40-Gbps DDoS Attacks Worry Even Tier-1 ISPs

sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.

let it collapse

[nurb432]

Then perhaps we will fix some of the fundamental problems.

Re:let it collapse

[0100010001010011]

The 700 billion would have been better spent setting up a Depression Era work force. After the bridge collapse in MN we've been hearing report after report about how the current infrastructure is falling apart around us. The electrical grid is rigged together worse than some college students' cars.

Suspend unemployment. (Anyone willing and able to work but cannot find a job). Start putting everyone to work doing something. Bus them to and from a work site up to X miles from your home.[0] Every major bridge that isn't going to make it gets the full 24/7 treatment. When one bridge is done. You move onto the next one. Everything trickles down. Every one of those workers is going to need food, haircuts, a trailer to live in (while at work). Trucking industry would pick back up doing loads of construction supplies. Domestic construction equipment manufacturers would need to up production Only other domestic MADE, no other equipment (Cat, Deere, etc). Build the roads to European standards (Autobahn and such).
Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.

It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.

[0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.

Re:let it collapse

[cdrguru]

Back in the 1930's when construction was done by strong backs and no skills, that would have worked. And it did. Today, bridges are built by specialists with training. You want to drive on a bridge that was welded with by someone that never used one before? No? Neither does anyone else. The age of unskilled strong backs has ended. And we are discovering just how that relates to the "knowledge economy" now.

Face it, if everyone goes to college to learn how to be a "knowledge worker", who exactly will be working skilled construction jobs? Short answer is, nobody. And the harder getting a college education is pushed, the less chance we have of digging out of this hole.

Domestic construction equipement? Ha. Most of those products are made overseas now even through they have American manufacturer labels on them. It is cheaper to build a bulldozer in China and ship it to the US than to pay union scale wages plus deal with OSHA and environmental regulations. Unless we remove the US from WTO, we are stuck with making everything elsewhere - tariffs aren't legal anymore you understand. And any open-bid process would have to question why the government should spend 2x the money for "domestic made" equipment. Survival of the nation? Na, not a good enough reason.

Sure, I would like to see work camps replace welfare. If you are able-bodied you get nothing unless you are in a work camp doing something. Picking up trash, if nothing else. Cleaning up environmentally sensitive areas. Helping to build shelters for the homeless, whether they want them or not. But I think you would hear cries of "slavery" so much that the idea has no chance.

Re:let it collapse

[Red+Flayer]

Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.

Just to be clear...

First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.

Second, given the expectation of government bailout, it was no longer in the banks' self-interest to self-regulate, since they got to externalize the risk of bad investments. It's been known for years among financial circles that any bank failures big enough to potentially unhinge the economy would be prevented by government bailout. This information influenced lending decisions.

The simple fact of the matter is that top-level decision-makers at these financial institutions made decisions to maximize their bonuses, and those of their friends. Since the bonuses were not tied to long-term health of the company, the choices made were not optimized for long-term health of the company (or the economy as a whole). Any guilt over the negative repercussions was assuaged by the knowledge that the taxpayer would step in and bail them out.

Really, it was an investor's dream -- privatize the profits, socialize the risks.

Re:let it collapse

[Hatta]

First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.

All the more reason to eliminate corporations as an entity in the eyes of the law.

Re:let it collapse

[Mister+Whirly]

So when a small business employee gets into a car wreck on the job and accidentally kills somebody, the victim's family should be able to take not only all business assets, but the house and all personal assets of the owner?? Yeah, I can't see where that would cause any problems...

Re:let it collapse

[0100010001010011]

Which is quite a bit different than us buying everything from China and restamping it over here. For some things (Cat Machines for example) it's cheaper to make it where it's going to be used.

And as far as "Big Chinese Manufactures" I meant like Shandong SEM. Now if everything in the US has a "Shandong SEM" and was repainted yellow and put out to use then the post I was replying to might have a bit of a point.

Re:let it collapse

[Kent+Recal]

No matter what you call it, it's still a problematic idea as countries that already follow that model can attest.
In germany, for example, you can go roughly 2 years on welfare (if you have been in a job for at least 2 years before) before they start sticking you into "1 EUR jobs".
An 1 EUR job, as the name tells, pays 1 EUR per hour. And you have to take whatever job they give you.

The idea is that people who are forced to work for low wage will quickly become very interested in finding a *real* job (why work your ass off for 1 EUR when can you make more for the same work in a real job?).

The problems are manyfold:

1. Many people are simply underqualified and won't find a job no matter how hard they try. The 1-EUR-model basically turns into slave labor for them.

2. Many people *are* reasonably qualified but still don't find a job in their profession.

3. 1-EUR jobs now seriously compete with normal low-wage jobs such as cleaning, callcenters etc. Why should a company pay minimum wage when it can request workers for almost free from the government?

4. At least in germany this has opened the gates for a lot of shady companies (really borderline slave-labor there) that abuse the system in various "funny" ways, squeezing the last bit of profit out of them poor souls at the bottom of the food chain.

IMHO we have a totally unsolved problem here that nobody has dared tackling so far. The demand for low-skilled workers is declining to critical levels in the western world (because of automation and because outsourcing is cheaper for the rest) and high-skill work can never nearly cover the whole population.

It has become a fact of life that any larger western country simply can not offer productive work to a significant part of the population. No matter how you spin it, we'll continue to subsidize these people in one way or another - unless we decide to let them die. Now while it is a legitimate desire to "want something back" from them for their subvention money I don't think *forcing* them can be the way to go.
It's not their fault that the society doesn't need them and I find it highly problematic to force someone to "work on a bridge" (completely outside their learned profession) for minimum wage while somebody else, possibly with similar qualifications but a better family name, makes millions on wall-street.

The current system kinda works (and has suppressed any tendencies towards civial war so far) because of the elevator effect. Once you start forcing people into minimum wage jobs on a large scale scale without offering any alternatives or escape routes you'll soon get just that: a revolution.

Re:let it collapse

[mcrbids]

Did this actually help with the depression?

Yes, but not right away. There's a very strict limit to how much "economy" the government can directly fund.

But the bridges and roads built during the 30's depression are the infrastructure that the automotive boom of the 1950's was based upon. Much more was built in the 1950s and 1960s, along with an extensive power grid, telephone system, and power plants, nuclear and otherwise. Many of these freeways, highways, power lines, and power plants remain today, gridlocked or overloaded, essentially the same as they were in 1965. For 40 years, we've been milking the massive infrastructure built during an era of the United States when we were boldly looking forward.

If we don't start looking forward again soon, our aging infrastructure will continue to crumble and groan under the burden of our much larger population. We blow 700 billion bailing out a bunch of white guys who were caught feeding at the trough of the public good, while other nations spend a similar amount remaking themselves into super powers.

Tisk tisk. We should be spending 700 billion on rebuilding bridges, roads, power lines, and green energy. We could be energy independent in just 10 years if we pushed it, and the cost of doing so would create a strong economic and political power base for the United States for generations to come.

Every day we don't, we squander the strength our fathers left for us. We should return the favor for our progeny.

Re:Why isn't the insecurity of Windows mentioned?

[lawaetf1]

I don't often ride to the rescue of MSFT but if people are going to ignore updates and continue to run unpatched IE5 on Windows 2000.. what would you have them do? Force patches on people with no disable option? That'd go over real well with the /. crowd.

Probably the best thing that could happen would be for major web sites to start rejecting IE5. That would oblige a significant chunk of the slackasses out there to upgrade and visit windowsupdate in the process. Not that this would really improve the already infected machines out there but it's a start.

Great Explaination

[IceCreamGuy]

Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat

The Kaminsky thing? The ISPs thought it was handled poorly? How ***the fuck*** should it have been handled then? The day they disclosed publicly that there was a vulnerability, nevermind that they didn't disclose the details, they had patches out for every major DNS server and any ISP who wanted to be patched could have been. WTF?

Re:Why isn't the insecurity of Windows mentioned?

[david_thornley]

It is often the elephant in the cubicle, but there's really nothing that most people can do. For anybody outside Microsoft, and most people inside it, it's kind of like a bad Supreme Court decision.

Now, suppose that all of these problems, all the spam and DDOSs, were due to Microsoft's incompetence, shortsightedness, and general desire to increase next quarter's profits while dooming civilization as we know it. (This isn't entirely true, of course.) Suppose that the top Microsoft execs believed they had to do something effective, or God was going to release everything Microsoft ever wrote under GPLv3.

They decide to get to work on a more secure OS. This will take a lot of rewriting, and they'll dump other features before they get it out the door. They decide to keep the eye candy intact, and give the RIAA and MPAA everything they want. They call it, for the sake of argument, Mojave. (Vista may not be ideal, but it has a lot more security built in than XP.)

Now, what do they do about older software? Most people and businesses have some software they rely on, which really won't work on a secure machine. The developers of Roller Blade Tycoon and The Sins had administrator accounts, after all, and that's what they tested on. Everybody took advantage of all the security holes, because it made it possible to get their stuff out the door a week sooner, at the expense of dooming civilization as we know it of course.

Ballmer thinks. He can't just enforce security, because nobody will buy Mojave. He can't leave all the holes there, or he gets Eric Raymond and Richard Stallman as permanent house guests. The only thing he can do is plug the holes, and let the users decide what they want to run under the Users Are Competent program.

At this point, the users notice that Mojave runs slower, and when they try to run their favorite game, Uncle Wiggley DDOSs WWW.Apple.Com, they have to click through all these boxes, which is annoying even to the multitudes who are completely trained to click OK on "See dancing pigs and doom civilization as we know it!" They start badmouthing Mojave, and stick to XP as much as they can. When they get Vista, the ones who know enough disable all those annoying little dialog boxes, and the rest just click through them to get them off the screen. "Hey, dancing pigs!"

So, regardless of what you think of Microsoft's bad security practices and shortsightedness, there's really very little they can do about the situation they helped create. We have to deal with the computers we have, not the ones we wish everybody had.