40-Gbps DDoS Attacks Worry Even Tier-1 ISPs
sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.
Welcome to the recession. (Score:2, Interesting)
...one says fewer resources, less management support, and increased workload.
Welcome to the recession. Please enjoy your stay.
what's scarier, or not (Score:5, Interesting)
i can't decide, is the 40Gbps spike was related to fighting between criminal organizations. so it's mollifying that this tool is so far only being used at such screaming proportions as turned on its creators:
the new york times had a good summary:
http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?partner=permalink&exprod=permalink [nytimes.com]
it's notable that a lot of this potential is just sitting around, waiting for a chance to be used. if china goes to war with taiwan, or as when russia declared war on georgia, you will see/saw these countries get DDoSed off the face of the earth. that's the real worry: using DDoS as a tool of war. the usa can sit around and wait until DDoS is used against vital government and civilian systems, or get ahead of the curve now
also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?
Re:what's scarier, or not (Score:5, Interesting)
Well there are all sorts of neat tricks, but basically it's the same.
First you get yourself a bunch of zombies, these can hammer away at whatever speed they got uplink - but instead of hitting the target directly you use BGP routers (hopefully most are now immune to this) and make ICMP packets claiming to be from your victim, this way the BGP routers will respond to the ping effectively making a reflected DDoS (RDDoS). The neat thing is it's pretty hard to figure out where the traffic is coming from because you need to contact whoever administrates the BGP router - and you can't block the traffic since the BGP routers are kinda important for your connection(s).
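The reflection described in the reply above looks, from the receiving end, like ICMP echo replies that answer no request the host ever sent. The following is an added example, not part of the thread, that flags such peers in a packet summary; the record layout, the 5-second reply window, the threshold and the sample addresses are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Icmp:
    ts: float        # capture time, seconds
    direction: str   # "out" or "in", relative to the monitored host
    peer: str        # remote address
    kind: str        # "echo-request" or "echo-reply"
    ident: int       # ICMP identifier
    seq: int         # ICMP sequence number

REPLY_WINDOW = 5.0   # assumption: how long a request we sent stays answerable

def unsolicited_replies(packets, window=REPLY_WINDOW):
    """Count, per peer, inbound echo replies that answer no request we sent."""
    pending = {}             # (peer, ident, seq) -> time the request left
    unsolicited = Counter()
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.peer, p.ident, p.seq)
        if p.direction == "out" and p.kind == "echo-request":
            pending[key] = p.ts
        elif p.direction == "in" and p.kind == "echo-reply":
            sent = pending.pop(key, None)   # each request is answered once
            if sent is None or p.ts - sent > window:
                unsolicited[p.peer] += 1
    return unsolicited

def likely_reflectors(packets, threshold=3):
    """Peers whose unsolicited reply count reaches the (assumed) threshold."""
    counts = unsolicited_replies(packets)
    return sorted(peer for peer, n in counts.items() if n >= threshold)

# Constructed sample (documentation address ranges), not captured traffic.
SAMPLE = (
    [Icmp(0.00, "out", "192.0.2.10", "echo-request", 7, 1),   # our own ping
     Icmp(0.02, "in", "192.0.2.10", "echo-reply", 7, 1),      # its answer
     Icmp(9.00, "in", "192.0.2.10", "echo-reply", 7, 1)]      # stray duplicate
    + [Icmp(1.0 + i / 10, "in", "198.51.100.1", "echo-reply", 0, i) for i in range(4)]
    + [Icmp(1.5 + i / 10, "in", "203.0.113.5", "echo-reply", 0, i) for i in range(3)]
)

if __name__ == "__main__":
    print(unsolicited_replies(SAMPLE))
    print(likely_reflectors(SAMPLE))
```

The answered ping is not counted, and the single stray duplicate stays below the threshold, so only the two peers sending a run of unrequested replies are reported.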
IPv6 and DDoS? (Score:5, Interesting)
Have any studies been made with regard to DDoS attacks and IPv6? While at this point highly theoretical, would the differences in address range and lack of NATs reduce, increase or have no change on the risk?
Re:let it collapse (Score:5, Interesting)
100% Absolute Bull Shit. Name 1 manufacturer that does this.
I work for Caterpillar. (You know, Construction Equipment). I've been on the factory tours. I've SEEN a Bulldozer come together from front to end. I can't speak for every component and I'm sure that some parts come from China or elsewhere. But a chunk of the product is made right here, built by American Workers. I've seen the robots cutting the plate steel out and people welding it together.
Bulldozers/Pipe Layers (Track Type Tractors) are built in East Peoria, IL.
Large Mining Trucks, Motor Graders are built in Decatur, IL.
Hydraulic Excavators and Large Wheel Loaders are built in Aurora, IL.
Skid steers, Backhoes are in South Carolina. (At will factory).
Engines are built in Lafayette, IN, Mossville, IL and Greenville, SC. (Only Mossville is Union).
Paving equipment is in MN.
Underground mining equipment is in Australia.
And there are factories all around the world, Belgium, France, England, India, etc. (Ever figure the shipping on a multi-ton vehicle?)
John Deere is in Moline, IA.
Go on a road trip sometime. Name a Chinese Manufacturer. Komatsu and Mitsubishi are Japanese. JCB is British, Samsung is Korean. There are no (yet) big manufacturers in China.
Construction equipment is a tool. And just like with hand tools you can go to Harbor Freight or you can go to Snap-On. For some people Harbor Freight is fine. But if you run something 24/7, 365 and every hour costs you thousands of downtime. You don't go cheap.
I know this is slashdot, but try not to talk out of your ass so much.
Re:let it collapse (Score:3, Interesting)
You seriously think the Mexicans who built your house went to college for it?
For that matter, you more than likely have been driving on bridges built by unskilled labor back in the 30's. They haven't collapsed on you yet it seems. And I guess the ole' Hoover dam is still there. Oh, and the Empire State Building, Pentagon, and hey, even the White House. Uh oh...
People are incompetent and lazy, but damn, you make them sound like they're all downright idiotic and unwilling to lift so much as a finger to save themselves.
If times get tough enough, even you might be willing to put down your mouse and pick up a shovel.
If it's really that big a problem then... (Score:5, Interesting)
The computers I mean. If it's that bad the zombies need to be killed off.
I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.
If I was in a position where I could press a button and wipe the MBR of every zombied computer on a gigantic botnet, I'm not sure if I would or not. Would you?
Re:If it's really that big a problem then... (Score:1, Interesting)
Heh, yeah good luck with that. Oldskool botnets weren't that hard, since they were controlled over IRC ... just /join the channel and work out the commands. Modern bots use public key encryption, custom p2p protocols, and most significantly they have no static central server: they move around constantly by means of election protocols, heartbeat monitoring and fast-flux DNS. In fact there are usually several tiers of roles which continually self-reorganise. Oh, and they detect attempts to probe them and DDoS you off the face of the earth.
Sure it's possible, but infiltrations of modern top-tier botnets are newsworthy for a reason. Even if mass-disinfection were possible it would be illegal under most jurisdictions, since your modifications are just as unauthorised as the infection. Getting permission across all those jurisdictions, with a moving target, is of course totally infeasible. For all intents and purposes the bad guys have won, and security researchers know it.
Re:let it collapse (Score:5, Interesting)
We have exactly this discussion here in Germany right now.
Germany is one of the last countries in Europe that doesn't have a minimum wage and the slave labor lobby is trying hard to keep it that way.
I agree that a minimum wage should alleviate a large part of the immediate problem. But the bigger problem remains unchanged: We have more people than we have jobs.
The government can (and does) create artificial jobs by making people clean up parks or even repair bridges that would otherwise not be repaired - but that will always be a losing game. If these jobs would provide enough value to justify the cost then they'd already exist as regular jobs and there would be no need to create them. Such "created" jobs are really just subventions in disguise and a tool to keep people busy so they don't start thinking.
The question is: For how much longer can the (steadily shrinking) productive portion of the population drag the (rapidly growing) non-productive part of the population along?
It doesn't matter much whether a non-productive worker is collecting welfare or is kept busy in a pseudo-job. The cost to society is almost the same.
I think therein lies the real crux that we're facing these days. Maybe the new messiah (err, Obama) will finally at least acknowledge the problem so we can start looking for solutions.