Slashdot Mirror

← Back to Stories (view on slashdot.org)

Webmail Services Struggling Against DDoS Attacks (fastmail.com)

Posted by Soulskill on from the lag-as-a-service dept.

An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.

11 of 90 comments (clear)

  1. Maybe botnet members should be held responsible? by Anonymous Coward · · Score: 3, Interesting

    Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.

  2. NSA by Anonymous Coward · · Score: 3, Insightful

    Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.

  3. Givernment attacks? by wardrich86 · · Score: 4, Interesting

    Judging by the systems being hit, I can't help but wonder if the attacks are being done by a government agency.

    1. Re:Givernment attacks? by Ralph+Wiggam · · Score: 5, Insightful

      ProtonMail suspects a "state actor" but has zero evidence to support that. It makes no sense for a government to just DDOS a mail service. Governments would hack into the servers.

  4. Re: Maybe botnet members should be held responsibl by ShanghaiBill · · Score: 4, Insightful

    More like, the companies who wrote the OS should be responsible.

    No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.

  5. Re:botnets cost money by alex67500 · · Score: 3, Informative

    Denying traffic takes computing time too, if the attacks are as massive as the TFS suggests, any device used to filter the incoming requests would soon be overwhelmed and the service would be down anyway...

  6. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 4, Insightful

    I myself advocate an approach that identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.

    Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.

    That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.

  7. Re: Maybe botnet members should be held responsibl by Anonymous Coward · · Score: 3, Interesting

    The equivalent is not maintaining the brakes on a car. This happens, and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.

    Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.

    Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), PFSense with Snort routers would become very inexpensive and common.

  8. Re:Maybe botnet members should be held responsible by myowntrueself · · Score: 3, Informative

    You really don't understand this shit, do you?

    The goddam botnets are smart enough to change IP addresses at random, and often.

    It's Whack-a-Mole.

    Theres even another level of indirection; in reflection attacks you, the recipient of the attack, gets to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see the these.

    --
    In the free world the media isn't government run; the government is media run.
  9. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 4, Interesting

    Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.

    In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN mac address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to 192.168.1.100, but other than that most modems don't support this.)

    But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.

    Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.

  10. Re:Maybe botnet members should be held responsible by ArmoredDragon · · Score: 3, Insightful

    I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by 48 hour suspension. If after your service is restored and the problem isn't resolved, then you've got 24 hours to resolve, and if not resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.

    As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week, and there is no warning period. Some of the ISP's customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.