

Free Speech and DDOS Attacks - kmfrk
http://blog.name.com/2012/04/free-speech-and-ddos-attacks/

======
sauteedbiscuits
This isn't a good thing, it's a bad thing. Name.com basically buckled from a
threat and made this user move to a new registrar.

Hopefully next time they don't demand name.com reveal private whois or
something else. Good on them for not suspending the domain/user, but this was
NOT the customer's problem. They had a legitimate website and you chose to take
the easy way out. You should not have asked the customer to leave to another
host, you should have fixed the problem yourself.

It is your responsibility as an infrastructure provider to have adequate DDoS
prevention in place. Passing the buck to every extortionist that comes in is
not acceptable behavior.

Now that people know that name.com is easy to push around, I suspect many more
of these attacks will be likely. Best not to use name.com nameservers
apparently.

~~~
Monotoko
I sympathize with the provider here, if the systems weren't designed to take
the heat, do they continue trying to defend (at the risk of the other 1.5 mil)
when they believed they couldn't keep everything online, or discuss with the
user how to put their domain somewhere with more resources to defend against
this kind of attack?

Any small company would do the same (hosting etc) to stop everything going
offline. You can't blame name.com for being overwhelmed, because this sounds
like a DDoS from an organized group who knew what they were doing, which is
quite hard to mitigate against.

~~~
alain94040
What if, instead of asking for the domain, they had asked for $10,000, would
you have paid? What about $1M? Where do you stop?

I sure hope that my registrar would never give in to anything like this, and
would actually know how to defeat DDOS.

------
andrewcooke
so who had the balls to take the name?

<http://registrar.schlund.info> these fine people, apparently.

~~~
aes256
The domain was most likely registered with 1&1 Internet; both companies are
subsidiaries of United Internet AG, and from what I recall, domains purchased
from 1&1 are registered with Schlund + Partner.

------
rollypolly
The attackers need to read up on the
<http://en.wikipedia.org/wiki/Streisand_effect>

~~~
gojomo
Not enough people know about the Streisand Effect; perhaps we should threaten
Wikipedia to take the article down?

------
codexon
DDoS attacks are way too easy to do now, and something needs to be done about
it.

Anyone can go to www.hackforums.net for a free UDP flooder (called shell
booters there), or rent one capable of over 1 gb/s for $5.

Or if you want to do it yourself, pick a cheap throwaway vps from
www.lowendbox.com, go to www.gametracker.com and grab IPs from COD4,
Wolfenstein ET, Medal of Honor, etc... and send UDP query packets with your
IP spoofed as the victim. This will amplify the size of your attack 20x or
more and hide your IP address. You can easily get 10-20 gb/sec attacks like
this.

------
credo
boxun's manager claims that the attack was ordered by China's security
service. name.com is a US company and boxun.com is also a US website.

Why is the US government not doing anything to stop the attackers?

------
TomGullen
"At this point we helped the customer transfer the domain to another
registrar"

Seems a bit off to pass a customer with a lot of baggage over to a competitor,
AND actively help them do so.

------
NHQ
I had imagined the linked page was going to say "We got DDOS'd and we're
proud!" b/c DDOSing is a kind of free speech, like spending money.

------
aes256
Speaking of DDoS attacks, this article is showing:

 _> Error establishing a database connection_

------
tptacek
Attack? No! "Digital equivalent of a sit-in"!

------
jsprinkles
Why are DDoS attacks still a problem? Can't we, the network engineering
community, figure this out? It's 2012, for God's sake.

I feel like if every network engineer cared about DoS attacks and actually
watched traffic leaving their AS for such attacks (they're relatively easy to
identify), the world would be a much better place. I can't tell you how many
times I've e-mailed abuse contacts in APNIC regions and heard nothing but
silence -- or, occasionally, the attack intensified. And you can't tell me the
big telcos like Comcast don't already have packet sniffing gear in place to
penalize BitTorrent and so forth; can't you quickly identify LOIC and the
other bullshit and yank that customer offline or shape the hell out of them?

This is ridiculous, and might have a solution as simple as, "if your network
DoS attacks mine and you don't deal with it, I reserve the right to depeer
you. Good luck explaining to your customers why they can't hit Google any
more."

I might have high expectations, though, since countless ASNs still let packets
with forged addresses out.

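The "packets with forged addresses" the comment above ends on are the thing an egress filter at an AS border is meant to stop: any outbound packet whose source address is not from a prefix the network itself originates cannot be legitimate. The following is an added illustration written for this thread, not code from any commenter or from name.com; the prefixes, packet fields and sample flow are constructed, and a real router would apply the same rule in its forwarding plane rather than in Python.

```python
"""Egress anti-spoofing check at an AS border (added illustration, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Prefixes this hypothetical AS originates. Every packet leaving the AS must carry a
# source address from one of them; anything else has a forged source.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    length: int


def source_is_legitimate(packet, own_prefixes=OWN_PREFIXES):
    """True if the packet's source address belongs to a prefix this AS originates."""
    src = ipaddress.ip_address(packet.src)
    return any(src in net for net in own_prefixes)


def filter_egress(packets, own_prefixes=OWN_PREFIXES):
    """Split outbound packets into (forwarded, dropped).

    Dropped packets would have left the AS with a forged source address; they are
    the ones an abuse desk needs to see, keyed by the internal host that sent them.
    """
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if source_is_legitimate(p, own_prefixes) else dropped).append(p)
    return forwarded, dropped


def spoof_report(dropped):
    """Count dropped packets by destination.

    Many forged-source packets aimed at one destination is the pattern of this AS
    being used as a launch point for a spoofed flood against that destination.
    """
    counts = {}
    for p in dropped:
        counts[p.dst] = counts.get(p.dst, 0) + 1
    return counts


# Constructed sample flow: two legitimate packets and three with sources this AS
# does not own (a forged address on a documentation range and an RFC 1918 address).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 1200),
    Packet("203.0.113.44", "192.0.2.20", "udp", 60),
    Packet("192.0.2.99", "192.0.2.30", "udp", 64),   # source not ours: forged
    Packet("192.0.2.99", "192.0.2.30", "udp", 64),   # same forged source, same target
    Packet("10.0.0.5", "192.0.2.40", "udp", 64),     # private source leaving the AS
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} report={spoof_report(drp)}")
```

The check is deliberately a whitelist of the AS's own prefixes rather than a blacklist of bad sources: a forged address can be anything, so the only stable rule is "it must be ours". Multi-homed customers who legitimately announce prefixes through this AS need those prefixes added to the list, which is the usual operational wrinkle with this kind of filter.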
~~~
runeks
The reason we haven't solved DDoS attacks is that we're working on solving
the problem at the wrong level. We're trying to solve the wrong problem. This
video explains very clearly how this is the case:
<http://www.youtube.com/watch?v=8Z685OF-PS8>

Short(er) explanation: we no longer use the internet primarily for the purpose
of communicating between two parties. But the infrastructure of the internet
forces us to obtain data by having a conversation with a supposedly trusted
party, even though a line of communication is not really what we want; we want
a specific piece of data (an internet page, the latest exchange rate of USD to
EUR, the ISO for the daily image of Ubuntu 12.04, etc.). It doesn't matter
_where_ we get it from (location is irrelevant), it only matters that it's the
right data. Our use of the internet today is all about data. Yet, the
infrastructure of the internet (TCP/IP) is location-centric; not data-centric.
Data is shuttled between computers based, not on the data, but on the location
of the computers. This creates the possibility of DoS attacks. The TCP/IP
protocol is designed to efficiently route packages from a source to a
destination, and a DoS attack simply uses this feature maliciously. When
someone is hit by a DoS attack, the routers aiding in this are just following
the rules of TCP/IP: routing packages to a destination. That's their job. What
we need is a data-centric infrastructure. An infrastructure where data is not
obtained via a _connection to some location_ , but an infrastructure where
data is simply accessed by sending a request for a specific piece of data into
the cloud, and receiving the data from someone (and verifying that piece of
data via its hash and signature).

Instead of me obtaining the NY Times front page like this:

* Wireless USB dongle sends out signal. Signal is picked up by _my_ router (and everyone else's routers in near proximity, but all these other routers discard the signal). Router sends out a signal which my dongle (and all other routers/dongles pick up), but only my dongle uses this signal to obtain an IP address that the router knows. Over this connection I tell the router I want to connect to nytimes.com. Router connects to a server (name server) and asks it what the IP address is for nytimes.com. Router establishes a connection to nytimes.com, based on the IP it got from the nameserver. I send some commands over this connection where I ask for data, nytimes.com sends data, router hands it over to me. I now assume that I have the correct data - the front page of the NY Times, because some name server said some IP address corresponds to nytimes.com, and this IP address sent me this data.

I would obtain it like this:

* Wireless USB dongle sends out a "data ID" for the NY Times front page. _Any_ of the routers in my near vicinity that has a copy of the NY Times front page sends out a signal containing this data. My USB dongle picks up this data (and all other routers/dongles do so as well, the difference is that they are able to use this data as well, if they're looking for it). My computer checks if the data is signed using the public key of the New York Times. If the "date" field of the data is equal to or newer than, say, "now minus one hour", I accept this data as the NY Times' current front page.

A DoS attack is easy in the former case, because there is a connection. Not so
easy in the latter case, because routers don't willingly forward any data;
they are data-aware and if they receive a copy of the NY Times that isn't
signed by the NY Times' signature, it's discarded/ignored.

If you want to understand it better, watch that video. It's an excellent talk.
Really puts things in perspective.

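The second scenario in the comment above rests on two checks a data-aware router performs before it caches or forwards anything: the data's signature must verify under the publisher's key for that name, and its date must fall inside the freshness window. The block below is an added example written for this thread, not code from the commenter, the linked talk, or any named-data project. It stands in for the publisher's asymmetric signature with an HMAC over a constructed key so it runs offline with the standard library only; in a real deployment the router would hold only the publisher's public key. The name prefix `/nytimes`, the one-hour window and the sample packets are constructed.

```python
"""Data-centric delivery: a router that caches only signed, fresh data (added illustration)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Stand-in for the publisher's signing key: HMAC-SHA256 with a secret shared by publisher
# and verifier. A real system uses an asymmetric signature (e.g. Ed25519) so that routers
# hold only the public key. Constructed sample key and name prefix.
PUBLISHER_KEYS = {"/nytimes": b"constructed-nytimes-signing-key"}
FRESHNESS_WINDOW = 3600  # seconds: the comment's "now minus one hour"


@dataclass(frozen=True)
class DataPacket:
    name: str        # hierarchical data ID, e.g. "/nytimes/front-page"
    timestamp: int   # publication time, seconds since epoch
    payload: bytes
    signature: bytes


def _to_sign(name, timestamp, payload):
    # Bind name, time and a hash of the content so none of them can be swapped
    # without invalidating the signature.
    digest = hashlib.sha256(payload).hexdigest()
    return json.dumps([name, timestamp, digest]).encode()


def publish(name, timestamp, payload, key):
    """Produce a signed packet as the publisher would."""
    sig = hmac.new(key, _to_sign(name, timestamp, payload), hashlib.sha256).digest()
    return DataPacket(name, timestamp, payload, sig)


def publisher_key_for(name, keys=PUBLISHER_KEYS):
    """Longest-prefix match of a data name against the router's (hypothetical) trust store."""
    for prefix in sorted(keys, key=len, reverse=True):
        if name == prefix or name.startswith(prefix + "/"):
            return keys[prefix]
    return None


def verify(packet, now, keys=PUBLISHER_KEYS, window=FRESHNESS_WINDOW):
    """True only if the packet is signed by the name's publisher and is fresh."""
    key = publisher_key_for(packet.name, keys)
    if key is None:
        return False  # no publisher vouches for this name
    expected = hmac.new(key, _to_sign(packet.name, packet.timestamp, packet.payload),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet.signature):
        return False  # forged, or content altered after signing
    return now - window <= packet.timestamp <= now  # drop stale and future-dated copies


class DataAwareRouter:
    """Caches only verified data and answers requests by name, never by source location."""

    def __init__(self, keys=PUBLISHER_KEYS):
        self.keys = keys
        self.cache = {}
        self.rejected = 0

    def receive(self, packet, now):
        if verify(packet, now, self.keys):
            self.cache[packet.name] = packet
            return True
        self.rejected += 1  # unsigned junk never enters the cache
        return False

    def request(self, name, now):
        p = self.cache.get(name)
        if p is None or not verify(p, now, self.keys):
            return None  # re-check freshness at serve time too
        return p.payload


def demo():
    """Feed one forged, one stale and one genuine copy to a router; return what it kept."""
    now = 1_700_000_000
    key = PUBLISHER_KEYS["/nytimes"]
    router = DataAwareRouter()
    forged = DataPacket("/nytimes/front-page", now, b"<html>junk</html>", b"\x00" * 32)
    stale = publish("/nytimes/front-page", now - 7200, b"<html>yesterday</html>", key)
    genuine = publish("/nytimes/front-page", now - 600, b"<html>front page</html>", key)
    results = [router.receive(forged, now), router.receive(stale, now), router.receive(genuine, now)]
    return results, router.request("/nytimes/front-page", now), router.rejected


if __name__ == "__main__":
    print(demo())
```

Binding the name into the signed material is the detail that matters for the comment's argument: a valid NY Times packet cannot be replayed under a different name, and a packet under the `/nytimes` prefix that carries anyone else's signature is dropped before it costs the router anything but a hash and a compare.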
~~~
chc
It sounds like you're essentially talking about caching proxies, since if the
data only lived on NYT's server, it wouldn't matter whether you were looking
it up by "data ID" or IP address. Don't we have that already? Is there some
significant difference I'm missing?

~~~
mjschultz
Google, NYT, Amazon, et al. have data caching and it conceptually works in the
same way as the idea of named data networking (one of the names of the idea
above).

However, named data networking would push a cache to every network device
between the requester and the provider for every piece of data. Unless an
attacker is very close to the provider, they won't be able to take down the
resource. The best they could do is take down the resource for themselves and
their nearest neighbors.

~~~
Retric
Until someone poisons the cache by writing and requesting random junk and
takes everyone offline at the same time. Remember DOS may be controlled by a
few machines, but compromised machines tend to be randomly distributed
throughout the world (ed: random but not uniform).

