Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

Wait a minute..

I thought everyone said the internet treats censorship as damage and routes around it. You mean to tell me that's not true and I got bad information from Slashdot?!? My mind is blown!

Re:Wait a minute..

Give it a day or two and a solution will exist. It's only when problems become real that people start taking notice. If heroes can go down, then all of us must rise up.

Re:Wait a minute..

[ArmoredDragon]

I think this is a problem in want of a legal solution rather than a technical one. That is, people hosting ddos botnet nodes behind their internet connection, winningly or not, be held accountable. And it needs not be anything drastic, just require heavy throttling until they fix their shit. And foreign actors can simply have their mal intended traffic dropped at the border links if their country doesn't enforce similar rules.

Re:Wait a minute..

No, it needs a technical solution. Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this.

The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up.

The issue at present is that source IP spoofing is far too easy because the ISP's are routing traffic that can't legitimately be coming from inside their network.

Re: Wait a minute..

You're either woefully naive or particularly unintelligent, or some combination in between. DDOS sources are not relegated to any particular region, at least not any sophisticated ones. That's why they're "distributed", and the more uniform the distribution in the geographical domain the better the attack and harder to prevent. It's really just a fundamental weakness in our primitive peer-based network architectures and protocols.

Re:Wait a minute..

Make software creators/vendors legally liable for the lack of security that enables creation of botnets used for attacks.

Re:Wait a minute..

[XparXnoiaX]

Of course, the legal solution of punishing the guy who did it is already available, if you can find him, and if he lives in a country with laws friendly to that sort of thing.

Time for a license to get on the internet, eh? You need to pass a test about keeping your system patched.

And for those companies releasing IoT products with open FTP ports, may they die in a fire.

Re:Wait a minute..

[fustakrakich]

It''s not our computers doing this, it's the damn refrigerator. Don't blame me when your black box goes on the fritz. And don't go after the users until they can sue Microsoft and Apple, and Frigidaire for their feeble security.

Re:Wait a minute..

[Z00L00K]

Unfortunately it's not that easy, the target should be the ones building the botnets - make it a capital crime.

Re:Wait a minute..

[sexconker]

Day or two? Here's how you do it:

Publish and have people mirror it.
The most extreme way being to publish a magnet link to whatever you published and to let the world seed it.

Content distribution at "web scale" was solved ages ago.

Re:Wait a minute..

Why would any of that work?

First, if IP address spoofing is a real thing, and it is, then it'd be trivial to turn holding the 'source' accountable into an easy money-making scam. You can't expect people to keep their devices secure as long as companies keep producing buggy devices. That would be like pressing terrorism charges against anyone who's had their phone explode in public. Completely not the user's fault. There aren't even any user-focused tools to let you know if your TV is currently attacking someone or not. Powering it off isn't good enough.

Second, the attack used millions of devices. The IPs don't need to be spoofed. A firewall can block them, but the attackers can push so many connections at the firewall that it can't handle them even if everyone gets blocked.

The only way I know to overcome a DDoS attack is to have more resources than the attacker so that they can't bottleneck anything you have. If I'm wrong, please correct me.

Re:Wait a minute..

[WaffleMonster]

No, it needs a technical solution. Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this.

The technical solution is cleaning up millions of owned systems.

The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up.

This isn't 1996. Nobody runs botnets where individual hosts overtly "spam" and expect to keep their network intact.

The issue at present is that source IP spoofing is far too easy because the ISP's are routing traffic that can't legitimately be coming from inside their network.

This just happens to be the low hanging fruit.

Re:Wait a minute..

Or their products launched.

Re:Wait a minute..

[nukenerd]

No, it needs a technical solution [as opposed a legal one]. Making ISP's liable .........

That is a legal solution.

The rest can then be tackled by holding the source to blame

So is that.

Re: Wait a minute..

We could stop using TCPIP and peer-based based networking. Ultimately, DDOS is only possible because the protocols and architecture allow it.

Re:Wait a minute..

While this is true for most DDoS attacks, it's irrelevant for this one. The majority of the traffic was TCP, HTTP GET and POST spam.

Re:Wait a minute..

Are you fuckin retarded, or what?

Re:Wait a minute..

If you thought the BitTorrent DHT is secure against someone making a particular infohash disappear you would be wrong.

Re: Wait a minute..

I have a security solution for IoT devices that would use low memory and resources but it would require a basic...very basic iptables firewall on IoT devices. Prevent them from being overtaken in the first place. Developers interested in such a solution should leave an anonymous email address here and i will get back in touch. Must have firewall and IoT development experience both gateways and IoT devices alike to pull this off. I am looking for partners on the idea.

Talk soon!

Re:Wait a minute..

YES! This is why I just came to the comments page. We all need to willingly mirror such content so nobody can affect it.

Re:Wait a minute..

[gweihir]

It is pretty unlikely this attack needed source spoofing. Far more likely each insecure IoT device only contributed a trickle, and that with a legitimate IP address.

What is needed instead is to make manufacturers of these crappy, insecure devices liable for the full damage caused. They can then try to get that money back from the attackers (good luck with that...).

Re:Wait a minute..

Why would any of that work?

First, if IP address spoofing is a real thing, and it is, then it'd be trivial to turn holding the 'source' accountable into an easy money-making scam.

Why would that work? (see, I can use that weapon too). I.e. go ahead and explain your trivial scam. I think you are oversimplifying things for yourself (though I'm responding to you because this is the right solution thread to explore). You sound like you imagine the internet to be a somewhat homogeneous collection of networks. It is much more diverse than that. The right solution along these lines won't look like a patch that gets deployed, and in 48 hours everything is fixed. The right solution will start working for a particular subset of the problem, then percolate outwards. But it will happen, be patient (or not care about what happens long after you're dead because stupid politicians were too skilled at their stupidity during your lifetime, whatever).

You can't expect people to keep their devices secure as long as companies keep producing buggy devices.

But if they start getting charged for that malware (or even just manufacturer bug) based traffic emminating from those devices, you can imagine they will unplug them from the net. Problem solved.

That would be like pressing terrorism charges against anyone who's had their phone explode in public.

No, it's not at all like that. Not even remotely close. So far in fact that I conclude you are not arguing in good faith. If these devices could trigger $100k bills of datacap charges overnight, that somehow stood up in court, you might have a point. If however the ISPs just physically or virtually disconnect such 'harmful devices to the network' when detected, then the situation will look nothing at all like pressing terrorism charges against people whose defective phones had thermal runaway events.

Completely not the user's fault. There aren't even any user-focused tools to let you know if your TV is currently attacking someone or not. Powering it off isn't good enough.

This is the problem with the orwellian NSA 'unlimited' internet bandwidth anti-datacap psy-op. As soon as people have to care that a leaky pipe they otherwise never would have needed to care about is costing them $100/month in water charges, they will get it fixed. If water is 'unlimited', there is no incentive to fix some leaky landscaping pipe that is draining potable water into a nearby stream.

Second, the attack used millions of devices. The IPs don't need to be spoofed.

Indeed, which is why it takes 'herd immunity' to solve this problem. Accepting that 10% of internet users have malware running and consuming network resources is just stupid. But the NSA doesn't want people to be that self-aware of their own internet traffic. They like to hide amongst the noise of the spam. If we actually fought against spam and malware, they wouldn't be able to hide in that noise. The only reason we can't fight is because the NSA is powerful enough to effectively tie our hands through its influence on policy and law and the legal system.

A firewall can block them, but the attackers can push so many connections at the firewall that it can't handle them even if everyone gets blocked.

Right, which is why you have to take the fight and the prosecution of the perp to the source- to them. They will have a harder time if they are locked in prison, or hopefully bankruptcy (or even just the equivelent of a littering fine/ticket) will provide a sufficient earlier step impediment.

The only way I know to overcome a DDoS attack is to have more resources than the attacker so that they can't bottleneck anything you have. If I'm wrong, please correct me.

Or find them, and lock them in jail. Not looking for them however, as an optional alternative, seems to have just the sorts of results you would expect.

Re:Wait a minute..

[kamakazi]

I guess you aren't understanding a simple fact here. This is not devices that are spamming, this is thousands and thousands of devices, none of which is generating more traffic than could be legitimate.

The design of the internet says I can send packets from any device to any device on any port I choose, and that is what these bots are doing. I am sure that no single device out there is putting out as much traffic as a single high resolution web cam watching baby eagles hatch or many other non-evil uses.

This kind of attack is basically unstoppable, since much of the traffic is indistinguishable from normal web site visitors.

A technical solution would have to involve attacker device identification, by profiling traffic originating from pretty much every IP on the internet, and as such would not be a real time defense, it would be a long term, continuous, ongoing effort to identify and remedy every exploited device out there.

That pretty much means that no one can afford to dedicate the resources that are required, even state entities will not be willing to spend that much on such a cause. Actually, the state actors seem to be more interested in using exploitable devices than fixing them, and they sure aren't helping anybody else fix them.

And last time I checked easily exploited devices are being attached to the internet at an increasing rate with no sign of slowing in the future.

I agree about IP spoofing, if everyone set their routers up correctly it simply wouldn't exist, but I also don't think IP spoofing is a significant contributor to DDOS attacks. Why would the bad guys care if you know where the individual devices in their botnet are? They aren't on the hook if some ISP shuts down your smart TV or thermostat or Windows XP box for being bad.

I also was pretty impressed by the numbers in this attack, Akamai kinda shines in this story, they took surges over half a terabit a second and didn't fall over, they should use those numbers for advertising.

Re: Wait a minute..

[Provocateur]

So if there is a leak or a hole, shouldn't it be plugged then?

Being aware that the problem exists isn't enough. What's the next step, an RFC of some kind? So that our leading technologists can find a solution?

Re:Wait a minute..

What is needed is for people to stop buying all this useless IoT enabled stuff.

My water heater has an IoT port for an add-on wifi module. With maybe a few exceptions, no one needs this.

My new heat-pump - when getting quotes they all pushed the IoT as a selling point - look you can control this thing with your phone AMAZBALLZ! And by default the quotes included this option. After deciding which one to go with I asked them to remove that option and not install it. Again this stuff is neat, but its just enables pure laziness for most people, and a gaping security concern to the infrastructure of your house.

Now we have IoT fridges that show you a live stream of the inside of your fridge, WTF. If you're that lazy just snap a photo of it before you go out, guess thats too hard ;-)

All the current home security systems push the "live streaming" spy on our house feature, F*** that, I dont need a live stream of every room of my house going into the cloud somewhere. I wonder how many divorces thats caused, or enabled already untrusting paranoid spouses to spy on their partners every move at home. Again F*** that.

I flat out refuse to have anything "IoT" in my house or on my home network. Just forget it, I cant trust that these things are secure or that the manufacture cares, its pretty clear they don't, and wont as long as people keep buying this junk.

Re:Wait a minute..

[gweihir]

While I agree that this would be the best approach, it requires one thing that we are not going to get anytime soon: A significant majority of non-stupid people. IoT has zero reasonable applications at this time. But far too many people are not mentally equipped to see that.

Re: Wait a minute..

Another solution would be for Krebs to donate his old content to any site that will publish it online.

But first I'd like to see some proof that IOT was involved. Name them and shame them and produce at least one device before making unprovable accusations.

Re:Wait a minute..

That would be like pressing terrorism charges against anyone who's had their phone explode in public.

No, that would be like pressing negligence charges against anyone whose car exploded because they weren't diligent with it's maintenance. Computing devices should be held to the same standard of safety we hold other possessions that could be harmful to others when mismanaged.

Re: Wait a minute..

Agreed!

Re:Wait a minute..

[doccus]

I have to agree.. until people's bloody fridges become just a touch more intelligent. Nobody needs a fridge that will accept instructions from Chechnya or Nigeria. Internet protocols are woefully obsolete. WHy aspoofing hasn't been completely eradicated is beyound me, and I don't wan't my fooking dishwasher to be able to relay dDos action. Period.This is all Boolsheet. A disastrous overlooked concern that should have been a priority for dealing with, a decade ago. Instead, everybody's spent all their time drooling over the latest smart frikkin this and smart that. So maybe security ain't glamorous. Deal with it, and get on the train. NOW!

Re:Wait a minute..

[rickb928]

"Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this."

Probably not. ISPs that won't respond will not help, and taking those offline risks harming innocent users, and we have a problem that cannot well be solved. And I bet a small Americano that many of these ISPs are major players, and will not be taken to account.

"The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up."

Sure, bill the homeowner running a door cam. Maybe if you start up the technical solution of denying the MAC addresses associated with the attack, disabling a variety of devices and risking more lawsuits.

Ultimately, perhaps, we are learning that plugging in tiny, useful devices that are insecure and easily commandeered is a good business model for the manufacturers, and users love them, but they cannot be permitted access, and therefore cannot be used, because they are exceedingly dangerous. Disproportionately so.

Darn. But then, a single bullet, not really so dangerous sitting on a countertop, is exceedingly dangerous if it becomes lodged int he brain of an American President. It's the implementation. Cheap IoT devices are, sadly, dangerous. They need to be made better.

Re:Wait a minute..

[rickb928]

Think you patch your IoT door cam?

I doubt it. These are stupid simple, and that's the problem.

Re:Wait a minute..

[DontTrustWhatIType]

I think that there is a bit more than can be done than just adding resources, and the wrong place to put the liability is at the ISP or individual owner.

There are very good reasons not to push the liability to ISPs, not the least of which is that they will have all the more "legitimate" seeming reasons to push back on net neutrality, and ultimately we'd be pushing the resource problem to the ISP (to include hardware, software, support, insurance, litigation costs, etc.) which will in turn push them to customers and the like.

Pushing liability to the owner is, absurd. Have you made sure that your water meter is secure? Have to verified that your smart alarm, smart phone, fit bit, smoke detector, HVAC controller board, tankless water heater controller board, electric meter, alarm system, garage door opener, etc., etc., etc., are secure? Do we think it should be our, our parent's, and our children should get CISSP certification and secure those devices?

Attacking the problem will require more than just one solution, but one that is sorely missing is the liability of the producer of the IoT devices. The fact that we have CIOs and, shamefully, CISOs of some of the largest IoT device manufacturers possess a complete lack of understanding of what it takes to reasonably secure devices and communications is, in my not so humble opinion, a travesty. Even if you were trained as an oncologist, you cannot become a Chief Medical Officer of a Med-Tech company and then claim that "infectious diseases are not my speciality", nor can you hide behind board certification when your decisions (or lack thereof) result in harm to the users of your device. Why do we tolerate this with IT?

If you are the CIO/CISO of windmill controllers and say that you cannot be hacked from the Internet because "your devices use cellular networks" (read 4G internet), you should be fired on the spot and your company deserves to be crippled financially for having facilitated the creation of a botnet from your staggering ignorance. If you are a CIO/CISO of building control systems and you think that your smart thermostats do not need to be secured, because, who cares if they get hacked, you should suffer the same consequence. And here, I am talking about two of the biggest players in both fields, one of whom is still sadly my company's strategic partner.

Re: Wait a minute..

[Coren22]

Block all by default? Only open SSH, and outbound connections ONLY to the cloud server?

Internet of Things?

[sheramil]

I thought the "internet of things" was a .. "diegetic prototype", ie a fantasy. how many net-addressable refrigerators and automatic light switches are there, that they can mount a DDOS of this scale? -- if all you have is a bow, every problem looks like a skeleton

Re:Internet of Things?

I thought

oops there's your problem

Re:Internet of Things?

[AJWM]

It's not just refrigerators and light switches.

It's also light bulbs (Philips stupid mood thingie), thermostats (Nest, etc), nannycams (every manufacturer and his brother), (in)security systems, even fricking doorbells, et bloody cetera.

And I'm sure I've left out some major categories.

Re:Internet of Things?

[AJWM]

And I'm sure I've left out some major categories.

Oh yeah, sex toys.

Re:Internet of Things?

how many net-addressable refrigerators and automatic light switches are there, that they can mount a DDOS of this scale?

I have this feeling that many ISPs have persecuted server operators, and used some handwaving justification that net-addressability has anything to do with further enabling DDOS botnets. I.e. net-addressability is the defining requirement of server operation. Wheras to send spam, being behind a NAT really isn't an impediment.

Re:Internet of Things?

[h33t+l4x0r]

Yeah, I'm not sure I buy blaming IoT devices either. Yes they're all vulnerable, but you have to be nearby to exploit.

Re: Internet of Things?

Are you talking about a distributed denial of cervix?

Re: Internet of Things?

[mrbester]

Half the population of the planet is currently engaged in that against me, and has been for some time now. No idea why I was targeted, but I'm sure others have been as well so at least it's indiscriminate.

Re:Internet of Things?

Yeah, I'm not sure I buy blaming IoT devices either. Yes they're all vulnerable, but you have to be nearby to exploit.

You're not really too clear on how this whole internet thing works, are you?

Re: Internet of Things?

There's millions of the things out there.
In fact, likely even more just sitting around unused.

That's just the hacked ones!

Re:Internet of Things?

[JustAnotherOldGuy]

Yes they're all vulnerable, but you have to be nearby to exploit.

No, you don't, and that's the whole point. Someone 1,000 miles away can fiddle with your IoT gear, own it, or use it maliciously.

Re:Internet of Things?

[h33t+l4x0r]

That would only be true if the device had a public IP address

Re: Internet of Things?

You probably need to install the latest fashion patches. If the system health is really bad, try running /bin/workout for an hour each day.

Re:Internet of Things?

I think the bigger issue is that a number of these devices are being purchased with malware already on them. Maybe not the big brands, but there are a lot of players in the cameras and lighting space. Related, there are a lot of cheap off-brand android tablets that get sold to consumers, new, that arrive with malware installed. These devices might not be part of a botnet per se, but they could be the ingress point for malware that worms its way into other devices on whatever network it connects to. IoT devices might be the soft targets they want.

Re: Internet of Things?

No mod points this end but fuck it, that deserved a +1, Funny.

F_T

Re: Internet of Things?

[WallyL]

Yeah, some have installed one of the various "Religion" DLCs available. Some have entirely unpatched systems, which might give you malware if you connect. Exclusive provider contracts seem to be one of the most reliable ways to ensure continued and safe service. If you use more than once service provider, they both start denying service. Be sure to clear your cookies! Watch out for "free" upgrades that come with their own expensive expansion packs.

Re: Internet of Things?

Are you talking about a distributed denial of cervix?

Sounds like my ex-wives

We tried to tell people

[s.petry]

They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads. Power holders want to track your every move and dig every loose penny they can find out of _your_ pocket in the process.

Stop connecting every damn thing to the Internet, and start securing what you have to have connected. This is not a mentally challenging thought process, so if you don't "get it" that makes you...

Re:We tried to tell people

[Oligonicella]

*Some* of us tried to tell people it was a terrible idea. A lot of /.ers thought it was just a peachy thing and volubly heckled us about it, laying out in great detail how beneficial it was to have your refrigerator keep your grocery list for you to check as you shopped, be able to automatically turn you lights on and off as you went to and from work, etc.

Re:We tried to tell people

> They don't care that IoT is a horrible idea...

IoT is no worse an idea than "Make Internet-connected portable computers that are so cheap that nearly anyone who wants one can have one.".

Hardware and software vendors who CBA to even _try_ to ship a product that doesn't expose an open root shell to the Internet are the horrible ones.

IoT is great. Companies that short-change the software are _awful_.

Re:We tried to tell people

[Darinbob]

Stop lumping all things that are on the internet with IoT paranoia. There are very good internet enabled things that have nothing to do with silly consumer gadgets, and they use high security as well (not the weak wifi stuff).

Re:We tried to tell people

[drinkypoo]

They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads.

If the internet is vulnerable to such attacks, then we have already lost. And of course, it is, so we have.

Stop connecting every damn thing to the Internet, and start securing what you have to have connected.

How about we add some security to the actual network? No amount of security will protect you from a DDoS.

Re:We tried to tell people

[ThatsMyNick]

The thing is you werent telling the right thing. IoT is not a bad idea at all (much less a horrible idea). You come off as a luddite when you say that. What you should have said is security is important IoT or no IoT. It seems obvious but apparently not to some people. May be if you had been pro-security rather than anti-IoT, you would have taken more seriously. Just my 2 cents.

Re:We tried to tell people

s.petry, I'm in total agreement with you. And judging from the replies to your comment, we're in a minority here on slashdot.

Personally, I'm looking around for an alternative to slashdot, whose community is more aligned with our point of view.

Re:We tried to tell people

There are very good internet enabled things that have nothing to do with silly consumer gadgets, and they use high security as well (not the weak wifi stuff).

Name one.

Re: We tried to tell people

Https://soylentnews.org

Re:We tried to tell people

oldfartsandluddites.org

Re: We tried to tell people

I bet the security on those body cams that special forces sometimes wear is pretty good.

Re:We tried to tell people

No mod points but you thoroughly deserved your +5. Sense on the internet. Who'da thunk it?

Stability

I fear the stable internet days are numbered...

We need a new secure internet

There is no fucking reason for the internet to be this much of a clusterfuck. Spoofed routing updates, IP spoofing, none of this should be possible by design.

With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs. Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.

Stop patching up this shit and give us a next generation internet, I'm sick of this shit.

Re: We need a new secure internet

That will be abused to cut off ISPs that tolerate piracy, and we can't let that happen. According to Slashdot users, piracy is a basic human right that nobody should be allowed to infringe upon.

Re:We need a new secure internet

Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet.

Right. Companies who make billions of dollars a year as ISPs (Comcast, Charter-Time Warner, etc) are going to allow you to ban them from the internet.

Please get out of your mom's basement and learn how the world really works.

Re:We need a new secure internet

We don't even need an internet.

Re:We need a new secure internet

In a normal country, you can setup things called "laws" that companies need to adhere to.... I know it's a foreign concept but it does actually happen in some places!

Re: We need a new secure internet

Youre damn right

Re: We need a new secure internet

I'm about to buffer overrun your butt if you don't stop bad mothing C, the language of our lord.

Re:We need a new secure internet

In a normal country, you can setup things called "laws" that companies need to adhere to.... I know it's a foreign concept but it does actually happen in some places!

Just not anywhere of importance. Tell us again: how many Goldman-Sachs bankers are in jail? How about HSBC bankers? How much competition does Microsoft have in the PC OS space? How many people at Sony landed in jail after the rootkits?

Re:We need a new secure internet

You wouldn't be reading this webpage if traffic that didn't originate in a given ISPs network wasn't forwarded. The packets that constitute your HTTP requests travel through several different networks between your home router and a server hosting a website. If any of those networks blocked packets that did not originate in their network you wouldn't be reading these comments.

Learn how routing works....

Re:We need a new secure internet

[Burz]

Really, security researchers should have started moving to Tor and I2P services years ago. When the bandwidth is spread out among many limited intermediaries, DDOS will just threaten to take down parts of the net you yourself use... if it gets anywhere at all.

Re:We need a new secure internet

[WaffleMonster]

There is no fucking reason for the internet to be this much of a clusterfuck.

There isn't much daylight between Internet we have today and the ideal version of it in my view. Shit that runs over it is an entirely different story.

Spoofed routing updates, IP spoofing, none of this should be possible by design.

If everyone got off their asses and implemented BCP 38 it would be more difficult yet I'm not so sure we would see a better outcome. Preventing reflection is helpful and having more confidence in source addresses important yet I find it hard to believe this is a solution to anything.

With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs.

Problem isn't spoofed traffic it is desire and capability to flood others. If you own a botnet you don't need to spoof traffic to cause havoc.

Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.

We allowed countless millions of devices and PCs to become owned and now some of us get to pay the price for that. It isn't the Internet's fault we suck.

Re:We need a new secure internet

[DNS-and-BIND]

It's all because the Internet is a trust-based network. What you describe are flaws in a trust-based system. Frighteningly, your solution is to get rid of trust.

What you really want is not trust, but control. Once systems like the one you propose are in place, there will be the ability (which doesn't exist right now) to really control Internet traffic. About five minutes after that happens, the first government abuse of that power will take place. Then, the abuses will just get larger and larger. Good luck with your controlled network, because you won't be able to say much on it.

Re: We need a new secure internet

[smallfries]

Unlikely, torrent no work so good with spoofed address. Plenty of upload but the down is painfully slow.

Re:We need a new secure internet

[buss_error]

Fine. Can I send you the bill for these multi-million dollar routers you want to turn in to boat anchors? I have two or three dozen I'll need to replace.

Re:We need a new secure internet

Seconded. And everyone let near the Internet should be recognizable by an uspoofable ID. No more hiding behind fake personalities!

Right, Anonymous Coward?

Yikes.

Re:We need a new secure internet

Problem fucking solved.

Stop patching up this shit and give us a next generation internet, I'm sick of this shit.

First thing: Get rid of online anonymity!

Re:We need a new secure internet

[drinkypoo]

There isn't much daylight between Internet we have today and the ideal version of it in my view. Shit that runs over it is an entirely different story.

Uh no. The internet is the network and the computers. It's an inter-net-work of computers. The shit that runs over it is likewise therefore also part of the internet. If the internet will happily carry shit traffic, then it's a shit internet.

I love it too, but let's not pretend that it's not grossly flawed.

Re:We need a new secure internet

[drinkypoo]

Fine. Can I send you the bill for these multi-million dollar routers you want to turn in to boat anchors? I have two or three dozen I'll need to replace.

If the internet becomes just a lot of DDoS then they'll effectively be boat anchors anyway. The problem needs fixing at any cost, because the cost of not fixing it is that the internet becomes useless and that cost is too much to bear. Will you ignore the disease until it kills the host? Or will you administer a painful medicine?

Re:We need a new secure internet

Eyeball monopolies have to pay for the fix. Publishers are the victims. "ban from the Internet" won't work because the victims don't have enough power: eyeball monopolies are monopolies.

Re:We need a new secure internet

Spoofing of a non customer IP should be stopped at the very first ISP hop (no your shitty enterprise customer with his overly complex network setup is not the exception which justifies blowing a huge hole in internet security, every one of his IP ranges should be registered in the ingress filter and clearly belong to him). Any ISP who can not manage that doesn't belong on the internet.

Malicious traffic generation should be able to be blocked by request at the ISP edge router connecting to whatever customer originated the shit. Any ISP who can not manage that doesn't belong on the internet.

All ISPs don't belong on the internet, we need a new one.

Re:We need a new secure internet

There is no way to enforce ISPs to be good actors at the moment. Which is why we need a parallel proper internet, on which only proper ISPs operating by best practices are allowed by a contractual covenant. With harsh measures for those who violate it. Proper ingress filtering, proper DDOS filtering at the source etc. would all be part of that.

Old internet traffic could then simply be assigned lower priority on this proper internet.

Re: We need a new secure internet

s/piracy/fair\ use//

Re:We need a new secure internet

No, I want a social contract.

Any abuse of the source blocking mechanism outside of malicious traffic generation would break the contract. Fix the cause, if you won't you get thrown off the internet. So any government which would try would quickly run out of ISPs in its country.

Problem solved.

Re:We need a new secure internet

[WaffleMonster]

Uh no. The internet is the network and the computers. It's an inter-net-work of computers. The shit that runs over it is likewise therefore also part of the internet. If the internet will happily carry shit traffic, then it's a shit internet.

I love it too, but let's not pretend that it's not grossly flawed.

No I'm talking about the architecture of the network itself and have made that quite clear. You can invent whatever definitions you want and ignore the clear context of parents remarks yet in doing so you are no longer communicating any useful information.

Asserting pipes are shit because you pumped them full of shit is itself worthless shit.

Brian said "SPECTRE", not "specter"

SPECTRE. The SPecial Executive for Counter-intelligence, Terrorism, Revenge and Extortion.

From a James Bond movie.
https://en.wikipedia.org/wiki/SPECTRE

Re:Brian said "SPECTRE", not "specter"

[AJWM]

"From a James Bond movie."

Kids these days.

Even if you're going to restrict yourself to movies, SPECTRE was the villain in most of the Sean Connery Bond flics. And that was in no small part because they took liberally from Ian Fleming's books.

At least you got the acronym right.

Now, for bonus points, what did THRUSH (the Man from UNCLE bad guys) stand for? (And, trivia note, Ian Fleming contributed concepts for that TV series, including the name of the main character, Napoleon Solo.)

Are we sufficiently off-topic yet? ;)

Re: Brian said "SPECTRE", not "specter"

Books are just first-drafts of screenplays.

Re:Brian said "SPECTRE", not "specter"

You mean "The Technological Hierarchy for the Removal of Undesirables and the Subjugation of Humanity."

Re: Brian said "SPECTRE", not "specter"

[Kozar_The_Malignant]

Books are just first-drafts of screenplays.

Unless it's the other way 'round like 2001: A Space Odyssey.

Re:Brian said "SPECTRE", not "specter"

THRUSH;
Technological
Hierarchy for the
Removal of
Undesirables and the
Subjugation of
Humanity.

UNCLE
United
Network
Command for
Law
Enforcement.

HA I win

Re:Brian said "SPECTRE", not "specter"

Committee for the
Liberation and
Integration of
Terrifying
Organisms and their
Rehabilitation
Into
Society ...And that's the nub of it.

https://en.wikipedia.org/wiki/List_of_fictional_espionage_organizations

Re:Brian said "SPECTRE", not "specter"

[Zontar+The+Mindless]

THRUSH isn't an acronym. It's the name of the organisation. Attempts to make it one came later, in some of the novelisations, I think.

Re:Brian said "SPECTRE", not "specter"

[dbIII]

Now, for bonus points, what did THRUSH stand for?

Stand? No. Squirm uncomfortably? Yes.

Re:Brian said "SPECTRE", not "specter"

or RECTUM?

Reasonable Expectation Cruel Torture Under Menace!

and let's not even get into The Man from ANUS!

Re: Brian said "SPECTRE", not "specter"

Books are just first-drafts of screenplays.

This is something someone who doesn't read books says.

Re:Brian said "SPECTRE", not "specter"

"Kid"? I posted the comment to which you replied, and I assure you I'm no kid. My undergraduate degree in computer science, for example, included the use of IBM 029 keypunch machines.

Also, your complaint makes no sense. I understand that SPECTRE was in most James Bond films; that's why you can find it in a James Bond film.

Also, you're complaining to the wrong person. I was merely setting straight the Brian Krebs quote. If you think it's somehow wrong to say that "SPECTRE may be found in a James Bond film" (which, as I say, it is not), you can direct your (mistaken) complaint to krebsonsecurity.com.

"Kids". Sheesh!

Business as usual...

[Bob_Who]

As long as it scales in parallel to money, its nothing new or revolutionary. New gun for hire, different day.

Well, we learned one thing...

[argStyopa]

...that there's ANOTHER reason the "internet of things" is a stupid idea.

A single domain was silenced.

[Hylandr]

Big deal. One domain was silenced.

He can still work and do what he needs, now he has to participate in the rest of the media network.

That's the whole point of the Internet being invented in the 60's to begin with. One site / segment get's bombed, you can still get on in other segments of the network. All he needs to do is submit Press Releases just like everyone else.

Problem that's not a problem has been solved.

Re:A single domain was silenced.

[bheerssen]

Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks. If it's too expensive for Akamai to do this, it means that the attackers can take any site offline, no matter how big or how powerful. So, no, it's not just about one site. How long until Akamai itself can't keep up with attacks and has to shut down?

Re: A single domain was silenced.

This is a problem in itself. What you suggest means the end of a free internet. Only domain owned by organizations big enough to absorb that kind of ddos or too small to attract attention would be left in the end.

Re:A single domain was silenced.

>Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks

It wasn't too expensive for Akamai to continue fending off the attacks. It was too expensive to them to fend off the attacks for free

Re:A single domain was silenced.

For as much Libertarian cock sucking goes on around /. this seems to be exactly the free market at work. Only he was getting service for free. So yeah, he wasn't worth keeping around without being a real customer.

Re:A single domain was silenced.

Maybe Akamai is a shitty host
https://twitter.com/olesovhcom...

Re:A single domain was silenced.

DISTRIBUTE THE INFORMATION WIDELY. Publish them in dead tree editions. mirror all over the internet. Kinda like a fractal

Re:A single domain was silenced.

[DavidRawling]

Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum, this effectively means that unless you have a lot of money or a company willing and able to pay what amounts to protection money, you potentially won't be permitted to speak - doing so with an uncomfortable topic for someone gets you knocked offline. Pay the wrong mob and you get to pay again, and again, and again.

One potential outcome may be that truly personal sites will become impossible to support and host; especially if you have any content that could be seen as controversial. You will have to pay someone to host it for you. If they agree, and it doesn't cost THEM too much, and it's not controversial - fine. Want to promote a social cause? Sorry, you can't afford to. Get back into the bit mines, peon. And this fits nicely into the whole cloud thing too, where you don't need anything in your own datacentre, host it on someone else's computer.

I'm waiting for the first wave of destruction to hit the major cloud providers - if this network supposedly of DVRs can deliver 1-1.5Tbps, and you factor in another dozen of similar size, you're talking 15-20Tbps directed at a target. I doubt even Google and the CDNs can withstand that for very long without service impacts, and that's not even factoring in attacks that actually have a little brainpower behind them.

Re:A single domain was silenced.

[Hylandr]

The censorship has been happening here on Slashdot for years already. Instead of concentrated DDOS attacks it's been in the form for mod-point-activism.

Re:A single domain was silenced.

[swillden]

Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum

Google offers it free to all journalists.

You don't say...

[Plus1Entropy]

What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

So wait, a DDOS attack can happen to anybody? This kind of hard hitting revelation is why I keep coming back to this site.

Re:You don't say...

[smallfries]

You heard it here first. Now there's something they don't say about slashdot

Re:You don't say...

[drinkypoo]

I've been DDoS'd for talking shit on irc. Well, I say shit, but what I was saying was true... only inflammatory. But back then it didn't take a very large attack to knock someone off ye olde internet, an ISP would scarcely notice.

Distributed websites

[phorm]

This sounds like a good use for some torrent-type technology to supply "distributed websites"
Rather than having a server or "servers", articles go out from a seed source and are quickly seeded throughout the world. Maybe add some sort of checksumming/encryption to help validate that an article did in-fact come from the real source and not an impostor... it would stop sh*t like this from happening.

Re:Distributed websites

Stanford EE380 had lectures a while back...here and here.

Re: Distributed websites

That's been tried with freenet. It is slow as shit, you don't pick the content you download and seed, and it is full of child porn. So basically your computer will be full of child porn and you won't even know it, and the websites you try to access won't load.

Re:Distributed websites

[Burz]

I2P does this... https://geti2p.net/en/docs/app...

In fact, addresses within both Tor and I2P are crypto public keys.

It even has a distributed filesystem.

Re:Distributed websites

[r0kk3rz]

This sounds like a good use for some torrent-type technology to supply "distributed websites" Rather than having a server or "servers", articles go out from a seed source and are quickly seeded throughout the world. Maybe add some sort of checksumming/encryption to help validate that an article did in-fact come from the real source and not an impostor... it would stop sh*t like this from happening.

You've almost literally described IPFS, which is like the lovechild of Bittorrent and Git

Re: Distributed websites

You will know it as soon as the authorities localize said CP on your IP.
You have been CP-ied

Superdistribution of Content

[lazarus]

The attackers are distributed. The victims are not. We need to superdistribute web content like we do with music. Think TOR meets torrents. It would take httpd authors, browser authors, and even search engines to get in on the act, but it would put an end to the problem. (somebody is probably already working on this)

The web, like e-mail, is going through death throes. The kids will decide what lives and what dies I guess.

Re:Superdistribution of Content

There are people working on this sort of thing, but last I checked it's still in its infancy.
Some interesting discussion to start the reader off on on stackoverflow

Re:Superdistribution of Content

Like newsgroups?

Re:Superdistribution of Content

is superdistribution kind of like another way of saying "distributed with redundancy". Ok, nice buzzword bingo, the solution remains doing the work of the obvious things (like distribution and redundancy that we are all very familiar with, though superdistribution sounds like some new quantum computing thing. I bet some of that quantum computing pixie dust can fix all our cyber problemz...

Re:Superdistribution of Content

[sexconker]

No, like:

pubs.site.tld would return the contents of site.txt which is simply

2016-09-23 15:41:23 magnet:sfgalkfgalfgalfgasf
2016-09-21 11:34:08 magnet:sfgalkfgalfgalfgasf ...

----Public Key----
dgsh;slgh;sdg

Then you grab and seed what you want. The torrent contents would be signed. Other sites / journalists / whoever could verify the public key with the actual author if needed.

Re:Superdistribution of Content

[SeaFox]

The web, like e-mail, is going through death throes.

Gimmie a break. You know how often I've heard "email is dying"? Generally it's from some stupid millennial, or the mouthpiece of a social networking company that offers a messaging feature that, for all intents and purposes, is email (except with formatting and picture/video inserting bells and whistles). What they really mean is "we wish email were dead, so everyone would be forced to become one of our users and we could become the new defacto email".

When those kids go out and get a job and have to communicate in a serious fashion, it's not Facebook they're going to be launching -- it's Outlook.

Re:Superdistribution of Content

[Burz]

"TOR meets torrents" is I2P.

It has distributed content sites like Syndie, and even has bittorrent contained within the net (not a gateway to clearnet) and a distributed filesystem (Tahoe-lafs).

Re: Superdistribution of Content

This verification of authors authenticity may fail if authentication server is ddos-ed.
OK you say but at least we have content and TTY hr authentication can be done later so it is not a problem. Wrong - in the meantime some copies Mey refer to some life altering stuff like child porn etc. In other words this does not solve the problem.

Re:Superdistribution of Content

[mrchaotica]

Generally it's from some stupid millennial, or the mouthpiece of a social networking company that offers a messaging feature that, for all intents and purposes, is email (except with centralization, censorship, advertising and data-mining). What they really mean is "we wish email were dead, so everyone would be forced to become one of our users and we could become the new defacto email".

FTFY.

Stupid IoT

[orlanz]

If they are so easy to commandeer, I think a group should go around bricking these damn things. Brick enough of them and either users will toss them or return them. Either way, the vendor will actually consider lockdown and security a value add or go out of business. The world is better off.

Re:Stupid IoT

To ISPs "servers" are considered 'harmful devices', but botnets of these sorts of clients with out of development closed source firmwares are considered "nonharmful devices". Lol.

Make it LAW

Make egress filters mandatory. No ifs or buts. Make it law.

Make it law that I can disconnect any user who isn't egress filtering and is sending me shit. Consumer business enterprise government state.

This shit all has a fucking solution. It's fucking 2016 people. Egress filtering stops a lot of this shit. Any business not doing it needs to gtfo off the internet.

Shitty isps who don't filter will quickly get th picture when I can legally shut down their bgp session despite contracts.

Literally, there is no reason not to do this. Anyone pushing back is either extremely naive, completely technically inept, or a criminal. Seriously.

Re:Make it LAW

[Enigma2175]

Make egress filters mandatory. No ifs or buts. Make it law.

Make it law that I can disconnect any user who isn't egress filtering and is sending me shit.

Make it a law where? If it's just in the US, or just the US and the EU, then the law does no good. It would need to be a worldwide law, good luck getting such a law in every country.

Re:We tried to tell people. Tell them DICK!

They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads. Power holders want to track your every move and dig every loose penny they can find out of _your_ pocket in the process.

Stop connecting every damn thing to the Internet, and start securing what you have to have connected. This is not a mentally challenging thought process, so if you don't "get it" that makes you...

My penis is so very big. It is also incredibly penisey! It could go right up your rancid butt hole.

Re:hyperbole

-1? Lol, looks like I struck a nerve.

Great idea! Articles could be categorized and dist

[raymorris]

> articles go out from a seed source and are quickly seeded throughout the world.

That's a wonderful idea. We'd need a new protocol for distributing these "articles". We could call it Network News Transfer Protocol or something. You could tag your article according to categories andsubcategories, and people could subscribe to these different news groups. We could use ssl/tls for authentication of peers.

It probably wouldn't take too long to develop such a protocol; I bet we could have it done by 1986.

packets are speech

packets are speech, just like money
right?

IPv6

The sooner we move to IPv6 the sooner we say goodbye to this crap.

Re: IPv6

How's that? Won't IPv6 just mean more public unsecured IPs?

Re:IPv6

[Z00L00K]

And we will see new problems instead.

But ISPs seems to delay the introduction of IPv6 a lot, which sucks.

Re:IPv6

[h33t+l4x0r]

Why, because the ISPs who can't block the spoofed IPv4 packets will somehow be able to block spoofed IPv6 packets? What's the thinking there?

Re:IPv6

[gweihir]

Excuse me? This will not even help one bit. The biggest danger to the Internet are morons that have no clue how it works.

Re:IPv6

Yeah, that'll solve all of our problems. "What do you mean every device in my house has a public, world routable address? My cable thingy keeps me safe right? And Windows 10 is unhackable anyway, that kid at Best Buy told me all about it."

Re:IPv6

[kamakazi]

ummm, how does moving to IPv6 make my internet connection bigger or my web server capable of handling more connections? The problem here is simply the number of connections, not the protocols they used to connect. For that matter, this was on Akamai infrastructure, do we have any idea what percentage of this attack was IPv6?

IPv6 is not a universal panacea, it simply fixes a few structural issues with IPv4 and makes the address space a lot bigger. (Actually IP space is bigger than MAC address space, we are gonna hafta fix that one sooner or later, a non-expiring universal MAC address is unsubstainable since we throw a few away with every piece of hardware we dispose of.)

IPv6 does not prevent DDOS attacks or any other nefarious behaviour.

What if I told you Krebs was Republican?

That would turn your frown upside down and you'd be full of joy that his evil hate speech is finally offline.

Well good news. Krebs is totally a republican and is voting for Trump - so this is the GOOD kind of censorship.

Re:What if I told you Krebs was Republican?

Sure he's not one of those Republicans who are announcing—by the cartload, it seems—their support for Hillary?

Re:What if I told you Krebs was Republican?

[Opportunist]

Why should I give a fuck about what side of The Party he prefers?

Re:hyperbole

You flatter yourself. You're another douchy AC, just like me. No more, no less. You are irrelevant here, just like me.

Story's Not Over

[Bruce+Perens]

If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

Re:Story's Not Over

Ah, Cloudfare. The ones attempting to captcha the entire Internet; people would be cheering the attackers in that case.

Re:Story's Not Over

[Daniel+Boisvert]

If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

Do you have a source for this? All I've seen is that Akamai/Prolexic was unwilling to keep doing it for free, because it was getting really expensive. That seems like a significant difference, especially from the perspective of somebody intending to pay money for the services rendered.

Re:Story's Not Over

I believe the issue with Cloudflare is that they hide several very bad actors that Krebs has uncovered.

Re:Story's Not Over

I am not a DDoS researcher -- but the previous largest DDoS I know of was the 602Gbps against the BBC

http://www.csoonline.com/artic...

Comparatively, during the 2016 olympics, 7.3 Tbps was served (presumably in addition to routine customer traffic) without substantial complaint.

https://www.akamai.com/us/en/m...

This DDoS was very possibly just another slightly-unusual-day-in-the-life of Akamai, but one that actually started to cost non-trivial resources (just like TFA stated).

Given the current structure of the internet, you asking any company to "handle it properly" for anything approaching the terrabit scale is absurd. There is no playbook for that -- there's only sysadmins making the most solid QoS decisions their background and knowledge permits, and infrastructure investments. Most likely, there's sysadmins shuffling capacity around while trying to protect paying customers.

How many full-time sysadmin-days should be dedicated to a gratis customer -- even one as important to the world as Krebs?

Re:Story's Not Over

You don't have any business to send to Akamai, Perens. Krebs is actually relevant, no one's given a rat's ass about you since you did that goofy film with Stallman et. al.

On the other hand thanks for doing that, because now every time I read what you post, I imagine it being said in that incredibly nasal tone you speak in, as if you were literally trying to enunciate through your nostrils without the use of your tongue.

Re:Story's Not Over

For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

There's no differentiation needed for a reflected attack. You just have to sink the traffic. For L7 DDoS, where the attacking nodes will do full SSL negotiation and click on buttons and such, differentiation is meaningful because there's some art to classifying the traffic. However all of this traffic would have been immediately dropped by the kernel so there's no opportunity for differentiating software to help.

Do you think Cloudflare or Akamai is bigger?

I have my own bet, and :(

Do you have a source for this? All I've seen is that Akamai/Prolexic was unwilling to keep doing it for free, because it was getting really expensive.

That doesn't make much sense. They do not pay for each bit that arrives. They pay for the ability to handle arriving bits. And DDoSers focused on Krebs can't DDoS Akamai's other customers. It's a size war: total capacity of DDoS vs. total capacity of CDN. The more realistic story is that they were worried of falling over in public and losing all their customers.

Said differently: the reason one mitigates a DDoS for free is (a) it costs you nothing, (b) it gains you credibility and future customers. (a) will not change. You stop the free service when (b) changes---when you're about to lose.

Re:Story's Not Over

Not judging you nor Perens, but I am curious to know the name of this movie.
quick search using:
bruce perens stallman movie
doesn't help (me anyway)

Re:Story's Not Over

[swillden]

If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

There's also Google's Project Shield, which is free for journalists.

Re:Story's Not Over

You misunderstand. Akamai did NOT demonstrate an inability to handle the DDS. Akamai ONLY demonstrated an inability to fund handling it. Akamai remains able to provide the service for clients that can fund them to provide it.

I hope you refill your coffee and reconsider your post there. Since Akamai has graciously supported Krebs for so long it'd be really shitty to have your miss-statement stand.

Re:Story's Not Over

[Bruce+Perens]

There's also Google's Project Shield, which is free for journalists.

That's a really good point. This service sure isn't going to throw someone off for being attacked too much. I'll ask someone at Google to expedite the process.

Re:Story's Not Over

[Bruce+Perens]

OK. The folks who run Project Shield have been informed!

Re:Story's Not Over

I wouldn't be surprised if CloudFlare is already hosting the people behind the DDoS attack.

CloudFlare has many criminal customers. Check out this recent list of DDoS/"Stresser"/"Booter" websites proudly hosted by CloudFlare:

alphastress.com, anonymous-stresser.net, aurastresser.com, beststresser.com, boot4free.com, booter.eu, booter.org, booter.xyz, bullstresser.com, buybooters.com, cnstresser.com, connectionstresser.com, crazyamp.me, critical-boot.com, cstress.net, cyberstresser.org, darkstresser.info, darkstresser.net, databooter.com, ddos-fighter.com, ddos-him.com, ddos.city, ddosbreak.com, ddosclub.com, ddostheworld.com, defcon.pro, destressbooter.com, destressnetworks.com, diamond-stresser.net, diebooter.com, diebooter.net, down-stresser.com, downthem.org, exitus.to, exostress.in, free-boot.xyz, freebooter4.me, freestresser.xyz, grimbooter.com, heavystresser.com, hornystress.me, iddos.net, inboot.me, instabooter.com, ipstresser.co, ipstresser.com, jitterstresser.com, k-stress.pw, layer-4.com, layer7.pw, legionboot.com, logicstresser.net, mercilesstresser.com, mystresser.com, netbreak.ec, netspoof.net, networkstresser.com, neverddos.com, nismitstresser.net, onestress.com, onestresser.net, parabooter.com, phoenixstresser.com, pineapple-stresser.com, powerstresser.com, privateroot.fr, purestress.net, quantumbooter.net, quezstresser.com, ragebooter.net, rawlayer.com, reafstresser.ga, restricted-stresser.info, routerslap.com, sharkstresser.com, signalstresser.com, silence-stresser.com, skidbooter.info, spboot.net, stormstresser.net, str3ssed.me, stressboss.net, stresser.club, stresser.in, stresser.network, stresser.ru, stresserit.com, synstress.net, titaniumbooter.net, titaniumstresser.net, topstressers.com, ts3booter.net, unseenbooter.com, vbooter.org, vdos-s.com, webbooter.com, webstresser.co, wifistruggles.com, xboot.net, xr8edstresser.com, xtreme.cc, youboot.net

If CloudFlare would stop providing bulletproof hosting for criminals and spammers, the internet would be a better place. But CloudFlare apparently loves its criminal customers. DDoS purveyors, terrorist websites, malware distributors, CloudFlare seems to welcome them all to its hive of scum and villainy. Maybe it's time to revive the concept of the Usenet Death Penalty and apply it to all traffic to and from CloudFlare. They're the sewer of the internet and should be null routed and de-peered.

See also: CloudFlare Watch

Re:Story's Not Over

You misunderstand. Akamai did NOT demonstrate an inability to handle the DDS. Akamai ONLY demonstrated an inability to fund handling it.

Nope, YOU misunderstand. DDoSes do not cost per bit received on a scale of minutes or days. The DDoS bits consume capacity on transit and peering links that the DDoS mitigator purchases, or negotiates for free, on a scale of years. The whole point of DDoS prevention is to have more total prevention capacity than there is total DDoS capacity. If you have that much, DDoS are free, and you are a good DDoS mitigator. If you have less than that, you aren't a good DDoS mitigator. Saying there is a cost is an implicit admission of not enough capacity.

That's why DDoS prevention on blogspot.com is free: the cost of protecting your single blog from DDoS is the cost of defending against the biggest bot-herd these criminals are capable of mustering, and the cost of protecting all blogs on the Internet is the exact same number.

That Akamai dropped Krebs suggests Akamai doesn't have more total prevention capacity than there is total DDoS capacity.

Now, to be fair, it's not quite that simple because Akamai gets paid as CDN as well as DDoS mitigator. If they push customer bits over higher latency links than normal their customers might notice and become unhappy, so if DDoSers overwhelm the Indiana POP, but not North America generally, Akamai may be able to handle the DDoS but only by degrading other customers. Google's in a slightly better position on this front, business-wise, because they're their own CDN's biggest customer, so they can balance Youtube degradation against GCP reputation gain without worrying about losing Youtube as a customer of their own CDN.

Discussion about Akamai being "gracious" and that I had better watch myself to avoid offending them is just broken so let's stop that right now. Interpersonal retaliation is probably why you and I both post as AC's: enabling games of retaliation, gratitude, deference to nerd mafia "protection," is not the way you get the truthiest rumors. You sound like the sort of guy who suddenly becomes very polite on irc when some asshole claims to have a DDoS bot herd. I understand your sniveling behaviour, but I don't respect it. If you think I'm wrong about the technology, correct me, but don't suggest I leave out part of the story because "gratitude".

Re:Story's Not Over

second link using your search terms on google yielded Revolution OS, which is a movie title, not an operating system.
https://en.wikipedia.org/wiki/Revolution_OS
I'm pretty sure that documentary is the "goofy film" being referred to, but I haven't seen it.

Re:Story's Not Over

The problem with the "it's too expensive because it's free" theory is that the cost of the paid service is by definition quite inexpensive because it is effectively a kind of insurance; it's not like the $1000 a month Akamai charges their commercial customers is going to somehow offset the DDOS they were experiencing in any meaningful way.

Probably the correct interpretation is this one: the anti-DDOS services will dump you with little warning and few options if the DDOS is big enough.

The answer is already here...

The answer is already here.
Use ipfs
https://ipfs.io/
This problem goes away on it's own. Sure they DDoS but they only be hitting 127.0.0.1

Call the FBI

They will help.

Ironic

[twistedcubic]

Site is suffering a DDoS attack, and we slashdot it.

Re:Ironic

[Burz]

https://www.youtube.com/watch?...

Re:Ironic

is "slashdotting" a site still a thing?

This is a stupid attack

[DeltaQH]

Why should an entity reveal its capabilites setting up such attack bringing himself too much in the public light and without any monetary profit. It may backfire by getting the authorities, and even other ddos attacks users, on his trail and by triggering the search and implementation of technical and regulatory measures to reduce or eliminate the means he uses for the attack. The entity behind this does attack may have just triggered a Barbara Streisand attack.

Re:This is a stupid attack

I think it is assumed that the DDoS was retaliation for Krebs' reveal of the two Israeli individuals running vDos. The motivation is simple: make an example to send a message that you shouldn't mess with the guys running DDoS services.

Given that Krebs no longer has a site - is this mission accomplished?

It's a sign of continuing centralization

[Casandro]

In the past it was trivial to just mirror websites as they typically only consisted of some HTML pages and some images. If something like that happened in the past, you'd just have mirrors popping up everywhere.

Today websites are much more complicated. Even something as simple as a blog is now dynamically generated every time its loaded. You cannot simply mirror that.

Re:It's a sign of continuing centralization

[NotAPK]

"You cannot simply mirror that."

You can actually mirror a dynamic site trivially, it's just that the snapshot goes immediately out of date.

The first way to improve dynamic website performance is to put a proxy in front of the web server to cache content and minimise the number of hits that reach dynamic code.

I'll add a caveat to my comment about mirroring dynamic sites: I'm not talking about the latest wave of non-HTML sites that use JS to render directly in the browser. In theory they can be mirrored as well, but the mirroring software has to execute the JS to retrieve all of the referenced objects to build the site. Bleh, so horrible.

Re:Great idea! Articles could be categorized and d

[phorm]

Gee, sarcasm.

newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other major odies would keep local cache's of the top groups. The obvious disadvantage of this being that those same bodies get to choose which newsgroups they clone/share, whereas in P2P anyone who has picked up the document/article/whatever is potentially also a peer.

I for one welcome our new IoT overlords.

That.

Problem of todays web: "One fat sitting target"

[burni2]

Ok, people my point is we have too long relied on companies protecting those that can pay (Brian cannot) the hefty fee from DDOS.

And when I introduced this thought with "one fat .. target" I meant even Akamai with its big - but limited - bandwidth is condensed to just one target when that bandwidth is exhausted.

My point: Mittigation for this scale of attack is to counter it with a "borg collective" of an even or bigger scale.

The vulnerability for Brian, us and everyone is, that the fight is one against an army. Now one could argue that going on the offensive(attacking the bots, identifying the bots) would be a favourable cause. However this would end up in many little scrimishes that drain energy and end in a victory for that bad guys, because they have more energy.

So I don't think that such an offensive would be a meaningful course of action. The best course of action would be to first weaken those DDOS attacks and then rendering them uneffective because there is not even a single target.

So todays sites are a single sitting fat target, Akamai is just a thick wall, but every wall can be shot to pieces with a big army.

But there are two known and working mittigations

a.) freenet / freesite - with its hash keys and asymetric encryption a site is even "signed", also everyone who connects to a freesite will store it in the cache/storage.

b.) bit-torrent
example: It is still active and thriving till today, under attack and not just holding up but thriving.

Idea: torrent(ify) the web

But the secondary - offensive - measure is to identify the unwilling bots of these bot nets and work on this front - long long way to go.

Re:Problem of todays web: "One fat sitting target"

You raise a good point; it isn't right that only those with millions of dollars to spend can keep a web site up. Nor should corporate entities be smack in the middle of social networks with censorship capability. Centralization of web services, social networks, etc. is fundamentally broken, and it also raises the barrier of entry for new services.

Further, a low-latency reliable connection will not always be available, so we should be moving from server-side dynamically generated content to something that can be done client-side and cached in the network. We haven't colonized the moon or mars yet, but we should be thinking in that direction;.satellite connections are bad enough on earth already. The other problem is that server-side dynamic content can't be archived properly.

That said, there is a lot of work yet to be done laying the foundation for robust distributed services. At a minimum, we need to restore the end-end connectivity of the Internet, and banish asymmetric connections. It is disturbing just how far backwards the Internet has come as a medium for distributing information. In the early days, it was all content-centric, and trivial to mirror sites.

Re:Great idea! Articles could be categorized and d

[smallfries]

Which central server did these non-peers cache the newsgroups from?

Hey slashdot, want to make some ad revenue?

I know that I now want to read the articles, whereas before, I wasn't even aware of them.

Security profesionalls wanting to mitigate the threat of DDOS could start by widely distributing the articles across multiple sites. If every site that cares about security mirrored their targetted colleagues in time of need...

Re:Drama queens

[andot]

Well, next time it could be your website. Or your bank's website or any other web site or service you need and you don't even know you need it badly.

Just start syndication

[evilviper]

Krebs just needs to change his distribution model. Instead of limiting this info to his own website, just start publishing the content on any interested website. Why hasn't slashdot already contacted him and offered to host his content? Even if they can DDoS a single major site into submission, they won't stand a chance of taking several offline.

For that matter, why wasn't Akamai sending out tons of abuse@ emails during this mess, telling ISPs to stop the flood coming from their side, or face financial liability for any continuing traffic? That would actually SOLVE the DDoS problem, quickly and permanently diminishing the ranks of their botnets, and eliminating the attackers resources, costing them money.

Re:We tried to tell people. Tell them DICK!

My penis is so very big. It is also incredibly penisey! It could go right up your rancid butt hole.

Which would be the best sex you ever had. Leaving you to die, decades later, broken hearted and confused.

Re:Drama queens

Then stop posting you fucking moron.

IoT should just be stopped dead now.

Just the first round of all the Bad Things IoT is going to bring society. From monster-size DDoSes to the coming binding of real world events to can't-be-made-secure-computers , you know like the one you're typing on now, IoT is a motherfucking disaster in the making and we should stop it dead in its tracks right now.

But no.... think of the future. Think of the children.

Re:Great idea! Articles could be categorized and d

[swb]

NNTP was pretty decentralized, one of the challenges with it in the later days of NNTP was the relative ease of newgroup injection and crapflooding.

IIRC, NNTP server software on the hardware of the early 2000s scaled poorly and the traffic volumes were growing fast so you started to see ISPs get much more control oriented when it came to retention periods and which newgroup messages they would honor and from whom.

Just ask Alexa and Siri - "stop botnet"

Just ask Alexa and Siri - "stop botnet"

Re:Drama queens

> or service you need and you don't even know you need it badly.

Have we really come to the point where we can not live with a couple of sites being temporarily knocked off the internet?
Heaven forbid someone figures out how to ddos the power grid because that would take down all sites!

Easy solution

[Opportunist]

Hold manufacturers of such shitty IoT appliances liable for facilitating crimes. Not only will we be spared fridges that spy on our lives, this whole mess would end pretty fucking quickly.

Fatal Flaws

[JustAnotherOldGuy]

It's not a good thing when one or two jackasses can fuck over the entire internet.

And yes, I know this wasn't the entire internet, but imagine this attack writ large, performed by multiple actors, possibly with state backing (or maybe just a lot of personal resources).

The internet is basically at the mercy of whoever feels malicious on any given day and who has the ability to push a few buttons.

Re:hyperbole

It's time for you to go to the mountains for awhile, AC. Nobody here cares about your boring existential crisis.

Yep, no hyperbole at all here

DOSing is easy. It's easy to DOS. Botnets are cheap as fuck these days and seemingly in neverending supply. If you're pissing off the "wrong" people then you better sure as fuck expect this kind of shit (and worse) to happen.

Post your shit far and wide. Put a mitigation service into play and have a backup ready to go. Hire some personal physical security. Be as visible to the public as you can. If you can't do this, then you need to properly consider what you're getting yourself into.

The article comes across a a creative writing assignment disguised as journalism, which is a bit of a shame.

In all terror on line or other

rockets solve the problem.

Akamai

Fair amount of Akamai hate going on here.

"Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free."

THAT SHIT AIN'T CHEAP. As it turns out, companies can only do so much before they actually need to get paid for their service. If Mr. Intrepid Security Internet Reporter had some actual contingencies in place, such as the ability to pay for his website's mitigation services during a stepped up attack, when maybe things would be a bit different right now.

Krebs now hosted by google

[Jayfar]

The site is back! Now hosted by google.

3x Wikipedia blasted every second

www.securitytaco.com reports that the staggering amount of junk data involved in the DDOS is equivalent to 3x the holdings of Wikipedia every second. http://www.securitytaco.com/2016/09/24/iot-household-appliances-take-down-website-ddos-attack-is-largest-ever-recorded-and-your-toaster-oven-may-be-on-the-prowl/

Partially sarcastic

[raymorris]

> newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other odies (bodies?)

You didn't have to use your ISP's servers, just like you don't have to use their DNS. People routinely used other news servers, and nerds often ran their own. Of course using your ISP's local servers tends to be faster and more efficient than some server on a far-away network.

Until shortly before NNTP mostly died, most ISPs didn't want liability from choosing to carry specific news groups, so they didn't choose - they carried all of the official ones, and most of alt.

> Gee, sarcasm.

Half sarcasm, and moderated +5 Informative. I work with engineers born in the 1990s. It's not uncommon for such people to invent something, not knowing it was commonly used in the 1980s.

If you haven't noticed it in tech, you've surely noticed it in policy discussions - people argue, predicting what the effect of trying policy X might be, apparently unaware that policy X has already been tried many times in many places. I'd guess that close to 50% of political posts are people predicting the past.

Re:Partially sarcastic

> ... It's not uncommon for such people to invent something, not knowing it was commonly used in the 1980s...

Which brings us back to systemd.

NNTP

[phorm]

I was a pretty strong NNTP user until some of my more regular groups became unavailable (dropped by ISP, probably due to piracy concerns) and the rest started getting spam-flooded.

The big difference in this, other than distribution, is that NNTP was generally synchronised by topic, whereas I'm speaking more on something like a distributed "site" seemed and keyed by a single author/organisation. I.E. for Krebs, only he or somebody affiliated with him should be able to post.

Another user mentioned "ipfs". It seems a bit complicated to setup but is a similar premise.