Webmail Services Struggling Against DDoS Attacks (fastmail.com)
An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.
Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.
Will this push the privacy oriented webmail providers further to the margins and create a landscape where only the big players such as Google and Microsoft can survive?
We play the game with the bravery of being out of range
Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.
Judging by the systems being hit, I can't help but wonder if the attacks are being done by a government agency.
More like, the companies who wrote the OS should be responsible.
No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.
Denying traffic takes computing time too. If the attacks are as massive as the TFS suggests, any device used to filter the incoming requests would soon be overwhelmed and the service would be down anyway...
I myself advocate an approach in which identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, so why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.
Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.
That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.
The equivalent is not maintaining the brakes on a car. When this happens and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.
Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.
Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), pfSense with Snort routers would become very inexpensive and common.
You really don't understand this shit, do you?
The goddam botnets are smart enough to change IP addresses at random, and often.
It's Whack-a-Mole.
There's even another level of indirection; in reflection attacks you, the recipient of the attack, get to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see these.
In the free world the media isn't government run; the government is media run.
Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.
In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN MAC address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to 192.168.1.100, but other than that most modems don't support this.)
But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.
Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.
Well first see my post here:
http://slashdot.org/comments.p...
And in addition to that, anybody who owns something that is being used as a reflector could be required to fix it (i.e. an open relay needs to add authentication) and in the case of passive services that can be used as reflectors (such as DNS) they can keep logs of what IP addresses are obviously using them as a DDoS reflector and report them to a proper authority.
You're talking past each other. To draw a car analogy, let's pretend that the streets around a particular business are getting clogged up by unlicensed teens borrowing their parents' cars to go joyriding. The previous poster is suggesting that we tell those parents that they're not allowed to drive on the road until they take steps to prevent their kids from using their cars illegally. I.e., we put the onus on the owners of the cars to properly secure their vehicle before we let them use a shared resource. You're saying that he doesn't understand the problem, since other kids will just clog up the roads instead.
To some extent, you're both right.
His idea won't fix the problem overnight or for any particular attack happening right now, but if we can get enough countries to enact such policies, it would effectively cut the legs out from under any future DDoS attacks, since it would reduce the number of zombie PCs and a botnet is only as strong as the number of zombie members in its network. At that point, we'd have to worry about people from non-treaty nations (i.e. to go back to the car analogy, kids from a neighboring region where the restrictions aren't in place).
A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network, and then if malware activity was later detected, they'd cut you off until you fixed the issue and came back clean on a subsequent scan. I'm not suggesting that would be a good policy at a national level (in fact, I'd suggest it would be a HORRIBLE idea to allow the government to require us to install and execute software of its own creation), but it is an interesting idea, nonetheless.
I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by a 48 hour suspension. If after your service is restored the problem isn't resolved, then you've got 24 hours to resolve it, and if it isn't resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.
As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border a non-signatory nation to have the known botnet IP addresses blocked for one week, with no warning period. Some of the ISP's customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.
Attackers use DNS in a couple of ways - one is as an amplifier, where the attacker forges a query "from" the target's IP address to a DNS server that produces a response that's larger than the query, which causes more traffic and hides the attacker's IP. (Fixing this requires configuring DNS servers not to do amplification, and getting the ISPs that the bots live on to enforce anti-spoofing - how many decades old is BCP38 now?) Another is as a way for the bots to contact their controller, and for intermediate controllers to contact their master controllers, so the controllers can change their IP addresses and keep working. Often this is "fast-flux DNS", where the name records have short expiration times, and are often bought with stolen credit cards. (There are some defenses like identifying DNS registrars that support lots of bad guys, and configuring DNS resolvers not to accept names that have been registered in the past day or so, but bots can always do their own name resolution instead of using the host's or ISP's default DNS server, and you can't simply force DNS caching times to be long because that affects DNS-based load-balancers.)
Defenders have multiple ways to use DNS. One is simply load-balancing among servers - www.example.com can hand out different IP addresses to end users based on load or whatever, and can try to guess which users are legitimate and point them to different servers than the attackers. Lots of variations on this, and also they can do things like redirect web requests from www.example.com to wwwX.example.com, where X is 1...n different groups of servers, or moves every 15 minutes, or whatever. One thing to be careful of is that real web browsers usually cache IP addresses for a long time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
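Two comments above suggest that operators of passive reflector services such as DNS keep logs of clients that are obviously being used for reflection and report them, and describe how the amplification itself works (small forged query, large answer "to" the victim). The script below is an added example, not code from the thread or from any poster; it parses a constructed resolver query log (the log format and thresholds are assumptions) and flags "clients" whose traffic profile matches a reflected flood, i.e. the spoofed victim addresses an operator would want to identify and report rather than block.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (not real data): one record per line,
# "ts client_ip qname qtype query_bytes response_bytes".
# In a reflection attack the "client" is the spoofed victim, so it
# shows up as one address receiving many large answers to tiny queries.
SAMPLE_LOG = """\
1446800001 203.0.113.7 isc.org ANY 64 3200
1446800001 203.0.113.7 isc.org ANY 64 3200
1446800002 203.0.113.7 ripe.net ANY 63 2900
1446800002 203.0.113.7 isc.org ANY 64 3200
1446800003 203.0.113.7 isc.org ANY 64 3200
1446800003 198.51.100.20 www.example.com A 50 66
1446800004 198.51.100.21 mail.example.com MX 53 120
1446800004 203.0.113.7 ripe.net ANY 63 2900
"""

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, qlen, rlen = parts
        try:
            records.append({"ts": int(ts), "client": ipaddress.ip_address(client),
                            "qname": qname.lower(), "qtype": qtype.upper(),
                            "qlen": int(qlen), "rlen": int(rlen)})
        except ValueError:
            continue
    return records

def find_reflection_victims(records, min_queries=4, min_amp=10.0):
    """Per client: amplification = bytes we sent / bytes we received, plus the
    share of ANY queries (a classic amplifier). Returns clients above threshold."""
    stats = defaultdict(lambda: {"n": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for r in records:
        s = stats[r["client"]]
        s["n"] += 1
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
        s["any"] += int(r["qtype"] == "ANY")
    flagged = {}
    for client, s in stats.items():
        amp = s["rbytes"] / s["qbytes"]
        if s["n"] >= min_queries and amp >= min_amp:
            flagged[str(client)] = {"queries": s["n"], "amplification": round(amp, 1),
                                    "any_share": round(s["any"] / s["n"], 2)}
    return flagged
```

A flagged address is the victim of the spoofing, not the attacker, so the useful follow-ups are response rate limiting on the resolver and a report to the address holder or their ISP; the trigger hosts are only visible to networks that enforce BCP38-style egress filtering.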
The vast majority of the time somebody runs a compromised system these days, flaws in the host OS weren't the attack vector used. It's typically somebody downloading "free app that you must try now" or going to bad sites that have a flash or java exploit.
If you install a fresh copy of Windows 7 SP1 or any newer version of Windows, or any recent Linux distribution, you aren't going to get an infected system just for having it on the network.