1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
> 3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
Null routing is usually applied to the targets of the attack, not the sources. If one of your IPs is getting attacked, you null route it, so upstream routers drop traffic instead of sending it to you.
> If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
How about we actually finally roll out IPv6 and bury CGNAT in the graveyard where it belongs?
Suddenly, everybody (ISPs, carriers, end users) can blackhole a compromised IP and/or IP range without affecting non-compromised endpoints.
And DDoS goes poof. And, as a bonus, we get the end to end nature of the internet back again.
From having worked on DDoS mitigation, there's pretty much no difference between CGNAT and IPv6. Block or rate limit an IPv4 address and you might block some legitimate traffic if it's a NAT address. Block a single IPv6 address... And you might discover that the user controls an entire /64 or whatever prefix. So if you're in a situation where you can't filter out attack trafic by stateless signature (which is pretty bad already), you'll probably err on the side of blocking larger prefixes anyway, which potentially affect other users, the same as with CGNAT.
Insofar as it makes a difference for DDoS mitigation, the scarcity of IPv4 is more of a feature than a bug.
Is there any money an ISP would make, or save, by sinking money and effort on switching to IPv6? If there's none, why would they act? If there is some, where?
For instance, mobile phone operators, which had to turn ISPs a decade or two ago, had a natural incentive to switch to IPv6, especially as they grew. Would old ISPs make enough from selling some of their IPv4 pools?
Some time ago I decided for our site to not roll out ipv6 due to these concerns. (a couple of million visitors per month) We have meta ads reps constantly encourage us to enable it which also do not sit right with me.
Although I belive fingerprinting is sofisticated enough to work without using ip's so the impact of using ipv6 might not be a meaningful difference.
> How about we actually finally roll out IPv6 and bury CGNAT in the graveyard where it belongs?
That depends on the service you are DDosing actually having an IPv6 presence. And lots of sites really don't.
It doesn't help if you have IPv6 if you need to fallback to IPv4 anyway. And if bot-net authors knows they can hide behind CGNAT, why would they IPv6 enable their bot-load when all sites and services are guaranteed to be reachable bia IPv4 for the next 3 decades?
I think there's some exaggeration as few $1 SoC parts come with 10G Ethernet, and >1G to the home is not common, but pretty much any home router can saturate its own uplink - it would be useless if it couldn't!
Haha that last part is pretty wild. rather than worrying about systemic problems in the entire internet let's just make mandates crippling devices that China, where all these devices are made, will defffinitely 100% listen to. Sure, seems reasonable. Systems that rely on the goodwill of the entire world to function are generally pretty robust, after all.
> I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
What about DDoSs that come from sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from. They'll point to whether your Mac really needs more than 100mbps.
The government is far more likely to figure it out along EU lines: Signed firmware, occasional reboots, no default passwords, mandatory security updates for a long-term period, all other applicable "common sense" security measures. Signed firmware and the sideloading ID requirements on Android also helps to prevent stalkerware, which is a growing threat far scarier than some occasional sideloaded virus or DDoS attack. Never assume sideloading is consensual.
>What about DDoSs that come from sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from.
any source for this claim? Outside of very specific scenarios which differ significantly for the current botnet market (like manjaro sending too many requests to the aur or an android application embedding an url to a wikipedia image) I cannot remember one occourence of such a bug being versatile enough to create a new whole cybercrime market segment.
>They'll point to whether your Mac really needs more than 100mbps.
it does, because sometimes my computer bursts up to 1gbps for a sustained amount of time, unlike the average iot device that has a predictable communication pattern.
>Signed firmware and the sideloading ID requirements on Android also helps to prevent stalkerware, which is a growing threat far scarier than some occasional sideloaded virus or DDoS attack. Never assume sideloading is consensual.
if someone can unlock your phone, go into the settings, enable installation of apps for an application (ex. a browser), download an apk and install it then they can do quite literally anything, from enabling adb to exfiltrating all your files.
Seems more likely that residential modems will be required to use ISP-provided equipment that has government mandated chips, firmware, etc to filter outbound traffic for DDoS prevention.
This is very challenging, in about one year the biggest recorded DDoS attack has increased from 5 Tbps to almost 30.
Almost all of the DDoS mitigation providers have been struggling for a few weeks because they just don't have enough edge capacity.
And normal hosting companies that are not focused on DDoS mitigation also seem to have had issues, but with less impact to other customers as they'll just blackhole addresses under larger attacks. For example, I've seen all connections to / from some of my services at Hetzner time out way more frequently than usual, and some at OVH too. Then one of my smaller hosting providers got hit with an attack of at least 1 Tbps which saturated a bunch of their transit links.
Cloudflare and maybe a couple of the other enterprise providers (Gcore?) operate at a large enough scale to handle these attacks, but all the smaller ones (who tend to have more affordable rates and more application-specific filters for sensitive applications that can't deal with much leakage) seem to be in quite a bad spot right now. Cloudflare Magic Transit pricing supposedly starts at around $4k / month, and it would really suck if that became the floor for being able to run a non-HTTP service online.
Something like Team Cymru's UTRS service (with Flowspec support) could potentially help to mitigate attacks at the source, but residential ISPs and maybe the T1s would need to join it, and I don't see that happening anytime soon.
> “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
In the year 2025, we should understand that such devices are defective. They should become bricks and companies that continue to sell such defective merchandise should fail.
So they get to ship a dangerous device that harms innocent third parties because they cut corners, but we’re supposed to reward them by doing the work to secure the devices they couldn’t be bothered with?
I'd rather there be periodic DDoS attacks, than a locked-down highly-regulated internet. Don't forget that infamous Franklin quote, and what Stallman has been warning us about for the past few decades.
I can already see the authoritarians salivating every time something like this happens.
> I can already see the authoritarians salivating every time something like this happens.
Tinfoil hat theory says they do this intentionally so that the users demand stricter access willingly. Always better to have someone think it is their idea
Some people get very emotional about the games that they play and will pay to have them DDoSed because of something or someone they're angry about. Others just love to cause chaos and will happily buy a DDoS attack to screw other people over. They even get to watch the outcome in real-time because of streamers.
This is what I wonder. Must be fascinating to engineer such a massive distributed system, but at some point there’s no added value from another bazillion hosts in the network.
I'd rather the industry standardizes on some sort of guest network and proxy/hub. It could even ship with hardware from ISPs. Separating the network buys you a lot of security, and running everything through a proxy makes it easier to inspect data and creates a standard hook for using abandonware.
Ehhh I can see it. The right attack at the right time could directly or indirectly kill people, and that’s ignoring the fact it can cause economic havoc.
Having the entire internet function on a “pay or be nuked” threshold that could easily get much worse if companies like cloudflare become less ethical (not that they’re saints).
I'm honestly kinda curious why nobody's blocking these IPs from sending data near the source.
Like, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
> “The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
ISPs are starting to feel the pain, so perhaps in the near future they will do something about it.
This does happen, but it seems to depend on the ISP. In the Netherlands I've seen ISPs block the internet connectivity when they've detected infected devices, sometimes they send a letter before blocking and some ISPs seem to dump your internet connection in a captive portal. In all these cases it's been enough to call the ISP after finding the problem and you're connected again minutes later.
Yes, you generally see this kind of thing start from the pain-feelers and move up the chain to the pain-causers.
So why hasn't that happened? These are clearly damaging to many, and ISPs are apparently doing next to nothing to prevent it, and it has been extremely clear for a while now that it's going to just become a bigger and bigger problem.
Are there ISPs that don't charge customers for the amount of bandwidth they consume? Even "unlimited" has been ruled by courts to not really mean "unlimited", after all.
A large part of the article is dedicated to this, noting how disruptive it is to other services and customers, and listing a few countermeasures (detection and blocking at the ISP level, detection and blocking at the router level, and educating customers on not buying vulnerable IoT trash).
Not really? At best it's "DDOS prevention sellers are having trouble" and "ISPs say they're doing fine". The vast majority of the article is talking about the various kinds of malware causing this, and how some have been "fixed" by stopping the individuals running it (which clearly doesn't work very well, new ones just fill the void).
Or this:
>“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
Uh. No. That's gross negligence if they are only starting to think about it now - the trend has been clear for over a decade, and the IoT threat has been obvious since day 1 and even blasted over public news for the past few years. Their status is pretty much only one of: incompetent, malicious, or they have had plans but haven't acted on them fast enough or strongly enough for [some reason], and that reason isn't something I've seen. Surprises happen, prevention costs money and time, and there are plenty of reasons why everyone isn't already prepared for everything, so I think "incompetent or malicious" is pretty rare.... but what are those reasons?
> They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.
Any device that participates in a DDOS needs to be recalled by the manufacturer, mandated by law. Make it potentially economically crippling to sell a vulnerable device, and security will be taken very seriously. Frivolous uses of tech, won't be worth the risk.
ISPs should be regulated to require alerting and disconnecting users with compromised devices.
Furthermore, device manufacturers should be regulated and held accountable for comprised devices. This also implies forbidding sale of noncompliant devices, which requires regulation of platforms and logistics supply chains to prevent counterfeit and dangerous goods from being sold.
This really is a function of two things:
1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
> 3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
Null routing is usually applied to the targets of the attack, not the sources. If one of your IPs is getting attacked, you null route it, so upstream routers drop traffic instead of sending it to you.
Sorry, late here. You are right. I mean filter the IP in question.
> If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
How about we actually finally roll out IPv6 and bury CGNAT in the graveyard where it belongs?
Suddenly, everybody (ISPs, carriers, end users) can blackhole a compromised IP and/or IP range without affecting non-compromised endpoints.
And DDoS goes poof. And, as a bonus, we get the end to end nature of the internet back again.
From having worked on DDoS mitigation, there's pretty much no difference between CGNAT and IPv6. Block or rate limit an IPv4 address and you might block some legitimate traffic if it's a NAT address. Block a single IPv6 address... And you might discover that the user controls an entire /64 or whatever prefix. So if you're in a situation where you can't filter out attack trafic by stateless signature (which is pretty bad already), you'll probably err on the side of blocking larger prefixes anyway, which potentially affect other users, the same as with CGNAT.
Insofar as it makes a difference for DDoS mitigation, the scarcity of IPv4 is more of a feature than a bug.
10 replies →
Is there any money an ISP would make, or save, by sinking money and effort on switching to IPv6? If there's none, why would they act? If there is some, where?
For instance, mobile phone operators, which had to turn ISPs a decade or two ago, had a natural incentive to switch to IPv6, especially as they grew. Would old ISPs make enough from selling some of their IPv4 pools?
5 replies →
I am a bit split this topic. There is some privacy concerns with using ipv6. https://www.rfc-editor.org/rfc/rfc7721.html#page-6
Some time ago I decided for our site to not roll out ipv6 due to these concerns. (a couple of million visitors per month) We have meta ads reps constantly encourage us to enable it which also do not sit right with me.
Although I belive fingerprinting is sofisticated enough to work without using ip's so the impact of using ipv6 might not be a meaningful difference.
3 replies →
Isn't it enough that the target of the DDOS only accepts ipv6?
Is it advantageous to be someone who supports IPv6 on a day like today?
> How about we actually finally roll out IPv6 and bury CGNAT in the graveyard where it belongs?
That depends on the service you are DDosing actually having an IPv6 presence. And lots of sites really don't.
It doesn't help if you have IPv6 if you need to fallback to IPv4 anyway. And if bot-net authors knows they can hide behind CGNAT, why would they IPv6 enable their bot-load when all sites and services are guaranteed to be reachable bia IPv4 for the next 3 decades?
(Disclaimer: This comment posted on IPv6)
> A $1 SoC can easily handle this these days.
Could you elaborate?
I think there's some exaggeration as few $1 SoC parts come with 10G Ethernet, and >1G to the home is not common, but pretty much any home router can saturate its own uplink - it would be useless if it couldn't!
1 reply →
Haha that last part is pretty wild. rather than worrying about systemic problems in the entire internet let's just make mandates crippling devices that China, where all these devices are made, will defffinitely 100% listen to. Sure, seems reasonable. Systems that rely on the goodwill of the entire world to function are generally pretty robust, after all.
If they don’t then the devices are not sold in the United States. It’s quite simple.
2 replies →
> I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
What about DDoSs that come from sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from. They'll point to whether your Mac really needs more than 100mbps.
The government is far more likely to figure it out along EU lines: Signed firmware, occasional reboots, no default passwords, mandatory security updates for a long-term period, all other applicable "common sense" security measures. Signed firmware and the sideloading ID requirements on Android also helps to prevent stalkerware, which is a growing threat far scarier than some occasional sideloaded virus or DDoS attack. Never assume sideloading is consensual.
> Signed firmware and the sideloading ID requirements
Ending the last corner of actually free market in software is quite a cost for something that wouldn't prevent DDoS.
> sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from
Is that actually true? What evidence do we have, vs. vulnerabilities in the OEM software (the more common case)?
>What about DDoSs that come from sideloaded, unofficial, buggy, or poorly written apps? That's what IoT manufacturers will point to, and where most attacks historically come from.
any source for this claim? Outside of very specific scenarios which differ significantly for the current botnet market (like manjaro sending too many requests to the aur or an android application embedding an url to a wikipedia image) I cannot remember one occourence of such a bug being versatile enough to create a new whole cybercrime market segment.
>They'll point to whether your Mac really needs more than 100mbps.
it does, because sometimes my computer bursts up to 1gbps for a sustained amount of time, unlike the average iot device that has a predictable communication pattern.
>Signed firmware and the sideloading ID requirements on Android also helps to prevent stalkerware, which is a growing threat far scarier than some occasional sideloaded virus or DDoS attack. Never assume sideloading is consensual.
if someone can unlock your phone, go into the settings, enable installation of apps for an application (ex. a browser), download an apk and install it then they can do quite literally anything, from enabling adb to exfiltrating all your files.
1 reply →
1gb upload is extraordinarily rare.
It’s not; most places that give you gigabit fiber will give you a symmetric connection.
14 replies →
Seems more likely that residential modems will be required to use ISP-provided equipment that has government mandated chips, firmware, etc to filter outbound traffic for DDoS prevention.
Sometimes the attack, or amplification, comes from the ISP-provided router and its bargain basement firmware.
Why should they be required to have hardware in their own network to filter that out when the ISP is obviously receiving all of their traffic anyway?
This is very challenging, in about one year the biggest recorded DDoS attack has increased from 5 Tbps to almost 30.
Almost all of the DDoS mitigation providers have been struggling for a few weeks because they just don't have enough edge capacity.
And normal hosting companies that are not focused on DDoS mitigation also seem to have had issues, but with less impact to other customers as they'll just blackhole addresses under larger attacks. For example, I've seen all connections to / from some of my services at Hetzner time out way more frequently than usual, and some at OVH too. Then one of my smaller hosting providers got hit with an attack of at least 1 Tbps which saturated a bunch of their transit links.
Cloudflare and maybe a couple of the other enterprise providers (Gcore?) operate at a large enough scale to handle these attacks, but all the smaller ones (who tend to have more affordable rates and more application-specific filters for sensitive applications that can't deal with much leakage) seem to be in quite a bad spot right now. Cloudflare Magic Transit pricing supposedly starts at around $4k / month, and it would really suck if that became the floor for being able to run a non-HTTP service online.
Something like Team Cymru's UTRS service (with Flowspec support) could potentially help to mitigate attacks at the source, but residential ISPs and maybe the T1s would need to join it, and I don't see that happening anytime soon.
> has increased from 5 Tbps to almost 30
That's nearly a pint, or over 2 daL!
I'm surprised that the best response to ddos is not blocking traffic, but just handling it.
Are there any practical ways to monitor my home network traffic and detect if any devices on my network are compromised?
Aren't cisco machines compromised by default by design? I imagine all of them are at this point. I wouldn't worry too much about it.
Not sure about monitoring, but I always put any device I don’t trust on a jailed LAN/AP.
A lot of home routers will give you a traffic graph - if yours doesn't you can either find one that does or flash/build one.
I currently run opnsense which has an ok graph out of the box, I haven't fiddled with it to see if there's something fancy I could do here.
I also used to use IPFire which was slightly clunkier but had a nicer usage graph.
Your ISP should give you a bandwidth usage meter.
Haha. My ISP barely gives me an Internet connection
1 reply →
> “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
In the year 2025, we should understand that such devices are defective. They should become bricks and companies that continue to sell such defective merchandise should fail.
Just wait 6 months, and the IoT vendor will go out of business and shut down the cloud servers which will effectively brick the device.
That may brick it for its intended use, but nothing's stopping a botnet from repurposing it.
1 reply →
How about some good old tort liability
Absolutely not. They should be patched and fixed.
So they get to ship a dangerous device that harms innocent third parties because they cut corners, but we’re supposed to reward them by doing the work to secure the devices they couldn’t be bothered with?
2 replies →
I'd rather there be periodic DDoS attacks, than a locked-down highly-regulated internet. Don't forget that infamous Franklin quote, and what Stallman has been warning us about for the past few decades.
I can already see the authoritarians salivating every time something like this happens.
> I can already see the authoritarians salivating every time something like this happens.
Tinfoil hat theory says they do this intentionally so that the users demand stricter access willingly. Always better to have someone think it is their idea
Big botnet has nothing better to do than DDoS Minecraft servers?
…to sell ddos protection to the minecraft server admins, basically extortion.
what about as an demonstration of their capabilities for someone else?
1 reply →
Same happens to our online game: https://news.ycombinator.com/item?id=28675094. Not sure what it is about online games that attracts DDoSes.
Some people get very emotional about the games that they play and will pay to have them DDoSed because of something or someone they're angry about. Others just love to cause chaos and will happily buy a DDoS attack to screw other people over. They even get to watch the outcome in real-time because of streamers.
This is what I wonder. Must be fascinating to engineer such a massive distributed system, but at some point there’s no added value from another bazillion hosts in the network.
I guess if they go after bigger targets they draw unwanted attention? Seemed odd to me too.
Seems pretty clear that the US needs strict regulation on any device connecting to the internet.
* no default password * * no login if not on the local wifi or wired ethernet *
I'd rather the industry standardizes on some sort of guest network and proxy/hub. It could even ship with hardware from ISPs. Separating the network buys you a lot of security, and running everything through a proxy makes it easier to inspect data and creates a standard hook for using abandonware.
Many manufacturers are already moving there of their own accord. I really don't think we'd need some legislation to fix this problem.
Ehhh I can see it. The right attack at the right time could directly or indirectly kill people, and that’s ignoring the fact it can cause economic havoc.
Having the entire internet function on a “pay or be nuked” threshold that could easily get much worse if companies like cloudflare become less ethical (not that they’re saints).
I'm honestly kinda curious why nobody's blocking these IPs from sending data near the source.
Like, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
> “The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
ISPs are starting to feel the pain, so perhaps in the near future they will do something about it.
Perhaps, or perhaps not. Maybe if we held them accountable they would?
This does happen, but it seems to depend on the ISP. In the Netherlands I've seen ISPs block the internet connectivity when they've detected infected devices, sometimes they send a letter before blocking and some ISPs seem to dump your internet connection in a captive portal. In all these cases it's been enough to call the ISP after finding the problem and you're connected again minutes later.
There's no economic incentive for YOU (as the proximate ISP) to do anything about it, it would cost money, and cost you customers.
Any idea why they don't fix it?
Yes, you generally see this kind of thing start from the pain-feelers and move up the chain to the pain-causers.
So why hasn't that happened? These are clearly damaging to many, and ISPs are apparently doing next to nothing to prevent it, and it has been extremely clear for a while now that it's going to just become a bigger and bigger problem.
6 replies →
Are there ISPs that don't charge customers for the amount of bandwidth they consume? Even "unlimited" has been ruled by courts to not really mean "unlimited", after all.
3 replies →
Of course there is. If you've got all your internet egress tied up with DDoS attacks from your network it is a big problem.
2 replies →
A large part of the article is dedicated to this, noting how disruptive it is to other services and customers, and listing a few countermeasures (detection and blocking at the ISP level, detection and blocking at the router level, and educating customers on not buying vulnerable IoT trash).
Not really? At best it's "DDOS prevention sellers are having trouble" and "ISPs say they're doing fine". The vast majority of the article is talking about the various kinds of malware causing this, and how some have been "fixed" by stopping the individuals running it (which clearly doesn't work very well, new ones just fill the void).
Or this:
>“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
Uh. No. That's gross negligence if they are only starting to think about it now - the trend has been clear for over a decade, and the IoT threat has been obvious since day 1 and even blasted over public news for the past few years. Their status is pretty much only one of: incompetent, malicious, or they have had plans but haven't acted on them fast enough or strongly enough for [some reason], and that reason isn't something I've seen. Surprises happen, prevention costs money and time, and there are plenty of reasons why everyone isn't already prepared for everything, so I think "incompetent or malicious" is pretty rare.... but what are those reasons?
> They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.
Any device that participates in a DDOS needs to be recalled by the manufacturer, mandated by law. Make it potentially economically crippling to sell a vulnerable device, and security will be taken very seriously. Frivolous uses of tech, won't be worth the risk.
6 replies →
9gigsofram was prolific in the "Minecraft Server era" (2010-2016).
Source: Server Owner's Chat
Our smart homes are becoming dumb weapons in the wrong hands.
No evidence, just a wild guess, Aisuru might be tied to DDoS mitigation folks.
Isn't OVH known for offering relatively good anti-DDoS services? Why did they boot them?
ISPs should be regulated to require alerting and disconnecting users with compromised devices.
Furthermore, device manufacturers should be regulated and held accountable for comprised devices. This also implies forbidding sale of noncompliant devices, which requires regulation of platforms and logistics supply chains to prevent counterfeit and dangerous goods from being sold.
"A spokesperson for Comcast responded, 'Currently our network is not experiencing impacts and we are able to handle the traffic.'"
In other words, attacks coming from our own IP's are not our problem ¯\_(ツ)_/¯
This doesn't seem very loving.
[dead]
[flagged]