40-Gbps DDoS Attacks Worry Even Tier-1 ISPs

sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.

let it collapse

Then perhaps we will fix some of the fundamental problems.

Re:let it collapse

nah we will just pay 700 billion to prop it up for a few months and let the next guy deal with it.

Re:let it collapse

The 700 billion would have been better spent setting up a Depression Era work force. After the bridge collapse in MN we've been hearing report after report about how the current infrastructure is falling apart around us. The electrical grid is rigged together worse than some college students' cars.

Suspend unemployment. (Anyone willing and able to work but cannot find a job). Start putting everyone to work doing something. Bus them to and from a work site up to X miles from your home.[0] Every major bridge that isn't going to make it gets the full 24/7 treatment. When one bridge is done. You move onto the next one. Everything trickles down. Every one of those workers is going to need food, haircuts, a trailer to live in (while at work). Trucking industry would pick back up doing loads of construction supplies. Domestic construction equipment manufacturers would need to up production Only other domestic MADE, no other equipment (Cat, Deere, etc). Build the roads to European standards (Autobahn and such).
Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.

It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.

[0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.

Re:let it collapse

I do wonder how effective that would be, my grandfather with in the CCC and was involved in building the Hoover dam.

Did this actually help with the depression?

Also they lost more than $700b, that was just the amount they needed to stay solvent. Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.

Re:let it collapse

Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.

Just to be clear...

First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.

Second, given the expectation of government bailout, it was no longer in the banks' self-interest to self-regulate, since they got to externalize the risk of bad investments. It's been known for years among financial circles that any bank failures big enough to potentially unhinge the economy would be prevented by government bailout. This information influenced lending decisions.

The simple fact of the matter is that top-level decision-makers at these financial institutions made decisions to maximize their bonuses, and those of their friends. Since the bonuses were not tied to long-term health of the company, the choices made were not optimized for long-term health of the company (or the economy as a whole). Any guilt over the negative repercussions was assuaged by the knowledge that the taxpayer would step in and bail them out.

Really, it was an investor's dream -- privatize the profits, socialize the risks.

Re:let it collapse

So when a small business employee gets into a car wreck on the job and accidentally kills somebody, the victim's family should be able to take not only all business assets, but the house and all personal assets of the owner?? Yeah, I can't see where that would cause any problems...

Re:let it collapse

Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.

It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.

[0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.

I hate to ruin your rant with what we call "facts", but the grid in the United States is not owned by private companies that you can just boss around from your ivory tower of uninformed tripe. It is an amalgamation of state-run and multi-state entities called ISOs (Independent System Operators) that both contract and coordinate with the transmission agencies in concert with privately-owned and state-owned generation assets to produce consistent and reliable power. A grid, in the strictest sense of the word, is a series of transmission lines, owned by multiple companies, that are interlinked and under the complete autonomy of the ISO. Nothing happens without the permission and direction of the ISO or FERC (and NERC as its enforcement arm). The grid is aging, but since the ultimate authority to direct replacement lies with both federal, state, and multi-state agencies, who precisely in your little world bears the fiscal burden?

May I suggest for your education:
http://www.ferc.gov/ [ferc.gov]
http://www.nerc.com/ [nerc.com]

And for ISOs:
http://www.ercot.com/ [ercot.com]
http://www.caiso.com/ [caiso.com]
http://www.nyiso.com/public/index.jsp [nyiso.com]
http://www.pjm.com/index.jsp [pjm.com]
http://www.midwestiso.org/home [midwestiso.org]

Find the one that serves your area, and berate them with your uninformed bile since you obviously understand all of this better than anyone else.

Or do you?

Re:let it collapse

100% Absolute Bull Shit. Name 1 manufacturer that does this.

I work for Caterpillar. (You know, Construction Equipment). I've been on the factory tours. I've SEEN a Bulldozer come together from front to end. I can't speak for every component and I'm sure that some parts come from China or elsewhere. But a chunk of the product is made right here built by American Workers. I've seen the robots cutting the plate steel out and people welding it together

Bulldozers/Pipe Layers (Track Type Tractors) are built in East Peoria, IL.
Large Mining Trucks, Motor Graders are built in Decatur, IL.
Hydraulic Excavators and Large Wheel Loaders are built in Aurora, IL.
Skid steers, Backhoes are in South Carolina. (At will factory).
Engines are built in Lafayette, IN, Mossville, IL and Greenville, SC. (Only Mossville is Union).
Paving equipment is in MN.
Underground mining equipment is in Australia.

And there are factories all around the world, Belguim, France, England, India, etc. (Ever figure the shipping on a multi-ton vehicle)

John Deere is in Moline, IA.

Go on a road trip sometime. Name a Chinese Manufacturer. Kumatsu and Mitsubishi and Japanese. JCB is British, Samsung is Korean. There are no (yet) big manufactures in China.

Construction equipment is a tool. And just like with hand tools you can go to Harbor Freight or you can go to Snap-On. For some people Harbor Freight is fine. But if you run something 24/7, 365 and every hour costs you thousands of downtime. You don't go cheap.

I know this is slashdot, but try not to talk out of your ass so much.

Re:let it collapse

John Deere is in Moline, IA.

Moline, IL

across the river from IA

Re:let it collapse

I agree. They just scraped an old WPA bridge near my home,not because it was unsafe,but because it was built in the time of single lane back roads and with all the trucks they needed a two lane bridge. That thing was built like a tank and had needed almost no maintenance in the nearly 80 years it stood. Most of the bridges here in AR,along with a lot of the electric and water lines were originally WPA,and really changed folks lives for the better in these rural states.

So why not a WPA now to not only fix the crumbling roads,but to build us a new national broadband infrastructure for future generations? We could cut the ranks of the unemployed and lay fiber throughout the country,from the most urban to the most rural. And since it would be owned by We,The People we could lease it out to the telecos and have us some actual free market competition for a change. Wouldn't that be nice? Oh,BTW,it isn't 700 billion,that was just smoke up your butt. The actual number so far is 2 trillion! [bloomberg.com] and they refuse to even tell us where the money went. You know,OUR money,that our great great grandkids will be paying for? You just have to love the brilliance of putting Wall Street insiders in charge of bailing out Wall Street.

Re:let it collapse

No matter what you call it, it's still a problematic idea as countries that already follow that model can attest.
In germany, for example, you can go roughly 2 years on welfare (if you have been in a job for at least 2 years before) before they start sticking you into "1 EUR jobs".
An 1 EUR job, as the name tells, pays 1 EUR per hour. And you have to take whatever job they give you.

The idea is that people who are forced to work for low wage will quickly become very interested in finding a *real* job (why work your ass off for 1 EUR when can you make more for the same work in a real job?).

The problems are manyfold:

1. Many people are simply underqualified and won't find a job no matter how hard they try. The 1-EUR-model basically turns into slave labor for them.

2. Many people *are* reasonably qualified but still don't find a job in their profession.

3. 1-EUR jobs now seriously compete with normal low-wage jobs such as cleaning, callcenters etc. Why should a company pay minimum wage when it can request workers for almost free from the government?

4. At least in germany this has opened the gates for a lot of shady companies (really borderline slave-labor there) that abuse the system in various "funny" ways, squeezing the last bit of profit out of them poor souls at the bottom of the food chain.

IMHO we have a totally unsolved problem here that nobody has dared tackling so far. The demand for low-skilled workers is declining to critical levels in the western world (because of automation and because outsourcing is cheaper for the rest) and high-skill work can never nearly cover the whole population.

It has become a fact of life that any larger western country simply can not offer productive work to a significant part of the population. No matter how you spin it, we'll continue to subsidize these people in one way or another - unless we decide to let them die. Now while it is a legitimate desire to "want something back" from them for their subvention money I don't think *forcing* them can be the way to go.
It's not their fault that the society doesn't need them and I find it highly problematic to force someone to "work on a bridge" (completely outside their learned profession) for minimum wage while somebody else, possibly with similar qualifications but a better family name, makes millions on wall-street.

The current system kinda works (and has suppressed any tendencies towards civial war so far) because of the elevator effect. Once you start forcing people into minimum wage jobs on a large scale scale without offering any alternatives or escape routes you'll soon get just that: a revolution.

Re:let it collapse

We have exactly this discussion here in germany right now.
Germany is one of the last countries in europe that doesn't have a minimum wage and the slave labor lobby is trying hard to keep it that way.

I agree that a minimum wage should alleviate a large part of the immediate problem. But the bigger problem remains unchanged: We have more people than we have jobs.
The government can (and does) create artificial jobs by making people clean up parks or even repair bridges that would otherwise not be repaired - but that will always be a losing game. If these jobs would provide enough value to justify the cost then they'd already exist as regular jobs and there was no need to create them. Such "created" jobs are really just subventions in disguise and a tool to keep people busy so they don't start thinking.

The question is: For how much longer can the (steadily shrinking) productive portion of the population drag the (rapidly growing) non-productive part of the population along?
It doesn't matter much whether a non-productive worker is collecting welfare or is kept busy in a pseudo-job. The cost to society is almost the same.

I think therein lies the real crux that we're facing these days. Maybe the new messiah (err, obama) will finally at least acknowledge the problem so we can start looking for solutions.

what's scarier, or not

i can't decide, is the 40Gbps spike was related to fighting between criminal organizations. so its mollifying that this tool is so far only being used at such screaming proportions as turned on its creators:

The Arbor Networks researchers said a 40-gigabit attack took place this year when two rival criminal cybergangs began quarreling over control of an online Ponzi scheme. "This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals," the network operator wrote in a note on the attack.

the new york times had a good summary:

http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?partner=permalink&exprod=permalink [nytimes.com]

its notable that a lot of this potential is just sitting around, waiting for a chance to be used. if china goes to war with taiwan, or as when russia declared war on georgia, you will see/ saw these countries get DDosed off the face of the earth. that's the really worry: using DDos as a tool of war. the usa can sit around and wait until DDos used against vital government and civilian systems, or get ahead of the curve now

also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?

Re:what's scarier, or not

Back in the day (about a decade ago), you could "smurf" folks, which is a form of reflective amplification. The process was fairly simple: you'd ping a network's broadcast address with a packet spoofed to appear to come from your victim. At the time, most networks weren't filtering the broadcast traffic. As a result all the hosts on that network would respond to the ping. Back in the days of 14.4 modems, you could easily blow somebody offline while generating a very tiny volume of traffic.

---> ping (src: victim [spoofed], dest: broadcast address of large network)
<=== large number of icmp responses (src: addresses in large network, dest: victim)

I'd guess that the attack is similar in concept.

Re:what's scarier, or not

Well there are all sorts of neat tricks, but basically its the same.

First you get yourself a bunch of zombies, these can hammer away at whatever speed they got uplink - but instead of hitting the target directly you use BGP routers (hopefully most are now immune to this) and make ICMP packets claiming to be from your victim, this way the BGP routers will respond to the ping effectively making a reflected DDoS (RDDoS). The neat thing is its pretty hard to figure out where the traffic is coming from because you need to contact whoever administrates the BGP router - and you can't block the traffic since the BGP routers are kinda important for your connection(s).

Key comments

Useful quotes from the report:

• "Large Web mail operators like Google don't give a sh-- -- about spam originating from their networks because they know they are too large to be blacklisted. This causes significant pain."
• "Overall, law enforcement referrals dropped for the third year in a row." "We also asked respondents if they believe law enforcement has the power and/or means to act upon information provided by network operators. Only 21 percent said Yes, while nearly 64 percent said No".
• "The attack stopped only because the attacker was paid. The attacker remains at large and active. No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he'd launch the spoofed source DNS query. The DNS servers were all DNS servers open to recursion."

DO NOT WANT MORE SPAM!!!!

Skip the spam and just download directly here... http://www.arbornetworks.com/en/docman/worldwide-infrastructure-security-report-volume-iv-2008-/download.html [arbornetworks.com]

IPv6 and DDoS?

Have any studies been made with regards to DDoS attacks and IPv6. While at this point highly theoretical, would the differences in address range and lack of NATs reduce, increase or have no change on the risk?

If it's really that big a problem then...

...take them out.

The computers I mean. If it's that bad the zombies need to be killed off.

I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.

If I was in a position where I could press a button and wipe the MBR of every zombied computer on a gigantic botnet, I'm not sure if I would or not. Would you?

Great Explaination

Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat

The Kaminsky thing? The ISPs thought it was handled poorly? How ***the fuck*** should it have been handled then? The day they disclosed publicly that there was a vulnerability, nevermind that they didn't disclose the details, they had patches out for every major DNS server and any ISP who wanted to be patched could have been. WTF?

Scary stuff

This is terrifying.

So terrifying, in fact, that I fully support the rebuilding of the entire Internet by pseudo-Democratic countries like the United States, and large businesses such as General Electric and Monsanto.

We have to stop these faceless Internet terrorists once and for all!

Re:Welcome to the recession.

Except the economy is fake and "they" pull this recession bullshit every ten years or so.

you got quotation marks, but no point. please elaborate.

Obviously the Anti-Illuminati. You'd think "they" meant Illuminati, which is why it has to be the Anti-Illuminati. Unless "they" knew you'd think that...

Re:Frist POST FUCKKERRER

Where's my "-1, Epic Fail!" moderation option when I need it?

Re:Why isn't the insecurity of Windows mentioned?

It is often the elephant in the cubicle, but there's really nothing that most people can do. For anybody outside Microsoft, and most people inside it, it's kind of like a bad Supreme Court decision.

Now, suppose that all of these problems, all the spam and DDOSs, were due to Microsoft's incompetence, shortsightedness, and general desire to increase next quarter's profits while dooming civilization as we know it. (This isn't entirely true, of course.) Suppose that the top Microsoft execs believed they had to do something effective, or God was going to release everything Microsoft ever wrote under GPLv3.

They decide to get to work on a more secure OS. This will take a lot of rewriting, and they'll dump other features before they get it out the door. They decide to keep the eye candy intact, and give the RIAA and MPAA everything they want. They call it, for the sake of argument, Mojave. (Vista may not be ideal, but it has a lot more security built in than XP.)

Now, what do they do about older software? Most people and businesses have some software they rely on, which really won't work on a secure machine. The developers of Roller Blade Tycoon and The Sins had administrator accounts, after all, and that's what they tested on. Everybody took advantage of all the security holes, because it made it possible to get their stuff out the door a week sooner, at the expense of dooming civilization as we know it of course.

Ballmer thinks. He can't just enforce security, because nobody will buy Mojave. He can't leave all the holes there, or he gets Eric Raymond and Richard Stallman as permanent house guests. The only thing he can do is plug the holes, and let the users decide what they want to run under the Users Are Competent program.

At this point, the users notice that Mojave runs slower, and when they try to run their favorite game, Uncle Wiggley DDOSs WWW.Apple.Com, they have to click through all these boxes, which is annoying even to the multitudes who are completely trained to click OK on "See dancing pigs and doom civilization as we know it!" They start badmouthing Mojave, and stick to XP as much as they can. When they get Vista, the ones who know enough disable all those annoying little dialog boxes, and the rest just click through them to get them off the screen. "Hey, dancing pigs!"

So, regardless of what you think of Microsoft's bad security practices and shortsightedness, there's really very little they can do about the situation they helped create. We have to deal with the computers we have, not the ones we wish everybody had.

Re:Why isn't the insecurity of Windows mentioned?

Most Spam originates through incorrectly configured mail servers that allow mail relaying. In reality, it's much easier to leave on open relay on something like Sendmail on Unix than it probably is on Microsoft Exchange.

Did we just jump in back 5 (or more) years in time?

You are joking, right? Open relays have been oveshadowed by compromised destop machines as spam sources for a few years now. Plus, since SMTP MTAs tend to be on static IPs, the use of RBLs has effectively limited the reach of open relays as sources for any kind of email (SPAM or otherwise).