40-Gbps DDoS Attacks Worry Even Tier-1 ISPs 146
sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too.
let it collapse (Score:4, Insightful)
Then perhaps we will fix some of the fundamental problems.
Re:let it collapse (Score:4, Funny)
Re: (Score:2, Informative)
nah we will just pay 700 billion to prop it up for a few months and let the next guy deal with it.
I think realistically 700 billion could fix the internet in the entire US. It would make up for the 200 billion we lost a few years ago.* Not only that we could use it to help our friends to the north.
* Article [webpronews.com], first one I found about it.
Re:let it collapse (Score:4, Insightful)
The 700 billion would have been better spent setting up a Depression Era work force. After the bridge collapse in MN we've been hearing report after report about how the current infrastructure is falling apart around us. The electrical grid is rigged together worse than some college students' cars.
Suspend unemployment. (Anyone willing and able to work but cannot find a job). Start putting everyone to work doing something. Bus them to and from a work site up to X miles from your home.[0] Every major bridge that isn't going to make it gets the full 24/7 treatment. When one bridge is done. You move onto the next one. Everything trickles down. Every one of those workers is going to need food, haircuts, a trailer to live in (while at work). Trucking industry would pick back up doing loads of construction supplies. Domestic construction equipment manufacturers would need to up production Only other domestic MADE, no other equipment (Cat, Deere, etc). Build the roads to European standards (Autobahn and such).
Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.
Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.
It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.
[0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.
Re: (Score:1, Insightful)
Back in the 1930's when construction was done by strong backs and no skills, that would have worked. And it did. Today, bridges are built by specialists with training. You want to drive on a bridge that was welded with by someone that never used one before? No? Neither does anyone else. The age of unskilled strong backs has ended. And we are discovering just how that relates to the "knowledge economy" now.
Face it, if everyone goes to college to learn how to be a "knowledge worker", who exactly will b
Re: (Score:3)
Sure, I would like to see work camps replace welfare. If you are able-bodied you get nothing unless you are in a work camp doing something.
Why does it have to be a camp? Mandatory labor in exchange for benefits is a good idea, but relocating 6-10% of the US population into camps is just crazy.
Re: (Score:2)
Mandatory labor in exchange for benefits is a good idea
Is it? You'd end up with many people who would come to rely on that 'job' and what do you do when you run out of tasks, knowing the government, an already inefficient method of using workers would become a giant money sink as they try and find more tasks and labor. And how would this prepare someone for any career other than the modern equivalent of ditch digging? What of professionals? Are they expected to devote their time and energy to work in exchange for food and or money?
Re: (Score:2)
Welfare and unemployment cost money, produce nothing tangible, and in most cases do nothing to prepare workers for anything they weren't prepared for beforehand.
Re: (Score:2)
And prisons are even more expensive than the unemployed...
Make prisoners do hard labor, and other jobs that noone else wants to do...
Make the unemployed work on less unpleasant tasks if they want to receive their benefits, that way the costs stay roughly the same but you can get some things done that would be economically infeasible otherwise due to labor costs.
Also don't bother with fancy expensive tools, if the job takes longer then so be it.
They could do things like cleaning public areas of litter and gr
Re:let it collapse (Score:5, Interesting)
100% Absolute Bull Shit. Name 1 manufacturer that does this.
I work for Caterpillar. (You know, Construction Equipment). I've been on the factory tours. I've SEEN a Bulldozer come together from front to end. I can't speak for every component and I'm sure that some parts come from China or elsewhere. But a chunk of the product is made right here built by American Workers. I've seen the robots cutting the plate steel out and people welding it together
Bulldozers/Pipe Layers (Track Type Tractors) are built in East Peoria, IL.
Large Mining Trucks, Motor Graders are built in Decatur, IL.
Hydraulic Excavators and Large Wheel Loaders are built in Aurora, IL.
Skid steers, Backhoes are in South Carolina. (At will factory).
Engines are built in Lafayette, IN, Mossville, IL and Greenville, SC. (Only Mossville is Union).
Paving equipment is in MN.
Underground mining equipment is in Australia.
And there are factories all around the world, Belguim, France, England, India, etc. (Ever figure the shipping on a multi-ton vehicle)
John Deere is in Moline, IA.
Go on a road trip sometime. Name a Chinese Manufacturer. Kumatsu and Mitsubishi and Japanese. JCB is British, Samsung is Korean. There are no (yet) big manufactures in China.
Construction equipment is a tool. And just like with hand tools you can go to Harbor Freight or you can go to Snap-On. For some people Harbor Freight is fine. But if you run something 24/7, 365 and every hour costs you thousands of downtime. You don't go cheap.
I know this is slashdot, but try not to talk out of your ass so much.
Re:let it collapse (Score:4, Informative)
John Deere is in Moline, IA.
Moline, IL
across the river from IA
Re: (Score:1)
Re: (Score:3, Insightful)
Which is quite a bit different than us buying everything from China and restamping it over here. For some things (Cat Machines for example) it's cheaper to make it where it's going to be used.
And as far as "Big Chinese Manufactures" I meant like Shandong SEM. Now if everything in the US has a "Shandong SEM" and was repainted yellow and put out to use then the post I was replying to might have a bit of a point.
Re: (Score:3, Interesting)
You seriously think the Mexicans who built your house went to college for it?
For that matter, you more than likely have been driving on bridges built by unskilled labor back in the 30's. They haven't collapsed on you yet it seems. And I guess the ole' Hoover dam is still there. Oh, and the Empire State Building, Pentagon, and hey, even the White House. Uh oh...
People are incompetent and lazy, but damn, you make them sound like they're all downright idiotic and unwilling to lift so much as a finger to save t
Re: (Score:2)
You seriously think the Mexicans who built your house went to college for it?
You think they build 4 lane bridges in the off season?
Re: (Score:2)
But I think you would hear cries of "slavery" so much that the idea has no chance.
Just call it "Universal Voluntary Public Service" then.
Re:let it collapse (Score:4, Insightful)
No matter what you call it, it's still a problematic idea as countries that already follow that model can attest.
In germany, for example, you can go roughly 2 years on welfare (if you have been in a job for at least 2 years before) before they start sticking you into "1 EUR jobs".
An 1 EUR job, as the name tells, pays 1 EUR per hour. And you have to take whatever job they give you.
The idea is that people who are forced to work for low wage will quickly become very interested in finding a *real* job (why work your ass off for 1 EUR when can you make more for the same work in a real job?).
The problems are manyfold:
1. Many people are simply underqualified and won't find a job no matter how hard they try. The 1-EUR-model basically turns into slave labor for them.
2. Many people *are* reasonably qualified but still don't find a job in their profession.
3. 1-EUR jobs now seriously compete with normal low-wage jobs such as cleaning, callcenters etc. Why should a company pay minimum wage when it can request workers for almost free from the government?
4. At least in germany this has opened the gates for a lot of shady companies (really borderline slave-labor there) that abuse the system in various "funny" ways, squeezing the last bit of profit out of them poor souls at the bottom of the food chain.
IMHO we have a totally unsolved problem here that nobody has dared tackling so far. The demand for low-skilled workers is declining to critical levels in the western world (because of automation and because outsourcing is cheaper for the rest) and high-skill work can never nearly cover the whole population.
It has become a fact of life that any larger western country simply can not offer productive work to a significant part of the population. No matter how you spin it, we'll continue to subsidize these people in one way or another - unless we decide to let them die. Now while it is a legitimate desire to "want something back" from them for their subvention money I don't think *forcing* them can be the way to go.
It's not their fault that the society doesn't need them and I find it highly problematic to force someone to "work on a bridge" (completely outside their learned profession) for minimum wage while somebody else, possibly with similar qualifications but a better family name, makes millions on wall-street.
The current system kinda works (and has suppressed any tendencies towards civial war so far) because of the elevator effect. Once you start forcing people into minimum wage jobs on a large scale scale without offering any alternatives or escape routes you'll soon get just that: a revolution.
Re:let it collapse (Score:5, Interesting)
We have exactly this discussion here in germany right now.
Germany is one of the last countries in europe that doesn't have a minimum wage and the slave labor lobby is trying hard to keep it that way.
I agree that a minimum wage should alleviate a large part of the immediate problem. But the bigger problem remains unchanged: We have more people than we have jobs.
The government can (and does) create artificial jobs by making people clean up parks or even repair bridges that would otherwise not be repaired - but that will always be a losing game. If these jobs would provide enough value to justify the cost then they'd already exist as regular jobs and there was no need to create them. Such "created" jobs are really just subventions in disguise and a tool to keep people busy so they don't start thinking.
The question is: For how much longer can the (steadily shrinking) productive portion of the population drag the (rapidly growing) non-productive part of the population along?
It doesn't matter much whether a non-productive worker is collecting welfare or is kept busy in a pseudo-job. The cost to society is almost the same.
I think therein lies the real crux that we're facing these days. Maybe the new messiah (err, obama) will finally at least acknowledge the problem so we can start looking for solutions.
Re: (Score:2)
This shows how the expectations have changed. But people still believe it's a reasonable goal to work to
Re: (Score:2)
Yes, you are right. I mis-translated the terms. Ofcourse the first 2 years is "unemployent insurance", then comes wellfare - which is cut down hard or even frozen when you refuse to take an 1 EUR job.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I think you'll find that most of the really old bridges were riveted, not welded. Riveting isn't nearly as hard as welding 2 inch thick steel.
Re: (Score:3, Interesting)
Re: (Score:2, Interesting)
Comment removed (Score:5, Interesting)
Soviet Socialist Republics of America (Score:2)
What is the point of ending unemployment if the point is to take money off those to work (producing useful goods) to pay those who don't to dig a whole and fill it again (create bubbles and lose client assets when they pop). All that needs to happen is for shitty institutions to fail and reallocate those people to useful enterprises (via market forces).
Re: (Score:3, Funny)
Libertarian once shat on my carpet. Said the free market would sort it out.
Re:let it collapse (Score:4, Informative)
I do wonder how effective that would be, my grandfather with in the CCC and was involved in building the Hoover dam.
Did this actually help with the depression?
Also they lost more than $700b, that was just the amount they needed to stay solvent. Alan Greenspan's reaction was priceless saying that he'd expected banks to take reasonable risks and not commit suicide. It was in their own interests to self-regulate but surprise surprise, greed won out.
Re:let it collapse (Score:5, Insightful)
Just to be clear...
First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.
Second, given the expectation of government bailout, it was no longer in the banks' self-interest to self-regulate, since they got to externalize the risk of bad investments. It's been known for years among financial circles that any bank failures big enough to potentially unhinge the economy would be prevented by government bailout. This information influenced lending decisions.
The simple fact of the matter is that top-level decision-makers at these financial institutions made decisions to maximize their bonuses, and those of their friends. Since the bonuses were not tied to long-term health of the company, the choices made were not optimized for long-term health of the company (or the economy as a whole). Any guilt over the negative repercussions was assuaged by the knowledge that the taxpayer would step in and bail them out.
Really, it was an investor's dream -- privatize the profits, socialize the risks.
Re: (Score:3, Insightful)
First, Greenspan expected banks to make choices in their own self-interest... but instead bank executives made decisions that were in their own self interests. He forgot that corporations are not actual decision-makers, individuals are, and individuals tend to make the choices that are best for them, not the choices that are best for their company.
All the more reason to eliminate corporations as an entity in the eyes of the law.
Re:let it collapse (Score:5, Insightful)
there are other limited-liability arrangements (Score:2)
If the goal is just to allow small businesses to shield their owners from liability, an arrangement such as a limited-liability partnership (LLP) or limited-liability company (LLC) ought to suffice.
Re: (Score:2)
The same as if he gets into a car wreck while driving his own personal car...
A company cannot force you to do anything illegal, if they tell you to drive in an unsafe manner then you are legally required to refuse and potentially report them for making such an illegal request.
If on the other hand you chose to drive in an unsafe manner, then you are now breaking the law and if you cause an accident as a result should be duly punished.
But what the poster was talking about, was making those in charge of making
Re: (Score:2)
No, the employee should be responsible for his own actions.
Re: (Score:2)
Re: (Score:2)
So what you're saying is Greenspan made the same mistake Marx did and forgot that the one immutable fact when dealing with humans is that they are greedy?
Not to mention lazy, selfish and not in possession of the perfect knowledge economists so often like to claim the markets operate with. Fact is, only a few have the knowledge and they use it to get rich, i.e. business leaders and Wall Street bankers. They knew they were in trouble, but voted themselves huge bonuses because they had the knowledge others didn't: the good times were about to end.
Re: (Score:2)
Yes, so instead of bailing them out, nationalize them...
That way, the shareholders are at risk of losing their investment completely, and they will keep the directors in check...
Once nationalized, force them to play by new rules and fire the staff who caused the problems in the first place. Bring the business back to profitability, and then sell it off.
People should not be rewarded for irresponsible behavior which causes their business to fold, and certainly shouldn't be rewarded for the arrogance and greed
Re:let it collapse (Score:4, Insightful)
Did this actually help with the depression?
Yes, but not right away. There's a very strict limit to how much "economy" the government can directly fund.
But the bridges and roads built during the 30's depression are the infrastructure that the automotive boom of the 1950's was based upon. Much more was built in the 1950s and 1960s, along with an extensive power grid, telephone system, and power plants, nuclear and otherwise. Many of these freeways, highways, power lines, and power plants remain today, gridlocked or overloaded, essentially the same as they were in 1965. For 40 years, we've been milking the massive infrastructure built during an era of the United States when we were boldly looking forward.
If we don't start looking forward again soon, our aging infrastructure will continue to crumble and groan under the burden of our much larger population. We blow 700 billion bailing out a bunch of white guys who were caught feeding at the trough of the public good, while other nations spend a similar amount remaking themselves into super powers [canucks.com].
Tisk tisk. We should be spending 700 billion on rebuilding bridges, roads, power lines, and green energy. We could be energy independent in just 10 years if we pushed it, and the cost of doing so would create a strong economic and political power base for the United States for generations to come.
Every day we don't, we squander the strength our fathers left for us. We should return the favor for our progeny.
Re: (Score:1, Flamebait)
You assume the people in Congress care about the Joe the Plumbers of the world with no money and no job instead of the wealthy Wall Street contributors. Who's going to make sure that filthy lucre flows into the machine coffers and the re-election funds? Certainly not Joe who has no job, no healthcare, and no future. So take the tribute that your citizens pay you in income taxes and give it to your Wall Street friends who, like all good money launderers, will take some off the top and return the rest in k
Re: (Score:2)
We could get all those welfare recipients filling sand bags and use the sand bags hold back the DDOS packet floods.
Better yet we could send this army of untrained workers into peoples homes to clean the trojans from their windows boxen.
I think we can all agree that the final solution will of course be to use them for food. Soylent green!
Re:let it collapse (Score:5, Informative)
Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.
Sure there are people that are going to bitch because they're used to their handout. But handouts aren't going to help anyone. Make everyone work.
It's not perfect but it's a hell of a lot better than handing it over to a bunch of people who managed to already lose $700b.
[0].M-F you live in work housing or you work 4 - 10s or 7 on 7 off.
I hate to ruin your rant with what we call "facts", but the grid in the United States is not owned by private companies that you can just boss around from your ivory tower of uninformed tripe. It is an amalgamation of state-run and multi-state entities called ISOs (Independent System Operators) that both contract and coordinate with the transmission agencies in concert with privately-owned and state-owned generation assets to produce consistent and reliable power. A grid, in the strictest sense of the word, is a series of transmission lines, owned by multiple companies, that are interlinked and under the complete autonomy of the ISO. Nothing happens without the permission and direction of the ISO or FERC (and NERC as its enforcement arm). The grid is aging, but since the ultimate authority to direct replacement lies with both federal, state, and multi-state agencies, who precisely in your little world bears the fiscal burden?
May I suggest for your education:
http://www.ferc.gov/ [ferc.gov]
http://www.nerc.com/ [nerc.com]
And for ISOs:
http://www.ercot.com/ [ercot.com]
http://www.caiso.com/ [caiso.com]
http://www.nyiso.com/public/index.jsp [nyiso.com]
http://www.pjm.com/index.jsp [pjm.com]
http://www.midwestiso.org/home [midwestiso.org]
Find the one that serves your area, and berate them with your uninformed bile since you obviously understand all of this better than anyone else.
Or do you?
Re: (Score:2)
he grid is aging, but since the ultimate authority to direct replacement lies with both federal, state, and multi-state agencies, who precisely in your little world bears the fiscal burden?
The same people that would for the $700b bailout. I didn't say I *wanted* to pay for it. I just said I thought it would be a better option than throwing money at AIG.
And building a new damn probably requires the input from dozens of state, local and federal regulators and bodies, but somehow the Hoover Dam got built.
Re: (Score:3, Funny)
I didn't say I *wanted* to pay for it. I just said I thought it would be a better option than throwing money at AIG.
To be fair, using it to line the litterbox at my house is a better option than AIG.
Re: (Score:1, Flamebait)
Re: (Score:2)
Wouldnt you need more skilled labour than unskilled labour for bridges, power, water and similar things?
Re: (Score:2)
The Manhattan Project employed hundreds of thousands of people, brought in to work on short notice for less than two years when most of the skilled labor was probably already invested in the war effort.
If they can build machines to separate Uranium isotopes I bet they can handle a powerplant under enough supervision. I bet they could rebuild the destroyed sections of New Orleans while they were at it too.
Re: (Score:1)
Give the electric companies 2 choices: Fix your own damn shit with your profits or we fix it and lease it back to you or nationalize you.
That's three choices...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Get rid of people and just let pets run the world?
Welcome to the recession. (Score:2, Interesting)
...one says fewer resources, less management support, and increased workload.
Welcome to the recession. Please enjoy your stay.
Re: (Score:2)
How is this tied to the recession? Sounds like SOP for any business that wants to bump up the bottom-line with zero thought put into the decision.
Re: (Score:2)
Re: (Score:2)
you got quotation marks, but no point. please elaborate.
Re:Welcome to the recession. (Score:5, Funny)
Except the economy is fake and "they" pull this recession bullshit every ten years or so.
you got quotation marks, but no point. please elaborate.
Obviously the Anti-Illuminati. You'd think "they" meant Illuminati, which is why it has to be the Anti-Illuminati. Unless "they" knew you'd think that...
I blame... (Score:1, Funny)
...the Jews.
Wasn't there something in the Book of Phlobroham about not trusting a 128-bit address space? I don't want to have to get circumcised just to get to the BBC website, goddammit.
Re: (Score:2, Funny)
what's scarier, or not (Score:5, Interesting)
i can't decide, is the 40Gbps spike was related to fighting between criminal organizations. so its mollifying that this tool is so far only being used at such screaming proportions as turned on its creators:
the new york times had a good summary:
http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?partner=permalink&exprod=permalink [nytimes.com]
its notable that a lot of this potential is just sitting around, waiting for a chance to be used. if china goes to war with taiwan, or as when russia declared war on georgia, you will see/ saw these countries get DDosed off the face of the earth. that's the really worry: using DDos as a tool of war. the usa can sit around and wait until DDos used against vital government and civilian systems, or get ahead of the curve now
also notable: reflective amplification. that's the methodology employed. i'm not really sure, but i think that's where you dupe completely unrelated systems into responding to forged packets. someone wiser than me on these issues: is that the general drift?
Re:what's scarier, or not (Score:5, Informative)
Back in the day (about a decade ago), you could "smurf" folks, which is a form of reflective amplification. The process was fairly simple: you'd ping a network's broadcast address with a packet spoofed to appear to come from your victim. At the time, most networks weren't filtering the broadcast traffic. As a result all the hosts on that network would respond to the ping. Back in the days of 14.4 modems, you could easily blow somebody offline while generating a very tiny volume of traffic.
---> ping (src: victim [spoofed], dest: broadcast address of large network)
<=== large number of icmp responses (src: addresses in large network, dest: victim)
I'd guess that the attack is similar in concept.
Re:what's scarier, or not (Score:5, Interesting)
Well there are all sorts of neat tricks, but basically its the same.
First you get yourself a bunch of zombies, these can hammer away at whatever speed they got uplink - but instead of hitting the target directly you use BGP routers (hopefully most are now immune to this) and make ICMP packets claiming to be from your victim, this way the BGP routers will respond to the ping effectively making a reflected DDoS (RDDoS). The neat thing is its pretty hard to figure out where the traffic is coming from because you need to contact whoever administrates the BGP router - and you can't block the traffic since the BGP routers are kinda important for your connection(s).
Re: (Score:1)
basically, outgoing routers at different levels check to make sure the source address of a packet will lead back to the network it originated from.
Re: (Score:2)
Yeah. The "smurf" attack -- where you forge an ICMP Echo Request to some large broadcast address -- is the prototype for that sort of thing. Any service which will generate a reply to an unverified source address is a potential middleman, though.
Re: (Score:2, Funny)
That could be a bit of a self-inflated problem considering the zombie bot armies. However I do agree we need to make the telcom industry feed us some heavy doses of fiber with all those extra funds we been giving them for decades for it and less on silicone for their mistresses, thereby making the "tubes" a bit more regular in the flow and less top heavy. It would help too if things we
holy alliteration batman (Score:2)
'However I do agree we need to make the telcom industry feed us some heavy doses of fiber with all those extra funds we been giving them for decades for it and less on silicone for their mistresses, thereby making the "tubes" a bit more regular in the flow and less top heavy.'
best idiomatic sentence i've seen on slashdot, ever. you shoehorned two idiomatic expressions in there, in parallel, without sounding verbose, and increasing the humor and potency of what you were trying to say
pure awesome win
Re: (Score:2)
Err, why would the US gov't care? They have their own secure internetwork setups that are pretty much isolated from 'The Internet' as we know it. No one has creates a DDoS technique that can leap an air gap, so...
I suspect that most other first-world governments have similar infrastructures as well.
Key comments (Score:5, Informative)
Why isn't the insecurity of Windows mentioned? (Score:2)
Most of the DDOS traffic originates from compromised Windows PCs. Most SPAM originates from Windows machines. There is lots of hand-wringing about the issue, but the fundamental cause of several serious Internet problems appears to be the insecurity of Windows (before anyone mentions "clueless users" -- the OS should not allow the users to make these mistakes -- since Windows is marketed to these very types -- it's like selling a car that does not have seatbelts and airbags to people who can't drive).
So, wh
Re: (Score:2)
When they realise windows is not secure. Which is: not very soon. Typical zombie-computer users don't know what a zombie computer is.
Re: (Score:3, Insightful)
I don't often ride to the rescue of MSFT but if people are going to ignore updates and continue to run unpatched IE5 on Windows 2000.. what would you have them do? Force patches on people with no disable option? That'd go over real well with the /. crowd.
Probably the best thing that could happen would be for major web sites to start rejecting IE5. That would oblige a significant chunk of the slackasses out there to upgrade and visit windowsupdate in the process. Not that this would really improve the
Re: (Score:2)
I don't often ride to the rescue of MSFT but if people are going to ignore updates and continue to run unpatched IE5 on Windows 2000.. what would you have them do?
Write it correctly the first time?
Prioritise security over trying to out-politick a court?
Use simple published protocols in preference to ones designed to make it harder for competitors to reverse-engineer?
Or alternatively they could just patch their shit every tuesday and blame the users for not spending their entire monthly bandwidth on software upgrades, that works too...
Re: (Score:2)
No one gets anything correct the first time and if Linux got majority of the home users, I would see people attacking it as well. Right now it's not worth it but when it does, we will see the same problem.
Real problem is fact that ISPs will let these zombies sit on their networks and not do a thing. If ISPs started cutting off zombie machines then this problem would be fixed. It's pretty easy to see a zombie machine at work, 50 outbound connections to 45 different SMTP server, yea, it's a zombie or at least
Re: (Score:1)
There are basic routers that take at least put a reasonable limit on SMTP scanning. One that I work with frequently is the IP3 NetAccess [ip3.com] series. There are other products as well, but I'm a happy customer.
For public space WiFi networks it's a fairly simple solution that intercepts port 25 traffic, and throttles you to x per minute. It's designed for networks with many mobile users.
Considering these are affordable for many types of smaller businesses, it's hard to believe that all consumer-grade ISP's can'
Re: (Score:2)
I wouldn't even expect them to correct their past mistakes. But I would expect them to make the next windows release (or heck, the next vista-patch) finally immune to at least the most obvious of attacks.
The old and vulnerable windows versions will inevitably phase out over the next years - there, problem solved.
The whole point is that microsoft makes no visible effort to finally fix the p
Re:Why isn't the insecurity of Windows mentioned? (Score:4, Insightful)
It is often the elephant in the cubicle, but there's really nothing that most people can do. For anybody outside Microsoft, and most people inside it, it's kind of like a bad Supreme Court decision.
Now, suppose that all of these problems, all the spam and DDOSs, were due to Microsoft's incompetence, shortsightedness, and general desire to increase next quarter's profits while dooming civilization as we know it. (This isn't entirely true, of course.) Suppose that the top Microsoft execs believed they had to do something effective, or God was going to release everything Microsoft ever wrote under GPLv3.
They decide to get to work on a more secure OS. This will take a lot of rewriting, and they'll dump other features before they get it out the door. They decide to keep the eye candy intact, and give the RIAA and MPAA everything they want. They call it, for the sake of argument, Mojave. (Vista may not be ideal, but it has a lot more security built in than XP.)
Now, what do they do about older software? Most people and businesses have some software they rely on, which really won't work on a secure machine. The developers of Roller Blade Tycoon and The Sins had administrator accounts, after all, and that's what they tested on. Everybody took advantage of all the security holes, because it made it possible to get their stuff out the door a week sooner, at the expense of dooming civilization as we know it of course.
Ballmer thinks. He can't just enforce security, because nobody will buy Mojave. He can't leave all the holes there, or he gets Eric Raymond and Richard Stallman as permanent house guests. The only thing he can do is plug the holes, and let the users decide what they want to run under the Users Are Competent program.
At this point, the users notice that Mojave runs slower, and when they try to run their favorite game, Uncle Wiggley DDOSs WWW.Apple.Com, they have to click through all these boxes, which is annoying even to the multitudes who are completely trained to click OK on "See dancing pigs and doom civilization as we know it!" They start badmouthing Mojave, and stick to XP as much as they can. When they get Vista, the ones who know enough disable all those annoying little dialog boxes, and the rest just click through them to get them off the screen. "Hey, dancing pigs!"
So, regardless of what you think of Microsoft's bad security practices and shortsightedness, there's really very little they can do about the situation they helped create. We have to deal with the computers we have, not the ones we wish everybody had.
Re: (Score:2)
There is plenty that people can do. I agree that it is probably very difficult, if not impossible for MS to fix the problem on XP and older OSes. However, that should not stop people from recognizing the root cause. Having identified the root cause, people can then modify their buying practices based upon that
Re:Why isn't the insecurity of Windows mentioned? (Score:5, Informative)
Did we just jump in back 5 (or more) years in time?
You are joking, right? Open relays have been oveshadowed by compromised destop machines as spam sources for a few years now. Plus, since SMTP MTAs tend to be on static IPs, the use of RBLs has effectively limited the reach of open relays as sources for any kind of email (SPAM or otherwise).
Re: (Score:1, Troll)
Re: (Score:2)
You might have more success in correcting me, if you did not pull stuff out of your rear orifice.
/., but there has been little to
First it was open relays, now it is compromized acccounts: you can't even be consistent.
There has been a lot of discussion of the automated or semi-automated creation and use of Gmail and Hotmail accounts on
Re: (Score:2)
Re: (Score:2)
Fail.
Seriously, that was like the Hindenburg. "Oh! The inanity!"
If your mail server tells a different story, now would be the time to prove your allegations. Failing that, I would go back and actually read the post you just responded to.
DO NOT WANT MORE SPAM!!!! (Score:5, Informative)
IPv6 and DDoS? (Score:5, Interesting)
Have any studies been made with regards to DDoS attacks and IPv6. While at this point highly theoretical, would the differences in address range and lack of NATs reduce, increase or have no change on the risk?
If it's really that big a problem then... (Score:5, Interesting)
The computers I mean. If it's that bad the zombies need to be killed off.
I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.
If I was in a position where I could press a button and wipe the MBR of every zombied computer on a gigantic botnet, I'm not sure if I would or not. Would you?
Re: (Score:2)
Re: (Score:1)
There's probably a downside I don't see.
Re: (Score:1)
Re: (Score:1)
The trouble with this plan is collateral damage.
Often, zombies are also hostages.
As long as the process makes sure that reinstallation of the OS doesn't burn up any licenses for anything (I'm looking at YOU EA...), then I would be in favor of such a move.
The annoying inconvenience should be incentive enough for people to invest in securing their computers. Anything more severe than that, and you're treating the disease by killing the patient.
As far as getting caught, I just remember that galileo got tried
Re: (Score:1, Interesting)
Heh, yeah good luck with that. Oldskool botnets weren't that hard, since they were controlled over IRC ... just /join the channel and work out the commands. Modern bots use public key encryption, custom p2p protocols, and most significantly they have no static central server: they move around constantly by means of election protocols, heartbeat monitoring and fast-flux DNS. In fact there are usually several tiers of roles which continually self-reorganise. Oh, and they detect attempts to probe them and DDoS
Re: (Score:2)
(x) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the mone
Re: (Score:1)
...I've read a few stories about researchers infiltrating botnets and being able to see a list of all the compromised computers. I wonder if it's possible to completely stop network access remotely without causing data loss.
If it's possible to get lists of compromised computers, why not spend some resources on notifying the clueless masses that they are compromised and let them know what to do about it?
It would seem to be a lot more ethical than just blowing them out of the water.
In other news (Score:2, Funny)
Great Explaination (Score:5, Insightful)
Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat
The Kaminsky thing? The ISPs thought it was handled poorly? How ***the fuck*** should it have been handled then? The day they disclosed publicly that there was a vulnerability, nevermind that they didn't disclose the details, they had patches out for every major DNS server and any ISP who wanted to be patched could have been. WTF?
Re: (Score:2)
Actually the vulnerability was always there. The exploit is what came out the same day.
It was such a relatively easy to figure out flaw that once Dan even mentioned it many security researchers, not even really into network protocols, took a gander at the way DNS worked and figured it out. So, the irresponsibility is that if these guys consider it to be such a probably that they did not make it a top priority to correct it.
Yeah..
Scary stuff (Score:5, Funny)
So terrifying, in fact, that I fully support the rebuilding of the entire Internet by pseudo-Democratic countries like the United States, and large businesses such as General Electric and Monsanto.
We have to stop these faceless Internet terrorists once and for all!
CRY HAVOC (Score:2, Funny)
And let SLIP the dogs of war.
Taggers, please quote correctly.
They're worried, huh? (Score:2)
They're only worried about it happening to them, they don't seem to care if it happens to anyone else.
In otherwords, they're not worried enough to do sufficient egress filtering, or to cut off their infected customers in order to keep it from happening to other people. Almost a "NIMBY" situation, but not quite.
Re:Frist POST FUCKKERRER (Score:5, Funny)
Where's my "-1, Epic Fail!" moderation option when I need it?
Re: (Score:1)