Webmail Services Struggling Against DDoS Attacks (fastmail.com) 90
An anonymous reader writes: A few days ago, privacy-oriented webmail service ProtonMail was hit by a massive DDoS attack, which was accompanied by extortion. It turns out they're not the only ones. FastMail has warned that similar attacks could lead to service disruptions this week. They have refused extortion demands, and have been hit with a couple brief attacks already. This follows attacks over the last week on Runbox, Zoho, and Hushmail. Each service has been working with data centers and network providers to mitigate the attacks as well as possible, but they're still struggling with intermittent service disruptions.
DDoS? (Score:1)
Maybe botnet members should be held responsible? (Score:3, Interesting)
Sometimes I wonder if the owners of botnet clients should be held financially responsible. For example, if someone steals a company semi and runs over people, said company will have lawsuits aplenty against it. Wonder if it should be that way with people who by negligence let their machines be part of a botnet.
Re: Maybe botnet members should be held responsibl (Score:1)
More like, the companies who wrote the OS should be responsible.
Re: Maybe botnet members should be held responsibl (Score:5, Insightful)
More like, the companies who wrote the OS should be responsible.
No. Botnets run mostly on deprecated and unpatched systems with known security holes. That is not the fault of the OS vendors. If software vendors are held liable for the stupidity of their users, then software will become far more expensive, and FOSS will disappear completely.
Re: (Score:3, Interesting)
The equivalent is not maintaining the brakes on a car. This happens, and a car goes out of control, it isn't VW that gets sued; it is the driver/operator.
Same with Internet connected devices. It is the responsibility of the owner to determine if a device is fit to connect, and if not, to disconnect it.
Right now, people don't care (they are just another snowflake in the avalanche), but if the responsibility shifts to the origin of the traffic (like it originally belonged to, way back when), PFSense with Sn
Re: (Score:1)
That will turn the internet into "cable TV" with dumb terminals connected to a few big content providers in the blink of an eye.
Re: (Score:1)
As the other reply said, the OS is responsible. Go after them. The computer is still a black box, the user has no idea what goes on inside. All they know is that if they let any smoke leak out, the machine is cooked. Like all other crimes you need to find the perpetrator. Don't fuck with those caught in the crossfire.
Re: (Score:2)
Then maybe, just maybe, they shouldn't own a computer. I know, I know... It's a horrible thought that people would be better served by knowing how to properly use the tools they own.
Re: (Score:2)
Re: (Score:1)
The consumer is being sold a defective "car", with loose bolts, faulty electrics, and bad brakes.
Re:Maybe botnet members should be held responsible (Score:5, Insightful)
I myself advocate an approach that identified zombie systems simply have their internet service shut off. We've been able to pretty cleanly identify which IP addresses are the source of these attacks, why not have legislation requiring that they simply lose their internet access until they fix it? Kind of like the ham radio days where you're held accountable for your activities when transmitting to the public.
Take it a step further and establish a treaty body that requires each signing nation set up the same laws for their ISPs, in addition to a trade organization that enforces these rules.
That would put a stop to this real fast. Either way something has to be done because this is going to get out of control real fast as even more people get high speed broadband and have no idea what the fuck they're doing with their equipment.
Re: (Score:2)
You really don't understand this shit, do you?
The goddam botnets are smart enough to change IP addresses at random, and often.
It's Whack-a-Mole.
Re:Maybe botnet members should be held responsible (Score:4, Informative)
You really don't understand this shit, do you?
The goddam botnets are smart enough to change IP addresses at random, and often.
It's Whack-a-Mole.
Theres even another level of indirection; in reflection attacks you, the recipient of the attack, gets to see the IP addresses of the machines used as reflectors. You don't get to see the IP addresses of the machines used to trigger those reflections. Only the people hosting the reflector get to see the these.
Re: (Score:3)
Well first see my post here:
http://slashdot.org/comments.p... [slashdot.org]
And in addition to that, anybody who owns something that is being used as a reflector could be required to fix it (i.e. an open relay needs to add authentication) and in the case of passive services that can be used as reflectors (such as DNS) they can keep logs of what IP addresses are obviously using them as a DDoS reflector and report them to a proper authority.
Re: (Score:1)
Oh, the botnet endpoints are smart enough to change the IP address assigned to the endpoint? Hrmm, how are they doing that on your typical user TWC or COX internet connection? Oh wait they aren't. You THINK they are because they just use different botnets for different attacks, or only utilize a % of the zombie PCs in their botnet.
Having the ISP cut the user off is a valid solution, or at the least, drop it to 56k speeds. You stop the zombies from attacking, you stop the DDoS.
Re: (Score:2)
Re: (Score:2)
I've been saying this for years. If you're exhibiting signs of malicious activity that indicates an infection then you get firewalled from the 'net in general but have access to the tools to repair it.
Re:Maybe botnet members should be held responsible (Score:5, Interesting)
Actually with that statement, I think you fundamentally misunderstand how a botnet works. They have multiple compromised hosts under their control, each of which potentially has a unique IP address. So yeah, you'll likely see the IP address appear to change even though it's the same actor behind the action.
In most cases, the botnet operator doesn't have the ability to change the IP address of each individual host, because they don't have the ability to change the WAN MAC address (which is required to get your ISP to issue you a new DHCP lease.) Even in the cases where they do (such as a compromised NAT router) there's still the matter of the WAN device itself doing sticky MAC configuration and only allowing one MAC address to access the WAN (which is almost universal among DOCSIS cable providers, DSL providers, and even fiber providers in order to conserve their limited IPv4 address pool.) In the case where they can change the WAN mac address, they don't typically have the ability to clear the old MAC first (which in the more permissive WAN bridges requires a power cycle, i.e. rebooting a cable modem. Motorola cable modems can via a web query to 192.168.1.100, but other than that most modems don't support this.)
But let's say conditions are absolutely perfect, and they can change the MAC address at will and thus change their IP address, there's another problem: Virtually all ISPs keep logs of which account has a lease to which IP address at what time.
Which means that even in the worst of cases, you can still identify what account has been participating in a DDoS, and that account could be suspended as per appropriate legislation, until they remove and/or correct any compromised systems.
Re: (Score:3)
You're talking past each other. To draw a car analogy, let's pretend that the streets around a particular business are getting clogged up by unlicensed teens borrowing their parent's cars to go joyriding. The previous poster is suggesting that we tell those parents that they're not allowed to drive on the road until they take steps to prevent their kids from using their cars illegally. I.e. We put the onus on the owners of the cars to properly secure their vehicle before we let them use a shared resource. Y
Re:Maybe botnet members should be held responsible (Score:4, Insightful)
I wouldn't advocate a requirement to install antivirus software. Something like a 48 hour notice first, followed by 48 hour suspension. If after your service is restored and the problem isn't resolved, then you've got 24 hours to resolve, and if not resolved, the suspension time doubles to 96 hours. Something like keep doubling the suspension period until resolution. The long suspension wouldn't reset to 48 hours until about 6 months of no indication of botnet activity.
As for countries that wouldn't sign on to the treaty, you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week, and there is no warning period. Some of the ISP's customers might get upset really fast if they find that half of the internet doesn't even work most of the time, and let them sort out among themselves how they fix it.
Son of SOPA (Score:2)
you could do something like require any routers that border to a non-signatory nation have the known botnet IP addresses blocked for one week
Isn't that what the widely hated Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECTIP) bills threatened to do?
Re: (Score:2)
The difference would be that, in the case of SOPA, just any random person could upload so much as a picture, and whether it belonged to the MPAA or not they could demand the site be shut down without any kind of evidence.
However with what I'm proposing, there would have to be a pattern of deliberate attack. That is, you don't have a robot crawling websites looking for words like "Happy Gilmore" and then immediately issuing a DMCA takedown. Rather it would have to be a pattern of abuse (and you can establish
Re: (Score:2)
A number of colleges and universities already enact such policies as it is. The one I went to actually had a mandatory malware scan before you were allowed on their dorm network
Is this malware scan available for OS X and major GNU/Linux distributions? Or does it work correctly in Wine? Or are students required to buy a copy of Genuine Windows® for each Mac or Linux laptop, reboot into Windows in order to connect to the Internet, replace iPad and Android tablets with Surface tablets, and leave the phones on cellular data?
Re: (Score:2)
It was back in the early 2000s. At the time, their policy only required Windows machines to do the scan. Macs and Linux didn't have to.
Again, I'm not suggesting it was or is a good policy, nor that it's something to model national policy after. I was merely pointing out that there is precedent for similar sorts of policies at a smaller scale.
Re: (Score:1)
A tighter car analogy would have considered a place where people can drive without license, car vendors increasingly hide technical details such as control lights and rev counters, and it is generally considered unfeasible for drivers to be their own security managers.
Re: (Score:2)
And how do they stop it if they don't have Internet access to download the latest patches? What if there are no patches?
Re: (Score:2)
Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch, and have your WAN edge configured as stateful and drop all unsolicited packets, which is easy to do with most SOHO gear. Don't know how to do that? Well then you should probably either learn how or hire somebody. Either way, that's better than a fine.
Re: (Score:2)
Well if the infected system was mine, I wouldn't need a patch, I'd just wipe the systems clean and rebuild from scratch
How would you download the image with which to "rebuild from scratch" and download patches released since the image was created without Internet access?
Re: (Score:1)
The image is already onsite, on removable media.
If not. Oh well. What kind of crapware OS were you running, again?
Unpatched install image (Score:2)
and download patches released since the image was created
The image is already onsite, on removable media.
The copy on removable media is more than likely not yet patched up to today. Or do you make a new install image every month with all updates slipstreamed in?
Re: (Score:3)
The vast majority of the time somebody runs a compromised system these days, flaws in the host OS weren't the attack vector used. It's typically somebody downloading "free app that you must try now" or going to bad sites that have a flash or java exploit.
Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows, or any recent Linux distribution, you aren't going to get an infected system just for having it on the network.
Is there a vulnerability in Windows 7 RTM? (Score:2)
Installing a fresh copy of a Windows 7 SP1 or any newer version of Windows
I seem to remember that Windows XP RTM was vulnerable because it connected to the network before its firewall was up. This meant a PC could get remotely compromised before it could finish downloading updates, even if it ran no applications other than Windows Update. The workaround was to purchase and install an external firewall appliance. Do more recent versions of Windows have an analogous vulnerability that would require someone to have to burn an install disc with a slipstreamed service pack in order to
Re: (Score:2)
Vanilla Windows XP had a firewall, but IIRC it was off by default and was borderline useless. Microsoft didn't change that until SP2.
Mirror patches if feasible, block rest of net (Score:2)
And how do they stop it if they don't have Internet access to download the latest patches?
Devices not yet cleared for Internet access would have access to hosts other than the ones used for update services blocked. Better yet, the ISP could run a mirror of Apple Software Update, Windows Update, and Ubuntu trusty-security and wily-security.
What if there are no patches?
If patches do not exist because the operating system has reached its date of end of support, it is the subscriber's responsibility to purchase an upgrade to customer-provided equipment. If patches do not exist because the defect is still 0-day, I don't know. If
Re: (Score:2)
I wouldn't even concern with 0-day. Use a stateful firewall to block all unsolicited packets, use a modern web browser, disable all NPAPI plugins. Only do otherwise if you know what you're doing, because its your problem if you get blocked again.
If something is still exploited even after that (like say a brand new copy of Insecure Explorer 2.1 has zero day in its jpeg rendering library) then the ISPs should allow a grace period until that gets patched.
Re: (Score:2)
I was actually thinking of limiting access to certain sites but the original proposal was to just cut off all access and I was trying to make a point. While an ISP may consider hosting a mirror of updates for Apple or Microsoft (assuming they would go for it) I don't know if they would be interested in doing it for Linux and similar OS's. I've been out of the Linux environment for a while now so I don't know how fragmented it is or has it narrowed down to one or two distributions?
The other problem is what
Chilling effect (Score:3)
Re: (Score:2)
Re: (Score:1)
So, Google and Microsoft are behind this? Not that I would really be surprised, but I kinda doubt it, if only to avoid being tagged as a "theorist".
Re: (Score:2)
Smaller webmail providers can't.
NSA (Score:3, Insightful)
Sounds like the NSA is hard at work trying to stomp out anyone who thinks they can evade surveillance.
botnets cost money (Score:2)
You should always call any bluff of DDOS extortion. These botnets aren't free and cost money to get time on them. You might feel a little pain, but better than giving in to demands.
Better yet, use Cloudflare or subscribe to Spamhaus to preemptively deny traffic.
Re:botnets cost money (Score:4, Informative)
Denying traffic takes computing time too, if the attacks are as massive as the TFS suggests, any device used to filter the incoming requests would soon be overwhelmed and the service would be down anyway...
Re: (Score:1)
If this is a government attack then most likely money is no object.
The extortion demand isn't necessarily aimed at making a profit, it could be intended to further harm the targets' ability to continue doing business.
Re: (Score:1)
Botnets that aren't free and cost money to get time on are botnets that thus need to have a traceable revenue stream. Clearly more can be done to exterminate the people running the botnets, or at least make it hard to pay for the medical care they need after nearly exterminating them.
It's organized crime, and there are government agencies tasked with dealing with organized crime.
Re: (Score:2)
Cloudflare only helps with web.
Spamhaus - lovely, but the traffic is already coming down your uplink by then - we were already firewalling it all, doesn't help.
(FastMail Ops btw)
But we have a solution in place now, so we're in a lot nicer place than we were on Sunday when we were first hit.
Givernment attacks? (Score:5, Interesting)
Re:Givernment attacks? (Score:5, Insightful)
ProtonMail suspects a "state actor" but has zero evidence to support that. It makes no sense for a government to just DDOS a mail service. Governments would hack into the servers.
Re: (Score:2, Insightful)
Unless they couldn't. Then they would want to "discourage" people from using the service. Governments aren't all-powerful (yet).
Re: (Score:2)
Then they raid/confiscate with a FISA warrant.
Re: (Score:1)
It's a legal service in a foreign country. They can't. What they can do is leverage one of the bot-nets they may have taken over, to try and destroy the service. Everything about this reeks NSA and GHCQ.
Re: (Score:2)
Re: (Score:2)
Maybe they instituted amazing security recently. But they got hacked last year.
http://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/
Re: (Score:1)
It's a bit unusual that the extortion was paid and the attack continued-- it doesn't perfectly match the typical model of typical DDoS-for-ransom attacks.
Did the attack continue, or did the paid-off attacker stop only to be replaced by a new attacker who also wanted to get paid?
Nothing lost (Score:1)
This service has always been a joke. First off, they've been hacked multiple times, executing JS inside emails. It's ran by incompetent people, and you cannot secure these types of services from a faked signed SSL cert and injected JS to send off your unencrypted email contents the second they're displayed. Protonmail is the ILLUSION of security, the world is better off without it.
Why don't they attack gmail and yahoo? (Score:2)
Re: (Score:1)
Relative infrastructure. The same DDoS that cripples ProtonMail would be a small percentage change in normal gmail traffic, even less noteworthy if it was not fired off during a peak usage time.
Distribute the service itself (Score:1)
Big centralized services are vulnerable to these kinds of attacks.
Perhaps if the service were distributed over tens of thousands of nodes in thousands of data centers, it would be more difficult to perform the attack.
Anybody can hire a botnet to flood one data center. Can they flood every data center on the entire Internet at the same time?
Solution (Score:1)
Re: (Score:1)
When you are talking these large DDOSs that generate 60Gb of data, you are talking millions of hosts. You need to get them blocked upstream from yourself, otherwise you are still getting the flood and things will crawl on all of your services irregardless. However upstream blocking is generally not source address based, just destination -- sure we will blackhole all packets destined to _YOUR_ server. Therefore you are still down. Yes, you can move the target but the DDOS will just follow.
If you deal with th
DNS affects both attack and defense (Score:3)
Attackers use DNS in a couple of ways - one is as an amplifier, where the attacker forges a query "from" the target's IP address to a DNS server that produces a response that's larger than the query, which causes more traffic and hides the attacker's IP. (Fixing this requires configuring DNS servers not to do amplification, and getting the ISPs that the bots live on to enforce anti-spoofing - how many decades old is BCP38 now?) Another is as a way for the bots to contact their controller, and for intermed
Re: (Score:2)
I don't understand the lack of knowledge (Score:1)
on the part of the provider's ISP. It would be easy to learn which are the offending IP addresses and simply blackhole them at the router level. The the provider's ISP is too small to effect much of a change, the supplying ISP could easily do this. When I worked firewall and router security for the largest ISP in the US, we simply bllackholed the IP and, in some instances, entire class Cs and in a few instances, a class B coming out of Korea because the ISP wouldn't listen to reason. When enough of their cu
Re: (Score:2)
Except when its a distributed attack and its comming from infected machines belonging to clueless users all over the world its not possible to black hole all the traffic...
Where are these 'bots? (Score:2)
Has anyone done a recent analysis of where these machines are, and what version of Windows they are running? XP use is finally fading, and I have seen a surprising number of home PCs successfully upgraded from Windows 7 or 8 to Windows 10.
I would not expect a malware infection to survive the update.
So are the number of bots in the network declining?