Someone Is Learning How to Take Down the Internet

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular intensity and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.
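The two indicators described above (campaigns that ramp up gradually and then resume the following week from the previous peak, and campaigns that combine several attack vectors at once) can be checked mechanically against a mitigation platform's own telemetry. The Python below is an added example, not code from the original essay or from any of the companies it describes; the JSON-lines record format, the field names `week`, `gbps` and `vectors`, the vector labels, and all traffic figures are constructed for illustration. It flags runs of consecutive weeks that fit the "looking for the point of failure" profile and lists the weeks in which more than one vector was in play.

```python
"""Heuristic detection of the 'calibration probe' DDoS profile: campaigns
that ramp up gradually, resume the next week from the previous peak, and
combine several attack vectors.  Added example; the log format, field names
and traffic figures are constructed, not taken from real telemetry."""

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    week: int
    gbps: tuple        # traffic samples in time order, Gbit/s (constructed)
    vectors: tuple     # attack vectors observed during the campaign


# Constructed sample telemetry, one JSON record per campaign (not real data).
SAMPLE_LOG = """\
{"week": 1, "gbps": [40, 55, 70, 90, 110], "vectors": ["udp_amp"]}
{"week": 2, "gbps": [110, 130, 160, 190], "vectors": ["udp_amp", "syn"]}
{"week": 3, "gbps": [190, 220, 260, 300, 330], "vectors": ["udp_amp", "syn", "dns"]}
{"week": 4, "gbps": [60, 45, 80, 30], "vectors": ["syn"]}
"""


def parse_campaigns(log_text):
    """Parse JSON-lines telemetry into Campaign records sorted by week."""
    campaigns = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        campaigns.append(Campaign(int(rec["week"]),
                                  tuple(float(x) for x in rec["gbps"]),
                                  tuple(rec["vectors"])))
    return sorted(campaigns, key=lambda c: c.week)


def is_ramp(samples, min_growth=1.5):
    """A ramp never drops between samples and ends at least min_growth times
    where it started; a bursty or flat campaign does not count."""
    if len(samples) < 3 or samples[0] <= 0:
        return False
    monotone = all(b >= a for a, b in zip(samples, samples[1:]))
    return monotone and samples[-1] / samples[0] >= min_growth


def resumes_from(prev, cur, tolerance=0.1):
    """True when cur opens at (or above) prev's peak, within tolerance."""
    return cur.gbps[0] >= max(prev.gbps) * (1 - tolerance)


def find_probe_chains(campaigns):
    """Return runs of week numbers in which each campaign ramps and the next
    one picks up from its peak: the week-over-week escalation profile."""
    chains, current = [], []
    for prev, cur in zip(campaigns, campaigns[1:]):
        if is_ramp(prev.gbps) and is_ramp(cur.gbps) and resumes_from(prev, cur):
            if not current:
                current = [prev.week]
            current.append(cur.week)
        elif current:
            chains.append(current)
            current = []
    if current:
        chains.append(current)
    return chains


def assess(log_text, min_vectors=2):
    """Summarise both indicators for a block of telemetry."""
    campaigns = parse_campaigns(log_text)
    chains = find_probe_chains(campaigns)
    multi_vector_weeks = [c.week for c in campaigns if len(c.vectors) >= min_vectors]
    return {
        "probe_chains": chains,
        "multi_vector_weeks": multi_vector_weeks,
        "escalating_probe": bool(chains) and bool(multi_vector_weeks),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

On the constructed sample, weeks 1 to 3 form one chain (each opens where the previous one peaked and climbs steadily) while week 4 is a noisy burst that breaks the pattern, so the verdict is positive. The thresholds (`min_growth`, `tolerance`, `min_vectors`) are starting points to tune against an operator's own baseline, not values the essay gives.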

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- point to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won't see any attribution.

But this is happening. And people should know.

This essay previously appeared on Lawfare.com.

EDITED TO ADD: Slashdot thread.

EDITED TO ADD (9/15): Podcast with me on the topic.

EDITED TO ADD (10/6): More.

Posted on September 13, 2016 at 2:09 PM • 170 Comments

Comments

Tom • September 13, 2016 2:15 PM

"What can we do about this? Nothing, really." - Well there is one thing you can do. Don't put any critical command & control infrastructure (say, for managing power transmission) in a position where it requires the internet to function.

AJWM • September 13, 2016 2:32 PM

What Tom said.

And dig your old dial-up modems out of storage. ;) (You do still have land lines, right?)

Ricky Don't Lose That Number • September 13, 2016 2:38 PM

Troublemakers of the week:

183.60.244.37
123.125.67.148
220.181.51.103

jer • September 13, 2016 2:41 PM

If the attackers' intent was to not get the pattern in the attacks noticed, then they failed.

If their intent was to test the extremes of different systems, they apparently took quite a methodical approach and disregarded the possibility of an intelligent response, or didn't change the test plan according to intermediate results.

Bob • September 13, 2016 2:42 PM

The thing is... if China or Russia decided to "take down the internet"... and did it from their own infrastructure... they'd be cut off from the rest of the net... all of them... the whole country. period. You think the "great firewall" is pretty big? wait till you piss off every single large ISP out there! You'll be unplugged.

On the other hand, if it's done much more underhandedly and less obvious, you never know...

Random Guy 17 • September 13, 2016 2:42 PM

An attack on a service is best done by an attacker that doesn't need that service. You don't pull the plug on the power company that supplies your own home/business.

With that in mind, a closed, not highly Internet enabled country makes the most sense- like China.

Very interesting stuff.

Jon • September 13, 2016 2:52 PM

"The thing is... if China or Russia decided to "take down the internet"... and did it from their own infrastructure... they'd be cut off from the rest of the net... all of them... the whole country. period. You think the "great firewall" is pretty big? wait till you piss off every single large ISP out there! You'll be unplugged."

If they're planning to take down the Internet, unplugging them or them being unplugged is the least of anyone's problems because if it is a nation-state, doing something like this would really only make sense to do if it's coordinated with a real world attack.

Bart • September 13, 2016 3:03 PM

Why don't you tell us what you mean with "some of the major companies that provide the basic infrastructure that makes the Internet work"?

My feeling says it's either

* CloudFlare or similar. In that case we're fine.
* Level3 or similar. In that case we're fine.
* *.root-servers.net. That won't take down "the internet" though, just DNS resolution. However, since so many services depend on that, people who don't know how to use the internet without DNS, like 99% of its users, would be shut off. Still, you would still be able to reach any server by IP.

I guess I should take the link to VeriSign as a hint that it's root-servers.net. Too bad that these articles have to be so vague all the time because of the "anonymity" excuse. That doesn't help anyone, it just spreads FUD.

Paul • September 13, 2016 3:03 PM

Bob: It’s not as simple as “just unplug the bad guys.” A DDoS attacker takes advantage of the infrastructure of others by staging the attack from compromised machines. Even if human actors are in China or Russia or Fooland, the attacking machines & networks can be located anywhere in the world, even — especially — inside the country of the target.

The call is coming from inside the house, as it were.

MAD-Dog • September 13, 2016 3:25 PM

Let's assume the attack to take down the internet comes from EastAsia.

If it goes down, how many deaths and serious injuries can we project, aside from carpal tunnel?

Right: Hardly any to none. So, let's take a deep breath and try to calm down.

Now, if the location of the attack cannot be determined, simply turn off the power to the trans-ocean cables all at once, or the one most highly suspected for example, EastAsia. Problem solved locally.

In any case, let's remember the ultimate defense/retort is to simply pull the plug.

As for prevention, I would suggest the old but reliable doctrine of M.A.D.:

Mutually Assured Destruction.

And remember we have always been at war with EastAsia so let's not freak out by a few alarming action reports.

Kevin • September 13, 2016 3:33 PM

Are we sure that this isn't the NSA or DoD who have been playing around? What better way to defend our internet than to know what its weaknesses are? Far fetched? Would you really put it past these guys? NSA is accountable to no one.

Also, what better way to get additional Federal funding than to get the rumors started that our internet is under attack. Cyber funding has skyrocketed since StuxNet found its way into the wild!

FUD - fear, uncertainty, and doubt -- mean more money

tlhonmey • September 13, 2016 3:43 PM

Don't discount the USA as the source of the attacks. I definitely remember a certain president saying he wanted an "Internet Kill Switch" just in case something like the "Arab Spring" happened here... Was headline news a few years ago, pretty easy to find.

Clive Robinson • September 13, 2016 3:44 PM

@ Bruce,

If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS).

Hmm, in the past all it's required is a rodent with sharp teeth, or misconfigured border protocols.

Likewise when talking of "tangible" physical attacks as was seen with power transformers, if you know what to aim at a few cheap rounds of ammunition used on a choke point will do. Heck even low grade Romanian gypsies stealing cable to sell as scrap have brought down telecommunications infrastructure very well and much more permanently.

As for "intangible" information attacks then DDoS attacks are just the current flavour of the month being seen. There are other much better ways that State Level attackers could use (think attacks against backbone routers for instance by a nice piece of APT payload).

Thus I would suggest that they are not "attacks" as such, but "black box testing" to enumerate for other much more effective attacks.

The reason I say this is DDoS attacks are grossly inefficient. Whilst they might be cheap for "bot herders" the result is that the botnet gets compromised and its control channel etc identified and neutered. Further, DDoS attacks are distance sensitive: the further the attacking host is from the target host the easier it is to reduce or limit the effects of a DDoS attack.

If you want a real world analogy think of a DDoS attack as being like "covering fire" it uses an incredible amount of resources to achieve very little, in that the opponent just keeps their head down whilst it is happening. A sniper however is very resource efficient taking just one or two rounds to permanently eliminate an opponent.

A major use of covering fire is to keep the enemy's head down in their slit trenches etc whilst members of your forces come up on their flank and at an appropriate signal run across close to the slit trenches chucking in fragmentation grenades etc.

And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc.

Rubens Kuhl • September 13, 2016 4:06 PM

Verisign is the registry for .com and .net domains, not the registrar; the registry is indeed the most critical infrastructure in the value chain because it's one publishing DNS delegations, but the registrar is the one interfacing with registrants and then possibly updating the information stored in the registry.

WhiskersInMenlo • September 13, 2016 4:08 PM

There are good and bad parts to this.

A distributed attack implies a footprint of one or more exploited flaws. It also implies a command and control system.

This is one place where the hoarding of defect knowledge by a TLA has value. Some sample of these compromised machines can be inspected and the vermin identified and solutions developed.

Some defects facilitate abuse and others allow forensic inspection.

I would be happy to see bug fixes for old and musty operating systems escape from special fee update sites from time to time.

I am modestly pleased with the Windows 10 update policy but less so with their snooping and data gathering tricks. The optimist in me wants to believe that some at M$ are using the army of Win10 machines to assist in squashing these distributed collections of compromised machines. Not actively but statistically. A vendor or TLA could patch them and thus disconnect them from central command as part of the patch process.

There are two classes of hardware -- cheap inexpensive machines handed down and running old crud without a license as it were. A second would be the infrastructure machines like big routers and server clusters.

The inexpensive small machines are the pawns and outnumber the command and control systems by orders of magnitude. They may prove easier to patch and fix than the valuable command and control machines.

One recent criminal act: The false "Paramount Issues DMCA Takedown On Ubuntu Linux Torrent" is a step backward in the distribution of an improved OS compared to WinXP and older Win-cruft for old limited CPU power machines.

A critical problem with bot farms is the distributed computation power. Some bitcoin work is being done on compromised hardware. That is a bad symptom. That army could be turned (if it is not already) to attack validation keys that enable vendors to validate and install bug fix updates.

If and only if (IFF) agencies near and far chartered with security pay attention to reality and IFF law makers get good advice and pass quality law that encourages responsible research and product responsibility will we avoid a disaster.

Consider a four year old modern phone made by a company with home offices on one side of a DMZ separating it from a nation with troubling intentions. Such devices are too expensive to discard and too powerful to be allowed un-patched on the internet or cell phone networks.

Law: Failure to patch older hardware should be grounds to halt the import of new hardware. It is in the national (all nations) interest to hobble business plans that profit from planned obsolescence of product by neglecting the maintenance of software. Phones, Smart TVs, DVD players with Smarts, routers, modems....

Daniel • September 13, 2016 4:09 PM

@Kevin

My thought exactly. We know that the government engages in "stress tests" of the financial system and the banking industry. So it would be expected that they would do the same thing with the internet. I'm deeply puzzled by Bruce's insistence that this must be a foreign actor. Someone said recently, "security researchers came to the conclusion that attribution was hard, then they promptly forgot it." This essay seems more evidence of that.

ab praeceptis • September 13, 2016 4:16 PM

Two remarks re. the blog entry:

There are, somewhat simplified, three perspectives, namely the technical perspective, the political perspective, and the commercial perspective. Our problems are to a considerable degree self-inflicted by allowing commercial and political perspectives and interests to dominate decision making.

Example in case: A techie would, of course, vote for a redundant approach (which was, after all, the very idea behind the internet). Commercial interests, however, prefer other approaches, particularly those that enable them to build quasi monopolies. That's why .com and .net are basically dependent on a few (or even just one) company/ies.

That same cardinal sin was repeated with PKI, namely with the dreaded CAs. Result: a major cluster f*ck.


Second remark: I take much of what B. Schneier quoted here as being (mis)guided by an almost religious belief in technology (that is more or less centered across the ocean).

Putting on my intelligence hat, I'd quickly come to the conclusion that a) "cyber intelligence gathering" is just one of many ways and b) that that way leaves traces and makes lots of noise.

Why run a major ddos attack when I can gain much information by having a room cleaner tell me the exact model and other information about critical devices? Why run a ddos, when I can simply and cheaply rent a server at a colocation and find out quite a lot the boring old way (like walking in, being excited by the oh so super high-tech equipment and being shown around by a friendly colo technician)? Even cheaper, many colos, some of them running quite critical infrastructure, proudly show their equipment even on their web pages.

Having worked in a major colo I know the situation from the other side, too. Background checking personnel only goes so far (and under some legislation is severely limited by legal restrictions). Getting your techies to be tight-lipped is relatively easy. Getting them to stay tight-lipped when having a beer with colleagues, however, is next to impossible.
Another problem is customers. As management you have to find a balance between PR/marketing and being security minded. Often not at all easy.
Plus you have service people for your equipment coming and going, and so on.

Are the goons in Washington betting a lot on cyber intelligence? Sure. Do the Russians, too? I have grave doubts. Show is worth little in Russia; tangible and real results are what is desired and expected.

Finally, stop dreaming! One doesn't need to run major ddos and ci attacks to find out. Intelligently and professionally analyzing OSs, cisco and juniper boxen and the like will reward you with way more easy-to-open doors than massive ci gathering.

Ergo Sum • September 13, 2016 4:29 PM

@Clive...

And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc.

Sounds about right, but if you discount Russia, and that's a big if...

Why would a nation state do this, especially China and the US, when most of the hardware, including network, comes prepackaged with malware already? Maybe the "cover fire" is for activating the malware instead and we are at the brink of cyberwarfare for real.

Bill Stewart • September 13, 2016 4:36 PM

It's so easy for a well-funded Bad Guy to hide - use stolen credit cards to buy other stolen credit cards from The Usual Suspects, use those to buy cloud time on multiple servers, use those to deliver malware through ads you also bought with hard-to-trace money, and build yourself a spare bot army that sits there quietly while you use your other bot army to do some test attacks.

"Mutually Assured Destruction" is a two-player game; it's different in a three-or-more player version where Eurasia rents some servers in Eastasia to attack Oceania and get them to retaliate, with everything laundered through shell corporations, actual corrupt Nigerian officials, competing Russian crime syndicates, and the occasional Balkan-region teenage hacker who only exists on paper.

"US Government Stress Tests"? That's not how any of the legitimate US government agencies would work (and the Treasury didn't run bank stress tests by actually making half their new mortgages default, either.) I'm not saying that there aren't illegitimate Internet activities going on, but the spooky agencies are much more interested in comprehensive eavesdropping than in DDoS.

EvilKiru • September 13, 2016 5:40 PM

@AJWM: AT&T is doing away with DSL in favor of Uverse, so no, I no longer have a landline, but my phone bill dropped by over thirty bucks.

Sancho_P • September 13, 2016 5:48 PM

I appreciate these attempts.
Curiosity is the very basic system of nature, the driving force behind evolution.
Hopefully the tests will bear fruits and the system will improve.
Hint: Monopolies are the beginning of the end.

Russia and China, yeah, together they’ve invented the Internet, just to harm the US!

”It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.” (@Bruce, my emphasis)
Hilarious! You made my day!

Btw., cutting “them” from the Net is similar to cutting your hands off.
OK, probably with the Net it will take some hours more to realize.

@Bill Stewart (“legitimate US government agencies”):
I can hear ya, from the Bay of Pigs to Athens, from Tehran to …

DBM • September 13, 2016 6:46 PM

Well, if you read the Verisign report summarizing Q2 2016 DDOS Attacks, there is a map on page 12, showing that the vast majority of attacks came through from the USA, Germany, and Great Britain. China, Russia, Brazil, and N.Korea hardly have any presence.

Sacco Vanzetti • September 13, 2016 7:13 PM

I hope America's foreign archenemies wait to destroy the Internet till we're done downloading the files they got that prove US democracy is fake, in case it didn't work when they poisoned Hillary.

https://uploadfiles.io/7dc58
PW: GuCCif3r_2.0

Jim N • September 13, 2016 8:07 PM

@ Bill Stewart

"actual corrupt Nigerian officials, competing Russian crime syndicates, and the occasional Balkan-region teenage hacker who only exists on paper."

..and that Romanian masterhacker who can't hack, otherwise dubbed '1.0', but allegedly had hacked Hillary's emails when that allegation was deemed benevolent.

So consider this, what would we do without internet (after internet)? There is certainly life A.I. We'd all go back to watch the TV and listen to radio, with antennas.

My Info • September 13, 2016 8:37 PM

@WhiskersInMenlo

"There are two classes of hardware -- cheap inexpensive machines handed down and running old crud without a license as it were. A second would be the infrastructure machines like big routers and server clusters."

Sounds like another middle manager taken in by slick IT consultants and salesmen. That second class of hardware -- let me explain -- it has a sleek metal frame that mounts neatly in a rack and it comes with a premium 24x7 valet-service on-site on-call technical support contract, but deep down inside, when it comes to the actual chips -- and even the actual software that runs on the chips -- it's the Same Old Shit, otherwise known as S.O.S. When it comes to computer chips, you'll never know the difference between cheap shit and expensive shit unless something goes wrong, and with all that VIP-level support, it doesn't matter anyway. The chips are CZ and you've got some salesman with cuff links dazzling you with all this technical talk about the 4 C's and several bullet points about why his brand is better than the competition.

John Smith • September 13, 2016 9:52 PM

Clive Robinson's comment:

"...And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc."

In that vein, careful calibration of DDoS attacks could be preparation for DNS cache poisoning/MITM attacks on certain targets.

During l'affaire Snowden, Edward warned Laura Poitras et al. to conceal, as much as possible, their internet locations: if NSA knows where you are, in the IP sense, it knows how best to attack you.

Agent J • September 13, 2016 11:21 PM

@Marshall

I don't think growing vegetables is going to help at all.

People are dumb, panicky dangerous animals ...

Clive Robinson • September 14, 2016 12:43 AM

@ DBM,

...Q2 2016 DDOS Attacks, there is a map on page 12, showing that the vast majority of attacks came through from the USA, Germany, and Great Britain...

I suspect that it might have a lot to do with "home broadband".

After all, it's known that many "service provider" provided DSL etc routers have built in WAN side back doors for "service technicians" to reconfigure them remotely... With the majority of computers on the LAN side being unpatched Win OS's with one or two low end AV solutions on them.

If you think about it as an attack surface, it's a handful of vast monocultures. So from an attacker's point of view it's quite a desirable target as a single attack type gets you tens of thousands of zombies for a botnet etc.

keiner • September 14, 2016 1:21 AM

...yeah, but on the other hand: Training keeps you fit! These internet "service" providers are all fat cats without much resistance to threats.

Maybe Apple should look for some billions in its deep pockets to preserve the infrastructure it so heavily depends on (or to be correct: the users of its hardware trash so heavily depend on).

Just saying.

Spooky • September 14, 2016 1:36 AM

The economic damage caused by a multi-day global outage would probably be on the order of 100s of billions to trillions. Sadly, most businesses do not have a Plan B that doesn't involve some form of non-local network access (even smaller retail shops still upload their daily transactional snapshots to corporate headquarters). For medium- to large-sized companies, perhaps the decision to run their entire shop on VOIP, SaaS and Amazon AWS will need to be revisited. :-)

If the internet were unavailable for an entire week (and cell networks proved utterly incapable of handling the traffic surge, even for simple SMS and voice comms) we'd be reduced to POTS, broadcast radio, television and local ham operators. And the postal service. Let that one sink in for a few seconds...


Cheers,
Spooky

Clive Robinson • September 14, 2016 1:37 AM

@ John Smith,

"During l'affaire Snowden, Edward warned Laura Poitras et al. to conceal, as much as possible, their internet locations: if NSA knows where you are, in the IP sense, it knows how best to attack you."

I'm still surprised at how few people picked up on the implications of that comment. It's perhaps better said "If I own the upstream node from you, I own your traffic". The main implication is the likes of the NSA strive to own the network switching/routing nodes, not individual leaf nodes.

So as an owner of a leaf node, it does not matter how much you instrument your systems, you will not see NSA droppings on your systems. As we now know the likes of SSL has not been much of an impediment to their activities due to implementation defects.

However, if you do become a person of sufficient interest, ownership of the upstream node to a target allows a tailored approach to dropping RAM only malware onto your system. Then using that as a bridge to get sufficient information on the system internals, put a real low level exploit in the likes of ROM on I/O devices, where all but the most expert of searchers with specialised equipment will not find it.

As I indicated at the time, sending "Tweedle Dee and Tweedle Dumb" up from GCHQ in Cheltenham to the London Offices of the Guardian was a real mistake. It allowed the Guardian to subsequently show to the world the areas of hardware on motherboards where they had removed and destroyed components.

It was confirmation of what sort of real low level attacks were possible (and actually known about by "old hands"). Which, if people remember, back then there was a lot of "head in sand" behaviour with "Bad-BIOS" denials. With such tricks later being shown to be used commercially by the likes of Lenovo to put persistent malware on their systems that would survive a full hard drive wipe etc...

And people wonder why I still build systems using old CPUs with real old fashioned UV-ROMs and have no Flash ROM or other "electrically alterable" ROM...

Bong-Smoking Primitive Monkey-Brained Spook • September 14, 2016 1:56 AM

@Clive Robinson,

"head in sand" behaviour with "Bad-BIOS" denials.

Sir! Please! Bad-BIOS to you. It's Good-BIOS to me :)

And people wonder why I still build systems using old CPU's

Yea! Old CPUs! I manufacture new ones and make them look old. That 486 you get isn't really what you think it is :)

"Flash ROM or other "electrically alterable" ROM..."

Hopefully another schmuck whistleblower won't publish a paper that leaks my electrostatic subversion tool! I can charge a hair-comb just right, and bring it next to your computer to infect it. We can alter your ROM by modulating the ambient humidity of your device. Try to air-gap that one ;)

Matthew Skala • September 14, 2016 2:20 AM

Linode, where I do some virtual-server stuff, experienced a series of attacks fitting the profile Bruce describes over the Christmas-to-New Year's period 2015/2016. They're not a huge player, but maybe big enough to be targeted by the kind of attacker he implies.

Spooky • September 14, 2016 2:28 AM

@ Clive,

"And people wonder why I still build systems using old CPUs with real old fashioned UV-ROMs and have no Flash ROM or other "electrically alterable" ROM..."

You know, I was reasonably happy with my trusty 286 in college; everything was rendered in a soothing shade of amber. So long as our standard unit of informational currency continues to be text, every computer produced since the 1960s should be capable of adequately consuming that data for your ongoing edification and enjoyment. Also, symmetric crypto is still possible on those old beasts.


Cheers,
Spooky

Clive Robinson • September 14, 2016 3:04 AM

@ Spooky,

Also, symmetric crypto is still possible on those old beasts.

This is where I really show how old I am...

Back when Byte Magazine was the number one computer mag to get, they published an article on RSA public key. Within a couple of days I'd written a 256bit version in Z80 assembler to run on a Microsoft CP/M card for the Apple ][.

As for PCs, yup, I remember amber screens; they were so much nicer on the eye than the eerie green of the "glass ttys" still prevalent in data centers of the time.

For my sins, locked up in the safe is an Amstrad PPC640 "portable" computer with 8086, 640K RAM, dual 720K floppies and a 2400 baud modem and "pull up" LCD panel with a strange yellowy green colour. As I've mentioned before, I still use it occasionally for generating OTP pages on a dot matrix printer with two part stationery...

Peter Galbavy • September 14, 2016 4:06 AM

20 years or so ago I remember standing up in a RIPE meeting and asking how IPv6 is going to provide diverse routeing via BGP to those that don't want to live in a hierarchically routed world. The academics couldn't understand why we, the commercial world, would want this in the brave new world of IPv6. This is one of the many reasons IPv6 failed and we are stuck with IPv4 (and no easy to get address space anymore).

The worry about state-actor attacks like this is somewhat like that; Many don't quite "get it" and believe that the individual parts that they are not interested in are not critical to others. You stop the cat videos flowing and you have as much of a problem as if you block consumer bank accounts. Some here will worry about the power station or the sewage systems being attacked while not noticing the traffic lights and cameras not working anymore.

Also, amazing what damage you can do with a pair of insulated wire-cutters and knowing which road junctions to go fibre cutting at. Only other accessories required are hi-vis clothing and some traffic cones or barriers. No one will ask a thing.

Too Long Didn't Read • September 14, 2016 6:03 AM

TL;DR the comments. What if it's a helpful sprite, what wants to improve the internetz. What if I have a friend, and he knows how to do things, and knows the internet is weak, but wants it to be strong. He probes, he scans, he DDOS's these various points; testing the other points along the way is just a natural consequence and I think is being read into more than needs to be. Things are getting stronger; revisiting the folks appears to show that the improvements are working! Everything is so gloom and doom in security, just chill and let's see what happens.
If it were a nation-state, which I again think too much credit is given to, a few guys with mild coordination/discipline could do what "nation states" do. DOS is an unsophisticated tool; if I were a "nation state" I'd use something worse in addition to DOS.

Martin MarcherSeptember 14, 2016 6:05 AM

"China or Russia would be my first guesses."

I'm sorry to be nitpicking but why isn't the United States a possibility here?

Ph - September 14, 2016 7:36 AM

"in Q2 2016, attacks continued to become more frequent, persistent, and complex."

DNS root letters also got a lot of unnatural traffic in that period: up to 17 Gb/s per letter of TCP SYN and ICMP flood.

http://root-servers.org/news/events-of-20160625.txt

I wonder if that was part of it.

As an old skool hacker, I wonder if I will see the root DNS go down in my lifetime. It used to be the summum for hackers, but I guess they gave up after a few reasonable tries.

r / agent rng - September 14, 2016 9:19 AM

@Clive, All

While I'm sure you realize this @Clive, for anyone else who's listening, his dot-matrix printer would still be vulnerable to a simplified version of the 3D printer dual side-channel leak, I'd assume.

It's also likely QUITE A BIT louder acoustically and electromagnetically too.

War Geek - September 14, 2016 10:04 AM

First, an observation: NANOG folks have noticed this before; typically the threads boil down to ways to do mandatory uRPF or postulations about reputation-based filtering for the ISPs that refuse to do uRPF.

Second, on the "this is really not new" point: it's especially not new for China.

I worked at a large operations center whose customers included the uplinks for a number of USAF bases. As I was on the night shift, my team spent a lot of time fielding weird problem requests escalated by the more prominent customers out of the CNS group. One such call was a clockwork monthly call we got for years starting in 2002 from a 'Hong Kong government IT' staffer. Every month he would ask the same thing: can we, the ISP for the same nuclear bomber USAF base, ask the USAF IT staff to stop filtering IP packets coming from their HK networks.

I had to find polite ways to say 'No' even though both ends of the phone knew it was a farce.

Yet they kept calling because they were waiting for the one time someone wasn't thinking.

The Chinese really don't care if we spot them, they think that overall they will eventually find the stupid and get through anyway.

Aegeus - September 14, 2016 10:12 AM

@Clive: Does the "covering fire" metaphor actually work in cyberspace? A DDOS attack makes the server unusable for everyone, attackers included. You can't lay down covering fire if your allies are running in front of your own bullets.

Maybe you could make it more of a headache for the defenders to figure out what happened - their access logs show a trillion connections from the DOS attack and one connection from a more sophisticated attack, so it gets lost in the shuffle - but a good search tool should be able to sort through all the "haystack" to find the needle within. And in any case, this would only serve to cover your tracks, not to open up a path for attacks that wouldn't otherwise succeed.
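The needle-in-the-haystack separation Aegeus describes can be done mechanically rather than by eye: collapse every request down to its shape (method, path, status, size, user agent), treat the one shape that dominates the log as the flood, and keep whatever does not match it. What follows is an added example for this thread, not code from the post or from any commenter. The log lines are constructed and use RFC 5737 documentation addresses, and the 90% dominance threshold is an assumed tuning knob, not a figure from the page.

```python
"""Find the one odd request underneath a volumetric flood in an access log.

Added example for this thread, not code from the post or any commenter.
The log lines are constructed; addresses come from the RFC 5737
documentation ranges and do not point at real hosts.
"""
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def build_sample_log(flood_sources=60):
    """Constructed sample: the same request shape from many sources, plus one
    request that does not share that shape (the 'needle')."""
    lines = []
    for i in range(flood_sources):
        lines.append(
            f'198.51.100.{i + 1} - - [14/Sep/2016:10:00:01 +0000] '
            '"GET / HTTP/1.1" 503 0 "-" "-"'
        )
    lines.append(
        '203.0.113.77 - - [14/Sep/2016:10:00:02 +0000] '
        '"POST /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"'
    )
    return lines


def request_shape(rec):
    """Everything about a request except who sent it and when."""
    return (rec["method"], rec["path"], rec["status"], rec["bytes"], rec["ua"])


def flood_shape(records, min_share=0.9):
    """The dominant request shape if it accounts for at least min_share of
    all records, else None (no single flood pattern worth subtracting)."""
    if not records:
        return None
    shape, n = Counter(request_shape(r) for r in records).most_common(1)[0]
    return shape if n / len(records) >= min_share else None


def residual_requests(lines, min_share=0.9):
    """Parse the lines, subtract the flood shape, and return what is left."""
    records = [r for r in map(parse_line, lines) if r]
    shape = flood_shape(records, min_share)
    if shape is None:
        return records
    return [r for r in records if request_shape(r) != shape]


if __name__ == "__main__":
    for r in residual_requests(build_sample_log()):
        print(r["ip"], r["method"], r["path"], r["status"])
```

Grouping by request shape rather than by source address is the point: a flood spread over many sources still collapses to one shape, while the one request that differs survives the subtraction. When no shape dominates, the function hands everything back rather than guessing, which is the safer failure mode for a triage tool.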

Badtux - September 14, 2016 12:05 PM

I have hosts on three different major hosting companies. One has seen major attacks that took down large parts of their infrastructure for several days at the end of last year, and is having to quadruple their pipes to deal with continuing attacks. They are baffled because the attacks don't comport with any of the previous attacks they've ever seen, which is where an attack is against the hosts of a specific domain that the attackers want to take offline, but, rather, the attacks are against the hosting company's infrastructure and they've received no -- zero -- communications about who the attackers are and what their demands are, something they've received in the past when people tried to take down a specific domain and resorted to attacking the infrastructure as part of their campaign to do so.

The second is under near-continuous attack because of their scale, but they, too, have seen parts of their infrastructure temporarily taken down by attackers who figured out how to trigger various scaling mechanisms rapidly and overload their control plane. They've hardened those mechanisms and added throttles to prevent the backlogs of requests that overloaded their control plane, but again, nobody took credit for the attack.

The third has thus far been spared the majority of the attacks, but their control plane also got attacked. Luckily they'd already implemented mechanisms to deal with an attack on their control plane, but they did have their DNS servers taken offline for a couple of hours by the attack, which meant that their customers who used their DNS servers (rather than DNS servers hosted elsewhere) went offline from the perspective of most of the Internet. Again, nobody took credit for the attack or made any demands.

All of these companies have had attacks against specific sites that have become controversial for one reason or another, but those are typically accompanied by demands from non-state actors. This is the first time they've simply been silently attacked.

My prediction is that things are ramping up for a major attack at the end of this year, when the majority of senior staff at most of these companies take a vacation between Christmas and New Years, where there will be concerted attacks on at least one of these infrastructure companies that will take down a large swathe of the Internet for at least several hours. What to do about it... I know that at least one of these infrastructure companies is making contingency plans, but of course am not privy to the exact plans. As for the root servers going offline, there are contingency plans for that too that should keep their customers working in many cases at least on a short term basis. Still, it's worrisome that we still have zero communications from non-state actors about any of these attacks -- which tends to back up the supposition that it's a state actor doing this.
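Badtux mentions throttles added so that request backlogs can no longer overload a control plane. An added illustration of that pattern, not the hosting company's code (whose actual mechanism is not described in the thread): a per-tenant token bucket in front of a bounded backlog, so that one tenant firing requests faster than its refill rate is throttled, and a fan-out across many tenants sheds load once the backlog is full instead of queuing without limit. The tenant names, rates and backlog size are constructed values.

```python
"""Per-tenant token bucket plus a bounded backlog for a control-plane API.

Added example for this thread, not any provider's code. Tenants, rates
and the backlog size are constructed values.
"""
from collections import Counter, deque


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; one token per request."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # start full so a fresh tenant gets its burst
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlaneGate:
    """Front door for scaling/provisioning requests.

    A request is throttled if its tenant is over rate, shed if the shared
    backlog is already full, and queued otherwise. Both checks run before
    any work is enqueued, so an abusive caller costs nothing but a rejection.
    """

    def __init__(self, per_tenant_rate, per_tenant_burst, max_backlog):
        self.per_tenant_rate = per_tenant_rate
        self.per_tenant_burst = per_tenant_burst
        self.max_backlog = max_backlog
        self.buckets = {}
        self.backlog = deque()

    def submit(self, tenant, request_id, now):
        bucket = self.buckets.setdefault(
            tenant, TokenBucket(self.per_tenant_rate, self.per_tenant_burst))
        if not bucket.allow(now):
            return "throttled"
        if len(self.backlog) >= self.max_backlog:
            return "shed"
        self.backlog.append((tenant, request_id))
        return "queued"

    def drain(self, n):
        """Workers take up to n items; returns what was dequeued."""
        taken = []
        while self.backlog and len(taken) < n:
            taken.append(self.backlog.popleft())
        return taken


def simulate_single_tenant_burst(requests=1000, rate=5, burst=10, max_backlog=50):
    """One tenant fires `requests` calls 1 ms apart (constructed scenario)."""
    gate = ControlPlaneGate(rate, burst, max_backlog)
    outcome = Counter()
    now = 0.0
    for i in range(requests):
        outcome[gate.submit("tenant-a", i, now)] += 1
        now += 0.001
    return dict(outcome)


def simulate_tenant_fanout(tenants=200, max_backlog=50):
    """Many tenants each send one request at the same instant (constructed)."""
    gate = ControlPlaneGate(5, 10, max_backlog)
    outcome = Counter()
    for t in range(tenants):
        outcome[gate.submit(f"tenant-{t}", 0, 0.0)] += 1
    return dict(outcome)


if __name__ == "__main__":
    print(simulate_single_tenant_burst())
    print(simulate_tenant_fanout())
```

The two simulations use a synthetic clock so the results are repeatable. In the single-tenant burst the bucket admits its initial burst of ten and then only about one request per refill interval, the rest being throttled before they touch the queue; in the fan-out every tenant is individually within rate, which is exactly the case a per-tenant limit cannot catch, so the backlog cap is what sheds the excess.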

Mark Stafford - September 14, 2016 1:07 PM

Deliberately proactive...

So here's an interesting little snippet. I understand from a retail ISP that they know for a fact that only about 30% of domestic addresses in the UK have malware protection, because they can see traffic to/from those providers, even though this same ISP gives away subscriptions to one vendor's offering.

That's the equivalent of having 70% of traffic on your road system as malicious, but targeted take-overable malicious. Imagine every truck in a country free and able to head straight into a city all at once. That's what a DDOS is. (We technologists should start using these analogies and not talk "DNS" this or "TCP" that.)

There is a reason we ask that cars/trucks are tested regularly to make sure they are fit to be on our roads, as well as the users of those vehicles being licensed. Those roads have capacities and traffic is managed (again I know that's a whole can of worms).

Either we apply that to the internet OR we allow those ISPs to have policing of end user access and block those that are ignorant or have malpractice. ISPs in the UK cannot immediately block an end-point (currently) at source. So any traffic is free to do its stuff unhindered.

yoshii - September 14, 2016 2:18 PM

Please comprehend...

The US Government Establishment and/or its attaché has already historically (within the recent 5-10 years) publicly acknowledged that it/they have technological interest and research in how to accomplish an "OFF SWITCH" for the Internet (DARPANET).

Please stop aggravating geopolitical nodes of information sharing with insinuations and accusations that all efforts are malicious and/or originate from nations other than the USA.

And of course it is worth mentioning that the USA is a big place with many different organizations and affiliations and credos (or lack thereof).

Too many false assumptions spread like malware and destabilize international relations.

Z.Lozinski - September 14, 2016 3:43 PM

Ciaran Martin, whose title is Director General Cyber at GCHQ, gave a public speech yesterday in Washington DC. It makes interesting reading. Especially in the context of Bruce's comments.

One area he focuses on is how the UK telecoms and ISP industries are co-operating with GCHQ on mitigating potential attacks. He specifically calls out defending SS7 and BGP - where the weaknesses are due to an outdated trust model.

He also mentions a pilot scheme scaling DNS filtering to the entire UK to automatically block traffic to "known malware and bad addresses". And he also makes the point this has to be opt-in to deal with consumers' privacy concerns.

The whole speech is well worth reading. The first paragraphs are a standard diplomatic speech - but much is refreshingly honest.

https://www.cesg.gov.uk/news/new-approach-cyber-security-uk

Just this guy, you know - September 14, 2016 3:59 PM

The salient point is that it's happening now and not, oh, ten years ago. What else is happening now? Oh right, another round of DRAMA at ICANN't, where they're lobbying to get to rule themselves "transparently" while at the same time repeatedly proving to world+dog that they are not trustworthy. They're just wannabe oligarchs. Which is one reason why the critters in senate and congress oppose it so much. But whatever happens, since ICANN't is still a California corporation, subject to PATRIOT act, NSLs, and whatnot else, it's all for show.

So it makes eminent sense that other parties say things like, "oh right, things may or may not change, but let's at least make sure we know how to turn the whole thing on its head." For whatever reason, like taking it out at a crucial point and providing a more viable alternative. No matter the reason, the capability is undeniably useful, but the timing is conspicuous.

And whoever they are, they're in a good position for such shenanigans, because in either case the political supports of the current critical infrastructure are simply too weak to withstand any headwind at all. So we have structural failures at layer nine, and they are unfixable given all publicly contemplated options.

And yes, far too often the techies get blindsided by the political games, or completely misinterpret what's going on, or outright refuse to see what's happening right under their noses. So this trainwreck will go right on and continue to wreck itself.

I do have an alternative. Get Barry to call me, he has my number. If you care.

Clive Robinson - September 14, 2016 5:02 PM

@ Badtux,

"My prediction is that things are ramping up for a major attack at the end of this year, when the majority of senior staff at most of these companies take a vacation between Christmas and New Years"

My guess, if it is to be towards the end of the year and the perps want to cause major impact, is that it would be the first shopping day after Thanksgiving, "Black Friday". It would be major newsworthy and would give rise to tabloid titles such as "Blackout Friday" etc. It would cause a fair degree of economic damage at the bottom of the economy and cause quite a bit of distress in those hunting for that special bargain.

Just a thought - September 14, 2016 8:34 PM

I don't know if it's been mentioned yet but.... I think if this is true then it's just staging. I'm sure most people aren't going to be OK with a foreign entity being in charge of the Internet as is being suggested by POTUS. The usual problem-reaction-solution trick the government does. So create a problem, garner reaction, offer a solution.

Jim N - September 14, 2016 9:10 PM

@ Just a thought,

"So create a problem garner reaction offer a solution."

I doubt the exiting POTUS suggested that the US is in control of the entire internet, though I agree this seems more like a publicity stunt and a recurring event over many years.

Clive Robinson - September 15, 2016 12:21 AM

@ Z.Lozinski,

"He specifically calls out defending SS7 and BGP - where the weaknesses are due to an outdated trust model."

It's funny you should mention "outdated trust model" and GCHQ together.

I'm sure quite a few UK Members of Parliament (MPs) now understand the concept of "outdated trust model". Having been told by civil servants for decades that "the Wilson Doctrine" was specifically designed to keep their privileged communications confidential against the UK IC, they need not concern themselves with privilege/confidentiality/secrecy. It must have come as quite a bit of a shock to be told that it was completely and utterly ignored by GCHQ virtually from day one...

The MPs must further have been galled about GCHQ's supposed clearing of the use of certain Microsoft products, that stored the MPs' documents, emails etc via foreign countries such that they too became "legitimate traffic" for both GCHQ and other nations' ICs to hoover up en masse.

And at the end of the day there is now no trust in the mind of a sensible informed individual[1] when it comes to the ICs. Not just of foreign states --that's almost a given--, but the home nation as well.

Whilst the idea of a "Great British Firewall" (GBF) is a seductive idea it's actually a throw back to "Old Imperialist Thinking".

That is, it's just more of the old "Pull up the drawbridge and keep out 'johnny foreigner'" that people are castigating the likes of Donald Trump for. The GBF has been suggested and sensibly rejected in the past a number of times. I suspect that it's been dragged out of the cupboard yet again because our current government is now under the control of Theresa May PM on the back of the "Brexit vote". She is/was the driving force behind a great deal of very poor legislation including "the snoopers' charter" and the European Court of Human Rights has been frequently and quite sensibly opposed to what appears to be her "ideals, mores and morals".

The GBF would actually have been illegal previously because EEC and EU legislation uses the term "any person legal or natural" when talking about "free trade/movement". Which in effect means not just "Johnny foreigner" but all companies, their agents and similar, along with their "goods and services" tangible and intangible. Thus those outside the EU would set up European shell companies in compliant "blind eye turning" countries, of which there are several, as the Apple tax evasion scandal has quite clearly shown.

Thus even if the GBF had been legally possible it would have created the information equivalent of the physical problems "The Schengen Area" agreement created that has led to the impossible-to-manage Sangatte and similar issues.

The truth of the matter is "choke point security" which all Firewall systems are, are a bad idea if you can not 100% guarantee there are no other ingress/egress points.

Thus the GBF could be looked on as a "decrepit fence around a nuclear waste dump", not something you would sanction unless you had no other choice. And the truth is that the proper solution is "clean up the mess" not "put an impossible to secure fence around it". Because if you don't you just "build in future debt" that due to complexity will grow as a power law.

Thus the reality is a GBF would not really solve any of the issues, just mitigate them slightly short term. Further, the cost would escalate to the point that it would be yet another unneeded tax on economic growth, as well as being a crippling impediment to productivity; thus businesses would either become stagnant or move, with the latter being the favoured path by most businesses (think about why Apple set up its European operation the way it did).

So rather than "hide the mess" behind a GBF the correct solution is "clear up the mess as quickly as possible".

But... All of the above issues assume an "honest system" running the GBF, the problem is there are no "honest systems" when governments are involved due to various "capture mechanisms". Our current western IC is out of control and not subject to the level of trustable oversight needed to keep it honest or trustable. Leaving aside the idea of turning "poachers into gamekeepers" there is no incentive for the IC to behave honestly, therefore they can not by definition be trusted.

But it really does not matter if the IC actually runs the GBF or not. The steps needed to make the GBF work favour the IC more than the GBF, thus they benefit tremendously either way.

[1] "The reasonable man on a Clapham omnibus" definition that was once much loved as a test by the legal profession.

tyr - September 15, 2016 1:50 AM

@Clive

I'll bet at some point May decides to investigate buying the GF of China because it works the way her mindset does.

Malice is unnecessary when stupidity is around.

Z.Lozinski - September 15, 2016 3:54 AM

@Clive,

You've made the obvious conclusion that this is a step towards a Great British Firewall (GBF). I'm going to disagree (in part) and agree (in part) with some of your conclusions on the implications.

First to disagree. Any major ISP already has to put in place defences against a variety of attacks. And they share information about what they see. The problem is usually the smaller, cost-focused, ISPs. They are the ones that would benefit from GCHQ saying "here is your next set of problems: apply this set of rules" . Much like GCHQ's security recommendations to UK businesses - they are nothing anyone here would quibble with - but for many small and medium companies they are valuable, if only they would implement them!

And to agree. The UK courts have been willing to order ISPs to implement technical measures to protect the commercial interests of media companies. It is a short step for those courts to see the GBF as a mechanism they can use to block content that is not illegal, but commercially or politically undesirable. (e.g. The UK celebrity injunction fiasco; some of the odd uses of the EU Right to be Forgotten).

I would also think, from an intelligence point of view, that it's preferable to have the world's nutjobs on the open internet where you can keep an eye on them, as opposed to having them develop the technical skills to go into the dark web. And I'm aware this conflicts with my own views on privacy.

Your point about the EU is interesting. There was clearly something in the air on Tuesday, as that was the same day the EU proposed its Directive on Copyright in a Single Digital Market. The net seems to be (Art. 13) that major OTTs will be responsible for policing on-line copyright. It's being reported on /.

Article 13 "Use of protected content by information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users"

http://ec.europa.eu/transparency/regdoc/rep/1/2016/EN/1-2016-593-EN-F1-1.PDF

Ross Anderson's BCS Lovelace Lecture earlier this year on The Challenges of Scale also makes some interesting points in this area, about the implications of scale on both the intelligence community and the major digital companies (Apple, Google, Facebook).

http://academy.bcs.org/content/2016-lecture

A logical consequence of Ross' presentations would be the Over The Top providers implementing protection mechanisms like that proposed by GCHQ. (e.g. So you can't post malware links to someone's FB timeline.) Then you get into the debate on whose values prevail on the internet, as Facebook recently found out with Nick Ut's 1972 photo of a Vietnamese girl fleeing a napalm attack.

Finally, I'm going to disagree with you about "the sensible informed individual on the Clapham omnibus". I've been very disappointed with the lack of public debate over the Snowden affair, apart from in Germany. Somehow the Overton Window of acceptable political discourse has moved to a point that was unthinkable only a few years ago with regards to surveillance. The only people concerned seem to be the security community, who observe backdoors are a Bad Idea, and that if you collect data online it becomes a Target (e.g. the US Office of Personnel Management - now if ever data belonged on paper in a double locked safe ...).

But it still leaves the question, how best to secure the vast majority of technology users who don't understand security.

Mike Perry - September 15, 2016 7:05 AM

The fix for critical services like banking and hospitals is to get them off the Internet. There's no reason why everyone should be there. Those with particular needs should have their own networks and severely limit who is on them. That makes sense for security now, independent of any DDOS attack.

And if the source is China, which is likely, come up with ways to cut almost all traffic into and out of China. And by that I mean something that could be as drastic as a giant guillotine cutting fiber cable. Install those cutoffs as close to China as possible, but if a country refuses to have the cutoff, include them in the exclusion. Keep in mind that you don't have to cut all traffic into and out of China. Just enough for that DDOS attack to fail.

And to state the all too obvious, come up with multiple ways to communicate that are not dependent on the Internet. That'd include HF radio, satellite phones, and any independent systems the military have. Plan how to use them in advance.

Don't forget those scenes in Independence Day when, with all other communication schemes shut down by the aliens, the U.S. military resorted to HF radio and CW. Sometimes the best technology is the least sophisticated and least complex, particularly when the entire system is a transmitter/receiver at each end. For HF, nothing else matters but the ionosphere and the time of day.

Exohmin Crendraven - September 15, 2016 8:12 AM

Please accept this hat that I made for you!

I spent a lot of time in its making, and an entire roll of aluminum foil.

I believe that if you wear it daily it will really help you.

Artist formerly known as Art - September 15, 2016 8:22 AM

Seriously?
What is there to defend? Access to claptrap like this?
It is a shame that 23 years into the era of common home internet use, it has had not one iota of net positive effect on the use of written language.

Z.Lozinski - September 15, 2016 8:41 AM

@Mike Perry,

You have made me realise that one of the problems, ironically, is IP. We talk about how monocultures are a Bad Thing from a security perspective. And yet IP, and specifically IPv4, has become so pervasive that (in security terms) it is a monoculture.

One of the consequences is that everyone who needs remote access to anything (e.g. previously the dedicated dial-up console accesses) now use IP.

I don't think disconnecting any company from the internet is likely to be helpful. Have a look at the TeleGeography maps of global interconnection to see how interconnected countries networks are. Secondly, US companies' supply chains are closely integrated with companies in China.

Mile - September 15, 2016 8:51 AM

"China or Russia would be my first guesses." - oh move along, automatically blaming Russia or China is so past-century propaganda.
"It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on" - exactly, a US Cold War program. There is an impressive list of bad-guy-things which in reality are done by the US more readily and on a larger scale than by any other country labeled "bad guys". The US is violating freedoms and privacy of its own citizens. The US is killing foreign civilians daily. The US is making deals with terrorists. The US threw the first atomic bomb, and the US will be the first to perform a major strike on the internet, as soon as the right excuse is created, as always. They are always trying too hard to make you believe that there is "US" and "them", and it is working.
I'm not some fan of Russia either, but if I am to make a judgement based on evidence over doctrine, the US deserves a place among the top suspects.

r / agent rng - September 15, 2016 10:10 AM

@Art,

Really? You don't recognize that language even outside of the CE has been a moving target?

Maybe I articulated that enough for your particular articularity.

Dan - September 15, 2016 10:17 AM

The Internet still uses old concepts, and that freedom of thinking and its ingenuity pays back as usual in bad ways; instead of dynamic IPs, use fixed ones, make them linked to a precise person or company, like a phone number; make it all secure - meaning that only certain IP addresses can go into certain sites; I know that everyone will start yelling about privacy; there is no privacy even now so calm down; all security issues are coming mainly from the fact that potentially any user can do anything; well, if you need to use a site, certify your identity, that's all. Then it's up to the software to see which one did what. End of worries.

bill - September 15, 2016 10:29 AM

Seems like only yesterday that we were all able to live just fine without the Internet. In some ways I long for those days.

Jim N - September 15, 2016 10:33 AM

@ Dan

You're making it too easy for bad actors to impersonate someone else. And let's not forget a user must be able to protect themselves from site operators because the trust model has issues of its own. There are a few countries that have had bad examples of this.

sinip - September 15, 2016 10:57 AM

Ah those pesky Russians and Chinese at work again. I mean, don't they have something else to do, like battle falling economy, improve democracy and human rights, build more H-bombs, dope more athletes (wait, US does that too but "legally"), or so? :-))

Charles - September 15, 2016 11:36 AM

Let's remember that although human intelligence is (somewhat) easy, there are many things that slip past even the most intelligent and well trained humans. These attacks could very well be information gathering for big data analysis, where very small sets of sparse data are being gathered to find 0-day methods, methods not known to humans, even the creators of the systems under attack (Cisco comes to mind for some odd reason...) Sometimes a cigar is just a cigar.

Amal - September 15, 2016 11:47 AM

Agree with Mile - one of the primary suspects is the NSA themselves.
If there is one agency which has superpowers to launch attacks of any kind it is definitely the NSA. And we know from the Snowden incidents how little conscience these guys have to violate any human rights and they have no back-off to perform the most evil of actions when they, in their divine rightness, deem this "necessary".

Green Squirrel - September 15, 2016 12:54 PM

@Clive - it is very, very, very rare that I disagree with you but:

"And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc."

I read a lot of things saying something similar to this but I still don't believe it. DDoS attacks are noisy, simplistic and blunt objects. All it does is set off alarms on the victim and trigger response processes. It is not an effective way of covering a more subtle attack.

The problem I have with this mindset is that it takes a real world analogy and misapplies it to the cyber-realm.

One of two situations is likely to exist:

1) The victims have good technical security (IPS, SIEM, Fireeye, Resilient etc, etc etc). If so, the DDoS won't stop any of these functioning, and if anything, will just draw attention to their alerts at a time of heightened panic.

2) The victims don't have good technical security - in which case the DDoS isn't needed, just APT them to death.

Neither supports the value in running a DDoS to mask any other attack.

B - September 15, 2016 1:35 PM

It's sadly not surprising that a sizable portion of the moronic parrots posting comments all have the same entirely predictable, knee-jerk, banal objection to Bruce's comments pointing to China or Russia as the most likely suspects, borne out of nothing more than some sort of delayed adolescent, quasi-knowing but utterly uninformed, emotional bias against the US [government] combined with a clear lack of reading comprehension.

Please, before one more of you posts another variation on your repetitive theme: reread the article.

Bruce does not rule out any other actor being responsible, he simply says that in his *informed* opinion--i.e. that thing none of you has--China or Russia are most likely.

And as he also clearly states, he has information--as do the people he talked to who pointed at China--that he cannot share publicly.

So please those with the same biased disposition who haven't chimed in yet: save the rest of us from another "waaaahh!!! Why did you rule out the NSA!?!? Waaaahh!!" comment.

ab praeceptis - September 15, 2016 2:08 PM

Green Squirrel

I think you are wrong. The main two reasons being your assuming that the usual protection mechanisms still work (for everything except the DDOS) and the nature of a DDOS attack. There *is no* real protection, just some rather half-hearted mitigation. Once the traffic arrives at your firewall and other protection devices the damage is already done (and the costs incurred). Any protection whatsoever would need a propagation system (with all the caveats like trust problems).
Moreover, looking closer you will notice that all that equipment has a max pps limit, beyond which its working (or not) becomes undefined. Depending on the device that may translate to "pass everything" applied or to "cut off everything".

Plus the human factor. Important example: most attacks can be mumble-jumble explained away ("one customer has [done stupid or evil thing]. The problem is solved now. Apologies") but not DDOS. Each and every customer will notice that and quite probably the problem will also be mentioned in blogs, gazettes, etc.

Plus, while single customers might use massive protection schemes (like cloudflare) that's hardly an option for a provider, e.g. a hoster. Just look at the prices of "protected bandwidth".

Mile - September 15, 2016 3:07 PM

@B As we all know, and as the article itself confirms, attacks could be made to seem to come from anywhere in the world, and I'm sure a great deal of hackers use Chinese IPs and servers. All I am saying is, the way he puts it, "China or Russia would be my first guesses.", sounds more like the text is aimed at the average brainless yellow press reader, the sort of stuff you add to an article on purpose to inspire cheeky discussion like the one we have now, in order to increase the number of page hits. He should have avoided publishing such an assumption without basing it on something more solid than "state actors" (so we know it's a state? Must be China or Russia) and "It's not normal for companies to do that" (like big companies are known to do normal stuff). Let's face it, "China or Russia would be my first guesses" sounds like a line out of black&white American movies.
All this makes me feel a bit disappointed in CodeProject, the newsletter that brought me to this page, as they even gave this article a headline.
Btw B, you're the only one here who is calling people "moronic" and makes crying baby sounds in the comment box, so maybe you're the one who should contemplate his "delayed adolescence."

free - September 15, 2016 3:13 PM

Schneier is a textbook example of US sponsored terrorism. All he does is spit out war propaganda so that people believe that evil actors everywhere are trying to attack them. This is the most basic tactic used by state terrorists in order to control their populations. Make them feel afraid (i.e. terrorize them) and then pretend to protect them and present themselves as divine saviours. Or "experts" in "cybersecurity".

Gerard van Vooren - September 15, 2016 3:32 PM

@ Skipresto,

Careless talk costs lives. Many on here just showing off their knowledge to the enemy.

They (whoever they are) invested a lot of money, tested a weapon and don't know what to do with it? It doesn't make sense. They know exactly what to do with it, when and why.

@ Amal,

Agree with Mile - one of the primary suspects is the NSA themselves.

I don't think so. But are they ultimately responsible? Quite so. Not only the NSA but all IC and related parties I mean. Let me explain. Where do these DDOS'es originated? Weak security on personal computers mostly so malware gets easily installed. Could this have been solved? Of course, it's only a matter of willing to do so. The current trend is that there is no willingness (just read some of Bruces blog articles). So the IC's are at least partly responsible. I don't think however that this attack is an NSA job.

@ Andy, Clive,

If it was Russia, it could be a test run for Nov. 8th.

My guess is, if it is to be towards the end of the year and the perps want to cause major impact, it would be the first shopping day after Thanksgiving, "Black Friday".

Let me add another date, October 1. That's the day that China will join the SDR.


About a technical solution, there isn't one that I know of against DDoS in the current environment, but of course IPFS (and similar) could deal with the single point of failure problem. Maybe it's time for a true p2p internet.

Woo • September 15, 2016 3:37 PM

Sounds more like North Korea. You need someone with minimal internet connectivity. China and Russia are too connected.

Alex79 • September 15, 2016 3:48 PM

I'm sure it's Russia, because Putin's government now more and more brainwashes Russian citizens, telling them that the Iron Curtain was a good thing, that the Internet is a product of the devil, that scientific and cultural progress is against God (or against the "Russian spirit"), that the West is rotting in sins, so Russians should restore the Iron Curtain for themselves, to become isolated from "dirty, alien and sinful" Western culture again. It's a wild mix of Soviet principles and Orthodox Christianity in its most conservative form.

ab praeceptis • September 15, 2016 3:55 PM

Alex79

Thank you so much. Thanks to your brilliant "logic" I've finally succeeded in spotting the most dangerous and evil cyber-warlords of all: The Amish in the united states of a part of a part of america.

Of course, the millions upon millions of pious us-americans and the poles are evil hackers, too.

Marcos Malo • September 15, 2016 4:29 PM

@r / agent rng
Aha! It's grammar prescriptivists that want to take down the Internet!

SomeOtherSquirrel • September 15, 2016 7:15 PM

"These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down."

Since there are certain organisations out there that try to crash whole nations, I've got some questions:

- How big is the chance to calculate/estimate the possible crackdown point from the data they've already acquired?

- Given the fact that it would cost billions of $ if their efforts were successful... could it trigger a new economic crisis?

And last but not least the creepiest question:

- What would happen if they manage to take down some of those root servers on a certain religiously and/or conspiracy-theory predicted day? Think of the possible psychological impact that it would have on those groups... O_O

So long says
some other squirrel

PS: Sorry for my bad English... I'm tired as hell ._.

Grauhut • September 15, 2016 7:19 PM

@Gerard: We have seen a show of force from a silent attacker.

China? No, too much Alibaba traffic to lose.

Russia? They work targeted and a DDoS stops targeted work; you never know which packet will get lost.

US? No, it's their toy.

Some kind of "would like to be the great invisible hand"... An NGO?

Bong-Smoking Primitive Monkey-Brained Spook • September 15, 2016 7:43 PM

Thilenth everyone! It wath jutht uth all along. Thmall fire drill, that'th all.

@sinip,

I'd like to have a bit of the same thing you're smoking now. Looks simply awesome. :-)

I'm your Huckleberry ;)

SomeOtherSquirrel • September 15, 2016 7:51 PM

I wouldn't call it NGO... name it VEO (although it seems that they're not 'that' violent as long as they're able to use their soft-power tactics...)

PS: the western nation states are the target not the culprit...but anyway...i'm just a squirrel...so where are my nuts? :p

Jim N • September 15, 2016 8:11 PM

@ Grauhut

You're certainly right the big brothers would rather we be connected to the net all day so they can watch our every single move, but a little FUD wouldn't hurt their cause, at least in terms of funding and making us give up more freedom. :)

Gordon • September 15, 2016 11:01 PM

@Green Squirrel

One of the resources that DDoS exhausts is 'eyes on glass'. It's all very well having great tools properly configured and effective processes for utilizing them and responding to threats but if the attention of the competent staff is diverted to other matters apparently more critical to the ability of the business to continue to generate revenue then those tools won't be of much use no matter how brightly they are lit up.

By the time the analysts return from DDoS mitigation detail the APT has already played out its 'false positive' cover.

Matt • September 16, 2016 5:02 AM

Why not just block China and other states that are suspected of this activity from the internet? These rogue countries are able to block their citizens from accessing it.

sinip • September 16, 2016 6:05 AM

@Matt
I'm pretty sure the USA could do it for its own citizens, but if you haven't checked the facts lately, the USA doesn't own the Internet any longer. :-) Actually, considering the quantity of Chinese equipment on Internet backbones, it could be the USA on the "receiving" end of the stick this time. If it doesn't behave.

JR • September 16, 2016 8:05 AM

"China or Russia..." It amazes me that our government's fear-mongering still lingers with everything we know. Anytime a politician wants to make a sales commission on an arms deal, just throw out China or Russia as a threat.

This is most likely our own government, as people are finally realizing that this country isn't as free as we thought it was, the elite are abusing their power, using our troops to fight conflicts we started so they can line their pockets, and at some point, an uprising may occur to take back this country from them.

Jeff • September 16, 2016 11:10 AM

Why are you assuming it's Russia or China? It could be the US doing tests to prevent such attacks.

Gerard van Vooren • September 16, 2016 12:20 PM

@ Grauhut,

Russia? They work targeted and a ddos stops targeted work, you never know which packet will get lost.

I don't think one excludes the other, and I also don't think that "Russia" is one entity, like the US isn't.

I am speculating / probably bullshitting from here on:

When China joins the SDR on October 1, that's the biggest financial event of the year. We are talking about the IMF. If the DDoS tests are as alarming as Bruce wants us to believe, that must have a good reason. I can't think of a better reason than a financial one (a racket).

What, except for "blowing up nukes/nuclear power plants", is the biggest impact an internet blackout can make? My monkey brain tells me it's not being able to make financial transactions. If that happens for a considerable period of time, right at the moment that China joins the SDR, it could result in a wave of panic. If this panic is widespread enough, it could result in bank runs all over the world, which leads to a collapse of the entire financial system.

The questions are who benefits from this and how do they benefit from the crash.

Clive Robinson • September 16, 2016 12:38 PM

@ B,

So please those with the same biased disposition who haven't chimed in yet: save the rest of us from another "waaaahh!!! Why did you rule out the NSA!?!? Waaaahh!!" comment.

First off, saying "same biased disposition" not only destroys your argument but kind of makes you look like a troll - something you might want to think about when next you post.

Secondly, as I've indicated many times before, the attribution problem is not resolvable unless you have 100% vision over every link in the chain. As this is not possible even for the NSA, all you are left with is "assumptions" or "hunches", none of which meets the "beyond reasonable doubt" bar. Worse, it usually does not meet the lesser "balance of probability" bar either.

Thirdly, the "attribution game" in the US is most easily classified as at best a game of "follow the leader". First we had all the noise about "China APT" whilst wiser heads were pointing out other nations including Russia were at it. Now it's Russia's turn in the barrel; it will in due course be somebody else's turn at some point. However, the most notable element is that the nation chosen for the attention at any given time has abundantly clear political overtones to do with how certain US agencies perceive "foreign relations".

A simple examination of history shows that both China and Russia were doing what they were doing long before their turn in the barrel and will carry on regardless just the same during and after the US Gov has turned the spotlight on another "Axis of neo-evil".

It's fairly safe to predict that Iran or similar on the US S41t list will be the next in the barrel. The only question that is really pertinent is which US entity will provide the lead for others to follow.

Meanwhile the earth will keep turning, the sun will rise and set tomorrow, and almost as assuredly everyone will carry on with their games regardless of who the US selects next for barrel squatting. The only thing that will change is that more and more countries' ICs will develop their own cyber capabilities. Including the "Independent Republic of Tooting" that some kid in his back bedroom has decided now exists as a nation (or should do so).

Joe • September 16, 2016 1:45 PM

I can't see how taking down Verizon would take down the internet. Maybe if you took down all of the root name servers then you might take down some of the DNS system, but most ISPs cache a lot of this data. The internet was designed to not have a single point of failure.

However if you had a botnet big enough you could repeatedly overwhelm a few key routes and trigger something like a BGP flood, that is how I would do it at least.

Joe

David Cameron • September 16, 2016 2:15 PM

Hmmmmm That sounds like going back to the 70s which were definitely the good ol' days. Sounds good to me.

Grauhut • September 16, 2016 6:12 PM

@Gerard: I think China entering the SDR basket is a singular event already booked in.

Have a look at recurring worldwide financial events like the "triple witching hours" four times a year.

If some org manages to get the worldwide financial internetworked markets out of sync by lights out on such a day we would see real fun...

Clive Robinson • September 16, 2016 6:35 PM

@ r,

it's the would burners tilting at the wind mills.

Hmm "would burners" sounds like "witch finder generals" or "Spanish Inquisition" not a man on a broken down old cart puller fighting the giants his befuddled old mind sees the mills as.

Marc • September 16, 2016 6:44 PM

Is part of the reason that a DDoS attack is impossible to block because the source IP addresses can be forged? If so, why is this even allowed?

If it was not allowed, then as a first step couldn't an attacked site at least cut off access from the country or countries where most of the attack was coming from? Just as a first step. And then proceed to block the routes which most of the attack was coming from?

Eventually, couldn't at least some source IPs be knocked offline by their ISP until they get a clean bill of health? Is this unrealistic?

r • September 16, 2016 7:50 PM

@Clive,

Two things, both this and I could do irreparable harm to the coming parables:

One, I saw a Garfield comic when I was young that said "diet is die with a little t at the end."

Two, it could be all the peanut butter on my diet.

Third, we already know that I suffer from the overlapping problem of reading too much and at the same time not reading enough.

Should I leave well enough alone?

Maybe • September 16, 2016 7:51 PM

Could be manipulating traffic flow for the purposes of unmasking Tor users, by making packets drop on the destination end and watching for changes at the entry nodes.

r • September 16, 2016 8:14 PM

@Clove (Because we all know IT's true.)

Wood burners, depending on the perspective are a thing of the soon to be distant past. Not that they're entirely inappropriate in this day and age but we have better things... Wind mills for those who missed the @Sancho_Panza rant (of mine) is a reference to what P=NP would label as mouth breathers. Ideas (and other unfortunate ventures) travel on the winds.

For the most part I'm of the camp that no idea is a bad idea, just like how guns don't kill people.

Jim • September 16, 2016 9:58 PM

DDoS can't completely be stopped because it can be the same as legitimate traffic, just a very big volume of it. Hitting refresh over and over again in your browser on a web page is like a very tiny DDoS in theory, though in practice each packet will be set with a fake source address and set to make the server respond with as many bytes as possible.

A reflection attack uses packets first sent to another server or resource, but with each packet's original source set to the target's address, so that the first server thinks it is being asked to reply to the target, and amplifies and reflects the original requests as it does this. An NTP reflection attack works the same way, only it uses packets originally only a few bytes in size, reflected at time servers with a query that produces the largest possible amount of bytes for each reply.

DDoS is basically abusing normal operations of the internet so that servers produce very large amounts of data in response to very small queries. While pretending to be B, send 64 bytes to A, producing 64,000 bytes directed at target B.

Google for Work's online business mail, contacts and calendar service went down yesterday for many people, no word yet why, but also there were problems in some areas reaching their public DNS. A few different DNS services have been somewhat unresponsive for certain locations over recent days.
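Jim's description of reflection and amplification above also tells a defender what to look for: replies from well-known UDP service ports that no host inside the protected network ever requested. The Python below is an added example, not from the post or its author; it applies that check to constructed flow records, and every address, port and byte count in it is made up for illustration.

```python
"""Spot reflected/amplified UDP traffic in flow records (added example).

From the victim's side, an amplification attack looks like a stream of
*answers* from well-known UDP service ports (NTP, DNS, SSDP, ...) that no
host inside the protected network ever asked for: the request carried the
victim's spoofed address, so the reply is unsolicited.  The check below
pairs each inbound reply with an outbound request and reports the rest.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their service port.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, NetFlow/IPFIX style (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def find_reflections(flows, protected_net, min_bytes_per_packet=200):
    """Return per-service totals of unsolicited replies aimed at protected_net.

    A reply counts as solicited when a mirrored request flow exists
    (our host:port -> reflector:service).  Large average reply sizes are
    flagged as amplified.  Caveat: if outbound requests leave via a path
    this exporter does not see, legitimate replies will be reported too.
    """
    net = ipaddress.ip_network(protected_net)
    # Requests our own hosts sent, as (our_host, our_port, server, server_port).
    requests = {
        (f.src, f.sport, f.dst, f.dport)
        for f in flows
        if f.proto == "udp" and ipaddress.ip_address(f.src) in net
    }
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or ipaddress.ip_address(f.dst) not in net:
            continue
        service = REFLECTOR_PORTS.get(f.sport)
        if service is None:
            continue
        if (f.dst, f.dport, f.src, f.sport) in requests:
            continue  # genuine answer to a request we really sent
        t = totals[service]
        t["flows"] += 1
        t["packets"] += f.packets
        t["bytes"] += f.bytes
        t["reflectors"].add(f.src)
    report = {}
    for service, t in totals.items():
        avg = t["bytes"] / t["packets"]
        report[service] = {
            "flows": t["flows"],
            "packets": t["packets"],
            "bytes": t["bytes"],
            "reflectors": len(t["reflectors"]),
            "avg_bytes_per_packet": avg,
            "amplified": avg >= min_bytes_per_packet,
        }
    return report


# Constructed sample: 198.51.100.0/24 is "our" network (documentation range).
SAMPLE_FLOWS = [
    # Legitimate NTP: our host queries a time server and receives one reply.
    Flow("198.51.100.10", 51000, "203.0.113.5", 123, "udp", 1, 76),
    Flow("203.0.113.5", 123, "198.51.100.10", 51000, "udp", 1, 76),
    # Legitimate DNS: a query and its answer.
    Flow("198.51.100.10", 40000, "203.0.113.53", 53, "udp", 1, 70),
    Flow("203.0.113.53", 53, "198.51.100.10", 40000, "udp", 1, 150),
    # Reflection: NTP "replies" from servers we never queried, aimed at our
    # web server's port 80, 468 bytes each (monlist-sized responses).
    Flow("192.0.2.11", 123, "198.51.100.20", 80, "udp", 400, 187200),
    Flow("192.0.2.12", 123, "198.51.100.20", 80, "udp", 400, 187200),
    Flow("192.0.2.13", 123, "198.51.100.20", 80, "udp", 350, 163800),
    # Reflection: unsolicited, oversized DNS answers to the same target.
    Flow("192.0.2.53", 53, "198.51.100.20", 80, "udp", 100, 300000),
    # Unrelated TCP traffic, ignored by the check.
    Flow("192.0.2.99", 443, "198.51.100.10", 52000, "tcp", 10, 5000),
]

if __name__ == "__main__":
    for service, stats in find_reflections(SAMPLE_FLOWS, "198.51.100.0/24").items():
        print(service, stats)
```

On the sample data the two legitimate exchanges are paired away and only the NTP and DNS reflections remain, both flagged as amplified by their reply size.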

Jim N • September 16, 2016 10:17 PM

@ Gerard van Vooren

" If that happens for a considerable period of time, right at the moment that China joins the SDR, it could result in a wave of panic. "

It's classic hump and dump, which is jacking up public expectations so interested parties can dump a substantial holding. The expectations that "internet" may (though may not) crash is enough to jack up expectations of the crash so any minimal selling triggers a vast sell-off. We've seen this both ways over the course of the years both on the way up and down, but lately it touches home because the stockmeister game has been mostly involved with techs.

But let's not forget in order to profit, the actor needs to have access to a vast holding, and there are only a few players in the world big enough to real-ize your version of the "bullshit".

Jim • September 16, 2016 10:42 PM

I should add that Microsoft, for instance, tried changing their version of the command line CMD to limit the maximum values of byte size and wait-for-response times in packets that could be sent to other systems. Someone can just replace this modified CMD with an older or customised version if they wanted to, though. I don't imagine many malicious actors would use a Microsoft operating system for a DDoS anyway, unless there was some advantage for the particular goal they were trying to achieve.

Cloudflare provides DDoS mitigation for many online providers of content, including those annoying CAPTCHA things if it appears you might be behind some kind of proxy or VPN. They keep increasing the complexity of CAPTCHAs as bots increasingly become more capable of learning to read and recognise how to defeat them. CAPTCHA aims to slow multiple requests from the same address in order to beat or frustrate abuse like DDoS. Other mitigation strategies include gateways or firewalls configured to ignore or drop packets once they exceed certain thresholds. Attackers find new ways to slip past, abuse or mitigate such counter measures.

DDoS is generally a very unsophisticated attack, though on occasion you do see people capable of much more sophisticated DDoS attacks where only one actor using a single device can overwhelm comparatively quite large systems, it's still mainly aimed at knocking stuff off-line or making it unavailable, or frustrating and occupying the time of administrators. It's unfortunately often hard to prevent, easy to execute, and if deployed by a skilled adversary can be impossible to trace.

Jim N • September 16, 2016 11:45 PM

@ yoshii,

"The US Government Establishment and/or its Attaché has already historically (within the recent 5-10 years) publicly acknowledged that it/they have technological interest and research in how to accomplish an "OFF SWITCH" for the Internet (DARPANET). "

As I remember, this was put forth by the POTUS in response to the "Arab Spring", which had withered into ISIS recruits accordingly. The Occupy Movement, no relation to ISIS, spurred a lot of discussions around civil liberty and disobedience, which the POTUS had mitigated well.

I think we see a lot of ex-Occupy participants in the Bernie camp, which is making a comeback, but ultimately Hillary is the better candidate for her party. It will be kind of interesting how this election plays out. I think Hillary will win if she isn't replaced.

Jim • September 17, 2016 2:08 AM

I have noticed a few people have complained lately that they couldn't access the internet in my local area, and I'm wondering if it was an equipment failure, maintenance work or some other problem. A few different DNS services were largely unavailable from my local area and I had to reconfigure systems and routers so people could connect to the internet normally.

The problem occurred across multiple ISPs, but a lot of the local infrastructure is owned by a single Telco who sells wholesale access to other providers. For a couple of days at least, using a VPN was a simple solution without having to reconfigure my own routers and systems and then later have to reconfigure them again. Probably time to run a few network and performance tests again, as I haven't really needed to in a while.

A.Simmons • September 17, 2016 9:45 AM

> If it goes down, how many deaths and serious injuries can we project, aside from carpal tunnel?
>
> Right: Hardly any to none. So, let's take a deep breath and try to calm down.

Depends how long, how widespread and how comprehensive the outage was.

I'm afraid you have a slight failure of imagination if you think such an attack couldn't cause deaths. Consider: walk through the process that leads to a can of baked beans being on the shelves of your local supermarket. 20 years ago, those logistics and stock control systems would have run over leased lines, ISDN or whatnot. Nowadays... not so much. Run that thought experiment forward a week or two and I think you'd find the bodies starting to pile up more quickly than you might expect.

Ron Royston • September 17, 2016 10:49 AM

Verisign delivers "two of the Internet's thirteen root nameservers" and "also offers a range of security services, including managed DNS, distributed denial-of-service (DDoS) attack mitigation, and cyber-threat reporting." ¹

DDoS attacks on DNS servers potentially takes down the Web traffic, not Internet traffic; Internet communication occurs without DNS via IP addresses, not domain names. The distinction is important.

DNS servers are identified by IP addresses which can be virtualized/shared/forwarded by machines in different continents at nearly the speed of light. DDoS ingress behavior can be detected by ISPs.

My name is Ron Royston. I am Cisco CCIE# 6824 with over 17 years of network engineering experience. I have never heard of the author of this alarmist post. Technology fundamentals seem to be misunderstood and/or glossed over.

I would be happy to create a DDoS mitigation system for Verisign or anyone else using commercially available systems or from scratch. My rates are very fair.

¹ Source Wikipedia

John Wayne's Evil Twin • September 17, 2016 11:30 AM

"I have never heard of the author of this alarmist post."

Not surprising, Ron, since he doesn't write too many articles for High Times.

Alex • September 17, 2016 11:57 AM

There are no details in this article, only a guess that Russia or China can be behind this, which is suspicious. Maybe the whole article is a lie? Who would benefit from accusing Russia or China? We all know.

ab praeceptis • September 17, 2016 1:05 PM

Ron Royston

DDoS attacks on DNS servers potentially takes down the Web traffic, not Internet traffic; Internet communication occurs without DNS via IP addresses, not domain names.

Pretty much every piece of that statement is to be doubted or plain wrong.

- Web traffic can perfectly well work, and often does, by IP (without DNS).
- Internet communication can, often does, and usually *should* work through DNS.
- The credo you spread is bad engineering practice and a major factor in keeping us in IPv4 (Note: I'm no fan of IPv6, absolutely not, but I am a big fan of good engineering practice and of freedom, particularly the freedom to change a provider, to restructure an internal network, etc).

The usual argument for that (what you write) is "performance" and (often) goes like this: "the communication itself costs ca. 30 ms single trip, but the name lookup costs 150 ms. I'm not gonna waste valuable time when I know the IP anyway!" - and is BS.

Simple reason: DNS isn't performed for each packet but once, up front. Moreover, virtually every layer involved has a cache of frequently used FQDNs/IPs. And, of course, the application usually performs the lookup only once in the first place.

Ignorant • September 17, 2016 3:58 PM

This I still don't understand: On almost all routers and switches, the operator knows the valid ranges of IP addresses on one side or the other. Yet no one seems to block the bad ones. Packets from Poughkeepsie should never come out of a router from China no matter how traffic is routed.
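The filtering Ignorant asks about (and that Marc's question about forged source addresses earlier in the thread touches on) does exist: BCP 38 ingress filtering and unicast reverse-path forwarding (uRPF), which check a packet's source address against the routes the router already holds. The Python below is an added example, not from the post or its author, modelling a router's table with constructed prefixes and interface names; "strict" mode requires the source to be reachable via the interface the packet arrived on, "loose" only that some route to it exists.

```python
"""Toy model of BCP 38 / unicast RPF source-address checks (added example).

A router already knows which prefixes sit behind each interface.  Strict
uRPF drops a packet unless the best route back to its source points out
the interface it arrived on; loose uRPF only requires that some route to
the source exists (it still catches unrouted and bogon sources).
"""
import ipaddress

# Addresses that should never appear as a source on the public Internet.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Router:
    """Routing table of (prefix, egress interface) entries with longest-prefix lookup."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Return the interface of the most specific route covering addr, or None."""
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check_source(self, src, ingress_iface, mode="strict"):
        """Decide whether a packet with source src may enter on ingress_iface.

        Returns (accepted, reason).  mode is "strict" or "loose".
        """
        addr = ipaddress.ip_address(src)
        if any(addr in b for b in BOGON_SOURCES):
            return False, "bogon source"
        via = self.lookup(addr)
        if via is None:
            return False, "no route to source"
        if mode == "strict" and via != ingress_iface:
            return False, f"source is routed via {via}, not {ingress_iface}"
        return True, "ok"


def filter_packets(router, packets, mode="strict"):
    """Apply check_source to (src, ingress_iface) pairs; return the decisions."""
    return [(src, iface) + router.check_source(src, iface, mode) for src, iface in packets]


# Constructed topology: two customer links with assigned prefixes, one upstream.
# Strict mode is only meaningful on the customer links; the default route means
# anything arriving from "upstream" passes the reverse-path test.
ROUTER = Router([
    ("198.51.100.0/24", "cust-a"),
    ("203.0.113.0/25", "cust-b"),
    ("0.0.0.0/0", "upstream"),
])

# Constructed packets as (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("198.51.100.7", "cust-a"),     # legitimate customer-A traffic
    ("198.51.100.7", "cust-b"),     # customer B spoofing customer A's space
    ("10.1.2.3", "cust-a"),         # private/bogon source
    ("203.0.113.200", "cust-b"),    # outside B's /25: only the default route covers it
    ("192.0.2.44", "upstream"),     # Internet traffic arriving from upstream
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for src, iface, ok, why in filter_packets(ROUTER, SAMPLE_PACKETS, mode):
            print(f"  {src:>15} on {iface:8} -> {'accept' if ok else 'drop':6} ({why})")
```

Loose mode lets the spoofed customer-A address through on the customer-B link, which is exactly the gap Ignorant points at; strict mode on customer-facing interfaces closes it, while the default route shows why strict mode is not applied on the upstream side.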

Ph • September 19, 2016 6:04 PM

@Ron Royston

"DNS servers are identified by IP addresses which can be virtualized/shared/forwarded by machines in different continents at nearly the speed of light."

Please have a read about how and why (security) ROOT DNS works.
https://en.wikipedia.org/wiki/Root_name_server
http://root-servers.org/

Furthermore you can mitigate all you want if your pipelines are filled and the entropy is large enough so no net neutral ISP can filter it.
You need mitigation AND big pipelines to stand a chance.

Last tip, boasting not knowing Bruce only shows your inexperience, but you already admitted that, just over 17 years. Most experts have 30+ years and thus a solid understanding of the basics.
(I do hope you know the EFF?)

Oh, and ab praeceptis is correct with his DNS explanation.
Web traffic is internet traffic (usually specific ports, but not strictly).
DNS lookup is separate from the traffic. It only means an extra step if you give the application a name instead of a number.

bsos • September 19, 2016 10:09 PM

Interesting paranoid article: Paranoids have a fatal tendency to look for the enemy in the wrong place.

Ron Joyston • September 20, 2016 1:51 AM

Ron Royston, likely Verisign probably doesn't need any DDoS mitigation help, but there probably are some Cisco customers waiting for some patches.

xuan • September 20, 2016 8:41 AM

How to end the DDoS attacks?
By stopping botnet activity at its source.
How to achieve that?
ISPs should require the manufacturers of the access routers they install at their customers' premises to implement and configure mechanisms that mitigate DoS activity originating in the LAN and destined for the WAN.
Many residential routers already implement this today, although it is not enabled.

Excuse me for my English.

DK • September 20, 2016 9:32 AM

I have a very good feeling the 'stress testing' is being done by China. Right now China is flexing its muscle as a country and will soon be challenging America for global dominance (they already have). From banking, manufacturing, military and technology - China is challenging us on every front. Also, I have very good reason to believe that China has massive data center infrastructure here in the United States, so even if we cut off mainland China from communicating, the attacks can still happen from within America. In fact, a friend of mine believes Chinese hackers are buying homes here in America, turning them into mini-cluster data centers and running attacks from our own neighborhoods. These guys are really good, organized, well funded and smart. We have a real problem on our hands.

TheRadicalModerate • September 22, 2016 11:49 AM

"Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains."

But caches (either full or partial) of the TLDs will continue to work, correct? So a DDoS attack against TLD infrastructure isn't very good for wreaking havoc for the couple of days necessary to mount whatever the next step is. It's only good if you can sustain the attack for weeks or months, which seems unlikely.

Jonathan • September 22, 2016 5:39 PM

Someone hit Brian Krebs' site with a monster DDoS attack over the last day. Prior to that, an even larger attack (>1.1 Tbps) hit ovh.net.

This might be a nation state. But considering the nature of DDoS'ers (basically, vandals looking for easy attention), it could also be someone who created a massive botnet (IoT devices?) and is testing it.

Ryan Carboni • September 22, 2016 5:43 PM

@ Peter Galbavy :

For some reason IPv6 protocols don't replace checksums with Reed-Solomon encoding. It doubles packet overhead, and those 4 byte CRCs are a waste when modern hardware could be more efficient than a CRC. CRCs are still vulnerable to false positives as well.

There was no effort to ensure IPv6 compliant routers use larger MTU sizes as well.

IPv6 was doomed to fail.

Jim N • September 22, 2016 7:10 PM

All these "someone and something" talks are making me extremely nervous about our democracy and freedom. They must hate our freedom. :(

Donald Taylor • September 23, 2016 9:51 AM

And what of Iran?

Lay people tend to think in egocentric terms rather than of beneficence.

Why would being able to pull the plug be useful? In case of a coordinated attack, perhaps. If I were going to launch ordnance, or a small focused operation, i.e. 9/11, I'd want to be able to shut down a country (or the world) for a period of time. Limit C&C, black out all news for a period, jam ham radio. These would all be very useful to a state actor or covert org.

Ransom or protection schemes could be a financial motive for a criminal org as well.

Steve Newcomb • September 23, 2016 10:45 AM

Let a new kind of block-chain-based internet be built, for use by those who are willing to take responsibility for their own physical and cyber security, and who are also willing to eschew all anonymity and deniability with respect to their activities. It could be something like the fraternity of diamond merchants in Antwerp, in which each member's word is his/her bond. (For example, Trump-esque reneging on commitments would not be tolerated.)

The U.S. military already has something like this, including an oath (that, for example, Ed Snowden violated), but we can't all be military/government. Let us all fervently hope that it's never going to be necessary to extinguish the public/private distinction in cyberspace. We need more cyberspaces. One is clearly not enough -- not for the military, and not for critical private infrastructure, either. This is a strategic issue.

Let the existing internet stand, so that its (frankly essential) black market and slum can still exist. It can remain an information highway choked with billboards, full of hiding places, but alongside an internet of personal responsibility, the existing internet would become strategically subcritical.

r • September 23, 2016 1:42 PM

@Mr. Newcomber,

Do you work for NASA? Are they intending to send your ass into deep space? You sound like you're not of this world.

Snowden violated his military oath, let me baulk at you. #1, the FIRST OATH is to the constitution; it is the second part that alludes to the SCROTUS. #2, the oath of officers is what eschews from purity of the enlisted oath. Was Mr. IT Ends-now subjected to some sort of CIA oath? Was he a civilian contractor? Does he have civil liabilities to the companies that he worked for? Does that supersede his obligation to his countrymen?

And what about his obligation to himself and god?

Can you spell conscionable?

Which oath did he take first? when does that first dedication dissolve? Does it dissolve?

army.mil/values/oath.html

Call me a radical, label me a prole. I don't buy into your bs. It could've been done better yeah sure, just don't be bitter about it - if you didn't want to get shot at you wouldn't have signed up.

Nikko • September 24, 2016 3:00 AM

China doing some tests to break the Internet? LOL

Easy to use a bunch of dedicated servers rented in China to do these attacks!
Do you really think that anyone who is doing this kind of visible, highly illegal attack would not hide the source of his attacks?

If it comes from China, you can bet it is not the Chinese, but someone who impersonates a Chinese.

You should know. A hacker will never perpetrate from his real IP.

Louise • September 24, 2016 8:23 PM

Glad someone summarizes what I observed for a couple of years!

One newsworthy DDoS of 2014:

DDoS Attack Hits 400 Gbit/s, Breaks Record
http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787

took place just days in advance of Fadi Chehadé's visit to Beijing:

ICANN CEO to Meet with Chinese Internet Industry Leaders in Beijing
13-Feb-2014
http://www.agip-news.com/news.aspx?id=33010&lang=en

Fadi Chehade, President and CEO of ICANN Visited CNNIC With His Senior Team
http://english.cnic.cas.cn/ns/es/201302/t20130222_99138.html

Later in 2014, he attended the 2014 World Internet Conference in Wuzhen, east China's Zhejiang province:

ICANN President: More than 75 percent of the top-level domains have implemented DNSSEC
http://en.gmw.cn/node_61960.htm

and last year he was adamant:

China key to global Internet governance: CEO of ICANN
http://www.chinadaily.com.cn/world/2015wic/2015-12/14/content_22710065.htm

It is too much of a coincidence to believe the record-breaking DDoS attack days in advance of Fadi Chehadé's visit to Beijing ISN'T a show of military might that would normally manifest as a military parade for visiting dignitaries.

Chehadé apparently received the welcome of a high-level dignitary, with that infamous display of DDoS might. The announcement, therefore, that Chehadé would, upon retirement from ICANN - co-chair the High-Level Advisory Committee (HAC) of the Wuzhen Initiative didn't surprise me, though it shocked many:

The Firewall Awakens: ICANN's exiting CEO takes internet governance to the dark side
http://www.theregister.co.uk/2015/12/18/ex_icann_ceo_will_work_with_china/

Clinton den Heyer • September 25, 2016 3:55 AM

If it's a DDoS attack on the 13 DNS root servers of IPv4 then it's not the first time it's happened. In terms of testing limitations of current resilience, there have been a couple of notable times in the not so distant past where botnets have been assembled and active that have been capable of shutting down the Internet as we know it easily. Conficker springs to mind. Moving into IPv6, whatever the reason for the above article, the fact that we still only have an evolved (and evolving) architecture and no central governance for the Internet should be warning enough of its instability.

J. Oquendo • September 26, 2016 4:23 PM

Disappointed in this article. The quickest way to take something offline is to hijack their BGP sessions, something which ALL nation states know how to do well. Crafting large denial of service attacks disrupts commerce for everyone. I doubt nation states are going to shoot themselves in the foot when it is so much simpler to just use hijacked networks to advertise false routes. I disagree with this article.

Questioner • September 26, 2016 8:06 PM

What would the effects be on the US election if the internet was crippled or disabled during the election itself?

david the great • September 27, 2016 12:35 PM

From Paul:

"Bob: It’s not as simple as “just unplug the bad guys.” A DDoS attacker takes advantage of the infrastructure of others by staging the attack from compromised machines. Even if human actors are in China or Russia or Fooland, the attacking machines & networks can be located anywhere in the world, even — especially — inside the country of the target.

The call is coming from inside the house, as it were."

By "Fooland" I believe you should mean the US and its own people, obviously who this article is laced with rhetoric for and designed to stimulate. Human actors will always allow you to see that they have emerged from exactly where you are convinced to think (WANT them politically) to emerge from. The problem you have is that you are not bound geographically or even by IP (everyone knows it's easy to pick on China's NAT effe'd up infrastructure), only politically, and the US has already proven itself impotent in those terms in every aspect.

Robert LaValley • September 29, 2016 9:32 AM

Mr. Schneier, have you been following the "largest DDoS attack in history" being conducted against OVH? At first, I wondered who OVH was and why they would be targeted. Then, I saw that they host WikiLeaks. Assange was supposed to release a statement a couple days ago and he did not. The only news regarding Assange has been that Sweden is ramping up pressure on Ecuador to turn Assange over to the British. Russia, or China, you say? How about CIA, or NSA?

SS NN • October 14, 2016 9:25 PM

"We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses."

DON'T fall for the state propaganda....there is only ONE organization that has an interest in doing this...let me help you here...C.I.A. The deep state is getting VERY nervous right now. This agency is also amoral and utterly disloyal.

Sean Reynolds • October 21, 2016 12:26 PM

If DNS is vulnerable then Browser makers or Router Makers should take it upon themselves to create a backup of Host to IP addresses. At the very least if we just do it for the individual handfuls of sites we each visit, then it would be less disruptive. With this simplistic first step approach we still wouldn't be able to visit a site we've never been to but it would make the impact of a DNS DDoS attack rather minimal.

Asking Questions • October 21, 2016 2:03 PM

Questions:

1. Is today's DDoS attack on DYN related to what this blog post is reporting, or is it entirely separate?

2. If it is related, and if a nation-state is involved, why on earth would China want to do this? Russia would make more sense, particularly with Zhirinovsky's comments in the news today. But still, it's hard to conceive of a nation-state trying to draw this much attention to itself - and, potentially, retribution - right now.

3. If it is related, and if a nation-state is not involved, then who is behind this, and why?

Bart • October 21, 2016 2:38 PM

If this was supposed to be "the big strike", then I'm not impressed.

This falls under "CloudFlare or similar" (see my post above). As I said, "we're fine". And we are. I'm here, writing this comment on your blog. And using cached DNS lets me access everything.
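Sean Reynolds' suggestion above (a local backup of host-to-IP mappings for the sites you actually visit) and Bart's remark that cached DNS kept him online during the Dyn outage describe the same mechanism: a resolver that keeps answering from its cache after the record's TTL has expired when the upstream cannot be reached. The following is an added illustration, not code from this blog or from any browser or router vendor; the upstream lookup, the clock and the `example.com` answer with a 300-second TTL are constructed so the run works offline, and `max_stale` (how long past TTL a record may still be served) is an assumed policy knob.

```python
import json
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Raised by the upstream lookup when the recursive resolver cannot be reached."""


@dataclass
class CacheEntry:
    addresses: list
    expires_at: float  # absolute time at which the record's TTL runs out


class StaleCacheResolver:
    """Answer from a local host-to-IP cache, and keep serving expired entries
    (up to max_stale seconds past TTL) while the upstream resolver is down."""

    def __init__(self, upstream, now=time.time, max_stale=3600):
        self.upstream = upstream    # callable: name -> (addresses, ttl_seconds)
        self.now = now              # clock, injectable for testing
        self.max_stale = max_stale  # assumed policy: how long past TTL to serve stale data
        self.cache = {}

    def resolve(self, name):
        """Return (addresses, source) where source is 'fresh' or 'stale'."""
        key = name.rstrip(".").lower()
        t = self.now()
        entry = self.cache.get(key)
        if entry is not None and t < entry.expires_at:
            return list(entry.addresses), "fresh"        # normal cache hit
        try:
            addresses, ttl = self.upstream(key)
        except UpstreamUnavailable:
            # Upstream is unreachable: fall back to the expired record if we
            # still have one and it is not older than the stale window.
            if entry is not None and t - entry.expires_at <= self.max_stale:
                return list(entry.addresses), "stale"
            raise
        self.cache[key] = CacheEntry(list(addresses), t + ttl)
        return list(addresses), "fresh"

    def dump(self):
        """Serialise the cache so it survives a restart (what a router or browser would persist)."""
        return json.dumps({k: [v.addresses, v.expires_at] for k, v in self.cache.items()})

    def load(self, blob):
        for k, (addresses, expires_at) in json.loads(blob).items():
            self.cache[k] = CacheEntry(addresses, expires_at)


def demo():
    """Scripted run with a fake clock and an upstream that goes down; returns what was observed."""
    clock = {"t": 0.0}
    state = {"online": True}

    def upstream(name):  # constructed stand-in for a real recursive resolver
        if not state["online"]:
            raise UpstreamUnavailable(name)
        if name == "example.com":
            return ["203.0.113.10"], 300  # constructed answer, TTL 300 s
        raise KeyError(name)

    r = StaleCacheResolver(upstream, now=lambda: clock["t"], max_stale=3600)
    observed = []
    observed.append(r.resolve("example.com"))   # fetched from upstream
    clock["t"] = 100
    observed.append(r.resolve("example.com"))   # served from cache, still within TTL
    state["online"] = False
    clock["t"] = 1000                            # TTL expired and upstream down
    observed.append(r.resolve("example.com"))   # stale answer keeps the site reachable
    r2 = StaleCacheResolver(upstream, now=lambda: clock["t"], max_stale=3600)
    r2.load(r.dump())                            # persisted cache survives a restart
    observed.append(r2.resolve("example.com"))
    clock["t"] = 5000                            # beyond the stale window
    for name in ("example.com", "never-seen.example"):
        try:
            r2.resolve(name)
            observed.append("answered")
        except UpstreamUnavailable:
            observed.append("failed")           # no usable record: the limit Sean notes
    return observed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last two lookups show the boundary Sean Reynolds points out: a name that was never visited, or one whose record has aged past the stale window, still fails when the upstream is down. Serving expired records this way trades freshness for availability, so the stale window should be bounded and the fallback logged, otherwise a changed address (for example after a provider migration) would be served for as long as the outage lasts.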

MadZombie • October 21, 2016 4:30 PM

Now that America has turned control of the internet to the UN. Can you imagine if the UN decided to place sanctions on America's internet?

Clive Robinson • October 21, 2016 5:22 PM

@ MadZombie,

Now that America has turned control of the internet to the UN

Err no they have not handed over the control of the internet. What they have done is similar to what the ITU does for "spectrum usage" and "standardization".

Individual nations have sovereignty over the Internet within their domain/jurisdiction, not the UN. Further the international links will for now remain on a peering basis, so the UN could not order Spain to cut off its link to Cuba, any more than the US could a couple of years ago.

Even if the UN could via Security Council sanction say a country was to be ostracized, it would not work any better than oil embargoes or other economic sanctions of the past such as with South Africa during apartheid.

But in the case of the US it would currently not be possible due to the "all roads lead to Rome" issue. Currently most of the Internet peering is done through the US, so to cut the US off would break a large number of the major trunk networks, thus break it for hundreds of other countries. It's this "all roads" issue that puts the US and other Five-Eye nations in a commanding position when it comes to Internet surveillance. If you have a quick Google you will be able to find a map of all the commercial sub-sea cables that form the Internet backbone. You will note the commanding position that America, Australia and England have. Likewise the satellite links. They form "choke points" through which nearly all nation to nation traffic must pass, which is one major reason the Five-Eyes can monitor Tor traffic, whereas other nations can not.

gordo • October 21, 2016 5:56 PM

US INTERNET REPEATEDLY DISRUPTED BY CYBERATTACKS ON KEY FIRM
By Raphael Satter and Frank Bajak
AP Writers | Oct 21, 2016 6:35 PM EDT | (London AP) --

BROAD EFFECTS

Jason Read, founder of the internet performance monitoring firm CloudHarmony, owned by Gartner Inc., ... said Dyn provides services to some 6 per cent of America’s Fortune 500 companies. ... .

HACKERS CLAIM RESPONSIBILITY

Members of a shadowy hacker collective that calls itself New World Hackers claimed responsibility for the attack via Twitter. They said they organized networks of connected "zombie" computers that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers. ... .

THE VULNERABLE INTERNET

The U.S. Department of Homeland Security is monitoring the situation, White House spokesman Josh Earnest told reporters Friday. ... .

Bruce Schneier said last month that ... "Someone is extensively testing the core defensive capabilities of the companies that provide critical internet services."

http://hosted.ap.org/dynamic/stories/D/DISRUPTIVE_CYBERATTACK?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2016-10-21-17-26-28

Weiheng Huang • October 21, 2016 8:36 PM

I hope these attacks came from China, as you know we Chinese people can not visit many websites like you foreigners do, and it is really pleasing to learn that one day you foreigners will taste the same inconvenience.
-Weiheng "tough guy" Huang, Heyuan, Guangdong Province, P.R.China

ab praeceptis • October 21, 2016 9:15 PM

"dyn DDOS"

I'm amazed by the sheer idiocy that seems to have infested much "security research".
Some are - earnestly! - hoping for manufacturer associations establishing standards and to then educate the "I don't care f*ck. It makes bling and it's cheap!" customers to look for those "seals of good security".

Oh yes, right. That already worked so well with them plastic router/modem boxen, which, if I may for a second disturb the cozy "security research" dream bubble of some, are the first protection wall that should keep bad guys away from our fridges and toasters.

Now, let's climb up to a higher league, where "security researchers" don't quote tabloids but actually have an idea of what they are talking about. What will they find? That we still do not have reliable secure operating systems and software stacks for the very f*cking core of the internet and server farms and ...

Now, might there be a reason for that? Something like maybe that safe and secure systems need much more than industry associations and "security seals"? Something like a hell of an effort and lots of brain and expertise, maybe?
Well, what do Mr. K. and other "security researchers" think? How probable and realistic is the assumption that we lack the resources and experienced developers to secure the very core but that we will properly take care of securing toasters and fridges of Mr. and Mrs. Doe?

But then, maybe Mr. K. is smarter than it first seems. Maybe that's the reason he suggests the industry assoc. plus "standards" plus funny seals.

Oh, and btw: Do you know a country whose secret service does *not* spy on its citizens and does *not* welcome any and all opportunities to cardiac arrest a potential foes networks and systems?

Maybe that's the most realistic answer to the question why the Chinese corps produce that crap as well as why us-american corps resell that crap and why, besides some comforting noise, the governments just don't manage to create properly working solutions ...

Joe Brown • October 21, 2016 10:41 PM

IPv6 assigned to each and every person on the network is the only way to fix this. These attacks are US government induced. Look for the push to v6; it's not a terrible thing at the end of the day. People lose privacy with this but the network gains control, which is needed. Trust me, it's the USA doing this.

Jonhiett • October 22, 2016 1:48 AM

Sounds like the job of a rogue nation such as North Korea. Maybe its caged population are starting to get restless and are accessing more than they should! Naughty Naughty! I think Kim Jong Un would love this to become reality! Just a hunch....

Ratio • October 22, 2016 2:50 AM

Currently most of the Internet peering is done through the US, so to cut the US off would break a large number of the major trunk networks, thus break it for hundreds of other countries.

Hundreds of other countries?

(Also, s/most of/a lot of/.)

Clive Robinson • October 22, 2016 5:45 AM

@ Ratio,

Hundreds of other countries?

Yup, it depends on how you decide what is a country or not, but the last time I looked it was around the mid point between 250 and 300 countries with a number of break aways pushing it up.

And most of the "non local" traffic goes via one of the "eyes" and often via the US as well.

This is due to the way the Internetwork of internetworks formed, much like the web of a spider with the US sitting in the middle.

This physical model is changing, albeit slowly, and is expected to take a lifetime or two to become sufficiently devolved, depending on investment and technology.

The question thus arises as to what the Corporates and Politicos will do in that period to stop the obvious dilution of their current defacto power over the backbone and infrastructure and content systems like the DNS and social networking etc.

Currently the only way to get away from the "eyes" is by drawing the curtains on your traffic to protect the content via difficult to implement correctly strong encryption techniques. However through the routing and the attendant traffic analysis, the "eyes" will see where your traffic goes and draw assumptions from that which could prove terminally detrimental to you, your family and their endeavors.

Denying the Political and Corporate "eyes" their current power in the future will be difficult and will be fought on all levels and they have many advantages including control of "guard labour" and the allegiance of "authoritarian followers" who are raised from birth to have a fervent belief in their particular form of "exceptionalism" purchased at the expense of nearly everyone else.

It is a tangled web spun from well over three hundred years of trying to evade such power. As there are now few places you can move to where such power is not prevalent, perhaps it is time to either acquiesce or stand and fight, but neither is what the majority want, let alone care to think of.

D Wilson • October 22, 2016 10:24 AM

I'm interested to learn more about the potential for DNS poisoning. Also, theories that Dyn attack may have been a white hat demonstration. Any links you can provide would be appreciated.

Walter • October 22, 2016 1:04 PM

Actually there is something you can do about it at the hardware level.
A patent of mine from years ago covers it. The patent pertains to cellular but if you read it carefully you will see the reference to ethernet and other protocols.

It's quite stoppable. Look at the Ethernet and other collision avoidance back off algorithms. It's quite obvious that in Robert Metcalfe's patents and algs that he implemented the features to permit doing this just never implemented or published the algorithm.

My patent is currently in Google portfolio (from when they ate Motorola). They just need to implement it.

The deal with the backoff alg. is that it will cause backoff commands to quickly be pushed back to the source local LANs effectively denying them decent access to the internet.

The problem is that few have ever implemented dynamic traffic based changes to the backoff time value so it tends to be a constant. There is no evidence that Bob Metcalfe viewed it as a constant when he designed it.

See: US Patent 6,754,501

Rikkitikkitavi • October 22, 2016 4:51 PM

Or could it be our own people doing it to blame ohh...the Russians (who our leaders so desperately want war with)? After all our local AF reserve KC-135 unit was practicing refuelling the very naval group that's off Syria now, back in June off the East coast. Oh and said squadron deployed to Qatar two weeks ago.

I don't believe in coincidence.

Rikki

bobst • October 22, 2016 8:15 PM

oh wow... so I suppose that giving away control on the internet probably wasn't a good idea after all...

Jim W. • October 23, 2016 3:20 AM

Russia and China, sure. Let's see. Put "Your tax dollars at work" and "Ultra-sophisticated clandestine internet dirty tricks" together and what do you come up with? Why, it's Michael Aquino's favorite employer, the NSA!

This would be the agency hatched in 1947 to control "intel" related to the Roswell crash (and related MILDEC, "Military Deception") that has never done a single honorable or honest thing in its entire existence but instead has gobbled up untold trillions of public funds while managing a completely unconstitutional and unsupervised global network of bribery, extortion, lying and spying. Oh, and underground bases and it goes on and gets darker. Plenty of good material has been published on these topics for decades, just that it's not all boob-tube mainstream.

Our US society does not have a "2 party system" nor a democracy. That went away in steps: 1913, the post-WWII "national security" hairballs, the JFK assassination, the still unprosecuted 9/11 crime, etc. We have a rogue and criminally led One Party system controlled by Usual Suspects. These tie into the top financial and corporate interests - and "intelligence agencies" - in our world. This illuminati mafia hairball hates Truth and, thus, internet openness with a passion. Currently, this element is desperate to think that anyone other than Hitlery will be elected next US President, because "any other guy" might concede to certain powerful USG "White Hat" element demands for long-overdue "mass arrests" of key criminals in high positions in our private and public sector and some return to a semblance of lawful constitutional behavior in our nation; including ending the false flag war parade and the mind-boggling ongoing unprosecuted looting of the Treasury (esp. via Pentagon budgets).

Here's a related article which links to this one - http://yournewswire.com/usa-internet-kill-switch-cyberwar-russia/. An excerpt from it:

"Mainstream media may be under government control, but damaging leaks, disseminated via the Internet, continue to hamper Hillary Clinton’s election campaign. As insider rumors continue to spread that devastating leaks, serious enough to ruin the ruling party’s chances of re-election are still to be released, the idea of an “emergency” justifying an Obama administration employing their top-secret Internet killswitch and declaring martial law are not far fetched. The groundwork – including excuses and convenient scapegoats – has been prepared."

David • October 23, 2016 10:45 AM

Good article. This kind of sentence is extraneous and should be deleted: "First, a little background." You don't need that kind of transition to prep readers. Just give the context.

Dean Gallea • October 23, 2016 11:44 AM

As far as removing the cause rather than the symptom - apology to Frank-N-Furter - it seems to me that more effort needs to be made to shut down the IoT devices that have been - or can be - botted. The IP addresses of those involved in the attack can certainly be used to locate the source router (through ISP cooperation), and then selectively investigate the homes or businesses to ID those vulnerable devices, creating a blacklist. It should then be possible for individuals to run a publicly-made-available script inside their network to list those devices they may own, with a bounty of sorts to encourage removal. I, for one, would embrace the opportunity of getting rid of any botted devices among the 41 or so I have in my home, to create a more-secure national infrastructure.
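Dean Gallea's "publicly-made-available script" that a household could run to list devices on a blacklist is simple to sketch once you decide what the blacklist is keyed on. The example below, added here and not code from this blog or from any vendor or ISP, keys it on the MAC OUI (the first three octets, which identify the manufacturer) and reads the host's neighbour table, since the devices in a home are behind NAT and their LAN addresses mean nothing to an outside observer. The `ip neigh show` sample, the addresses and MACs, and the single flagged OUI with its reason are all constructed placeholders; a real list would come from the ISP and researcher cooperation Dean describes.

```python
import re
import subprocess
from collections import namedtuple

# Constructed sample of `ip neigh show` output from a home LAN (placeholder
# addresses and MACs, not real devices).
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev eth0 lladdr aa:bb:cc:01:02:03 STALE
192.168.1.57 dev eth0 lladdr AA:BB:CC:99:88:77 REACHABLE
192.168.1.80 dev eth0 lladdr 10:20:30:40:50:60 DELAY
192.168.1.99 dev eth0  FAILED
"""

# Constructed placeholder blacklist keyed by MAC OUI (first three octets).
FLAGGED_OUIS = {
    "aa:bb:cc": "placeholder camera/DVR vendor reported to ship with default credentials",
}

Neighbor = namedtuple("Neighbor", "ip mac state")
# ip, "dev <iface>", optional "lladdr <mac>", then the NUD state (REACHABLE, STALE, FAILED, ...)
_LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+(?:\s+lladdr\s+(\S+))?\s+(\S+)$")


def parse_neigh(text):
    """Parse `ip neigh show` lines into Neighbor records; mac is None when unresolved."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip lines in a format this parser does not understand
        ip, mac, state = m.groups()
        out.append(Neighbor(ip, mac.lower() if mac else None, state))
    return out


def oui(mac):
    """First three octets of a MAC address, lower-case and colon-separated."""
    return ":".join(mac.lower().split(":")[:3])


def audit(neighbors, flagged):
    """Return (ip, mac, reason) for every neighbour whose OUI is on the flagged list."""
    findings = []
    for n in neighbors:
        if n.mac is None:
            continue  # entry never resolved to a hardware address
        reason = flagged.get(oui(n.mac))
        if reason:
            findings.append((n.ip, n.mac, reason))
    return findings


def live_neighbors():
    """Read the real neighbour table on a Linux host (needs the iproute2 `ip` tool)."""
    txt = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return parse_neigh(txt)


if __name__ == "__main__":
    # Run against the constructed sample; swap in live_neighbors() on a real host.
    for ip, mac, reason in audit(parse_neigh(SAMPLE_NEIGH), FLAGGED_OUIS):
        print(f"{ip} ({mac}): {reason}")
```

Two limits worth knowing before relying on this: the neighbour table only lists hosts the machine has recently exchanged packets with, so a device that has been quiet will not appear, and an OUI identifies a manufacturer, not a model or firmware version, so a hit is a prompt to check the device rather than proof it is compromised.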

gordo • October 23, 2016 10:53 PM

How masters of cybercrime exploit net's achilles heel to extort ransoms
The Observer 23 Oct 2016
Jamie Doward

“While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks, infrastructure ransom as a service, could be on the horizon,” said Thomas Pore, director of IT at Plixer, a malware response company. “An infrastructure outage, such as DNS [denial of service], against a service provider impacting both the provider and customers may prompt a quick payoff to avoid larger financial impact.”

http://www.pressreader.com/uk/the-observer1702/20161023/281522225624494

---

Hackers Sell $7,500 IoT Cannon To Bring Down The Web Again
Thomas Fox-Brewster FORBES STAFF OCT 23, 2016

In what is a first for the security company, RSA discovered in early October hackers advertising access to a huge IoT botnet on an underground criminal forum ... . “This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” said Daniel Cohen, head of RSA’s FraudAction business unit.

The seller claimed they could generate 1 terabit of traffic. ... . For $4,600, anyone could buy 50,000 bots ... , whilst 100,000 cost $7,500. ... .

Cohen said he didn’t know if the botnet for hire was related to Mirai.

http://www.forbes.com/sites/thomasbrewster/2016/10/23/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon/#44462877c915

Michael Holloway • October 29, 2016 7:35 AM

@Daniel
@Kevin

Re: I'm deeply puzzled by Bruce's insistence that this must be a foreign actor. Someone [said] recently, "security researchers came to the conclusion that attribution was hard, then they promptly forgot it."

Agreed. All through the G8 era state actors were practicing hiding their tracks.

Right now the DNC is eager to create a bogeyman - the assertion that it's the Russians has become accepted truth. But we forget that the Pentagon's Cyber Warfare release (of all their tools) was likely an inside job.

Plus, the scale is changing - botnets are designed to spread themselves; add to that the recent increase in speed of the 3W due to large screen HD.

Best to go with, 'I don't know'.

Michael Holloway • October 29, 2016 7:48 AM

@Daniel
@Kevin

Re: I'm deeply puzzled by Bruce's insistence that this must be a foreign actor. Someone [said] recently, "security researchers came to the conclusion that attribution was hard, then they promptly forgot it."

Agreed. All through the G8 era state actors were practicing hiding their tracks.

Right now the DNC is eager to create a bogeyman - the assertion that it's the Russians has become accepted truth. But we forget that the NSA's Cyber Warfare release of their tools (https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html) was likely an inside job.

Plus, the scale is changing - botnets are designed to spread themselves; add to that the recent increase in speed of the 3W due to large screen HD.

Best to go with, 'I don't know'.

Clive Robinson • October 29, 2016 1:52 PM

@ Michael, Daniel, Kevin,

Re: I'm deeply puzzled by Bruce's insistence that this must be a foreign actor.

As I've said on a number of occasions (SPE hack etc) there is no public evidence to make any kind of attribution.

It's also incredibly easy to show just how easy it would be to hide the exfiltration of data by routing it to some data sink that has an IP address of a Russian / Chinese / Israeli / French / German / UK server. But the routing path goes through a router that you own and you secretly copy it or redirect it to another server.

Thus even if you had access to the data exfiltrating, if you did not have the ability to see right to the destination server all you could say is the data left for that IP address, not that it arrived.

Further even if you "owned" the gateway router immediately upstream of the server you could not say anything other than the data went there. Thus somebody could have hacked into the server and just sent the data to /dev/null, or forwarded it onto another server after re-encrypting the data etc.

But even if you 100% owned every node along the data path, you still could not see if somebody was tapping the data off via a passive data diode etc.

Thus it's really silly to pretend that working at the layers below 7 in the computing stack you can make a hard attribution as to where the data has gone.

However if your "methods and sources" are in layers 8 and above where the human factor resides then you can make an attribution that person X working for entity Y handled the data. It may also be possible to say that individual Z used the data for a particular function.

Whilst I can believe that the NSA can and may do own many of the backbone and ISP border routers, I doubt that they own even a fraction of the servers or other leaf node devices to make even an approximate estimation of where the data actually went.

Now Bruce has said on one occasion in the past he has seen convincing evidence. Depending on what Bruce actually considers convincing, it would probably have to be from a HumInt not SigInt source, unless it could be shown from other independent SigInt that the data had actually been acted upon by entity Z (that is they had actually carried out some action based on the data, not just that the data is sitting on a hard disk somewhere).

Attribution is indeed a hard problem, and when seen from below layer 7 it is impossible to say anything for certain because of the passive data diode or owned intermediate router issues.

I hope that helps.
