
Second DDoS of Major Internet backbone underway, IoT botnet still to blame.

Pyrii

This new DDoS appears to be affecting different sites from the first, as it appears to be striking a different part of Dyn's network. Level 3 and Cloudflare are seeing lots of errors on websites including GitHub and the PlayStation Network.


Source: Ars Technica - Double-dip Internet-of-Things botnet attack felt across the Internet

Quote

Both Level 3 and CloudFlare have not directly been affected by the attack. But many of their customers have because of a reliance on Dyn's managed domain name services. The outages began this morning when Dyn reported a distributed denial of service affecting their US East Coast infrastructure.

 

While the first attack was apparently shrugged off by mid-morning, another wave hit about mid-day Eastern Time, again affecting sites and services that use Dyn as the provider of their authoritative Domain Name Service addresses. This took down parts of Twitter's network, as well as hundreds of other sites—including Github, Box, The Verge, Playstation Network, and personal webpage provider Wix—that rely on Dyn's service to dynamically reassign domain names to Internet addresses for traffic management purposes.

 

Prince added that Cloudflare was seeing a sizable increase in errors in traffic for its customers because the attack was affecting infrastructure providers like GitHub. "If a customer's site is pointing to a git there, now we can't reach Github," he said. "There are definitely infrastructure providers that we can't reach."

 

The attack itself is likely pointed at a Dyn customer rather than at Dyn itself. Some indications point to the attack focusing on Sony's Playstation domains, though Dyn has not confirmed this.

So far, GitHub seems to be fine for me in the UK and I haven't seen any real problems, so this could be a more focused attack. But I think the headache caused by IoT devices' poor security is going to continue to snowball. And it's been used to try and silence security researchers in the past who stumble onto criminal uses for vulnerabilities.

Quote

Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attack on Krebs, which at one point reached a traffic volume of 620 gigabits per second.


Is that the same Brian Krebs that was calling Lizard Squad 'script kiddies' lol? 


Like, how are defensive mechanisms not able to block this crap? Someone just waste 500 million $ on security ffs. :P

Groomlake Authority


35 minutes ago, VerticalDiscussions said:

Like, how are defensive mechanisms not able to block this crap? Someone just waste 500 million $ on security ffs. :P

Well even if they block the traffic, the traffic is still using up the bandwidth. Only defense to these kinds of attacks is throwing more bandwidth (and thus hardware) at it which isn't cheap.


Just now, lvh1 said:

-snip-

Which is why more money needs to be invested :(.


3 hours ago, NinerL said:

Is that the same Brian Krebs that was calling Lizard Squad 'script kiddies' lol? 


Are you implying they weren't? The indictments for them were depressing to read, it's as if the kids behind Lizard Squad/PoodleCorp didn't know how the internet worked and took zero steps in protecting themselves. Why would you take pictures of where you live and send them to strangers online on a public service where you don't own the servers and why would you link the domains to accounts with your passports on file? Another case where greed overrides common sense but thank god these kinds of groups are limited to the knowledge Google provides them.


43 minutes ago, VerticalDiscussions said:

Like, how are defensive mechanisms not able to block this crap? Someone just waste 500 million $ on security ffs. :P

The problem is that it's profitable to let these attacks continue while it's expensive to deal with the problem. ISPs don't seem to care anymore as long as the owners of the infected devices continue to pay their bills and don't download any pirated content. The data centers that allow these attacks to leave their networks and host the C&Cs for them don't care because they're getting a nice chunk of change to host them and protect the people running them. A lot of these attacks could be dealt with by ISPs and data centers but then the clients would complain about being throttled or spied on depending on how they handle it. Back in the day if a device on your network was part of a botnet ISPs would throttle you or disable your modem until you fixed it (and after enough letters and warnings they would terminate your service), heaven forbid ISPs actually attempt to make the internet a better place.


5 minutes ago, lvh1 said:

Well even if they block the traffic, the traffic is still using up the bandwidth. Only defense to these kinds of attacks is throwing more bandwidth (and thus hardware) at it which isn't cheap.

Not true, if they turned off the client's port it wouldn't get past their modem. If they nullrouted an external IP then the traffic wouldn't get routed anywhere on their network, and upstreams won't bill you if it doesn't hit your network.

-KuJoe


3 minutes ago, KuJoe said:

Not true, if they turned off the client's port it wouldn't get past their modem. If they nullrouted an external IP then the traffic wouldn't get routed anywhere on their network, and upstreams won't bill you if it doesn't hit your network.

Whatever they do, the data from the attacks still reaches them (the network which blocks the traffic), thus using their bandwidth. And there is nothing you can do to stop them from doing that.


5 minutes ago, lvh1 said:

Whatever they do, the data from the attacks still reaches them (the network which blocks the traffic), thus using their bandwidth. And there is nothing you can do to stop them from doing that.

Nope, not true at all. If you nullroute an IP address all traffic to that IP address gets dropped before it reaches your network (if your upstreams have the proper BGP communities in place which every single one should in 2016). As for stopping the source traffic, ISPs could easily disable network ports at their POPs/hubs to prevent the traffic from hitting their network.

-KuJoe
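As an added illustration of the nullroute KuJoe describes (this is example code, not anything posted in the thread): constructed flow records are summed per destination, and any address of ours that crosses a threshold gets a remotely triggered blackhole (RTBH) announcement tagged with the well-known BLACKHOLE community, which a cooperating upstream drops on before the traffic reaches the peering link. The prefixes, threshold, next-hop and ExaBGP-style command format are assumptions, and a real upstream may require its own provider-specific community instead.

```python
"""Added example: detect a flood against one of our own addresses and emit the
remotely triggered blackhole (RTBH) announcement KuJoe describes. The victim
/32 is advertised to the upstream tagged with the well-known BLACKHOLE
community (65535:666, RFC 7999), so the upstream drops that traffic before it
crosses the peering link. Flows, threshold, prefixes and next-hop are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

BLACKHOLE_COMMUNITY = "65535:666"               # RFC 7999 well-known value
OUR_PREFIXES = [ip_network("203.0.113.0/24")]   # assumed: space we originate
PPS_THRESHOLD = 1_000_000                       # assumed per-destination trigger

def parse_flow(line):
    """Parse a constructed flow record 'src dst pps' into typed fields."""
    src, dst, pps = line.split()
    return ip_address(src), ip_address(dst), int(pps)

def victims(flow_lines, threshold=PPS_THRESHOLD):
    """Sum packets/s per destination and return our addresses over threshold.

    Keying on the destination is what makes this workable against a botnet:
    the sources are too many to filter one by one, but the target is a single
    known address."""
    totals = defaultdict(int)
    for line in flow_lines:
        _src, dst, pps = parse_flow(line)
        totals[dst] += pps
    hits = [(str(dst), pps) for dst, pps in totals.items()
            if pps >= threshold and any(dst in net for net in OUR_PREFIXES)]
    return sorted(hits)

def rtbh_announcement(victim_ip, next_hop="192.0.2.1"):
    """Build an ExaBGP-style API line for the upstream BGP session (assumed
    format). Only the /32 is blackholed so the rest of the prefix stays up;
    the trade-off is that this host is unreachable via that upstream until
    the route is withdrawn, so it must be paired with a withdraw step."""
    host = ip_network(f"{victim_ip}/32")
    return (f"announce route {host} next-hop {next_hop} "
            f"community [{BLACKHOLE_COMMUNITY}]")

# Constructed sample flow records: 'src dst packets_per_second'
SAMPLE_FLOWS = [
    "198.51.100.7 203.0.113.10 600000",
    "198.51.100.8 203.0.113.10 500000",
    "198.51.100.9 203.0.113.20 1200",      # normal traffic, below threshold
    "198.51.100.9 192.0.2.55 5000000",     # not our space: ignored
]

if __name__ == "__main__":
    for ip, pps in victims(SAMPLE_FLOWS):
        print(f"# {ip} at {pps} pps -> {rtbh_announcement(ip)}")
```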


50 minutes ago, VerticalDiscussions said:

Like, how are defensive mechanisms not able to block this crap? Someone just waste 500 million $ on security ffs. :P

It's impossible to really do so because of the "distributed" part, where hundreds of thousands of compromised devices are used in massive botnets. There's no way to distinguish any of this traffic from legitimate traffic, so most providers just try to soak the cost of bandwidth and hope the attack goes away, or pass on the cost to the victim, who then has to decide whether to take their site offline because they can't afford it.


There's unfortunately no real defense as of yet because of the way the internet works and how these botnets operate.


26 minutes ago, lvh1 said:

Well even if they block the traffic, the traffic is still using up the bandwidth. Only defense to these kinds of attacks is throwing more bandwidth (and thus hardware) at it which isn't cheap.

Not so much.


https://en.m.wikipedia.org/wiki/DDoS_mitigation

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


2 hours ago, Sauron said:

As usual, a bunch of retards causing worldwide damage.

I mean, it takes a lot of planning to stage attacks like this; you have to understand how DNS works for a particular area. Attacks like these have been happening a lot, and some security experts say this is part of a larger probing mission to find weak spots in the Internet's core mechanics so they can damage them.


1 hour ago, vorticalbox said:

That's exactly what he said: the only way to handle them is to increase bandwidth and apply filters.

Quote

This is done by passing network traffic addressed to the attacked network through high-capacity networks with "traffic scrubbing" filters.


2 hours ago, vorticalbox said:

I was talking about the 'high-capacity networks' as quoted in the article being overloaded. Because you know, those have limits as well. But I'm not sure if that was the case for this attack. Probably not, since that would require an immense amount of data.


That refers to mitigation by the target. Of course it would be more cost-effective to stop it at the ISP, but that requires cooperation, because if it is distributed enough, traffic through each ISP isn't enough to notice and they can't tell an attack is even going on. For the same reason, there isn't much of an incentive to cooperate because it isn't costing them much money.


1 hour ago, tlink said:

I mean, it takes a lot of planning to stage attacks like this; you have to understand how DNS works for a particular area. Attacks like these have been happening a lot, and some security experts say this is part of a larger probing mission to find weak spots in the Internet's core mechanics so they can damage them.

And to what end? Being a douchebag to someone they don't like. So mature.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


20 minutes ago, Sauron said:

And to what end? Being a douchebag to someone they don't like. So mature.

This could very well be state-sponsored attacks; I don't think you understand the impact attacks like these have. You can literally cripple a business if you want to, without any way of protecting yourself beyond just throwing more hardware at it, and if it's executed well they could even shut down parts of the Internet backbone, essentially shutting down parts of the Internet until they get back online. The Internet is really badly optimized and caching is not done at the rate it should be. At least 75% of the requests to root DNS servers are unnecessary. This is not just some kid playing 1337 hacker; there is a lot of money behind this. Imagine what the impact would be if someone shut down major American stock markets for a day.


4 hours ago, KuJoe said:

The problem is that it's profitable to let these attacks continue while it's expensive to deal with the problem. ISPs don't seem to care anymore as long as the owners of the infected devices continue to pay their bills and don't download any pirated content. The data centers that allow these attacks to leave their networks and host the C&Cs for them don't care because they're getting a nice chunk of change to host them and protect the people running them. A lot of these attacks could be dealt with by ISPs and data centers but then the clients would complain about being throttled or spied on depending on how they handle it. Back in the day if a device on your network was part of a botnet ISPs would throttle you or disable your modem until you fixed it (and after enough letters and warnings they would terminate your service), heaven forbid ISPs actually attempt to make the internet a better place.


4 hours ago, vorticalbox said:

I would like to point out that this particular botnet is the same one that performed the 620Gbps and ~1Tbps DDoS attacks last month. Most of the traffic is coming from East Asia as well, so hoping for a decent ISP to block it is... well, yeah, not likely, since almost zero of the traffic is traveling through US ISPs.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


32 minutes ago, Sauron said:

And to what end? Being a douchebag to someone they don't like. So mature.


16 minutes ago, tlink said:

This could very well be state-sponsored attacks; I don't think you understand the impact attacks like these have. You can literally cripple a business if you want to, without any way of protecting yourself beyond just throwing more hardware at it, and if it's executed well they could even shut down parts of the Internet backbone, essentially shutting down parts of the Internet until they get back online. The Internet is really badly optimized and caching is not done at the rate it should be. At least 75% of the requests to root DNS servers are unnecessary. This is not just some kid playing 1337 hacker; there is a lot of money behind this. Imagine what the impact would be if someone shut down major American stock markets for a day.

I'm 99% sure that it's state-sponsored. Which state, that's to be decided. But the obvious leads are Russia and China. I'm not really sure what China has to gain from potentially sabotaging one of their biggest 'customers,' so for me, Russia seems more likely. But that's not to discount other 'rogue' states like North Korea or Iran even. Hell, it could even be the US trying to make it just look like the Russians or Chinese. As @tlink said, this is far beyond little script-kiddies or the LOIC-using Anonymous h4xx0rs. I'll need to find some links, but there have been several security researchers/firms that have noticed 'probing' of internet defenses over the last few months/years. It seems like whoever it is is slowly ramping up/testing their capabilities. To what end? Nobody knows...maybe it's just people who want to see the world burn.


38 minutes ago, tlink said:

This could very well be state-sponsored attacks; I don't think you understand the impact attacks like these have. You can literally cripple a business if you want to, without any way of protecting yourself beyond just throwing more hardware at it, and if it's executed well they could even shut down parts of the Internet backbone, essentially shutting down parts of the Internet until they get back online. The Internet is really badly optimized and caching is not done at the rate it should be. At least 75% of the requests to root DNS servers are unnecessary. This is not just some kid playing 1337 hacker; there is a lot of money behind this. Imagine what the impact would be if someone shut down major American stock markets for a day.

But again - why?


1 hour ago, Sauron said:

But again - why?

Money, or a Mr. Robot trying to change the world. Anything else would be too random imo.


1 hour ago, valdyrgramr said:

Scripts do it for the lulz/credit.  Real hackers do it for many reasons!  Ability testing, vulnerability testing, anger, gain, and so on.   You'd have to ask the hacker what their motive was.

 

33 minutes ago, tlink said:

Money, or a Mr. Robot trying to change the world. Anything else would be too random imo.

So - nothing actually worth it.


Just now, Sauron said:


So - nothing actually worth it.

Dunno, how can we judge if it's worth it without knowing the actual goal and larger clockwork behind it? You seem too keen to judge.


1 minute ago, tlink said:

Dunno, how can we judge if it's worth it without knowing the actual goal and larger clockwork behind it? You seem too keen to judge.

I just find it hard to imagine something that would justify an act like this.

