
Today's Brutal DDoS Attack Is the Beginning of a Bleak Future - RyanMcGreal
http://gizmodo.com/todays-brutal-ddos-attack-is-the-beginning-of-a-bleak-f-1788071976
======
Animats
Dyn, Inc. is toast. They created a central point of failure for the Internet.
Major sites will stop using their services within hours.

Things need to get more distributed. Don't load jQuery from some central site.
Don't load fonts from Google. Make sure your site will work if all the
trackers and ad sites are not responding. Use multiple independent DNS
providers.

It's also time for serious litigation. Find some vulnerable IoT device being
used for the attack, and sue the retailer, distributor, and manufacturer for
negligence. Junk IoT manufacturers need to feel fear.

~~~
stcredzero
_Junk IoT manufacturers need to feel fear._

We've reached the point where any clueless business type who pooh-poohs and
wishes away security concerns needs to get the idiot bit flipped on them.
Today's networked computing environment has reached the point where this
stuff is _toxic._ It might have been okay for a few isolated frontier weirdos
to play with mercury to extract gold, but then when that became a full blown
industry, it resulted in toxic consequences we are still dealing with over 150
years later. Maker hipsters playing with a few hardware hacks did little harm.
Now that IoT is becoming household, the situation has changed in an analogous
way.

~~~
Florin_Andrei
Selling insecure devices (be that IoT, wifi routers, etc) is almost like
aiding and abetting, in the context of DoS attacks.

~~~
Kunix
If they had to recall all vulnerable devices I am sure they would take
security a lot more seriously.

------
cheald
DDOS attacks are nothing new. The scale has increased over time, but DOS has
been a constant issue for as long as people have been mad on the internet.

This attack is notable because it exposes a single point of failure for a lot
of popular sites. The long-term fix is to distribute that SPOF so it's not so
tight a bottleneck. This is as easy as specifying nameservers from multiple
providers, or as complex as a distributed DNS system such as namecoin.

The internet is a giant cascade of constant failures, and developing for it is
an exercise in planning for failure. This isn't new - if it appears new, it's
just that most engineers have done their jobs well. What will happen out of
this is that the people trusting all their DNS traffic to Dyn will start
trusting only half of it to Dyn, and the next time Dyn is knocked out, the
people who have diversified against that contingency won't be practically
affected.
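
Added example, not part of cheald's comment or the original thread: a Python check for the single-provider DNS failure mode described above, which groups each zone's NS records by provider and flags zones delegated to only one. The zone and nameserver names are constructed placeholders, and treating the last two hostname labels as the provider is a heuristic assumption (it misjudges vanity nameservers and suffixes such as co.uk).

```python
from collections import defaultdict

# Constructed sample input in `dig +noall +answer NS <zone>` layout.
# Zone and nameserver names are made-up placeholders, not real delegations.
SAMPLE_ANSWERS = """\
;; ANSWER SECTION:
shop.example.      86400 IN NS ns1.dnshost-a.example.
shop.example.      86400 IN NS ns2.dnshost-a.example.
shop.example.      86400 IN NS NS3.DNSHOST-A.example.
blog.example.      86400 IN NS ns1.dnshost-a.example.
blog.example.      86400 IN NS ns2.dnshost-a.example.
blog.example.      86400 IN NS pdns1.dnshost-b.example.
blog.example.      86400 IN NS pdns2.dnshost-b.example.
"""

def provider_of(nameserver, labels=2):
    """Heuristic (assumption): the last `labels` labels identify the provider."""
    parts = nameserver.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def parse_ns_answers(text):
    """Return {zone: set of nameserver hostnames} from dig-style answer lines."""
    zones = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL class type rdata; skip anything else.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, rclass, rtype, target = fields
        if rclass.upper() == "IN" and rtype.upper() == "NS":
            zones[owner.rstrip(".").lower()].add(target.rstrip(".").lower())
    return zones

def audit(text):
    """Map each zone to its providers and flag single-provider delegations."""
    report = {}
    for zone, servers in parse_ns_answers(text).items():
        providers = defaultdict(list)
        for ns in sorted(servers):
            providers[provider_of(ns)].append(ns)
        report[zone] = {"providers": dict(providers), "single_provider": len(providers) < 2}
    return report

if __name__ == "__main__":
    for zone, result in sorted(audit(SAMPLE_ANSWERS).items()):
        status = "SINGLE PROVIDER" if result["single_provider"] else "diversified"
        print(f"{zone}: {status} -> {sorted(result['providers'])}")
```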

~~~
the_watcher
That the scale of DDoS's has increased is the entire thesis of the OP.

~~~
cheald
They've been increasing steadily for _decades_. Today almost certainly isn't
some new record-setting attack orders of magnitude beyond what's been seen
before - it isn't the herald of a new age of attacks and the "beginning of a
bleak future". Claiming such is just sensationalist garbage that belies a lack
of understanding of the way the internet works and the history of DDOSes in
general.

Spamhaus was historic in 2013 at 75GBPS. In 2014, Cloudflare mitigated a
400GBPS attack. The BBC attack earlier this year crested 600 GBPS. Last month,
OVH was hit with a 1TBPS attack. Each of those was mind-bogglingly large at
the time, and infrastructure has continued to evolve to deal with them. This
attack isn't anything particularly different - it's just notable because it's
visible, not because it _happened_.

~~~
Bartweiss
Have they been increasing _steadily_, though?

The 2013 attack was <1% of total internet traffic for its duration. The 2014
Cloudflare hit was ~2.5% of all traffic. BBC was ~3%, and OVH was ~4%.
(Interpolated from Cisco here:
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html) Most
predictions suggest that IoT attacks will grow faster than what we've already
seen, and a rough estimate suggests that DDoS capacity is growing faster than
legitimate capacity.

None of that means today was orders of magnitude higher - the shock factor was
that it exposed a structural weakness people hadn't accounted for. But I
expect this to become an increasingly significant problem as capacity
increases, and moreover as that capacity becomes available to more attackers.

~~~
cheald
I certainly expect it to become an increasingly-significant problem, as well.
I don't mean to downplay the significance of the attack. But the lesson here
isn't "welp, the bad guys have won, the internet is dead", it's "don't use one
DNS provider, go redundant on it just like you do on every other piece of the
stack". Yeah, it's annoying, but it's not an unsolvable problem.

The reporting on this has _really_ annoyed me because the writers writing
about it have pretty consistently said that GitHub, Twitter, PayPal, etc have
all been knocked offline, which is just untrue. They have unresolvable names -
resolve their names and they're working just fine. The fix is improved
resilience in name resolution, and it's not a terribly hard fix. Someone in
the other thread noted that PornHub is managing just fine despite using Dyn
DNS - because they also route half their DNS traffic to UltraDNS.

Attacks like this are certainly a big problem, and are going to become a
bigger problem, but IMO, the Chicken Little sky-is-falling hysteria is
unwarranted and unuseful.

~~~
Bartweiss
This is a great point, and I didn't mean to downplay it. As much as anything,
I was interested because you offered a time/size progression of attacks and I
saw a chance to study it against total traffic.

I've been _really_ selective with the reporting I checked, and so most
everything I've seen has been either BBC-bloodless ("these sites are
inaccessible, because a DDoS attack happened"), or TheRegister-sophisticated
(assumes the reader knows what DNS is). A quick look at what other people have
been running explains your general sentiment. This isn't the end of the world,
and running stories saying "IoT WILL KILL US ALL" isn't making anything
better.

So fair enough: I think this is a serious issue, and today's events revealed
that people haven't been properly prepared. But pitching it as something
totally unpredictable is downright dishonest.

------
rdl
It seems like some eyeball and distribution networks should get together and
run a private subset of the Internet, with good filtering (BCP38 style), etc.
internally. You could get pretty good coverage with just ~10 eyeball networks
in the US, a few cloud providers, and maybe some key infrastructure. Operate
normally most of the time, but when under attack, be able to fall back to just
vetted networks, transports, and routes, at least temporarily. Then have a
limited number of hardened gateways, the way NIPRnet does with the civilian
commercial Internet, which are used in intermediate-level attacks.

Opt-in, maybe have an association run it (like an IX, but without the
expensive dinners and dues and general activism which inflates IX budgets),
etc. This would do more for "critical infrastructure protection" than anything
DHS/NSA/FBI have ever done.

~~~
zitterbewegung
So, these DDOS attacks take advantage of IoT devices so how would you tell the
difference using vetting when they are on the same networks as regular users?

~~~
zzleeper
I would just ban the IPs for 24hrs if I detect an IP that is part of a DDoS.
After that people will wise up and unplug their nannycam/toaster/iotwhatever.

~~~
micaksica
You're assuming that people will know or be able to guess what is compromised.
Assuming multiple IOT devices, the average user won't have any clue, and will
think they just need to run antivirus on their Windows box.

~~~
rasz_pl
Who cares?

------
jetru
Why are Gizmodo articles even getting upvoted here? They are always
sensational and low information density.

~~~
Florin_Andrei
I thought it raises a few good points, even though it doesn't propose any
solutions. The current sorry state of IoT security is something worth thinking
about.

------
smnscu
Twitter and GitHub have been down for me for a while now.

~~~
Mizza
You can use this to find IPs for services that are currently out:
https://dns.google.com/query?name=github.com&type=A&dnssec=true

~~~
K2L8M11N2
TIL about dns.google.com. Seems to be pretty handy for doing quick lookups.
Thanks Mizza!

------
beamatronic
It occurred to me today that since certain sites have been down, it's forced
me to use other sites which are still up. As if someone is forcing all my
communication and activities to go through "approved" channels.

------
faragon
Just put DDoS attacks at the same level as terrorism.

~~~
whamlastxmas
Great, now I need to pass through a naked-body TSA scanner in order to
shitpost on reddit.

~~~
faragon
Come on. That's about world-wide DDoS attacks, not about checking individuals.

------
excitom
Highly uninformative article.

------
m0llusk
Said the clickbait. Bleak future indeed!

------
meira
I heard this after Heartbleed too. No, it is not a beginning. Neither a bleak
future. Maybe for bigco.

