Slashdot Mirror


Amid Major Internet Outages, Affected Websites Have Lessons To Learn (zdnet.com)

Earlier today, Dyn, an internet infrastructure company, was hit by several DDoS attacks, which affected several popular websites including The New York Times, Reddit, Spotify, and Twitter that were directly or indirectly using Dyn's services. The attack is mostly visible across the US eastern seaboard, with the rest of the world noticing a few things broken here and there. Dyn says it is currently investigating a second round of DDoS attacks, though the severity of the outage is understandably less now. In the meantime, Homeland Security said that it is aware of the attack and is investigating "all potential causes." Who is behind these attacks is largely unknown for now, and it is unlikely that we will know all the details for at least a few days. The attacks, however, have revealed how unprepared many websites are when their primary DNS provider goes down. ZDNet adds: The elephant in the room is that this probably shouldn't have happened. At the very least there's a lot to learn already about the frailty of the internet DNS system, and the lack of failsafes and backups for websites and tech companies that rely on outsourced DNS service providers. "It's also a reminder of one risk of relying on multi-tenant service providers, be they DNS, or a variety of many other managed cloud service providers," said Steve Grobman, chief technology officer at Intel Security. Grobman warned that because this attack worked, it can be exploited again. "Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions," he said. "We must place a premium on service providers that can present backup, failover, and enhanced security capabilities allowing them to sustain and deflect such attacks." And that's key, because even though Dyn is under attack, it's the sites and services that rely on its infrastructure who should rethink their own "in case of emergency" failsafes.
It may only be the east coast affected, but lost traffic means lost revenue. Carl Levine, senior technical evangelist for NS1, another major managed DNS provider, said that the size and scale of recent attacks "has far exceeded what the industry thought was the upper end of the spectrum." "Large companies need to constantly upgrade their flood defenses. Some approaches that worked just a few years ago are now basically useless," said Kevin Curran, senior member with IEEE. We also recommend reading security reporter Brian Krebs's take on this.

135 comments

  1. First lesson by unixisc · · Score: 4, Interesting

    Make your website IPv6 only, so that DDOS attacks would have to be totally re-engineered to target them, and that too will be a tall order.

    1. Re:First lesson by m.dillon · · Score: 0

      IPV6 actually makes things worse.

      -Matt

    2. Re:First lesson by BenFranske · · Score: 1

      You can't just say that, please explain your reasoning.

    3. Re:First lesson by unixisc · · Score: 1

      Why? DDOS attacks would then have to target the entire /64 subnet, which would be no mean feat

    4. Re:First lesson by darkain · · Score: 2

      How exactly would being on a /64 prevent such an attack against a publicly facing entity? These attacks are not address space scanning attacks at all, they are known and publicly published IP addresses (in this case, DNS servers). Flood the public facing IP (the DNS server) would be exactly the same if IPv4 or IPv6. The only thing this would temporarily mitigate is the fact there are far fewer devices/users on the IPv6 network, so less of a botnet to control currently.

    5. Re:First lesson by Jamie+Lokier · · Score: 1

      Wrong. This type of attack targets known IPs of public servers, directly or indirectly.
      A bigger subnet doesn't help.

    6. Re: First lesson by Anonymous Coward · · Score: 0

      No... You'd still target the weakest point and/or DNS... And if the traffic still overwhelms the weak link into the /64....

    7. Re:First lesson by unixisc · · Score: 1

      But on the IPv6 network, you have the potential to have thousands of DNS servers, or even multicast/anycast addresses for DNS servers. Not that many on IPv4, where you are short of addresses, and where you can't use private IP addresses for DNS servers.

    8. Re:First lesson by unixisc · · Score: 1

      True, but on a /64 network, a server need not be restricted to one address. Like if you click on a link, it could redirect to another virtual host instead of a sub-directory, and here, the virtual host can use a different IP address instead of sharing it as is done in IPv4. There are several ways one could mitigate this issue

    9. Re: First lesson by Anonymous Coward · · Score: 1

      The servers were just fine, the DNS was the problem.

      Process:

      0. user enters xyz.com
      1. lookup Ip address
      2. connect to ip
      3. serve content

      Step 1 was the problem. All else was fine. Your 'solution' addresses step 2, which however was not the problem here.

      No. Step 1 was the problem. Stop whining alright.

    10. Re:First lesson by Anonymous Coward · · Score: 0

      Depends. It always depends.

      If one machine is dual stack, then yes a IPv4 DDoS is going to do equal damage
      If different machines, or even different ethernet cards serve ipv4 and ipv6, then the damage is mitigated 50% unless both addresses are attacked
      If the load balance has the world-visible ip address, then it's the load balancer that is going to be overwhelmed.

      This is why "cloud" services are awful. All of these things are implemented in software, so all a DDoS has to do is break the machine that is acting as the load balancer and the rest of the cloud dies with it. You should not "cloudify" your services unless you are actually serving "content" that can be duplicated. This is not the case for things like Twitter which change in realtime, but is the case for spotify. This is why when Twitter started malfunctioning, it started with the images, then the CSS and Javascript assets.

      Now, if you want to prevent a DDoS in the first place, the thing that needs to happen is to break the IP-address link. A "virtual air-gap" so to speak The visible ip address should cycle, and the DNS should update with that cycling, so one IP address is always out of the cycle. When a DDoS fires up, it will likely hit that out-of-the-cycle address because it's directed at the IP address when it originally resolved the address. So that gives you an early warning if suddenly that traffic on that out of cycle address spikes and it's not due to be in cycle.

      Of course there's no money in this, which is why the entire DNS registry exists. It's a profit game.

    11. Re:First lesson by Anonymous Coward · · Score: 0

      And thousands of DNS servers, on all independent hardware, separate physical network segments, etc would be absolutely cost prohibitive, so please.. go back to the whiteboard

    12. Re: First lesson by hackwrench · · Score: 1

      Twitter has new content coming in in real-time, but once that content is created, it is as duplicatable as the data that has infrequent updates.

    13. Re: First lesson by dilvish_the_damned · · Score: 2

      If your app can find the right server for the service, so can the attacking software.

      --
      I think you underestimate just how much I just dont care.
    14. Re:First lesson by m.dillon · · Score: 4, Interesting

      I have two major beefs with IPV6. The first is that the end-point 2^48 switch address space wasn't well thought-through. Hey, wouldn't it be great if we didn't have to use NAT and give all of those IOT devices their own IPV6 address? Well... no actually, NAT does a pretty good job of obscuring the internal topology of the end-point network. Just having a stateful firewall and no NAT exposes the internal topology. Not such a good idea.

      The second is that all the discovery protocols were left unencrypted and made complex enough to virtually guarantee a plethora of possible exploits. Some have been discovered and fixed, I guarantee there are many more in the wings. IPV4 security is a well known problem with well known solutions. IPV6 security is a different beast entirely.

      Other problems including the excessively flexible protocol layering allowing for all sorts of encapsulation tricks (some of which have already been demonstrated), pasting on a 'mandatory' IPSEC without integration with a mandatory secure validation framework (making it worthless w/regards to generic applications being able to assert a packet-level secure connection), assumptions that the address space would be too big to scan (yah right... the hackers didn't get that memo my tcpdump tells me), not making use of MAC-layer features that would have improved local LAN security, if only a little. Also idiotically and arbitrarily blocking off a switch subspace, eating 48 bits for no good reason and trying to disallow routing within that space (which will soon have to be changed considering that number of people who want to have stateful *routers* to break up their sub-48-bit traffic and who have no desire whatsoever to treat those 48 bits as one big switched sub-space).

      The list goes on. But now we are saddled with this pile, so we have to deal with it.

      -Matt

    15. Re:First lesson by MightyMartian · · Score: 3, Interesting

      NAT may do a good job obscuring internal topology, but it does so at considerable cost: breaking the end-to-end concept of the original ARPANET structure, requiring more resources, and creating far greater complexity for routers. Yes, a flat address space that sits in the public address space might, on the surface, expose more devices, but this is where firewalls come into play. I can still have a rather complex topology, but now I have to worry less about routing and connection tables, and can use less resource-expensive techniques like tagging.

      It was never IPv6's intention to be more secure, and you're right that many existing issues will remain with IPv6, and there will likely be new ones, but one thing is certain, if the solution is NAT, then that solution is worse than the disease it purports to cure. And it isn't as if NAT can't be vulnerable in its own way, and the only way to make it less vulnerable is, you guessed it, firewalls, authentication, and other security measures which are also needed in an IPv6 world.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    16. Re:First lesson by JustAnotherOldGuy · · Score: 1

      IPV6 can make some things worse, especially spam.

      For example, it makes banning or classifying an IP address as a spam source nearly impossible. There's so much address space that spammers will be able to use an IP to send 1000 emails and then discard it, never to be used again. The incredibly huge address space makes this quite practical. Banning by IP address will become meaningless because there are so many usable (and therefore discardable) IPs.

      How much address space is there? Well....

      Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it, and each human has 1 billion devices that need IP addresses.

      In that case, only 1/340,282nd of the possible 128-bit IPv6 addresses would need to be assigned.

      Put another way, IPv6 would (will) provide roughly 5,000 assignable IP addresses for every square micron of the Earth's surface.

      Hell, they could use one IP address per spam and never run out of fresh IPs in our lifetime.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    17. Re:First lesson by sabri · · Score: 2

      go back to the whiteboard

      APK was right all along! C:\WINDOWS\HOSTS is the solution ;)

      *goes to hide under a rock*

      --
      I'm not a complete idiot... Some parts are missing.
    18. Re:First lesson by BenFranske · · Score: 1

      +1 There is so much undeserved hate for IPv6 because people haven't taken the time to understand it.

      NAT is not a security solution. If you would put a NAT device between your network and the Internet you can put a firewall between your network and the Internet. Yes, someone could potentially learn a small amount about your internal topology, well if you call being able to identify possible subnets within your network learning about the topology, but the little they can learn is of dubious use. You still have no idea how most of those subnets are connected to each other (if you disable ICMP at your firewall or otherwise block tracerouting of your network from the Internet you can even prevent more) and even if you did, please explain what substantial advantage an attacker has knowing how subnets are connected? If they're going that far it's an APT attack against your organization directly and you're probably done for because they will likely just trick someone inside the organization into installing malware on the network allowing them inside access and you'd have the same problems on IPv4.

      Most of the rest of the list sounds like whining about more things you would have liked to have seen done, not things that are actually worse in IPv6 compared with IPv4.

    19. Re:First lesson by BenFranske · · Score: 1

      Except that in reality the way it works is that each customer of an ISP is assigned a network block of IPs. If you find that customer is spamming you could block the entire network block. This is effectively the same thing as blocking the single IPv4 address assigned to a customer. The spammer would either need a new block of addresses from the ISP or a new ISP, effectively the same situation you have now with IPv4.

    20. Re:First lesson by JustAnotherOldGuy · · Score: 2

      Except that in reality the way it works...

      Except that in reality some ISPs are owned by the Russian Business Network (RBN), and they'll be given 100 million IPs to play with, and then another 100 million, and so on. The RBN owns lots of ISPs that are known for their friendliness towards "bulletproof" hosting companies and for working hand-in-hand with spammers.

      -

      The spammer would either need a new block of addresses from the ISP or a new ISP, effectively the same situation you have now with IPv4.

      No, it's not the same situation because the address space that will be available to these criminal ISPs will be magnitudes of order larger than with IPV4. An ISP now may have a hundred thousand IPs to allocate (if that many), but now they'll have tens or hundreds of millions.

      Seriously, this is going to be a problem, and more than a few security professionals have been discussing this problem for a while now.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    21. Re:First lesson by Anonymous Coward · · Score: 0

      assumptions that the address space would be too big to scan (yah right... the hackers didn't get that memo my tcpdump tells me)

      A 10Gb NIC can do a max of 14.88 million packets per second.
      (2^64 IP addresses)/(14.88 million pps) = 39,311 years. If you have issues of people scanning your IPv6 /64 subnet, you must have the largest DDOS hitting you, ever. On my home connection, I can scan the entire IPv4 address range in 5 hours, less if I actually exclude non-routable addresses.

    22. Re: First lesson by buchanmilne · · Score: 1

      "But on the IPv6 network, you have the potential to have thousands of DNS servers, or even multicast/anycast addresses for DNS servers."

      Most large DNS deployments already use IP Anycast on IPv4.

      For example, Google's public recursive DNS (8.8.4.4, 8.8.8.8) uses IP Anycast. Most DNS root servers use IP Anycast.

      There are two main benefits to IP Anycast, but the most relevant is allowing the distribution of an IP address over multiple geographic location, which allows lower latency, but also limits the number of attackers who can attack a specific deployment.

    23. Re:First lesson by Anonymous Coward · · Score: 0

      Why would you even consider using the lower 64 bits for routing? You don't have to put everything into one switched network. It doesn't matter that you're only using a handful of addresses out of 2^64. There are more than enough address bits to use for routing beside the local part.

    24. Re:First lesson by unixisc · · Score: 1

      But most ISPs do provide their own DNS servers - they don't just rely on 8.8.8.8. If you had all the DNS servers in the world, all part of a multicast to something like ffff::d5 or something, then it would be impossible to take down targeted websites via this route.

    25. Re:First lesson by unixisc · · Score: 1

      The IP cycling that you suggest is something that I can see happening in IPv6. Have a mechanism in DHCPv6 whereby the PAM can cycle certain addresses to the domain name every x minutes/hours. That cannot be done in IPv4 due to address exhaustion - one can't use private addresses here under NAT

    26. Re:First lesson by unixisc · · Score: 1

      As I've pointed out in past IPv6 threads, using the lower 64 bits is overkill. No subnet is ever gonna come close to even 32 bits, but in the meantime, you're limiting the hierarchical routing upstream in the global prefix that could have used some 16-32 bits more. In other words, had we had a split of 96:32 instead of 64:64, that would have made more sense. The subnet addresses could have used 16 bits, so that you'd have had a global prefix of 80, subnet addresses 16 and lowest 32 bits the interface ID. And one can still do auto-configuration under that system

    27. Re:First lesson by unixisc · · Score: 1

      I have two major beefs with IPV6. The first is that the end-point 2^48 switch address space wasn't well thought-through. Hey, wouldn't it be great if we didn't have to use NAT and give all of those IOT devices their own IPV6 address? Well... no actually, NAT does a pretty good job of obscuring the internal topology of the end-point network. Just having a stateful firewall and no NAT exposes the internal topology. Not such a good idea.

      The second is that all the discovery protocols were left unencrypted and made complex enough to virtually guarantee a plethora of possible exploits. Some have been discovered and fixed, I guarantee there are many more in the wings. IPV4 security is a well known problem with well known solutions. IPV6 security is a different beast entirely.

      Other problems including the excessively flexible protocol layering allowing for all sorts of encapsulation tricks (some of which have already been demonstrated), pasting on a 'mandatory' IPSEC without integration with a mandatory secure validation framework (making it worthless w/regards to generic applications being able to assert a packet-level secure connection), assumptions that the address space would be too big to scan (yah right... the hackers didn't get that memo my tcpdump tells me), not making use of MAC-layer features that would have improved local LAN security, if only a little. Also idiotically and arbitrarily blocking off a switch subspace, eating 48 bits for no good reason and trying to disallow routing within that space (which will soon have to be changed considering that number of people who want to have stateful *routers* to break up their sub-48-bit traffic and who have no desire whatsoever to treat those 48 bits as one big switched sub-space).

      The list goes on. But now we are saddled with this pile, so we have to deal with it.

      -Matt

      The first point about NAT - while that used to be a shortcoming in terms of topology masking and load balancing, the IETF did explicitly define Network Prefix Translation, which is a 1:1 NAT mechanism that would do what you want, but avoid the pitfalls associated w/ the 1:many mapping in IPv4 NAT. Also, IPv4 NAT consumes several port addresses, and also often several NAT layers, reducing the networking to layer 2. As for IPSEC, I didn't exactly get your point on why that is a bad thing. As for the subnet port scanning, I happen to think that having a DHCP-PAM setup where addresses can be set to change regularly would be more effective at preventing a break-in, rather than relying on the brute force of trying to prevent a port scan of /64. But this is something that can be done in IPv6, where you have no address shortage within your subnet, as opposed to IPv4, where chances are you wouldn't have > 256 addresses to play w/, unless you happen to be IBM or HP or one of the early recipients of public Class A blocks.

      Also, on the 48 bit space - I somewhat agree w/ you that assigning 64-bits to the interface ID was way overkill. But if you are assigned a /48, you can have 65536 subnets of /64 within that - that's what the convention allows. Breaking it up more is what may create problems, which again, I disagree w/. The main thing about the subnet address assignment is that the moment you want to lend structure to it, the number of effective subnets you can create goes down. Which is why I wish they had made the entire top half the global prefix, and then split the bottom half b/w the subnet address and interface ID. Something like a 16:48 would have been ideal, or else, even a 32:32 if one needed plenty of structure from the subnet addressing plan.

    28. Re:First lesson by unixisc · · Score: 1

      Assuming that all the addresses coming out of, say, Russia, are suspect, one can look up RIPE's address assignments to see which addresses they have been assigned, and block them. In fact, this is something that one can do pretty easily if one needs to block out a country. Like you think all the addresses from Syria are owned by ISIS? Check out RIPE, see which blocks have been assigned to Syria, and instruct your firewall to drop all their packets. This can be done as high up as ISP level

    29. Re:First lesson by Dagger2 · · Score: 1

      They'll have more address space available, but it'll still be in contiguous blocks. If an ISP as a whole is being a problem then all you have to do is block their v6 allocations, which is no harder than blocking their v4 allocations. (Or possibly easier since the ISP is likely to have a single v6 allocation vs dozens of v4 ones.)

    30. Re:First lesson by JustAnotherOldGuy · · Score: 1

      If an ISP as a whole is being a problem then all you have to do is block their v6 allocations, which is no harder than blocking their v4 allocations.

      You're talking about blocking 10 million or maybe 100 million IP addresses, and in that range are going to be some (or even many) legitimate users. Also, there's no guarantee that the address space will be contiguous, it may be broken up into various blocks. If they have their way then it will almost certainly be spread across many, many different blocks of IP addresses.

      And finally, in addition to being spread out over many ISPs and many blocks, they'll almost certainly be using IP-shifting, fast-flux, or other masking techniques that will make this a whack-a-mole problem that anti-spam services will never be able to keep up with.

      These people aren't amateurs, they know what they're doing, they have lots and lots of money and talented people at their disposal, and they're thinking ahead. And that's just the RBN.

      To think that this is going to be solved by blocking a few ranges of IPs is really kind of naive.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. What's the Solution? by BenFranske · · Score: 3, Insightful

    I've heard a lot of people today saying there's a problem. Several of the commenters (on Brian Krebs' blog for example, on the NANOG list for another, and probably soon here on ./) say we should do something to fix this so it doesn't happen again. What I haven't heard is a real proposal about what to do about stopping DDoS attacks.

    1. Re:What's the Solution? by Anonymous Coward · · Score: 0

      If you only had two devices connected to the internet, you could use one to mount a DoS attack on the other. You'd need a third to mount a DDoS attack. So... just have two devices connected? No, I'm not being serious, I'm just curious to see if that's the best proposal.

    2. Re:What's the Solution? by Anonymous Coward · · Score: 5, Insightful

      I've seen it a million times, in no small part because I've posted it myself:

      ISPs need to start egress filtering to block spoofed packets coming from end users with forged source addresses. If a packet comes from joe blow's cable modem with a source IP from some other country, it should just be dropped.
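As an added example (not code from the thread or from any ISP's equipment), here is a minimal Python model of the source-address validation the comment above describes: packets leaving a customer port are forwarded only if their source address belongs to a prefix the ISP actually assigned to that port, and obviously forged (bogon) sources are dropped outright. The customer-port prefix table, the bogon list and the packet samples are all constructed for illustration; on real access gear the assigned-prefix table comes from the router configuration or from RADIUS/DHCP lease state.

```python
"""Simulated source-address validation (BCP38-style egress filtering)
at an ISP access edge. Added example; all tables and packets below are
constructed, using documentation address ranges."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: customer-facing port -> prefixes the ISP assigned to it.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cable0/1": ["203.0.113.0/24", "2001:db8:1::/48"],
    "cable0/2": ["198.51.100.64/26"],
}

# Explicit bogon list (assumed policy): sources that should never appear
# on a customer port regardless of assignment.
BOGONS = [ipaddress.ip_network(p) for p in [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
]]

# Constructed packet sample: (ingress port, source, destination)
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cable0/1", "203.0.113.10", "192.0.2.53"),        # assigned here: forward
    ("cable0/1", "2001:db8:1::42", "2001:db8:f::53"),  # assigned here (v6): forward
    ("cable0/1", "192.0.2.99", "192.0.2.53"),          # forged: not assigned to this port
    ("cable0/2", "198.51.100.70", "192.0.2.53"),       # assigned here: forward
    ("cable0/2", "203.0.113.10", "192.0.2.53"),        # forged: belongs to another port
    ("cable0/2", "10.0.0.5", "192.0.2.53"),            # RFC 1918 source: bogon
]


def is_bogon(src: str) -> bool:
    """True if the source falls inside a prefix that must never be routed."""
    addr = ipaddress.ip_address(src)
    # ipaddress returns False for a v4 address tested against a v6 network.
    return any(addr in net for net in BOGONS)


def source_is_valid(port: str, src: str) -> bool:
    """True if src lies inside a prefix assigned to the port it arrived on.

    A port with no assignments forwards nothing: failing closed is the
    correct default at an access edge."""
    addr = ipaddress.ip_address(src)
    nets = (ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(port, []))
    return any(addr in net for net in nets)


def filter_packets(packets):
    """Split packets into (forwarded, dropped) where each dropped entry
    carries the reason, so the decision can be logged for abuse handling."""
    forwarded, dropped = [], []
    for port, src, dst in packets:
        if is_bogon(src):
            dropped.append(((port, src, dst), "bogon source"))
        elif not source_is_valid(port, src):
            dropped.append(((port, src, dst), "source not assigned to ingress port"))
        else:
            forwarded.append((port, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("FORWARD", pkt)
    for pkt, why in bad:
        print("DROP   ", pkt, "->", why)
```

The check is deliberately keyed on the ingress port rather than on a global "is this address routable" test: a spoofed source that is perfectly valid elsewhere on the internet (the `203.0.113.10` packet arriving on `cable0/2`) is exactly what this filter exists to stop.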

    3. Re: What's the Solution? by Anonymous Coward · · Score: 1

      A good start would be to criminalize the manufacture and sale of iot devices with little or no security.

    4. Re:What's the Solution? by BenFranske · · Score: 1

      Yes, this is effective against some subset of attacks. There was a good reminder/discussion of this on the NANOG list this morning. The problem is 1) probably pretty much every ISP which can be convinced to do this is already doing it at this point, the others are probably a lost cause and 2) this only prevents attacks where the address actually is spoofed. If a large number of compromised devices are running malware they can just make an overwhelming number of legitimate service requests en masse...

    5. Re: What's the Solution? by BenFranske · · Score: 2

      1) Yes, poorly designed IoT devices make the problem worse but it's existed long before IoT came along. 2) What qualifies as an IoT device, every Arduino with an Ethernet/WiFi port? The code isn't on them until you program them... 3) If mass regulation of all network connected products is the only way we have a problem because you're never going to get global agreement on that and it's going to be nearly impossible to enforce.

    6. Re:What's the Solution? by rudy_wayne · · Score: 1

      ( 2) this only prevents attacks where the address actually is spoofed. If a large number of compromised devices are running malware they can just make an overwhelming number of legitimate service requests en masse...

      Why would an ISP allow me to make "an overwhelming number of legitimate service requests"? Oh, that's right, you answered that question in point #1 -- most ISPs don't give a shit.

    7. Re:What's the Solution? by guruevi · · Score: 2

      A) Avoid a single point of failure (the cause of downtime across all these providers)
      B) avoid using a single point of failure
      C) stop using public DNS (or DNS at all) for self-configuration and discovery of your hosted servers
      D) stop using a single provider for all your stuff

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:What's the Solution? by Anonymous Coward · · Score: 0

      Why would an ISP allow me to make "an overwhelming number of legitimate service requests"?

      You completely missed the point: if enough devices are compromised, the ISP doesn't see you making an overwhelming number of legitimate requests, it sees you making a small amount of requests that's seemingly normal.

      The problem is the First "D" - Distributed.

    9. Re: What's the Solution? by Anonymous Coward · · Score: 0

      Clearly we must do as Al Gore wanted, and return the Internet to the forum for the informative discussion among academics that he always intended the Internet to be.

      We made a mistake. And it's all AOL's fault.

    10. Re:What's the Solution? by guruevi · · Score: 2

      Not how the Internet works. Yes, that's true on the edges, but once you enter into the public Internet, packets could be routed from anywhere to anywhere. The only solution here is to shut down ISPs that are participants, but you're talking about getting participation from people that often are themselves involved in the criminal enterprise (that's true for US, European, Chinese etc. providers) and are profiting from these attacks through overage fees etc.

      You wouldn't imagine, but even providers like Verizon won't shut off mobile connections because they are often charging their customers per GB consumed. A lot of sleazy hosting providers (the cheap $5/mo. VPS) simply delay, intentionally or unintentionally, because they don't have the staff to keep up and they are often paid for by the criminals.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    11. Re:What's the Solution? by Penguinisto · · Score: 1

      ...and #2 is going to become a *lot* more common, thanks to growth in IoT. :/

      Wish they'd have paid more attention to crap like this back in the late 90's when the whole idea first surfaced on a serious note (e.g. JINI).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    12. Re: What's the Solution? by Anonymous Coward · · Score: 0

      Sure. But first criminalize cloud services with bad security. You get hacked and user data gets stolen, CEO goes to jail for 5 years and company gets a fine so big it is shut down. Simple. Now shut up and stop building useless and broken "services".

    13. Re:What's the Solution? by Archangel+Michael · · Score: 2

      It is worse than that. The problem with DDOS is that the real victim probably doesn't know about it.

      The proper way to thwart these kinds of attacks is to have a method of detecting them and then cutting off people who are making an inordinate amount of those kinds of packets aimed at that address. The solution to a coordinated attack is a coordinated response.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    14. Re:What's the Solution? by Anonymous Coward · · Score: 0

      Yes they do; however, that would not have stopped anything today. From the sounds of it, most everything today was legit packets; it was the sheer size of the botnet this time.

      "Dyn's chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company's data centers.
      A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware."

      10's of millions...god damn, even if he was exaggerating and it was just millions that's quite a bump in the arms race.

    15. Re:What's the Solution? by BenFranske · · Score: 1

      I would maintain that's not possible. Attackers will just write software that mirrors normal user traffic accessing a site. It's simply the fact that millions of devices will be accessing the site at the same time that takes the site/service down. Just like ye olden days when nearly every site mentioned in a ./ summary went down. The fundamental problem is that a truly distributed denial of service attack is just a coordinated accessing of a site from a large number of hosts. The only difference between that and just a lot of people visiting your site is that one is coordinated. Good luck detecting the coordination.

    16. Re:What's the Solution? by Anonymous Coward · · Score: 0

      You're missing the point. Many attacks now don't operate like that; there are just hundreds of thousands of bots making what appear to be a reasonable amount of completely legit requests. Like today, where supposedly, if you believe DYN's spokesperson, 10's of millions of IP's were involved in just sending mostly legit traffic; it was the sheer simultaneous amount that was the problem.

    17. Re:What's the Solution? by Anonymous Coward · · Score: 0

      Yup. This would have prevented most of the problems for most of DYN's customers today; all of those most affected had ALL their authoritative records pointing at one provider, and in some cases one or two data centers of that provider in the same general region. ..oh just outsource it all to one place, they're too big to fail. -Not a good idea.
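Comment 7 above ("stop using a single provider for all your stuff") and comment 17 (customers whose authoritative records all pointed at one provider, sometimes at one or two data centers) describe the same check from two directions. As an added example, not code from the thread or from any DNS provider, here is a Python audit of a zone's delegation that flags a nameserver set living entirely under one provider, or whose glue addresses all sit in one IPv4 /24 or one IPv6 /48. The NS sets and glue addresses are constructed; the provider heuristic (last two labels of the nameserver name) and the prefix granularity are assumptions, and a real audit would fetch the NS records and glue from the parent zone rather than from literals.

```python
"""Audit a zone's delegation for single-provider / single-network risk.
Added example; the NS sets below are constructed from documentation
address ranges and placeholder provider names."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed: nameserver hostname -> glue addresses it resolves to.
SINGLE_PROVIDER_ZONE: Dict[str, List[str]] = {
    "ns1.dns-provider-a.example": ["203.0.113.1", "2001:db8:a::1"],
    "ns2.dns-provider-a.example": ["203.0.113.2", "2001:db8:a::2"],
    "ns3.dns-provider-a.example": ["203.0.113.3", "2001:db8:a::3"],
}

DUAL_PROVIDER_ZONE: Dict[str, List[str]] = {
    "ns1.dns-provider-a.example": ["203.0.113.1", "2001:db8:a::1"],
    "ns2.dns-provider-a.example": ["203.0.113.2", "2001:db8:a::2"],
    "ns1.dns-provider-b.example": ["198.51.100.1", "2001:db8:b::1"],
    "ns2.dns-provider-b.example": ["198.51.100.129", "2001:db8:b::2"],
}


def provider_of(hostname: str) -> str:
    """Crude provider key: the last two labels of the nameserver name.
    Assumed heuristic; a public-suffix-aware split would be more accurate."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def prefix_key(address: str) -> str:
    """Collapse a glue address to the prefix it most likely shares with its
    neighbours: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    addr = ipaddress.ip_address(address)
    plen = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def audit_delegation(ns_set: Dict[str, List[str]],
                     min_providers: int = 2, min_prefixes: int = 2) -> dict:
    """Return counts of distinct providers and glue prefixes plus a list of
    warnings describing where the delegation has a single point of failure."""
    providers, v4, v6 = defaultdict(list), defaultdict(list), defaultdict(list)
    for host, addrs in ns_set.items():
        providers[provider_of(host)].append(host)
        for a in addrs:
            bucket = v4 if ipaddress.ip_address(a).version == 4 else v6
            bucket[prefix_key(a)].append(host)

    warnings = []
    if len(ns_set) < 2:
        warnings.append("fewer than two nameservers delegated")
    if len(providers) < min_providers:
        warnings.append("all nameservers under one provider: " + ", ".join(providers))
    if len(v4) < min_prefixes:
        warnings.append("IPv4 glue spans only " + (", ".join(v4) or "no prefixes"))
    if len(v6) < min_prefixes:
        warnings.append("IPv6 glue spans only " + (", ".join(v6) or "no prefixes"))

    return {
        "nameservers": len(ns_set),
        "providers": len(providers),
        "ipv4_prefixes": len(v4),
        "ipv6_prefixes": len(v6),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, zone in [("single-provider", SINGLE_PROVIDER_ZONE),
                       ("dual-provider", DUAL_PROVIDER_ZONE)]:
        report = audit_delegation(zone)
        print(name, {k: v for k, v in report.items() if k != "warnings"})
        for w in report["warnings"]:
            print("  WARNING:", w)
```

Three nameservers is not redundancy if all three answer from the same provider's network; the audit counts what actually diversifies the risk (operators and address prefixes), not the length of the NS list.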
         

    18. Re:What's the Solution? by Anonymous Coward · · Score: 1

      It would make life very difficult for the attackers.

      Attackers would have to reduce the rate at which they access the site from any single bot in their botnet, otherwise the bot sticks out, can be identified and cut off the internet. That means they need more bots.

      At the same time, if ISPs finally start to follow up on abuse notices, the number of bots would actually be reduced.

      Together these would greatly reduce any botnets power.

      At the same time we only need someone to maintain a list of ISPs who refuse to clean up their act. Everyone who does care about this can then blackhole those IP addresses. Or, in the case of a website, refuse access with a message explaining why.
      If enough websites and internet services do this, the bad ISPs will get in serious trouble. Pissed off customers are bad for business. Now they have an incentive to clean up their act. It worked for spam too; many ISPs now simply block the SMTP port by default.

    19. Re: What's the Solution? by hackwrench · · Score: 1

      The key to understanding what is an IoT device is in the word thing. Devices like network controllable light bulbs aren't multipurpose devices like a regular computer or an Arduino.

    20. Re:What's the Solution? by turbidostato · · Score: 1

      "The proper way to thwart these kinds of attacks is to have a method of detecting them and then cutting off people who are making an inordinate amount of those kinds of packets"

      Unless there's no inordinate amount of those kinds of packets but an inordinate amount of clients each requesting a usual amount of packets. That's the first D in DDoS, after all. How can you distinguish a malicious DDoS from the Slashdot effect of yore?

      On the other hand, this was not a DDoS attack targeted against the servers themselves but against the DNS that allow clients to find them.

      "The solution to a coordinated attack is a coordinated response."

      It really depends on the nature of the attack. History shows that against a coordinated attack just entrenching may very well be the proper counter.

    21. Re:What's the Solution? by Zero__Kelvin · · Score: 1

      How many different ways can you say the same thing?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    22. Re:What's the Solution? by Dutch+Gun · · Score: 1

      How many different ways can you say the same thing?

      A) Several ways
      B) A lot of ways
      C) Nearly infinite ways
      D) About four, it seems

      --
      Irony: Agile development has too much intertia to be abandoned now.
    23. Re: What's the Solution? by BenFranske · · Score: 1

      An Arduino is just an AVR microcontroller, the same chip found in many electronic/IoT devices. Point being, when does it become an IoT device? If I sell it? How about if I just sell it to a few friends? Maybe I make and sell a small quantity on Etsy? etc. It's hard to draw a line about when it's an IoT device and when it's just me playing around with electronics.

    24. Re:What's the Solution? by flabman · · Score: 1

      These attacks cause service outages because legitimate DNS lookups can't be handled by the servers that are under attack (which I'm assuming here to be the authoritative name servers for the domains that are experiencing service outages). Most users don't ever query the authoritative servers directly; the legitimate queries come from their ISPs' resolvers, and those resolvers only query the authoritative servers if they don't already have the answer in their local cache. And that only happens (in respect of popular sites) when the cache entry's time-to-live has come and gone.

      So perhaps one way of at least partially mitigating these attacks is for resolvers to hang onto cached records past their TTL and to continue serving them when the authoritative name servers are unavailable. Those resolvers will then of course need a robust alternative cache ejection policy (e.g. based on the frequency with which an expired record continues to be used, how overdue it is, and overall resource usage).

      I do realise that Dyn is also known for their dynamic DNS service, and that the above mitigation isn't effective for ephemeral records which intentionally have a short TTL. That can't be helped.

    25. Re:What's the Solution? by Anonymous Coward · · Score: 0

      stop using public DNS (or DNS at all)?
      - are you high?
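    The point made several times in this thread, that per-source rate limiting cannot see a wide botnet where every bot behaves like an ordinary client, is easy to show with a few lines. This is an added example, not code from the thread or from Dyn: two constructed request logs with the same aggregate rate go through the same per-IP limiter, and only the classic few-source flood trips it. The log format, the threshold and the 10.x.y.z source addresses are all assumptions made for the example.

```python
"""Per-source rate limiting versus a wide, low-rate botnet (added example).

Two constructed request logs carry the same aggregate rate; a per-IP limiter
flags every source in the classic flood and none in the distributed one.
"""
from collections import Counter

# Assumed limiter policy: a client may send this many requests per window.
PER_SOURCE_LIMIT = 60
WINDOW_SECONDS = 60


def parse_log(lines):
    """Parse constructed log lines of the form '<epoch_seconds> <src_ip> <qname>'."""
    events = []
    for line in lines:
        ts, src, qname = line.split()
        events.append((int(ts), src, qname))
    return events


def per_source_counts(events, window_start=0):
    """Requests per source IP inside one window."""
    counts = Counter()
    for ts, src, _ in events:
        if window_start <= ts < window_start + WINDOW_SECONDS:
            counts[src] += 1
    return counts


def flagged_sources(events, window_start=0):
    """Sources a per-IP limiter would block: those above PER_SOURCE_LIMIT."""
    counts = per_source_counts(events, window_start)
    return {src for src, n in counts.items() if n > PER_SOURCE_LIMIT}


def aggregate_rate(events, window_start=0):
    """Total requests per second arriving at the server, all sources combined."""
    return sum(per_source_counts(events, window_start).values()) / WINDOW_SECONDS


def blocked_fraction(events, window_start=0):
    """Share of the window's traffic the per-IP limiter actually removes."""
    counts = per_source_counts(events, window_start)
    bad = flagged_sources(events, window_start)
    total = sum(counts.values())
    return sum(counts[s] for s in bad) / total if total else 0.0


def synth_log(n_sources, per_source, qname="example.test."):
    """Construct a log: n_sources clients each sending per_source requests
    spread evenly over the window. Source IPs are synthetic 10.x.y.z."""
    lines = []
    for i in range(n_sources):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for k in range(per_source):
            ts = (k * WINDOW_SECONDS) // per_source
            lines.append(f"{ts} {src} {qname}")
    return lines


# Scenario A: old-style flood, 20 sources at 3000 requests each.
FLOOD = parse_log(synth_log(20, 3000))
# Scenario B: 60000 sources at one request each, same 60000 requests in total.
WIDE = parse_log(synth_log(60000, 1))

if __name__ == "__main__":
    for name, log in (("flood", FLOOD), ("wide", WIDE)):
        print(name, aggregate_rate(log), "req/s;",
              len(flagged_sources(log)), "sources flagged;",
              f"{blocked_fraction(log):.0%} of traffic blocked")
```

Both logs deliver 1000 requests per second to the server; the limiter blocks all of scenario A and nothing of scenario B, which is the "good luck detecting the coordination" problem in numbers.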

  3. Look at the Bright Side by tmjva · · Score: 2

    At least the hackers didn't bother shutting down Slashd...

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT
    1. Re:Look at the Bright Side by MachineShedFred · · Score: 2

      Well, we all know that Slashdot uses the mighty APK HOSTS engine to protect it!

      Just hang around here long enough, you'll see everything you've ever wanted to know about it.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    2. Re:Look at the Bright Side by un1nsp1red · · Score: 1

      Well, we all know that Slashdot uses the mighty APK HOSTS engine to protect it!

      Just hang around here long enough, you'll see everything you've ever wanted to know about it.

      Actually, it's been weeks or months since I've seen APK. Can we get a wellness check on that fella?

    3. Re:Look at the Bright Side by Anonymous Coward · · Score: 0

      do we really want one.

    4. Re:Look at the Bright Side by unixisc · · Score: 1

      He responded above to my curiosity about his Russian heritage, so yeah, he's here

  4. Flood defenses? by m.dillon · · Score: 5, Informative

    There is no flood defense possible for most businesses at the tail end of the pipe. When an attacker pushes a terabit/s at you and at all the routers in the path leading to you, as well as other leaves that terminate at those routers, from 3 million different IP addresses from compromised IoT devices, your internet pipes are dead, no matter how much redundancy you have.

    Only the biggest companies out there can handle these kinds of attacks. The backbone providers have some defenses, but it isn't as simple as just blocking a few IPs.

    -Matt

    1. Re:Flood defenses? by Dadoo · · Score: 3, Insightful

      but it isn't as simple as just blocking a few IPs.

      And this is why people need to be fined, if a device on their home network is found to be part of a botnet. Individuals need to be responsible for their networks, because the authorities are virtually powerless against botnets, Unless it costs them money, people just won't care.

      --
      Sit, Ubuntu, sit. Good dog.
    2. Re:Flood defenses? by 0123456 · · Score: 3, Interesting

      And then what?

      They buy a device that's horribly insecure, the manufacturer sends out one security update, then abandons it, and it becomes part of a botnet. And you fine the person who bought it?

      Actually, you're right. That's a great idea, because it will kill the whole 'Internet of Things' idiocy overnight. No-one will risk attaching anything to their network if they can't verify it's secure.

    3. Re:Flood defenses? by Dadoo · · Score: 1

      That's a great idea, because it will kill the whole 'Internet of Things' idiocy overnight. No-one will risk attaching anything to their network if they can't verify it's secure.

      Well, that's one potential side-effect - and not necessarily a bad one, in my opinion. Either they learn how to manage their devices, or don't connect them to the Internet.

      --
      Sit, Ubuntu, sit. Good dog.
    4. Re:Flood defenses? by Anonymous Coward · · Score: 0

      My dad had a stroke almost a year ago. His motor control isn't as good as it used to be, so yesterday he accidentally clicked on an ad without realizing it. It took him to a website with a blue-screen-of-death-looking error message and a constantly reopening pop-up that said to immediately stop using your computer in order to prevent complete data loss, then call this Microsoft support number to fix it. So the family called and did whatever the tech guy told them to do, because they didn't think a scam artist would spend an hour of his time helping them fix their computer issues. Scam artists aren't nice people, they aren't helpful or friendly, so obviously this isn't a scam. The tech guy talked them into installing some remote access software and then brought up the Windows Event Viewer to show them all the issues their computer was having (if you ever looked at that you'd know it's always filled with warnings and errors). Basically a good salesman* feeding off the confusion and ignorance of the listeners, as every salesman** I know was trained to do (which is why so many people hate you guys). He almost talked them into spending $120 to fix all their computer's issues and improve performance, but luckily they called me first, though that was after installing the malware and providing real contact details.

      You can't really fire someone living at home, so how big of a fine should my dad get for being scammed into installing malware or should society toss him in jail? Why not fine the actual scammer? How about the website that served the ad? How about the ad's server owner? How about Microsoft for not sending take down notices to every site that has a picture of a blue screen of death? How about the browser for having pop-ups that look like an OS pop up? What about the phone company?

      You don't seem to understand how the world works. People willingly pay money to become part of a botnet and are glad to do so, no hacking required. Creating less buggy devices won't change that. Charging people even more money after the fact would simply make everything worse because then those scammers would also be able to use the scam: "Our institute has discovered your computer is part of a botnet. This is a criminal offense [which everyone will know is true because such a change would make the news], but if you pay us a mere $80 we'll clean your computer and install this software that'll prevent it from ever happening again. If not, we're legally required to notify the police." Please think through your proposals before making them. Fining the end-user would only make things worse. We should use technical solutions to fix technical problems. But that requires companies to not be greedy assholes, so we'll always have these types of issues.

      *If you got offended that I said salesman instead of sales person then please fuck off.
      ** I don't know any saleswomen so again that was the proper word to use.

    5. Re:Flood defenses? by Anonymous Coward · · Score: 0

      No, manufacturers need to be fined and sued for releasing garbage products that become weapons so easily. Fuck blaming this on the customers.

  5. Tackling Mirai by subk · · Score: 4, Insightful

    Now that the source code for Mirai is out there being used, is there something that can be done to tackle the spread? Call me crazy, but perhaps a modified version could go out and actually change the passwords on these insecure IoT devices to random strings? Sure, the owner would lose access to the device.. But it would alert them that something was wrong, and stop the spread of Mirai.

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:Tackling Mirai by Anonymous Coward · · Score: 0

      Make it a serious felony to sell an internet-connected device with piss-poor security like stupid default credentials. That would have some impact for sure.

    2. Re:Tackling Mirai by ArylAkamov · · Score: 1

      1. Modify it to use all infected devices as a giant neural network
      2. Resurrect Tay A.I.
      3. ???
      4. Bow down to our Nazi A.I. overlord

    3. Re:Tackling Mirai by citizenr · · Score: 1

      reuse infecting part, replace bot part with firmware updater flashing data straight from /dev/urandom
      brick every single AliExpress special $20 web camera out there, repeat every 3-5 months when new hardware comes out until the public learns NOT TO PUT GARBAGE on the public internet

      --
      Who logs in to gdm? Not I, said the duck.
  6. Homeland Security? by Anonymous Coward · · Score: 0

    Sure glad Homeland Security is looking into this. I would lose sleep at night if the Five Eyes didn't have someone looking into this to make us feel more safe.

  7. DNS Replication Service Suggestions? by codebot · · Score: 1

    Anyone have recommendations for a good DNS replication service?
    Would prefer to be able to replicate rather than maintain two sets of data.
    A search turned up www.buddyns.com, but I've not yet dug into their details.

    1. Re:DNS Replication Service Suggestions? by Qzukk · · Score: 2
      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:DNS Replication Service Suggestions? by OverlordQ · · Score: 1

      Why do you need a replication service? If your stuff is automated, just point it to two providers.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:DNS Replication Service Suggestions? by codebot · · Score: 1

      Dyn is who I want to replicate.

    4. Re:DNS Replication Service Suggestions? by guruevi · · Score: 1

      I think EasyDNS has a product, but it's as simple as maintaining two sets of DNS records and pointing your domain to two different providers (e.g. PowerDNS and EasyDNS).

      This "attack" could've been easily prevented if they had a single SysAdmin with 15-20y experience in Internet hosting. Having multiple DNS providers used to be standard practice for any medium to large organization.

      Imagine dyndns CEO or disgruntled employees simply pulling the plug out. Same result and a reason to avoid SPOF even if you're "in the cloud"

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re: DNS Replication Service Suggestions? by Anonymous Coward · · Score: 0

      Set up a bunch of BIND servers shotgunned all over the 'net, set up as the SOA for your zones, and let BIND NOTIFY do the replication?

    6. Re:DNS Replication Service Suggestions? by Anonymous Coward · · Score: 0

      We set up EasyDNS in a rush today at work because they make replication pretty easy. Set up and verify your replication, add NS records for the secondary DNS host, and publish your new NS records on your domain. Wipe hands on pants.

  8. dare I say it? APK APK APK! by Anonymous Coward · · Score: 2, Funny
    As a backup everybody should maintain a HOSTS file with every internet address ever in it.
    Can't DDOS that.

    Lameness filter encountered. Post aborted! Filter error: Please use fewer 'junk' characters.

    Proof the system is rigged...

  9. Don't hire a guy with an anatomy degree... by Anonymous Coward · · Score: 0

    to be your senior architect. That's what I learned when I interviewed there. From the top, they're not experienced with software or the Internet.

  10. This is a test. This is ONLY a test. by cfalcon · · Score: 2

    If this had been an actual attack, all internet services would be rendered inoperative for long enough for whomever the fuck is doing this to have accomplished whatever the fuck awfulness they desire.

  11. Re:dare I say it? APK APK APK! by unixisc · · Score: 1

    Are the Russkies behind these DDOS attacks? If yes, nothing like an APK solution to fix it. A Russian solution to a Russian problem!!!

  12. Re:dare I say it? APK APK APK! by snookiex · · Score: 1

    Since my ISP stopped allowing me to access the admin console of my modem and started exposing a remote management interface to the internet, I no longer trust the DNS information provided via DHCP. Probably using a VPN service would be more practical, but for now I use the hosts file for the sites that require authentication.

    --
    Open Source Network Inventory for the masses! Kuwaiba
  13. Re:dare I say it? APK APK APK! by barbariccow · · Score: 2

    HOSTS file

    sshhh... If you say H***** file 3 times in a mirror you'll summon APK... DO NOT ATTEMPT!

  14. Is it really a war? by beheaderaswp · · Score: 5, Interesting

    I've been looking at the mainstream media outlets and they are reporting on this attack as if we were just invaded by Russia.

    This was an attack against DNS... at worst this type of attack stops people from "doing something". That "something" could be playing Pokemon... or banking... or working. But it doesn't "take down" the internet.

    The internet is just fine. To take down the "whole internet" you'd have to attack routers. And the numbers of routers exceed the ability of anyone to saturate them. So why does the media get all hyped up when Twitter goes down?

    It irks me so badly that the media and the general public get so completely flustered when some third world country, or a group of kids, decide to play games with the system. And that is all it is.

    Certainly we should defend against disruptions like this. How they are done should be researched. Perhaps in the future the system can be hardened so it's incredibly difficult to attack it.

    But it's a pretty minor league attack against the "internet". Twitter is down? The NYT?

    I just turned 50 last year. Still up to date on tech. Still as sharp as I was at 25 when I lugged a Compaq suitcase around. This seems like such a small issue to me. When the real issue should be router security, the idiotic idea of tying SSL certs to domain names, or the sad security of home routers.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
    1. Re:Is it really a war? by DerekLyons · · Score: 1

      This seems like such a small issue to me.

      That's because you just handwave away the issue, mostly by pedantically nitpicking the terminology.

    2. Re:Is it really a war? by 0123456 · · Score: 1

      So why does the media get all hyped up when Twitter goes down?

      The media thinks Twitter is The Internet.

      The real point of these attacks is that DNS, like any other centralized service on the Internet, is broken by design.

    3. Re:Is it really a war? by beheaderaswp · · Score: 1

      Yes I do handwave the issue- because it's a small one.

      If you want to talk about big ones, I can go there as well. The US could deploy an alternative DNS system in days. Either with the current tech or something truly distributed.

      That's the real issue. The press thinks this current attack is important. And what does the public do with this information? Are they going to revise the system?

      If I had my druthers the whole DNS system would have been trashed around 2005 and replaced with a blockchain that would have a node density so high it could not be attacked effectively.

      So if you think that's nitpicking terminology I fear you are far less competent on these issues than your low number on this site would imply you to be.

      --
      Another consultant who stuck it out.

      "We are the Priests, of the Temples of Syrinx..."
    4. Re:Is it really a war? by Anonymous Coward · · Score: 0

      It really isn't a big fucking deal. Another day, another DDOS. It really isn't anywhere near as important as the hyperbolically challenged media would like to have you believe.

    5. Re:Is it really a war? by c · · Score: 1

      But it's a pretty minor league attack against the "internet". Twitter is down? The NYT?

      I was just reading a Facebook comment from a friend about a hospital basically shutting down... presumably they had a dependency on something "in the cloud".

      Now, I'll certainly grant that said hospital fucked up beyond belief by having that dependency, and I'd hope that heads will roll over it, but the impact seems to go beyond mere entertainment.

      --
      Log in or piss off.
    6. Re:Is it really a war? by Dynedain · · Score: 1

      "The Internet" hasn't meant the physical network for at least 2 decades. Since at least the early '90s and the "internet superhighway", average people have used "The Internet" to refer to the collective set of interactive services and activities made possible by the network, rather than the underlying network hardware itself.

      What good is the physical link if nothing intended to run on it is actually functioning?

      --
      I'm out of my mind right now, but feel free to leave a message.....
    7. Re:Is it really a war? by turbidostato · · Score: 1

      "I was just reading a Facebook comment from a friend about a hospital basically shutting down... presumably they had a dependency on something "in the cloud".

      Now, I'll certainly grant that said hospital fucked up beyond belief by having that dependency, and I'd hope that heads will roll over it, but the impact seems to go beyond mere entertainment."

      Won't happen. Executives *love* "the cloud" because, among other things, it can very effectively deflect blame. It was not me, it's been DynDNS, a reputable actor in the industry, who would have expected it! (by "who" being other executives, of course, not somebody with actual technical acumen). So the most that will happen is that they'll go from this sole provider for that service to another one with even higher "corporate image".

    8. Re:Is it really a war? by mars-nl · · Score: 1

      It doesn't have to be centralized. Hierarchical, yes, centralized no. Putting all your eggs in one basket (Dyn) is just not a good idea. People outsource stuff and then stop thinking. People assume that if they outsource to a company, nothing can go wrong. But big companies are bigger targets and when they fall over, the mess is much bigger. So yes, decentralize.

    9. Re:Is it really a war? by thegarbz · · Score: 1

      But it doesn't "take down" the internet. The internet is just fine.

      Sorry, but this is very serious, and you ignore the realities of the modern internet, which is as much dependent on DNS as it is on those routers. DNS isn't just a name lookup service anymore. You can't fall back to something else when DNS is down. Many devices and programs come with hardcoded domain entries. Much of the internet is now wholly dependent on DNS to correctly localise services or even know what content to serve you. www.siteofinterest.com may resolve to a specific IP address, but good luck typing in that IP address and getting to that site, which may be sitting in a datacentre hosting any number of virtual servers.

      The internet was not "just fine" yesterday.

    10. Re:Is it really a war? by c · · Score: 1

      So the most that will happen is that they'll go from this sole provider for that service to another one with even higher "corporate image".

      I believe it's a Canadian hospital, so its executives might have a different sort of accountability. I hope.

      --
      Log in or piss off.
    11. Re:Is it really a war? by turbidostato · · Score: 1

      "I believe it's a Canadian hospital, so its executives might have a different sort of accountability. I hope."

      They most probably don't. And even if they do, that won't be the case for long. The nice thing about globalization is that it is a race to the bottom. In this case it translates to: how can we Canadians be competitive if our executives have higher accountability than their USA counterparts?

  15. Yet more proof and confirmation that... by X86BSD · · Score: 5, Insightful

    CLOUD anything and outsourcing your infrastructure because you are lazy and/or cheap is a BAD IDEA. Consolidating services you no longer control to a third party means you've lost the ability to survive these attacks.

    1. Re:Yet more proof and confirmation that... by beheaderaswp · · Score: 1

      I so totally agree.... I'd mod you up but I posted and can't.

      --
      Another consultant who stuck it out.

      "We are the Priests, of the Temples of Syrinx..."
    2. Re:Yet more proof and confirmation that... by Anonymous Coward · · Score: 0

      This is a disastrous idea for most companies. I would bet $100,000 that if you took a study which examined the security of internal IT versus what AWS provides out of the box, AWS would come away the winner 90% of the time. I've seen some of these internal networks, and for the most part they are a mess. There is a reason why my school email (run by my university) gets 10x as much spam as my Gmail when I only use the school email for school business (i.e. not signing up for randosite.com on it)...

      Also, in the specific case of DDoS, you would be either basically helpless or be forced to pay an obscene amount of money in over-allocation to prevent them against your own servers. Cloud at least allows you to bring on extra servers within a couple of minutes versus having to wait weeks for new hardware. Cloud costs a premium, but most sites and internal datacenters are over-provisioned. With cloud providers, it is much easier to adjust services depending on load. See "A View of Cloud Computing" by Armbrust et. al. for a good overview of the economic argument for IaaS.

  16. Russians! by mi · · Score: 0

    17 intelligence agencies agree: Russia is behind the attack because it wants Trump to win. Or something...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Russians! by Anonymous Coward · · Score: 1

      Naa aar, I heard it was Hillary trying to delete those last few emails from her server.

    2. Re:Russians! by unixisc · · Score: 1

      But why would the Russians then shut down Trump's main channel - Twitter?

  17. It was WikiLeaks (supporters)? by CustomSolvers2 · · Score: 1

    At least, this is what they said in their Twitter account.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:It was WikiLeaks (supporters)? by CustomSolvers2 · · Score: 1

      Apparently, I wrote this post too soon, because it didn't become news until some hours later.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  18. November 1987, RFC 1034. Secondary DNS servers by raymorris · · Score: 5, Insightful

    For this specific attack, set up a secondary name server, using a secondary provider.

    In November 1987, RFC 1034 was published. It describes how secondary DNS servers automatically sync from the primary. For about twelve years, people took that seriously. They used at least two name servers that were unlikely to be affected by the same problem - separated geographically far apart and using two (or more) different network providers. Nowadays it's likely their two name servers are sitting right on top of each other in the same rack.

    If both your DNS servers are with the same provider, whether that be Amazon, DynDNS, or any other single provider, they are subject to fail due to the same cause, at the same time.

    Btw, on a different but related topic - there's also an RFC for exactly how to build CDNs (reverse proxies) that actually work right. We've known how to do that correctly for decades, so everybody can read the damn RFC and stop inventing new ways to completely screw it up. First hint - the protocol for reverse proxies has been around far longer than the buzzword "CDN" that's now used to sell them.

    1. Re:November 1987, RFC 1034. Secondary DNS servers by Anonymous Coward · · Score: 0

      First hint - the protocol for reverse proxies has been around far longer than the buzzword "CDN" that's now used to sell them.

      Just that this CDN buzzword tends to include geographic dispersal of these reverse proxies. Which is pretty damn useful for the multinational company who needs CDN services.
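    The advice in this post and in the "DNS Replication Service Suggestions" thread above boils down to two checks: the zone's name servers must not all belong to one provider (or one network), and once a secondary is added its copy must actually be in sync, which in RFC 1034 terms means the SOA serial it answers with matches the primary's. Below is an added audit of exactly that, not code from either poster or from any DNS provider. It runs offline against a constructed snapshot of what `dig NS` and `dig SOA @server` would return; the provider names, addresses and prefix-to-organisation table are assumptions standing in for a real whois/ASN lookup.

```python
"""Audit a delegation for provider diversity and replication lag (added example).

Input is a constructed snapshot: NS hostname -> (address it resolves to,
SOA serial that server answers with). Everything here is made up for the
example; a real check would feed it from dig and a whois/ASN lookup.
"""
import ipaddress
from collections import defaultdict

ZONE = "example.test."

# Constructed snapshots (RFC 5737 documentation prefixes, invented hostnames).
SNAPSHOT_SINGLE_PROVIDER = {
    "ns1.provider-a.test.": ("198.51.100.10", 2016102101),
    "ns2.provider-a.test.": ("198.51.100.20", 2016102101),
    "ns3.provider-a.test.": ("198.51.100.30", 2016102101),
}
SNAPSHOT_TWO_PROVIDERS = {
    "ns1.provider-a.test.": ("198.51.100.10", 2016102101),
    "ns2.provider-a.test.": ("198.51.100.20", 2016102101),
    "ns1.provider-b.test.": ("203.0.113.5", 2016102101),
    "ns2.provider-b.test.": ("203.0.113.77", 2016102100),  # secondary not yet synced
}

# Assumed prefix -> operating organisation table (stand-in for whois / ASN data).
PREFIX_OWNER = {
    ipaddress.ip_network("198.51.100.0/24"): "Provider A",
    ipaddress.ip_network("203.0.113.0/24"): "Provider B",
}


def owner_of(ip):
    """Organisation operating the address, or 'unknown' if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, org in PREFIX_OWNER.items():
        if addr in net:
            return org
    return "unknown"


def shares_one_prefix(snapshot, prefixlen=24):
    """True when every name server sits in the same /prefixlen: the 'same rack' case."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for ip, _serial in snapshot.values()}
    return len(nets) == 1


def audit_delegation(snapshot, min_providers=2):
    """Group name servers by provider, flag a single-provider delegation, and
    list secondaries whose SOA serial lags the newest one seen."""
    providers = defaultdict(list)
    for ns, (ip, _serial) in snapshot.items():
        providers[owner_of(ip)].append(ns)
    serials = {ns: serial for ns, (_ip, serial) in snapshot.items()}
    newest = max(serials.values())
    lagging = sorted(ns for ns, serial in serials.items() if serial != newest)
    return {
        "providers": dict(providers),
        "single_point_of_failure": len(providers) < min_providers,
        "same_prefix": shares_one_prefix(snapshot),
        "lagging_secondaries": lagging,
    }


if __name__ == "__main__":
    for label, snap in (("single provider", SNAPSHOT_SINGLE_PROVIDER),
                        ("two providers", SNAPSHOT_TWO_PROVIDERS)):
        print(label, ZONE, audit_delegation(snap))
```

The first snapshot is the pattern the thread is complaining about: three NS records, one organisation, one /24. The second passes the diversity check but reveals a secondary still answering with yesterday's serial, which is the condition "verify your replication" is meant to catch before you publish the new NS set at the registrar.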

  19. Real Business Implications of Internet 3 by WillAffleckUW · · Score: 2

    Look, when we built the Internet (back in the ARPA days), it was restricted to trusted players at military and research universities.

    Then we let in the unwashed masses.

    Then some morons decided to give Internet capability to every single device in the Internet of Things.

    First principles, people:

    Build one Internet based on IPv6sec for the trusted peers. The backbone.

    Build a second Internet for the identified non-object computers based on IPv6sec. The unwashed masses. If parts misbehave, turn off their feeds until they fix them. Drought solves lots of problems.

    Build a third Internet for the Internet of Things based on IPv6 and IPv4. Restrict the ports and traffic to essentials. So you can't play Disney in your car, too bad.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Real Business Implications of Internet 3 by Anonymous Coward · · Score: 0

      News for you. Every member of Slashdot is the "Unwashed Masses".

    2. Re:Real Business Implications of Internet 3 by bn-7bc · · Score: 1

      Well yes, but (without putting words into GP's mouth) I think she/he referred to people who could not separate UDP from TCP if their life depended on it. You know, the kids and the people that say the internet is down when they can't get to (insert one popular service here) without checking if any other service is still working.

  20. Solution? by mrPalomar · · Score: 2

    Is it time for blockchain DNS?

    1. Re:Solution? by guruevi · · Score: 2

      No, just DNS the way it was intended. DNS and all early Internet services were designed to withstand nuclear war and attacks by state-sized actors, actually specifically designed to withstand an attack from Russia.

      The problem is the cloud has aggregated all that diversity of everyone running their own services into a handful of really big corporations. Today's just a reminder that any one of those corporations has a significant amount of control if it were a truly bad actor. Imagine Dyn intentionally pointing all the Twitter etc DNS records elsewhere, they did it for their "free" accounts a decade ago just to make them pay.

      It seems no one at those big corporations remembers the true history of DynDNS, and how they screwed their customers over. I was surprised they were still in business at all.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Solution? by toonces33 · · Score: 1

      Just turning off or filtering DNS UDP packets would be a start.

      DNS over UDP works fine on an intranet. Just block it on the way out onto the rest of the net.

    3. Re:Solution? by BenFranske · · Score: 1

      Actually, in cases like this it would make it worse. This is not the DoS of your youth with spoofed IP addresses. This is millions of bots making seemingly legitimate requests simultaneously. With UDP DNS requests are a single packet. With TCP you get a SYN, SYN ACK, and SYN before you even get to the part where you're making the query...that would dramatically multiply the number of packets for each query from each bot, or for that matter on a regular day from a legitimate user meaning the connections would just be that much closer to being flooded all the time.

  21. Reddit, Spotify, and the New York Times were down? by clonehappy · · Score: 1

    There's only one answer: Activate Homeland Security!

    You know, the department established to thwart terrorists who plan on mass murdering people in spectacular displays like knocking down skyscrapers? The one plenty of us told you was going to be used for every crime in the book in addition to terrorism?

    Nah, that kind of scope creep would never happen I was told...

  22. Damn dirty commies by Anonymous Coward · · Score: 0

    Now I'm not going to jump to any conclusions based on the zero evidence I have so far...

    but clearly it was the Russians. They hate our democracy and will do anything to interfere.

    I hope that secret covert clandestine cyberattack we've been cyberpromising hits them soon.

  23. OpenDNS SmartCache by Jayfar · · Score: 2

    I was reading elsewhere that users utilizing OpenDNS' SmartCache feature were unaffected. Basically, in the event that a domain's authoritative servers all become unavailable, smartcache uses the last known good resource records, regardless of whether their TTL has expired. Are any of the other DNS providers and ISPs utilizing anything similar?

    1. Re:OpenDNS SmartCache by Anonymous Coward · · Score: 0

      Doing so is a huge security risk. It is trivial to mimic the login page of any site and if you know its IP address changed but the user doesn't, then you can grab that old IP and pretend to be the site they're looking for. It's better for the site to go offline than trust expired entries for anything that matters.

      To have prevented these site outages, all the end-user needed was a backup DNS that wasn't provided by the attacked party. You can configure your system to do that. If all DNS providers are attacked then you're screwed, but then so is everyone else.

    2. Re:OpenDNS SmartCache by Anonymous Coward · · Score: 0

      And for that matter, how can I set up BIND or another DNS caching server to do this internally? This broke services I use, and I had to make hosts entries for the day until they got back on their feet.
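
The serve-stale behaviour discussed in this subthread, as an added Python model that is not from the thread, from OpenDNS or from any resolver's code: an expired record is returned only when every upstream lookup fails, and only within a bounded stale window, which is also what limits the "old IP" risk raised in the first reply. ServeStaleCache, demo, and the example.com / 192.0.2.10 values are constructed for the illustration.

```python
import time

SERVFAIL = None  # sentinel: no usable answer (a real resolver would return SERVFAIL)

class ServeStaleCache:
    """Caching resolver model: expired records are served only when every
    upstream (authoritative) lookup fails, and only within a stale window."""

    def __init__(self, upstream, max_stale_seconds, clock=time.time):
        self.upstream = upstream      # callable(name) -> (rdata, ttl); raises OSError on failure
        self.max_stale = max_stale_seconds
        self.clock = clock
        self.cache = {}               # name -> (rdata, expires_at)

    def resolve(self, name):
        """Return (rdata, is_stale), or SERVFAIL when nothing usable exists."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], False    # fresh hit: the normal path
        try:
            rdata, ttl = self.upstream(name)
        except OSError:
            # Upstream unreachable: fall back to the last known good record,
            # ignoring its TTL, but never beyond max_stale. That cap bounds the
            # window in which a stale (possibly reassigned) address is handed out.
            if entry and now - entry[1] <= self.max_stale:
                return entry[0], True
            return SERVFAIL
        self.cache[name] = (rdata, now + ttl)
        return rdata, False

def demo():
    """Constructed scenario: one good lookup, then the authoritatives go dark."""
    clock = [1000.0]
    upstream_up = [True]
    def upstream(name):
        if not upstream_up[0]:
            raise OSError("authoritative servers unreachable")
        return "192.0.2.10", 300      # TEST-NET-1 address, 5-minute TTL

    cache = ServeStaleCache(upstream, max_stale_seconds=3600, clock=lambda: clock[0])
    fresh = cache.resolve("example.com")   # ("192.0.2.10", False)
    upstream_up[0] = False
    clock[0] += 600                        # TTL has expired and the outage is under way
    stale = cache.resolve("example.com")   # ("192.0.2.10", True)
    clock[0] += 4000                       # 4300 s past expiry, beyond max_stale
    gone = cache.resolve("example.com")    # SERVFAIL
    return fresh, stale, gone
```

Real resolvers expose the same two knobs: BIND's stale-answer-enable with max-stale-ttl, and Unbound's serve-expired with serve-expired-ttl.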

  24. Re:This is a test. This is ONLY a test. by Anonymous Coward · · Score: 0

    Agreed. This seemed pretty targeted in timing. By my estimation, it started at 7:30am, ended at 9am, then started up again Noon through quitting time on a Friday. (All times EDT). It smelled of "display of power" to me. I can't help but wonder if Dyn is getting ransom'd behind the scenes.

  25. No Russian ancestry here... apk by Anonymous Coward · · Score: 0

    However, I'm a "relative"/cousin of sorts being descended from a neighboring fellow Slavic tribe nation Poland.

    * ONLY nation that ever took Russia & held it (1610, even though "the infamous they" say nobody can invade & hold them, especially in winters) & that also drove back the muslim hordes for the rest of Europe under Sobieski when the rest of Europe bitched out.

    APK

    P.S.=> I'm also a 1st generation United States citizen by birth... apk

    1. Re:No Russian ancestry here... apk by unixisc · · Score: 1

      You're talking about the grand duchy of Poland-Lithuania? That included what's today Belarus and the western parts of Ukraine. Saying that Poland took 'Russia' seems to suggest that they took the entire country. At the time in question, I doubt that the Poles even had Moscow, much less the western Urals

  26. eh by Anonymous Coward · · Score: 0

    at least all the PRON sites are up - the internet is alive and kicking !!!!!

  27. APK is pure by unixisc · · Score: 1

    APK is a pure unix/linux guy ;-)

  28. Anyone else did the same OR better? by Anonymous Coward · · Score: 0

    Poland (w/ swedes) did occupy Moscow https://www.youtube.com/watch?... & yes, Poland & Lithuania were involved in alliance vs. Muslims under Sobieski's command.

    APK

    P.S.=> Answer the question in my subject - I'm personally not aware of ANY nation that's done that in the entirety of history itself... apk

    1. Re:Anyone else did the same OR better? by unixisc · · Score: 1

      You are right about the Poles under Sobieski repelling the Muslims at the gates of Vienna. But as far as the question of whether any nation conquered Russia in a major way, nobody did it more comprehensively than the Mongols - both under Genghiz Khan and under the Golden Horde.

  29. Circular logic by DerekLyons · · Score: 1

    Yes I do handwave the issue- because it's a small one.

    Thereby creating a circular chain of logic.

  30. WRONG man... apk by Anonymous Coward · · Score: 0

    See subject & https://tech.slashdot.org/comments.pl?sid=9800533&cid=53129995/ + originally here before it https://tech.slashdot.org/comments.pl?sid=9800533&cid=53127509/

    * Responded? It was more like CORRECTING YOUR ERROR & ERRONEOUS ASSUMPTION I am of Russian descent (a 'cousin/relative' slav perhaps would have been better on your part) man + more on Poland's history (driving out the Muslim invasion, Mongols too iirc but I didn't put that there, + taking Russia too which I've never known anyone else to do so, not Alexander & not Napoleon, Hitler etc. - et al)...

    (REPEAT - NO RUSSIAN HERE!)

    I also see you've made another mistake here https://tech.slashdot.org/comm... too - I started on VMS (VAX-1180) & *NIX (Sun) + IBM AS/400-OS/400 & System 34/36/38 before it... but I'm a "Windows man" primarily since 1991 (it's most used & thus, has the most monetary opportunity for a career though I haven't worked full-time in computing since 2007 for anyone - I work for myself now & my monies work for me (not the other way around)).

    APK

    P.S.=> I must "correct" myself saying it was swedes operating WITH Poland on the 1st one (said it wrong imo) - it was RUSSIA & SWEDES that Poland took down (for 2 yrs.) & YES they did occupy + hold Moscow (no one else in history has managed it afaik, ever)... apk

  31. Dunning-Kruger Effect? by Gazzonyx · · Score: 1

    FWIW, the GP poster is Matt Dillon. He's a well known FreeBSD/Linux kernel hacker and the founder/maintainer of DragonFly BSD and his list of Nerd Cred is legit and long. I'm sure he's forgotten more about network protocols than I ever knew in spite of my kernel patches and Samba contributions. I'd wager he's painfully aware of the ins-and-outs of NAT and IPv6 at a low level.

    Don't get me wrong; that doesn't mean he might not be wrong in his evaluation of the protocol. He'd just be wrong on a much more detailed level than I could comment on with any comfort. :)

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  32. Luddites by Hognoxious · · Score: 1

    They should get with the times and move from the olde worlde internet to the all new shiny shiny cloud!

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  33. Not all /. but I'll let some speak for it... by Anonymous Coward · · Score: 0

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    take a look at the APK hosts file engine by SuperKendall

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    * My code's liked/used by /.'ers + recommended & hosted by Malwarebytes' hpHosts.

    APK

    P.S.=> - It's doing well so I'm pleased - plus hundreds here use hosts files also... apk

  34. Who drove them back? Poland + Hungary by Anonymous Coward · · Score: 0

    See subject: "3 strikes" & they were "outta there" (poles & hungarians did it), no more attempts after that...

    APK

    P.S.=> Poland DID take Moscow for 2++ yrs. man, no questions asked... thanks for the 'refresher' on mongol invasions (which I had to re-review since as I stated I had to look up details on again as I was hazy on them & again, that I didn't mention in my initial post regarding poles driving back the muslim hordes though when everyone else except Lithuania was backing down)... apk