Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size.
Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
There is no fucking reason for the internet to be this much of a clusterfuck. Spoofed routing updates, IP spoofing, none of this should be possible by design.
With a non-retarded internet DDoS attacks could simply be blocked at the source by certified ISPs. Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.
Stop patching up this shit and give us a next generation internet, I'm sick of this shit.
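The "block it at the source" idea in the comment above is what an access ISP's ingress filtering does (the practice standardized in RFC 2827 / BCP 38): traffic leaving a customer link is forwarded only if its source address belongs to the prefixes assigned to that link. The example below is added here and is not code from the post or from any ISP; the customer port names, prefixes and sample packets are constructed, and it models the check in plain Python rather than on a router.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assignment of customer access ports to the prefixes delegated
# to them (hypothetical ISP; documentation ranges only).
CUSTOMER_PREFIXES = {
    "port-17": [ipaddress.ip_network("203.0.113.0/26")],
    "port-42": [
        ipaddress.ip_network("198.51.100.128/25"),
        ipaddress.ip_network("2001:db8:42::/48"),
    ],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer link the packet arrived on
    src: str           # claimed source address
    dst: str


def is_spoofed(pkt: Packet) -> bool:
    """True if the source address is not one this customer link may use."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_port)
    if prefixes is None:
        return True  # unknown link: fail closed rather than forward
    src = ipaddress.ip_address(pkt.src)
    # An IPv6 address is never "in" an IPv4 network and vice versa,
    # so mixed-family checks fall out naturally as not-allowed.
    return not any(src in prefix for prefix in prefixes)


def filter_egress(packets):
    """Split packets into those to forward and those to drop."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed(pkt) else forwarded).append(pkt)
    return forwarded, dropped


def spoof_report(dropped):
    """Count dropped packets per customer link: the evidence an ISP would
    use to find which subscriber's equipment is emitting spoofed traffic."""
    counts = {}
    for pkt in dropped:
        counts[pkt.ingress_port] = counts.get(pkt.ingress_port, 0) + 1
    return counts


# Constructed sample traffic: a mix of legitimate and spoofed sources.
SAMPLE_PACKETS = [
    Packet("port-17", "203.0.113.5", "192.0.2.80"),      # legitimate
    Packet("port-17", "203.0.113.200", "192.0.2.80"),    # outside /26: spoofed
    Packet("port-42", "198.51.100.130", "192.0.2.80"),   # legitimate
    Packet("port-42", "2001:db8:42::1", "2001:db8::80"), # legitimate v6
    Packet("port-42", "192.0.2.9", "192.0.2.80"),        # foreign prefix: spoofed
    Packet("port-99", "203.0.113.1", "192.0.2.80"),      # unknown link: dropped
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} by_port={spoof_report(drp)}")
```

Note what this does and does not buy a defender: it stops a device behind `port-17` from forging someone else's address, which is what makes reflection and attribution-evasion work, but it does nothing against a device sending at high rate from its own real address, which is the case the thread turns to below.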
If they are so easy to commandeer, I think a group should go around bricking these damn things. Brick enough of them and either users will toss them or return them. Either way, the vendor will actually consider lockdown and security a value add or go out of business. The world is better off.
Day or two? Here's how you do it:
Publish and have people mirror it.
The most extreme way being to publish a magnet link to whatever you published and to let the world seed it.
Content distribution at "web scale" was solved ages ago.
Why would any of that work?
First, if IP address spoofing is a real thing, and it is, then it'd be trivial to turn holding the 'source' accountable into an easy money-making scam. You can't expect people to keep their devices secure as long as companies keep producing buggy devices. That would be like pressing terrorism charges against anyone who's had their phone explode in public. Completely not the user's fault. There aren't even any user-focused tools to let you know if your TV is currently attacking someone or not. Powering it off isn't good enough.
Second, the attack used millions of devices. The IPs don't need to be spoofed. A firewall can block them, but the attackers can push so many connections at the firewall that it can't handle them even if everyone gets blocked.
The only way I know to overcome a DDoS attack is to have more resources than the attacker so that they can't bottleneck anything you have. If I'm wrong, please correct me.
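The point in the post above, that per-source blocking stops helping once the attack is spread over millions of real, unspoofed devices, can be shown with a small model. The code below is an added example, not from the post: it models a firewall that blocks any source once it exceeds a per-source packet threshold but can only hold state for a bounded number of sources, and compares a few-big-sources attack against a many-small-sources attack of the same total volume. All scenarios, addresses and numbers are constructed.

```python
# Constructed attack scenarios: (source_ip, packets sent in the window).
# Same total volume (300,000 packets) in both cases.
FEW_BIG_SOURCES = [(f"198.51.100.{i}", 100_000) for i in range(1, 4)]
MANY_SMALL_SOURCES = [
    (f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}", 60)
    for i in range(5000)
]


def simulate_per_source_blocking(sources, per_source_threshold, table_capacity):
    """Model a stateful filter that lets each tracked source send up to
    per_source_threshold packets and drops the rest, but can track at most
    table_capacity distinct sources; untracked sources pass unfiltered.

    Returns (fraction of attack packets that got through, table entries used).
    """
    tracked = {}
    passed = total = 0
    for src, pkts in sources:
        total += pkts
        if src in tracked or len(tracked) < table_capacity:
            tracked[src] = pkts
            # first `threshold` packets are allowed before the source is blocked
            passed += min(pkts, per_source_threshold)
        else:
            # state table exhausted: nothing is known about this source,
            # so its traffic is forwarded (the "can't handle them" case)
            passed += pkts
    return passed / total, len(tracked)


def compare(per_source_threshold=1000, table_capacity=1000):
    """Run both scenarios under the same filter settings."""
    return {
        "few_big": simulate_per_source_blocking(
            FEW_BIG_SOURCES, per_source_threshold, table_capacity),
        "many_small": simulate_per_source_blocking(
            MANY_SMALL_SOURCES, per_source_threshold, table_capacity),
    }


if __name__ == "__main__":
    for name, (leak, entries) in compare().items():
        print(f"{name}: {leak:.1%} of attack traffic passed, {entries} table entries used")
```

With a threshold of 1,000 packets per source, the three-source attack is cut by 99% using three table entries, while the 5,000-source attack passes in full: every source stays under the threshold, and once the table fills the remaining sources are not even tracked. Raising the capacity does not change the outcome, because the per-source signal is simply absent, which is why such floods are absorbed with more capacity upstream rather than filtered at the target.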