Someone Is Learning How To Take Down the Internet, Warns Bruce Schneier

Some of the major companies that provide the basic infrastructure that makes the internet work have seen an increase in DDoS attacks against them, says Bruce Schneier. He adds that these attacks are of much larger scale -- including the duration -- than the ones we have seen previously. These attacks, he adds, are also designed to test what all defense measures a company has got -- and they ensure that the company uses every they have got, leaving them with no choice but to demonstrate their defense capabilities to the attacker. He hasn't specifically shared details about the organizations that are under attack, but what little he has elaborated should give us a chill. From his blog post: [...] This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes (PDF) a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex." There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services. Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

False flag operation?

Could be NSA/GCHQ false-flag operation to pin the attacks on Russia.

Re:DDoS Defense

[cfalcon]

The problem is that DDOS is a core vulnerability based on how the internet is built. If you get packets that should go somewhere, you try to push them there. You don't know that the guy who handed them to the guy that handed them to the guy that handed them to you is a botnet node: you just know packets go a place. You forward them.

Eventually, you hit a point where someone in that link COULD figure out that packets are part of a DDOS, but in the current model, that's just too damned far along.

At what point do end-users become responsible

[mlw4428]

For far too long we've allowed people to buy computers, hook them up to the internet with crappy "AV" software, let the end-user allow the subscription to end, not install security updates, and do literally everything else they can do to compromise security. In effect, it's like letting a drunk driver to drive around in his car after allowing him to cut his break lines, and shove a heavy rock on the accelerator. There needs to be something that holds people accountable to do a bare minimum number of things.I realize that simple things like having a decently ranked AV, keeping it and the OS updated, keeping critical programs updated, and ensuring that home passwords are sufficiently complicated won't stop every single attack. But neither will simply telling people they should't drive drunk. That's why we have laws and cops and revokation of driver's licenses, fines, and jail time. At some point, end users need to be held accountable.

Re:DDoS Defense

[sexconker]

DDoS patterns are pretty obvious, and you don't need fancy DPI either.

Happy-go-lucky packet forwarding works when everyone plays by the rules. That's not the case. You have to respond, and the ONLY response is to throttle/block the traffic. The further upstream you do this the more effective it is, but the wider impact it has for legitimate traffic. That's why step 4 is critical for the target.

It's a very simple solution to a very simple problem. DDoS is just the normal internet at an abnormal scale. All effective responses go against the general design of the internet because they involve removing a host from the internet or portions of it. So you want to limit responses to be as close to the source as possible to avoid impacting all the good actors.

Redesign internet with a backchannel

[presidenteloco]

My computer often freezes with the beachball of death or disappearing cursor. Some runaway application, interacting with OS memory managment or UI services and devices, has managed to DOS my computer. Often a reboot is the only solution.
But what was the real problem? The fact that someone designed an OS that allows runaway processes and memory managers and what not to completely dominate all other processes, or to completely hijack key devices.
Why would an OS not have a more effective segmentation; a hierarchy, which enforces rules like:
- Never dominate the pointer movement and rendering, ever, for any reason
- Give the process kill user interface (red button, X), and the process termination procedure, absolute highest priority as well.
- Have a high-priority command shell process.
- Don't let background processing and user-process memory use ever dominate and freeze user interface rendering. Probably requires a separate CPU core just for talking to the graphics subsystem.

Seems like an off-topic aside maybe?
But the same principle should be applied to Internet design.
- A backchannel allowing sys-admin commands (at low data rates only) to get through the network should have highest priority and not be affected at all by overcapacity on other "channels".
- A low data rate channel permitting only low-frequency-of-send email / messaging protocol to get through should be next in line. By design it should not permit flooding. Its functioning should be entirely independent of any DDOSable level.
- A level which supports general web-ish and messaging protocols but for trusted authenticated communicators only.
- Finally, separated from the other levels at every switch, router, and network card, something akin to the current DDOS-ABLE level where anything goes.