Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size.
Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
I thought the "internet of things" was a .. "diegetic prototype", i.e. a fantasy. How many net-addressable refrigerators and automatic light switches are there, that they can mount a DDOS of this scale?
--
if all you have is a bow, every problem looks like a skeleton
They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads. Power holders want to track your every move and dig every loose penny they can find out of _your_ pocket in the process.
Stop connecting every damn thing to the Internet, and start securing what you have to have connected. This is not a mentally challenging thought process, so if you don't "get it" that makes you...
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
There is no fucking reason for the internet to be this much of a clusterfuck. Spoofed routing updates, IP spoofing, none of this should be possible by design.
With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs. Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.
Stop patching up this shit and give us a next generation internet, I'm sick of this shit.
SPECTRE. The SPecial Executive for Counter-intelligence, Terrorism, Revenge and Extortion.
From a James Bond movie.
https://en.wikipedia.org/wiki/SPECTRE
Give it a day or two and a solution will exist. It's only when problems become real that people start taking notice. If heroes can go down, then all of us must rise up.
As long as it scales in parallel to money, it's nothing new or revolutionary. New gun for hire, different day.
...that there's ANOTHER reason the "internet of things" is a stupid idea.
-Styopa
I think this is a problem in want of a legal solution rather than a technical one. That is, people hosting ddos botnet nodes behind their internet connection, willingly or not, should be held accountable. And it needs not be anything drastic, just require heavy throttling until they fix their shit. And foreign actors can simply have their mal-intended traffic dropped at the border links if their country doesn't enforce similar rules.
What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
So wait, a DDOS attack can happen to anybody? This kind of hard hitting revelation is why I keep coming back to this site.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
This sounds like a good use for some torrent-type technology to supply "distributed websites"
Rather than having a server or "servers", articles go out from a seed source and are quickly seeded throughout the world. Maybe add some sort of checksumming/encryption to help validate that an article did in fact come from the real source and not an impostor... it would stop sh*t like this from happening.
The attackers are distributed. The victims are not. We need to superdistribute web content like we do with music. Think TOR meets torrents. It would take httpd authors, browser authors, and even search engines to get in on the act, but it would put an end to the problem. (somebody is probably already working on this)
The web, like e-mail, is going through death throes. The kids will decide what lives and what dies I guess.
I am not interested in articles about life extension advancements.
No, it needs a technical solution. Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this.
The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up.
The issue at present is that source IP spoofing is far too easy because the ISP's are routing traffic that can't legitimately be coming from inside their network.
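The post above argues that ISPs should refuse to route outbound traffic whose source address was never assigned to their own network (the BCP 38 / ingress-filtering idea), and other posts in this thread point out that a botnet of real IoT devices needs no spoofing at all. The following is an added example, not code from any poster or from Krebs or Akamai, that shows both points on constructed flow records: the filter drops every flow whose source lies outside the customer prefixes, and passes every trickle that comes from a legitimately assigned address. The prefixes, flows and rates are all made up (documentation address ranges only).

```python
"""Source-address validation at an ISP customer edge (BCP 38 style).

Added illustration; prefixes and flows are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes this ISP has assigned to customers behind one edge router.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass(frozen=True)
class Flow:
    src: str            # source address as seen on the customer-facing interface
    dst: str            # destination (the DDoS victim in these samples)
    bytes_per_sec: int  # constructed rate


def is_spoofed(src_ip: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """True when an outbound packet carries a source address the ISP never
    assigned to this edge.  That is exactly the traffic BCP 38 tells an ISP to
    drop; IPv4 addresses never match IPv6 prefixes and vice versa."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


def egress_filter(flows):
    """Split outbound flows into (forwarded, dropped) per the spoofing check."""
    forwarded, dropped = [], []
    for f in flows:
        (dropped if is_spoofed(f.src) else forwarded).append(f)
    return forwarded, dropped


def aggregate_bps(flows) -> int:
    """Total rate of a set of flows; what the victim actually receives."""
    return sum(f.bytes_per_sec for f in flows)


# Constructed sample: a few honest-looking IoT trickles plus three spoofed sources.
SAMPLE_FLOWS = [
    Flow("198.51.100.23", "192.0.2.10", 120_000),    # assigned customer address
    Flow("198.51.100.40", "192.0.2.10", 20_000),     # compromised device, real IP
    Flow("198.51.100.41", "192.0.2.10", 20_000),     # compromised device, real IP
    Flow("203.0.113.9", "192.0.2.10", 20_000),       # compromised device, real IP
    Flow("203.0.113.77", "192.0.2.10", 80_000),      # inside the /25: passes
    Flow("203.0.113.200", "192.0.2.10", 80_000),     # outside the /25: spoofed
    Flow("192.0.2.1", "192.0.2.10", 9_000_000),      # reflection-style spoof
    Flow("2001:db8:1::5", "2001:db8:f::1", 50_000),  # assigned v6 customer
    Flow("2001:db8:2::5", "2001:db8:f::1", 50_000),  # spoofed v6 source
]

if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_FLOWS)
    print(f"forwarded {len(fwd)} flows, {aggregate_bps(fwd)} B/s")
    print(f"dropped   {len(drp)} flows, {aggregate_bps(drp)} B/s")
    for f in drp:
        print("  dropped spoofed source", f.src)
```

The filter stops the spoofed 9 MB/s reflection flow cold, which is the whole case for BCP 38. It forwards every one of the low-rate flows from assigned addresses, because from the ISP's vantage point they are indistinguishable from honest customers; a botnet built from real devices with real addresses, as described for this attack, passes such a filter untouched.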
If they are so easy to commandeer, I think a group should go around bricking these damn things. Brick enough of them and either users will toss them or return them. Either way, the vendor will actually consider lockdown and security a value add or go out of business. The world is better off.
Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks. If it's too expensive for Akamai to do this, it means that the attackers can take any site offline, no matter how big or how powerful. So, no, it's not just about one site. How long until Akamai itself can't keep up with attacks and has to shut down?
This is a problem in itself. What you suggest means the end of a free internet. Only domains owned by organizations big enough to absorb that kind of ddos or too small to attract attention would be left in the end.
>Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks
It wasn't too expensive for Akamai to continue fending off the attacks. It was too expensive for them to fend off the attacks for free.
Of course, the legal solution of punishing the guy who did it is already available, if you can find him, and if he lives in a country with laws friendly to that sort of thing.
Time for a license to get on the internet, eh? You need to pass a test about keeping your system patched.
And for those companies releasing IoT products with open FTP ports, may they die in a fire.
Irresponsible disclosure is responsible
It's not our computers doing this, it's the damn refrigerator. Don't blame me when your black box goes on the fritz. And don't go after the users until they can sue Microsoft and Apple, and Frigidaire for their feeble security.
“He’s not deformed, he’s just drunk!”
> articles go out from a seed source and are quickly seeded throughout the world.
That's a wonderful idea. We'd need a new protocol for distributing these "articles". We could call it Network News Transfer Protocol or something. You could tag your article according to categories and subcategories, and people could subscribe to these different news groups. We could use ssl/tls for authentication of peers.
It probably wouldn't take too long to develop such a protocol; I bet we could have it done by 1986.
For as much Libertarian cock sucking goes on around /. this seems to be exactly the free market at work. Only he was getting service for free. So yeah, he wasn't worth keeping around without being a real customer.
Unfortunately it's not that easy, the target should be the ones building the botnets - make it a capital crime.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDoS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.
For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDoS.
Bruce Perens.
The answer is already here.
Use ipfs
https://ipfs.io/
This problem goes away on its own. Sure they DDoS, but they'll only be hitting 127.0.0.1
And we will see new problems instead.
But ISPs seems to delay the introduction of IPv6 a lot, which sucks.
Day or two? Here's how you do it:
Publish and have people mirror it.
The most extreme way being to publish a magnet link to whatever you published and to let the world seed it.
Content distribution at "web scale" was solved ages ago.
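Two posts in this thread sketch the same mechanism: publish an article once, let the world mirror or seed it, and give readers a way to check that what a mirror hands them "did in fact come from the real source" (the checksumming idea above, and the magnet-link idea in this post). The following is an added example, not code from either poster, of the verification half of that scheme: the publisher issues a manifest of per-piece SHA-256 hashes plus a short identifier for the manifest itself, and a reader who obtained that identifier out of band can accept a copy from any untrusted mirror and pinpoint the first corrupted piece. The article text, piece size and file name are constructed for the example; this is the BitTorrent piece-hash idea in miniature, not the BitTorrent protocol.

```python
"""Verify an article fetched from an untrusted mirror against a
publisher-issued piece-hash manifest.

Added illustration; the article bytes and piece size are constructed.
"""
import hashlib
import json

PIECE_SIZE = 64  # bytes; deliberately tiny so the sample splits into several pieces


def build_manifest(name: str, data: bytes, piece_size: int = PIECE_SIZE) -> dict:
    """Publisher side: describe the file by length and SHA-256 of each piece."""
    pieces = [data[i:i + piece_size] for i in range(0, len(data), piece_size)]
    return {
        "name": name,
        "length": len(data),
        "piece_size": piece_size,
        "pieces": [hashlib.sha256(p).hexdigest() for p in pieces],
    }


def manifest_id(manifest: dict) -> str:
    """Hash of the canonical manifest encoding.  This short string is what the
    publisher distributes out of band (the role a magnet link plays); anyone
    holding it can check a manifest offered by a mirror."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_download(manifest: dict, expected_id: str, data: bytes):
    """Reader side.  Returns (ok, detail):
       (True, None)  data matches the manifest and the manifest matches the id
       (False, -1)   the mirror served a manifest that does not match the id
       (False, -2)   the payload length differs from the manifest
       (False, k)    piece k is the first one whose hash does not match."""
    if manifest_id(manifest) != expected_id:
        return False, -1
    if len(data) != manifest["length"]:
        return False, -2
    ps = manifest["piece_size"]
    for idx, want in enumerate(manifest["pieces"]):
        piece = data[idx * ps:(idx + 1) * ps]
        if hashlib.sha256(piece).hexdigest() != want:
            return False, idx
    return True, None


def tamper(data: bytes, index: int) -> bytes:
    """Simulate a hostile or broken mirror flipping one bit of the payload."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed stand-in for a published article (not the real KrebsOnSecurity text).
ARTICLE = (
    b"Constructed sample article text standing in for a KrebsOnSecurity post.\n"
    b"vDOS operators took in more than $600,000 in two years by knocking sites offline.\n"
    b"Two men who allegedly ran the service were arrested a few days later.\n"
)
MANIFEST = build_manifest("krebs-vdos-part1.txt", ARTICLE)
ARTICLE_ID = manifest_id(MANIFEST)

if __name__ == "__main__":
    print("pieces:", len(MANIFEST["pieces"]), "id:", ARTICLE_ID[:16], "...")
    print("honest mirror:", verify_download(MANIFEST, ARTICLE_ID, ARTICLE))
    print("tampered byte 70:", verify_download(MANIFEST, ARTICLE_ID, tamper(ARTICLE, 70)))
    print("truncated copy:", verify_download(MANIFEST, ARTICLE_ID, ARTICLE[:-1]))
```

Hashes alone authenticate the bytes against the identifier, not the identifier against the author: if readers pick the identifier up from a site that is itself down or impersonated, nothing here helps. In practice the identifier (or the manifest) also needs a publisher signature, which is the "encryption" half of the earlier suggestion and is left out of this example.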
Site is suffering a DDoS attack, and we slashdot it.
Why, because the ISPs who can't block the spoofed IPv4 packets will somehow be able to block spoofed IPv6 packets? What's the thinking there?
Why should an entity reveal its capabilities by setting up such an attack, bringing itself too much into the public light and without any monetary profit? It may backfire by getting the authorities, and even other ddos attack users, on his trail and by triggering the search for and implementation of technical and regulatory measures to reduce or eliminate the means he uses for the attack. The entity behind this DDoS attack may have just triggered a Barbara Streisand attack.
In the past it was trivial to just mirror websites as they typically only consisted of some HTML pages and some images. If something like that happened in the past, you'd just have mirrors popping up everywhere.
Today websites are much more complicated. Even something as simple as a blog is now dynamically generated every time it's loaded. You cannot simply mirror that.
Gee, sarcasm.
newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other major bodies would keep local caches of the top groups. The obvious disadvantage of this being that those same bodies get to choose which newsgroups they clone/share, whereas in P2P anyone who has picked up the document/article/whatever is potentially also a peer.
Why would any of that work?
First, if IP address spoofing is a real thing, and it is, then it'd be trivial to turn holding the 'source' accountable into an easy money-making scam. You can't expect people to keep their devices secure as long as companies keep producing buggy devices. That would be like pressing terrorism charges against anyone who's had their phone explode in public. Completely not the user's fault. There aren't even any user-focused tools to let you know if your TV is currently attacking someone or not. Powering it off isn't good enough.
Second, the attack used millions of devices. The IPs don't need to be spoofed. A firewall can block them, but the attackers can push so many connections at the firewall that it can't handle them even if everyone gets blocked.
The only way I know to overcome a DDoS attack is to have more resources than the attacker so that they can't bottleneck anything you have. If I'm wrong, please correct me.
Ok, people my point is we have too long relied on companies protecting those that can pay (Brian cannot) the hefty fee from DDOS.
And when I introduced this thought with "one fat .. target" I meant even Akamai with its big - but limited - bandwidth is condensed to just one target when that bandwidth is exhausted.
My point: Mitigation for this scale of attack is to counter it with a "borg collective" of an even or bigger scale.
The vulnerability for Brian, us and everyone is, that the fight is one against an army. Now one could argue that going on the offensive (attacking the bots, identifying the bots) would be a favourable cause. However this would end up in many little skirmishes that drain energy and end in a victory for the bad guys, because they have more energy.
So I don't think that such an offensive would be a meaningful course of action. The best course of action would be to first weaken those DDOS attacks and then render them ineffective because there is not even a single target.
So today's sites are a single sitting fat target, Akamai is just a thick wall, but every wall can be shot to pieces with a big army.
But there are two known and working mitigations
a.) freenet / freesite - with its hash keys and asymmetric encryption a site is even "signed", also everyone who connects to a freesite will store it in the cache/storage.
b.) bit-torrent
example: It is still active and thriving till today, under attack and not just holding up but thriving.
Idea: torrent(ify) the web
But the secondary - offensive - measure is to identify the unwilling bots of these bot nets and work on this front - long long way to go.
No, it needs a technical solution. Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this.
The technical solution is cleaning up millions of owned systems.
The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up.
This isn't 1996. Nobody runs botnets where individual hosts overtly "spam" and expect to keep their network intact.
The issue at present is that source IP spoofing is far too easy because the ISP's are routing traffic that can't legitimately be coming from inside their network.
This just happens to be the low hanging fruit.
Which central server did these non-peers cache the newsgroups from?
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
I know that I now want to read the articles, whereas before, I wasn't even aware of them.
Security professionals wanting to mitigate the threat of DDOS could start by widely distributing the articles across multiple sites. If every site that cares about security mirrored their targeted colleagues in time of need...
Well, next time it could be your website. Or your bank's website or any other web site or service you need and you don't even know you need it badly.
Krebs just needs to change his distribution model. Instead of limiting this info to his own website, just start publishing the content on any interested website. Why hasn't slashdot already contacted him and offered to host his content? Even if they can DDoS a single major site into submission, they won't stand a chance of taking several offline.
For that matter, why wasn't Akamai sending out tons of abuse@ emails during this mess, telling ISPs to stop the flood coming from their side, or face financial liability for any continuing traffic? That would actually SOLVE the DDoS problem, quickly and permanently diminishing the ranks of their botnets, and eliminating the attackers' resources, costing them money.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
NNTP was pretty decentralized, one of the challenges with it in the later days of NNTP was the relative ease of newgroup injection and crapflooding.
IIRC, NNTP server software on the hardware of the early 2000s scaled poorly and the traffic volumes were growing fast so you started to see ISPs get much more control oriented when it came to retention periods and which newgroup messages they would honor and from whom.
Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum, this effectively means that unless you have a lot of money or a company willing and able to pay what amounts to protection money, you potentially won't be permitted to speak - doing so with an uncomfortable topic for someone gets you knocked offline. Pay the wrong mob and you get to pay again, and again, and again.
One potential outcome may be that truly personal sites will become impossible to support and host; especially if you have any content that could be seen as controversial. You will have to pay someone to host it for you. If they agree, and it doesn't cost THEM too much, and it's not controversial - fine. Want to promote a social cause? Sorry, you can't afford to. Get back into the bit mines, peon. And this fits nicely into the whole cloud thing too, where you don't need anything in your own datacentre, host it on someone else's computer.
I'm waiting for the first wave of destruction to hit the major cloud providers - if this network supposedly of DVRs can deliver 1-1.5Tbps, and you factor in another dozen of similar size, you're talking 15-20Tbps directed at a target. I doubt even Google and the CDNs can withstand that for very long without service impacts, and that's not even factoring in attacks that actually have a little brainpower behind them.
No, it needs a technical solution [as opposed a legal one]. Making ISP's liable .........
That is a legal solution.
The rest can then be tackled by holding the source to blame
So is that.
We could stop using TCP/IP and peer-based networking. Ultimately, DDOS is only possible because the protocols and architecture allow it.
Hold manufacturers of such shitty IoT appliances liable for facilitating crimes. Not only will we be spared fridges that spy on our lives, this whole mess would end pretty fucking quickly.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why should I give a fuck about what side of The Party he prefers?
Make egress filters mandatory. No ifs or buts. Make it law.
Make it law that I can disconnect any user who isn't egress filtering and is sending me shit.
Make it a law where? If it's just in the US, or just the US and the EU, then the law does no good. It would need to be a worldwide law, good luck getting such a law in every country.
Enigma
It's not a good thing when one or two jackasses can fuck over the entire internet.
And yes, I know this wasn't the entire internet, but imagine this attack writ large, performed by multiple actors, possibly with state backing (or maybe just a lot of personal resources).
The internet is basically at the mercy of whoever feels malicious on any given day and who has the ability to push a few buttons.
Just cruising through this digital world at 33 1/3 rpm...
It is pretty unlikely this attack needed source spoofing. Far more likely each insecure IoT device only contributed a trickle, and that with a legitimate IP address.
What is needed instead is to make manufacturers of these crappy, insecure devices liable for the full damage caused. They can then try to get that money back from the attackers (good luck with that...).
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Excuse me? This will not even help one bit. The biggest danger to the Internet are morons that have no clue how it works.
The censorship has been happening here on Slashdot for years already. Instead of concentrated DDOS attacks it's been in the form of mod-point-activism.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum
Google offers it free to all journalists.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I guess you aren't understanding a simple fact here. This is not devices that are spamming, this is thousands and thousands of devices, none of which is generating more traffic than could be legitimate.
The design of the internet says I can send packets from any device to any device on any port I choose, and that is what these bots are doing. I am sure that no single device out there is putting out as much traffic as a single high resolution web cam watching baby eagles hatch or many other non-evil uses.
This kind of attack is basically unstoppable, since much of the traffic is indistinguishable from normal web site visitors.
A technical solution would have to involve attacker device identification, by profiling traffic originating from pretty much every IP on the internet, and as such would not be a real time defense, it would be a long term, continuous, ongoing effort to identify and remedy every exploited device out there.
That pretty much means that no one can afford to dedicate the resources that are required, even state entities will not be willing to spend that much on such a cause. Actually, the state actors seem to be more interested in using exploitable devices than fixing them, and they sure aren't helping anybody else fix them.
And last time I checked easily exploited devices are being attached to the internet at an increasing rate with no sign of slowing in the future.
I agree about IP spoofing, if everyone set their routers up correctly it simply wouldn't exist, but I also don't think IP spoofing is a significant contributor to DDOS attacks. Why would the bad guys care if you know where the individual devices in their botnet are? They aren't on the hook if some ISP shuts down your smart TV or thermostat or Windows XP box for being bad.
I also was pretty impressed by the numbers in this attack, Akamai kinda shines in this story, they took surges over half a terabit a second and didn't fall over, they should use those numbers for advertising.
"Proximity to wonder has blunted our perception and appreciation of it" --Tim Hartnell in 'Exploring ARTIFICIAL INTELLI
ummm, how does moving to IPv6 make my internet connection bigger or my web server capable of handling more connections? The problem here is simply the number of connections, not the protocols they used to connect. For that matter, this was on Akamai infrastructure, do we have any idea what percentage of this attack was IPv6?
IPv6 is not a universal panacea, it simply fixes a few structural issues with IPv4 and makes the address space a lot bigger. (Actually IP space is bigger than MAC address space, we are gonna hafta fix that one sooner or later, a non-expiring universal MAC address is unsustainable since we throw a few away with every piece of hardware we dispose of.)
IPv6 does not prevent DDOS attacks or any other nefarious behaviour.
So if there is a leak or a hole, shouldn't it be plugged then?
Being aware that the problem exists isn't enough. What's the next step, an RFC of some kind? So that our leading technologists can find a solution?
WARNING: Smartphones have side effects--most of them undocumented.
While I agree that this would be the best approach, it requires one thing that we are not going to get anytime soon: A significant majority of non-stupid people. IoT has zero reasonable applications at this time. But far too many people are not mentally equipped to see that.
The site is back! Now hosted by google.
I have to agree.. until people's bloody fridges become just a touch more intelligent. Nobody needs a fridge that will accept instructions from Chechnya or Nigeria. Internet protocols are woefully obsolete. Why spoofing hasn't been completely eradicated is beyond me, and I don't want my fooking dishwasher to be able to relay dDos action. Period. This is all Boolsheet. A disastrous overlooked concern that should have been a priority for dealing with, a decade ago. Instead, everybody's spent all their time drooling over the latest smart frikkin this and smart that. So maybe security ain't glamorous. Deal with it, and get on the train. NOW!
> newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other odies (bodies?)
You didn't have to use your ISP's servers, just like you don't have to use their DNS. People routinely used other news servers, and nerds often ran their own. Of course using your ISP's local servers tends to be faster and more efficient than some server on a far-away network.
Until shortly before NNTP mostly died, most ISPs didn't want liability from choosing to carry specific news groups, so they didn't choose - they carried all of the official ones, and most of alt.
> Gee, sarcasm.
Half sarcasm, and moderated +5 Informative. I work with engineers born in the 1990s. It's not uncommon for such people to invent something, not knowing it was commonly used in the 1980s.
If you haven't noticed it in tech, you've surely noticed it in policy discussions - people argue, predicting what the effect of trying policy X might be, apparently unaware that policy X has already been tried many times in many places. I'd guess that close to 50% of political posts are people predicting the past.
"Making ISP's liable for outbound traffic that doesn't originate from within their address range would deal with this."
Probably not. ISPs that won't respond will not help, and taking those offline risks harming innocent users, and we have a problem that cannot well be solved. And I bet a small Americano that many of these ISPs are major players, and will not be taken to account.
"The rest can then be tackled by holding the source to blame - if you have an device that's spamming, well it's up to you to shut it down or pay up."
Sure, bill the homeowner running a door cam. Maybe if you start up the technical solution of denying the MAC addresses associated with the attack, disabling a variety of devices and risking more lawsuits.
Ultimately, perhaps, we are learning that plugging in tiny, useful devices that are insecure and easily commandeered is a good business model for the manufacturers, and users love them, but they cannot be permitted access, and therefore cannot be used, because they are exceedingly dangerous. Disproportionately so.
Darn. But then, a single bullet, not really so dangerous sitting on a countertop, is exceedingly dangerous if it becomes lodged in the brain of an American President. It's the implementation. Cheap IoT devices are, sadly, dangerous. They need to be made better.
deleting the extra space after periods so i can stay relevant, yeah.
Think you patch your IoT door cam?
I doubt it. These are stupid simple, and that's the problem.
I think that there is a bit more than can be done than just adding resources, and the wrong place to put the liability is at the ISP or individual owner.
There are very good reasons not to push the liability to ISPs, not the least of which is that they will have all the more "legitimate" seeming reasons to push back on net neutrality, and ultimately we'd be pushing the resource problem to the ISP (to include hardware, software, support, insurance, litigation costs, etc.) which will in turn push them to customers and the like.
Pushing liability to the owner is absurd. Have you made sure that your water meter is secure? Have you verified that your smart alarm, smart phone, fit bit, smoke detector, HVAC controller board, tankless water heater controller board, electric meter, alarm system, garage door opener, etc., etc., etc., are secure? Do we think that we, our parents, and our children should get CISSP certification and secure those devices?
Attacking the problem will require more than just one solution, but one that is sorely missing is the liability of the producer of the IoT devices. The fact that we have CIOs and, shamefully, CISOs of some of the largest IoT device manufacturers who possess a complete lack of understanding of what it takes to reasonably secure devices and communications is, in my not so humble opinion, a travesty. Even if you were trained as an oncologist, you cannot become a Chief Medical Officer of a Med-Tech company and then claim that "infectious diseases are not my speciality", nor can you hide behind board certification when your decisions (or lack thereof) result in harm to the users of your device. Why do we tolerate this with IT?
If you are the CIO/CISO of windmill controllers and say that you cannot be hacked from the Internet because "your devices use cellular networks" (read 4G internet), you should be fired on the spot and your company deserves to be crippled financially for having facilitated the creation of a botnet from your staggering ignorance. If you are a CIO/CISO of building control systems and you think that your smart thermostats do not need to be secured, because, who cares if they get hacked, you should suffer the same consequence. And here, I am talking about two of the biggest players in both fields, one of whom is still sadly my company's strategic partner.
I was a pretty strong NNTP user until some of my more regular groups became unavailable (dropped by ISP, probably due to piracy concerns) and the rest started getting spam-flooded.
The big difference in this, other than distribution, is that NNTP was generally synchronised by topic, whereas I'm speaking more on something like a distributed "site" seeded and keyed by a single author/organisation. I.E. for Krebs, only he or somebody affiliated with him should be able to post.
Another user mentioned "ipfs". It seems a bit complicated to set up but is a similar premise.
Block all by default? Only open SSH, and outbound connections ONLY to the cloud server?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?