Slashdot Mirror


Webmail Services Struggling Against DDoS Attacks (fastmail.com)

An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.

90 comments

  1. DDoS? by Anonymous Coward · · Score: 1

    They should have used WWindowS instead.

  2. Maybe botnet members should be held responsible? by Anonymous Coward · · Score: 3, Interesting

    Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.

  3. Chilling effect by Sir_Eptishous · · Score: 2

    Will this push the privacy-oriented webmail providers further to the margins and create a landscape where only the big players such as Google and Microsoft can survive?

    --
    We play the game with the bravery of being out of range
    1. Re:Chilling effect by Anonymous Coward · · Score: 0

      I think that will be the reverse, where the way we communicate may be designed to play around that (Peer-to-Peer messaging?)

    2. Re:Chilling effect by Crowd+Computing · · Score: 1

      You forgot to mention Facebook, since that's email for more people than the aliases and multiple accounts served by Google and Microsoft. What we need is a truly decentralized communication system.

    3. Re:Chilling effect by fustakrakich · · Score: 1

      So, Google and Microsoft are behind this? Not that I would really be surprised, but I kinda doubt it, if only to avoid being tagged as a "theorist".

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Chilling effect by Sir_Eptishous · · Score: 1

      No, I didn't infer that. What I'm getting at is their infrastructure, and others, such as Facebook, can easily deflect and withstand attacks like these.
      Smaller webmail providers can't.

      --
      We play the game with the bravery of being out of range
    5. Re:Chilling effect by Anonymous Coward · · Score: 0

      Who fucking cares? That battle is lost. The Corporate Internet is Now.

    6. Re:Chilling effect by Anonymous Coward · · Score: 0

      If you're right, then this is just google using the 2nd part of their two-pronged plan: (1) give it away for free, and (2) make up for it in volume(*).

      (*) volume = DDoS the competition.

  4. NSA by Anonymous Coward · · Score: 3, Insightful

    Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.

    1. Re:NSA by Anonymous Coward · · Score: 0

      Doubt it. Hushmail is an excellent service, and has felt the wrath of the US before.

      There are other governments than the US that don't like E-mail services with privacy as a bonus. Repressive governments who want to find out who sends what, and are willing to dispatch them, their friends, and their family even for the smallest dissent. Even more "civilized" countries like Thailand will stop at nothing to find someone that insults their royalty.

    2. Re: NSA by Anonymous Coward · · Score: 0

      I disagree. The recent revelations about them indicated that we weren't giving them nearly enough credit because they were so good at keeping their operations secret.

  5. botnets cost money by golgotha007 · · Score: 1

    You should always call any bluff of DDOS extortion. These botnets aren't free and cost money to get time on them. You might feel a little pain, but better than giving in to demands.

    Better yet, use Cloudflare or subscribe to Spamhaus to preemptively deny traffic.

    1. Re:botnets cost money by alex67500 · · Score: 3, Informative

      Denying traffic takes computing time too. If the attacks are as massive as TFS suggests, any device used to filter the incoming requests would soon be overwhelmed and the service would be down anyway...

    2. Re:botnets cost money by Anonymous Coward · · Score: 1

      If this is a government attack then most likely money is no object.

      The extortion demand isn't necessarily aimed at making a profit, it could be intended to further harm the targets' ability to continue doing business.

    3. Re:botnets cost money by Anonymous Coward · · Score: 0

      Zoho uses Cloudflare. Nice try though!

    4. Re:botnets cost money by Anonymous Coward · · Score: 0

      Unless you were the one that built the botnet...

      captcha: liberty

    5. Re:botnets cost money by Bing+Tsher+E · · Score: 1

      Botnets that aren't free and cost money to get time on are botnets that thus need to have a traceable revenue stream. Clearly more can be done to exterminate the people running the botnets, or at least make it hard to pay for the medical care they need after nearly exterminating them.

      It's organized crime, and there are government agencies tasked with dealing with organized crime.

    6. Re:botnets cost money by Anonymous Coward · · Score: 0

      Cloudflare is the largest man-in-the-middle on the Internet, is U.S.-based and does what gov tells them to do, and came into existence on suggestions and recommendations from the Department of "Justice" in conjunction with honey-potting. If your web business handles any sensitive user data, then you simply do not use Cloudflare.

    7. Re:botnets cost money by Bronster · · Score: 1

      Cloudflare only helps with web.

      Spamhaus - lovely, but the traffic is already coming down your uplink by then - we were already firewalling it all, doesn't help.

      (FastMail Ops btw)

      But we have a solution in place now, so we're in a lot nicer place than we were on Sunday when we were first hit.

  6. Government attacks? by wardrich86 · · Score: 4, Interesting

    Judging by the systems being hit, I can't help but wonder if the attacks are being done by a government agency.

    1. Re:Government attacks? by Ralph+Wiggam · · Score: 5, Insightful

      ProtonMail suspects a "state actor" but has zero evidence to support that. It makes no sense for a government to just DDOS a mail service. Governments would hack into the servers.

    2. Re:Government attacks? by Anonymous Coward · · Score: 2, Insightful

      Governments would hack into the servers.

      Unless they couldn't. Then they would want to "discourage" people from using the service. Governments aren't all-powerful (yet).

    3. Re:Government attacks? by Anonymous Coward · · Score: 0

      It's a bit unusual that the extortion was paid and the attack continued; it doesn't perfectly match the typical model of DDoS-for-ransom attacks.

      > It makes no sense for a government to just DDOS a mail service. Governments would hack into the servers.

      Other than if the attack looks unsophisticated it's more deniable. It also has a chilling effect where ISPs will not want to provide connectivity to these privacy-oriented mail services if they need to be prepared to absorb a 100 Gbps flood.

    4. Re:Government attacks? by randm.ca · · Score: 1

      It's a bit unusual that the extortion was paid and the attack continued; it doesn't perfectly match the typical model of DDoS-for-ransom attacks.

      Did the attack continue, or did the paid-off attacker stop only to be replaced by a new attacker who also wanted to get paid?

    5. Re:Government attacks? by cdrudge · · Score: 1

      Then they raid/confiscate with a FISA warrant.

    6. Re:Government attacks? by Anonymous Coward · · Score: 1

      It's a legal service in a foreign country. They can't. What they can do is leverage one of the bot-nets they may have taken over, to try and destroy the service. Everything about this reeks NSA and GCHQ.

    7. Re:Government attacks? by fph+il+quozientatore · · Score: 1

      In my eyes, this is great advertising for Protonmail. If someone that powerful couldn't hack or social-engineer their way into their server, it speaks volumes about the quality of their security.

      --
      My first program:

      Hell Segmentation fault

    8. Re:Government attacks? by Ralph+Wiggam · · Score: 1

      Maybe they instituted amazing security recently. But they got hacked last year.

      http://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/

    9. Re: Government attacks? by Anonymous Coward · · Score: 0

      What I find extremely strange is that Protonmail suspected a state actor and still agreed to pay them ransom. And only when financing the attack(er)s didn't help, they changed their stance to "we won't do it again." Also, why would they trust the Swiss government? If I had a protonmail account I would delete it immediately. They may not be compromised technically, but ethically they are compromised beyond repair.

  7. Re: Maybe botnet members should be held responsible by Anonymous Coward · · Score: 1

    More like, the companies who wrote the OS should be responsible.

  8. Nothing lost by Anonymous Coward · · Score: 1

    This service has always been a joke. First off, they've been hacked multiple times, executing JS inside emails. It's run by incompetent people, and you cannot secure these types of services from a faked signed SSL cert and injected JS to send off your unencrypted email contents the second they're displayed. Protonmail is the ILLUSION of security, the world is better off without it.

  9. Re:Maybe botnet members should be held responsible by fustakrakich · · Score: 1

    As the other reply said, the OS is responsible. Go after them. The computer is still a black box, the user has no idea what goes on inside. All they know is that if they let any smoke leak out, the machine is cooked. Like all other crimes you need to find the perpetrator. Don't fuck with those caught in the crossfire.

    --
    “He’s not deformed, he’s just drunk!”
  10. Why don't they attack gmail and yahoo? by ArsenneLupin · · Score: 1

    That way, we'd see less spam...

    1. Re:Why don't they attack gmail and yahoo? by Anonymous Coward · · Score: 1

      Relative infrastructure. The same DDoS that cripples ProtonMail would be a small percentage change in normal gmail traffic, even less noteworthy if it was not fired off during a peak usage time.

    2. Re:Why don't they attack gmail and yahoo? by Anonymous Coward · · Score: 0

      Because gmail and yahoo do not deal with encrypted mail. This is not about money, it's about fighting private communication.

  11. Re: Maybe botnet members should be held responsible by ShanghaiBill · · Score: 4, Insightful

    More like, the companies who wrote the OS should be responsible.

    No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.

  12. Distribute the service itself by Anonymous Coward · · Score: 1

    Big centralized services are vulnerable to these kinds of attacks.

    Perhaps if the service were distributed over tens of thousands of nodes in thousands of data centers, it would be more difficult to perform the attack.

    Anybody can hire a botnet to flood one data center. Can they flood every data center on the entire Internet at the same time?

  13. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 4, Insightful

    I myself advocate an approach that identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.

    Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.

    That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.

  14. Re: Maybe botnet members should be held responsible by Anonymous Coward · · Score: 3, Interesting

    The equivalent is not maintaining the brakes on a car. If this happens and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.

    Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.

    Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), PFSense with Snort routers would become very inexpensive and common.

  15. Re:Maybe botnet members should be held responsible by CaptainDork · · Score: 1

    You really don't understand this shit, do you?

    The goddam botnets are smart enough to change IP addresses at random, and often.

    It's Whack-a-Mole.

    --
    It little behooves the best of us to comment on the rest of us.
  16. Solution by transfire · · Score: 1

    Is there any way to solve DDOS attacks for good? Would a more robust DNS system work? Say one that dynamically assigns multiple IPs and rotates them with a frequency based on load?

    1. Re:Solution by Anonymous Coward · · Score: 0

      Not really, no.

      DNS has nothing to do with it, and DNS also doesn't assign IP addresses... DHCP or SLAAC does that.

      Botnet operators are using thousands of hosts on thousands of different subnets in many countries, simultaneously. You can blackhole the traffic at a certain point (close to the host), but you're likely going to end up taking the entire host's subnet offline to protect other network resources at a certain point. It's not very pretty.

    2. Re:Solution by Stan92057 · · Score: 1

      Botnets must be addressed; anything else is just spitting in the wind.

      --
      Jack of all trades, master of none
    3. Re:Solution by bjb_admin · · Score: 1

      When you are talking these large DDOSs that generate 60Gb of data, you are talking millions of hosts. You need to get them blocked upstream from yourself, otherwise you are still getting the flood and things will crawl on all of your services regardless. However upstream blocking is generally not source address based, just destination -- sure we will blackhole all packets destined to _YOUR_ server. Therefore you are still down. Yes, you can move the target but the DDOS will just follow.

      If you deal with that problem and they are also generating traffic on your HTTPS port to tie up your services, how do you differentiate DDOS traffic from the normal user who is trying to connect? Sure, you can examine the activity of each connection but there is no time for that when you have thousands and thousands coming in per second.

      It's like playing whack-a-mole but blindfolded and your wife has her head in there so you better watch out!

      The only way to deal with this is to use raw processing and huge network pipes against it, which is what the protection services provide.

    4. Re:Solution by Anonymous Coward · · Score: 0

      Short answer: no. However, what would help greatly would be for ISPs to implement egress filtering of source addresses on their border routers, or at least those parts of it that it would make sense to do so.

      Most of the current large DDOS actually involve amplification attacks, whereby a relatively small botnet leverages many more servers on the internet with UDP protocols that respond with larger packets than they are sent (DNS, NTP, SSDP etc.). With filtering, source addresses could no longer be spoofed, which would put an end to this kind of amplification attack. Botnets would then be forced to rely on the raw packeting ability of the hosts they have managed to compromise, which is far, far less and increases the risk of them being detected/blocked.

      The downside is, of course, that everyone has to do it. So like IPv6, real soon now, right?
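    The egress filtering this reply describes (BCP38 source address validation at the ISP border), worked through as an added example that is not from the poster or from any real ISP; the customer prefixes, amplifier ports and flow records are all constructed, and 192.0.2.0/24 stands in for both the victim and the reflectors.

```python
"""BCP38 egress filtering (source address validation) on an access ISP's border.

Constructed, stand-alone illustration: the ISP routes a few customer prefixes, and
any packet leaving its network with a source address outside those prefixes cannot
be legitimate, so it is dropped before it can reach a reflector. The prefixes and
flow records below are constructed for this example, not taken from any real network.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Prefixes this (constructed) ISP actually assigns to its customers.
CUSTOMER_PREFIXES = [ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# UDP services named in the thread whose replies are far larger than the query.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One outbound flow record as a border router or flow collector might see it."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


def is_valid_source(src, prefixes=CUSTOMER_PREFIXES):
    """True if the source address belongs to a prefix this ISP routes for its customers."""
    addr = ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def filter_egress(flows, prefixes=CUSTOMER_PREFIXES):
    """Split outbound flows into (forwarded, dropped) under BCP38 source validation."""
    forwarded, dropped = [], []
    for flow in flows:
        (forwarded if is_valid_source(flow.src, prefixes) else dropped).append(flow)
    return forwarded, dropped


def spoofed_amplification_summary(dropped):
    """Summarise dropped flows aimed at amplifier ports.

    The spoofed source is the intended victim, so grouping by it shows who the
    flood would have hit had the filter not been in place.
    """
    by_service, by_victim = Counter(), Counter()
    for flow in dropped:
        if flow.proto == "udp" and flow.dport in AMPLIFIER_PORTS:
            by_service[AMPLIFIER_PORTS[flow.dport]] += flow.packets
            by_victim[flow.src] += flow.packets
    return by_service, by_victim


# Constructed sample: two legitimate customer flows, four spoofed ones.
# 192.0.2.0/24 (TEST-NET-1) stands in for the victim and for the reflectors.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.53", "udp", 53, 40),    # customer's own DNS lookups
    Flow("203.0.113.9", "192.0.2.80", "tcp", 443, 120),   # customer HTTPS session
    Flow("192.0.2.10", "192.0.2.53", "udp", 53, 5000),    # spoofed as victim -> open resolver
    Flow("192.0.2.10", "192.0.2.123", "udp", 123, 3000),  # spoofed as victim -> NTP server
    Flow("192.0.2.10", "192.0.2.190", "udp", 1900, 800),  # spoofed as victim -> SSDP device
    Flow("10.0.0.5", "192.0.2.80", "tcp", 443, 3),        # RFC 1918 source: bogon, also dropped
]


def main():
    forwarded, dropped = filter_egress(SAMPLE_FLOWS)
    by_service, by_victim = spoofed_amplification_summary(dropped)
    print(f"forwarded {len(forwarded)} flows, dropped {len(dropped)} spoofed flows")
    for service, pkts in by_service.items():
        print(f"  blocked {pkts} spoofed packets toward {service} reflectors")
    for victim, pkts in by_victim.items():
        print(f"  victim {victim} spared {pkts} triggering packets")


if __name__ == "__main__":
    main()
```

The check is per-ISP and only protects other people's networks, which is the "everyone has to do it" problem the reply raises.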

  17. Runbox by Anonymous Coward · · Score: 0

    I've been pretty impressed with how Runbox has handled the situation. I personally haven't noticed any downtime and they were super great about communicating.

  18. Re:Maybe botnet members should be held responsible by myowntrueself · · Score: 3, Informative

    You really don't understand this shit, do you?

    The goddam botnets are smart enough to change IP addresses at random, and often.

    It's Whack-a-Mole.

    There's even another level of indirection; in reflection attacks you, the recipient of the attack, get to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see these.

    --
    In the free world the media isn't government run; the government is media run.
  19. Re:Maybe botnet members should be held responsible by Anonymous Coward · · Score: 1

    Oh, the botnet endpoints are smart enough to change the IP address assigned to the endpoint? Hrmm, how are they doing that on your typical user TWC or COX internet connection? Oh wait they aren't. You THINK they are because they just use different botnets for different attacks, or only utilize a % of the zombie PCs in their botnet.

    Having the ISP cut the user off is a valid solution, or at the least, drop it to 56k speeds. You stop the zombies from attacking, you stop the DDoS.

  20. Re: Maybe botnet members should be held responsible by Anonymous Coward · · Score: 1

    That will turn the internet into "cable TV" with dumb terminals connected to a few big content providers in the blink of an eye.

  21. Re:Maybe botnet members should be held responsible by CanadianMacFan · · Score: 1

    And how do they stop it if they don't have Internet access to download the latest patches? What if there are no patches?

  22. NSA and GCHQ by Anonymous Coward · · Score: 0

    Cyber-criminals are by and large pro-privacy, and they have better targets than a few small services like this. The solution is to identify and take down bot-nets, before the NSA and GCHQ can assume control over them and use them to attack other countries and their businesses like this.

  23. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 4, Interesting

    Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.

    In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN MAC address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to 192.168.1.100, but other than that most modems don't support this.)

    But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.

    Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.

  24. Re:Maybe botnet members should be held responsible by pfleming · · Score: 1

    Centurylink - a company with plenty of reasons to hate it - will restrict internet access from machines deemed to be running malware until you talk to them and fix it.

  25. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 2

    Well first see my post here:

    http://slashdot.org/comments.p...

    And in addition to that, anybody who owns something that is being used as a reflector could be required to fix it (i.e. an open relay needs to add authentication) and in the case of passive services that can be used as reflectors (such as DNS) they can keep logs of what IP addresses are obviously using them as a DDoS reflector and report them to a proper authority.

  26. Re:Maybe botnet members should be held responsible by Anubis+IV · · Score: 2

    You're talking past each other. To draw a car analogy, let's pretend that the streets around a particular business are getting clogged up by unlicensed teens borrowing their parents' cars to go joyriding. The previous poster is suggesting that we tell those parents that they're not allowed to drive on the road until they take steps to prevent their kids from using their cars illegally. I.e. We put the onus on the owners of the cars to properly secure their vehicle before we let them use a shared resource. You're saying that he doesn't understand the problem, since other kids will just clog up the roads instead.

    To some extent, you're both right.

    His idea won't fix the problem overnight or for any particular attack happening right now, but if we can get enough countries to enact such policies, it would effectively cut the legs out from under any future DDoS attacks, since it would reduce the number of zombie PCs and a botnet is only as strong as the number of zombie members in its network. At that point, we'd have to worry about people from non-treaty nations (i.e. to go back to the car analogy, kids from a neighboring region where the restrictions aren't in place).

    A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network, and then if malware activity was later detected, they'd cut you off until you fixed the issue and came back clean on a subsequent scan. I'm not suggesting that would be a good policy at a national level (in fact, I'd suggest it would be a HORRIBLE idea to allow the government to require us to install and execute software of its own creation), but it is an interesting idea, nonetheless.

  27. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 1

    Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch, and have your WAN edge configured as stateful and drop all unsolicited packets, which is easy to do with most SOHO gear. Don't know how to do that? Well then you should probably either learn how or hire somebody. Either way, that's better than a fine.

  28. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 3, Insightful

    I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by 48 hour suspension. If after your service is restored and the problem isn't resolved, then you've got 24 hours to resolve, and if not resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.

    As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week, and there is no warning period. Some of the ISPs' customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.

  29. Re:Maybe botnet members should be held responsible by tepples · · Score: 1

    A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network

    Is this malware scan available for OS X and major GNU/Linux distributions? Or does it work correctly in Wine? Or are students required to buy a copy of Genuine Windows® for each Mac or Linux laptop, reboot into Windows in order to connect to the Internet, replace iPad and Android tablets with Surface tablets, and leave the phones on cellular data?

  30. Son of SOPA by tepples · · Score: 1

    you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week

    Isn't that what the widely hated Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECTIP) bills threatened to do?

    1. Re:Son of SOPA by Anonymous Coward · · Score: 0

      SOPA/PIPA got axed when China and Russia made it clear to the US that blocking one of their sites would be considered the same thing as a naval blockade... an act of war, and would be responded to just like a physical blockade or invasion... i.e. nukes would fly.

      After that warning, Congress abandoned that legislation quite quickly.

    2. Re:Son of SOPA by ArmoredDragon · · Score: 1

      The difference would be that, in the case of SOPA, just any random person could upload so much as a picture, and whether it belonged to the MPAA or not they could demand the site be shut down without any kind of evidence.

      However with what I'm proposing, there would have to be a pattern of deliberate attack. That is, you don't have a robot crawling websites looking for words like "Happy Gilmore" and then immediately issuing a DMCA takedown. Rather it would have to be a pattern of abuse (and you can establish a pretty clear DoS pattern within seconds/minutes) initiated by the attacker.

      Furthermore, it should be made abundantly clear that the only purpose of these kinds of laws is to protect the infrastructure itself, with no riders for restriction of application layer content (which would mean no censorship of any kind, whether it's somebody communicating plans to create a death ray to destroy the world or somebody downloading the latest installment of Hunger Games will not be inhibited by such rules; as far as this law is concerned they're free to take over the world just so long as the internet remains working.)

      Of course, I know the MPAA/RIAA would stop at nothing to make sure that this included censorship provisions, which would make this hard to get through, but so is any treaty.

  31. Re:Maybe botnet members should be held responsible by tepples · · Score: 1

    Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch

    How would you download the image with which to "rebuild from scratch" and download patches released since the image was created without Internet access?

  32. Mirror patches if feasible, block rest of net by tepples · · Score: 1

    And how do they stop it if they don't have Internet access to download the latest patches?

    Devices not yet cleared for Internet access would have access to hosts other than the ones used for update services blocked. Better yet, the ISP could run a mirror of Apple Software Update, Windows Update, and Ubuntu trusty-security and wily-security.

    What if there are no patches?

    If patches do not exist because the operating system has reached its date of end of support, it is the subscriber's responsibility to purchase an upgrade to customer-provided equipment. If patches do not exist because the defect is still 0-day, I don't know. If patches exist but the ISP is not aware of a particular brand of operating system, I don't know.

    1. Re:Mirror patches if feasible, block rest of net by ArmoredDragon · · Score: 1

      I wouldn't even be concerned with 0-day. Use a stateful firewall to block all unsolicited packets, use a modern web browser, disable all NPAPI plugins. Only do otherwise if you know what you're doing, because it's your problem if you get blocked again.

      If something is still exploited even after that (like say a brand new copy of Insecure Explorer 2.1 has a zero-day in its jpeg rendering library) then the ISPs should allow a grace period until that gets patched.

    2. Re:Mirror patches if feasible, block rest of net by CanadianMacFan · · Score: 1

      I was actually thinking of limiting access to certain sites but the original proposal was to just cut off all access and I was trying to make a point. While an ISP may consider hosting a mirror of updates for Apple or Microsoft (assuming they would go for it) I don't know if they would be interested in doing it for Linux and similar OSes. I've been out of the Linux environment for a while now so I don't know how fragmented it is or has it narrowed down to one or two distributions?

      The other problem is what to do with things that aren't traditional computers. Right now it's mostly routers with some thermostats but as the appliance industry tries to throw the Internet into everything what happens when they get taken over? We've seen how slow the manufacturers of routers are to get updates out when there is a security issue. And let's face it even if the ISP called the customer to verify that they had updated computers very few would think to check a router today.

  33. My email is just fine. by Anonymous Coward · · Score: 0

    Good luck with that Google DDOS guys.

  34. Re: Maybe botnet members should be held responsible by Anonymous Coward · · Score: 0

    I once lived in an apartment with free internet, no router required. All the units were on one large LAN. I did some packet sniffing and found an IP that was constantly making DNS requests for the same sites over and over again. But with the LAN setup the apartments were using we all had the same public IP. If you cut that IP off a lot of innocent people would lose internet.

  35. Re:Maybe botnet members should be held responsible by Bing+Tsher+E · · Score: 1

    The image is already onsite, on removable media.

    If not. Oh well. What kind of crapware OS were you running, again?

  36. DNS affects both attack and defense by billstewart · · Score: 2

    Attackers use DNS in a couple of ways - one is as an amplifier, where the attacker forges a query "from" the target's IP address to a DNS server that produces a response that's larger than the query, which causes more traffic and hides the attacker's IP. (Fixing this requires configuring DNS servers not to do amplification, and getting the ISPs that the bots live on to enforce anti-spoofing - how many decades old is BCP38 now?) Another is as a way for the bots to contact their controller, and for intermediate controllers to contact their master controllers, so the controllers can change their IP addresses and keep working. Often this is "fast-flux DNS", where the name records have short expiration times, and are often bought with stolen credit cards. (There are some defenses like identifying DNS registrars that support lots of bad guys, and configuring DNS resolvers not to accept names that have been registered in the past day or so, but bots can always do their own name resolution instead of using the host's or ISP's default DNS server, and you can't simply force DNS caching times to be long because that affects DNS-based load-balancers.)

    Defenders have multiple ways to use DNS. One is simply load-balancing among servers - www.example.com can hand out different IP addresses to end users based on load or whatever, and can try to guess which users are legitimate and point them to different servers than the attackers. Lots of variations on this, and they can also do things like redirect web requests from www.example.com to wwwX.example.com, where X is 1...n different groups of servers, or moves every 15 minutes, or whatever. One thing to be careful of is that real web browsers usually cache IP addresses for a long time.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  37. Re:Maybe botnet members should be held responsible by Anonymous Coward · · Score: 0

    If X uses OS A, webserver B, application C and database D, all from different vendors?

  38. Internet mafia by Anonymous Coward · · Score: 0

    Seems like there's an opportunity for an Internet Mafia to form, offering protection and attacking other hackers who attack their paying customers. Racketeering in the Internet age.

  39. I don't understand the lack of knowledge by Anonymous Coward · · Score: 1

    on the part of the provider's ISP. It would be easy to learn which are the offending IP addresses and simply blackhole them at the router level. If the provider's ISP is too small to effect much of a change, the supplying ISP could easily do this. When I worked firewall and router security for the largest ISP in the US, we simply blackholed the IP and, in some instances, entire class Cs and in a few instances, a class B coming out of Korea because the ISP wouldn't listen to reason. When enough of their customers called to complain their packets were being dropped into the blackhole route on the west coast of the US, they listened to us then.

    1. Re:I don't understand the lack of knowledge by jonwil · · Score: 1

      Except when it's a distributed attack and it's coming from infected machines belonging to clueless users all over the world it's not possible to black hole all the traffic...

  40. Motive? by Anonymous Coward · · Score: 0

    I'm puzzled by the motive behind this for the TLAs.

    Admittedly they don't like the privacy based web mail suppliers but it seems like using a sledge hammer to crack a nut. These email companies will never cover more than a tiny fraction of email users. The attackers are also drawing attention to their capabilities in this area and are encouraging their victims to harden their defenses which may make it more difficult for the TLAs if they need to do an attack in the future.

    Ultimately these attacks may be counter productive and they have a hint of petulance about them.

  41. Where are these 'bots? by jandjmh · · Score: 1

    Has anyone done a recent analysis of where these machines are, and what version of Windows they are running? XP use is finally fading, and I have seen a surprising number of home PCs successfully upgraded from Windows 7 or 8 to Windows 10.
    I would not expect a malware infection to survive the update.
    So are the number of bots in the network declining?

  42. Unpatched install image by tepples · · Score: 1

    and download patches released since the image was created

    The image is already onsite, on removable media.

    The copy on removable media is more than likely not yet patched up to today. Or do you make a new install image every month with all updates slipstreamed in?

    1. Re:Unpatched install image by ArmoredDragon · · Score: 2

      The vast majority of the time somebody runs a compromised system these days, flaws in the host OS weren't the attack vector used. It's typically somebody downloading "free app that you must try now" or going to bad sites that have a flash or java exploit.

      Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows, or any recent Linux distribution, you aren't going to get an infected system just for having it on the network.

    2. Re: Unpatched install image by Anonymous Coward · · Score: 0

      As a clarification, said bad sites might be prestigious sites a tad too easy on monitoring their ad partners. If your system as a whole is compromisable there is hardly any place on the net that is secure.

  43. Re:Maybe botnet members should be held responsible by Anubis+IV · · Score: 1

    It was back in the early 2000s. At the time, their policy only required Windows machines to do the scan. Macs and Linux didn't have to.

    Again, I'm not suggesting it was or is a good policy, nor that it's something to model national policy after. I was merely pointing out that there is precedent for similar sorts of policies at a smaller scale.

  44. Re:Maybe botnet members should be held responsible by KGIII · · Score: 1

    Then maybe, just maybe, they shouldn't own a computer. I know, I know... It's a horrible thought that people would be better served by knowing how to properly use the tools they own.

    --
    "So long and thanks for all the fish."
  45. Re:Maybe botnet members should be held responsible by KGIII · · Score: 1

    I've been saying this for years. If you're exhibiting signs of malicious activity that indicates an infection then you get firewalled from the 'net in general but have access to the tools to repair it.

    --
    "So long and thanks for all the fish."
  46. Is there a vulnerability in Windows 7 RTM? by tepples · · Score: 1

    Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows

    I seem to remember that Windows XP RTM was vulnerable because it connected to the network before its firewall was up. This meant a PC could get remotely compromised before it could finish downloading updates, even if it ran no applications other than Windows Update. The workaround was to purchase and install an external firewall appliance. Do more recent versions of Windows have an analogous vulnerability that would require someone to have to burn an install disc with a slipstreamed service pack in order to be safe? If someone were to reinstall from, say, the Windows 7 RTM disc, what hole could attackers use before the PC downloads updates?

    1. Re:Is there a vulnerability in Windows 7 RTM? by ArmoredDragon · · Score: 1

      Vanilla Windows XP had a firewall, but IIRC it was off by default and was borderline useless. Microsoft didn't change that until SP2.

  47. Re:Maybe botnet members should be held responsible by Anonymous Coward · · Score: 0

    "they can keep logs of what IP addresses are obviously using them as a DDoS reflector"

    The problem is, if you're being attacked by a reflection attack, you will only see packets coming from the 'fairly' innocent servers (usually DNS or NTP) being used for reflection. If you try and contact them and get their logs checked, all they will see is packets destined for their server, with a source address of you, the target. Reflection works by sending packets to the reflection server that have the target as the source (this is also why they only use UDP services). As the source is fake, finding out where it originally came from is near impossible.

    The most obvious thing that does need looking at, but is almost impossible especially in less developed countries, is pushing on ISPs to make sure their routers are not sending out any egress traffic that doesn't have one of their addresses as the source.

    Reflection attacks are becoming a huge problem that allow pretty much anyone to take out massive networks at will, and it pretty much relies on the fact that large parts of the Internet don't bother checking that packets they are sending out actually have a source address inside their own network.
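    The egress check this comment (and the BCP38 remark in comment 36) calls for, as an added example that is not from any commenter: a source-address filter at the ISP edge, plus a view of why the abused reflector's own logs would only ever show the victim. The prefixes, flow records and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One outbound flow record as seen at the ISP's border router (constructed)."""
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

# Hypothetical address space allocated to this ISP (documentation range).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of outbound traffic: two honest customer flows and two
# UDP queries whose source has been forged to the victim's address.
SAMPLE_EGRESS = [
    Flow("203.0.113.10", "192.0.2.80", "tcp", 443, 1200),   # customer HTTPS
    Flow("198.51.100.7", "192.0.2.53", "udp", 53, 64),      # spoofed DNS query
    Flow("198.51.100.7", "192.0.2.123", "udp", 123, 48),    # spoofed NTP query
    Flow("203.0.113.77", "192.0.2.53", "udp", 53, 70),      # customer DNS query
]

def is_own_source(src: str) -> bool:
    """BCP38 test: does this source address belong to our own prefixes?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)

def bcp38_egress_filter(flows):
    """Split outbound flows into (forwarded, dropped) by source ownership."""
    forwarded, dropped = [], []
    for f in flows:
        (forwarded if is_own_source(f.src) else dropped).append(f)
    return forwarded, dropped

REFLECTOR_PORTS = {53: "dns", 123: "ntp"}

def reflector_log_view(flows):
    """What the reflector would have logged had these packets been forwarded:
    a count per apparent source, i.e. per victim, never the bot's address."""
    seen = {}
    for f in flows:
        if f.proto == "udp" and f.dport in REFLECTOR_PORTS:
            seen[f.src] = seen.get(f.src, 0) + 1
    return seen

if __name__ == "__main__":
    fwd, drop = bcp38_egress_filter(SAMPLE_EGRESS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}", reflector_log_view(drop))
```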

  48. Re:Maybe botnet members should be held responsible by Zaiff+Urgulbunger · · Score: 1

    But the user is responsible for it. Like a car owner is responsible for their car. Users don't *have* to understand either of those things to own and use one, but they're still responsible.

  49. Re: Maybe botnet members should be held responsibl by Anonymous Coward · · Score: 0

    Maybe ransom payers should be held responsible? They're worse than the botnet hosts, they knew what they were doing.

  50. Re:Maybe botnet members should be held responsible by fustakrakich · · Score: 1

    The consumer is being sold a defective "car", with loose bolts, faulty electrics, and bad brakes.

    --
    “He’s not deformed, he’s just drunk!”
  51. Re:Maybe botnet members should be held responsible by ale2011 · · Score: 1

    A tighter car analogy would have considered a place where people can drive without a license, car vendors increasingly hide technical details such as control lights and rev counters, and it is generally considered unfeasible for drivers to be their own security managers.