Slashdot Mirror


Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. 
Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

34 of 207 comments

  1. We tried to tell people by s.petry · · Score: 3, Insightful

    They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads. Power holders want to track your every move and dig every loose penny they can find out of _your_ pocket in the process.

    Stop connecting every damn thing to the Internet, and start securing what you have to have connected. This is not a mentally challenging thought process, so if you don't "get it" that makes you...

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:We tried to tell people by Oligonicella · · Score: 3, Informative

      *Some* of us tried to tell people it was a terrible idea. A lot of /.ers thought it was just a peachy thing and volubly heckled us about it, laying out in great detail how beneficial it was to have your refrigerator keep your grocery list for you to check as you shopped, be able to automatically turn your lights on and off as you went to and from work, etc.

    2. Re:We tried to tell people by ThatsMyNick · · Score: 4, Insightful

      The thing is you weren't telling the right thing. IoT is not a bad idea at all (much less a horrible idea). You come off as a luddite when you say that. What you should have said is security is important, IoT or no IoT. It seems obvious but apparently not to some people. Maybe if you had been pro-security rather than anti-IoT, you would have been taken more seriously. Just my 2 cents.

  2. We need a new secure internet by Anonymous Coward · · Score: 4, Interesting

    There is no fucking reason for the internet to be this much of a clusterfuck. Spoofed routing updates, IP spoofing, none of this should be possible by design.

    With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs. Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.

    Stop patching up this shit and give us a next generation internet, I'm sick of this shit.

    1. Re: We need a new secure internet by Anonymous Coward · · Score: 2, Informative

      That will be abused to cut off ISPs that tolerate piracy, and we can't let that happen. According to Slashdot users, piracy is a basic human right that nobody should be allowed to infringe upon.

    2. Re:We need a new secure internet by Anonymous Coward · · Score: 5, Insightful

      In a normal country, you can setup things called "laws" that companies need to adhere to.... I know it's a foreign concept but it does actually happen in some places!

      Just not anywhere of importance. Tell us again: how many Goldman-Sachs bankers are in jail? How about HSBC bankers? How much competition does Microsoft have in the PC OS space? How many people at Sony landed in jail after the rootkits?

    3. Re: We need a new secure internet by smallfries · · Score: 2

      Unlikely, torrent no work so good with spoofed address. Plenty of upload but the down is painfully slow.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  3. Re:Wait a minute.. by Anonymous Coward · · Score: 5, Insightful

    Give it a day or two and a solution will exist. It's only when problems become real that people start taking notice. If heroes can go down, then all of us must rise up.

  4. Re:Internet of Things? by AJWM · · Score: 4, Informative

    It's not just refrigerators and light switches.

    It's also light bulbs (Philips stupid mood thingie), thermostats (Nest, etc), nannycams (every manufacturer and his brother), (in)security systems, even fricking doorbells, et bloody cetera.

    And I'm sure I've left out some major categories.

    --
    -- Alastair
  5. Re:Wait a minute.. by ArmoredDragon · · Score: 2

    I think this is a problem in want of a legal solution rather than a technical one. That is, people hosting ddos botnet nodes behind their internet connection, wittingly or not, be held accountable. And it needs not be anything drastic, just require heavy throttling until they fix their shit. And foreign actors can simply have their mal-intended traffic dropped at the border links if their country doesn't enforce similar rules.

  6. You don't say... by Plus1Entropy · · Score: 2

    What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

    So wait, a DDOS attack can happen to anybody? This kind of hard hitting revelation is why I keep coming back to this site.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  7. Re:Internet of Things? by AJWM · · Score: 4, Funny

    And I'm sure I've left out some major categories.

    Oh yeah, sex toys.

    --
    -- Alastair
  8. Re:Wait a minute.. by Anonymous Coward · · Score: 4, Informative

    No, it needs a technical solution. Making ISPs liable for outbound traffic that doesn't originate from within their address range would deal with this.

    The rest can then be tackled by holding the source to blame - if you have a device that's spamming, well it's up to you to shut it down or pay up.

    The issue at present is that source IP spoofing is far too easy because the ISPs are routing traffic that can't legitimately be coming from inside their network.
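The egress check this comment argues for (an ISP refusing to forward outbound packets whose source address is not inside its own allocated space, the practice published as BCP 38 / RFC 2827) as an added example, not code from the page or from any ISP. The prefixes and the flow records are constructed; the documentation ranges stand in for real customer allocations.

```python
"""Simulated ISP egress anti-spoofing filter (BCP 38 style).

Constructed scenario: the ISP holds two customer prefixes. A packet leaving the
network is forwarded only if its source address lies inside those prefixes.
Sources that could never be legitimate on the public Internet (private,
loopback, link-local, multicast, reserved) are dropped as bogons, and every
other outside source is dropped as spoofed.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed ISP allocations (documentation ranges used as stand-ins).
ISP_PREFIXES = [ipaddress.ip_network(p)
                for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Address space that must never appear as a source on the egress side.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed outbound flow samples: (source, destination, bytes).
FLOWS: List[Tuple[str, str, int]] = [
    ("203.0.113.17", "192.0.2.10", 1500),    # legitimate customer
    ("198.51.100.42", "192.0.2.10", 1500),   # legitimate customer
    ("198.51.100.200", "192.0.2.10", 1500),  # outside the /25: spoofed
    ("8.8.8.8", "192.0.2.10", 1500),         # foreign address: spoofed
    ("10.0.0.5", "192.0.2.10", 1500),        # private source: bogon
    ("192.0.2.10", "192.0.2.10", 1500),      # source == target: spoofed
]


def classify_source(src: str, allowed: Iterable[ipaddress.IPv4Network]) -> str:
    """Return 'forward' or a drop reason for one outbound source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "drop:bogon"
    if any(addr in net for net in allowed):
        return "forward"
    return "drop:spoofed"


def filter_flows(flows, allowed=ISP_PREFIXES):
    """Apply the egress check to each flow; return (forwarded, dropped, counts)."""
    forwarded, dropped = [], []
    counts: Counter = Counter()
    for src, dst, size in flows:
        verdict = classify_source(src, allowed)
        counts[verdict] += 1
        record = (src, dst, size, verdict)
        (forwarded if verdict == "forward" else dropped).append(record)
    return forwarded, dropped, counts


if __name__ == "__main__":
    fwd, drp, totals = filter_flows(FLOWS)
    for src, dst, size, verdict in drp:
        print(f"{src:>16} -> {dst}: {verdict}")
    print(dict(totals))
```

The spoofed entries are exactly the ones an attacker would need to forge a reflection or an untraceable flood; dropping them at the first hop is what makes the "hold the source accountable" step in the comment workable, because the remaining traffic really does come from where it claims.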

  9. Stupid IoT by orlanz · · Score: 4, Interesting

    If they are so easy to commandeer, I think a group should go around bricking these damn things. Brick enough of them and either users will toss them or return them. Either way, the vendor will actually consider lockdown and security a value add or go out of business. The world is better off.

  10. Re:A single domain was silenced. by bheerssen · · Score: 5, Insightful

    Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks. If it's too expensive for Akamai to do this, it means that the attackers can take any site offline, no matter how big or how powerful. So, no, it's not just about one site. How long until Akamai itself can't keep up with attacks and has to shut down?

    --
    (Score: -1, Stupid)
  11. Re:A single domain was silenced. by Anonymous Coward · · Score: 3, Insightful

    >Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks

    It wasn't too expensive for Akamai to continue fending off the attacks. It was too expensive to them to fend off the attacks for free

  12. Re:Wait a minute.. by fustakrakich · · Score: 5, Insightful

    It's not our computers doing this, it's the damn refrigerator. Don't blame me when your black box goes on the fritz. And don't go after the users until they can sue Microsoft and Apple, and Frigidaire for their feeble security.

    --
    “He’s not deformed, he’s just drunk!”
  13. Great idea! Articles could be categorized and dist by raymorris · · Score: 5, Informative

    > articles go out from a seed source and are quickly seeded throughout the world.

    That's a wonderful idea. We'd need a new protocol for distributing these "articles". We could call it Network News Transfer Protocol or something. You could tag your article according to categories and subcategories, and people could subscribe to these different news groups. We could use ssl/tls for authentication of peers.

    It probably wouldn't take too long to develop such a protocol; I bet we could have it done by 1986.

  14. Re:Brian said "SPECTRE", not "specter" by Anonymous Coward · · Score: 2, Funny

    Committee for the
    Liberation and
    Integration of
    Terrifying
    Organisms and their
    Rehabilitation
    Into
    Society ...And that's the nub of it.

    https://en.wikipedia.org/wiki/List_of_fictional_espionage_organizations

  15. Story's Not Over by Bruce+Perens · · Score: 5, Insightful

    If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

    For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

    1. Re:Story's Not Over by Daniel+Boisvert · · Score: 2

      If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

      Do you have a source for this? All I've seen is that Akamai/Prolexic was unwilling to keep doing it for free, because it was getting really expensive. That seems like a significant difference, especially from the perspective of somebody intending to pay money for the services rendered.

    2. Re:Story's Not Over by swillden · · Score: 2

      If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

      For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

      There's also Google's Project Shield, which is free for journalists.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Story's Not Over by Bruce+Perens · · Score: 3, Informative

      OK. The folks who run Project Shield have been informed!

  16. Re:Wait a minute.. by sexconker · · Score: 4, Interesting

    Day or two? Here's how you do it:

    Publish and have people mirror it.
    The most extreme way being to publish a magnet link to whatever you published and to let the world seed it.

    Content distribution at "web scale" was solved ages ago.

  17. Ironic by twistedcubic · · Score: 2

    Site is suffering a DDoS attack, and we slashdot it.

  18. Re:Superdistribution of Content by SeaFox · · Score: 4, Insightful

    The web, like e-mail, is going through death throes.

    Gimmie a break. You know how often I've heard "email is dying"? Generally it's from some stupid millennial, or the mouthpiece of a social networking company that offers a messaging feature that, for all intents and purposes, is email (except with formatting and picture/video inserting bells and whistles). What they really mean is "we wish email were dead, so everyone would be forced to become one of our users and we could become the new defacto email".

    When those kids go out and get a job and have to communicate in a serious fashion, it's not Facebook they're going to be launching -- it's Outlook.

  19. Re:Wait a minute.. by Anonymous Coward · · Score: 5, Interesting

    Why would any of that work?

    First, if IP address spoofing is a real thing, and it is, then it'd be trivial to turn holding the 'source' accountable into an easy money-making scam. You can't expect people to keep their devices secure as long as companies keep producing buggy devices. That would be like pressing terrorism charges against anyone who's had their phone explode in public. Completely not the user's fault. There aren't even any user-focused tools to let you know if your TV is currently attacking someone or not. Powering it off isn't good enough.

    Second, the attack used millions of devices. The IPs don't need to be spoofed. A firewall can block them, but the attackers can push so many connections at the firewall that it can't handle them even if everyone gets blocked.

    The only way I know to overcome a DDoS attack is to have more resources than the attacker so that they can't bottleneck anything you have. If I'm wrong, please correct me.

  20. Problem of today's web: "One fat sitting target" by burni2 · · Score: 2

    OK, people, my point is we have too long relied on companies protecting those that can pay (Brian cannot) the hefty fee from DDOS.

    And when I introduced this thought with "one fat .. target" I meant even Akamai with its big - but limited - bandwidth is condensed to just one target when that bandwidth is exhausted.

    My point: Mitigation for this scale of attack is to counter it with a "borg collective" of an even or bigger scale.

    The vulnerability for Brian, us and everyone is, that the fight is one against an army. Now one could argue that going on the offensive (attacking the bots, identifying the bots) would be a favourable cause. However this would end up in many little skirmishes that drain energy and end in a victory for the bad guys, because they have more energy.

    So I don't think that such an offensive would be a meaningful course of action. The best course of action would be to first weaken those DDOS attacks and then render them ineffective because there is not even a single target.

    So today's sites are a single sitting fat target, Akamai is just a thick wall, but every wall can be shot to pieces with a big army.

    But there are two known and working mitigations:

    a.) freenet / freesite - with its hash keys and asymmetric encryption a site is even "signed", also everyone who connects to a freesite will store it in the cache/storage.

    b.) bit-torrent
    example: It is still active and thriving till today, under attack and not just holding up but thriving.

    Idea: torrent(ify) the web

    But the secondary - offensive - measure is to identify the unwilling bots of these bot nets and work on this front - long long way to go.

  21. Re:Great idea! Articles could be categorized and d by smallfries · · Score: 2, Insightful

    Which central server did these non-peers cache the newsgroups from?

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  22. Re: Internet of Things? by Anonymous Coward · · Score: 5, Funny

    Are you talking about a distributed denial of cervix?

  23. Re:Great idea! Articles could be categorized and d by swb · · Score: 2

    NNTP was pretty decentralized, one of the challenges with it in the later days of NNTP was the relative ease of newgroup injection and crapflooding.

    IIRC, NNTP server software on the hardware of the early 2000s scaled poorly and the traffic volumes were growing fast so you started to see ISPs get much more control oriented when it came to retention periods and which newgroup messages they would honor and from whom.

  24. Re:A single domain was silenced. by DavidRawling · · Score: 2

    Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum, this effectively means that unless you have a lot of money or a company willing and able to pay what amounts to protection money, you potentially won't be permitted to speak - doing so with an uncomfortable topic for someone gets you knocked offline. Pay the wrong mob and you get to pay again, and again, and again.

    One potential outcome may be that truly personal sites will become impossible to support and host; especially if you have any content that could be seen as controversial. You will have to pay someone to host it for you. If they agree, and it doesn't cost THEM too much, and it's not controversial - fine. Want to promote a social cause? Sorry, you can't afford to. Get back into the bit mines, peon. And this fits nicely into the whole cloud thing too, where you don't need anything in your own datacentre, host it on someone else's computer.

    I'm waiting for the first wave of destruction to hit the major cloud providers - if this network supposedly of DVRs can deliver 1-1.5Tbps, and you factor in another dozen of similar size, you're talking 15-20Tbps directed at a target. I doubt even Google and the CDNs can withstand that for very long without service impacts, and that's not even factoring in attacks that actually have a little brainpower behind them.

  25. Re: Internet of Things? by WallyL · · Score: 2

    Yeah, some have installed one of the various "Religion" DLCs available. Some have entirely unpatched systems, which might give you malware if you connect. Exclusive provider contracts seem to be one of the most reliable ways to ensure continued and safe service. If you use more than one service provider, they both start denying service. Be sure to clear your cookies! Watch out for "free" upgrades that come with their own expensive expansion packs.