Forgot your password?
typodupeerror
Security The Internet

40-Gbps DDoS Attacks Worry Even Tier-1 ISPs 146

Posted by kdawson
from the isotropic-tsunami dept.
sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.
This discussion has been archived. No new comments can be posted.

40-Gbps DDoS Attacks Worry Even Tier-1 ISPs

Comments Filter:
  • let it collapse (Score:4, Insightful)

    by nurb432 (527695) on Tuesday November 11, 2008 @03:17PM (#25724403) Homepage Journal

    Then perhaps we will fix some of the fundamental problems.

    • by Anonymous Coward on Tuesday November 11, 2008 @03:18PM (#25724427)
      nah we will just pay 700 billion to prop it up for a few months and let the next guy deal with it.
      • Re: (Score:2, Informative)

        by Spazztastic (814296)

        nah we will just pay 700 billion to prop it up for a few months and let the next guy deal with it.

        I think realistically 700 billion could fix the internet in the entire US. It would make up for the 200 billion we lost a few years ago.* Not only that we could use it to help our friends to the north.

        * Article [webpronews.com], first one I found about it.

        • Re:let it collapse (Score:4, Insightful)

          by 0100010001010011 (652467) on Tuesday November 11, 2008 @03:58PM (#25724905)

          The 700 billion would have been better spent setting up a Depression Era work force. After the bridge collapse in MN we've been hearing report after report about how the current infrastructure is falling apart around us. The electrical grid is rigged together worse than some college students' cars.

          Suspend unemployment. (Anyone willing and able to work but cannot find a job). Start putting everyone to work doing something. Bus them to and from a work site up to X miles from your home.[0] Every major bridge that isn't going to make it gets the full 24/7 treatment. When one bridge is done. You move onto the next one. Everything trickles down. Every one of those workers is going to need food, haircuts, a trailer to live in (while at work). Trucking industry would pick back up doing loads of construction supplies. Domestic construction equipment manufacturers would need to up production Only other domestic MADE, no other equipment (Cat, Deere, etc). Build the roads to European standards (Autobahn and such).
          Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

          Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.

          It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.

          [0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.

          • Re: (Score:1, Insightful)

            by cdrguru (88047)

            Back in the 1930's when construction was done by strong backs and no skills, that would have worked. And it did. Today, bridges are built by specialists with training. You want to drive on a bridge that was welded with by someone that never used one before? No? Neither does anyone else. The age of unskilled strong backs has ended. And we are discovering just how that relates to the "knowledge economy" now.

            Face it, if everyone goes to college to learn how to be a "knowledge worker", who exactly will b

            • by Hatta (162192)

              Sure, I would like to see work camps replace welfare. If you are able-bodied you get nothing unless you are in a work camp doing something.

              Why does it have to be a camp? Mandatory labor in exchange for benefits is a good idea, but relocating 6-10% of the US population into camps is just crazy.

              • Mandatory labor in exchange for benefits is a good idea

                Is it? You'd end up with many people who would come to rely on that 'job' and what do you do when you run out of tasks, knowing the government, an already inefficient method of using workers would become a giant money sink as they try and find more tasks and labor. And how would this prepare someone for any career other than the modern equivalent of ditch digging? What of professionals? Are they expected to devote their time and energy to work in exchange for food and or money?

                • by Neoprofin (871029)
                  How are any of you objections any worse than the current system of giving people money for nothing?

                  Welfare and unemployment cost money, produce nothing tangible, and in most cases do nothing to prepare workers for anything they weren't prepared for beforehand.
                  • by Bert64 (520050)

                    And prisons are even more expensive than the unemployed...

                    Make prisoners do hard labor, and other jobs that noone else wants to do...
                    Make the unemployed work on less unpleasant tasks if they want to receive their benefits, that way the costs stay roughly the same but you can get some things done that would be economically infeasible otherwise due to labor costs.
                    Also don't bother with fancy expensive tools, if the job takes longer then so be it.

                    They could do things like cleaning public areas of litter and gr

            • Re:let it collapse (Score:5, Interesting)

              by 0100010001010011 (652467) on Tuesday November 11, 2008 @04:37PM (#25725463)

              100% Absolute Bull Shit. Name 1 manufacturer that does this.

              I work for Caterpillar. (You know, Construction Equipment). I've been on the factory tours. I've SEEN a Bulldozer come together from front to end. I can't speak for every component and I'm sure that some parts come from China or elsewhere. But a chunk of the product is made right here built by American Workers. I've seen the robots cutting the plate steel out and people welding it together

              Bulldozers/Pipe Layers (Track Type Tractors) are built in East Peoria, IL.
              Large Mining Trucks, Motor Graders are built in Decatur, IL.
              Hydraulic Excavators and Large Wheel Loaders are built in Aurora, IL.
              Skid steers, Backhoes are in South Carolina. (At will factory).
              Engines are built in Lafayette, IN, Mossville, IL and Greenville, SC. (Only Mossville is Union).
              Paving equipment is in MN.
              Underground mining equipment is in Australia.

              And there are factories all around the world, Belguim, France, England, India, etc. (Ever figure the shipping on a multi-ton vehicle)

              John Deere is in Moline, IA.

              Go on a road trip sometime. Name a Chinese Manufacturer. Kumatsu and Mitsubishi and Japanese. JCB is British, Samsung is Korean. There are no (yet) big manufactures in China.

              Construction equipment is a tool. And just like with hand tools you can go to Harbor Freight or you can go to Snap-On. For some people Harbor Freight is fine. But if you run something 24/7, 365 and every hour costs you thousands of downtime. You don't go cheap.

              I know this is slashdot, but try not to talk out of your ass so much.

              • Re:let it collapse (Score:4, Informative)

                by DrugCheese (266151) on Tuesday November 11, 2008 @05:34PM (#25726181)

                John Deere is in Moline, IA.

                Moline, IL

                across the river from IA

            • Re: (Score:3, Interesting)

              You seriously think the Mexicans who built your house went to college for it?

              For that matter, you more than likely have been driving on bridges built by unskilled labor back in the 30's. They haven't collapsed on you yet it seems. And I guess the ole' Hoover dam is still there. Oh, and the Empire State Building, Pentagon, and hey, even the White House. Uh oh...

              People are incompetent and lazy, but damn, you make them sound like they're all downright idiotic and unwilling to lift so much as a finger to save t

              • You seriously think the Mexicans who built your house went to college for it?

                You think they build 4 lane bridges in the off season?

            • by srussia (884021)

              But I think you would hear cries of "slavery" so much that the idea has no chance.

              Just call it "Universal Voluntary Public Service" then.

              • Re:let it collapse (Score:4, Insightful)

                by Kent Recal (714863) on Wednesday November 12, 2008 @01:47AM (#25730403)

                No matter what you call it, it's still a problematic idea as countries that already follow that model can attest.
                In germany, for example, you can go roughly 2 years on welfare (if you have been in a job for at least 2 years before) before they start sticking you into "1 EUR jobs".
                An 1 EUR job, as the name tells, pays 1 EUR per hour. And you have to take whatever job they give you.

                The idea is that people who are forced to work for low wage will quickly become very interested in finding a *real* job (why work your ass off for 1 EUR when can you make more for the same work in a real job?).

                The problems are manyfold:

                1. Many people are simply underqualified and won't find a job no matter how hard they try. The 1-EUR-model basically turns into slave labor for them.

                2. Many people *are* reasonably qualified but still don't find a job in their profession.

                3. 1-EUR jobs now seriously compete with normal low-wage jobs such as cleaning, callcenters etc. Why should a company pay minimum wage when it can request workers for almost free from the government?

                4. At least in germany this has opened the gates for a lot of shady companies (really borderline slave-labor there) that abuse the system in various "funny" ways, squeezing the last bit of profit out of them poor souls at the bottom of the food chain.

                IMHO we have a totally unsolved problem here that nobody has dared tackling so far. The demand for low-skilled workers is declining to critical levels in the western world (because of automation and because outsourcing is cheaper for the rest) and high-skill work can never nearly cover the whole population.

                It has become a fact of life that any larger western country simply can not offer productive work to a significant part of the population. No matter how you spin it, we'll continue to subsidize these people in one way or another - unless we decide to let them die. Now while it is a legitimate desire to "want something back" from them for their subvention money I don't think *forcing* them can be the way to go.
                It's not their fault that the society doesn't need them and I find it highly problematic to force someone to "work on a bridge" (completely outside their learned profession) for minimum wage while somebody else, possibly with similar qualifications but a better family name, makes millions on wall-street.

                The current system kinda works (and has suppressed any tendencies towards civial war so far) because of the elevator effect. Once you start forcing people into minimum wage jobs on a large scale scale without offering any alternatives or escape routes you'll soon get just that: a revolution.

            • by joeytmann (664434)
              Not all of them were unskilled workers. Probably a very minimal amount of guys were skilled. Lots of those guys had no clue how to weld or what not and were trained by the skilled workers. Guys that had could be trained as welders became welders, guys that could be trained to drive trucks, became truck drivers....etc. The same could be applied here. The guys willing to do more hazardous(high steel work/working with explosives) work got better pay. The guys doing inspections and the engineers(structural and
            • What welfare do you speak of? You realize the only people eligible for "welfare" TANF checks are single mothers, and then eligibility is limited to x number of months for life. It might be a bit difficult to run a work camp full of crying babies, but if you want... We also have a federal food stamp program, any citizen without income is eligible. Upon enrollment in the program you are required to either provide a doctors letter stating you are unable to work or participate in job placement programs.
            • by afidel (530433)
              Uh, most of those bridges welded by unskilled laborers with way less tech than is available today are still standing, in fact that's kind of the problem! We haven't really replaced those public works project era bridges despite the fact that they were past their expected lifetimes a generation ago.
              • by nwf (25607)

                I think you'll find that most of the really old bridges were riveted, not welded. Riveting isn't nearly as hard as welding 2 inch thick steel.

                • Re: (Score:3, Interesting)

                  by afidel (530433)
                  OK, so we rivet the new bridges. I still fail to see why we can't do what our great grandparents did with significantly lower levels of technology.
                • Re: (Score:2, Interesting)

                  by insllvn (994053)
                  Perhaps this is a stupid question, but could we go back to riveting? The bridges have held, and if it is cheaper/easier/more practical... well, it goes against my geeky instincts to say it, but not every endeavor needs the latest tech, so long as what is used is safe and workable.
                  • Re:let it collapse (Score:5, Interesting)

                    by hairyfeet (841228) <bassbeast1968@gma i l . com> on Tuesday November 11, 2008 @10:41PM (#25729107) Journal

                    I agree. They just scraped an old WPA bridge near my home,not because it was unsafe,but because it was built in the time of single lane back roads and with all the trucks they needed a two lane bridge. That thing was built like a tank and had needed almost no maintenance in the nearly 80 years it stood. Most of the bridges here in AR,along with a lot of the electric and water lines were originally WPA,and really changed folks lives for the better in these rural states.

                    So why not a WPA now to not only fix the crumbling roads,but to build us a new national broadband infrastructure for future generations? We could cut the ranks of the unemployed and lay fiber throughout the country,from the most urban to the most rural. And since it would be owned by We,The People we could lease it out to the telecos and have us some actual free market competition for a change. Wouldn't that be nice? Oh,BTW,it isn't 700 billion,that was just smoke up your butt. The actual number so far is 2 trillion! [bloomberg.com] and they refuse to even tell us where the money went. You know,OUR money,that our great great grandkids will be paying for? You just have to love the brilliance of putting Wall Street insiders in charge of bailing out Wall Street.

          • What is the point of ending unemployment if the point is to take money off those to work (producing useful goods) to pay those who don't to dig a whole and fill it again (create bubbles and lose client assets when they pop). All that needs to happen is for shitty institutions to fail and reallocate those people to useful enterprises (via market forces).

            • Re: (Score:3, Funny)

              by Anonymous Coward

              Libertarian once shat on my carpet. Said the free market would sort it out.

          • Re:let it collapse (Score:4, Informative)

            by Vancorps (746090) on Tuesday November 11, 2008 @04:16PM (#25725141)

            I do wonder how effective that would be, my grandfather with in the CCC and was involved in building the Hoover dam.

            Did this actually help with the depression?

            Also they lost more than $700b, that was just the amount they needed to stay solvent. Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.

            • Re:let it collapse (Score:5, Insightful)

              by Red Flayer (890720) on Tuesday November 11, 2008 @04:53PM (#25725683) Journal

              Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.

              Just to be clear...

              First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.

              Second, given the expectation of government bailout, it was no longer in the banks' self-interest to self-regulate, since they got to externalize the risk of bad investments. It's been known for years among financial circles that any bank failures big enough to potentially unhinge the economy would be prevented by government bailout. This information influenced lending decisions.

              The simple fact of the matter is that top-level decision-makers at these financial institutions made decisions to maximize their bonuses, and those of their friends. Since the bonuses were not tied to long-term health of the company, the choices made were not optimized for long-term health of the company (or the economy as a whole). Any guilt over the negative repercussions was assuaged by the knowledge that the taxpayer would step in and bail them out.

              Really, it was an investor's dream -- privatize the profits, socialize the risks.

              • Re: (Score:3, Insightful)

                by Hatta (162192)

                First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.

                All the more reason to eliminate corporations as an entity in the eyes of the law.

                • Re:let it collapse (Score:5, Insightful)

                  by Mister Whirly (964219) on Tuesday November 11, 2008 @07:36PM (#25727573) Homepage
                  So when a small business employee gets into a car wreck on the job and accidentally kills somebody, the victim's family should be able to take not only all business assets, but the house and all personal assets of the owner?? Yeah, I can't see where that would cause any problems...
                  • If the goal is just to allow small businesses to shield their owners from liability, an arrangement such as a limited-liability partnership (LLP) or limited-liability company (LLC) ought to suffice.

                  • by Bert64 (520050)

                    The same as if he gets into a car wreck while driving his own personal car...

                    A company cannot force you to do anything illegal, if they tell you to drive in an unsafe manner then you are legally required to refuse and potentially report them for making such an illegal request.
                    If on the other hand you chose to drive in an unsafe manner, then you are now breaking the law and if you cause an accident as a result should be duly punished.

                    But what the poster was talking about, was making those in charge of making

                  • by Hatta (162192)

                    No, the employee should be responsible for his own actions.

              • by afidel (530433)
                So what you're saying is Greenspan made the same mistake Marx did and forgot that the one immutable fact when dealing with humans is that they are greedy? Yep, that sounds about right for a theoretical economist =)
                • by nwf (25607)

                  So what you're saying is Greenspan made the same mistake Marx did and forgot that the one immutable fact when dealing with humans is that they are greedy?

                  Not to mention lazy, selfish and not in possession of the perfect knowledge economists so often like to claim the markets operate with. Fact is, only a few have the knowledge and they use it to get rich, i.e. business leaders and Wall Street bankers. They knew they were in trouble, but voted themselves huge bonuses because they had the knowledge others didn't: the good times were about to end.

            • Re:let it collapse (Score:4, Insightful)

              by mcrbids (148650) on Wednesday November 12, 2008 @03:13AM (#25730817) Journal

              Did this actually help with the depression?

              Yes, but not right away. There's a very strict limit to how much "economy" the government can directly fund.

              But the bridges and roads built during the 30's depression are the infrastructure that the automotive boom of the 1950's was based upon. Much more was built in the 1950s and 1960s, along with an extensive power grid, telephone system, and power plants, nuclear and otherwise. Many of these freeways, highways, power lines, and power plants remain today, gridlocked or overloaded, essentially the same as they were in 1965. For 40 years, we've been milking the massive infrastructure built during an era of the United States when we were boldly looking forward.

              If we don't start looking forward again soon, our aging infrastructure will continue to crumble and groan under the burden of our much larger population. We blow 700 billion bailing out a bunch of white guys who were caught feeding at the trough of the public good, while other nations spend a similar amount remaking themselves into super powers [canucks.com].

              Tisk tisk. We should be spending 700 billion on rebuilding bridges, roads, power lines, and green energy. We could be energy independent in just 10 years if we pushed it, and the cost of doing so would create a strong economic and political power base for the United States for generations to come.

              Every day we don't, we squander the strength our fathers left for us. We should return the favor for our progeny.

          • Re: (Score:1, Flamebait)

            by MasterOfMagic (151058)

            You assume the people in Congress care about the Joe the Plumbers of the world with no money and no job instead of the wealthy Wall Street contributors. Who's going to make sure that filthy lucre flows into the machine coffers and the re-election funds? Certainly not Joe who has no job, no healthcare, and no future. So take the tribute that your citizens pay you in income taxes and give it to your Wall Street friends who, like all good money launderers, will take some off the top and return the rest in k

          • by Deadplant (212273)

            We could get all those welfare recipients filling sand bags and use the sand bags hold back the DDOS packet floods.

            Better yet we could send this army of untrained workers into peoples homes to clean the trojans from their windows boxen.

            I think we can all agree that the final solution will of course be to use them for food. Soylent green!

          • Re:let it collapse (Score:5, Informative)

            by agrounds (227704) on Tuesday November 11, 2008 @04:54PM (#25725691)

            Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

            Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.

            It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.

            [0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.

            I hate to ruin your rant with what we call "facts", but the grid in the United States is not owned by private companies that you can just boss around from your ivory tower of uninformed tripe. It is an amalgamation of state-run and multi-state entities called ISOs (Independent System Operators) that both contract and coordinate with the transmission agencies in concert with privately-owned and state-owned generation assets to produce consistent and reliable power. A grid, in the strictest sense of the word, is a series of transmission lines, owned by multiple companies, that are interlinked and under the complete autonomy of the ISO. Nothing happens without the permission and direction of the ISO or FERC (and NERC as its enforcement arm). The grid is aging, but since the ultimate authority to direct replacement lies with both federal, state, and multi-state agencies, who precisely in your little world bears the fiscal burden?

            May I suggest for your education:
            http://www.ferc.gov/ [ferc.gov]
            http://www.nerc.com/ [nerc.com]

            And for ISOs:
            http://www.ercot.com/ [ercot.com]
            http://www.caiso.com/ [caiso.com]
            http://www.nyiso.com/public/index.jsp [nyiso.com]
            http://www.pjm.com/index.jsp [pjm.com]
            http://www.midwestiso.org/home [midwestiso.org]

            Find the one that serves your area, and berate them with your uninformed bile since you obviously understand all of this better than anyone else.

            Or do you?

            • he grid is aging, but since the ultimate authority to direct replacement lies with both federal, state, and multi-state agencies, who precisely in your little world bears the fiscal burden?

              The same people that would for the $700b bailout. I didn't say I *wanted* to pay for it. I just said I thought it would be a better option than throwing money at AIG.

              And building a new damn probably requires the input from dozens of state, local and federal regulators and bodies, but somehow the Hoover Dam got built.

              • Re: (Score:3, Funny)

                by agrounds (227704)

                I didn't say I *wanted* to pay for it. I just said I thought it would be a better option than throwing money at AIG.

                To be fair, using it to line the litterbox at my house is a better option than AIG.

          • Re: (Score:1, Flamebait)

            by Bryansix (761547)
            You know the part about the Electric Company is funny and ignorant. In California they "Deregulated" the industry. But they didn't really deregulate it because their plan failed and they shot themselves in the foot. By "they" I mean the Grey Davis government. So Southern California Edison has been trying for a long time to upgrade the high voltage lines that lead out of state to other power suppliers. The problem is they have to get on their knees and ask pretty please to the California Public Utility Commi
          • Wouldnt you need more skilled labour than unskilled labour for bridges, power, water and similar things?

            • by Neoprofin (871029)
              Maybe maybe not.

              The Manhattan Project employed hundreds of thousands of people, brought in to work on short notice for less than two years when most of the skilled labor was probably already invested in the war effort.

              If they can build machines to separate Uranium isotopes I bet they can handle a powerplant under enough supervision. I bet they could rebuild the destroyed sections of New Orleans while they were at it too.
          • by Melibeus (94008)

            Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.

            That's three choices...

    • by Zarim (1167823)
      They could even start spending some of that money the government keeps giving them to upgrade their infrastructure.
    • by Gilmoure (18428)

      Get rid of people and just let pets run the world?

  • by mbone (558574)

    ...one says fewer resources, less management support, and increased workload.

    Welcome to the recession. Please enjoy your stay.

    • by Pope (17780)

      How is this tied to the recession? Sounds like SOP for any business that wants to bump up the bottom-line with zero thought put into the decision.

    • by Shakrai (717556)

      Welcome to the recession. Please enjoy your stay.

      Aren't the Telecom companies actually still making money? I'm somewhat skeptical to hear them crying about the recession until I see some quarterly results that don't show profits.

  • I blame... (Score:1, Funny)

    by Anonymous Coward

    ...the Jews.

    Wasn't there something in the Book of Phlobroham about not trusting a 128-bit address space? I don't want to have to get circumcised just to get to the BBC website, goddammit.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      as far as trolls go, that was pretty good. that is how slashdot trolling ought to be done
  • by circletimessquare (444983) <circletimessquare@NoSpaM.gmail.com> on Tuesday November 11, 2008 @03:30PM (#25724595) Homepage Journal

    i can't decide, is the 40Gbps spike was related to fighting between criminal organizations. so its mollifying that this tool is so far only being used at such screaming proportions as turned on its creators:

    The Arbor Networks researchers said a 40-gigabit attack took place this year when two rival criminal cybergangs began quarreling over control of an online Ponzi scheme. "This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals," the network operator wrote in a note on the attack.

    the new york times had a good summary:

    http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?partner=permalink&exprod=permalink [nytimes.com]

    its notable that a lot of this potential is just sitting around, waiting for a chance to be used. if china goes to war with taiwan, or as when russia declared war on georgia, you will see/ saw these countries get DDosed off the face of the earth. that's the really worry: using DDos as a tool of war. the usa can sit around and wait until DDos used against vital government and civilian systems, or get ahead of the curve now

    also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?

    • by whydna (9312) <whydna@hotmail.STRAWcom minus berry> on Tuesday November 11, 2008 @03:40PM (#25724699)

      Back in the day (about a decade ago), you could "smurf" folks, which is a form of reflective amplification. The process was fairly simple: you'd ping a network's broadcast address with a packet spoofed to appear to come from your victim. At the time, most networks weren't filtering the broadcast traffic. As a result all the hosts on that network would respond to the ping. Back in the days of 14.4 modems, you could easily blow somebody offline while generating a very tiny volume of traffic.

      ---> ping (src: victim [spoofed], dest: broadcast address of large network)
      <=== large number of icmp responses (src: addresses in large network, dest: victim)

      I'd guess that the attack is similar in concept.

      • by Splab (574204) on Tuesday November 11, 2008 @03:53PM (#25724841)

        Well there are all sorts of neat tricks, but basically its the same.

        First you get yourself a bunch of zombies, these can hammer away at whatever speed they got uplink - but instead of hitting the target directly you use BGP routers (hopefully most are now immune to this) and make ICMP packets claiming to be from your victim, this way the BGP routers will respond to the ping effectively making a reflected DDoS (RDDoS). The neat thing is its pretty hard to figure out where the traffic is coming from because you need to contact whoever administrates the BGP router - and you can't block the traffic since the BGP routers are kinda important for your connection(s).

      • by pdxp (1213906)
        I believe what we have now that stops this is called egress filtering.

        basically, outgoing routers at different levels check to make sure the source address of a packet will lead back to the network it originated from.
    • by russotto (537200)

      also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?

      Yeah. The "smurf" attack -- where you forge an ICMP Echo Request to some large broadcast address -- is the prototype for that sort of thing. Any service which will generate a reply to an unverified source address is a potential middleman, though.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      the usa can sit around and wait until DDos used against vital government and civilian systems, or get ahead of the curve now

      That could be a bit of a self-inflated problem considering the zombie bot armies. However I do agree we need to make the telcom industry feed us some heavy doses of fiber with all those extra funds we been giving them for decades for it and less on silicone for their mistresses, thereby making the "tubes" a bit more regular in the flow and less top heavy. It would help too if things we

      • 'However I do agree we need to make the telcom industry feed us some heavy doses of fiber with all those extra funds we been giving them for decades for it and less on silicone for their mistresses, thereby making the "tubes" a bit more regular in the flow and less top heavy.'

        best idiomatic sentence i've seen on slashdot, ever. you shoehorned two idiomatic expressions in there, in parallel, without sounding verbose, and increasing the humor and potency of what you were trying to say

        pure awesome win

    • Err, why would the US gov't care? They have their own secure internetwork setups that are pretty much isolated from 'The Internet' as we know it. No one has creates a DDoS technique that can leap an air gap, so...

      I suspect that most other first-world governments have similar infrastructures as well.

      /P

  • Key comments (Score:5, Informative)

    by Animats (122034) on Tuesday November 11, 2008 @03:32PM (#25724617) Homepage
    Useful quotes from the report:
    • "Large Web mail operators like Google don't give a sh-- -- about spam originating from their networks because they know they are too large to be blacklisted. This causes significant pain."
    • "Overall, law enforcement referrals dropped for the third year in a row." "We also asked respondents if they believe law enforcement has the power and/or means to act upon information provided by network operators. Only 21 percent said Yes, while nearly 64 percent said No".
    • "The attack stopped only because the attacker was paid. The attacker remains at large and active. No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he'd launch the spoofed source DNS query. The DNS servers were all DNS servers open to recursion."
  • Most of the DDOS traffic originates from compromised Windows PCs. Most SPAM originates from Windows machines. There is lots of hand-wringing about the issue, but the fundamental cause of several serious Internet problems appears to be the insecurity of Windows (before anyone mentions "clueless users" -- the OS should not allow the users to make these mistakes -- since Windows is marketed to these very types -- it's like selling a car that does not have seatbelts and airbags to people who can't drive).

    So, wh

    • by Yetihehe (971185)

      So, when are people going to ask Microsoft the hard questions?

      When they realise windows is not secure. Which is: not very soon. Typical zombie-computer users don't know what a zombie computer is.

    • Re: (Score:3, Insightful)

      by lawaetf1 (613291)

      I don't often ride to the rescue of MSFT but if people are going to ignore updates and continue to run unpatched IE5 on Windows 2000.. what would you have them do? Force patches on people with no disable option? That'd go over real well with the /. crowd.

      Probably the best thing that could happen would be for major web sites to start rejecting IE5. That would oblige a significant chunk of the slackasses out there to upgrade and visit windowsupdate in the process. Not that this would really improve the

      • by legirons (809082)

        I don't often ride to the rescue of MSFT but if people are going to ignore updates and continue to run unpatched IE5 on Windows 2000.. what would you have them do?

        Write it correctly the first time?

        Prioritise security over trying to out-politick a court?

        Use simple published protocols in preference to ones designed to make it harder for competitors to reverse-engineer?

        Or alternatively they could just patch their shit every tuesday and blame the users for not spending their entire monthly bandwidth on software upgrades, that works too...

        • by rabbit994 (686936)

          No one gets anything correct the first time and if Linux got majority of the home users, I would see people attacking it as well. Right now it's not worth it but when it does, we will see the same problem.

          Real problem is fact that ISPs will let these zombies sit on their networks and not do a thing. If ISPs started cutting off zombie machines then this problem would be fixed. It's pretty easy to see a zombie machine at work, 50 outbound connections to 45 different SMTP server, yea, it's a zombie or at least

          • There are basic routers that take at least put a reasonable limit on SMTP scanning. One that I work with frequently is the IP3 NetAccess [ip3.com] series. There are other products as well, but I'm a happy customer.

            For public space WiFi networks it's a fairly simple solution that intercepts port 25 traffic, and throttles you to x per minute. It's designed for networks with many mobile users.

            Considering these are affordable for many types of smaller businesses, it's hard to believe that all consumer-grade ISP's can'

      • what would you have them do? Force patches on people with no disable option? That'd go over real well with the /. crowd.

        I wouldn't even expect them to correct their past mistakes. But I would expect them to make the next windows release (or heck, the next vista-patch) finally immune to at least the most obvious of attacks.

        The old and vulnerable windows versions will inevitably phase out over the next years - there, problem solved.

        The whole point is that microsoft makes no visible effort to finally fix the p

    • by david_thornley (598059) on Tuesday November 11, 2008 @09:05PM (#25728435)

      It is often the elephant in the cubicle, but there's really nothing that most people can do. For anybody outside Microsoft, and most people inside it, it's kind of like a bad Supreme Court decision.

      Now, suppose that all of these problems, all the spam and DDOSs, were due to Microsoft's incompetence, shortsightedness, and general desire to increase next quarter's profits while dooming civilization as we know it. (This isn't entirely true, of course.) Suppose that the top Microsoft execs believed they had to do something effective, or God was going to release everything Microsoft ever wrote under GPLv3.

      They decide to get to work on a more secure OS. This will take a lot of rewriting, and they'll dump other features before they get it out the door. They decide to keep the eye candy intact, and give the RIAA and MPAA everything they want. They call it, for the sake of argument, Mojave. (Vista may not be ideal, but it has a lot more security built in than XP.)

      Now, what do they do about older software? Most people and businesses have some software they rely on, which really won't work on a secure machine. The developers of Roller Blade Tycoon and The Sins had administrator accounts, after all, and that's what they tested on. Everybody took advantage of all the security holes, because it made it possible to get their stuff out the door a week sooner, at the expense of dooming civilization as we know it of course.

      Ballmer thinks. He can't just enforce security, because nobody will buy Mojave. He can't leave all the holes there, or he gets Eric Raymond and Richard Stallman as permanent house guests. The only thing he can do is plug the holes, and let the users decide what they want to run under the Users Are Competent program.

      At this point, the users notice that Mojave runs slower, and when they try to run their favorite game, Uncle Wiggley DDOSs WWW.Apple.Com, they have to click through all these boxes, which is annoying even to the multitudes who are completely trained to click OK on "See dancing pigs and doom civilization as we know it!" They start badmouthing Mojave, and stick to XP as much as they can. When they get Vista, the ones who know enough disable all those annoying little dialog boxes, and the rest just click through them to get them off the screen. "Hey, dancing pigs!"

      So, regardless of what you think of Microsoft's bad security practices and shortsightedness, there's really very little they can do about the situation they helped create. We have to deal with the computers we have, not the ones we wish everybody had.

      • by whoever57 (658626)

        It is often the elephant in the cubicle, but there's really nothing that most people can do. For anybody outside Microsoft, and most people inside it, it's kind of like a bad Supreme Court decision.

        There is plenty that people can do. I agree that it is probably very difficult, if not impossible for MS to fix the problem on XP and older OSes. However, that should not stop people from recognizing the root cause. Having identified the root cause, people can then modify their buying practices based upon that

  • by sizzlinkitty (1199479) on Tuesday November 11, 2008 @04:22PM (#25725241)
  • IPv6 and DDoS? (Score:5, Interesting)

    by Midnight Thunder (17205) on Tuesday November 11, 2008 @04:35PM (#25725449) Homepage Journal

    Have any studies been made with regards to DDoS attacks and IPv6. While at this point highly theoretical, would the differences in address range and lack of NATs reduce, increase or have no change on the risk?

  • by Spatial (1235392) on Tuesday November 11, 2008 @04:54PM (#25725705)
    ...take them out.

    The computers I mean. If it's that bad the zombies need to be killed off.

    I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.

    If I was in a position where I could press a button and wipe the MBR of every zombied computer on a gigantic botnet, I'm not sure if I would or not. Would you?
    • by swilde23 (874551)
      Orrin Hatch wants you to join the "we'll blow up your computer" army. Do you have what it takes?
    • by KrimZon (912441)

      There's probably a downside I don't see.

    • Depends. Can somebody trace and/or sue me?
    • by shentino (1139071)

      The trouble with this plan is collateral damage.

      Often, zombies are also hostages.

      As long as the process makes sure that reinstallation of the OS doesn't burn up any licenses for anything (I'm looking at YOU EA...), then I would be in favor of such a move.

      The annoying inconvenience should be incentive enough for people to invest in securing their computers. Anything more severe than that, and you're treating the disease by killing the patient.

      As far as getting caught, I just remember that galileo got tried

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Heh, yeah good luck with that. Oldskool botnets weren't that hard, since they were controlled over IRC ... just /join the channel and work out the commands. Modern bots use public key encryption, custom p2p protocols, and most significantly they have no static central server: they move around constantly by means of election protocols, heartbeat monitoring and fast-flux DNS. In fact there are usually several tiers of roles which continually self-reorganise. Oh, and they detect attempts to probe them and DDoS

    • Your post advocates a

      (x) technical ( ) legislative ( ) market-based (x) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      (x) Mailing lists and other legitimate email uses would be affected
      (x) No one will be able to find the guy or collect the mone
    • by ITEric (1392795)

      ...I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.

      If it's possible to get lists of compromised computers, why not spend some resources on notifying the clueless masses that they are compromised and let them know what to do about it?

      It would seem to be a lot more ethical than just blowing them out of the water.

  • by icedcool (446975)
    Nuclear bombs even worry 1st world countries.
  • Great Explaination (Score:5, Insightful)

    by IceCreamGuy (904648) on Tuesday November 11, 2008 @05:17PM (#25726007) Homepage

    Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat

    The Kaminsky thing? The ISPs thought it was handled poorly? How ***the fuck*** should it have been handled then? The day they disclosed publicly that there was a vulnerability, nevermind that they didn't disclose the details, they had patches out for every major DNS server and any ISP who wanted to be patched could have been. WTF?

    • by jallen02 (124384)

      Actually the vulnerability was always there. The exploit is what came out the same day.

      It was such a relatively easy to figure out flaw that once Dan even mentioned it many security researchers, not even really into network protocols, took a gander at the way DNS worked and figured it out. So, the irresponsibility is that if these guys consider it to be such a probably that they did not make it a top priority to correct it.

      Yeah..

  • Scary stuff (Score:5, Funny)

    by Larryish (1215510) <larryish&gmail,com> on Tuesday November 11, 2008 @05:27PM (#25726105)
    This is terrifying.

    So terrifying, in fact, that I fully support the rebuilding of the entire Internet by pseudo-Democratic countries like the United States, and large businesses such as General Electric and Monsanto.

    We have to stop these faceless Internet terrorists once and for all!
  • CRY HAVOC (Score:2, Funny)

    by Lunzo (1065904)

    And let SLIP the dogs of war.

    Taggers, please quote correctly.

  • They're only worried about it happening to them, they don't seem to care if it happens to anyone else.

    In otherwords, they're not worried enough to do sufficient egress filtering, or to cut off their infected customers in order to keep it from happening to other people. Almost a "NIMBY" situation, but not quite.

I'm a Lisp variable -- bind me!

Working...