Re: Over a decade of DDOS--any progress yet?
One big problem (IMHO) of DDoS is that sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those. On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect. I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as possible to the source? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past. Regards. -as
On 8 Dec 2010, at 10:00, nanog-request@nanog.org wrote:
Date: Wed, 8 Dec 2010 10:58:38 +0000
From: bmanning@vacation.karoshi.com
Subject: Re: Over a decade of DDOS--any progress yet?
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: North American Operators' Group <nanog@nanog.org>
Message-ID: <20101208105838.GD5841@vacation.karoshi.com.>
Content-Type: text/plain; charset=us-ascii
actually, botnets are an artifact. claiming that the tool is the problem might be a bit short sighted. with the evolution of Internet technologies (IoT) i suspect botnet-like structures to become much more prevalent and useful for things other than coordinated attacks.
just another PoV.
--bill
On Wed, Dec 08, 2010 at 04:46:13AM +0000, Dobbins, Roland wrote:
On Dec 8, 2010, at 11:26 AM, Sean Donelan wrote:
Other than trying to hide your real address, what can be done to prevent DDOS in the first place?
DDoS is just a symptom. The problem is botnets.
Preventing hosts from becoming bots in the first place and taking down existing botnets is the only way to actually *prevent* DDoS attacks. Note that prevention is distinct from *defending* oneself against DDoS attacks.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
One big problem (IMHO) of DDoS is that sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
The technology exists to detect and classify this attack traffic, and is deployed in production networks today. And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
Actually, there're lots of things they can do.
I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as possible to the source? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past.
It already exists.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
On 08/12/10 4:28 AM, Arturo Servin wrote:
One big problem (IMHO) of DDoS is that sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet. Why isn't ANYONE going after Microsoft over this? If Microsoft were held accountable for the spam and DDOSs that spew from their crappy software, they would find a way to stop the problem. I've raised this issue before, IMHO Windows OSs are "attractive nuisances" and that legal argument can be used to hold Microsoft responsible for not putting an adequate "fence" around their "attractive nuisance". If all the big ISPs banded together to file suit against Microsoft, they could share the cost (and pain) of the lawsuit. Instead, you each individually keep trying to implement in-house solutions to filter/block spam and DDOSs. How's that working for ya? jc
On 12/8/2010 9:43 AM, JC Dill wrote:
Why isn't ANYONE going after Microsoft over this? If Microsoft were held accountable for the spam and DDOSs that spew from their crappy software, they would find a way to stop the problem. I've raised this issue before, IMHO Windows OSs are "attractive nuisances" and that legal argument can be used to hold Microsoft responsible for not putting an adequate "fence" around their "attractive nuisance".
I call BS. Windows has its problems, but it is the most commonly exploited as it holds the largest market share. Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can. I've seen plenty of webmail/php/cgi hacks to not blame M$ for having market share. Jack
On 12/8/2010 08:06, Jack Bates wrote:
I call BS. Windows has its problems, but it is the most commonly exploited as it holds the largest market share. Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can.
And end users clicking/running every shiny thing they come across, consequences be damned. ~Seth
On 12/8/2010 3:04 PM, Seth Mattinen wrote:
On 12/8/2010 08:06, Jack Bates wrote:
I call BS. Windows has its problems, but it is the most commonly exploited as it holds the largest market share. Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can. And end users clicking/running every shiny thing they come across, consequences be damned.
ActiveX is the problem. It's got about as much security as a piece of Swiss cheese.
i found it funny how M$ started giving away virus/security software for its OS. it can't fix the leaky roof, so it includes a roof patch kit. (and puts about 10 companies out of business at the same time)
Many Windows infections I've seen occur not due to the OS, but due to lack of patching of applications on the OS. The system does as much as it can.
which applications are home users using which are exploited more than RPC and friends? -g
Greg Whynott writes:
i found it funny how M$ started giving away virus/security software for its OS. it can't fix the leaky roof, so it includes a roof patch kit. (and puts about 10 companies out of business at the same time)
I actually like the new arrangement better, where Microsoft provides the security software to its OS customers "for free". The previous setup had third parties (anti-virus vendors) profiting from the weaknesses in Microsoft's software. The new arrangement provides better incentives for fixing the security weaknesses at the source, at least as far as Microsoft is concerned. Even for third-party providers of buggy software, Microsoft probably has better leverage towards them than the numerous anti-virus vendors. But then maybe my armchair economics are totally wrong. -- Simon.
Hello: On 12/8/10 10:43 AM, JC Dill wrote:
On 08/12/10 4:28 AM, Arturo Servin wrote:
One big problem (IMHO) of DDoS is that sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet.
Many third party vendors like Adobe, Sun and others are just as culpable in this sense, if not more. A large majority of the vulnerabilities leveraged to deploy modern malware / botnets come from these client-side applications (e.g. flash, reader, java, etc) and not the OS specifically. It's beyond the point that we can blame just Microsoft. Yes, they can get better, but they've actually made great strides in software security in the last few years. Now that the other vendors are starting to feel the pain, hopefully they'll start to follow suit. Aaron
On Wed, 08 Dec 2010 07:43:52 PST, JC Dill said:
Why isn't ANYONE going after Microsoft over this? If Microsoft were held accountable for the spam and DDOSs that spew from their crappy software, they would find a way to stop the problem. I've raised this issue before, IMHO Windows OSs are "attractive nuisances" and that legal argument can be used to hold Microsoft responsible for not putting an adequate "fence" around their "attractive nuisance".
Unfortunately, this is one you really don't want to do. Microsoft's current offerings are about as hardened as the competition (Apple and Linux, mostly) right out of the box. And it's not clear that you can *make* a system much harder and still sell it to consumers (try using a Linux box with SELinux turned on in full MLS/MCS mode - quite secure, but *not* the easiest thing in the world to admin, especially if you ever add a third-party program that doesn't have a suitable MLS security policy description already).
If all the big ISPs banded together to file suit against Microsoft, they could share the cost (and pain) of the lawsuit.
And if you win the lawsuit, what does that get you? Microsoft goes broke, quits shipping security updates to everybody - and things are even worse than before, because now *everybody* is unpatched. The second issue is that if you *do* establish a legal precedent that software vendors are liable for faults no matter what the contract/EULA says, you're going to see pretty much all the open-source projects pack up and go home unless they find a way to protect themselves. Quite likely some commercial software vendors will bail as well, or charge a *lot* more for their stuff. Be careful what you ask for, for you may surely get it.
On 08/12/10 1:38 PM, Valdis.Kletnieks@vt.edu wrote:
The second issue is that if you *do* establish a legal precedent that software vendors are liable for faults no matter what the contract/EULA says,
It doesn't matter what contract an auto maker makes with someone who purchases the car, if the brakes fail and the car hits ME, I can sue the auto maker due to the defective brakes. If they design the car in a way that a 3rd party can easily tamper with the brakes, and then the car hits me, I can also sue the auto maker. They are legally required to take due care in how they design the car to ensure that innocent bystanders aren't injured or killed by a design defect. IMHO, there's no difference in the core responsibility that software makers should be held to, to ensure that their software isn't easily compromised and used to attack and injure 3rd parties. The EULA is a red herring, as it only applies to the purchaser (who agrees to the EULA when they purchase the computer or software), not to 3rd parties who are injured. If the software doesn't work as designed and the purchaser is unhappy, that's between them and the company they bought the software from. But when it injures a 3rd party, that's a whole different ball game. I truly don't understand why ISPs (who bear the brunt of the burden of the fall-out from the compromised software, as they fight spam and have to provide customer support to users who complain that the "internet is slow" etc.) haven't said ENOUGH. jc
On Wed, Dec 8, 2010 at 8:02 PM, JC Dill <jcdill.lists@gmail.com> wrote:
On 08/12/10 1:38 PM, Valdis.Kletnieks@vt.edu wrote:
The second issue is that if you *do* establish a legal precedent that software vendors are liable for faults no matter what the contract/EULA says,
It doesn't matter what contract an auto maker makes with someone who purchases the car, if the brakes fail and the car hits ME, I can sue the auto maker due to the defective brakes. If they design the car in a way that a 3rd party can easily tamper with the brakes, and then the car hits me, I can also sue the auto maker. They are legally required to take due care in how they design the car to ensure that innocent bystanders aren't injured or killed by a design defect. IMHO, there's no difference in the core responsibility that software makers should be held to, to ensure that their software isn't easily compromised and used to attack and injure 3rd parties. The EULA is a red herring, as it only applies to the purchaser (who agrees to the EULA when they purchase the computer or software), not to 3rd parties who are injured.
If the software doesn't work as designed and the purchaser is unhappy, that's between them and the company they bought the software from. But when it injures a 3rd party, that's a whole different ball game. I truly don't understand why ISPs (who bear the brunt of the burden of the fall-out from the compromised software, as they fight spam and have to provide customer support to users who complain that the "internet is slow" etc.) haven't said ENOUGH.
jc
If you look at the national vulnerability database listings, though, it's really not clear who you'd need to go after: http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vul... Granted, that was two years ago; but it sure seems that just vilifying Microsoft, satisfying though it might be, would be to ignore the breadth of the problem. Matt
If you look at the national vulnerability database listings, though, it's really not clear who you'd need to go after:
http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx
Granted, that was two years ago; but it sure seems that just vilifying Microsoft, satisfying though it might be, would be to ignore the breadth of the problem.
Matt
Is anyone actually using Ubuntu 6.06LTS anymore? That was published for Q1 2008, that was almost three years ago which in "internet years" is a long time. One also has to wonder (since the link to the original paper seems to be dead) if that was "out of the box" 6.06LTS or 6.06LTS kept updated with the security releases.
On Thursday, December 09, 2010 03:43:11 am George Bonser wrote:
Is anyone actually using Ubuntu 6.06LTS anymore? That was published for Q1 2008, that was almost three years ago which in "internet years" is a long time.
Yes. I have some desktop users still on 6.06LTS, and they are kept updated. Plans to migrate to CentOS 6 are in the works, with very careful application mapping for the least user retraining, and we should be able to do the migration shortly after CentOS 6 is out, which could be a little while (I would guess February or March timeframes for final C6 release, personally, press reports notwithstanding). So we're taking our time doing that. Further, I know of RH9 and RH8.0 systems still in production, and have a Red Hat Linux 5.2 box still in (not connected to the Internet) production, where it's run for the last 12 years, with a few hardware repairs and upgrades over the years. It wouldn't be wise to run that box on an open Internet connection; but for the application it serves it works, and retooling the app to run on something later isn't currently an option (the app uses libc5, and the version in Red Hat Linux 6 doesn't get along with the app very well). It will soon be time to virtualize it, and, like COBOL and FORTRAN apps of yesteryear, it will live on and on and on and on...
On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet.
I often disagree vehemently with JC, but not this time. I've been studying bot-generated spam for most of the last decade, and to about 6 nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.) The botnet problem is a Microsoft problem. Now...whether the botnet problem will still be a Microsoft problem in 2015: can't say. Clearly attackers have plenty of reasons to attack other systems and in some cases, they'll be successful. But it appears that to date, the advantages they might accrue from owning a box running one of the superior operating systems are outweighed by the costs of the effort to do so. (With a few rare exceptions, of course.) But you don't have to take my word for this. Turn on passive OS fingerprinting on your MX's and start recording data, including DNS and rDNS, putative sender, recipient, etc. Accumulate a couple years' worth and analyze. This is why some rather effective defensive techniques (not just for spam) can be constructed by differentiating traffic based on the operating system of the host originating that traffic. ---rsk
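The "fingerprint, record, analyze" procedure above, as an added example that is not part of the thread: a small Python script that infers a sending host's OS family from the TTL a passive fingerprinter observed, tallies spam versus ham per family over a constructed connection log, and flags the Windows-on-dynamic-rDNS profile. The log format, the TTL-to-family table and the dynamic-hostname pattern are assumptions of this example, not output of any real tool such as p0f.

```python
import ipaddress
import re
from collections import defaultdict

# Hosts send with one of a few initial TTLs; what the MX observes is that
# value minus the hop count, so rounding up recovers the original.  The
# TTL-to-family mapping is a coarse assumption of this example (real passive
# fingerprinters match full TCP/IP signatures, not just TTL).
INITIAL_TTLS = (32, 64, 128, 255)
TTL_FAMILY = {32: "windows-9x", 64: "unix-like", 128: "windows", 255: "other"}
# Assumed pattern for residential/dynamic rDNS names.
DYNAMIC_RDNS = re.compile(r"(dsl|cable|dyn|ppp|pool|dhcp)", re.IGNORECASE)


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial TTL."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    raise ValueError("TTL out of range: %d" % observed_ttl)


def infer_os_family(observed_ttl):
    return TTL_FAMILY[infer_initial_ttl(observed_ttl)]


def parse_line(line):
    """Parse 'TS src=IP ttl=N win=N rdns=HOST from=ADDR verdict=spam|ham'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    ipaddress.ip_address(rec["src"])          # reject malformed addresses
    rec["ttl"] = int(rec["ttl"])
    rec["win"] = int(rec["win"])              # kept for later signature work
    rec["os"] = infer_os_family(rec["ttl"])
    # A Windows host behind a dynamic-looking rDNS name is the classic bot profile.
    rec["suspect"] = rec["os"] == "windows" and bool(DYNAMIC_RDNS.search(rec["rdns"]))
    return rec


def tally_by_os(lines):
    """Count spam and ham verdicts per inferred OS family."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            counts[rec["os"]][rec["verdict"]] += 1
    return dict(counts)


def spam_ratio(counts, family):
    """Fraction of connections from a family that were spam (0.0 if unseen)."""
    c = counts.get(family, {"spam": 0, "ham": 0})
    total = c["spam"] + c["ham"]
    return c["spam"] / total if total else 0.0


# Constructed sample log (documentation-range addresses, invented rDNS names).
SAMPLE_LOG = """\
2010-12-09T10:00:01 src=203.0.113.10 ttl=113 win=65535 rdns=dsl-10.example.net from=a@example.org verdict=spam
2010-12-09T10:00:02 src=198.51.100.7 ttl=52 win=5840 rdns=mx1.example.com from=b@example.com verdict=ham
2010-12-09T10:00:03 src=203.0.113.11 ttl=118 win=8192 rdns=cable-11.example.net from=c@example.org verdict=spam
2010-12-09T10:00:04 src=203.0.113.12 ttl=121 win=16384 rdns=host-12.example.net from=d@example.org verdict=ham
2010-12-09T10:00:05 src=198.51.100.8 ttl=57 win=14600 rdns=smtp.example.org from=e@example.org verdict=ham
2010-12-09T10:00:06 src=192.0.2.9 ttl=244 win=49640 rdns=relay.example.edu from=f@example.edu verdict=ham
"""

if __name__ == "__main__":
    counts = tally_by_os(SAMPLE_LOG.splitlines())
    for family, c in sorted(counts.items()):
        print("%-12s spam=%d ham=%d ratio=%.2f" % (family, c["spam"], c["ham"], spam_ratio(counts, family)))
```

With a couple of years of real MX data in place of the six constructed lines, the per-family ratios are what a reputation or greylisting policy would weight on.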
On Thu, Dec 9, 2010 at 3:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet.
I often disagree vehemently with JC, but not this time.
I've been studying bot-generated spam for most of the last decade, and to about 6 nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.)
The botnet problem is a Microsoft problem.
OK. People took exception to my last message, as the data from it was 2 years old. Here's data from 2010, which shows that the problem isn't the MSFT OS itself; it's the third-party apps that people happily double click on and install willy-nilly: http://blogs.computerworld.com/16575/security_firm_says_apple_has_more_secur... (yes, you have to read past some apple bashing at the beginning; get past that, and you hit the real aspect, which is that the major security vulnerabilities exist in third party applications, rather than the OS itself.) So, as much as I love Microsoft bashing as much as the next person (and the folks here know there's definite reasons why I'll usually be one of the first in line to bash them, when the situation calls for it), in this case, putting the thumbscrews to Microsoft isn't going to fix buggy Acrobat Reader software, and all those other third party apps that people use to exploit the platform.
Now...whether the botnet problem will still be a Microsoft problem in 2015: can't say. Clearly attackers have plenty of reasons to attack other systems and in some cases, they'll be successful. But it appears that to date, the advantages they might accrue from owning a box running one of the superior operating systems are outweighed by the costs of the effort to do so. (With a few rare exceptions, of course.)
The sheer volume of bots may still be Windows boxes, yes; but that doesn't mean the initial vulnerability and exploit happened anywhere in the Microsoft code base. Look at how many vulnerabilities have been listed for Adobe Acrobat Reader, for example: https://secunia.com/advisories/product/19237/ 159 vulnerabilities in Adobe Reader, vs 69 in Windows 7: https://secunia.com/advisories/product/27467/
But you don't have to take my word for this. Turn on passive OS fingerprinting on your MX's and start recording data, including DNS and rDNS, putative sender, recipient, etc. Accumulate a couple years' worth and analyze.
This is why some rather effective defensive techniques (not just for spam) can be constructed by differentiating traffic based on the operating system of the host originating that traffic.
Sure, there are more Windows boxes out there than any other OS. But that doesn't mean the weaknesses and vulnerabilities being exploited are *part of the native OS*. If the OS is 100% bulletproof, but users are still installing insecure third party apps that are riddled with holes, you're still going to see more botnet machines with that OS fingerprint than any other, simply based on their overall percentage representation out of the total count of computers; but hammering on the OS vendor isn't going to do *anything* to slow down the rate of infection--there isn't anything more they can do. So--as much as I dislike Microsoft, beating on them isn't the answer here. Tell people to stop installing buggy software like Adobe Acrobat Reader, and you'll get closer to stemming the tide of infections. Matt
On Thu, 09 Dec 2010 06:45:45 EST, Rich Kulawiec said:
I've been studying bot-generated spam for most of the last decade, and to about 6 nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.)
The botnet problem is a Microsoft problem.
If it's a Flash exploit, and the miscreants only do a Windows version because that gets them 85% of the targets and they feel the effort of creating a Mac/Linux version isn't worth the incremental 15%, then you'll only see hits from Windows boxes. But how does that make it a Microsoft problem? You don't see spam from many Linux boxes because there aren't enough Linux boxes to make it cost-effective to develop malware for. If you need 5,000 bots, it's easier to find 5,000 Windows targets than finding 5,000 Linux targets. And the reason you don't see worms that target z/OS or VMS or Irix isn't because of their inherent security. The only way you'll get it to be a non-Microsoft problem is by changing the playing field enough so that OSX and Linux and others have enough market share that targeting just Windows is a losing strategy. Good luck with that. Meanwhile, ponder what I mentioned in a previous mail - Windows is *already* close to "as secure as you can sell to an end user". Consider these Google results for SELinux:
SELinux howto - about 96,900 results
SELinux disable - about 178,000 results
SELinux turn off - about 199,000 results
It's pretty obvious that there is a point where most users won't put up with the inconvenience of security, and SELinux is already on the far side of it, even for the probably-more-technical users of Linux. How are you going to sell similar hardening to Joe Sixpack, given that most of the hardening will result in either additional "are you sure?" pop-ups or breakage of things they bought the computer to do? The first time a user gets fragged in WoW or other game because the security threw up a pop-up at an inopportune time, that user *will* look for a way to turn the security off.
participants (14): Aaron Peterson, Arturo Servin, Curtis Maurand, Dobbins, Roland, George Bonser, Greg Whynott, Jack Bates, JC Dill, Lamar Owen, Matthew Petach, Rich Kulawiec, Seth Mattinen, Simon Leinen, Valdis.Kletnieks@vt.edu