Someone Is Learning How To Take Down the Internet, Warns Bruce Schneier (schneier.com)
Some of the major companies that provide the basic infrastructure that makes the internet work have seen an increase in DDoS attacks against them, says Bruce Schneier. He adds that these attacks are of much larger scale -- including the duration -- than the ones we have seen previously. These attacks, he adds, are also designed to test what all defense measures a company has got -- and they ensure that the company uses every they have got, leaving them with no choice but to demonstrate their defense capabilities to the attacker. He hasn't specifically shared details about the organizations that are under attack, but what little he has elaborated should give us a chill. From his blog post: [...] This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes (PDF) a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex." There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services. Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. 
It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.
False flag operation? (Score:3, Interesting)
Could be NSA/GCHQ false-flag operation to pin the attacks on Russia.
Re:False flag operation? (Score:5, Funny)
Or it could be Russia trying to make us think it is an NSA/GCHQ false-flag operation to pin the attacks on Russia.
But we know that they know that we know....
Re: (Score:3)
But if they know that we know that they know, we knew...who are they again?
Re: (Score:2)
Wasn't he that really tall French dude who helped America win the Civil War?
Re: (Score:3)
Or it could be NSA/GCHQ spies working for the Russians trying to make us think that it's a NSA/GCHQ false-flag operation to pin the attacks on Russia.
Re:False flag operation? (Score:5, Funny)
Or it could just be a Windows 10 update.
Someone Is Learning How To Take Down the Internet (Score:5, Funny)
Don't worry I've already copied the internet onto a blank CD.
not necessarily a bad thing (Score:3, Insightful)
considering the number of new problems created and old problems made anew by the Internet (tm), taking it down isn't necessarily a bad thing.
Re:not necessarily a bad thing (Score:5, Funny)
Work place productivity would skyrocket... ... Until the Internet withdrawal symptoms kick in.
Re: (Score:3)
I have a simple fix:
Tell the workers that whoever gets their TPS reports in first gets "First Post".
Re: (Score:3)
I have a simpler one: Cut China, Russia, Ukraine & Nigeria the fuck off the Internet
Re: (Score:3)
Who said anything about going to pen and paper? Just unplug the WAN port...
Oh wait... the cloud... I forgot...
Re: (Score:2)
Or until you need to look something up.
... it's called a book, and there are places called the community library near you.
Re: (Score:2)
Or until you need to look something up.
... it's called a book, and there are places called the community library near you.
So I can get out of work multiple times a day to go to the library? Fuckin' sweet deal.
Re:not necessarily a bad thing (Score:4, Insightful)
This viewpoint is almost the opposite of reality. Losing the Internet is among the worst things that could happen.
It's basically identical to the situation with the two-party system in American politics. Until it actually crashes, nobody is going to bother to build a better system, because that's hard. It's better if the internet goes down now than in fifty years when we're really dependent on it for everything. We must build a better internet by then (meshed? entirely cooperative?) or someone surely will take it down and it will be the worst thing that could happen.
Re: (Score:2)
I trust you are on an "unlimited" data plan?
Re:Someone Is Learning How To Take Down the Intern (Score:4, Funny)
640k ought to be enough for anybody to back up the Internet.
Re: (Score:3)
Wait, the Internet is up to version 1.4 already?
When did it move out of beta?
Re: (Score:2)
Is it possible to roll back to an earlier version? Even though it is rather old, the pre-AOL one wouldn't be too bad. Maybe the one before Canter & Seigel? Heck, I'd take the one before Eternal September.
north korea's last dieing move after the nukes fai (Score:2)
north korea's last dieing move after the nukes fail?
Re:north korea's last dieing move after the nukes (Score:4, Funny)
"All your Internet Bases are belong to us!"
Re: (Score:2)
dying.
Re: (Score:2)
I don't know why or how, but that just made my day so much brighter. /hat tip
I've got it figured... (Score:2)
Re: (Score:3)
"Probing" you say?
I'd say it's them dern aliens! Back in '67 I was driving in my good old '57 Chevy when I saw a bright light above me...
Never could sit on the Jon the same way after that.
Someone - or - Something... (Score:2)
Is Learning How To Take Down the Internet.
Re: (Score:3)
As long as my Badger Badger Badger Mushroom song keeps playing... I be happy.
Re: (Score:2)
Learning How To Take Down the Internet
Isn't there a "For Dummies" book for this?
The end of my world has come! (Score:2)
Does this mean my Internet's won't work?
How will I check my fridge when I am out of town?
Re: (Score:2)
All I have is Mountain Dew and pizza.
I guess warm pizza would be OK...
Good. Go smell the flowers. (Score:3, Interesting)
Re: (Score:2)
What is real life like?
I'm too scared to go upstairs or turn off my phone.
Re: (Score:3)
3/5, would not spelunk again.
Re: (Score:3, Insightful)
Don't be an idiot.
Really
This isn't about being personally liberated from the internet. This is about attacking critical infrastructure. This is like the paving of every interstate in the country disintegrating overnight.
Sure, there would be lots of time for people to sit at home and enjoy the flowers. Meanwhile 99% of the population would immediately begin to run out of food and within a week chaos would reign - most people would have no job to work and no food to eat. The economy would take a massive
DDoS Defense (Score:2, Interesting)
1) Notice problem.
2) Look at logs/whatever and verify insane traffic levels.
3) Throttle/block source at router.
4) Repeat for every upstream switch that is impacted by the attack. For those which you don't control, call (yes call) up your peer and inform them of the issue so they may do the same.
1-3 can be automated fairly easily
4 can be automated with cooperation, agreements, established procedures, responsive personnel, etc. (4 isn't going to be automated.)
5) Inform zombie ISP customers they're part
Re: (Score:3)
Unless the attack is the type that uses perfectly normal HTTP GETs (or other expected traffic)... just from 10,000,000 sources at once... Like an old fashioned /.ing, only bigger. There is no defense against something like that other than to throttle all HTTP (or whatever) connections... but that ends up achieving the goal of the attacker anyway.
This has been demonstrated already by the Chinese government by altering unencrypted HTTP traffic to add a bit of javascript to sessions inbound to the country so t
Re:DDoS Defense (Score:5, Interesting)
The problem is that DDOS is a core vulnerability based on how the internet is built. If you get packets that should go somewhere, you try to push them there. You don't know that the guy who handed them to the guy that handed them to the guy that handed them to you is a botnet node: you just know packets go a place. You forward them.
Eventually, you hit a point where someone in that link COULD figure out that packets are part of a DDOS, but in the current model, that's just too damned far along.
Re:DDoS Defense (Score:5, Interesting)
DDoS patterns are pretty obvious, and you don't need fancy DPI either.
Happy-go-lucky packet forwarding works when everyone plays by the rules. That's not the case. You have to respond, and the ONLY response is to throttle/block the traffic. The further upstream you do this the more effective it is, but the wider impact it has for legitimate traffic. That's why step 4 is critical for the target.
It's a very simple solution to a very simple problem. DDoS is just the normal internet at an abnormal scale. All effective responses go against the general design of the internet because they involve removing a host from the internet or portions of it. So you want to limit responses to be as close to the source as possible to avoid impacting all the good actors.
Re: (Score:2)
you just know packets go a place. You forward them.
If nodes would quit forwarding packets that say they came from a place that they couldn't possibly have come from, it would cut down on some of this crap.
Re:DDoS Defense (Score:4, Informative)
There's wisdom in what you say, but the ACL black hole list could be miles long. My own iptables list is pages long, and grows every day.
I don't think that ISPs give a shit, and there's nothing and nobody to flip the blackhole switch. Even DNS tweaking isn't going to do the job. Every day my syslogs fill up with nmappers and logon failures from ugly long lists of IPv4/6 addresses.
Re: (Score:3)
The defense is to block the bad traffic as close to the source as possible, whether it be 100 Amazon VMs in a botnet or 10,000,000 home machines infected with shit or the entirety of China.
The internet only works if each network plays nice. DDoS has been a problem for so long because no one has the balls to cut home users or a country off, and certain governments don't give a fuck about going after botnet operators.
Re: (Score:2)
You should tweet that to @verisign so they know what to do when the state sponsored DDoS to take down the internet comes. As you pointed out the answer is to stop the bad traffic which should fit nicely into 140 characters and thus, save the day!
Re: (Score:2)
Maybe they should also turn on DNSSEC for verisign.com, since they are crucial and into security and all.
Re:DDoS Defense (Score:5, Insightful)
This is why slashdot sucks so much. I started reading /. back when the UIDs were in the 10k range, and only people who really knew about the subject would comment. It took me many months before I saw a topic I could contribute to with enough insight, hence my 100K UID.
Now, we have captain obvious noob giving a trivial "shut down" solution, which only works when the botnet is concentrated, in an arrogant tone to the security experts in Verisign and Bruce Schneier. To top it off it gets ranked +4 Insightful.
p.s. Can we add a moderation score of -1 Rolls eyes?
Re: (Score:3)
I started reading /. back when the UIDs were in the 10k range
Yeah, I think it was always crap. Remember Signal 11? Jon Katz? The ignorant are drawn to comment sections.
Re: (Score:2)
Yeah, there have always been some idiots around, but there used to be a lot less. Also with the increased number of know-nothings moderation has degraded. Over the years I've gone from reading at 0, to 1, to 2, to 3, and now at 4 or higher.
Re: (Score:2)
If ever there was a "get off my lawn" post...
I simply lost my first account. I don't even remember the username (if I did I *might* remember the pwd).
Re: (Score:2)
This is why slashdot sucks so much. I started reading /. back when the UIDs were in the 10k range, and only people who really knew about the subject would comment.
And even Slashdot back then was ten times worse than the golden age 1988-1994 USENET already.
Re: (Score:2)
6) Cut customers off from the internet until they clean their shit up
Will never happen because Profit.
ISP's will never willingly cut off their own customers and will fight tooth and nail to prevent from being forced.
This is why US ISP's happily hand over customer identities to the *IAA for lawsuits rather than have something like a three strikes law.
Re: (Score:2)
You are correct, they won't willingly cut the cash flow. Something real interesting where everyone will have to work has to happen.
so wait for the lawsuits
Re: (Score:2)
Who said anything about blocking all traffic on a link?
These are routers. You block problem IPs.
Re: (Score:2)
Which, with a significant enough attack vector, can bring a router to its knees as it gets overwhelmed with processing the ACL trying to compare netmask of what's in the block list against the masks of what's on the inbound line. Granted it takes a massive amount of traffic from an identified bad actor to do this; but it's not outside of the realm of possibility.
Re: (Score:3)
Shut down the internet for bad actors, yes. You can't let bad hosts play on your network and then expect your network to be invited to the party all the other networks are throwing.
TFS leaves out most important piece ignoring info (Score:5, Insightful)
"The data I see suggests China, an assessment shared by the people I spoke with."
Of course, that will be buried in these comments that it's a US false flag, that obviously it's the US that's responsible, etc.
It couldn't possibly be someone like China.
Re: (Score:3)
But of course...
If the NSA can't OWN the Internet. It will do the next best thing, and throw a tantrum and shut it off.
"If we can't have it.. nobody can!"
Interesting timing (Score:5, Insightful)
I wonder who would stand to benefit from an Internet black out during the US presidential election?
Re: (Score:2)
A good point. A less partisan point is, what happens if you have "online voting", or any goddamned thing that requires a net to function, and it doesn't?
We have an infrastructure problem- plenty of systems assume that the internet will either always be up, or be up at least, for instance, daily.
Re: (Score:3)
We have an infrastructure problem- plenty of systems assume that the internet will either always be up, or be up at least, for instance, daily.
And it's getting worse, because the infrastructure that keeps the Internet up is starting to require the Internet actually be up.
A cow-orker installed some Meraki switches this past weekend and they are "cloud" managed. I didn't work on it, but he said you basically needed an active Internet connection to do anything with them because there was no local management at all. And of course the switches themselves had problems, cutting off Internet access until physically rebooted at least once.
Off the top of
Even the commies follow the money! (Score:3)
Is the moderation system disabled? That one deserved a "good question" mod, but the closest approximation here would be "insightful". Not only that post, but no "insightful" mods yet. That led me to check for "funny" mods, too, and couldn't find any. Anyway, I can't give you a mod point since I never get any. Many years now...
I still think that most of the spam and scams are motivated by profit, and most of the time the way to fix the problem is to figure out the business model and break it. Unfortunately,
the federal beast website / code / game / pr stun? (Score:2)
A Nascent AI Exploring its Universe? (Score:2)
"uses every they have got" (Score:2)
I hope it's us...I think (Score:2)
I hope it's US DoD trying to catch up on cyber security. Or maybe not. I'm not sure who's scarier, foreign governments or our own. Not that I like terrorists, but I'm pretty sure we all need to be more worried about all the "official" guys we willingly bought nukes and stuff for than we do about the "alquiedas" who might like to steal one.
At what point do end-users become responsible (Score:4, Interesting)
Re: (Score:3)
"AV" software is practically useless.
How about an Internet that refuses to route packets with a forged source address?
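The check asked for here, and in the earlier comment about nodes forwarding packets "from a place that they couldn't possibly have come from", is the edge-router ingress filtering described in BCP 38. The following is an added sketch, not part of the original thread: the interface names, prefix assignments and packets are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed example: prefixes assigned to each customer-facing interface.
# Interface names are hypothetical; addresses are documentation ranges.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["192.0.2.128/25"],
}

# Constructed packets: (ingress interface, claimed source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.1"),         # own address
    ("cust-a", "203.0.113.9", "198.51.100.1"),        # never assigned here
    ("cust-a", "192.0.2.200", "198.51.100.1"),        # belongs to cust-b
    ("cust-b", "192.0.2.200", "198.51.100.1"),        # own address
    ("cust-a", "2001:db8:a::5", "2001:db8:ffff::1"),  # own IPv6 address
    ("cust-b", "2001:db8:a::5", "2001:db8:ffff::1"),  # cust-a's IPv6 space
]


def build_table(assigned):
    """Parse prefix strings once so the per-packet check is a membership test."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in assigned.items()}


def source_is_plausible(table, interface, src):
    """True only if src lies inside a prefix assigned to that interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparseable source: fail closed
    # Interfaces with no entry in the table also fail closed.
    return any(addr.version == net.version and addr in net
               for net in table.get(interface, []))


def ingress_filter(table, packets):
    """Split packets into forwarded ones and a per-interface drop count."""
    forwarded, dropped = [], Counter()
    for interface, src, dst in packets:
        if source_is_plausible(table, interface, src):
            forwarded.append((interface, src, dst))
        else:
            dropped[interface] += 1       # a rising count is worth alerting on
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drops = ingress_filter(build_table(ASSIGNED), SAMPLE_PACKETS)
    print("forwarded:", len(fwd))
    print("dropped per interface:", dict(drops))
```

The filter only works at the edge where the assigned prefixes are known; a transit router further along cannot make the same judgement, which is the limitation the thread keeps running into.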
Re:At what point do end-users become responsible (Score:5, Funny)
I hear your cry about antivirus software.
A website the other day detected 432 viruses on my computer. Thankfully, it also provided a link to download some high quality antivirus software that resolved the problem.
I'm glad to say I'm now part of the solution and not of the problem any more.
Re:At what point do end-users become responsible (Score:4, Funny)
I am happy to hear that you take internet security seriously. Since you seem like a kind and generous person, I would like to share with you an opportunity to make money on the internet. You could earn up to $50,000 (FIFTY THOUSAND DOLLARS!) just by following a few easy steps. If you'll kindly send me your email address, I'd be happy to provide you with details.
Re:At what point do end-users become responsible (Score:4, Insightful)
Woooossshhhhhhh....
OpenBSD to the rescue!!! (Score:2)
Oddly, you seem to an OS recommendation. Surely you recommend OpenBSD [openbsd.org], correct?
You also realize anti-virus software is garbage, right?
What is this gibberish? (Score:2, Insightful)
"Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains."
Somebody who has no idea how anything works must have written this.
Suspicious Claim (Score:2)
and they ensure that the company uses every [sic] they have got, leaving them with no choice but to demonstrate their defense capabilities to the attacker.
This doesn't make sense. To require them to use every defense they have would require the attacker to be precisely calibrated with the defenses the company has.
It's much more likely that the attacker has more offenses that the company doesn't have defenses for or that the attacker has fewer attacks and that the company has defenses that are not employed
Redesign internet with a backchannel (Score:4, Interesting)
My computer often freezes with the beachball of death or disappearing cursor. Some runaway application, interacting with OS memory management or UI services and devices, has managed to DOS my computer. Often a reboot is the only solution.
But what was the real problem? The fact that someone designed an OS that allows runaway processes and memory managers and what not to completely dominate all other processes, or to completely hijack key devices.
Why would an OS not have a more effective segmentation; a hierarchy, which enforces rules like:
- Never dominate the pointer movement and rendering, ever, for any reason
- Give the process kill user interface (red button, X), and the process termination procedure, absolute highest priority as well.
- Have a high-priority command shell process.
- Don't let background processing and user-process memory use ever dominate and freeze user interface rendering. Probably requires a separate CPU core just for talking to the graphics subsystem.
Seems like an off-topic aside maybe?
But the same principle should be applied to Internet design.
- A backchannel allowing sys-admin commands (at low data rates only) to get through the network should have highest priority and not be affected at all by overcapacity on other "channels".
- A low data rate channel permitting only low-frequency-of-send email / messaging protocol to get through should be next in line. By design it should not permit flooding. Its functioning should be entirely independent of any DDOSable level.
- A level which supports general web-ish and messaging protocols but for trusted authenticated communicators only.
- Finally, separated from the other levels at every switch, router, and network card, something akin to the current DDOS-ABLE level where anything goes.
time to move to virtual networks (Score:2)
World ends Friday (Score:2)
The solution to DDoS attacks is peer-to-peer. Thank goodness DNS already works that way. If Verisign goes down, the information is still available in a DNS server near you. Mail will still work. WhatsApp may be not, but hey we can still use SMS.
nice (Score:2)
nice use of "what all". feels down-home.
Kim Kardashian's Bum (Score:2)
n/t
ISP's need to hold each other more accountable (Score:2)
First of all, ISP's ought to automatically detect abnormal traffic patterns to their clients and start blocking it in a temporary access control list that would expire after some time. There should be a protocol to share this temporary ACL upstream (how far upstream TBD depending on the size of the ACL vs how much routers can fit in RAM). If a source address is continually on the ACL then the ISP owning the address should be automatically notified so that they can take action against the client. If an ISP
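The expiring ACL proposed in this comment, together with the detect-and-block steps 1-3 of the earlier "DDoS Defense" comment, as an added sketch that is not part of the original thread. The flow-record format, thresholds and the `TempAcl` class are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_s, source_ip, packets).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    [(t, "198.51.100.7", 9000) for t in range(0, 50, 10)]        # flood
    + [(t, "203.0.113.20", 40) for t in range(0, 400, 10)]       # normal client
    + [(t, "198.51.100.7", 9000) for t in range(200, 250, 10)]   # flood resumes
)


class TempAcl:
    """Expiring block list with a repeat-offender count (assumed design)."""

    def __init__(self, window=10, pps_limit=500, ttl=120, notify_after=2):
        self.window = window              # seconds per measurement bucket
        self.pps_limit = pps_limit        # packets/second that triggers a block
        self.ttl = ttl                    # seconds a block stays in force
        self.notify_after = notify_after  # listings before the owner is told
        self.expires = {}                 # source -> time the block lapses
        self.listings = Counter()         # source -> times it has been listed
        self.buckets = defaultdict(int)   # (bucket, source) -> packets seen

    def blocked(self, src, now):
        """True while src has a live entry; lapsed entries are removed."""
        if src in self.expires and now >= self.expires[src]:
            del self.expires[src]
        return src in self.expires

    def observe(self, ts, src, packets):
        """Account one flow record and return 'drop' or 'forward'."""
        if self.blocked(src, ts):
            return "drop"
        key = (ts // self.window, src)
        self.buckets[key] += packets      # a real collector would age these out
        if self.buckets[key] / self.window > self.pps_limit:
            self.expires[src] = ts + self.ttl
            self.listings[src] += 1
            return "drop"
        return "forward"

    def export(self, now):
        """Live entries as (source, expiry), the list handed upstream."""
        return sorted((s, e) for s, e in self.expires.items() if e > now)

    def to_notify(self):
        """Sources listed often enough that their owning ISP should hear."""
        return sorted(s for s, n in self.listings.items()
                      if n >= self.notify_after)


def replay(flows, acl):
    """Run records through the ACL in time order; count verdicts per source."""
    verdicts = Counter()
    for ts, src, packets in sorted(flows):
        verdicts[(src, acl.observe(ts, src, packets))] += 1
    return verdicts


if __name__ == "__main__":
    acl = TempAcl()
    for (src, verdict), n in sorted(replay(SAMPLE_FLOWS, acl).items()):
        print(f"{src:15} {verdict:8} {n}")
    print("live at t=250:", acl.export(250))
    print("notify owners of:", acl.to_notify())
```

Because entries lapse on their own, the list shared upstream stays bounded by the number of sources misbehaving within one TTL, which bears on the router-memory concern raised in the comment.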
Re: (Score:2)
"What's this big red cable do? Let me just adjust the cable so I can walk by the rac "
Re: As the US surrenders control of DNS (Score:3)
Except, from TFA, "The data I see suggests China, an assessment shared by the people I spoke with."
But that's impossible in your mind...it has to be the US. It could never be a US adversary with principles that run decidedly counter to internet freedom, human rights, and so on. Clearly this is a US effort to leave itself a capability to "take down the internet", when we are the ones ceding control of ICANN and IANA.
Re: (Score:3)
Once China's great firewall is updated to RedOS 2.0. They can turn off the "Internet" and keep the good times rolling behind their borders...
Re: (Score:2)
Aware that I am replying to an AC.
The problem with the self-healing theory is the following; the multiple of grids go down.... the few basic grids on a regional level are, your basic 15 - 20 power grids. 20 or so huge Air and rail transport grids, lucky for us, the USA has redundancy system built in, it's all radio and physical. Logistical grids fail in general so expect food stocks to dwindle to nothing.
Not sure about water grids, I think they are local-ish or state-ish
We won't die, or at least a large per
Re: (Score:2)
Building out to add as many consumers at a very low cost along one network is about cost savings. A one connection policy only up and down the wider network.
The gov, party political, mil elite on the upper east coast would have great redundancy thanks to contractor overspend and mil/gov policy.
The west coast would have had the rush to build networks and in theory have a few different networks still runni
Re: (Score:2)
omg, they have already broken sentences. The rest of the internet will soon fall.