Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect. John
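The "spoof-capable network" in this exchange is one whose access edge forwards packets without checking that the source address belongs to the customer behind the port. The following is an added illustration, not code from any list member: a small simulation of BCP 38-style source-address validation (unicast RPF, strict and loose) on single-homed access ports, with a per-port drop counter of the kind an operator would use to see which port spoofed traffic is entering through. The interface names, prefixes and packets are constructed from RFC 5737 documentation ranges; the FIB is a plain dictionary standing in for the router's forwarding table.

```python
"""BCP 38-style source-address validation on single-homed access ports, simulated.
Added illustration; the interface names, prefixes and packets are constructed
(RFC 5737 documentation ranges), not data from the thread."""
from collections import Counter
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed forwarding table: prefix -> access interface it is reached through.
# In practice this is the router's FIB; only customer-facing ports are modelled.
FIB: Dict[IPv4Network, str] = {
    ip_network("198.51.100.0/26"): "ge-0/0/1",   # customer A's assignment
    ip_network("198.51.100.64/26"): "ge-0/0/2",  # customer B's assignment
    ip_network("192.0.2.0/24"): "ge-0/0/3",      # customer C's assignment
}

Packet = Tuple[str, str, str]  # (ingress interface, source address, destination address)


def lookup(src: str) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match for src; None when no route covers it."""
    addr = ip_address(src)
    best = None
    for prefix, ifname in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_permits(src: str, ingress: str, mode: str = "strict") -> bool:
    """Unicast RPF check.

    strict: the source must be reachable through the port it arrived on.
    loose:  any route to the source suffices (weaker; the fallback on
            multihomed or asymmetric ports, and it lets one customer use
            another customer's addresses).
    """
    route = lookup(src)
    if route is None:                 # no route at all: cannot be a legitimate source
        return False
    if mode == "loose":
        return True
    return route[1] == ingress


def filter_packets(packets: List[Packet], mode: str = "strict") -> Tuple[List[Packet], Counter]:
    """Apply the check at ingress; return accepted packets and drops per port.

    The per-port drop counter is the operationally useful part: a port that
    keeps dropping is the port behind which spoofing originates.
    """
    accepted: List[Packet] = []
    dropped: Counter = Counter()
    for ingress, src, dst in packets:
        if urpf_permits(src, ingress, mode):
            accepted.append((ingress, src, dst))
        else:
            dropped[ingress] += 1
    return accepted, dropped


# Constructed traffic sample.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.200"),    # A using its own address: fine
    ("ge-0/0/1", "203.0.113.9", "192.0.2.200"),     # A sourcing an address nobody here owns
    ("ge-0/0/2", "198.51.100.7", "192.0.2.200"),    # B sourcing one of A's addresses
    ("ge-0/0/2", "198.51.100.70", "198.51.100.8"),  # B using its own address: fine
    ("ge-0/0/1", "203.0.113.10", "192.0.2.201"),    # A sourcing a foreign address again
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        ok, drops = filter_packets(SAMPLE_PACKETS, mode)
        print(f"{mode}: accepted {len(ok)}, dropped per port {dict(drops)}")
```

Strict mode drops three of the five packets and attributes two of them to ge-0/0/1; loose mode lets the third one through, because 198.51.100.7 is routable somewhere, which is exactly the gap that makes loose mode a poor substitute on single-homed customer ports.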
On Sunday, September 25, 2016, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
Ok, sorry for not being exact. I am trying to be practical. My point is, a lot of access networks will respond to public pressure if the data is exposed on the offending real IPs of the IoT crap, and they will enforce their AUP. We have seen Comcast do just that, on this list a few months back. That path has legs. Google also blocks service to certain hacked networks as well, we have seen that on this list too. That is an interesting angle in the Krebs case. Will Google block service to folks sharing IP with the IoT DDoS mess?
Sorry but you are mistaken. I've worked at Sr. levels for several LARGE and medium-sized networks. What does it cost and what do we make doing it, overrules what is "good for the internet" every time it came up. On Sun, Sep 25, 2016 at 2:27 PM, Ca By <cb.list6@gmail.com> wrote:
On Sunday, September 25, 2016, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
Ok, sorry for not being exact. I am trying to be practical.
My point is, a lot of access networks will respond to public pressure if the data is exposed on the offending real IPs of the IoT crap, and they will enforce their AUP.
We have seen Comcast do just that, on this list a few months back. That path has legs.
Google also blocks service to certain hacked networks as well, we have seen that on this list too. That is an interesting angle in the Krebs case. Will Google block service to folks sharing IP with the IoT DDoS mess?
On Sunday, September 25, 2016, jim deleskie <deleskie@gmail.com> wrote:
Sorry but you are mistaken. I've worked at Sr. levels for several LARGE and medium-sized networks.
mazel tov
What does it cost and what do we make doing it, overrules what is "good for the internet" every time it came up.
100% agree. That's why I want to see a pie chart of attribution. Charter had this, VZ had that, and so on. Headline reads "XYZ ISP totally hacked, network overrun with bots takes down journalists... FCC and DHS demand heads roll... Congress yells at CEO... investors dump stock." Perhaps release the article to the brass first, with an alternate headline "XYZ ISP seriously commits to security, partners to secure critical infrastructure." You have 2 weeks to pick the story.
On Sun, Sep 25, 2016 at 2:27 PM, Ca By <cb.list6@gmail.com> wrote:
On Sunday, September 25, 2016, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
Ok, sorry for not being exact. I am trying to be practical.
My point is, a lot of access networks will respond to public pressure if the data is exposed on the offending real IPs of the IoT crap, and they will enforce their AUP.
We have seen Comcast do just that, on this list a few months back. That path has legs.
Google also blocks service to certain hacked networks as well, we have seen that on this list too. That is an interesting angle in the Krebs case. Will Google block service to folks sharing IP with the IoT DDoS mess?
Has anyone stopped to consider what a gift these hackers gave all of us? They exposed their capabilities and nobody got hurt. We all had a notion as to what sort of attacks were possible in theory. Now we have reality. Business being what it is, customers may not be interested in others' security, but IoT being what it is, they might be interested in their own: in this instance, as I understand it, cameras were involved. If a camera could be used to attack someone else, it could be used to invade the privacy of the owner. If consumers come to see that as a threat, that'd be a good first step to internalizing what was an externality. At that point you can sell something. Big if, though. Eliot On 9/25/16 7:00 PM, John Kristoff wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
This time around it's not about spoofing. I presume this is a development of the same botnet/worm that we saw on day 2 of the Shellshock public disclosure - it was pretty high-tech - golang, ARM/MIPS/x86 support, multiple attack vectors - including (surprisingly) very effective password guessing. It counted ~100k heads on day 2, and I suppose they did grow quite a bit. That's part of the problem of why they cause that much havoc - they do have real IP addresses and are reasonably well connected - so they can wreak havoc on bandwidth and the TCP stack. They most likely do not have enough resources to do a full browser stack, that's why I think the L7 capabilities of the botnet will be very basic. On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
-- Alexander Lyamin CEO | Qrator Labs <http://qrator.net/> office: 8-800-3333-LAB (522) mob: +7-916-9086122 skype: melanor9 mailto: la@qrator.net
This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machines would make it almost certain that anything directed at the blog is a compromised machine. A phone call to the customer / further analysis would reduce the false positive rate. Mark In message <CALoKGd2oN=mq_Gn75UrugUPDKfGPeD6cfq_AY+f-M1XUaCo46Q@mail.gmail.com>, Alexander Lyamin writes:
This time around it's not about spoofing.
I presume this is a development of the same botnet/worm that we saw on day 2 of the Shellshock public disclosure - it was pretty high-tech - golang, ARM/MIPS/x86 support, multiple attack vectors - including (surprisingly) very effective password guessing. It counted ~100k heads on day 2, and I suppose they did grow quite a bit.
That's part of the problem of why they cause that much havoc - they do have real IP addresses and are reasonably well connected - so they can wreak havoc on bandwidth and the TCP stack.
They most likely do not have enough resources to do a full browser stack, that's why I think the L7 capabilities of the botnet will be very basic.
On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff <jtk@depaul.edu> wrote:
On Sun, 25 Sep 2016 14:36:18 +0000 Ca By <cb.list6@gmail.com> wrote:
As long as there is one spoof-capable network on the net, the problem will not be solved.
This is not strictly true. If it could be determined where a large bulk of the spoofing came from, public pressure could be applied. This may not have been the issue in this case, but in many amplification and reflection attacks, the originating spoof-enabled networks were from a limited set of networks. De-peering, service termination, shaming, etc. could have an effect.
John
--
Alexander Lyamin
CEO | Qrator Labs <http://qrator.net/>
office: 8-800-3333-LAB (522)
mob: +7-916-9086122
skype: melanor9
mailto: la@qrator.net
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
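Mark's suggestion above is a baseline comparison: hosts that normally send next to nothing toward the blog but suddenly push large volumes at it during the attack window are very probably bots, and the residual false positives (real readers, chatty monitoring boxes) are what the phone call or further analysis sorts out. The following is an added example, not code from Mark or from any list member, showing that comparison over flow records of the NetFlow/IPFIX kind an access network already collects. The attacked prefix, the customer range, the thresholds and the flow records are all constructed (RFC 5737 ranges) and are assumptions to tune per network.

```python
"""Flag customer hosts whose traffic toward an attacked prefix jumps during an
attack window, relative to a pre-attack baseline.  Added illustration; all
addresses, thresholds and flow records are constructed (RFC 5737 ranges)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed values: the attacked site's prefix and our own customer address space.
TARGET_PREFIX = ip_network("192.0.2.0/24")
CUSTOMER_PREFIX = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    """One exported flow record, trimmed to the fields this check needs."""
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    packets: int


def packets_toward_target(flows: List[Flow], window: Tuple[int, int]) -> Dict[str, int]:
    """Sum packets per customer source toward the target inside [start, end)."""
    start, end = window
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if not (start <= f.ts < end):
            continue
        if ip_address(f.src) not in CUSTOMER_PREFIX or ip_address(f.dst) not in TARGET_PREFIX:
            continue
        totals[f.src] += f.packets
    return dict(totals)


def candidate_bots(flows: List[Flow], baseline: Tuple[int, int], attack: Tuple[int, int],
                   min_packets: int = 1000, ratio: int = 20) -> Dict[str, Tuple[int, int]]:
    """Return {src: (attack_pkts, baseline_pkts)} for hosts worth a follow-up call.

    A host is flagged when it sends at least `min_packets` toward the target in
    the attack window AND that is `ratio` times its baseline.  The floor keeps
    genuine readers who loaded the site during the attack out of the list; the
    ratio keeps chronically chatty but legitimate hosts (monitoring, feed
    pollers) out.  Both thresholds are assumptions, not values from the thread.
    """
    base = packets_toward_target(flows, baseline)
    atk = packets_toward_target(flows, attack)
    flagged: Dict[str, Tuple[int, int]] = {}
    for src, pkts in atk.items():
        b = base.get(src, 0)
        if pkts >= min_packets and pkts >= ratio * max(b, 1):
            flagged[src] = (pkts, b)
    # Highest attack volume first: the order you would work the call list in.
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1][0]))


# Constructed sample: one hour of baseline, then one hour of attack.
BASELINE = (0, 3600)
ATTACK = (3600, 7200)
SAMPLE_FLOWS = [
    Flow(100, "198.51.100.10", "192.0.2.5", 443, 12),       # .10 reads the blog normally
    Flow(4000, "198.51.100.10", "192.0.2.5", 80, 25000),    # .10 floods during the attack
    Flow(4300, "198.51.100.10", "192.0.2.5", 80, 30000),
    Flow(4100, "198.51.100.20", "192.0.2.5", 443, 40),      # .20 is a real reader during the attack
    Flow(200, "198.51.100.30", "192.0.2.5", 443, 400),      # .30 polls the feed all day
    Flow(4200, "198.51.100.30", "192.0.2.5", 443, 900),
    Flow(4500, "198.51.100.40", "192.0.2.9", 80, 80000),    # .40 never touched the site before
    Flow(4600, "203.0.113.5", "192.0.2.5", 80, 90000),      # not our customer: ignored
    Flow(4700, "198.51.100.40", "198.51.100.1", 53, 5000),  # DNS to the resolver, not the target: ignored
]

if __name__ == "__main__":
    for src, (atk, base) in candidate_bots(SAMPLE_FLOWS, BASELINE, ATTACK).items():
        print(f"{src}: {atk} packets toward target during attack (baseline {base})")
```

On the sample, .40 and .10 come out as the call list; .20 stays below the packet floor and .30 stays below the ratio, which is the false-positive handling the message alludes to. Sampled NetFlow undercounts small flows, so on real exports the floor has to be set with the sampling rate in mind.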
On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews <marka@isc.org> wrote:
This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machines would make it almost certain that anything directed at the blog is a compromised machine. A phone call to the customer / further analysis would reduce the false positive rate.
Mark
I wish you luck with that. Explaining to grandma that her Samsung smart TV has been rooted and needs to be updated should be good fun. For ISPs it's a resourcing vs revenue problem. Always has been. Always will be. Far more inclined to hold liable the folks that are churning out terribly dangerous CPE / IoT(shit). Surely some regulatory body is looking into this.
On Sep 25, 2016, at 5:50 PM, ryan landry <ryan.landry@gmail.com> wrote:
On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews <marka@isc.org> wrote:
This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machines would make it almost certain that anything directed at the blog is a compromised machine. A phone call to the customer / further analysis would reduce the false positive rate.
Mark
I wish you luck with that. Explaining to grandma that her Samsung smart TV has been rooted and needs to be updated should be good fun.
For ISPs it's a resourcing vs revenue problem. Always has been. Always will be. Far more inclined to hold liable the folks that are churning out terribly dangerous CPE / IoT(shit). Surely some regulatory body is looking into this.
Yeah, ‘cause that was so successful in the past. Remember University of Wisconsin vs. D-Link and their hard-coded NTP server address? -- TTFN, patrick
On 9/25/16, 5:57 PM, "NANOG on behalf of Patrick W. Gilmore" <nanog-bounces@nanog.org on behalf of patrick@ianai.net> wrote:
Yeah, ‘cause that was so successful in the past. Remember University of Wisconsin vs. D-Link and their hard-coded NTP server address?
Ha! Yeah, an oldie but a goodie. Anyway, maybe this time will be different? (I’m an optimist.) FWIW, a few of the list members here are working on a BITAG paper on this – which will likely get some traction in policy/regulatory circles once completed. A simple paper certainly won’t turn the tide but if the paper is finished soon it presents an opportunity to get a bit wider notice & impact than it perhaps otherwise would. Jason
Thus spake Patrick W. Gilmore (patrick@ianai.net) on Sun, Sep 25, 2016 at 05:57:42PM -0400:
On Sep 25, 2016, at 5:50 PM, ryan landry <ryan.landry@gmail.com> wrote:
On Sun, Sep 25, 2016 at 9:07 PM, Mark Andrews <marka@isc.org> wrote:
This is such a golden opportunity for each of you to find compromised hosts on your network or your customer's network. The number of genuine lookups of the blog vs the number of botted machines would make it almost certain that anything directed at the blog is a compromised machine. A phone call to the customer / further analysis would reduce the false positive rate.
Mark
I wish you luck with that. Explaining to grandma that her Samsung smart TV has been rooted and needs to be updated should be good fun.
For ISPs it's a resourcing vs revenue problem. Always has been. Always will be. Far more inclined to hold liable the folks that are churning out terribly dangerous CPE / IoT(shit). Surely some regulatory body is looking into this.
Yeah, ‘cause that was so successful in the past.
Remember University of Wisconsin vs. D-Link and their hard-coded NTP server address?
Interestingly, this was just recently looked at again for the Internet of Things Software Update Workshop (IoTSU). See: http://pages.cs.wisc.edu/~plonka/iotsu/IoTSU_2016_paper_25.pdf 3,564 devices still remain. best, Dale
Sun, Sep 25, 2016 at 05:57:42PM -0400, Patrick W. Gilmore wrote:
Remember University of Wisconsin vs. D-Link and their hard-coded NTP server address?
UW vs Netgear and Poul-Henning Kamp vs D-Link, both on NTP stuff? -- Eygene Ryabinkin, National Research Centre "Kurchatov Institute" Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
I wish you luck with that. Explaining to grandma that her Samsung smart TV has been rooted and needs to be updated should be good fun.
The sad thing is that if we boot out grandma they will just switch to one of our competitors and the TV will still be a bot. You can't win.
Baldur Norddahl wrote:
The sad thing is that if we boot out grandma they will just switch to one of our competitors and the TV will still be a bot. You can't win.
Good thing the smart TV / other IoT manufacturers have taken the responsible approach and have committed to providing lifetime software updates for all the Internet-connected devices they manufacture. Nick
Hi Ryan, On 9/25/16 11:50 PM, ryan landry wrote:
For ISPs it's a resourcing vs revenue problem. Always has been.
Sure. The question is whether IoT can make a change in consumer attitudes. Riek, Bohme, et al have been working on this [1]. And there is earlier work as well. What that earlier work shows, by the way, is that if someone suffers a loss, or even if they know someone who suffers a loss, they'll become considerably more risk averse towards Internet technology, to one extent or another. The Riek analysis doesn't really take into account IoT, by the way. It just looks at losses. But I think the logic is likely to hold as IoT creates more risks. The question is whether the impact will increase, and whether those losses will motivate market opportunities for SPs. I think there's a good chance of that if the solution doesn't involve a vast amount of work on the consumer's part. Eliot [1] "Estimating the costs of consumer-facing cybercrime: A tailored instrument and representative data for six EU countries", http://weis2016.econinfosec.org/wp-content/uploads/sites/2/2016/05/WEIS_2016...
participants (13)
- Alexander Lyamin
- Baldur Norddahl
- Ca By
- Dale W. Carder
- Eliot Lear
- Eygene Ryabinkin
- jim deleskie
- John Kristoff
- Livingood, Jason
- Mark Andrews
- Nick Hilliard
- Patrick W. Gilmore
- ryan landry