Hacker News new | comments | show | ask | jobs | submit login
FCC says its cybersecurity measures to prevent DDoS attacks must remain secret (techcrunch.com)
210 points by janober 11 months ago | hide | past | web | favorite | 32 comments

I really liked [1]this comment on reddit illustrating evidence that not only was there no cyber attack on the FCC, but that it also self-orchestrated its supposed "DDOS." Curious HN's thoughts.

Realistically (or perhaps otherwise), what can Americans without enough money to lobby individually, do to prevent the FCC acting against our greater good, especially in the face of evidence that they are maliciously acting against the greater good? I have already called all of my senators and congressfolk, as well as written the president (for all that will do). This does not feel effective.


While I suspect the DDOS was fabricated, the linked reddit comment is flawed.

They claim that because the FCC uses Akamai as a CDN, that the FCC is immune from DDOS attacks. The FCC comment section is heavily reliant on a database, and you could simply overwhelm the database to DDOS that site. I would bet it is unlikely that the FCC utilized a cache for the queries.

"While I suspect the DDOS was fabricated, the linked reddit comment is flawed."

I too think that the DDOS is bollocks but I wouldn't go so far as to describe the reddit comment as flawed - MNGrrl presents quite a lot of additional evidence alongside the Akamai assertion. If you have some spare time it is worth reading/skimming the rest of the reddit thread. Whilst you are at it, look at the posting history of the highly rated commentators for some contextual bias hints. Follow links as well and lose a lot of time 8)

On balance the official story really does not stack up and I think a fully tooled up investigative journo could tear the FCC to pieces if given enough time and motivation to dot the Is and cross the Ts. The keyword there is motivation ...

It really depends, the calls to their database wouldn't be direct, it'd be through a REST API which then communicates with a DB. That REST API likely has some sort of DDOS protection, like for example how cloudflare protects ALL requests to the domain.

But anyway, their excuse that it needs to be secret is BS, DDOS protection methods are widespread and not very secret as it is. They probably just want to keep it secret, because they don't actually have proper DDOS protection.

> But anyway, their excuse that it needs to be secret is BS, DDOS protection methods are widespread and not very secret as it is. They probably just want to keep it secret, because they don't actually have proper DDOS protection.


At what point did the government become a special interest group which does not exist to protect the nation it serves? Providing good security advice is their job.

Even if they do have some super secret techniques, keeping them secret is not a strategy, it's what idiots who don't know anything about technology or computers or network security would do.

I would trust Cloudflare's staff over the FCC's I.T. department every day of the week, and I hate Cloudflare.

Not only that, in what way does an independent agency having zero ties to national security or the IC have any right to hold just about* anything secret? This is asinine!

I think you underestimate just how far we've allowed natsec expansion to taint even the most benign agencies.

As a constitutionalist, the real problem as I have condensed it is that the balance between providing for the common defense has completely overshadowed things like securing the blessings of liberty. Our gov is increasingly leaning authoritarian, and the populace has allowed it.

I wouldn't say I've underestimated anything. That was an honest question; as in: "what mental gymnastics did the FCC do to even think that keeping secrets is allowable?"

That aside, I would agree with you.

Ah, a small miscommunication I guess. My guess is the decision to keep secrets was made and then someone was told to do the gymnastics.

You have to set up protection on an API, it doesn't come magically installed by default.

> like for example how cloudflare protects ALL requests to the domain.

The primary purpose of cloudflare is to hide the IP address of the server and filter packets on IP level. It does not magically protects from any attack, especially on application level.

It is wrong to assume that there is a universal automatic solution against DDOS. Neither CDN nor Cloudflare nor REST API (how?) can help with this.

Like a dude in a Starbucks on free wifi and a script?

As much as I would like to believe it was a government conspiracy I think the far more likely explanation was an attention starved black-hat taking advantage of an incompetent government website.

Exactly my thoughts: Don't assume malice when stupidity is an adequate explanation.


Translation: their protection is bad and they don't want to reveal its mediocrity publicly, or there was no attack.

My guess is both. The actual volume of semi-automated (there were a few canned form submission tools) negative feedback may have resulted in a DOS (due to unexpected volume), and the mitigation was probably just to write it to /dev/null.

There was most definitely an automated (fraudulent) effort, if you doubt it go and see [1] if submissions were made in members of your family's name. I have no idea if it's Comcast doing it, my impression is that's just a catchy name for the site.

There is a complex regex search that the site uses to find copies of "the comment" – I was shocked how many of my family members (not with their actual addresses, but names of actual members of my family) filed brief comments that start out "The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation."

Presumably the text is varied in order to hamper the efforts of people like Comcastroturf that are trying to help quantify the number of these fraudulent comments that were filed.

I have no idea if the volume of these type of comments are enough to constitute a "DoS" attack, let alone DDOS, but the scale is quite grand.

I was shocked how few names I had to try before I found copies of "the comment" in filings in the names of many members of my family. Maybe about 50% hit rate. Higher with a common name.

[1]: http://www.comcastroturf.com

So the reason FCC won't release these records is that they don't want to implicate their boss?

Haha. Yes

The news coverage of this campaign was back in May, but the campaign continued on into July at least.

It's ok, we got Barron and Ajit on it, they're geniuses at the cyber.

In all seriousness, my research following the DDOS/astro-turfing campaign led me to at least some of the astro-turfing being the result of efforts by the Center for Individual Freedom[0] a far right-wing political operation masquerading as a non-profit.

There's an entire shadowy layer of questionable "public advocacy" groups out there tied to unquestionably partisan organizations. And sometimes even the political parties themselves.

The Center for Individual Freedom for example has received monies from Crossroads GPS[1], which is Karl Rove's umbrella organization for disbursing funds raised nationally to further the extreme agenda of the American right-wing and its financial backers, whether that be Putin or the Kochs.



Well one way to tell would be to DDoS the FCC and see if it works. But of course they likely don't have anything and are just covering up their fictitious story with gobbledegook. Proving they were DDoS'd by showing evidence of the attack would in no way affect how they protect against it. But then they know that.

The FCC's comments and all their interactions with the public since Ajit Pai has taken over honestly sound like what I would say to someone who I know has no idea about how technology works and I screwed up but I don't want them to know. I'm surprised we haven't heard about BSODs and exchange emails being lost or hard drives accidentally wiped after two days as is policy.

It's pretty clear that he's trying to pull the wool over our eyes and because the tech press has gone from being actual journalists to just eating up PR pieces and worrying about access so much that they refuse to do any real investigations, we're left with no one who appears credible to the public to actually do the investigation and publicize the wrong-doing.

Hard to defend against the old 'John Oliver mentioned my website' DDoS.

Because obscurity is the best security!... right? FCC knows what's best for everyone.

Isn't DDOS mitigation an area where obscurity is the standard? I am no expert on this but it seems like most providers keep the info about how they filter traffic pretty close to the chest.

As far as I can tell (as someone in the networking field but not a DDoS or HA expert), the standard for DDoS mitigation is basically "be bigger": too many POPs/routes, too much capacity to eat packets and establish TCP connections, capacity to serve cached responses, etc. such that even a huge attack simply can't exhaust your resources. To even think about classification and filtering means that you're somehow ingesting and processing this stuff; DDoS becomes threatening exactly when you lack the capacity to do that.

I guess I was thinking about providers like prolexic that filter the traffic for you. They must have some methodology for doing that.

Not really; no. DDOS mitigation is actually a pretty standard bag of tricks. Cloudflare describes their setup in pretty deep detail via engineering docs. Technically you might have to talk to their sales people to get them, but that's more to fill their sales pipeline than anything.

I'm by no means a networking professional, so maybe take this with a grain of salt, but no, your only two options are to handle the traffic or not. At low DDOS level you can offload certain traffic like dropping packets from certain IPs before your web layer gets to deeper inspection, but if there is enough traffic to overwhelm your layer 3 devices, you'll drop packets on the floor.

Alternatively you can usually let Akamai or similar advertise your IPs, and let them help with the load, but ultimately that's just distributing traffic to more devices so you can still check IPs against a blacklist.

Since we're talking about the availability aspect of security, there is hopefully no obscurity involved (confidentiality on the other hand is nothing but obscurity). And really, an obscurity technique like using alternate ports won't even help you much because that still hits your firewall and requires processing on each packet.

A DDoS is often also used to describe infrastructure that cannot handle load by people who do not know what they are talking about. I suspect that is what has happened here.

Security by obfuscation... That's not a good sign.

I just don't trust that guy.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact