There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught Akamai reckons it blocked what may be the largest distributed denial-of-service attack ever, in terms of packets per second. The content delivery network today said it successfully warded off the mammoth traffic flood, even as it was hit with a peak load of 809 million packets per second (PPS). The attack, which began on 21 …
Can Akamai pass the IP addresses from which they got the attack to the various ISP's, so that the ISP's can contact the associated end user and suggest they give their machines a thorough cleaning?
Otherwise, I dont really see a difference to the police stopping a bank robbery in progress, identifying the perps, and then saying "Ah well, its too hard to go and grab these crooks at their home address. We stopped them from stealing anything, so we'll just forget this ever happened..."
That's not going to stop the next attack, now is it...
Quite easy
Bill the endpoint
This incentivizes both the ISP and the End User
The ISP can do it easily enough within the existing T&C's because their was "effort" to process the IP logs, say $10 which is waived instantly if they phone/email and declare they have cleaned up their network/PC/router
That would be attractive to the ISP (sicne people are lazy they get to keep a portion) and reward people who take care... (while educating people to the cost)
honestly I don't know why they don't do it...
What happens when I find out your IP, decide I don't like you and regularly flood Akamai with UDP packets with the source address being yours so that you get billed? Even if you say "I've cleaned it", your ISP is going to get dubious quickly.
Not to mention, there are a lot of ISPs who couldn't be trusted with that responsibility
If that happened often enough then ISPs would be forced to filter on source IPs so you couldn't spoof my IP in your UDP packets unless we were both in the same subnet with the same ISP.
I can't believe this still isn't being done universally, as there is no reason other than mischief why you would want to send out packets claiming someone else's source IP.
I recall being responsible for adjusting the filter rules for the firewall of a small ~500 person engineering firm connected via T1 back in 1994. Even though it wasn't part of the requested change I added a filter that blocked exgress of packets claiming an IP address outside our subnet range just because it seemed like a reasonable precaution. Among our customers was the DoD and if something went wrong when the engineers were testing stuff we probably didn't want to be spoofing a .mil address.
Quite.
There's also a simple speed issue. If you have to pass EVERY PACKET through a kill-list of several thousand/million source addresses (MAC, IP, NAT browser token, whatever) before passing it through, what do you think is going to happen to your machine load and hence your performance and hence your N-1 innocent clients+visitors who suddenly take 2mins per page to load and hence the screaming starts on the support phones.
This is all done by ASICs for firewalls that have to service high bandwidth links, but a run of the mill wireless router running Linux/iptables can handle several hundred megabits of throughput without even breaking a sweat. You think if you spend tens or hundreds of thousands on dedicated hardware it is going to choke and require "two minutes per page" to load?
EVERY site you visit on the internet passes through at least one and often more than one firewall with a long list of filter rules, adding one more will not affect the performance at all.
Well, I was just thinking back to my own time hands-on ~10yrs ago in a small ISP + MgdSvcs. 2 main routers public-facing, each north of £25k at the time per the boss, who paid for them. So...what... about US$40k back then, plus 10yrs inflation. So, what, about US$60-70k each, now?
We were tiny. And laying off traffic upstream on every opportunity. Yet they were periodically rammed.
So many many many things we COULD have done, if it wasn't for all that traffic. We had a 12 page iptables config (9pt font Courier) just to safely manage our VoIP commitments.
Given all the mandatory crap you're already doing, yeah sorry we didn't have a shit-ton of freely magic spare capacity to wave the magic ultra resources wonderment Wand Of Nothing Else To Do over.
But yeah I agree with you: if we didn't have clients, they could have smashed it. Absolutely smashed it.
"What happens when I find out your IP, decide I don't like you and regularly flood Akamai with UDP packets with the source address being yours so that you get billed?"
Maybe 30 years ago those sorts of packets would route through an ISP, but certainly not through the one I work for or all others I'd imagine..... Even the most basic of routing protocols configured properly prevent this.
Routing protocols route packets, based on the destination address, why bother looking at the source when you're concerned with getting to the destination.
How do you deal with buisness customers with their own AS and own IP ranges that are not part of your companies allocation but you must route for them? How about i send packets from your net spoofing other customers source IP? Same net different originator.
You can report IP addresses to ISPs but nothing ever happens.
Such ip addresses are regularly blacklisted by other ISPs. It's just not effective because the addresses can be recycled fairly quickly so that you get assigned one after it has become blacklisted.
More important is setting up honeypots long enough for law enforcement bodies to gather data, not only about infected machines, but more importantly about the networks controlling them.
It's just not effective because the addresses can be recycled fairly quickly so that you get assigned one after it has become blacklisted.
My ISP or RSP as they are now called here, has assigned me 54,000 Quadrillion IP addresses so I am not running out of numbers (and letters) any time soon if my machine(s) are part of any attack. They would have to block the subnet rather than the IP or range.
I wouldnt believe a call, no. but if i received a letter from my ISP on company letterhead. Stating that "We've detected traffic from your IP address being involved in an DDOS attack. this may mean your machine or a device on your network has been compromised. Please consider running a Virus scan across your entire network or take your computer to a specialist repair shop for diagnosis."
The number one rule with these types of communications is not to offer your own solutions, do not link to any online fixes and dont be accusatory. And frankly, dont do it over email.
If you send something with a "You can test your computer by using our free diagnostics tool here" then of course people are going to think your a scammer.
Not that difficult.
there really is a new generation of idiots rising up with no clue as to why things are the way they are.
who is the one to send out the letter, the traffic originating ISP after notification from the system that was ddos'd?
define ddos, what constitutes a significant enough ddos that the isp has to spend their own money sending letters to customers who won't understand what they are receiving in the post then phone for advice and then decide to move to an isp that won't bother them?
as someone else has posted, its totally possible to send tcp & udp packets with false source ip addresses. the sender will never get anything back but if enough packets are sent say with talk talk ip addresses, the recipient will see that they received a lot of traffic from talk talk addresses not the actually perpetrator so talk talk could end up contacting their customers about things that never happened and their customers would be rightly unhappy that they have been accused of something they never did. of course not all attacks can be spooofed, but what if the attack originates from a dodgy frame in a bbc news website that forces clients to connect and request something from a site not sized for the demand thus causing the issue?
it is really not as trivial or obvious as some make it out to be.
"as someone else has posted, its totally possible to send tcp & udp packets with false source ip addresses."
On what ISP does that work? I'm not aware of any now.
Talktalk would be fully aware of what their customers did or didn't do. To suggest talktalk would route packets with an invalid source address and still have no idea is absurd.
With the fake source IP address, what would you use as the df gateway? What routing protocol would forward it and under what circumstance? Why would BGP forward it?
"Talktalk would be fully aware of what their customers did or didn't do."
--Thats debatable
"To suggest talktalk would route packets with an invalid source address and still have no idea is absurd."
--we are talking about valid source addresses that are not the senders actual source address.
"With the fake source IP address, what would you use as the df gateway?"
-- the same df gateway as non fake source address, how else would you route the traffic upstream?
"What routing protocol would forward it and under what circumstance? Why would BGP forward it?"
-- BGP doesn't route traffic, its a routing protocol used to exchange routes to different systems across the internet. Routers route traffic using information from routing protocols in order to determine where (routes) to forward traffic, yes including forwarding to null. Routes provide information about where to forward traffic to based on destination addressing.
"Just" secure their computer. Which is running Windows, with weekly security bugfixes, who knows how many existing viruses, new ones being written all the time, etc. I, personally, have gotten a virus from visiting a legitimate website with an up-to-date browser, OS, and antivirus - there was a rogue ad with a not-yet-protected-against exploit. Is that my fault?
Best move would be notifying the ISP, who would notify the user (in some way that they can prove it's the ISP). Possibly repeat offenders within some reasonable timeframe (6 months? A year?) would pay a small fine, increasing after each offense.
Is that my fault?
Absolutely your it's fault. AFAICS, most "solutions" to Internet security involve either blaming the victim, and/or insisting that some incredibly complex sequence of activities will provide perfect security and can't possibly fail. You're clearly the victim. You must have done something wrong you dolt. Shape up.
(I do think that some day -- probably decades from now -- we'll have a reasonably secure digital universe. But think that it very likely won't look much like what we have today and likely not much like what we envision today.)
Can Akamai pass the IP addresses from which they got the attack to the various ISP's, so that the ISP's can contact the associated end user and suggest they give their machines a thorough cleaning?
What they need to do is to speak to a few of the ISPs and get traffic logs for some of these PCs. Try to work out the command & control addresses - these are the real ones to chase - not the hapless users running a compromised Microsoft machine. Maybe examine a few of these machine to see what malware they have.
It will be interesting to see who the botnet controllers are: criminals or governments (mind you sometimes they are the same thing).
"come from compromised routers and other devices"
Which simply reinforces alain's comment that it's "not the hapless users" that need to be chased. (But definitely go after the ISP that provides a hackable device, like mine with TR-069 enabled and world-accessible, with no way to turn it off, and tech support not knowing what that is.)
As an end user (and small server owner), I'd love for my ISP to notify me if there's malware-related traffic coming from my systems. Though they'd definitely have to prove it's really them and not "Windows" calling...
I used to be a tech for an ISP+Managed Services Provider and we would periodically have core services flooded by a malware infection on one of our clients' VMs or even websites (web "coders" are nearly all script kiddies).
I'm proud of one event. Spambot seized a website via poor JavaScript; flooded mailserver: mail temp dir of multi terabyte size, normally ~empty by good proc server, filled 10secs after we got the first alarm. Jammed.
15mins later with nothing we tried working (server spending every cycle it had on clearing those emails; in fact the ONLY thing we could get even to open was a shell) we bit the bullet and went all surgeon-with-a-chainsaw.
rm -f *
Crashed with overflow error on the parameter list argument.
I wrote an inline parameter-piping loop taking advantage of the combination of head's intelligent termination and shell's character-by-character streaming inter-pipe (intra-pipe?), and turned it into a race condition. My script vs the malware's script. (With the mailserver intruding on both of us)
I won.
Yessssssssssss
Despite the naysayers' naysayings, we've been reporting abuse IP addresses to ISP's for the last 10 years (well, our IDS/IPS has) with excellent cooperation from almost all.
Best assistance comes from Russia ("The user has been terminated"...) and Brazil, whose CERT actively pursues each report, and worst assistance is from Turkey, whose CERT will block your emails if you report anything, and TurkTelekom will do likewise.
You need to remember that ISP's hate these cyber-vermin almost as much as we do since, apart from the nuisance value, they eat up bandwidth.
To-date, we've successfully reported 126,795 such parasites, who hit us about 1200 times a month. Additionally, there's an amplification botnet that sprays us from all the addresses from between 10 and 30 class-B domains (all spoofed) per day, which keeps our SYN/ACK detector busy.
Don't be negative, monitor your logs, and do report every single infraction. If nothing else, it means the cyber-filth has to work harder, to keep botnet numbers topped up.
I'm mentioned before that it's time to bring back network blacklisting. There are several large networks that are just fine hosting organized crime.
If you think this is a bad idea, you don't know about AGIS in the 1990s. Criminals were big business for them. When portions of their network were registered with blocklists (usually MAPS), they rotated legitimate customers to those addresses and declared war against blocklist maintainers. AGIS was huge and these focused RBLs took out significant parts of the Internet. AGIS organized DDoSes, lied to the press, lied to Congress, and spread misinformation in their war. They had the full resources of organized crime on their side. The Internet survived only because a large number of networking peers agreed to halt AGIS traffic.
Blacklisting is less than useful.
Blacklists contain thousands of entries, so you can't just enter each one as a firewall rule.
Also, these lists change from one day to the next, which would entail a lot of maintenance to stay up to date.
It makes much more sense to check the content of each query against a list of known hack queries, then add a firewall rule and report it if it turns out to be malicious.
At my employer, I'm in an e-mail group for IT maintenance notifications. We receive e-mails weekly from our main ISP that identify vulnerabilities detected in great detail. They get the attention of "we need to fix that one of these days". Therein lies the problem.
Well, we all know what this is - the article says a huge percentage of the IPs were brand new addresses; so it has to be the recent flood of IoT devices people are buying in droves. These folks will not have a clue as to what is causing the problem, even if they got a call from the ISP. What needs to happen is the government is going to have to step in and make a law that requires all device manufacturers put in configurations to assure, that these can't be hacked within seconds like they are now. The industry will be livid, because the clueless customers won't know how to get around the configurations to make the device work, but tough. That is just the way it is!
My last brand new router was fortunately setup this way, and they even gave me the wi-fi password, so I wouldn't have to make one up. I believe the cloud side of the remote administration was turned off by default - this is the way to sell device properly. It shouldn't delay too many customers, because most of them will NEVER use the features that make a router vulnerable, so why leave them wide open with standard user ID 'admin', and no password wide open for attack? That is just silly when it isn't that hard to do things the right way.
I'm seeing big increases in malware delivery attempts at levels that I have never seen in 20 years, an attack like this looks normal. Worldwide Covid reactions are changing how many people work and cracking the door for attacks, thefts, and malware deliveries - we need to start working on a new Internet, what we have today is effectively broken, filled with spam, malware, and everyone's personal data being sold from one company to another.
", filled with spam, malware, and everyone's personal data being sold from one company to another."
The only problem is that a lot of this is being done by 'Legitimate' companies who attempt to pay their taxes (however small teh accountants manage to make them). Biggest culprit as far as I can see is Marketing.
<anonymous so I don't get DDoS'ed for blaming Marketing>
Comcast Business does this. They phoned me a few years ago to say that a couple of my devices might be participating in PnP amplification. They were Axis security cameras that that needed an update. I shut off PnP permanently and patched them.
Then there's lots of other ISPs that don't care at all what their customers do. I block them at the router so fail2ban doesn't get bogged down.
Presumably it would not be difficult for ISP’s to have a group on their proxy which they put infected sources into. That then redirects them to a landing page, and restricts access to everything but Malware/AV vendor domains. The landing page could have a message directing them to resources to clean/check their devices, and a way of confirming that they’re clean.
Each time they are put in this group, it takes a bit longer before they can get access to the internet again. That should quickly encourage them to deal with infected / vulnerable device. It would also stop people selling vulnerable IOT devices eventually, if this was enforced by law on all ISPs...
Seen a noticeable uptick in the last year r so of fake tcp syn packets, generally low rate level to avoid firewalls and using different source addresses in the same subnet to again avoid firewall rules. Used to come in at much higher rates and from single ip in subnet (stopped by firewall) but it appears over the last year or so they have become more sophisticated so as to avoid detection and blocking.
If that is happening to a large percentage of internet facing server out there then it ends up being a substantial dos attack on someone. I'd doubt the majority of owners of servers/websites etc even notice. Any port can be targeted but obviously standard port 25/80 seem to be favourite.
I now have a script that detects and blocks these attacks (by counting tcp syn packets from a single ip and by subnet) and blocking them for 24 hours when they pass a threshhold. Usually blocked within a minute or two. Obviously have to be careful not to block legit address so only counts ip addresses with more than 2 resends and has automated and manual white lists.
No doubt the game will change again as it always does.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
