Why Laws Won't Save Banks From DDoS Attacks
kierny writes "Rep. Mike Rogers (R-Mich.) should know better. The chairman of the House Intelligence Committee told NBC News that the Operation Ababil U.S. bank disruption DDoS campaign could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Not coincidentally, Rogers is the author of CISPA (now v2.0), a bill that would provide legal immunity for businesses that share threat data with the government, while allowing intelligence agencies to use it for 'national security' purposes, thus raising the ire of privacy rights groups. Just one problem: Numerous security experts have rubbished Rogers' assertion that threat intelligence would have any effect on banks' ability to defend themselves. The bank disruptions aren't cutting-edge or stealthy. They're just about packets overwhelming targeted sites, despite what Congressionally delivered intelligence might suggest."
These folks obsessed with a "negative peace" by making more laws should study history.
Is there such a thing?
In the name of fighting money laundering--an activity primarily associated with the War on Drugs--Congress passed a law requiring all transactions around $5k or more to be logged and sent to federal law enforcement. Paying in cash for everything is now being called a sign you might be a terrorist. Paying in cash is also *gasp* resistant to DDoS attacks. The corralling of most of our commerce into the hands of banks has effectively made banks a target that can cripple unrelated businesses. If we were mostly a cash society, it'd be no big deal. The worst a DDoS could do is delay the processing of your paycheck or an ATM withdrawal.
... I don't think 'rubbished' is a legitimate word.
I urge everyone to contact their congressperson and tell them to amend the bill to instead require the implementation of RFC 3514, which is a much more sensible solution to the problem than the one in the current bill.
What's needed is a big lawsuit by a big bank against Microsoft for willful negligence. (Def: "Intentional performance of an unreasonable act in disregard of a known risk, making it highly probable that harm will be caused.") Knowingly distributing operating systems which are known to be remotely exploitable to attack other systems fits that definition.
Microsoft's EULA doesn't protect them here. The victim is a third party, not their own customer, and not a signatory to the EULA. Nor does this require a class action. There are single banks big enough to take this on.
No matter how justified that deterrent is made (by creating it as a law). To stop the most determined people from doing what they will do.
Should banks be protected from attack? I would say in a perfect world where banks were innocent and served a purpose other than gambling on your own investment into them. Maybe.
But as it stands now, banks should be left out in the cold to defend themselves, and in ways that don't violate our laws. They need no more special justifications placed in our society for them.
These people want this information shared for their own purposes.
This has nothing at all to do with protecting banks from DDoS -- it's about ensuring government access to all of our data. If they can get private industry to hand them data they can't collect on their own then they can circumvent other laws.
I agree with the assessment that no law is going to make this kind of attack hitting from all over the world (and probably on zombie computers) go away.
These people just want the total surveillance world that scares the rest of us.
Lost at C:>. Found at C.
If terrorist surveillance information isn't enough, then the banks will have only one logical next step: operate their own armed aerial drones.
Why don't ISP redirect internet users with infected PCs to a quarantine page stating the problem? It might even educate them.
Laws without respect and/or a gun won't protect you from anything.
It goes without saying, but I'll say it anyway: many laws, like CISPA, RICO, etc., deserve no respect, and sometimes it takes a gun to remove them from the books, or to keep them from being put there in the first place when majority rule fails.
“He’s not deformed, he’s just drunk!”
Because criminals don't obey laws. Also, the location of the client, the server and/or the person pressing the keys determines whose laws apply.
They may limit it, but people will always kill, people will always steal, people will always defraud, people will always do drugs, etc.
I'm ashamed to say that Rogers is my congressman. I've even voted for him several times. As much as I'd like to vote for someone who excels in all areas, too bad our choices are normally choosing between an idiot and a half-wit.
"Paying in cash is also *gasp* resistant to DDoS attacks."
Go to a car dealer and say "I'm paying cash"
They will then insist (and lie - car dealers are liars and cheats - and scum fuckers) that you NEED to supply an SSN for the Patriot Act.
Lie
They do that so they can run a credit check and try to sell you something more expensive.
ONLY when you are about to finish the transaction, do they need your name - ONLY your name to report to the Treasury Dept.
Car dealers are scum. They deserve to have their children die from cancer where they have to watch them rot every morning and cry out, "Daddy, why am I dying?! Why does it hurt so baaaad?" Only for their car dealer father or mother to say, "Because I'm in the car business and I'm scum and this is karma to watch you die and suffer needlessly."
That is my curse on the assholes - like car dealers - of the World.
Yes, Satan says, "You're a cruel Mother fucker!"
This bank must not be utilizing a CDN. Distributed denial of service attack can be mitigated by a distributed CDN.
Given that a lot of these problems stem from inherent design flaws with our current Internet protocols, perhaps we ought to start improving upon the 20 and 30 year old protocols we've been relying on. Fundamental scale and design flaws will continue to empower bad people to do bad things so long as it continues to be nearly effortless. BGP, DNS, IPv4... You can only build on a foundation for so long before its age and brittleness begins to cause serious problems.
Using the ancient outlaw principle we can get at the DDoS'ers. I'm referring to making laws that take away all rights and legal protection for those declared outlaws, thus making it legal to hunt down the actual people and do with them as you please. As most DDoS'ers basically are cowards (hiding behind spoofing, not even making a statement about the motivations behind the attack) this will go a long way. Throw the spammers in with the DDoS'ers and we'd have a real chance at cleaning up the Internet by removing the trash the hard way.
Investing in one of THESE is a big help:
DDoS Appliances:
http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DDos+Appliance%22&btnG=Search&gbv=1&sei=KYw7UI-4FsXs6wH3uIDoDw
Because DDoS/DoS CAN be stopped (Microsoft & Amazon are set up PERFECTLY vs. it in fact, read on below on that note)!
---
Microsoft Windows NT-based OS settings vs. DoS:
Protect Against SYN Attacks
FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx
A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, explained later in this document:
Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection
---
The named value to enable SYN attack protection is located beneath the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0, 1, 2
Description: Causes TCP to adjust retransmission of SYN-ACKs. When you configure this value the connection responses time out more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
---
Set SYN Protection Thresholds
The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
These keys and values are:
Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0-65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100-65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.
Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80-65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.
---
Set Additional Protections
All the keys and values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:
Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0-255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.
Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0-65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1
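As an added example that is not part of the post above or of Microsoft's document, here is a PowerShell script that audits a host against the registry values the MSDN excerpt lists and, with -Apply, writes them. The -Apply switch, the Get-TcpParam helper and the $Recommended table are the example's own; the values in the table are copied from the excerpt. The version check encodes a caveat a practitioner needs before touching these keys: on Windows Vista / Server 2008 and later the TCP/IP stack always runs its own SYN-attack protection and ignores SynAttackProtect, TcpMaxHalfOpen, TcpMaxHalfOpenRetried, TcpMaxPortsExhausted and TcpMaxConnectResponseRetransmissions, so the excerpt's tuning only does anything on the older NT-family stacks (2000/XP/Server 2003) it was written for.

```powershell
# Added example (not from the page or from Microsoft): audit, and optionally apply,
# the SYN-flood hardening values listed in the MSDN excerpt above.
# Assumptions: run from an elevated PowerShell; -Apply, Get-TcpParam and the
# $Recommended table are this example's own names. Without -Apply it only reads.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
)

# Recommended values copied from the excerpt; all are REG_DWORD.
$Recommended = [ordered]@{
    SynAttackProtect                     = 2
    TcpMaxPortsExhausted                 = 5
    TcpMaxHalfOpen                       = 500
    TcpMaxHalfOpenRetried                = 400
    TcpMaxConnectResponseRetransmissions = 2
    TcpMaxDataRetransmissions            = 2
    EnablePMTUDiscovery                  = 0
}

# Caveat: Vista / Server 2008 (NT 6.0) and later ignore the SynAttackProtect family
# because SYN protection is built into the stack; writing them there changes nothing.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -ge 6) {
    Write-Warning "Windows $os ignores SynAttackProtect/TcpMaxHalfOpen*/TcpMaxPortsExhausted/TcpMaxConnectResponseRetransmissions; built-in SYN protection is already active."
}

function Get-TcpParam {
    param([string]$Name)
    # Returns $null when the value is absent (kernel default in effect).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($name in $Recommended.Keys) {
    $current = Get-TcpParam -Name $name
    $wanted  = $Recommended[$name]
    $state = if ($null -eq $current)      { 'MISSING (kernel default)' }
             elseif ($current -eq $wanted) { 'OK' }
             else                          { 'DIFFERS' }
    [pscustomobject]@{ Name = $name; Current = $current; Recommended = $wanted; State = $state }

    # Set-ItemProperty on the Registry provider creates the value if it does not exist.
    if ($Apply -and $state -ne 'OK' -and $PSCmdlet.ShouldProcess("$KeyPath\$name", "Set to $wanted")) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $wanted -Type DWord
    }
}

$report | Format-Table -AutoSize
if ($Apply) {
    Write-Host 'Tcpip\Parameters is read when the stack starts; reboot for changes to take effect.'
}
```

Run it without arguments first to see which values are absent or differ, then with -Apply (or -Apply -WhatIf to preview the writes). Two limits worth keeping in mind: these keys only govern the host's half-open connection queue, so they help against a classic SYN flood aimed at exhausting that queue, and they do nothing for the volumetric attacks the summary describes, where the uplink itself is saturated before any packet reaches the kernel; that is a problem for upstream filtering or anycast/CDN capacity, not for a registry setting.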
"Military intelligence" just met its match in the oxymoron sweepstakes.
That's kind of hard to do when the world is in a permanent state of global recession because the money, banking and currency systems we developed are just as flawed. Justify spending all that money rolling out a new global infrastructure built on new technology learned from lessons past, but with its own unique new bugs and complexity issues.
It's ironic, isn't it, that banks are complaining about this then. But this only affects the banks' access to consumers; their real internal infrastructure is much more guarded and modern the closer you get to the balance sheets, unless of course they deliberately want the records to disappear, then a good old fashioned fire works just fine on electrical hardware the same as it did on paper for their purposes, and throwing it all in the landfill where it's not likely to ever be scrutinized or investigated.
I'm not sure that we have a choice. "Because it's hard" is probably not going to be a sufficient excuse with respect to the critical mass we are heading toward. If everything that the world has invested in standing on top of the Internet is so important, then all that important stuff is going to need to experience the growing pain of adapting to new redesigned transit protocols. The alternative seems to be a sheer cliff.
To put it another way: the wolf does not adhere to the laws of the little pigs. If you're tired of him blowing your house down, you need to stop thinking about patching holes in your straw house. Reinforcing reeds isn't a scalable solution. You need to start building the houses with bricks.
This is coming from the guy that boasted on Twitter how much money he received from lobbyists that support CISPA... A truly devoted corporate **ahem** civil servant. It's no surprise that 2 out of 3 people would rather have a colonoscopy than the current congress.
http://boingboing.net/2013/03/23/congressman-boasts-on-twitter.html
No sig for you! Come back one year!