Slashdot Mirror
Someone Is Learning How To Take Down the Internet, Warns Bruce Schneier (schneier.com)
Some of the major companies that provide the basic infrastructure that makes the internet work have seen an increase in DDoS attacks against them, says Bruce Schneier. He adds that these attacks are of much larger scale -- including the duration -- than the ones we have seen previously. These attacks, he adds, are also designed to test what all defense measures a company has got -- and they ensure that the company uses every they have got, leaving them with no choice but to demonstrate their defense capabilities to the attacker. He hasn't specifically shared details about the organizations that are under attack, but what little he has elaborated should give us a chill. From his blog post: [...] This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes (PDF) a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex." There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services. Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.
Could be NSA/GCHQ false-flag operation to pin the attacks on Russia.
Don't worry I've already copied the internet onto a blank CD.
"All your Internet Bases are belong to us!"
Work place productivity would skyrocket... ... Until the Internet withdrawal symptoms kick in.
"The data I see suggests China, an assessment shared by the people I spoke with."
Of course, that will be buried in these comments that it's a US false flag, that obviously it's the US that's responsible, etc.
It couldn't possibly be someone like China.
I wonder who would stand to benefit from an Internet black out during the US presidential election?
Cwm, fjord-bank glyphs vext quiz
640k ought to be enough for anybody to back up the Internet.
The problem is that DDOS is a core vulnerability based on how the internet is built. If you get packets that should go somewhere, you try to push them there. You don't know that the guy who handed them to the guy that handed them to the guy that handed them to you is a botnet node: you just know packets go a place. You forward them.
Eventually, you hit a point where someone in that link COULD figure out that packets are part of a DDOS, but in the current model, that's just too damned far along.
For far too long we've allowed people to buy computers, hook them up to the internet with crappy "AV" software, let the end-user allow the subscription to end, not install security updates, and do literally everything else they can do to compromise security. In effect, it's like letting a drunk driver to drive around in his car after allowing him to cut his break lines, and shove a heavy rock on the accelerator. There needs to be something that holds people accountable to do a bare minimum number of things.I realize that simple things like having a decently ranked AV, keeping it and the OS updated, keeping critical programs updated, and ensuring that home passwords are sufficiently complicated won't stop every single attack. But neither will simply telling people they should't drive drunk. That's why we have laws and cops and revokation of driver's licenses, fines, and jail time. At some point, end users need to be held accountable.
This viewpoint is almost the opposite of reality. Losing the Internet is among the worst things that could happen.
DDoS patterns are pretty obvious, and you don't need fancy DPI either.
Happy-go-lucky packet forwarding works when everyone plays by the rules. That's not the case. You have to respond, and the ONLY response is to throttle/block the traffic. The further upstream you do this the more effective it is, but the wider impact it has for legitimate traffic. That's why step 4 is critical for the target.
It's a very simple solution to a very simple problem. DDoS is just the normal internet at an abnormal scale. All effective responses go against the general design of the internet because they involve removing a host from the internet or portions of it. So you want to limit responses to be as close to the source as possible to avoid impacting all the good actors.
This is why slashdot sucks so much. I started reading /. back when the UIDs where in the 10k range, and only people who really knew about the subject would comment. It took me many months before I saw a topic I could contribute to with enough insight, hence my 100K UID.
Now, we have captain obvious noob giving a trivial "shut down" solution, which only works when the botnet is concentrated in an arrogant tone to the security experts in Verisign and Bruce Schneier. To top it off it gets ranked +4 Insightful.
p.s. Can we add a moderation score of -1 Rolls eyes?
Don't be an idiot.
Really
This isn't about being personally liberated from the internet. This is about attacking critical infrastructure. This is like the paving of every interstate in the country disintegrating overnight.
Sure, there would be lots of time for people to sit at home and enjoy the flowers. Meanwhile 99% of the population would immediately begin to run out of food and within a week chaos would reign - most people would have no job to work and no food to eat. The economy would take a massive pounding.
Captcha: pounding
Just save it to the cloud! That way, when the internet goes down, you can still run your sites through your smartphone!
My computer often freezes with the beachball of death or disappearing cursor. Some runaway application, interacting with OS memory managment or UI services and devices, has managed to DOS my computer. Often a reboot is the only solution.
But what was the real problem? The fact that someone designed an OS that allows runaway processes and memory managers and what not to completely dominate all other processes, or to completely hijack key devices.
Why would an OS not have a more effective segmentation; a hierarchy, which enforces rules like:
- Never dominate the pointer movement and rendering, ever, for any reason
- Give the process kill user interface (red button, X), and the process termination procedure, absolute highest priority as well.
- Have a high-priority command shell process.
- Don't let background processing and user-process memory use ever dominate and freeze user interface rendering. Probably requires a separate CPU core just for talking to the graphics subsystem.
Seems like an off-topic aside maybe?
But the same principle should be applied to Internet design.
- A backchannel allowing sys-admin commands (at low data rates only) to get through the network should have highest priority and not be affected at all by overcapacity on other "channels".
- A low data rate channel permitting only low-frequency-of-send email / messaging protocol to get through should be next in line. By design it should not permit flooding. Its functioning should be entirely independent of any DDOSable level.
- A level which supports general web-ish and messaging protocols but for trusted authenticated communicators only.
- Finally, separated from the other levels at every switch, router, and network card, something akin to the current DDOS-ABLE level where anything goes.
Where are we going and why are we in a handbasket?
There's wisdom in what you say, but the ACL black hole list could be miles long. My own iptables list is pages long, and grows every day.
I don't think that ISPs give a shit, and there's nothing and nobody to flip the blackhole switch. Even DNS tweaking isn't going to do the job. Every day my syslogs fill up with nmappers and logon failures from ugly long lists of IPv4/6 addresses.
---- Teach Peace. It's Cheaper Than War.
This viewpoint is almost the opposite of reality. Losing the Internet is among the worst things that could happen.
It's basically identical to the situation with the two-party system in American politics. Until it actually crashes, nobody is going to bother to build a better system, because that's hard. It's better if the internet goes down now than in fifty years when we're really dependent on it for everything. We must build a better internet by then (meshed? entirely cooperative?) or someone surely will take it down and it will be the worst thing that could happen.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"