Slashdot Mirror
Webmail Services Struggling Against DDoS Attacks (fastmail.com)
An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.
They should have used WWindowS instead.
Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.
Will this push the privacy oriented webmail providers further to the margins and create a landscape where only the big players such as Google and Microsoft can survive?
We play the game with the bravery of being out of range
Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.
You should always call any bluff of DDOS extortion. These botnets aren't free and cost money to get time on them. You might feel a little pain, but better than giving in to demands.
Better yet, use Cloudflare or subscribe to Spamhaus to preemptively deny traffic.
Judging by the systems being hit, I can't help but wonder if the attacks are being done by a government agency.
More like, the companies who wrote the OS should be responsible.
This service has always been a joke. First off, they've been hacked multiple times, executing JS inside emails. It's ran by incompetent people, and you cannot secure these types of services from a faked signed SSL cert and injected JS to send off your unencrypted email contents the second they're displayed. Protonmail is the ILLUSION of security, the world is better off without it.
As the other reply said, the OS is responsible. Go after them. The computer is still a black box, the user has no idea what goes on inside. All they know is that if they let any smoke leak out, the machine is cooked. Like all other crimes you need to find the perpetrator. Don't fuck with those caught in the crossfire.
“He’s not deformed, he’s just drunk!”
That way, we'd see less spam...
More like, the companies who wrote the OS should be responsible.
No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.
Big centralized services are vulnerable to these kinds of attacks.
Perhaps if the service were distributed over tens of thousands of nodes in thousands of data centers, it would be more difficult to perform the attack.
Anybody can hire a botnet to flood one data center. Can they flood every data center on the entire Internet at the same time?
I myself advocate an approach that identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.
Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.
That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.
The equivalent is not maintaining the brakes on a car. This happens, and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.
Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.
Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), PFSense with Snort routers would become very inexpensive and common.
You really don't understand this shit, do you?
The goddam botnets are smart enough to change IP addresses at random, and often.
It's Whack-a-Mole.
It little behooves the best of us to comment on the rest of us.
Is there anyway to solve DDOS attacks for good? Would a more robust DNS system work? Say one that dynamically assigns multiple IPs and rotates them with a frequency based on load?
You really don't understand this shit, do you?
The goddam botnets are smart enough to change IP addresses at random, and often.
It's Whack-a-Mole.
Theres even another level of indirection; in reflection attacks you, the recipient of the attack, gets to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see the these.
In the free world the media isn't government run; the government is media run.
Oh, the botnet endpoints are smart enough to change the IP address assigned to the endpoint? Hrmm, how are they doing that on your typical user TWC or COX internet connection? Oh wait they aren't. You THINK they are because they just use different botnets for different attacks, or only utilize a % of the zombie PCs in their botnet.
Having the ISP cut the user off is a valid solution, or at the least, drop it to 56k speeds. You stop the zombies from attacking, you stop the DDoS.
That will turn the internet into "cable TV" with dumb terminals connected to a few big content providers in the blink of an eye.
And how do they stop it if they don't have Internet access to download the latest patches? What if there are no patches?
Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.
In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN mac address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to 192.168.1.100, but other than that most modems don't support this.)
But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.
Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.
Centurylink - a company with plenty of reasons to hate it - will restrict internet access from machines deemed to be running malware until you talk to them and fix it.
Well first see my post here:
http://slashdot.org/comments.p...
And in addition to that, anybody who owns something that is being used as a reflector could be required to fix it (i.e. an open relay needs to add authentication) and in the case of passive services that can be used as reflectors (such as DNS) they can keep logs of what IP addresses are obviously using them as a DDoS reflector and report them to a proper authority.
You're talking past each other. To draw a car analogy, let's pretend that the streets around a particular business are getting clogged up by unlicensed teens borrowing their parent's cars to go joyriding. The previous poster is suggesting that we tell those parents that they're not allowed to drive on the road until they take steps to prevent their kids from using their cars illegally. I.e. We put the onus on the owners of the cars to properly secure their vehicle before we let them use a shared resource. You're saying that he doesn't understand the problem, since other kids will just clog up the roads instead.
To some extent, you're both right.
His idea won't fix the problem overnight or for any particular attack happening right now, but if we can get enough countries to enact such policies, it would effectively cut the legs out from under any future DDoS attacks, since it would reduce the number of zombie PCs and a botnet is only as strong as the number of zombie members in its network. At that point, we'd have to worry about people from non-treaty nations (i.e. to go back to the car analogy, kids from a neighboring region where the restrictions aren't in place).
A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network, and then if malware activity was later detected, they'd cut you off until you fixed the issue and came back clean on a subsequent scan. I'm not suggesting that would be a good policy at a national level (in fact, I'd suggest it would be a HORRIBLE idea to allow the government to require us to install and execute software of its own creation), but it is an interesting idea, nonetheless.
Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch, and have your WAN edge configured as stateful and drop all unsolicited packets, which is easy to do with most SOHO gear. Don't know how to do that? Well then you should probably either learn how or hire somebody. Either way, that's better than a fine.
I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by 48 hour suspension. If after your service is restored and the problem isn't resolved, then you've got 24 hours to resolve, and if not resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.
As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week, and there is no warning period. Some of the ISP's customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.
A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network
Is this malware scan available for OS X and major GNU/Linux distributions? Or does it work correctly in Wine? Or are students required to buy a copy of Genuine Windows® for each Mac or Linux laptop, reboot into Windows in order to connect to the Internet, replace iPad and Android tablets with Surface tablets, and leave the phones on cellular data?
you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week
Isn't that what the widely hated Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECTIP) bills threatened to do?
Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch
How would you download the image with which to "rebuild from scratch" and download patches released since the image was created without Internet access?
And how do they stop it if they don't have Internet access to download the latest patches?
Devices not yet cleared for Internet access would have access to hosts other than the ones used for update services blocked. Better yet, the ISP could run a mirror of Apple Software Update, Windows Update, and Ubuntu trusty-security and wily-security.
What if there are no patches?
If patches do not exist because the operating system has reached its date of end of support, it is the subscriber's responsibility to purchase an upgrade to customer-provided equipment. If patches do not exist because the defect is still 0-day, I don't know. If patches exist but the ISP is not aware of a particular brand of operating system, I don't know.
The image is already onsite, on removable media.
If not. Oh well. What kind of crapware OS were you running, again?
Attackers use DNS in a couple of ways - one is as an amplifier, where the attacker forges a query "from" the target's IP address to a DNS server that produces a response that's larger than the query, which causes more traffic and hides the attacker's IP. (Fixing this requires configuring DNS servers not to do amplification, and getting the ISPs that the bots live on to enforce anti-spoofing - how many decades old is BCP38 now?) Another is as a way for the bots to contact their controller, and for intermediate controllers to contact their master controllers, so the controllers can change their IP addresses and keep working. Often this is "fast-flux DNS", where the name records have short expiration times, and are often bought with stolen credit cards. (There are some defenses like identifying DNS registrars that support lots of bad guys, and configuring DNS resolvers not to accept names that have been registered in the past day or so, but bots can always do their own name resolution instead of using the host's or ISP's default DNS server, and you can't simply force DNS caching times to be long because that affects DNS-based load-balancers.)
Defenders have multiple ways to use DNS. One is simply load-balancing among servers - www.example.com can hand out different IP addresses to end users based on load or whatever, and can try to guess which users are legitimate and point them to different servers than the attackers. Lots of variations on this, and also they can do things like redirect web requests from www.example.com to wwwX.example.com, where X is 1...n different groups of servers, or moves every 15 minutes, or whatever. Some things to be careful of are that real web browsers usually cache IP addresses for a long time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
on the part of the provider's ISP. It would be easy to learn which are the offending IP addresses and simply blackhole them at the router level. The the provider's ISP is too small to effect much of a change, the supplying ISP could easily do this. When I worked firewall and router security for the largest ISP in the US, we simply bllackholed the IP and, in some instances, entire class Cs and in a few instances, a class B coming out of Korea because the ISP wouldn't listen to reason. When enough of their customers called to complain their packets were being dropped into the blackhole route on the west coast of the US, they listened to us then.
Has anyone done a recent analysis of where these machines are, and what version of Windows they are running? XP use is finally fading, and I have seen a surprising number of home PCs successfully upgraded from Windows 7 or 8 to Windows 10.
I would not expect a malware infection to survive the update.
So are the number of bots in the network declining?
and download patches released since the image was created
The image is already onsite, on removable media.
The copy on removable media is more than likely not yet patched up to today. Or do you make a new install image every month with all updates slipstreamed in?
It was back in the early 2000s. At the time, their policy only required Windows machines to do the scan. Macs and Linux didn't have to.
Again, I'm not suggesting it was or is a good policy, nor that it's something to model national policy after. I was merely pointing out that there is precedent for similar sorts of policies at a smaller scale.
Then maybe, just maybe, they shouldn't own a computer. I know, I know... It's a horrible thought that people would be better served by knowing how to properly use the tools they own.
"So long and thanks for all the fish."
I've been saying this for years. If you're exhibiting signs of malicious activity that indicates an infection then you get firewalled from the 'net in general but have access to the tools to repair it.
"So long and thanks for all the fish."
Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows
I seem to remember that Windows XP RTM was vulnerable because it connected to the network before its firewall was up. This meant a PC could get remotely compromised before it could finish downloading updates, even if it ran no applications other than Windows Update. The workaround was to purchase and install an external firewall appliance. Do more recent versions of Windows have an analogous vulnerability that would require someone to have to burn an install disc with a slipstreamed service pack in order to be safe? If someone were to reinstall from, say, the Windows 7 RTM disc, what hole could attackers use before the PC downloads updates?
But the user is responsible for it. Like a car owner is responsible for their car. Users don't *have* to understand either of those things to own and use one, but they're still responsible.
The consumer is being sold a defective "car", with loose bolts, faulty electrics, and bad brakes.
“He’s not deformed, he’s just drunk!”
A tighter car analogy would have considered a place where people can drive without license, car vendors increasingly hide technical details such as control lights and rev counters, and it is generally considered unfeasible for drivers to be their own security managers.