
DDoS Letter to Chairman Wheeler - ebarock
https://www.scribd.com/document/328854049/DDoS-Letter-to-Chairman-Wheeler#download
======
xenophonf
It strikes me as being somewhat dangerous to compromise open network/network
neutrality rules in order to kick compromised devices off the Internet, never
mind the fact that it puts the cost of security vulnerabilities on end users,
who can't fix them, instead of vendors, who can.

~~~
Sanddancer
This feels much like laws that already exist around Attractive/Public
Nuisances. A compromised device DDOSing is interfering with others' right to
be able to access the internet. The users themselves would in turn have much
more impetus to seek remedies, legal or otherwise, to get the devices fixed
because they'd then be without the ability to use devices they paid for. In a
lot of ways, doing this would put more pressure on the manufacturer, because
they would have much less room to wriggle out of their responsibility to
ensure their device is actually usable.

~~~
eli
Yeah and public nuisance laws are similarly problematic: selectively enforced
and sometimes used to punish the victims of crimes.

------
protomyth
Requested responses 8 and 9 scare the crap out of me. I think those pretty
much end open source software on the internet. Requested response 6 looks like
a call for forced updates. I would of preferred a call for a rule that
prevents cell providers from holding up phone updates.

~~~
Sanddancer
8 and 9 specify manufacturers -- people selling something that connects to the
internet. If you're selling, you should have to certify that you've done due
diligence. If this is done through NIST standards being created, one of the
side effects of this would mean that everyone would get actual guidelines, and
almost certainly tools, which could do checking if a device is configured at
least semi-properly. If anything, it would mean that vendors would have more
impetus to communicate and send patches, because they would have to actually
own their problems.

~~~
johncolanduoni
Yes, but even if your standard only states that manufacturers have to provide
some sort of resilience to attackers modifying the binaries on the device
remotely, I suspect many manufacturers are going to go with the simplest way:
preventing any modifications save manufacturer-signed updates, and/or reducing
user configurability of the device.

My feeling on this are somewhat mixed; on one hand virtually everyone who owns
a modifiable device never makes any significant modifications and doesn't know
how to properly secure it to boot. On the other hand, that means that even if
manufacturers had no selfish reasons to put in such limitations of their own
volition, the natural state for most consumer device markets is going to be to
have no modifiable devices available for purchase just because making an
unlocked version isn't worth it.

------
dreamcompiler
ISPs don't assign IP addresses to most IOT devices; routers do. So there's one
credibility problem with this letter right from the beginning.

~~~
0xfeba
Maybe he's an IPv6 fan.

~~~
feld
ISPs wouldn't assign addresses to the IoT devices with IPv6 either...

~~~
angry-hacker
But who does? Or what factor decides what my iot's device ipv6 will be?

~~~
wmf
Devices tend to self-assign IPv6 addresses using SLAAC, but the router would
still have MAC-to-IP mappings in its neighbor table. Or some cases the router
assigns it using DHCPv6.

~~~
johncolanduoni
Just to clear things up for people unfamiliar with IPv6, the ISP does have
some input in this process: they give your router a unique prefix (basically a
subnet) which the router delegates to the devices in your network.

------
nulagrithom
Parts of this letter sound informed, while other parts sound woefully
misguided... I'm not sure I understand the point. What's Mark Warner going for
here?

~~~
Sanddancer
He's going for starting the conversation. Basically saying, "hey, here are my
ideas, we need to talk about this."

------
eatbitseveryday
Letter on the senator's website itself:

[http://www.warner.senate.gov/public/index.cfm/2016/10/sen-
ma...](http://www.warner.senate.gov/public/index.cfm/2016/10/sen-mark-warner-
probes-friday-s-crippling-cyber-attack)

Unfortunately it also links to scribd.

~~~
abstractbeliefs
Humbly and without snark, what happened to scribd that has upset people? Is it
just the non-standard PDF viewer or have they been up to something
underhanded?

~~~
slavik81
Want to keep reading? Download the app for the full version!

* Read all 4 pages of DDoS Letter to Chairman Wheeler.

\-------

Their website cuts off the last page of the letter and tells you to download
their app to read it.

------
dwheeler
I think there are a number of specific laws or regulations that could reduce
the problems _without_ harming innovation.

Here's a starter list: [http://www.dwheeler.com/essays/law-
security.html](http://www.dwheeler.com/essays/law-security.html) . I'm sure
that list can be improved on (I'd love to hear about improvements).

------
dredmorbius
A non-Scribd source please?

------
jwtadvice
How about we fix DNS?

~~~
tptacek
To do what? DNS isn't the only amplifier on the Internet, and not all of the
Mirai attacks are amplified to begin with.

~~~
jwtadvice
"Decentralization of core nameserving and smarter caching downlevel so that
single modes of failure on internet name resolution doesn't bring entire
swaths of the internet down" is what I was thinking.

Reflection (UDP) and amplification are problems, sure - we could address those
as well.

~~~
tedunangst
This wasn't an attack against the root servers, so it's unclear what
decentralization help. Should Dyn stand up two servers? That sounds like a
good idea, but also something they can do themselves.

~~~
jwtadvice
So a proposal here would look like: redundant resolvers with ISPs and routers
failing and load balancing between them along with smarter caching strategies
on the entire name resolution stack. Getting more academic and speculative
with a “pie-in-the-sky” proposal that would remove both privacy and
centralization concerns: quorum strategies over a peer-based, differential
privacy protected authenticated database seeded by root servers.

The point here is that “IoT” isn’t the problem. Thousands of traditional
servers can do just as much damage (or more) than thousands of IoT devices in
a DDoS. You want to stop attacks that bring down DNS? Fix DNS. You aren’t
going to be able to legislate away compromise-likely devices and services.
That’s an imaginary solution, and likely to exacerbate other issues (IoT
privacy).

~~~
tptacek
I'm still not clear on how this is a solution. Attackers don't need to target
DNS. With massive botnets, they can generate backbone-melting traffic ---
which will look identical to legitimate traffic --- without the use of any
amplifiers, and which will knock out any service they choose.

~~~
jwtadvice
This isn't a proposal to stop all DDoS. That's some crazy feature creep you're
suggesting.

Look, if the purpose is to stop all DDoS, legislating IoT devices won't solve
that problem either.

You seem to be disqualifying a solution to attacks on DNS because it doesn't
solve a problem we aren't trying to solve.

I don't get it.

~~~
tptacek
Sorry. Reset. What problem are we trying to solve, and why that problem next?

~~~
jwtadvice
> What problem are we trying to solve? The problem where DNS providers, such
> as Dyn, are taken down, leading to outages to large swaths of the internet.

> Why that problem next? The recommendation to tackle this problem next is the
> topic of discussion. Namely, the DDoS letter to Chairman Wheeler.

The letter inappropriately confuses fixing this recent outage/attack on DNS
with preventing IoT devices from being compromised. My proposal (the high
level comment) is to fix the problem being discussed by fixing DNS (making it
difficult, as a core internet service, from being DDoSed).

