Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com)
Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?
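The BCP38 ingress filtering the summary mentions is, at its core, a per-interface check that a packet's source address belongs to the prefixes the customer behind that interface is allowed to originate. The following is an added example, not code from the post or from any router vendor: it models that check in Python over a handful of constructed packets, with interface names and prefixes that are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Added example (not from the original post): a minimal model of BCP38 ingress
# filtering. Each customer-facing interface is bound to the prefixes that
# customer legitimately originates; a packet arriving on that interface with
# any other source address is spoofed or misrouted and is dropped at the edge.
# Interface names and prefixes are constructed for illustration.
INGRESS_POLICY = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("2001:db8:b::/48")],
}


def ingress_allowed(interface, src):
    """Return True if src is a legitimate source for packets entering on interface."""
    allowed = INGRESS_POLICY.get(interface)
    if allowed is None:
        return False  # unknown interface: fail closed
    src_ip = ip_address(src)
    # 'in' is False across address families, so a v6 source never matches a v4 prefix
    return any(src_ip in net for net in allowed)


def filter_packets(packets):
    """Split constructed packets into the forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if ingress_allowed(pkt["iface"], pkt["src"]) else dropped
        target.append(pkt)
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets, one spoofed source, one
# source just outside the customer's assigned /25.
SAMPLE_PACKETS = [
    {"iface": "cust-a", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"iface": "cust-a", "src": "192.0.2.10", "dst": "198.51.100.5"},
    {"iface": "cust-b", "src": "198.51.100.200", "dst": "192.0.2.10"},
    {"iface": "cust-b", "src": "2001:db8:b::1", "dst": "2001:db8:1::1"},
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for p in drop:
        print("drop", p["iface"], p["src"], "->", p["dst"])
```

On real edge routers the same policy is expressed as an ingress ACL per customer port or as strict unicast reverse-path forwarding (uRPF), which derives the allowed set from the routing table instead of a hand-maintained list; the effect is the same, spoofed-source packets never leave the access network.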
If a manufacturer made a device that connected to the public phone system, that could be compromised and made to call thousands of people at random, they'd soon find themselves facing product recalls, fines, import bans, and liability for the disruption caused.
Why should IoT devices be any different?
Some shitty no-name Chinese remote webcam manufacturer hardcoded 'admin' as the password and tunnels through routers using UPnP to listen on the internet? Import ban that shit. Slap on a fine. Seize any of their American assets or property to pay it. They'll soon get the message that security can't be neglected. It's not hard to fix this stuff given the will.
"Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?"
Oh, you silly...
Technical solutions are intrinsically International. Information wants to breathe free. The Source Code for Mirai has been available for weeks, in any event.
Civil or criminal solutions are intrinsically Local, with varying measures of corruption involved.
The attack on Thursday and Friday came from yet unknown players, probably some species of Asian Script kiddies, using defective Chinese Industrial Security, largely on the US Infrastructure, although I gather swaths of Europe were also later involved that same day.
Which Barney Fife do you suggest gets called in?
I feel that the Gray Hatters are correct. Use Mirai to massively Brick all of those XiongMai Internet Whore Boards, and later use any and all Courts to bloodily gut all of the lazyass Companies involved. Eastern and Western.
China, when these things are brought to International Attention, has been known to hang a few... embarrassments...
A Fine and Worthy Message.
It's been said before here, so allow me to offer a "how" for the obvious and already mentioned "secure the damn crap people hook up to the net".
This will only work with legislature. Sorry to all my libertarian friends here, but yes, there are times when the only way to sort out a problem is government intervention. These times are when you have to force people to do something for the "greater good" when they themselves would have a (smaller) profit from not giving a shit. And if there has ever been a good example, it's this. People don't give a shit about their IoT devices being insecure, because it does not affect them directly, but these insecure devices threaten the usability of the internet for all of us.
This is one of the reasons organizations like the FCC were created. Remember that sticker? Few people notice it nowadays because, well, it's a given that devices don't create harmful interference and that they don't go bananas if they are subject to any, but this was anything but certain in the early days of electronics. And no, that sticker itself doesn't do jack, of course, but it is a promise that the manufacturer has to live up to or face a heavy fine and ban of his device.
We need something like this for the IoT devices. "This device will not cause trouble on the internet and cannot be hijacked from there". Live up to it or see your device recalled. It pains me to ask for this, but it's time to create a government entity that deals with this. Or maybe hand it to the FCC so they start doing something useful again.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If this was so simple, you'd see spam blacklists being used that way. Wonder why that doesn't happen...? Right, because you have to spam to get on the list! And to get on the new list, you'd have to have an insecure IoT device in your house.
Still, it's not a good solution. Spamming blacklists hit email providers, who had better be professionals (and if not, it's a DAMN GOOD idea to block them anyway), while IoT users are primarily private people. You cannot expect them to do a full audit of every piece of junk they buy.
It's time to put the burden on the makers of those shoddy devices, not expect a CS degree from anyone who wants to use one.
The problem is that people buy stuff on eBay from China. It will be nearly impossible to block all those sales or hold the manufacturers to account.
In the EU at least the onus would be on the vendor, i.e. the shop that sold the thing, to ensure updates were available. Again, not that helpful for imports but perhaps eBay or Amazon could be made liable to encourage them to vet sellers. If that IoT toaster they sold 3 years ago was discovered to be vulnerable and no fix was available, the customer could return it for a partial refund. eBay and Amazon would have to be required to notify buyers too.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Mod parent up.
This is not a technical problem, a technical solution won't fix it.
You could start by not giving IP addresses to kettles and toasters.
If the FCC and CE require network security tests and not only Safety/EMI/RFI tests, then China will not be able to sell crap and customs will impound it at the border.
When I buy an electrical device, I assume it's passed all the relevant consumer safety checks and complies with the regulations, as otherwise the shop would be breaking the law selling it to me (in the UK at least). I assume I'm safe to plug it in unless there's an absolutely obvious flaw (damaged power cable, for example).
Most people will go and buy a security camera or other device that connects to the internet and assume there's nothing to worry about if they're buying it from a high street shop. These things are sold as consumer devices in major stores, targeted at non-technical people. That should be enough, in an ideal world, for buyers to be confident they can connect them to the internet in the same way they can connect the microwave they buy to the power without worrying about whether it's safe.
OK, I accept that these days you can buy no-name stuff on the internet that probably doesn't meet safety standards (electrically or otherwise). That's your lookout and you should absolutely be liable for problems that result. But if you buy it at Currys? Argos? Well, in the UK consumer law says anything sold must be fit for purpose.
Sigs are so 1990s. No way would I be seen dead with one.
I guess it depends on what qualifies as a "technical measure" then?
From what I understand, a very large portion of the devices were compromised because they used default passwords that were never changed. I would consider having a device disabled/crippled out of the box until a new password was set to be a technical measure.
=Smidge=
That's exactly what my router has. But we can take it a step further, and perhaps even simpler:
Disable the device's full functionality until a new password is set. This is a firmware change and doesn't add a single cent to the manufacturing costs. No labels, no special programming for each device.
Lost your password? Use the hardware reset button. Device is disabled again until a new password is set.
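The "disabled until a password is set, and disabled again after a hardware reset" proposal in the two comments above is a small state machine, and it is worth seeing how little firmware it takes. The following is an added example, not code from the commenter or from any vendor: a device model whose network-facing endpoints refuse everything except setup until the owner has set a non-default password, with the endpoint names, the weak-password list and the PBKDF2 parameters all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the comment above or from any vendor's firmware:
# a minimal provisioning state machine for a network device. Nothing but the
# setup endpoint answers until the owner has set a non-default password, and
# a factory reset wipes the credential and disables the services again.
# Endpoint names, weak-password list and KDF settings are constructed.

WEAK_PASSWORDS = {"admin", "password", "12345", "123456", "root", "default"}
PBKDF2_ROUNDS = 100_000


class Device:
    def __init__(self):
        self._salt = None
        self._pw_hash = None
        self.services_enabled = False  # shipped state: nothing listens

    @staticmethod
    def _derive(password, salt):
        # Salted PBKDF2 so a dumped credential store does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def provisioned(self):
        return self._pw_hash is not None

    def set_password(self, password):
        """First-boot setup: reject short or factory-default passwords, then enable services."""
        if len(password) < 8 or password.lower() in WEAK_PASSWORDS:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password, self._salt)
        self.services_enabled = True
        return True

    def check_password(self, password):
        if not self.provisioned():
            return False
        return hmac.compare_digest(self._derive(password, self._salt), self._pw_hash)

    def factory_reset(self):
        """Hardware reset button: credential gone, device back to the disabled state."""
        self._salt = None
        self._pw_hash = None
        self.services_enabled = False

    def handle_request(self, endpoint, password=None):
        """Dispatch a request; only 'setup' is reachable before provisioning."""
        if endpoint == "setup":
            if self.provisioned():
                return "already-provisioned"
            return "ok" if self.set_password(password or "") else "weak-password"
        if not self.services_enabled:
            return "disabled"          # out of the box and after every reset
        if not self.check_password(password or ""):
            return "unauthorized"
        return "ok"


if __name__ == "__main__":
    cam = Device()
    print(cam.handle_request("stream"))                            # disabled
    print(cam.handle_request("setup", "admin"))                    # weak-password
    print(cam.handle_request("setup", "correct horse battery"))    # ok
    print(cam.handle_request("stream", "correct horse battery"))   # ok
    cam.factory_reset()
    print(cam.handle_request("stream", "correct horse battery"))   # disabled
```

The point the comments make holds here: the gate is pure firmware logic, there is no per-unit label or per-unit programming, and the reset button simply returns the device to the same disabled state it shipped in rather than to a known default credential.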
I was 100% unaffected by the DDOS attack on DNS because I run a caching DNS server that I set to break the rules of DNS. I cache DNS until I get an update.
A DNS request is passed through to the main servers; if I get no response in 100ms I fall back to cached information. Cached information does not expire for 30 days.
So unless some obscure site that changes its IP constantly decides to hop IPs during the DDOS attack, I have zero issues.
Do not look at laser with remaining good eye.
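The resolver behaviour described in the comment above (ask upstream with a 100 ms budget, fall back to the last known answer, keep that answer for 30 days regardless of TTL) is easy to model. The following is an added example, not the commenter's actual resolver: the upstream lookup is injected as a callable so the example runs offline, and FakeUpstream and FakeClock are constructed stand-ins for a real forwarder and the system clock.

```python
import time

# Added example, not the commenter's resolver: a caching forwarder that serves
# stale answers when upstream is unreachable. The real upstream call (e.g. a
# UDP query to the configured forwarders) is abstracted as a callable.

UPSTREAM_TIMEOUT = 0.1        # seconds; the comment's 100 ms budget
STALE_TTL = 30 * 24 * 3600    # 30 days, as in the comment


class UpstreamTimeout(Exception):
    pass


class StaleCacheResolver:
    def __init__(self, upstream, clock=time.monotonic):
        self._upstream = upstream   # callable(name, timeout) -> list of addresses
        self._clock = clock
        self._cache = {}            # name -> (addresses, stored_at)

    def resolve(self, name):
        """Return (addresses, source); source is 'fresh', 'stale' or 'servfail'."""
        now = self._clock()
        try:
            answer = self._upstream(name, UPSTREAM_TIMEOUT)
        except Exception:           # timeout, SERVFAIL, link down: all fall through
            answer = None
        if answer:
            # Every successful lookup refreshes the entry; record TTL is ignored,
            # which is exactly the rule the comment says it breaks.
            self._cache[name] = (list(answer), now)
            return list(answer), "fresh"
        cached = self._cache.get(name)
        if cached is not None and now - cached[1] <= STALE_TTL:
            return list(cached[0]), "stale"
        return None, "servfail"


class FakeUpstream:
    """Constructed upstream: answers from a fixed table, or times out when unhealthy."""

    def __init__(self, table):
        self.table = table
        self.healthy = True

    def __call__(self, name, timeout):
        if not self.healthy:
            raise UpstreamTimeout(f"no reply within {timeout}s")
        return self.table.get(name, [])


class FakeClock:
    """Constructed clock so the 30-day window can be tested without waiting."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock(0.0)
    upstream = FakeUpstream({"example.test": ["192.0.2.1"]})   # constructed record
    resolver = StaleCacheResolver(upstream, clock=clock)
    print(resolver.resolve("example.test"))    # fresh
    upstream.healthy = False                    # simulate the upstream outage
    print(resolver.resolve("example.test"))    # stale, still answered
    clock.t += STALE_TTL + 1
    print(resolver.resolve("example.test"))    # servfail after 30 days
```

Two caveats a production resolver would need beyond this sketch: the stand-in does not distinguish a negative answer (NXDOMAIN) from an upstream failure, and a 30-day stale window is far longer than the serve-stale behaviour standardised in RFC 8767, which limits stale answers to a period on the order of days so that a host that has legitimately moved is not kept pointed at its old address.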
The only solution I can see is regulation, like we have for radio transmitters. Everything has to be certified to meet minimum security requirements before it can be sold. The problem is that for radios it is fairly easy to test the output, but to check firmware for security you need access to source code and time to understand and evaluate it.