
Second DDOS of Major Internet backbone underway, IoT botnet still to blame.

Pyrii
8 hours ago, DeadEyePsycho said:

I would like to point out that this particular botnet is the same one that performed the 620Gbps and ~1Tbps DDoS attacks last month. Most of the traffic is coming from East Asia as well, so hoping for a decent ISP to block it is... well, yeah, not likely, since almost zero of the traffic is traveling through US ISPs.

This is where something like Spamhaus' DROP list should come into play. The RIRs need to come together and develop something similar to help police the internet for these kinds of attacks AND for hijacked IP ranges. If the ISPs aren't able to take action, then there should be some governing body to force them to take action and protect other internet users. ISPs were able to stop the spam issue relatively easily and quickly once they realized how much it hurt their bottom line when their clients couldn't send e-mail after being listed on various RBLs; now we need something like this for IPs (and we need it implemented before IPv6 gets more widespread).

-KuJoe


9 hours ago, tlink said:

This could very well be state-sponsored attacks; I don't think you understand the impact attacks like these have. You can literally cripple a business if you want to, without any way of protecting beyond just throwing more hardware at it, and if it's executed well they could even shut down parts of the internet backbone, essentially shutting down parts of the internet until they get back online. The internet is really badly optimized and caching is not done at the rate it should be. At least 75% of the requests to root DNS servers are unnecessary. This is not just some kid playing 1337 hacker; there is a lot of money behind this. Imagine what the impact would be if someone shut down major American stock markets for a day.

I guess then the only question is who? But I guess it's probably hard to trace it back to a specific country, since there's quite a bit of complexity with the fact that it's using devices from all around the world.


22 minutes ago, KuJoe said:

This is where something like Spamhaus' DROP list should come into play. The RIRs need to come together and develop something similar to help police the internet for these kinds of attacks AND for hijacked IP ranges. If the ISPs aren't able to take action, then there should be some governing body to force them to take action and protect other internet users. ISPs were able to stop the spam issue relatively easily and quickly once they realized how much it hurt their bottom line when their clients couldn't send e-mail after being listed on various RBLs; now we need something like this for IPs (and we need it implemented before IPv6 gets more widespread).

In some countries, DoS attacks are considered legitimate forms of protest, as they are similar to a sit-in protest. At least with this botnet, the major issue is that companies don't even consider security when developing their cameras and IoT devices. I would argue that almost all connected cameras are vulnerable.


5 minutes ago, DeadEyePsycho said:

In some countries, DoS attacks are considered legitimate forms of protest, as they are similar to a sit-in protest. At least with this botnet, the major issue is that companies don't even consider security when developing their cameras and IoT devices. I would argue that almost all connected cameras are vulnerable.

I understand that, but being forced into a "protest" should be illegal. ISPs should be blocking commonly abused ports like they do for SMTP. How is it that in 2016 they still don't block ports 53 and 161 by default? DNS and SNMP amplification attacks have been around for a while at this point, and anybody who is running a DNS server at home or monitoring SNMP remotely can change the port and probably has the knowledge to whitelist IPs on their firewall. The IoT manufacturers definitely need to fix the problem on their end, but the ISPs can take steps to protect their clients from being involved in these types of attacks.

-KuJoe


It's about time this shit started. Now maybe we can force corporations to take responsibility for all that data they've been drooling over, by requiring them to put more than a token effort into securing their shit.

Make them liable in civil court for damages caused by not securing their products properly, and shit will change. This needs to apply not only to a device, but to the user data stored on a device as well as on their servers.


7 hours ago, KuJoe said:

I understand that, but being forced into a "protest" should be illegal. ISPs should be blocking commonly abused ports like they do for SMTP. How is it that in 2016 they still don't block ports 53 and 161 by default? DNS and SNMP amplification attacks have been around for a while at this point, and anybody who is running a DNS server at home or monitoring SNMP remotely can change the port and probably has the knowledge to whitelist IPs on their firewall. The IoT manufacturers definitely need to fix the problem on their end, but the ISPs can take steps to protect their clients from being involved in these types of attacks.

That is a shitton of manual work. How would you determine if someone is forced to protest? That is stuff you can't handle with an AI.


I'm just glad I sold my PlayStation and no longer depend on PSN for gaming.


3 hours ago, tlink said:

That is a shitton of manual work. How would you determine if someone is forced to protest? That is stuff you can't handle with an AI.

It's extremely simple to implement, and the vast majority of ISPs already do it today: they block port 25 without an issue, and anybody who wants to send e-mail from their home ISP can easily use any of the other ports not blocked. The reason port 25 is blocked is because it's the most commonly hijacked port, because spammers don't bother with TLS/SSL. If somebody wants to DoS attack as a form of protest, they surely aren't doing it through amplification attacks, since they could just as easily send more packets out themselves or use something like LOIC.

-KuJoe


2 hours ago, KuJoe said:

It's extremely simple to implement, and the vast majority of ISPs already do it today: they block port 25 without an issue, and anybody who wants to send e-mail from their home ISP can easily use any of the other ports not blocked. The reason port 25 is blocked is because it's the most commonly hijacked port, because spammers don't bother with TLS/SSL. If somebody wants to DoS attack as a form of protest, they surely aren't doing it through amplification attacks, since they could just as easily send more packets out themselves or use something like LOIC.

Yes, but that is just putting a band-aid over a shredded artery. The underlying security risk is still there and will probably just migrate to another port. The only real way to stop them is by recognizing DDoS attacks and blocking them, but since DDoS can be a way of protest you need to define what is machined and what is manual, and that is something an AI can't handle.


The concept of having a smart lightbulb just for the sake of switching the lights on or off with a mobile phone, and having this fucking lightbulb completely compromise the entire local network, is absurd to me.


7 hours ago, tlink said:

Yes, but that is just putting a band-aid over a shredded artery. The underlying security risk is still there and will probably just migrate to another port. The only real way to stop them is by recognizing DDoS attacks and blocking them, but since DDoS can be a way of protest you need to define what is machined and what is manual, and that is something an AI can't handle.

There is an obvious footprint in these attacks; just like DNS and SNMP amplification attacks, an ISP can see the packet triggering these attacks and filter them out if they wanted to. ISPs rely on their clients to block these attacks, but the vast majority of clients don't use a firewall or even know they are part of the attack. If a client is participating in a DoS attack as a form of protest, they wouldn't be taking part in these amplification attacks, since they are the least efficient method of these attacks (set up X service, wait for somebody else to contact your service, send a small portion of your available packets to Y target that you did not select), not to mention the person participating in this "protest" doesn't even know the target, so that's not even a protest anymore if you don't know who you are protesting and why. If you want to participate in a protest, there are much better ways to do so, and ones that actually make the internet a better place. How many of these "protesters" actually hate LTT compared to the number of zombie devices being used to DDoS this website? My guess is less than 1%.

-KuJoe
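The "obvious footprint" KuJoe describes can be scored from plain flow records: a reflector answers a small query with a much larger reply, and the spoofed source of that query is the victim, so one victim address shows up behind many reflectors. The following is an added example written for this page, not code from the thread or from any ISP. It assumes flows as 6-tuples (src_ip, src_port, dst_ip, dst_port, bytes, packets), a simplification of what a NetFlow/IPFIX collector exports, and the sample records are constructed from documentation address space:

```python
"""Spot reflection/amplification traffic in UDP flow records.

Added example (not code from the forum post). Assumptions not from the page:
flows are 6-tuples (src_ip, src_port, dst_ip, dst_port, bytes, packets) as a
NetFlow/IPFIX collector might export them; the records below are constructed
with RFC 5737 documentation addresses.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (port -> name).
REFLECTOR_PORTS = {53: "DNS", 161: "SNMP", 123: "NTP"}

# Constructed sample: 203.0.113.10 is the spoofed victim address, 198.51.100.5
# and .7 are customer devices answering as reflectors, 198.51.100.9 is a
# resolver seeing ordinary client traffic from 192.0.2.20.
SAMPLE_FLOWS = [
    ("203.0.113.10", 5353, "198.51.100.5", 53, 6_400, 100),      # 100 x 64 B queries
    ("198.51.100.5", 53, "203.0.113.10", 5353, 320_000, 100),    # 100 x 3200 B answers
    ("203.0.113.10", 40000, "198.51.100.7", 161, 8_000, 100),    # 100 x 80 B GetBulk
    ("198.51.100.7", 161, "203.0.113.10", 40000, 480_000, 100),  # 100 x 4800 B replies
    ("192.0.2.20", 50001, "198.51.100.9", 53, 180, 3),           # normal lookups
    ("198.51.100.9", 53, "192.0.2.20", 50001, 600, 3),           # normal answers
]


def amplification_report(flows, min_ratio=10.0, min_response_bytes=10_000):
    """One finding per (reflector, service, victim) whose reply volume is both
    large and far bigger than the requests that triggered it."""
    request_bytes = defaultdict(int)   # (reflector, port, victim) -> bytes in
    response_bytes = defaultdict(int)  # (reflector, port, victim) -> bytes out
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dport in REFLECTOR_PORTS:
            request_bytes[(dst, dport, src)] += nbytes
        elif sport in REFLECTOR_PORTS:
            response_bytes[(src, sport, dst)] += nbytes

    findings = []
    for key, resp in response_bytes.items():
        req = request_bytes.get(key, 0)
        # No matching request seen (asymmetric routing or pure spoof):
        # treat the ratio as unbounded instead of dividing by zero.
        ratio = resp / req if req else float("inf")
        if resp >= min_response_bytes and ratio >= min_ratio:
            reflector, port, victim = key
            findings.append({
                "reflector": reflector,
                "service": REFLECTOR_PORTS[port],
                "victim": victim,
                "ratio": round(ratio, 1),
                "response_bytes": resp,
            })
    return sorted(findings, key=lambda f: f["response_bytes"], reverse=True)


def victims(flows, **thresholds):
    """Map each spoofed victim address to the number of distinct reflectors
    answering it; one address behind many reflectors is the DDoS signature."""
    per_victim = defaultdict(set)
    for f in amplification_report(flows, **thresholds):
        per_victim[f["victim"]].add(f["reflector"])
    return {victim: len(refl) for victim, refl in per_victim.items()}


if __name__ == "__main__":
    for finding in amplification_report(SAMPLE_FLOWS):
        print(finding)
    print(victims(SAMPLE_FLOWS))
```

On the constructed sample the two reflectors are flagged (ratios 60 and 50) while the ordinary resolver traffic, with a ratio near 3 and only 600 bytes of answers, is not. One caveat for the thread's argument: the reflector's ISP sees the asymmetric reply and can rate-limit or filter its customer's port 53/161, but the trigger packet itself carries the victim's address as its source, so the only place it can be dropped is at the edge of the network the spoofing hosts sit in (BCP 38 source-address validation).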


12 hours ago, KuJoe said:

There is an obvious footprint in these attacks; just like DNS and SNMP amplification attacks, an ISP can see the packet triggering these attacks and filter them out if they wanted to. ISPs rely on their clients to block these attacks, but the vast majority of clients don't use a firewall or even know they are part of the attack. If a client is participating in a DoS attack as a form of protest, they wouldn't be taking part in these amplification attacks, since they are the least efficient method of these attacks (set up X service, wait for somebody else to contact your service, send a small portion of your available packets to Y target that you did not select), not to mention the person participating in this "protest" doesn't even know the target, so that's not even a protest anymore if you don't know who you are protesting and why. If you want to participate in a protest, there are much better ways to do so, and ones that actually make the internet a better place. How many of these "protesters" actually hate LTT compared to the number of zombie devices being used to DDoS this website? My guess is less than 1%.

Yes, but the ISP is a gateway, not a gatekeeper. If we want to filter shit like this, then the consumer ISP is probably the worst solution.


1 minute ago, tlink said:

Yes, but the ISP is a gateway, not a gatekeeper. If we want to filter shit like this, then the consumer ISP is probably the worst solution.

Maybe we need the Spamhaus mobsters to start focusing on the zombies in the botnets, and then ISPs will get their act together like they did when they started getting their IP ranges on RBLs; no more port 25 on residential ISPs these days. It's a sad day when I'm suggesting Spamhaus as a solution for anything. :(

-KuJoe
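Both of KuJoe's Spamhaus posts (the DROP list earlier in the thread and the RBL comparison here) rest on the same mechanism: a published list of prefixes that a network operator applies at its border. The following is an added example written for this page, not code from the thread or from Spamhaus. It parses text in the DROP file format (one "CIDR ; SBL reference" per line, ';' starting a comment) and turns it into lookups and Linux blackhole routes; the list contents are constructed from documentation prefixes with made-up SBL numbers, and the emitted commands are iproute2 syntax, one way to "reroute to null":

```python
"""Check addresses against a Spamhaus DROP-style list and emit null routes.

Added example (not code from the forum posts or from Spamhaus). The list text
is constructed in the DROP file format ("CIDR ; SBL reference" per line, ';'
begins a comment) using documentation prefixes; the SBL numbers are made up.
"""
import ipaddress

SAMPLE_DROP = """\
; constructed sample in DROP format, not the real Spamhaus list
198.51.100.0/24 ; SBL000001
203.0.113.0/25 ; SBL000002
2001:db8:beef::/48 ; SBL000003
"""


def parse_drop(text):
    """Parse DROP-format text into {ip_network: sbl_reference}.

    Networks are parsed strictly, so a malformed line such as '203.0.113.1/25'
    (host bits set) raises instead of silently blackholing a different prefix
    than the list intended.
    """
    entries = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        body = body.strip()
        if not body:  # blank line or a line that is only a ';' comment
            continue
        entries[ipaddress.ip_network(body, strict=True)] = comment.strip()
    return entries


class DropList:
    def __init__(self, entries):
        # Longest prefix first, so an overlap resolves to the most specific entry.
        self._nets = sorted(entries.items(),
                            key=lambda kv: kv[0].prefixlen, reverse=True)

    def lookup(self, address):
        """Return (network, sbl_reference) covering the address, else None."""
        ip = ipaddress.ip_address(address)
        for net, ref in self._nets:
            if ip in net:  # False across IPv4/IPv6, so a mixed list is safe
                return net, ref
        return None

    def null_routes(self):
        """iproute2 commands that blackhole every listed prefix, IPv4 first."""
        ordered = sorted(self._nets, key=lambda kv: (kv[0].version, kv[0]))
        return [f"ip -{net.version} route replace blackhole {net}"
                for net, _ref in ordered]


if __name__ == "__main__":
    drop = DropList(parse_drop(SAMPLE_DROP))
    for probe in ("198.51.100.77", "203.0.113.200", "2001:db8:beef::1"):
        print(probe, "->", drop.lookup(probe))
    print("\n".join(drop.null_routes()))
```

Two points the thread glosses over: an RBL is consulted per message by a mail server, whereas a DROP-style list is applied to packets at the border, which is what "rerouting to null" means in practice; and a blackhole on a /24 silently cuts off every clean host in that prefix as well, which is why DROP is kept to ranges with no legitimate traffic and why a botnet-zombie list built the same way would need to be far more granular.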


7 minutes ago, KuJoe said:

Maybe we need the Spamhaus mobsters to start focusing on the zombies in the botnets, and then ISPs will get their act together like they did when they started getting their IP ranges on RBLs; no more port 25 on residential ISPs these days. It's a sad day when I'm suggesting Spamhaus as a solution for anything. :(

ISPs should deliver botnet filters for companies instead of blocking consumers from using their ports. Or maybe even a blacklisting system so IPs just get rerouted to null when they are known to be part of a botnet. I would rather have that than my ports getting locked because others shit me over.


1 hour ago, tlink said:

ISPs should deliver botnet filters for companies instead of blocking consumers from using their ports. Or maybe even a blacklisting system so IPs just get rerouted to null when they are known to be part of a botnet. I would rather have that than my ports getting locked because others shit me over.

See, I'd rather have my ports blocked, since port forwarding is so easy these days. Especially since Comcast gives out 4722366482869645213697 IPs to each client (a /32 of IPv4, a /56 of IPv6). Imagine what's going to happen when IPv6 becomes more commonplace and every device has a dedicated public IP address; there will be no NAT to save us. :(

 

EDIT: Or maybe a better compromise would be to have an "opt-in" option: block bad ports/packets by default, but if a customer actually needs to use the ports then let them request to have them opened.

-KuJoe
