Is it confirmed yet that so-called IoT devices were the bots?<p>Bruce was on point if so, arguing a couple weeks ago that accountability needs to happen on the manufacturers:<p>"What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things.<p>Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."<p><a href="https://www.schneier.com/blog/archives/2016/10/security_econom_1.html" rel="nofollow">https://www.schneier.com/blog/archives/2016/10/security_econ...</a> ("Security Economics of the Internet of Things")
Schneier wrote about related attacks just over a month ago in a post titled "Someone Is Learning How to Take Down the Internet" (<a href="https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html" rel="nofollow">https://www.schneier.com/blog/archives/2016/09/someone_is_le...</a>)
Irony alert:<p>> <i>"But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks on Friday, Mr. York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack."</i><p>Pushing your infrastructure to cloud computing is not decentralization - it's centralization, and we're all doing it. Imagine if an attack like this was against AWS... we'd all be screwed.
We seem to be needing more concerted action on what is a consumer minimum standard for an internet connected device.<p>Consumer devices have to be <i>more</i> secure because of the low user skill level - and interest.<p>I am always reluctant to say "there should be a law against it" but frankly if we cannot mandate minimum standards of upgradability and security for devices we will just keep handing over our devices to the first person to scan them.
It's fashionable to blame Russia these days, but what country manufactures the most IoT devices, and has the type of government that could mandate backdoor access?
> It is too early to determine who was behind Friday’s attacks, but it is this type of DDoS attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.<p>> Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so.<p>I had no idea any states allowed voting online. I wonder if the general population will ever get access to that.
This seems so out of the blue, the last attack was targeting Krebs for exposing extortionists. Who is being attacked this time and why?<p>There is a lot of talk of IoT botnets but little to no evidence. This seems too vague and up in the air.<p>If all it takes is script kiddies and random extortionists to generate such large 1 Tbps scale attacks then we appear to be reliant on an unbelievably fragile base.<p>There is a growing realization of the need for more decentralization of services but these kinds of attacks are going to drive more centralization if only Google scale companies can manage to stay up. I think this is drop everything and fix time for the IT profession.
WikiLeaks tweeted:<p>"Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point."<p>Link: <a href="https://twitter.com/wikileaks/status/789574436219449345" rel="nofollow">https://twitter.com/wikileaks/status/789574436219449345</a><p>If their claim is true, does anyone think it will turn many sympathizers against them? I don't think attacking normal businesses is a good thing to do.
So. Can we start talking about changing internet protocols to strengthen the integrity of internet network services against DoS attack?<p>Currently, the internet is very very open (as long as you don't live in certain countries). A baby monitor in Kansas can send arbitrary traffic to a router connecting a major financial services company in Hong Kong to an internet backbone. The idea, in a very hippy, world peace kinda way, is nice. But... probably not something we <i>need</i> to happen, much less should <i>want</i> to happen or allow, if good sense prevailed.<p>We have hacks in place that can prevent that particular situation from becoming too much trouble, but if you have enough baby monitors, something somewhere is going to choke. And really this is the point to me: you [as the network service provider] should not have to have carrier-grade infrastructure to avoid this scenario. If Casey Brogrammer wants to prop up a start-up on her DSL line (do people still have DSL?) she should be able to without fear of DoS. How do we do that?<p>I have no idea. But I'm betting it would require some rearchitecting of the internet and heavily modified protocols. Personally, I think the global BGP tables are gross (and, let's face it people, depending on RAM to perpetually increase in size while simultaneously decreasing in cost ad infinitum is not a realistic scaling mechanism), I think the many flaws in modern TCP/IP protocols are not designed with specific enough use cases in mind, and that the generalist design of the modern Internet has become more of a hindrance to efficiency and progress than a benefit. There is absolutely no requirement that we keep engineering ourselves into a corner, and IPv6 sure as shit isn't going to solve it.
Extensive commentary on this topic is in the update from Dyn - <a href="https://news.ycombinator.com/item?id=12759697" rel="nofollow">https://news.ycombinator.com/item?id=12759697</a>
"And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected..."<p>Is that really confirmed or just the reporter writing gossip?
Harold Martin held without bail (high risk of flight) accused of theft of 20 years' worth of government (NSA) tools/data, Trump stating he will not concede the election, tens of millions of IoT devices used in DDoS attack, Assange (WikiLeaks originator) cut off from internet, DNC hacked and exposed.<p>A conspiracy theorist's dream.
I wonder why companies affected by these IoT-enabled DDoS attacks don't sue the companies building those devices, as they currently often choose security over convenience when it comes to securing them. If you can forensically prove that a large fraction of the attack was carried out using a given type of device it should be possible to hold the manufacturer liable for the damage, at least if no reasonable measures were taken to secure it (using blank or default passwords on the device could count as gross negligence).<p>I even kind of wish that somebody would do this, as it would finally provide a strong incentive for the manufacturers to think about security.
Kind of makes me wonder - why let up? Can it be mitigated at all? Wouldn't they have done so by now? Be interesting if they just kept piling it on until they've got the whole internet on its knees.
One of the Krebs articles mentioned an idea of a certification (similar to UL) which could be on products like DVRs and web cams. You can't ever certify something as completely secure of course, but the certification could indicate "firmware updatable", "no hard-coded default passwords" and "where there are passwords they are generated randomly and unique to each specific product" (not family of products). Maybe even "consumer can change all passwords to new randomly generated values". I can't say that all or even many consumers will care, but if ISPs stepped up and started emailing customers about suspicious traffic coming from their home networks indicating one or more devices may have been compromised, maybe a good number of consumers <i>would</i> start to look for that certification when they buy. Which is important because, let's face it, if insecure products don't actually <i>impact sales</i> then a lot of companies aren't going to care at all. You can try to punish bad behavior after the fact, but only if their government cooperates and even then I think many times they'd just fold up shop under one name and open again under another. You really have to address it at the point of purchase to affect company behavior IMO.
Worth noting that even of stories such as these (new media, tech heavy) coverage by traditional media end up on the home page of HN. Beyond this observation, it seems that this election cycle brought home the importance of journalism for many people.
Yet another thing to show us that IoT is a can of worms. Yes, the technology is very helpful, but from a security perspective, are we ready for it yet? Why not make existing CCTV cameras and nanny monitors more secure before having IoT?
Are there any downloadable DNS lookup tables which could be used as hosts.txt or /etc/hosts in case of emergency?<p>I know that DNS is organized in root zones with hierarchical subqueries. A global hosts file which contains the whole IP space is sort of unfeasible because domain names change within seconds.<p>However, in the face of the current attacks the DNS maintainers should seriously consider offering downloadable hosts files so that we could use them temporarily to circumvent DNS queries in cases of further attacks.
Would a longer, say, week-long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for the next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time. Here's an article that I think could be useful:
<a href="https://medium.com/@brianarmstrong/youre-probably-doing-dns-wrong-like-we-were-6625efaed390#.1xnqip9w1" rel="nofollow">https://medium.com/@brianarmstrong/youre-probably-doing-dns-...</a>
Wikileaks seem to be claiming the attack for their supporters here: <a href="https://mobile.twitter.com/wikileaks/status/789574436219449345" rel="nofollow">https://mobile.twitter.com/wikileaks/status/7895744362194493...</a><p>Any evidence to support that?
Would a longer, say, week-long TTL along with some redundancy have prevented this problem? Can it be done now to prepare for the next attack? That is, TTL shortened when making updates, etc., but then set to a week the rest of the time?
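The week-long-TTL question raised here (and in the earlier comment that links the DNS article), worked through as an added example that is not part of the thread or of the linked article. It is a toy model with constructed numbers and these assumptions: one caching resolver, a client lookup every 60 seconds, no serve-stale behaviour, and no TTL capping or cache eviction by the resolver.

```python
"""Toy model of one caching resolver in front of an authoritative DNS
provider (constructed numbers, no real traffic)."""

def refresh_times(ttl, horizon, down=(0, 0), query_interval=60):
    """Simulate periodic client lookups through a single cache.

    Returns (fetches, failed): the times the resolver refreshed the record
    from the authoritative server, and how many lookups got no answer
    because the cache had expired while the authoritative server was down.
    """
    fetches, failed, expires = [], 0, None
    for t in range(0, horizon, query_interval):
        if expires is not None and t < expires:
            continue                      # cache hit, authoritative not contacted
        if down[0] <= t < down[1]:
            failed += 1                   # expired entry and nobody to ask
        else:
            fetches.append(t)
            expires = t + ttl
    return fetches, failed

def failed_lookups(ttl, down, horizon=4 * 3600):
    """Lookups that fail during a 4-hour window containing the outage."""
    return refresh_times(ttl, horizon, down)[1]

def change_visible_at(ttl, change_time, horizon):
    """First refresh at or after a record change, i.e. when this resolver
    stops handing out the old address (the cost of a long TTL)."""
    fetches, _ = refresh_times(ttl, horizon)
    return next(t for t in fetches if t >= change_time)

OUTAGE = (5400, 12600)   # constructed: 2-hour outage starting 90 minutes in
WEEK = 7 * 24 * 3600

if __name__ == "__main__":
    for ttl in (300, 3600, WEEK):
        print(f"TTL {ttl:>6}s: {failed_lookups(ttl, OUTAGE)} of 240 lookups fail")
    print("record change at t=1000s is visible at",
          change_visible_at(300, 1000, 2 * WEEK), "s with TTL 300 and at",
          change_visible_at(WEEK, 1000, 2 * WEEK), "s with a week-long TTL")
```

In this model the long TTL rides out the outage only for names the resolver already had cached, and it delays any address change by up to the full TTL, which is why the comment pairs it with shortening the TTL before updates.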
Given national security interests, we need new laws: 1. IoT devices should not ship with default passwords. 2. Internet infrastructure companies should not be allowed to get "too big to fail".
WL's Twitter has claimed it was WL supporters. Although no one can really confirm what's going on with them since the Ecuadorian embassy events the other day.
Since it's impossible to update many permanently-insecure "IoT" devices we may need laws to legalize gov't permanently bricking them.
Can't recall ever seeing the NY Times embed tweets in a story, is this a first?<p>edit: apparently it's because I mostly read the site within the app.
The U.S. has changed the rules of engagement to state that any cyber attack can be met with real military counterattack.<p>If the Russians are behind it, after being emboldened by Ukraine and Syria, the United States has to respond. I'm not saying all out war but I am saying we have to show the Russians that this affects everything we are about. It affects our businesses, our elections, and our way of life.<p>I am saying there should be military action and if that leads to war then so be it, everyone will think twice about this sort of thing again and we will all be safer because of it.
I think the main problem is that the Internet is decentralized. As it has no single owner, nobody is responsible for mitigating the attacks and no one wants to pay for developing and implementing new protocols, installing new hardware.