
Why Friday's Massive DDoS Attack Should Be Terrifying - jason_wang
https://www.truevault.com/blog/massive-iot-ddos-attack.html
======
marze
Ok, dumb question:

Why can't a list of addresses of all the devices in the world of the type used
in the attack be created, and all packets from any address on the list be
trashed? At least, for the duration of the attack.

If such lists were made ahead of time, they could be turned on rapidly.

Is anything like this done?

~~~
1812calif
You are speaking of basically an IP-based version of the Spamhaus blacklist.
For general HTTP or TCP protocol.

I, for one, would be fine with a general internet citizen losing access if
they have a compromised device. I suspect this is how we will go -- your home
security cam was used in an attack, now every single website you visit for
XXXXXXXX days gives you a CAPTCHA.

I maintain the crucial element is informing people why they have that hassle.
Add extra friction, but do not inhibit what they can do, because they are
unable and unwilling to secure their devices.

Yes, this affects the internet-uneducated disproportionately. Yes, I think it
is the responsibility of anyone with a broadband connection to understand the
responsibilities that come with it.

No, I do not expect grandma to learn this. I expect her to deal with a
crippled internet because they are not able to fix their pollution.

------
johansch
Reddit, Netflix, Github and Airbnb all appear to have switched from Dyn to AWS
DNS for their primary .com domains by now.

~~~
andrewmitchell
I can understand the instinct to move, but I think the answer is to split your
eggs among many baskets, not just pick a sturdier basket. I don't think the
Dyn team is necessarily bad, it was an enormous assault.

------
emblem21
/etc/hosts saved the day for me.

~~~
andrewmitchell
I found a really really stale name server that didn't respect TTLs.

~~~
vitus
I found a HN post that recommended switching my nameservers to OpenDNS, which
uses SmartCache. Seems like a better approach in general.

~~~
jwarren116
Same. I use OpenDNS and I had no idea there was an attack happening until I
asked a co-worker to review something on GitHub and they couldn't access it.
SmartCache saved me a lot of hours that could have been lost Friday.

------
BerislavLopac
I'm not aware of all the technical intricacies here, but could this kind of
attack be preventable by having local DNS caches in the OS itself, kinda like
a dynamic hosts file?
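
The OpenDNS SmartCache behaviour mentioned a few comments up, and the OS-level
"dynamic hosts file" idea in this question, both come down to the same thing: a
resolver that keeps answering from expired cache entries while the
authoritative servers are unreachable (the technique was later written up as
RFC 8767, "serve stale"). The block below is an added example, not code from
this thread or from OpenDNS; it is a toy resolver cache with an injected,
constructed upstream so the outage can be simulated offline. `ServeStaleCache`,
`FakeUpstream`, `FakeClock` and the `example.com` / 203.0.113.10 answer are all
assumptions made for the illustration.

```python
"""Toy 'serve stale' DNS cache (added example; not part of the original thread).

Normal behaviour: answer from cache while the record's TTL is valid, otherwise
ask upstream and refresh.  Resilience behaviour: if upstream cannot be reached,
keep answering from the expired record for a bounded 'max_stale' window instead
of failing, which is what a strict TTL-respecting resolver would do.
"""
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Raised by the upstream stand-in when the authoritative side is unreachable."""


@dataclass
class CacheEntry:
    addresses: tuple
    expires_at: float


class ServeStaleCache:
    def __init__(self, upstream, clock=time.time, max_stale=7 * 24 * 3600):
        self.upstream = upstream      # callable(name) -> (addresses, ttl_seconds)
        self.clock = clock            # injectable so the test can control time
        self.max_stale = max_stale    # 0 gives strict TTL behaviour (no stale answers)
        self.cache = {}
        self.stale_hits = 0           # worth graphing: non-zero means upstream trouble

    def resolve(self, name):
        """Return (addresses, status) where status is 'fresh', 'refreshed' or 'stale'."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry.expires_at:
            return list(entry.addresses), "fresh"
        try:
            addresses, ttl = self.upstream(name)
        except UpstreamUnavailable:
            # Upstream is down: serve the expired record if it is not too old.
            if entry and now < entry.expires_at + self.max_stale:
                self.stale_hits += 1
                return list(entry.addresses), "stale"
            raise
        self.cache[name] = CacheEntry(tuple(addresses), now + ttl)
        return list(addresses), "refreshed"


class FakeClock:
    """Constructed clock so the scenario does not depend on wall time."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeUpstream:
    """Constructed stand-in for the authoritative side: a fixed 60 s TTL answer
    that can be toggled into an outage, mimicking an unreachable DNS provider."""
    def __init__(self):
        self.down = False

    def __call__(self, name):
        if self.down:
            raise UpstreamUnavailable(name)
        return ["203.0.113.10"], 60   # TEST-NET-3 documentation address, constructed


def simulate_outage(max_stale=7 * 24 * 3600):
    """Walk one name through: first lookup, a fresh hit, an outage, then recovery.
    Returns the list of statuses observed, or 'failed' where the resolver raised."""
    clock, upstream = FakeClock(), FakeUpstream()
    cache = ServeStaleCache(upstream, clock=clock, max_stale=max_stale)
    states = []

    def step(advance, down):
        clock.advance(advance)
        upstream.down = down
        try:
            states.append(cache.resolve("example.com")[1])
        except UpstreamUnavailable:
            states.append("failed")

    step(0, False)      # cold cache: refreshed from upstream, TTL 60 s
    step(30, False)     # 30 s later: fresh cache hit, upstream not consulted
    step(60, True)      # TTL expired and upstream down
    step(3600, True)    # an hour into the outage
    step(0, False)      # upstream back: normal refresh resumes
    return states


if __name__ == "__main__":
    print("serve-stale:", simulate_outage())
    print("strict TTL: ", simulate_outage(max_stale=0))
```

With the default `max_stale` the outage steps come back as `stale` answers, so
users keep reaching the site; with `max_stale=0` the same steps fail, which is
the behaviour the commenters above were working around with `/etc/hosts` and
non-TTL-respecting name servers. Serving stale data has a cost (a legitimate IP
change is delayed for as long as the outage lasts), which is why the window is
bounded rather than unlimited.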

------
pessimizer
It should be terrifying because the government's complete lack of ability to
regulate anything has allowed the so-called "internet of things," more
accurately called the "internet of corporate things that the user is locked
out of," to develop into a national security threat.

~~~
jstandard
I'm trying to understand your position. Are you saying this is partially (or
fully) the government's fault because they didn't regulate the IoT device
market to force it to be open source? And if they had done so this attack
could have been avoided?

~~~
andrewmitchell
There's a very strong argument to be made that regulation is the only way to
improve this situation. A negative externality like this is unlikely to
correct itself. Cheap manufacturers will continue to save money by cutting
security features, and unaware or price-driven consumers will reinforce that
behavior. What else can we do?

Note: this isn't something the US can solve. A lot of this traffic came from
overseas. It needs a coordinated response.

~~~
dogma1138
The problem with most regulation is that it tends to be quite a bit behind the
current trends.

You also need to account for the fact that these devices are going to be alive
for years, maybe even decades, which means that their security measures would
become obsolete.

DDoS needs to be solved on the infrastructure level at this point, securing
endpoint nodes is a game you are going to constantly lose.

~~~
cariaso
The same backdoors that owned the devices as a botnet, should be used to brick
the devices. And the courts should support that purchasers are entitled to
refunds and damages. Your IoT refrigerator got bricked? You can sue for $500
worth of spoiled food. Encourage class action lawsuits and watch how fast this
is fixed.

[https://github.com/jgamblin/Mirai-Source-Code](https://github.com/jgamblin/Mirai-Source-Code)

~~~
WildUtah
You can build secure devices. All it takes is putting quality engineers in
charge.

But paying quality engineers isn't fun and they won't work for idiot
management. So as long as management doesn't have to pay for the cost of
disasters they cause, nothing will be secure.

It's the same thing that happened at Hillary's State Department.

So I agree: Brick those refrigerators.

------
perseusprime11
Do we know who is behind this?

~~~
TheSpiceIsLife
"The Russians™"

~~~
perseusprime11
:) you want me to fall for that?

------
coreyp_1
90 miles from Chicago. Didn't notice a thing.

Note: I'm not dismissing the validity of the concern. I'm only reporting that
I didn't even know about it as the attack was happening. I'm sure others were
much more severely affected.

~~~
tarellel
I'm along the North Western New Mexico/South Western Colorado border and
didn't notice a difference either. I'm not saying this shouldn't be a major
concern. Just some areas are affected quite a bit more than others; it appears
to mainly affect high metro/coastal regions.

~~~
jacobsenscott
I'm in Denver. Couldn't get to github, and our site is hosted on Heroku and
was down for most of the day.

------
gfody
Friday's massive DDoS attack barely registered on my day-to-day, the only
annoyance was that GitHub was slightly slower than usual. It has been amusing
though to see all the hundreds of news articles trying desperately to
sensationalize the event... and it simply didn't even matter.

~~~
partiallypro
Just because it didn't affect you directly doesn't mean it wasn't a big deal.
I'm in Nashville and was not affected, but I'm not writing it off as a
non-event. The worrying thing is hacked IoT devices were militarized (just
using this as a term, not saying this was a state actor, though it very well
could have been.)

Imagine if the hack occurs again, but is more targeted towards things that
aren't just minor annoyances, and maybe happens on election night in the U.S.;
I mean just earlier this year a repo on a package manager being deleted caused
mass failure across the world of applications. A targeted attack on certain
assets or dependencies could be very bad indeed. I would argue that GitHub
being affected was more important than the other consumer-based services in
this attack. This is the first of many similar attacks in the coming years.

~~~
gfody
Militarized? You were as affected as I was which is not at all, don't you
wonder if this is just mass media trying to incite bullshit?

~~~
cderwin
For reference, I wasn't able to access any of the affected sites until around
5pm on the day of the attack, and I don't even live in a big city, though I do
live on the east coast.

If you look at HN comments from posts about the attack while it was ongoing
you can see plenty of people who were also affected by the attack (for
example, people looking for name servers that cached longer than allowed, or
OpenDNS's SmartCache). I understand why you think "the media" sensationalizes
things, but in fact it is absolutely not complicit in saying things that are
not true, even for the sake of embellishment (i.e. look at what happened to
Brian Williams).

~~~
gfody
DDoS attacks are script kiddie bullshit. I bet whatever kids are behind it are
absolutely loving the attention. Completely sensationalized stupidity to say
our entire infrastructure could be "taken out" in such a way and wild
speculation about it being a state sponsored attack. If a state wants to
actually take out some infrastructure they have fucking bombs and missiles for
that.

