gotten a little bit more wild.
AWS was hit today, we saw a spike in failures. Got hold of one of the AWS guys and they basically noticed that the issue they saw in the US earlier in the day happened again in EU west. Funnily enough they probably could have avoided it if they'd deployed their mitigation to the other zones.
I'm pretty sure DDoS against HTTP resources has become quite hard to pull off, which is why there was a string of attempts to blackmail smaller email providers but nothing like it happens to similar startups relying on the web. Even the Linode attacks are only possible because they're highly targeted at a few critical systems there.
Well one upside of not being a Unicorn is that doubling the infrastructure/hosting costs for a project that's at a "cup of coffee a day" or a "dinner and a movie a month" budget isn't a showstopper. Doubling Twitter's infrastructure costs would not be good...
We seem to be needing more concerted action on what is a consumer minimum standard for an internet connected device.
Consumer devices have to be more secure because of the low user skill level - and interest.
I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of upgradability and security for devices we will just keep handing over our devices to the first person to scan them.
Or you need to make it easier for the 'black hole' solution to be pushed further and further back to the sources of the bad traffic.
A remote site shouldn't be able to get you banned from the Internet (by itself); but it MUST be able to say, "This host is being abusive, restrain them from sending me data". ISPs SHOULD use that information to evaluate if a host from their network might be compromised or otherwise a negative player. ISPs SHOULD also take steps to inform, and link to educational resources, customers which are being bad citizens of the Internet. ISPs SHOULD also be financially motivated (punishments to them) for allowing too many uncivil customers online; this might take the form of instead banning that ISP from the Internet as a whole.
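The per-device usage dashboard and the "this host is being abusive" signal proposed in the comments above can be approximated from the outbound flow records a home router or ISP CPE already sees. The following is an added example, not code from the thread or from any router vendor: it runs offline on constructed one-hour flow records for three LAN devices and applies three checks (hourly volume, destination fan-out, and single-packet flows concentrated on one destination, the shape of a SYN flood). The addresses and thresholds are assumptions; the interesting outcome is that the bot trips the behavioural checks while staying far below any volume a bandwidth bill would reveal.

```python
"""
Flag LAN devices whose outbound flows look like DDoS bot traffic.

Added example, not code from the original thread. Runs offline on
constructed flow records (one hour of traffic). Thresholds are illustrative
assumptions, not values from the thread or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN device address
    dst: str        # remote host
    dst_port: int
    packets: int
    bytes: int


# Constructed sample hour: laptop and printer behave, camera does not.
FLOWS = [
    Flow("192.168.1.10", "93.184.216.34", 443, 420, 310_000),
    Flow("192.168.1.10", "151.101.1.69", 443, 1_200, 2_400_000),
    Flow("192.168.1.20", "17.253.144.10", 443, 6, 900),
]
# camera: thousands of single-packet flows at one victim port (flood) ...
FLOWS += [Flow("192.168.1.30", "203.0.113.7", 80, 1, 60) for _ in range(5_000)]
# ... plus probes to many distinct hosts on telnet (scanning for recruits)
FLOWS += [Flow("192.168.1.30", f"198.51.100.{i}", 23, 1, 60) for i in range(1, 201)]

# Illustrative thresholds (assumptions).
MAX_BYTES_PER_HOUR = 10 * 1024 * 1024          # 10 MiB/h: a volume-only check
MAX_UNIQUE_DST = 100                            # fan-out typical of scanning
MAX_SINGLE_PACKET_FLOWS_TO_ONE_DST = 1_000      # SYN-flood signature


def summarize(flows):
    """Per-device dashboard: total bytes, unique destinations, and the
    largest number of single-packet flows aimed at one dst:port."""
    per_host = defaultdict(lambda: {"bytes": 0, "dsts": set(), "one_pkt": defaultdict(int)})
    for f in flows:
        h = per_host[f.src]
        h["bytes"] += f.bytes
        h["dsts"].add(f.dst)
        if f.packets == 1:
            h["one_pkt"][(f.dst, f.dst_port)] += 1
    return {
        src: {
            "bytes": h["bytes"],
            "unique_dst": len(h["dsts"]),
            "max_single_packet_to_one_dst": max(h["one_pkt"].values(), default=0),
        }
        for src, h in per_host.items()
    }


def abusive_hosts(flows):
    """Return {device: [reasons]} for every device tripping a check."""
    verdicts = {}
    for src, s in summarize(flows).items():
        reasons = []
        if s["bytes"] > MAX_BYTES_PER_HOUR:
            reasons.append(f"volume {s['bytes']} B/h")
        if s["unique_dst"] > MAX_UNIQUE_DST:
            reasons.append(f"fan-out to {s['unique_dst']} hosts")
        if s["max_single_packet_to_one_dst"] > MAX_SINGLE_PACKET_FLOWS_TO_ONE_DST:
            reasons.append(f"{s['max_single_packet_to_one_dst']} single-packet flows to one dst:port")
        if reasons:
            verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, s in sorted(summarize(FLOWS).items()):
        print(f"{src}: {s['bytes']:>9} B  {s['unique_dst']:>4} dsts  "
              f"{s['max_single_packet_to_one_dst']:>5} one-pkt flows to one dst")
    for src, reasons in abusive_hosts(FLOWS).items():
        print(f"ABUSIVE {src}: " + "; ".join(reasons))
```

In this sample the camera sends about 300 KB in the hour, two orders of magnitude under the volume threshold, which is the "death by a thousand paper cuts" point made earlier in the thread: metering alone would never surface it, but fan-out and flood shape do.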
So, as your ISP, I'm going to be held responsible for the actions of you, my customer/user?
Okay, if I'm going to be liable, financially or otherwise, well, then we're gonna have to make some changes around here.
First off, I'm going to have to heavily filter and restrict what traffic you can send out to the Internet. What isn't filtered or restricted is going to have to be inspected, logged, and retained for a period of time.
Next, because I can't be certain that you're RFC3514 compliant and that at least some of the bits you're sending aren't malicious, I'm going to have to prevent you from sending out any encrypted traffic. Instead of allowing you to use any DNS servers you want, you're going to have to use mine (DNS is heavily abused for DDoS attacks). Outgoing e-mail will be automatically redirected to my internal smart host (STARTTLS will be blocked, by the way) and I'm gonna have to log, read, and retain it all. HTTP traffic will be transparently proxied and all requests and responses will be logged and retained.
That's just the beginning. Are you sure this is what you prefer as your "solution"?
As a network operator, I believe that your ISP should be nothing more than a dumb pipe and allow the bits that you send to pass through freely. As an ISP customer, that's how I want my ISP to act. (If something gets reported or I "notice" you for some reason then, sure, I'll look into it. Otherwise, I try to fuck with my customer's traffic as little as possible.)
I'll agree that there is certainly a problem, but it is not because of ISPs.
> this might take the form of instead banning that ISP from the Internet as a whole.
I agree with some of your points, but fracturing the internet is not a viable option. It might make sense if it were a healthy, competitive market instead of the near monopolies that exist today. Imagine banning Comcast, or AT&T.
It's controversial, but I kind of agree. You need FCC approval to broadcast a radio signal due to the risk of interfering with other traffic, and you should have FCC approval that your IOT device meets minimum security standards before being sold.
Why rely on end devices? The infrastructure itself should be designed so that it cannot be broken that easily. Maybe we should return to metered connections, maybe we should implement a protocol to control routing.
The Internet has grown without proper planning using a lot of "quick and dirty" hacks (for example NATs, peering agreements) and today we just see the result. It reminds me of poorly designed email protocols that resulted in spam being the biggest part of email traffic.
I'd say [i]the Internet has grown using a lot of "quick and dirty" hacks [/i]
If the internet should have waited until all use cases were created, it wouldn't exist. Its power was exactly that people could think about how to create things on top of what was available. Many RFCs came afterwards.
The standards don't need to be raised much. Banning the sale of internet-connected devices with non-random default passwords doesn't seem too intrusive for the benefits it will bring.
It's fashionable to blame Russia these days, but what country manufactures the most IoT devices, and has the type of government that could mandate backdoor access?
I think what the OP is implying is that these static admin passwords were put as a deniable backdoor. If it was a Chinese gov scheme it is quite clever as a real backdoor would have been obvious, while this just looks like total incompetence.
This makes no sense. Everyone knows what the default passwords are. And all sorts of products not made in China have default passwords. And, some of the products implicated in these attacks aren't Chinese. I think the OP is grasping at straws.
I was thinking of the hardcoded passwords in Xiongmai Tech components that were linked to the Krebs DDOS. Very much in line with the rumors about Huawei and ZTE a few years back, I don't think it's out of the realm of possibility. Hard to define a motive though.
It actually would be pretty clever given that once hacked you can close the door and keep out other hackers. Step 1. Make a device with a wide open door. Step 2. Hack all these devices and close the door. You get easy deniability and a massive botnet.
Having said this I suspect that this is not what has happened and it is most likely just a case of complete incompetence.
> It is too early to determine who was behind Friday’s attacks, but it is this type of DDoS attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.
> Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so.
I had no idea any states allowed voting online. I wonder if the general population will ever get access to that.
If they're absentee ballots, they're not counted until several weeks later (unless the total number of absentee ballots is larger than the margin for any candidate or ballot measure).
This seems so out of the blue; the last attack was targeting Krebs for exposing extortionists. Who is being attacked this time and why?
There is a lot of talk of iot botnets but little to no evidence. This seems too vague and up in the air.
If all it takes is script kiddies and random extortionists to generate such large 1 Tbps scale attacks then we appear to be reliant on an unbelievably fragile base.
There is a growing realization of the need for more decentralization of services, but these kinds of attacks are going to drive more centralization if only Google-scale companies can manage to stay up. I think this is drop-everything-and-fix time for the IT profession.
If their claim is true, does anyone think it will turn many sympathizers against them? I don't think attacking normal businesses is a good thing to do.
So. Can we start talking about changing internet protocols to strengthen the integrity of internet network services against DoS attack?
Currently, the internet is very very open (as long as you don't live in certain countries). A baby monitor in Kansas can send arbitrary traffic to a router connecting a major financial services company in Hong Kong to an internet backbone. The idea, in a very hippy, world peace kinda way, is nice. But... probably not something we need to happen, much less should want to happen or allow, if good sense prevailed.
We have hacks in place that can prevent that particular situation from becoming too much trouble, but if you have enough baby monitors, something somewhere is going to choke. And really this is the point to me: you [as the network service provider] should not have to have carrier-grade infrastructure to avoid this scenario. If Casey Brogrammer wants to prop up a start-up on her DSL line (do people still have DSL?) she should be able to without fear of DoS. How do we do that?
I have no idea. But I'm betting it would require some rearchitecting of the internet and heavily modified protocols. Personally, I think the global BGP tables are gross (and, let's face it people, depending on RAM to perpetually increase in size while simultaneously decreasing in cost ad infinitum is not a realistic scaling mechanism), I think the many flaws in modern TCP/IP protocols are not designed with specific enough use cases in mind, and that the generalist design of the modern Internet has become more of a hindrance to efficiency and progress than a benefit. There is absolutely no requirement that we keep engineering ourselves into a corner, and IPv6 sure as shit isn't going to solve it.
"And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected..."
Is that really confirmed or just the reporter writing gossip?
I just remember seeing this article on news.com circa 1995 that predicted the imminent demise of the Internet due to the commercialization of it. It worried that the net just couldn't handle all the traffic from all those 56k dialups hitting and getting email all at once.
So my comment was a bit on the ironic / goofy side.
I have no doubt we'll see the end of the global internet in the next couple decades, but it's going to take quite a few more of these before we get there.
Harold Martin held without bail (high risk of flight) accused of theft of 20 years worth of government (NSA) tools/data, Trump stating he will not concede the election, tens of millions of IoT devices used in DDOS attack, Assange (wikileaks originator) cut off from internet, DNC hacked and exposed.
I wonder why companies affected by these IoT-enabled DDoS attacks don't sue the companies building those devices, as they currently often choose security over convenience when it comes to securing them. If you can forensically prove that a large fraction of the attack was carried out using a given type of device it should be possible to hold the manufacturer liable for the damage, at least if no reasonable measures were taken to secure it (using blank or default passwords on the device could count as gross negligence).
I even kind of wish that somebody would do this, as it would finally provide a strong incentive for the manufacturers to think about security.
Kind of makes me wonder - why let up? Can it be mitigated at all? Wouldn't they have done so by now? Be interesting if they just kept piling it on until they've got the whole internet on its knees.
One of the Krebs articles mentioned an idea of a certification (similar to UL) which could be on products like DVRs and web cams. You can't ever certify something as completely secure of course, but the certification could indicate "firmware updatable", "no hard-coded default passwords" and "where there are passwords they are generated randomly and unique to each specific product" (not family of products). Maybe even "consumer can change all passwords to new randomly generated values". I can't say that all or even many consumers will care, but if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised, maybe a good number of consumers would start to look for that certification when they buy. Which is important because, let's face it, if insecure products don't actually impact sales then a lot of companies aren't going to care at all. You can try to punish bad behavior after the fact, but only if their government cooperates and even then I think many times they'd just fold up shop under one name and open again under another. You really have to address it at the point of purchase to affect company behavior IMO.
"if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised" - I remember Comcast doing something like that back in 2008ish.
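The ISP-side check described in the comments above, as an added example that is not from the thread: a sketch of how an access provider could pick out home devices whose outbound traffic looks like flood participation, run over constructed NetFlow-style records. The thresholds and addresses are assumptions for illustration.

```python
# Added example, not from the thread: an ISP-side sketch of the "suspicious
# traffic from your home network" check, run over constructed flow records
# (NetFlow-style summaries, one line per source/destination pair).
from collections import defaultdict

# Constructed 60-second export window. Fields: epoch, src_ip, dst_ip, dst_port, packets, bytes.
# 10.1.1.20 sprays tiny packets at several DNS servers (a bot-like pattern);
# 10.1.1.21 looks like a video call; 10.1.1.22 is idle web browsing.
SAMPLE_FLOWS = """\
1477000000 10.1.1.20 192.0.2.53 53 38000 2660000
1477000000 10.1.1.20 192.0.2.54 53 36500 2555000
1477000000 10.1.1.20 198.51.100.9 53 41000 2870000
1477000000 10.1.1.21 203.0.113.7 443 820 1130000
1477000000 10.1.1.21 203.0.113.8 443 640 410000
1477000000 10.1.1.22 198.51.100.40 80 12 9000
"""

def parse_flows(text):
    """Turn the whitespace-separated export into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def aggregate(flows, window_seconds):
    """Per-source totals: packet rate, mean packet size, distinct destinations and ports."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set(), "ports": set()})
    for f in flows:
        s = stats[f["src"]]
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["dsts"].add(f["dst"])
        s["ports"].add(f["port"])
    result = {}
    for src, s in stats.items():
        result[src] = {
            "pps": s["packets"] / window_seconds,
            "bytes_per_pkt": s["bytes"] / s["packets"],
            "distinct_dsts": len(s["dsts"]),
            "ports": sorted(s["ports"]),
        }
    return result

def flag_suspects(aggregates, pps_threshold=500, max_bytes_per_pkt=120):
    """A home device sending a sustained high rate of tiny packets is far more
    likely to be a flood participant than a legitimate upload, which is
    dominated by large packets. Thresholds are illustrative assumptions."""
    return {src: s for src, s in aggregates.items()
            if s["pps"] >= pps_threshold and s["bytes_per_pkt"] <= max_bytes_per_pkt}

if __name__ == "__main__":
    for src, s in flag_suspects(aggregate(parse_flows(SAMPLE_FLOWS), 60)).items():
        print(f"notify subscriber for {src}: {s['pps']:.0f} pkt/s, "
              f"{s['bytes_per_pkt']:.0f} B/pkt to {s['distinct_dsts']} hosts on ports {s['ports']}")
```

In practice the notice would go to the subscriber, not be acted on automatically, since a single window can also catch a speed test or a game update.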
Worth noting that even for stories such as these (new media, tech heavy), coverage by traditional media ends up on the home page of HN. Beyond this observation, it seems that this election cycle brought home the importance of journalism for many people.
I don't think so. Modern botnets are mostly made of devices that are operating 24/7 already, such as compromised IP cameras, set top boxes, SOHO routers, IoT devices, etc.
The energy spent for TCP/IP stack usage is negligible at best, even when pushing those embedded CPUs to 100%.
Power consumption fluctuations need to be up in the billions of watts before power companies generally care and must do something about it. Wifi routers are limited to 1W output power, so you'd need a lot more than just the hundreds of millions of wifi routers bleating out TCP packets at the top of their lungs to take down the power grid.
Also, what the power companies really care about are changes in consumption; once they've adjusted the grid parameters to compensate for an increase in power consumption, they're happy until the consumption drops off. Using wifi or any internet traffic to destabilize the grid is just not going to work because there just isn't enough raw drain available, even if the attackers could get their timing absolutely flawlessly perfect so every wifi model popped on at once.
Hm, in my experience the difference between idle and 100% CPU usage on a modern ARM processor (e.g. Allwinner H3) is around 1 Watt. That's more or less what an LCD monitor in standby draws.
I wouldn't call that significant (as in, impacting the global energy consumption significantly) even if thousands of devices started the attack at the same time.
Would you call that detectable? Especially en masse. Perhaps a smart grid could detect these attacks in some way and dynamically adjust power to compromised devices?
I wouldn't. The signal to noise ratio very likely just isn't there.
Remember, people regularly operate toaster ovens, microwaves, hairdryers, etc. on a fluctuating basis, and THOSE tend to consume more like 1200+ Watts for a /single/ device.
There is still real cost to moving those unsolicited bits at the target though. At the receiving end a server that has all cores operating at capacity has a higher power consumption than a server that is somewhat idle - lower P states or even a C state. Power consumption is fairly dynamic in a datacenter chassis with Xeons. In addition there is an increased cost of cooling this increased heat dissipation as well.
Yet another thing to show us that IoT is a can of worms. Yes, the technology is very helpful, but from a security perspective, are we ready for it yet? Why not make existing CCTV cameras and nanny monitors more secure before having IoT?
Are there any downloadable DNS lookup tables which could be used as hosts.txt or /etc/hosts in case of emergency?
I know that DNS is organized in root zones with hierarchical subqueries. A global hosts file which contains the whole IP space is sort of unfeasible because domain names change within seconds.
However, in the face of the current attacks the DNS maintainers should seriously consider offering downloadable hosts files so that we could use them temporarily to circumvent DNS queries in case of further attacks.
Would longer, say, week long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time. Here's an article that I think could be useful:
https://medium.com/@brianarmstrong/youre-probably-doing-dns-...
This particular attack will likely eventually be mitigated (hours? days?). But it seems there is nothing preventing similar attacks from starting at any time, and being less possible to prevent each time.
Personally, I fear we are closer to global-scale, machine-learning-based attacks that find vulnerabilities, exploit them, and change patterns on the fly. We may not have a stable internet any more.
Am I blindly fearmongering? I hope not. But these are new waters. Insecure IoT is growing every hour and there's no clear path to stop it from being exploited more and more.
Based on what international laws? The source is likely in a country that doesn't play nice with our law enforcement and extradition requests. So what are you advocating?
Cut their internet access. Take down their power grid.
If you're being attacked, I'm not sure what international law has to do with it. A country has the right to defend itself -- it doesn't require the UN to grant 'permission.' If you are in the midst of being attacked, waiting for the UN or some other dysfunctional body to 'approve' would be like asking the teacher for permission to defend yourself while you're getting your face pounded in. Countries are sovereign. They shouldn't need permission to defend themselves when they are under an immediate threat.
Your Netflix stopped working. You're talking about going to war.
> If you're being attacked, I'm not sure what international law has to do with it.
That's incredibly naive. Trumpian almost. Even in the midst of real war (you know, when people are dying, not sitting on the couch unable to place a Prime order), we follow international law. Because we want everyone else to as well.
Except other adversarial technology domains like encryption or spamming where defensive technologies are extremely good when used and 'finding the attackers and taking them out' is ridiculously impractical.
Sure they could, it's called disconnecting your internet connection, unless you are arguing for every ISP to implement some sort of proxy, which itself would be mid-point infrastructure.
Would longer, say, week long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time?
Given national security interests, we need new laws: 1. IOT devices should not ship with default passwords. 2. Internet infrastructure companies should not be allowed to get "too big to fail".
As far as (2) goes, they actually need to be too big to fail. Otherwise, it's plainly impossible for internet infrastructure companies to be able to financially weather DDoS attacks like this. These sorts of attacks are very expensive to mitigate, and part of the way we can do that is to centralize under services like AWS and collectively pay for DDoS protection (short of the government doing so and separating our network from those of major malicious foreign actors).
WL's Twitter has claimed it was WL supporters. Although no one can really confirm what's going on with them since the Ecuadorian embassy events the other day.
I wonder if the embeds break when a tweet gets deleted. That was always one of my biggest concerns when using them: that someone else can change / break your article in the future.
The embeds resolve to plaintext when a tweet is deleted. In fact, the standard embed code includes the Tweet text in plaintext, so that at least the content is preserved.
I agree. From what I understand, ipfs is designed to solve this problem (and several others). Maybe this will motivate the big actors to look into it seriously. Anybody disagree?
Boy am I glad you're not in charge of foreign relations, for the sake of nearly every country in the world.
"War? Whatever, so be it!". Right?
A complaint often surfaces from those that have actually lived through wars: How disconnected people are from war. Your country (I'm assuming) has been at war with various bits of the middle east for over a decade and you are not suffering the consequences. It's all remote for you. It's all drones, or "those men and women giving their life for our country gosh jolly gee we are so proud of them, so much respect".
It's not you, it's not your life, not your family's life, not your friends, your city, your streets being bombed, civilians being shot in the streets - none of that is what you've been through. The US has been exporting death, bringing none of it back home.
A warmongering country that is completely disconnected from the consequences; this is what leads to the "potentially nuclear war? pah, so be it, my internet is down anyway" attitude.
You're making a lot of assumptions about me. I am an immigrant from a country that has suffered very severely from war.
The point is not to let these guys do whatever they want. Go into Ukraine, kill UN volunteers in Syria. Let them become emboldened by different types of attacks and tomorrow we will have the type of war you're talking about.
Handle these problems now that they are small.
Edit: I wanted to add that it is very often the ones who have seen what terrible tragedies happen when you let terrible people like Putin do what they want that are the biggest "warmongers". It is why you see the Israelis become so eager to defend themselves because they have seen what will happen if you don't take care of bad people like Putin when they are small.
Well, yes, I'm making assumptions and I even highlighted them. Now if you tell me you've seen in person what war does to people and you're calling for round 2 with two superpowers, I don't believe you.
If, on the other hand, you're saying that the Russia situation needs to be solved sooner rather than later, you'll have a hard time finding somebody who disagrees but that shouldn't come at the cost of the entire planet. That's just nihilism.
A few things, I am not attacking your position against war. I am saying that Russia needs to be dealt with and it needs to happen sooner rather than later.
I am not advocating for war but I am saying that when dealing with things like this you have to prepare for the worst. There is one superpower here not two. You cannot let them do what they want and there has been real innocent bloodshed already because of Putin's actions and positions.
I think we are closer in our line of thinking than it seems. I have a family and I would never advocate to end life on this planet. I am zealous about letting someone like Putin go with zero punishment because history has shown us time and time again where that will take us.
Like I said, you won't find anyone who disagrees (not here anyway), but you gotta know people are arguing with you because you are, in fact, in your other posts, advocating for war - even if you didn't intend to.
Really? Right after he hit Poland? That would have been the smartest move the world could have done and you would have had much less bloodshed than you did. You would have prevented the holocaust prevented the destruction of most of Europe.
This is so much easier to say if you're not a historian. "What if" scenarios are invaluable. You might as well say we should have killed him. Easier said than done!
The U.S. has changed the rules of engagement to state that any cyber attack can be met with real military counterattack.
If the Russians are behind it, after being emboldened by Ukraine and Syria, the United States has to respond. I'm not saying all out war but I am saying we have to show the Russians that this affects everything we are about. It affects our businesses, our elections, and our way of life.
I am saying there should be military action and if that leads to war then so be it, everyone will think twice about this sort of thing again and we will all be safer because of it.
> I am saying there should be military action and if that leads to war then so be it
I don't think that war with any nation, much less Russia, should ever be such a casual consideration. Measured in human suffering, military conflict is inestimably more awful than brief internet downtime.
Of course I agree with you but it's not about the internet downtime.
It's about messing with our elections, it's about the invasions. You let it all go on long enough and you will have much bigger problems in a few years' time.
Your point is completely accurate and critical to follow up on in a considered way. In the real world anyway.
But unfortunately, since Thiel has invited HN to go full /pol/ the answer you're gonna get is that it's a 400lb guy on a couch saving us from the devil.
I disagree. A cyberattack that were a short/medium-term risk to lives being the exception to this. But a cyberattack that plausibly affects at most the economy (and a fraction of it at best), if it be so proved, should be responded to in a way that affects an economy or the like. The world, as it is, already has enough human lives being ended each day or put at risk for what are often tenuous reasons at best.
> everyone will think twice about this sort of thing again and we will all be safer because of it.
Sure. Respond to a cyber attack on infra by starting a physical war that will permanently remove all infrastructure. It's the equivalent of burning down your building because a neighbor cut your cable.
War should always be a last resort - only when all other options are exhausted. Especially nuclear war.
That's a great way into a nuclear holocaust, and I appreciate it. I always wanted to test my prepper skills, although I have to admit that I'm not really a prepper, more like a guy who makes fun of them, and don't even own a Geiger counter (because the good ones are fucking expensive).
I think the main problem is that the Internet is decentralized. As it has no single owner, nobody is responsible for mitigating the attacks and no one wants to pay for developing and implementing new protocols or installing new hardware.
https://www.schneier.com/blog/archives/2016/10/security_econ... ("Security Economics of the Internet of Things")