Internet Attack Spreads, Disrupting Major Websites (nytimes.com)
309 points by pouwerkerk on Oct 21, 2016 | 248 comments

Is it confirmed yet that so-called IoT devices were the bots?

Bruce was on point if so, arguing a couple weeks ago that accountability needs to happen on the manufacturers:

"What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.

Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."


https://www.schneier.com/blog/archives/2016/10/security_econ... ("Security Economics of the Internet of Things")

I feel like I hadn't thought of this as a market failure until reading your post calling it that. You're absolutely right about it. That's exactly what it is and the need for government involvement is quite obvious now. Suppliers are going to need to be held liable for the negative externalities their product offerings create, otherwise we're stuck at an equilibrium point where this situation does not improve.

If ISPs were treated like a utility and charged per bit, customers would have an incentive to ensure that their devices weren't dumping traffic onto the internet. It's rare that you can see a dashboard showing your usage, even rarer to see a dashboard showing your usage, broken down by device.

With ISPs (at least in the US) moving towards data caps, this is becoming a reality. It won't fix the problem.

DDOS attacks via IOT don't have to send much data per request. If my devices are doing an extra 10Mb/hour, I won't notice. 1000 homes is 10Gb/hour and that's just a few blocks in a city. 100,000 homes seems easy to hit, which is a petabyte of data per hour.

It's death by a thousand paper cuts. If my internet bill goes up a dollar per month, it's highly unlikely I'm going to debug my refrigerator to figure out how to stop it.

I think this is missing one component though. I agree I wouldn't, you wouldn't, in fact most people wouldn't debug their refrigerator over a dollar a month bandwidth bill.

I would however take into consideration bandwidth bill effects of what I buy. By comparison: today I buy LED lightbulbs and energy efficient appliances because they will have a long term cost impact on my electricity bill.

Right, though the IoT manufacturers probably aren't going to factor in internet attacks when advertising bandwidth usage. :)

That's why I got an Asus RT-AC5300 router. It's got a beautiful traffic analyzer.

I could've built something but honestly I don't have time for that anymore.

You can call that "getting the government involved" but it's allowing suing for damages due to negligence, which is a fairly basic form of involvement, the sort of thing at the base of the market to begin with. That is to say, it's a bit strange to call this a market failure, because the market will (imo) take care of it once you can assign liability.

I'm not so sure suing would help here, as who is suing who?

The people who bought the IoT devices probably don't even know that their device has been hijacked in a lot of cases and therefore have no incentive to sue the manufacturers.

The people being hit by the DDoS have a tricky attribution problem to prove which manufacturers are to blame and then the manufacturers could, in many cases, shift the blame to users who didn't read instructions/change default passwords/apply available security patches.

Also you have the problem of complex supply chain. A lot of the people selling these devices are just white-labelling someone else's product, so who's to blame there, the vendor or the ODM?

Lastly you have shrink-wrap style licenses that disclaim liability for flaws that the software market has been relying on for many many years to avoid any liability when their products misbehave...

Personally I don't see the market sorting this, it's a classic case of negative externality where government regulation is the most appropriate way to rectify the problem.

Yup, it's a classic externality.

Could the market failure be addressed through private class action suits against manufacturers of insecure IoT devices?

And what about software developers? Should we be suing the kernel developers for leaving that privilege escalation bug in for 9 years?

Don't open source licenses all include disclaimers?

Nope. Many of these compromised routers and webcams are not based on U.S. soil, so they're outside of U.S. jurisdiction. But even if some enterprising lawyer could attach a legal claim to them, most of these guys are tiny, and while you could easily sue some individual companies out of existence, it would not have much impact on the broader problem.

That's probably too distributed a set. You'd have to hit the device manufacturers (say, ARM or Intel), or vendors (Amazon). Hold them liable for problems.

Hit the distribution channel and I suspect you'll see a rapid increase in accountability and security measures.

Schneier wrote about related attacks just over a month ago in a post titled "Someone Is Learning How to Take Down the Internet" (https://www.schneier.com/blog/archives/2016/09/someone_is_le...)

Hopefully it's not related threats about hacking during the election.

Remember that recently Biden openly threatened cyber attack on Russia if they make any attempt to tamper with the election. Which is completely unprecedented, as is the notion that DOD is openly saying Russia was behind DNC and other attacks.

Also what amazed me is that he would casually threaten to strike Russia. It seems that no one considers these attacks as an act of war. But that's what they are.

NATO's new position as of July 2016: http://www.nato.int/cps/en/natohq/topics_78170.htm

    In July 2016, Allies reaffirmed NATO’s defensive
    mandate and recognised cyberspace as a domain of
    operations in which NATO must defend itself as
    effectively as it does in the air, on land and at sea.

The technical verbiage used is "domain of operations" and "security domain".

This article says that "massive" cyber attacks can lead to invocation of Article 5: http://www.reuters.com/article/us-cyber-nato-idUSKCN0Z12NE


Well that is potentially huge.

> It seems that no one considers these attacks as an act of war. But that's what they are.

Wouldn't it be better that we on Hacker News stay above trying to define "act of war"? Is it an act of war for one country to pollute air that floats over another country? Is it an act of war to launch satellites that pass over another country? These questions are governed by precise treaties today, but I can imagine politicians screaming "act of war, act of war!" at some point in the past.

It's just an arbitrary phrase used by politicians to justify whatever action or inaction they take. It will lead us to needless unproductive argument.

God I fucking hope not. I'd much rather lose access to some services and focus on technical mitigations than literally start a war over it. I don't want me or my family to die just because services go down or businesses lose some income.

Like it or not, that's happening and next year when Clinton comes in the office, that will be among the first things it comes to. Mark this comment.

Why? Because business.

I am not sure you will think the same if someone in your family is at the local hospital and the electricity has been shut down

I think I must have missed some context here or misread since an attack on an electrical grid is substantially different from disrupting major web services.

I'm not sure you've seen eighth graders who are unable to watch Netflix.

It's espionage, not necessarily an act of war. The US government is threatening to strike back with more espionage. (If they haven't already...)

Espionage is stealing data. Disrupting utility services is an act of war, whether it is shutting down an electricity power plant, cutting communications, or any other act of sabotage.

Equating what amounts to a temporary sabotage of a non-critical service to an act of war highlights how brittle and conflicted is US cyber-strategy.

Surveillance has for so long gotten all the money and mindshare. A stockpile of zero days is considered a good and necessary thing. Back doors in hardware and software are considered clever and useful, and maybe even a workable compromise for domestic surveillance.

Imagine if the domestic surveillance budget had been spent instead on making Linux into an EAL6+ certifiable system and creating open, verifiable designs for chips and firmware for secure hardware platforms.

This is true, but in fun hypothetical talks with various tech friends over the decades, we often talked about in relation to Internet services in particular, taking down services and such can actually help with hacking (i.e. stealing data) efforts. How? Why? Firstly, probing as the article mentions does yield plenty of valuable intel which is the core for espionage.

Secondly, we often joked that companies have such flawed backup and response procedures that triggering these things has a funny effect. More specifically, a lot of times in our experiences, we saw things like backups, up-scaling servers, etc. go noticeably unmaintained or poorly attended. A lot of people, especially years ago never did a great job of testing their backup systems, failovers, scaling, etc. and kept them up-to-date and secured as well as the main stuff. It's more interesting in some ways in this world of containers and VMs. One would assume things are updated, patched, and deployed exactly inline with the mainline stuff, but that's not always the case. It often takes only one slip-up and this is where a ton of people make mistakes for so many reasons. And sometimes it's easier to manipulate the protection systems to be the vector itself than the systems they are protecting.

That is to say, messing around with services sometimes can be a way of creating an open front or back door. Especially if there's malware and things that can be planted that will be less likely to be caught in the panic or otherwise deployed as a result of the panic response.

Of course all of this is more unlikely, but it's fun to think about in the same way stupid schemes that are similar in heist movies are fun.

Doesn't seem hypothetical or unlikely at all:


IIRC this tactic was used during the massive Target data breach in 2014.

What about say, stealing a map of secret military installations? Can stealing certain pieces of data be considered an act of war?

> Espionage is stealing data.

You tell me. Under their classification system, is stealing map data espionage?

Don't know, hence the question. It seems murkier than data vs. infrastructure. The one article I've read so far on the subject doesn't say much [1]. The Cyber Act of War Act of 2016 is apparently working its way through Congress [2].

Does application of the stolen data play a factor? ie considering the OPM breach an act of war if compromised individuals are blackmailed. Would Russia stealing the location data & capabilities of our missile defense system constitute an act of war?

1. http://www.wsj.com/articles/when-does-a-hack-become-an-act-o...

2. https://www.congress.gov/bill/114th-congress/house-bill/5220...

If a foreign entity is attacking our infrastructure, that could certainly be viewed as an act of war.

What if an entity willingly allowed the attacks or espionage to continue? Like the NSA allowing foreign nations to spy on US citizens and corporations, or the CIA operating and allowing drug operations to run amok within US borders, or the OPM breach?

You can't just have one without being able to hold all of those responsible accountable.

I think it could be either. Destruction vs information gathering would seem to be the line to me.

Hence not necessarily.

What Russia is trying to do with us (whether it's to influence our election or just make us seem weak) is very bad and should be met with a proportional response, but calling it an act of war seems a bit too far.

Hillary specifically promised to treat a cyberattack with all possible responses including military.

This woman is dangerous.

She and Obama were referring to cyberattacks that cripple critical infrastructure. Like shutting down power grids.

If that's what they are, why aren't we already at war with Russia?

Would you like to be at war with Russia?

Did you know you're at war with North Korea?

Did you know you're not at war, and have never been, with Afghanistan?

Meaning of all that: what is or isn't "war", an "act of war" or "is" is up to people to define, and international law is easily ignored whenever states think that's a good idea.

The best definition is probably the UN's "act of aggression", see http://www.un-documents.net/a29r3314.htm. That definition does not include provisions for such situations – the only (theoretically) unarmed act of aggression is a blockade.

There is a strange push in America to go to war with Russia. Of course no one comes right out and says this, because it would be counterproductive. But every time something bad happens to democrats, it gets blamed on Russia. Lots of non-sequitur bellicose talk about Putin all the time.

It reminds me of the run up to the Iraq war. Seems bad.

But they had WMDs! /s

The idiot is embarrassed because the DNC was exposed as fraudulent and corrupt to the core. One might figure only the Russians would be interested in exposing the underlying machinations of American politics, but it really is just a classic case of misdirection.

He's also threatening not just the Russians, but the American citizens as well... that if they try to challenge the system as it is, then the politicians would rather start a major war than to address any concerns of fraud/corruption.

DNC and RNC are corrupt to the core. Does that really need to be exposed? It's been a known fact for a few decades.

It's not just DoD, ESET found strong evidence to back the claim [1].

[1]: https://news.ycombinator.com/item?id=12764898

Thank you, missed this piece but it was interesting.

I disagree with him on the point of "Who would do that?" He might be right about state level actors, but I think he discounts the motivations of crazy/disillusioned people, bored and curious people, and especially teenagers.

When I was a teenager, the Internet wasn't a thing yet, but we sure dreamed of all kinds of crazy schemes for taking out the phone company, power, anything really. We talked about anarchy and many "taboo" topics I can't mention here. The thing is we were good kids at heart and we had the discretion and morals not to act on those things. All of this happened in a time where our instant communication was the phone or meeting up in person. Today, it is infinitely easier to seek out like-minded people and to replace those who drop out. The ability to seek out confirmation and push is easier than ever as well.

Unfortunately, there are plenty of people that don't have that. Just because someone is a misguided teenager or crazy person does not mean they do not have intelligence, organization, and skills. Many of us certainly did our share of things and had the power, but I wonder what might have happened if we didn't stop ourselves in some cases. While perhaps the organization and probing nature likely hints at something else, it's really not that unusual for people to just mess around. Some people as they say also just want to watch the world burn. A couple of rough years in my teens, I certainly felt that way at times. I did plenty of things I'm not proud of, many people just have no shame and will take it that much further.

In the end I probably agree in terms of who is most likely, but I am kind of surprised that there were not more possibilities mentioned. Even 20 years ago, attacking Internet infrastructure seemed an obvious thing to do to us and we used to love talking about fun ways to ruin things over a burger at lunch. I mean is it really that hard to fathom people would think about attacking targets other than some organization, government, or other kind of company's servers?

Schneier's post is hardly prophetic. The idea that "china is attacking the internet" is so well ingrained, that this 2-year-old fake security attack map has "china mode", to make most of the attacks seem to come from China (part of the mockery of such maps): https://github.com/hrbrmstr/pewpew

Irony alert:

> "But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack."

Pushing your infrastructure to cloud computing is not decentralization - it's centralization, and we're all doing it. Imagine if an attack like this was against AWS... we'd all be screwed.

Interestingly, in some ways this is a big selling point of AWS/Azure/Goog. The absolute scale they can handle is way up there.

The downside of course, is that whilst their infrastructure can likely handle it, handling the bill associated with 'just scale up your service' could be worse than the attack itself.

AWS has considerable defenses against DDOS attacks of all types - here's the video from Reinvent 2015 which introduces many of Amazon's defenses as well as best practices - https://www.youtube.com/watch?v=Ys0gG1koqJA

Interestingly, the presenter notes that Amazon had seen a drop in DNS as an attack vector in 2015. I asked the presenter (Product Manager) why they hadn't productized the DDoS attack dashboard so you could be aware if you were being attacked (and it was being absorbed by AWS) and his response was that there was insufficient demand at that point to justify the developer staffing. He gave me his card and asked to request the feature so he could use it to make the case internally.

Does anyone here have stories of being successfully DDoS'd on AWS (other than by their own staff :) ?

If Azure and Google would like to gain a competitive advantage over AWS, then I would suggest this: Build out a suite of tools for fighting DDOS. Enable private consultants and companies to provide this as a service. Do this in such a way, that cloud customers save money and have to worry about less. Hell, let companies jump in structured as insurance companies! Also bring in cooperation with law enforcement and use data gathering to catch and prosecute DDOS-ers.

> Enable private consultants and companies to provide this as a service.

If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability (the files are saved in multiple AZs in the same region - Glacier IIRC copy files on different regions to avoid data loss in case of physical disaster).

One of the reasons for choosing AWS is because AMZ has deep pockets and has the means (financial and technical) to fight against large DDoS attacks, while a smaller provider might not have to do that. Putting clients in a position to have to buy that sort of protection doesn't sound very smart to me.

> do with S3 to achieve 11 9's availability

I see so many people confused about this. Eleven nines is their durability guarantee; the availability that they guarantee is only 99.99%.


What's the difference between durability and availability?

Availability is the % of times you try to access your data that you get it back. So 52.5 minutes of downtime a year is still within SLA.

Durability is the % of your data that doesn't die. Eleven 9s means that if you store 1TB on AWS S3 you can expect to lose 10 bytes and still be within SLA.

No, it means that if you store your data there that there is a .000000001% chance that you will lose all of it.

For those wondering .000000001% per what? The answer apparently is per object year.

i.e. you could expect to lose 10 bytes of your 1TB every year if you stored it as a trillion one byte objects, but if you stored it as a single object you could expect to lose the whole thing once every hundred billion years, but none of it the rest of the time.

Is that true? How can they possibly measure a probability event so small? If every human in the world was their customer, then .05 humans would lose their data?

I don't know much about actuarial math but I think this number is for insurance policies more than anything else. It could be based on something like the rate of hardware failures they experience now amortized over a long period and many customers, and then adjusted to account for redundancy.

As a very simplified example, imagine they are expecting to lose 2 servers every day, this percentage might be the probability of those two servers storing the same exact object (and thus, losing it irretrievably).

It doesn't mean that either. It's just an SLA. Could have been a number pulled out of the air. Likely loss in real life would be granular at the object level.

durability means you'll get your bits eventually.

availability means you'll get your bits immediately.

Durable means it was persisted to disk. Availability means the service is up and reachable.

I hear this misunderstanding a lot as well, generally in relation to AWS S3 SLAs. 11 9's of "uptime" would mean service could be down for 3 milliseconds a year. 4 9s is very respectable.

> If I am an AWS customer I expect AWS to handle/prevent DDoS, same way as they do with S3 to achieve 11 9's availability

If you are an AWS customer you should have done your due diligence and know that amazon won't do a very good job at that.

I don't understand how people who use AWS have such unrealistic expectations.

Someone will always have the upper hand in an arms race, and it's not service providers yet. It's just a matter of finding the choke point between their transit and your code.

>I don't understand how people who use AWS have such unrealistic expectations.

Well, the whole point of AWS is not having to deal with the usual hosting stuff. They'll naturally have lots of customers with high expectations and very little understanding of how things work in the background.

When you are DDOSed they will keep supplying the resources for you to consume and pay them extra. Cloud is commodity so don't expect to be treated like a special snowflake. Your distress is their opportunity to make extra money.

Offtopic but relevant. One of my customers moved their email to O365 without understanding the differences from being on-prem. Now they are struggling to adapt their business processes to the limitations MS imposes.

>When you are DDOSed they will keep supplying the resources for you to consume and pay them extra.

If the attack is tiny, sure. Otherwise they'll just cut you off.

> If the attack is tiny, sure. Otherwise they'll just cut you off.

Yet they get to claim inexhaustible capacity.

For when you want it for traffic you want to pay for, not for unwanted traffic no one wants to pay for.

"achieve 11 9's availability" is this sarcasm?

They're referring to AWS S3's claim of 99.999999999% durability. AWS actually offers 99.99% availability.

Oh that at least could theoretically be feasible considering AWS's SLA though they might as well claim it's 99.9999999999999999999999999%

It all depends how you measure it

I thought you had to pay substantially extra to get files stored in multiple regions.

I'm not an AWS customer, but from what I have heard, you would be financially responsible for the DDoS traffic bill.

Amazon might waive the fee, but you are the first party responsible.

Doesn't Google already have the infrastructure to deal with an attack of this magnitude? I remember recently reading about Krebs on Security moving to Google's Project Shield service: http://www.zdnet.com/article/google-rescues-krebs-on-securit...

afaik Shield is for select journalists only, not for typical web infrastructure.


> My website is on Blogger, Google Sites, or Google App Engine. Am I eligible?

> As Google products, these sites already have similar DDoS protection to Project Shield. Your website would not need to be set up with Project Shield.

Wonder if that answer includes Compute Engine. Doubt it.

It would be interesting to try using App Engine to simply proxy traffic. I don't know enough about it to even know if it's technically feasible. I imagine the downsides would be many but it could be useful as a temporary measure while you're getting attacked.

Some people already use App Engine as a free CDN (http://www.digitalistic.com/2008/06/09/10-easy-steps-to-use-...), I imagine it would be totally possible to use it as a proxy.

You can't just build a "suite of tools" and give them to a customer to fight a DDOS. The way DDOS is mitigated is by making routing changes at the network edge. This is not something you want a customer to be able to do for obvious reasons. And these in themselves are sometimes not enough and DDOS mitigation will require coordinating with transit providers, again not something you would want put in a customer console.

Cloudflare is targeting that market pretty heavily.

Yup until this morning, AWS was using Dyn as the sole provider of nameservers for the us-east-1 zone. So this attack did have a pretty substantial impact on some AWS services until they updated us-east-1 to use the more diverse set of nameservers their other datacenters use.

That's a good point. If anything, it makes DDOS attacks more effective since you can't easily scale up your bank account :)

So it will eventually be Cloud vs. DDoS, eh. Both can scale indefinitely, so the limit is money, which makes the DDoS guys win: they practically stole CPU/RAM/NET, where cloud providers need to buy hardware as usual.

Unless we can somehow secure every net-connected devices, ha (I don't know whether to cry or laugh right now)

Can you third grade down your comment please?

I find your language to be of high interest like you had a "dUH" moment - which I am ignorant to get myself.

The Sons rays meat

DDOS usually occurs via a botnet of infected networked devices. Thus, the attacker is getting their resources for "free" since their host is unknowingly wasting CPU and bandwidth during the attack, while the defender is paying for theirs.


Is this analogy accurate?

I have one road to get home. It got blocked so I create 2 more roads.

I now have 3 Roads to get home. All 3 become blocked. So now I have to make another road.

More roads is redundancy and requires capital.

The roads become unblocked but I now must expect future road blocks.

Until Google starts serving pages from our phones...

Isn't that the meaning of having multiple AWS regions? :-)

If you want HA at local level you'd go with AWS AZs but if you need real HA you can do the same at region-level.

Of course not everyone has the money/need to go down that route, but it's possible and even advised for some AWS services.

You're correct, it's centralisation, at least for the whole community.

It decentralises that one company's DNS -- instead of having one or two DNS servers, perhaps at two sites, they now have 20, at 20 sites. If someone wants to target them, they're probably better protected.

But it's the same 20 servers as a million other companies, so the chance of those servers being a target is much greater.

> But it's the same 20 servers as a million other companies, so the chance of those servers being a target is much greater.

Yeah, that's what I was getting at. I feel like my chances of being collateral damage on an attack against someone else is way higher in the cloud.

Even today with GitHub and other SaaS platforms going down, we were all affected.

The cloud can be more decentralized but it is more expensive. Done properly, having redundancy across multiple clouds (AWS, Rackspace, Google, Azure), in geographically different areas with different internet service providers, it can be done in a very distributed, decentralized fashion; just no one actually does that. Instead they throw everything on one provider and pray it is backed up and secured by that cloud provider better than the IT guy down the hall they just laid off.

If you're talking rendering some VPS's, sure that's possible.

But that's a fraction of the cloud. It's hard to integrate every service the hopeful equivalent of every other service.

This is one of the many reasons AWS and cloud computing in general are way overrated.

I know of a company that pays an AWS bill sufficient to buy the equivalent of their pre-cloud datacenter's hardware every 1.5 months. The extra staff required to perform hardware maintenance would also cost about 2 months' worth of AWS each year (that means they're paying ~3x more than they would with hardware). Yet they moved to the cloud because it's the hip thing to do.

Cloud has upsides and things that are useful, especially for smaller proprietors who can take advantage of cheap droplets from DigitalOcean et al, but for grown-up companies, moving off your hardware shouldn't be automatic.

I think in some cases it might simply be the means to dump 1) people/groups that just don't have a large scale mindset and 2) bypass business processes that are absolutely not designed for large scale systems.

In that scenario you have a bunch of entrenched groups fighting about capex, capacity planning and budget all to get barely enough hardware to account for what you're doing in the next 3-12 months. Instead of taking a step back and creating a long term simple process for regular growth and replacement they get caught in the weeds because they have very old school mindsets.

Then you have your old school finance groups who are using terrifyingly delicate and complex interconnected spreadsheets to manage hardware expenditures and depreciation while maintaining old school draconian policies concerning CapEx budgets but allowing you to basically go nuts with OpEx.

You could try to change the culture in these entrenched groups who will view your attempts to make things better as political moves against them or you could just say "we're moving everything into the cloud" and make a complete end run around all of the people and baggage. The former is probably the "right" thing to do but the latter is going to let you focus on your product letting you get you back to being competitive.

It's orthogonal to centralization. Abstracting your infrastructure allows you to easily replicate infrastructure providing the same services.

This is only ironic if you expected moving to the cloud to be what provides the redundancy.

There's also the difference between cabled systems, in which multiple elements can independently support load, and chained systems, in which any given link can fail.

The BBC was affected by the Dyn outage not because they themselves relied on Dyn, but because components of their site did.

AWS was affected at one point.

I fully agree with you about the paradox of how, in the intent to de-centralize we centralize into cloud VPSes and managed services.

The real reason for the move is that same showtune that we keep hearing in our heads and wish we could tune it out: it's cheaper to move from physical infrastructure to the cloud. It's cheaper to skimp on security by not updating IoT devices. It's cheaper to skimp on security because features need to come first. It's cheaper to outsource operational management to parties with less expertise in places that pay less. To spend less time securing infrastructure perimeters because it costs money.

We feel almost as if hiding behind heavyweights like Google and Amazon will protect us from the bad elements of the world, where we hear about major breaches every few weeks (e.g., Yahoo being the most recent). Will this strategy pan out long-term?

With this DDOS, articles about machine learning picking up better password-cracking/guessing algorithms by having previously analyzed large volumes of passwords, major breaches in the financial world, talk of state-sponsored attacks (a la DNC emails) it certainly FEELS like the Internet has gotten a little bit more wild.

AWS was hit today, we saw a spike in failures. Got hold of one of the AWS guys and they basically noticed that the issue they saw in the US earlier in the day happened again in EU west. Funnily enough they probably could have avoided it if they'd deployed their mitigation to the other zones.

I'm pretty sure DDoS against HTTP resources have become quite hard to pull off, which is why there was a string of attempts to blackmail smaller email providers but nothing like it happens to similar startups relying on the web. Even the Linode attacks are only possible because they're highly targeted at a few critical systems there.

It's harder, but you can distribute your web resources across multiple cloud providers

If GitHub and Twitter are struggling with this, what chance do the rest of us have?

Well one upside of not being a Unicorn is that doubling the infrastructure/hosting costs for a project that's at a "cup of coffee a day" or a "dinner and a movie a month" budget isn't a showstopper. Doubling Twitter's infrastructure costs would not be good...

We seem to be needing more concerted action on what is a consumer minimum standard for an internet connected device.

Consumer devices have to be more secure because of the low user skill level - and interest.

I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of upgradability and security for devices we will just keep handing over our devices to the first person to scan them.

Or you need to make it easier for the 'black hole' solution to be pushed further and further back to the sources of the bad traffic.

A remote site shouldn't be able to get you banned from the Internet (by itself); but it MUST be able to say, "This host is being abusive, restrain them from sending me data". ISPs SHOULD use that information to evaluate if a host from their network might be compromised or otherwise a negative player. ISPs SHOULD also take steps to inform, and link to educational resources, customers which are being bad citizens of the Internet. ISPs SHOULD also be financially motivated (punishments to them) for allowing too many uncivil customers online; this might take the form of instead banning that ISP from the Internet as a whole.

So, as your ISP, I'm going to be held responsible for the actions of you, my customer/user?

Okay, if I'm going to be liable, financially or otherwise, well, then we're gonna have to make some changes around here.

First off, I'm going to have to heavily filter and restrict what traffic you can send out to the Internet. What isn't filtered or restricted is going to have to be inspected, logged, and retained for a period of time.

Next, because I can't be certain that you're RFC3514 compliant and that at least some of the bits you're sending aren't malicious, I'm going to have to prevent you from sending out any encrypted traffic. Instead of allowing you to use any DNS servers you want, you're going to have to use mine (DNS is heavily abused for DDoS attacks). Outgoing e-mail will be automatically redirected to my internal smart host (STARTTLS will be blocked, by the way) and I'm gonna have to log, read, and retain it all. HTTP traffic will be transparently proxied and all requests and responses will be logged and retained.

That's just the beginning. Are you sure this is what you prefer as your "solution"?

As a network operator, I believe that your ISP should be nothing more than a dumb pipe and allow the bits that you send to pass through freely. As an ISP customer, that's how I want my ISP to act. (If something gets reported or I "notice" you for some reason then, sure, I'll look into it. Otherwise, I try to fuck with my customer's traffic as little as possible.)

I'll agree that there is certainly a problem, but it is not because of ISPs.

> this might take the form of instead banning that ISP from the Internet as a whole.

I agree with some of your points, but fracturing the internet is not a viable option. It might make sense if it were a healthy, competitive market instead of the near monopolies that exist today. Imagine banning Comcast, or AT&T.

It's controversial, but I kind of agree. You need FCC approval to broadcast a radio signal due to the risk of interfering with other traffic, and you should have FCC approval that your IOT device meets minimum security standards before being sold.

It may be controversial, but I think there ought to be a law. Some ideas: http://www.dwheeler.com/essays/law-security.html

Why rely on end devices? The infrastructure itself should be designed so that it cannot be broken that easily. Maybe we should return to metered connections, maybe we should implement a protocol to control routing.

The Internet has grown without proper planning using a lot of "quick and dirty" hacks (for example NATs, peering agreements) and today we just see the result. It reminds me of poorly designed email protocols that resulted in spam being the biggest part of email traffic.

I'd say [i]the Internet has grown using a lot of "quick and dirty" hacks [/i]

If internet should wait until all use cases were created, it wouldn't exist. Its power was exactly that people could think on how to create things on top of what was available. Many RFCs came afterwards.

If only there were an app for consumers to securely scan their own network for unspoken traffic in these connected devices.

The amount of consumer IoT currently connected with default and often outdated device settings is beyond belief.

The standards don't need to be raised much. Banning the sale of internet-connected devices with non-random default passwords doesn't seem too intrusive for the benefits it will bring.

As noted below, you need FCC or similar licences for wifi radio, why not something similar for the packets emitted?

Downside is that radio leakage licensing is fairly simple scientifically. Proving something is unhackable is harder ...

It's fashionable to blame Russia these days, but what country manufactures the most IoT devices, and has the type of government that could mandate backdoor access?

It's been fashionable to blame China not so long ago.

Did I miss it going out of fashion?

This is true. Does this make the accusations less credible?

What "backdoor access" are you talking about? These botnets spread via static admin passwords.

I think what the OP is implying is that these static admin passwords were put as a deniable backdoor. If it was a Chinese gov scheme it is quite clever as a real backdoor would have been obvious, while this just looks like total incompetence.

This makes no sense. Everyone knows what the default passwords are. And all sorts of products not made in China have default passwords. And, some of the products implicated in these attacks aren't Chinese. I think the OP is grasping at straws.

I was thinking of the hardcoded passwords in Xiongmai Tech components that were linked to the Krebs DDOS. Very much in line with the rumors about Huawei and ZTE a few years back, I don't think it's out of the realm of possibility. Hard to define a motive though.

>"rumors about Huawei and ZTE"

What were these rumors?

It actually would be pretty clever given that once hacked you can close the door and keep out other hackers. Step 1. Make a device with a wide open door. Step 2. Hack all these devices and close the door. You get easy deniability and a massive botnet.

Having said this I suspect that this is not what has happened and it is most likely just a case of complete incompetence.

Who is... China?

> It is too early to determine who was behind Friday’s attacks, but it is this type of DDoS attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.

> Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so.

I had no idea any states allowed voting online. I wonder if the general population will ever get access to that.

If they're absent T ballots, they're not counted until several weeks later (unless the total amount of absent T ballots is larger than the margin between any candidate to ballot measure).

"Absent T"

Is this a reference I'm not getting, a speech-to-text error, or a simple misspelling of "absentee"?

"absentee" – for those grasping for meaning in a sea of autocrat.

What does the T stand for?

Hillary. Oh no, voter fraud!

Many of us in the industry hope not.

This seems so out of the blue, the last attack was targeting krebs for exposing extortionists. Who is being attacked this time and why?

There is a lot of talk of iot botnets but little to no evidence. This seems too vague and up in the air.

If all it takes is script kiddies and random extortionists to generate such large 1 Tbps scale attacks then we appear to be reliant on an unbelievably fragile base.

There is a growing realization of the need for more decentralization of services but these kinds of attacks are going to drive more centralization if only Google scale companies can manage to stay up. I think this is drop everything and fix time for the IT profession.

Wikileaks tweeted:

"Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. "

Link: https://twitter.com/wikileaks/status/789574436219449345

If their claim is true, does anyone think it will turn many sympathizers against them? I don't think attacking normal businesses is a good thing to do.

I think this tweet says more about Assange's vanity than anything else.

The motives of the attackers are much less interesting than the fact that such attacks are now possible.

"Assange's vanity than anything else" -> Don't get too ahead of yourself. Has there been any instance where Wikileaks had made a false claim?

So. Can we start talking about changing internet protocols to strengthen the integrity of internet network services against DoS attack?

Currently, the internet is very very open (as long as you don't live in certain countries). A baby monitor in Kansas can send arbitrary traffic to a router connecting a major financial services company in Hong Kong to an internet backbone. The idea, in a very hippy, world peace kinda way, is nice. But... probably not something we need to happen, much less should want to happen or allow, if good sense prevailed.

We have hacks in place that can prevent that particular situation from becoming too much trouble, but if you have enough baby monitors, something somewhere is going to choke. And really this is the point to me: you [as the network service provider] should not have to have carrier-grade infrastructure to avoid this scenario. If Casey Brogrammer wants to prop up a start-up on her DSL line (do people still have DSL?) she should be able to without fear of DoS. How do we do that?

I have no idea. But I'm betting it would require some rearchitecting of the internet and heavily modified protocols. Personally, I think the global BGP tables are gross (and, let's face it people, depending on RAM to perpetually increase in size while simultaneously decreasing in cost ad infinitum is not a realistic scaling mechanism), I think the many flaws in modern tcp/ip protocols are not designed with specific enough use cases in mind, and that the generalist design of the modern Internet has become more of a hindrance to efficiency and progress than a benefit. There is absolutely no requirement that we keep engineering ourselves into a corner, and IPv6 sure as shit isn't going to solve it.

This would make an interesting Ask HN (or StackExchange or Reddit) question.

Extensive commentary on this topic is in the update from Dyn - https://news.ycombinator.com/item?id=12759697

"And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected..."

Is that really confirmed or just the reporter writing gossip?


According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet.

Seems in-between. Not confirmed, but not just conjecture either.

Is this the end of the Internet that news.com predicted back in 1995?

Are you talking about this Newsweek article?


I just remember seeing this article on news.com circa 1995 that predicted the imminent demise of the Internet due to the commercialization of it. It worried that the net just couldn't handle all the traffic from all those 56k dialup hitting and getting email all at once.

So my comment was a bit on the ironic / goofy side.

Looks like that author has continued down the path of that line of thought though, if you look at the books listed on his Wikipedia page: https://en.wikipedia.org/wiki/Clifford_Stoll#Books

I have no doubt we'll see the end of the global internet in the next couple decades, but it's going to take quite a few more of these before we get there.

Harold Martin held without bail (high risk of flight) accused of theft of 20 years worth of government (NSA) tools/data, Trump stating he will not concede the election, tens of millions of IoT devices used in DDOS attack, Assange (wikileaks originator) cut off from internet, DNC hacked and exposed.

A conspiracy theorist's dream.

I wonder why companies affected by these IoT-enabled DDoS attacks don't sue the companies building those devices, as they currently often choose security over convenience when it comes to securing them. If you can forensically prove that a large fraction of the attack was carried out using a given type of device it should be possible to hold the manufacturer liable for the damage, at least if no reasonable measures were taken to secure it (using blank or default passwords on the device could count as gross negligence).

I even kind of wish that somebody would do this, as it would finally provide a strong incentive for the manufacturers to think about security.

Poul-Henning Kamp had this proposal on the subject back in 2011: http://queue.acm.org/detail.cfm?id=2030258

I think it's a good idea.

Kind of makes me wonder - why let up? Can it be mitigated at all? Wouldn't they have done so by now? Be interesting if they just kept piling it on until they've got the whole internet on its knees.

Well, because a lot of the companies that went down today addressed the problem by now running a blend of different DNS providers.
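The dependency problem raised in this thread (the BBC failing because components of its site relied on Dyn, and companies recovering by blending DNS providers) can be audited mechanically. The following is an added example, not part of any comment; the hostnames, name servers, page definition and the last-two-labels rule for naming a provider are constructed assumptions.

```python
"""Find DNS providers whose outage alone would break a page.

All hostnames, name servers and page definitions are constructed sample
data; ".example" names are reserved and never resolve.
"""

# Hostname -> authoritative name servers (constructed, in the form an
# NS lookup would return them).
NS_RECORDS = {
    "www.shop.example":   ["ns1.dns-a.example.", "ns2.dns-a.example."],
    "cdn.assets.example": ["ns1.dns-a.example.", "ns1.dns-b.example."],
    "login.sso.example":  ["ns1.dns-c.example.", "ns2.dns-c.example."],
}

# Page -> hostnames that must ALL resolve for the page to work (constructed).
PAGE_DEPENDENCIES = {
    "storefront": ["www.shop.example", "cdn.assets.example", "login.sso.example"],
}


def provider_of(ns_host):
    """Map a name server to its operator.

    Assumption: the operator is the last two labels of the name server's
    hostname. A real audit needs a public-suffix list and must account
    for white-labelled (vanity) name servers.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_for(hostname, ns_records):
    """Set of distinct DNS operators serving this hostname's zone."""
    return {provider_of(ns) for ns in ns_records.get(hostname, [])}


def resolvable(hostname, down, ns_records):
    """'Cabled': one surviving provider is enough. No NS data fails closed."""
    return bool(providers_for(hostname, ns_records) - set(down))


def page_works(page, down, ns_records=NS_RECORDS, deps=PAGE_DEPENDENCIES):
    """'Chained': every hostname the page needs must still resolve."""
    return all(resolvable(h, down, ns_records) for h in deps[page])


def single_points_of_failure(page, ns_records=NS_RECORDS, deps=PAGE_DEPENDENCIES):
    """Return {provider: [hostnames lost]} for each provider whose outage,
    on its own, makes at least one required hostname unresolvable."""
    known = [h for h in deps[page] if providers_for(h, ns_records)]
    unknown = [h for h in deps[page] if not providers_for(h, ns_records)]

    all_providers = set()
    for host in known:
        all_providers |= providers_for(host, ns_records)

    report = {}
    for provider in sorted(all_providers):
        lost = [h for h in known if not resolvable(h, {provider}, ns_records)]
        if lost:
            report[provider] = lost
    if unknown:
        # Dependencies we could not audit are reported, not silently passed.
        report["<no NS data>"] = unknown
    return report


if __name__ == "__main__":
    for provider, lost in single_points_of_failure("storefront").items():
        print(f"{provider}: outage breaks {', '.join(lost)}")
```

With the sample data the CDN hostname survives an outage of either of its two providers, but the page still fails if `dns-a.example` or `dns-c.example` goes down, because a third-party component is only as redundant as its own DNS setup.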

But it hasn't really dropped off since earlier today.

One of the Krebs articles mentioned an idea of a certification (similar to UL) which could be on products like DVRs and web cams. You can't ever certify something as completely secure of course, but the certification could indicate "firmware updatable", "no hard-coded default passwords" and "where there are passwords they are generated randomly and unique to each specific product" (not family of products). Maybe even "consumer can change all passwords to new randomly generated values". I can't say that all or even many consumers will care, but if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised, maybe a good number of consumers would start to look for that certification when they buy. Which is important because, let's face it, if insecure products don't actually impact sales then a lot of companies aren't going to care at all. You can try to punish bad behavior after the fact, but only if their government cooperates and even then I think many times they'd just fold up shop under one name and open again under another. You really have to address it at the point of purchase to affect company behavior IMO.

"if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised" - I remember Comcast doing something like that back in 2008ish.

Worth noting that even of stories such as these (new media, tech heavy) coverage by traditional media end up on the home page of HN. Beyond this observation, it seems that this election cycle brought home the importance of journalism for many people.

I wonder, how much electricity do these attacks spend on average? Is it significant for economy?

I don't think so. Modern botnets are mostly made of devices that are operating 24/7 already, such as compromised IP cameras, set top boxes, SOHO routers, IoT devices, etc.

The energy spent for TCP/IP stack usage is negligible at best, even when pushing those embedded CPUs to 100%.

> The energy spent for TCP/IP stack usage is negligible at best.

Not true, especially en masse. Even less true for wirelessly connected devices.

Power consumption fluctuations need to be up in the billions of watts before power companies generally care and must do something about it. Wifi routers are limited to 1W output power, so you'd need a lot more than just the hundreds of millions of wifi routers bleating out TCP packets at the top of their lungs to take down the power grid.

Also, what the power companies really care about are changes in consumption; once they've adjusted the grid parameters to compensate for an increase in power consumption, they're happy until the consumption drops off. Using wifi or any internet traffic to destabilize the grid is just not going to work because there just isn't enough raw drain available, even if the attackers could get their timing absolutely flawlessly perfect so every wifi model popped on at once.

Hm, in my experience the difference between idle and 100% CPU usage on a modern ARM processor (e.g. Allwinner H3) is around 1 Watt. That's more or less what an LCD monitor in standby draws.

I wouldn't call that significant (as in, impacting the global energy consumption significantly) even if thousands of devices started the attack at the same time.

Would you call that detectable? Especially en masse. Perhaps a smart grid could detect these attacks in some way and dynamically adjust power to compromised devices?

I wouldn't. The signal ratio to noise very likely just isn't there.

Remember, people regularly operate toaster ovens, microwaves, hairdryers, etc on a fluctuating basis, and THOSE tend to consume more like 1200+ Watts for a /single/ device.

Here's a real-world case of the above happening (tea kettles): http://www.bbc.co.uk/britainfromabove/stories/people/teatime...

You can sum it and have a big number but it is electricity that would be wasted anyway.

There is still real cost to moving those unsolicited bits at the target though. At the receiving end a server that has all cores operating at capacity has a higher power consumption than a server that is somewhat idle - lower P states or even a C state. Power consumption is fairly dynamic in a datacenter chassis with Xeons. In addition there is an increased cost of cooling this increased heat dissipation as well.

Yet another thing to show us that IoT is a can of worms. Yes, the technology is very helpful, but from security perspective, are we ready for it yet? Why not make existing CCTV cameras and nanny monitors more secure before having IoT?

If these sites hosted with google cloud, would they be less susceptible to ddos attacks?

This attack is on the DNS and not in the sites themselves. The sites are working fine. We need better infrastructure for the internet.

Google cloud can host your DNS zones for you.

That's also true of AWS, Digital Ocean, Linode, etc. Hell, you can even host your DNS yourself!

Are there any downloadable DNS lookup tables which could be used as hosts.txt or /etc/hosts in case of emergency?

I know that DNS is organized in root zones with hierarchical subqueries. A global hosts file which contains the whole IP space is sort of unfeasible because domain names change within seconds.

However, in face of the current attacks the DNS maintainers should seriously consider offering downloadable hosts files so that we could use them temporarily to circumvent DNS queries in cases of further attacks.

Would longer, say, week long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time. Here's an article that I think could be useful: https://medium.com/@brianarmstrong/youre-probably-doing-dns-...

Typical Dark Army

How long could this go on for?

This particular attack will likely eventually be mitigated (hours? days?). But it seems there is nothing preventing similar attacks from starting at any time, and be less possible to prevent each time.

Personally, I fear we are closer to global-scale, machine-learning-based attacks that find vulnerabilities, exploit them, and change patterns on the fly. We may not have a stable internet any more.

Am I blindly fearmongering? I hope not. But these are new waters. Insecure IoT is growing every hour and there's no clear path to stop it from being exploited more and more.

Trying to fight a war purely with defense is usually a dangerous strategy. The only long-term solution is to find the attackers and take them out.

That's irony, right? I can't even tell anymore.

Microsoft has had an active role in taking down botnets.


I do remember something about a virus that patched the computers it infected. White hat virus!

No, not irony. Our infrastructure is under attack. Why not fight back?

Based on what international laws? The source is likely in a country that doesn't play nice with our law enforcement and extradition requests. So what are you advocating?

Wait until they take that relaxing foreign vacation after all their hard work.

Cut their internet access. Take down their power grid.

If you're being attacked, I'm not sure what international law has to do with it. A country has the right to defend itself -- it doesn't require the UN to grant 'permission.' If you are in the midst of being attacked, waiting for the UN or some other dysfunctional body to 'approve' would be like asking the teacher for permission to defend yourself while you're getting your face pounded in. Countries are sovereign. They shouldn't need permission to defend themselves when they are under an immediate threat.

Your Netflix stopped working. You're talking about going to war.

> If you're being attacked, I'm not sure what international law has to do with it.

That's incredibly naive. Trumpian almost. Even in the midst of real war (you know, when people are dying, not sitting on the couch unable to place a Prime order), we follow international law. Because we want everyone else to as well.

"War is peace. Freedom is slavery. Ignorance is strength."?

Let's build a botnet to DDoS the DDoS botnet. /s /kinda

...or simply send a few hackers to Guantanamo!

Except other adversarial technology domains like encryption or spamming where defensive technologies are extremely good when used and 'finding the attackers and taking them out' is ridiculously impractical.

Might not be wildly impractical to brick insecure iot devices.

Not fully understanding TCP/IP, but could routers installed at ISPs disallow direct traffic to mid-point infrastructure?

I mean.. only allow traffic from/to leaf nodes.

Sure they could, it's called disconnecting your internet connection, unless you are arguing for every ISP to implement some sort of proxy, which itself would be mid-point infrastructure.

Wikileaks seem to be claiming the attack for their supporters here: https://mobile.twitter.com/wikileaks/status/7895744362194493...

Any evidence to support that?

Would longer, say, week long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time?

Given national security interests, we need new laws: 1. IOT devices should not ship with default passwords. 2. Internet infrastructure companies should not be allowed to get "too big to fail".

As far as (2) goes, they actually need to be too big to fail. Otherwise, it's plainly impossible for internet infrastructure companies to be able to financially weather ddos attacks like this. These sorts of attacks are very expensive to mitigate, and part of the way we can do that is to centralize under services like AWS and collectively pay for ddos protection (short of the government doing so and separating our network from those of major malicious foreign actors').

WL's Twitter has claimed it was WL supporters. Although no one can really confirm what's going on with them since the Ecuadorian embassy events the other day.


I _think_ WL == WikiLeaks.

Thanks everyone. I don't know how I wasn't able to come up with it given the reference to the Ecuadoran embassy.

WikiLeaks I think

Maybe WikiLeaks?



Since it's impossible to update many permanently-insecure "IoT" devices we may need laws to legalize gov't permanently bricking them.

Can't recall ever seeing the NY Times embed tweets in a story, is this a first?

edit: apparently it's because I mostly read the site within the app.

No, they do it all the time, especially for politically-related stories.

They've done it before, especially for trump: http://www.nytimes.com/2016/10/21/us/politics/trump-apprenti...

I wonder if the embeds break when a tweet gets deleted. That was always one of my biggest concerns when using them: that someone else can change / break your article in the future.

The embeds resolve to plaintext when a tweet is deleted. In fact, the standard embed code includes the Tweet text in plaintext, so that at least the content is preserved

why i think adding an edit feature to twitter is thorny issue

or Jen just dropped the internet.

LOL - I just re-watched that episode last night, as it turns out. Hilarious. The Elders of the internet will be miffed!

could we just move along with ipfs and a distributed web please guys, it's about time!

I agree. From what I understand, ipfs is designed to solve this problem (and several others). Maybe this will motivate the big actors to look into it seriously. Anybody disagree?

I love IPFS but how exactly does IPFS/IPNS solve the DDOS problem? The FAQ entry on this is not very convincing [1].

[1] https://github.com/ipfs/faq/issues/171

Brainstorming: We should make DNS mines like for Bitcoins


We detached this subthread from https://news.ycombinator.com/item?id=12765946 and marked it off-topic.

Boy am I glad you're not in charge of foreign relations, for the sake of nearly every country in the world.

"War? Whatever, so be it!". Right?

A complaint often surfaces from those that have actually lived through wars: How disconnected people are from war. Your country (I'm assuming) has been at war with various bits of the middle east for over a decade and you are not suffering the consequences. It's all remote for you. It's all drones, or "those men and women giving their life for our country gosh jolly gee we are so proud of them, so much respect".

It's not you, it's not your life, not your family's life, not your friends, your city, your streets being bombed, civilians being shot in the streets - none of that is what you've been through. The US has been exporting death, bringing none of it back home.

A warmongering country that is completely disconnected from the consequences; this is what leads to the "potentially nuclear war? pah, so be it, my internet is down anyway" attitude.

You're making a lot of assumptions about me. I am an immigrant from a country that has suffered very severely from war.

The point is not to let these guys do whatever they want. Go into Ukraine, kill UN volunteers in Syria. Let them become emboldened by different types of attacks and tomorrow we will have the type of war you're talking about.

Handle these problems now that they are small.

Edit: I wanted to add that it is very often the ones who have seen what terrible tragedies happen when you let terrible people like Putin do what they want that are the biggest "warmongers". It is why you see the Israelis become so eager to defend themselves because they have seen what will happen if you don't take care of bad people like Putin when they are small.

Well, yes, I'm making assumptions and I even highlighted them. Now if you tell me you've seen in person what war does to people and you're calling for round 2 with two superpowers, I don't believe you.

If, on the other hand, you're saying that the Russia situation needs to be solved sooner rather than later, you'll have a hard time finding somebody who disagrees but that shouldn't come at the cost of the entire planet. That's just nihilism.

A few things, I am not attacking your position against war. I am saying that Russia needs to be dealt with and it needs to happen sooner rather than later.

I am not advocating for war but I am saying that when dealing with things like this you have to prepare for the worst. There is one superpower here not two. You cannot let them do what they want and there has been real innocent bloodshed already because of Putin's actions and positions.

I think we are closer in our line of thinking than it seems. I have a family and I would never advocate to end life on this planet. I am zealous about letting someone like Putin go with zero punishment because history has shown us time and time again where that will take us.

> I am not advocating for war

Like I said, you won't find anyone who disagrees (not here anyway), but you gotta know people are arguing with you because you are, in fact, in your other posts, advocating for war - even if you didn't intend to.

This guy Putin has nukes. Lots of them.

That's a mute point.

We do too.

Do you not think Hitler scared the whole world? If you let this guy scare you into inaction then he's already won.

At the same time, declaring unilateral war against hitler would have been stupid.

Really? Right after he hit Poland? That would have been the smartest move the world could have done and you would have had much less bloodshed than you did. You would have prevented the holocaust prevented the destruction of most of Europe.

But you keep telling yourself that.

This is so much easier to say if you're not a historian. "What if" scenarios are invaluable. You might as well say we should have killed him. Easier said than done!

I realize I sound like Captain Hindsight here. But.

The thing is that I think we don't need to repeat history's mistakes.

Minor correction: that should be "moot" point.

The U.S. has changed the rules of engagement to state that any cyber attack can be met with real military counterattack.

If the Russians are behind it, after being emboldened by Ukraine and Syria, the United States has to respond. I'm not saying all out war but I am saying we have to show the Russians that this affects everything we are about. It affects our businesses, our elections, and our way of life.

I am saying there should be military action and if that leads to war then so be it, everyone will think twice about this sort of thing again and we will all be safer because of it.

> I am saying there should be military action and if that leads to war then so be it

I don't think that war with any nation, much less Russia, should ever be such a casual consideration. Measured in human suffering, military conflict is inestimably more awful than brief internet downtime.

Of course I agree with you but it's not about the internet downtime.

It's about messing with our elections, it's about the invasions. You let it all go on long enough and you will have much bigger problems in a few years' time.

Your point is completely accurate and critical to follow up on in a considered way. In the real world anyway.

But unfortunately, since Thiel has invited HN to go full /pol/ the answer you're gonna get is that it's a 400lb guy on a couch saving us from the devil.

> if that leads to war then so be it

Well gee, slow down there buddy

Would not disconnecting a cable from Russia or installing a firewall be a cheaper solution?

Their next move would be disconnecting the US.


What then?

I remember reading the same about American submarines installing unknown devices on underwater cables.

Yeah, they both do it. US has been doing it for decades, however.


I disagree. A cyberattack that were a short/medium-term risk to lives being the exception to this. But a cyberattack that plausibly affects at most the economy (and a fraction of it at best), if it be so proved, should be responded to in a way that affects an economy or the like. The world, as it is, already has enough human lives being ended each day or put at risk for what are often tenuous reasons at best.

> everyone will think twice about this sort of thing again and we will all be safer because of it.

Sure. Respond to a cyber attack on infra by starting a physical war that will permanently remove all infrastructure. It's the equivalent of burning down your building because a neighbor cut your cable.

War should always be a last resort - only when all other options are exhausted. Especially nuclear war.

That's a great way into a nuclear holocaust, and I appreciate it. I always wanted to test my prepper skills, although I have to admit that I'm not really a prepper, more like a guy who makes fun of them, and don't even own a Geiger counter (because the good ones are fucking expensive).

I think the main problem is that the Internet is decentralized. As it has no single owner, nobody is responsible for mitigating the attacks and no one wants to pay for developing and implementing new protocols, installing new hardware.

More the opposite, because it's too centralized, an attack can take out the few 'authority' servers and knock off everything downstream.
