Slashdot Mirror

← Back to Stories (view on slashdot.org)

40-Gbps DDoS Attacks Worry Even Tier-1 ISPs

Posted by kdawson on from the isotropic-tsunami dept.

sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.

12 of 146 comments (clear)

  1. Welcome to the recession. by mbone · · Score: 2, Interesting

    ...one says fewer resources, less management support, and increased workload.

    Welcome to the recession. Please enjoy your stay.

  2. what's scarier, or not by circletimessquare · · Score: 5, Interesting

    i can't decide, is the 40Gbps spike was related to fighting between criminal organizations. so its mollifying that this tool is so far only being used at such screaming proportions as turned on its creators:

    The Arbor Networks researchers said a 40-gigabit attack took place this year when two rival criminal cybergangs began quarreling over control of an online Ponzi scheme. "This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals," the network operator wrote in a note on the attack.

    the new york times had a good summary:

    http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?partner=permalink&exprod=permalink

    its notable that a lot of this potential is just sitting around, waiting for a chance to be used. if china goes to war with taiwan, or as when russia declared war on georgia, you will see/ saw these countries get DDosed off the face of the earth. that's the really worry: using DDos as a tool of war. the usa can sit around and wait until DDos used against vital government and civilian systems, or get ahead of the curve now

    also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:what's scarier, or not by Splab · · Score: 4, Interesting

      Well there are all sorts of neat tricks, but basically its the same.

      First you get yourself a bunch of zombies, these can hammer away at whatever speed they got uplink - but instead of hitting the target directly you use BGP routers (hopefully most are now immune to this) and make ICMP packets claiming to be from your victim, this way the BGP routers will respond to the ping effectively making a reflected DDoS (RDDoS). The neat thing is its pretty hard to figure out where the traffic is coming from because you need to contact whoever administrates the BGP router - and you can't block the traffic since the BGP routers are kinda important for your connection(s).

  3. IPv6 and DDoS? by Midnight+Thunder · · Score: 4, Interesting

    Have any studies been made with regards to DDoS attacks and IPv6. While at this point highly theoretical, would the differences in address range and lack of NATs reduce, increase or have no change on the risk?

    --
    Jumpstart the tartan drive.
  4. Re:let it collapse by 0100010001010011 · · Score: 5, Interesting

    100% Absolute Bull Shit. Name 1 manufacturer that does this.

    I work for Caterpillar. (You know, Construction Equipment). I've been on the factory tours. I've SEEN a Bulldozer come together from front to end. I can't speak for every component and I'm sure that some parts come from China or elsewhere. But a chunk of the product is made right here built by American Workers. I've seen the robots cutting the plate steel out and people welding it together

    Bulldozers/Pipe Layers (Track Type Tractors) are built in East Peoria, IL.
    Large Mining Trucks, Motor Graders are built in Decatur, IL.
    Hydraulic Excavators and Large Wheel Loaders are built in Aurora, IL.
    Skid steers, Backhoes are in South Carolina. (At will factory).
    Engines are built in Lafayette, IN, Mossville, IL and Greenville, SC. (Only Mossville is Union).
    Paving equipment is in MN.
    Underground mining equipment is in Australia.

    And there are factories all around the world, Belguim, France, England, India, etc. (Ever figure the shipping on a multi-ton vehicle)

    John Deere is in Moline, IA.

    Go on a road trip sometime. Name a Chinese Manufacturer. Kumatsu and Mitsubishi and Japanese. JCB is British, Samsung is Korean. There are no (yet) big manufactures in China.

    Construction equipment is a tool. And just like with hand tools you can go to Harbor Freight or you can go to Snap-On. For some people Harbor Freight is fine. But if you run something 24/7, 365 and every hour costs you thousands of downtime. You don't go cheap.

    I know this is slashdot, but try not to talk out of your ass so much.

  5. Re:let it collapse by prezkennedy.org · · Score: 3, Interesting

    You seriously think the Mexicans who built your house went to college for it?

    For that matter, you more than likely have been driving on bridges built by unskilled labor back in the 30's. They haven't collapsed on you yet it seems. And I guess the ole' Hoover dam is still there. Oh, and the Empire State Building, Pentagon, and hey, even the White House. Uh oh...

    People are incompetent and lazy, but damn, you make them sound like they're all downright idiotic and unwilling to lift so much as a finger to save themselves.

    If times get tough enough, even you might be willing to put down your mouse and pick up a shovel.

    --
    It started back in Team Fortress Classic
  6. If it's really that big a problem then... by Spatial · · Score: 4, Interesting

    ...take them out.

    The computers I mean. If it's that bad the zombies need to be killed off.

    I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.

    If I was in a position where I could press a button and wipe the MBR of every zombied computer on a gigantic botnet, I'm not sure if I would or not. Would you?

    1. Re:If it's really that big a problem then... by Anonymous Coward · · Score: 1, Interesting

      Heh, yeah good luck with that. Oldskool botnets weren't that hard, since they were controlled over IRC ... just /join the channel and work out the commands. Modern bots use public key encryption, custom p2p protocols, and most significantly they have no static central server: they move around constantly by means of election protocols, heartbeat monitoring and fast-flux DNS. In fact there are usually several tiers of roles which continually self-reorganise. Oh, and they detect attempts to probe them and DDoS you off the face of the earth.

      Sure it's possible, but infiltrations of modern top-tier botnets are newsworthy for a reason. Even if mass-disinfection were possible it would be illegal under most jurisdictions, since your modifications are just as unauthorised as the infection. Getting permission across all those jurisdictions, with a moving target, is of course totally infeasible. For all intents and purposes the bad guys have won, and security researchers know it.

  7. Re:let it collapse by afidel · · Score: 2, Interesting

    OK, so we rivet the new bridges. I still fail to see why we can't do what our great grandparents did with significantly lower levels of technology.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  8. Re:let it collapse by insllvn · · Score: 2, Interesting

    Perhaps this is a stupid question, but could we go back to riveting? The bridges have held, and if it is cheaper/easier/more practical... well, it goes against my geeky instincts to say it, but not every endeavor needs the latest tech, so long as what is used is safe and workable.

  9. Re:let it collapse by hairyfeet · · Score: 4, Interesting

    I agree. They just scraped an old WPA bridge near my home,not because it was unsafe,but because it was built in the time of single lane back roads and with all the trucks they needed a two lane bridge. That thing was built like a tank and had needed almost no maintenance in the nearly 80 years it stood. Most of the bridges here in AR,along with a lot of the electric and water lines were originally WPA,and really changed folks lives for the better in these rural states.

    So why not a WPA now to not only fix the crumbling roads,but to build us a new national broadband infrastructure for future generations? We could cut the ranks of the unemployed and lay fiber throughout the country,from the most urban to the most rural. And since it would be owned by We,The People we could lease it out to the telecos and have us some actual free market competition for a change. Wouldn't that be nice? Oh,BTW,it isn't 700 billion,that was just smoke up your butt. The actual number so far is 2 trillion! and they refuse to even tell us where the money went. You know,OUR money,that our great great grandkids will be paying for? You just have to love the brilliance of putting Wall Street insiders in charge of bailing out Wall Street.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  10. Re:let it collapse by Kent+Recal · · Score: 4, Interesting

    We have exactly this discussion here in germany right now.
    Germany is one of the last countries in europe that doesn't have a minimum wage and the slave labor lobby is trying hard to keep it that way.

    I agree that a minimum wage should alleviate a large part of the immediate problem. But the bigger problem remains unchanged: We have more people than we have jobs.
    The government can (and does) create artificial jobs by making people clean up parks or even repair bridges that would otherwise not be repaired - but that will always be a losing game. If these jobs would provide enough value to justify the cost then they'd already exist as regular jobs and there was no need to create them. Such "created" jobs are really just subventions in disguise and a tool to keep people busy so they don't start thinking.

    The question is: For how much longer can the (steadily shrinking) productive portion of the population drag the (rapidly growing) non-productive part of the population along?
    It doesn't matter much whether a non-productive worker is collecting welfare or is kept busy in a pseudo-job. The cost to society is almost the same.

    I think therein lies the real crux that we're facing these days. Maybe the new messiah (err, obama) will finally at least acknowledge the problem so we can start looking for solutions.