Is it confirmed yet that so-called IoT devices were the bots?

Bruce was on point if so, arguing a couple weeks ago that accountability needs to happen on the manufacturers:

"What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.

Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

"

https://www.schneier.com/blog/archives/2016/10/security_econ... ("Security Economics of the Internet of Things")

Schneier wrote about related attacks just over a month ago in a post titled "Someone Is Learning How to Take Down the Internet" (https://www.schneier.com/blog/archives/2016/09/someone_is_le...)

Irony alert:

> "But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack."

Pushing your infrastructure to cloud computing is not decentralization - it's centralization, and we're all doing it. Imagine if an attack like this was against AWS... we'd all be screwed.

We seem to be needing more concerted action on what is a consumer minimum standard for an internet connected device.

Consumer devices have to be more secure because if the low user skill level - and interest.

I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of uogradbility and security for devices we will just keep handing over our devices to the first person to scan them.

It's fashionable to blame Russia these days, but what country manufactures the most IoT devices, and has the type of government that could mandate backdoor access?

> It is too early to determine who was behind Friday’s attacks, but it is this type of DDoS attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.

> Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so.

I had no idea any states allowed voting online. I wonder if the general population will ever get access to that.

This seems so out of the blue, the last attack was targeting krebs for exposing extortionists. Who is being attacked this time and why?

There is a lot of talk of iot botnets but little to no evidence. This seems too vague and up in the air.

If all it takes is script kiddies and random extortionists to generate such large 1 Tbps scale attacks then we appear to be reliant on an unbelievably fragile base.

There is a growing realization of the need for more decentralization of services but these kind of attacks is going to drive more centralization if only Google scale companies can manage to stay up. I think this is drop everything and fix time for the IT profession.

Wikileaks tweeted:

"Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. "

Link: https://twitter.com/wikileaks/status/789574436219449345

If their claim is true, does anyone think, it will turn many sympathizers against them? I don't think attacking normal bushiness is a good thing to do.

So. Can we start talking about changing internet protocols to strengthen the integrity of internet network services against DoS attack?

Currently, the internet is very very open (as long as you don't live in certain countries). A baby monitor in Kansas can send arbitrary traffic to a router connecting a major financial services company in Hong Kong to an internet backbone. The idea, in a very hippy, world peace kinda way, is nice. But... probably not something we need to happen, much less should want to happen or allow, if good sense prevailed.

We have hacks in place that can prevent that particular situation from becoming too much trouble, but if you have enough baby monitors, something somewhere is going to choke. And really this is the point to me: you [as the network service provider] should not have to have carrier-grade infrastructure to avoid this scenario. If Casey Brogrammer wants to prop up a start-up on her DSL line (do people still have DSL?) she should be able to without fear of DoS. How do we do that?

I have no idea. But i'm betting it would require some rearchitecting of the internet and heavily modified protocols. Personally, I think the global BGP tables are gross (and, let's face it people, depending on RAM to perpetually increase in size while simultaneously decreasing in cost ad infinitum is not a realistic scaling mechanism), I think the many flaws in modern tcp/ip protocols are not designed with specific enough use cases in mind, and that the generalist design of the modern Internet has become more of a hindrance to efficiency and progress than a benefit. There is absolutely no requirement that we keep engineering ourselves into a corner, and IPv6 sure as shit isn't going to solve it.

Extensive commentary on this topic is in the update from Dyn - https://news.ycombinator.com/item?id=12759697

"And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected..."

Is that really confirmed or just the reporter writing gossip.

Is this the end of the Internet that news.com predicted back in 1995?

Harold Martin held without bail (high risk of flight) accused of theft of 20 years worth of government (NSA) tools/data, Trump stating he will not concede the election, tens of millions of IoT devices used in DDOS attack, Assange (wikileaks originator) cut off from internet, DNC hacked and exposed.

A conspiracy theorists dream.

I wonder why companies affected by these IoT-enabled DDoS attacks don't sue the companies building those devices, as they currently often choose security over convenience when it comes to securing them. If you can forensically prove that a large fraction of the attack was carried out using a given type of device it should be possible to hold the manufacturer liable for the damage, at least if no reasonable measures were taken to secure it (using blank or default passwords on the device could count as gross negligence).

I even kind of wish that somebody would do this, as it would finally provide a strong incentive for the manufacturers to think about security.

Kind of makes me wonder - why let up? Can it be mitigated at all? Wouldn't they have done so by now. Be interesting if they just kept piling it on until they've got the whole internet on it's knees.

One of the Krebs articles mentioned an idea of a certification (similar to UL) which could be on products like DVRs and web cams. You can't ever certify something as completely secure of course, but the certification could indicate "firmware updatable", "no hard-coded default passwords" and "where there are passwords they are generated randomly and unique to each specific product" (not family of products). Maybe even "consumer can change all passwords to new randomly generated values". I can't say that all or even many consumers will care, but if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised, maybe a good number of consumers would start to look for that certification when they buy. Which is important because, let's face it, if insecure products don't actually impact sales then a lot of companies aren't going to care at all. You can try to punish bad behavior after the fact, but only if their government cooperates and even then I think many times they'd just fold up shop under one name and open again under another. You really have to address it at the point of purchase to affect company behavior IMO.

Worth noting that even of stories such as these (new media, tech heavy) coverage by traditional media end up on the home page of HN. Beyond this observation, it seems that this election cycle brought home the importance of journalism for many people.

I wonder, how much electricity do these attacks spend on average? Is it significant for economy?

Yet another thing to show us that IoT is a can of worms. Yes, the technology is very helpful, but from security perspective, are we ready for it yet? Why not make existing CCTV cameras and nanny monitors more secure before having IoT?

If these sites hosted with google cloud, would they be less susceptible to ddos attacks?

Are there any downloadable DNS lookup tables which could be used as hosts.txt or /etc/hosts in case of emergency?

I know that DNS is organized in root zones with hierarchical subqueries. A global hosts file which contains the whole IP space is sort of unfeasible because domain names change within seconds.

However, in face of the current attacks the DNS maintainers should seriously consider to offer downloadable hosts files so that we could use them temporarily to circumvent DNS queries in cases of further attacks.

Would longer, say, week long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time. Here's an article that I think could be useful: https://medium.com/@brianarmstrong/youre-probably-doing-dns-...

Typical Dark Army

How long could this go on for?

Wikileaks seem to be claiming the attack for their supporters here: https://mobile.twitter.com/wikileaks/status/7895744362194493...

Any evidence to support that?

Hopefully it's not related threats about hacking during the election.

Remember that recently Biden openly threatened cyber attack on Russia if they make any attempt to tamper with the election. Which is completely unprecedented, as is the notion that DOD is openly saying Russia was behind DNC and other attacks.

Thank you, missed this piece but it was interesting.

I disagree with him on the point of "Who would do that?" He might be right about state level actors, but I think he discounts the motivations of crazy/disillusioned people, bored and curious people, and especially teenagers.

When I was a teenager, the Internet wasn't a thing yet, but we sure dreamed of all kinds of crazy schemes for taking out the phone company, power, anything really. We talked about anarchy and many "taboo" topics I can't mention here. The thing is we were good kids at heart and we had the discretion and morals not to act on those things. All of this happened in a time where our instant communication was the phone or meeting up in person. Today, it is infinitely easier to seek out like-minded people and to replace those who drop out. The ability to seek out confirmation and push is easier than ever as well.

Unfortunately, there are plenty of people that don't have that. Just because someone is a misguided teenager or crazy person does not mean they do not have intelligence, organization, and skills. Many of us certainly did our share of things and had the power, but I wonder what might have happened if we didn't stop ourselves in some cases. While perhaps the organization and probing nature likely hints at something else, it's really not that unusual for people to just mess around. Some people as they say also just want to watch the world burn. A couple of rough years in my teens, I certainly felt that way at times. I did plenty of things I'm not proud of, many people just have no shame and will take it that much further.

In the end I probably agree in terms of who is most likely, but I am kind of surprised that there were not more possibilities mentioned. Even 20 years ago, attacking Internet infrastructure seemed an obvious thing to do to us and we used to love talking about fun ways to ruin things over a burger at lunch. I mean is it really that hard to fathom people would think about attacking targets other than some organization, government, or other kind of company's servers?

Schneier's post is hardly prophetic. The idea that "china is attacking the internet" is so well ingrained, that this 2-year-old fake security attack map has "china mode", to make most of the attacks seem to come from China (part of the mockery of such maps): https://github.com/hrbrmstr/pewpew

Interestingly, in some ways this is a big selling point of AWS/Azure/Goog. The absolute scale they can handle is way up there.

The downside of course, is that whilst their infrastructure can likely handle it, handling the bill associated with 'just scale up your service' could be worse than the attack itself.

You're correct, it's centralisation, at least for the whole community.

It decentralises that one company's DNS -- instead of having one or two DNS servers, perhaps at two sites, they now have 20, at 20 sites. If someone wants to target them, they're probably better protected.

But it's the same 20 servers as a million other companies, so the chance of those servers being a target is much greater.

The cloud can be more decentralized but it more expensive, Done properly having redundancy across multiple clouds aws, rackspace, google, azure, in geographically different areas with different internet service providers it can be done in a very distributed decentralized fashion, just no one actaully does that. Instead they throw everything on one provider and pray its is backed up and secured by that cloud provider better than the IT guy down the hall they just laid off.

This is one of the many reasons AWS and cloud computing in general are way overrated.

I know of a company that pays an AWS bill sufficient to buy the equivalent of their pre-cloud datacenter's hardware every 1.5 months. The extra staff required to perform hardware maintenance would also cost about 2 months' worth of AWS each year (that means they're paying ~3x more than they would with hardware). Yet they moved to the cloud because it's the hip thing to do.

Cloud has upsides and things that are useful, especially for smaller proprietors who can take advantage of cheap droplets from DigitalOcean et al, but for grown-up companies, moving off your hardware shouldn't be automatic.

It's orthogonal to centralization. Abstracting your infrastructure allows you to easily replicate infrastructure providing the same services.

This is only ironic if you expected moving to the cloud to be what provides the redundancy.

There's also the difference between cabled systems, in which multiple elements can independently support load, and chained systems, in which any given link can fail.

The BBC was affected by the Dyn outage not because they themselves relied on Dyn, but because components of their site did.

AWS was affected at one point.

I fully agree with you about the paradox of how, in the intent to de-centralize we centralize into cloud VPSes and managed services.

The real reason for the move is that same showtune that we keep hearing in our heads and wish we could tune it out: it's cheaper to move from physical infrastructure to the cloud. It's cheaper to skimp on security by not updating IoT devices. It's cheaper to skimp on security because features need to come first. It's cheaper to outsource operational management to parties with less expertise in places that pay less. To spend less time securing infrastructure perimeters because it costs money.

We feel almost as if we feel comfort hiding behind heavyweights like Google and Amazon will protect us from the bad elements of the world, where we hear about major breaches every few weeks (eg., Yahoo being the most recent). Will this strategy pan out long-term?

With this DDOS, articles about machine learning picking up better password-cracking/guessing algorithms by having previously analyzed large volumes of passwords, major breaches in the financial world, talk of state-sponsored attacks (a la DNC emails) it certainly FEELS like the Internet has gotten a little bit more wild.

AWS was hit today, we saw a spike failures. Got hold of one of AWS guys and they basically noticed that the issue they saw in the US earlier in the day happened again in EU west. Funnily enough they probably could have avoided it if they'd deployed their mitigation to the other zones.

I'm pretty sure DDos against http resources have become quite hard to pull of, which is why there was string of attempts to blackmail smaller email provider but nothing like it happens to similar startups relying on the web. Even the Linode attacks are only possible because they're highly target at a few critical systems there.

It's harder, but you can distribute your web resources across multiple cloud providers

Or you need to make it easier for the 'black hole' solution to be pushed further and further back to the sources of the bad traffic.

A remote site shouldn't be able to get you banned from the Internet (by it's self); but it MUST be able to say, "This host is being abusive, restrain them from sending me data". ISPs SHOULD use that information to evaluate if a host from their network might be compromised or otherwise a negative player. ISPs SHOULD also take steps to inform, and link to educational resources, customers which are being bad citizens of the Internet. ISPs SHOULD also be financially motivated (punishments to them) for allowing too many uncivil customers online; this might take the form of instead banning that ISP from the Internet as a whole.

It's controversial, but I kind of agree. You need FCC approval to broadcast a radio signal due to the risk of interfering with other traffic, and you should have FCC approval that your IOT device meets minimum security standards before being sold.

Why rely on end devices? The infrastructure itself should be designed so that it cannot be broken that easily. Maybe we should return to metered connections, maybe we should implement a protocol to control routing.

The Internet has grown without proper planning using a lot of "quick and dirty" hacks (for example NATs, peering agreements) and today we just see the result. It reminds me of poorly designed email protocols that resulted in spam being the biggest part of email traffic.

If only there were an app for consumers to securely scan their own network for unspoken traffic in these connected devices.

The amount of consumer IoT currently connected with default and often outdated device settings is beyond belief.

The standards don't need to be raised much. Banning the sale of internet-connected devices with non-random default passwords doesn't seem too intrusive for the benefits it will bring.

As noted below, you need FCC or similar licences for wifi radio, why not something similar for the packers emitted.

Downside is that radio leakage licensing is fairly simple scientifically. Proving something is unhackable is harder ...

Espionage is stealing data. Disrupting utility services is an act of war, whether it is shutting down an electricity power plant, cutting communications, or any other act of sabotage.

If a foreign entity is attacking our infastructure, that could certainly be viewed as an act of war.

I think it could be either. Destruction vs information gathering would seem to be the line to me.

Hillary specifically promised to treat a cyberattack with all possible responses including military.

This woman is dangerous.