
posted by martyb on Tuesday March 22 2016, @04:47AM
from the commence-speculation dept.

Last week, several major eCommerce sites in Switzerland were targeted by DDoS attacks (German). As far as I have been able to discover, no one knows who was behind the attacks[*]. One might have thought the attackers would identify themselves and demand ransom to stop the attacks, but apparently not. Anyhow, I should hope that no company would be stupid enough to pay, since that would just put them on the list of "suckers" to be targeted again.

This past weekend, it was Swedish government sites, among others.

Today, I have come across two sites that I cannot reach: dilbert.com and an EU governmental site about a minor software project. Dilbert is definitely the target of a DDoS attack; I cannot confirm this for the .eu site, but it seems likely.

Here are a few random thoughts from a non-expert:

- Why would anyone bother with attacks, without claiming credit or demanding ransom? The same reason kids throw rocks through windows? Showing off capability for potential paying customers? Something else?

- If the second (demonstrating capability), isn't this stupid? They've provided ample motivation to disable these attacks, or at least seriously filter them, thus reducing their impact in the future attacks.

- The current DDoS attacks are apparently NTP-reflection attacks (send spoofed queries to vulnerable NTP servers, which then reply to the victim), and similar DNS-based attacks. Is it possible to eliminate these attack vectors, just as Poodle and Heartbleed have been largely eliminated? I.e., issue patches, offer free tests, even blacklist noncompliant servers? Or are the affected protocols so broken that this is not possible?

The whole situation is strange - it seems like there are a lot of missing pieces to the puzzle. I'd be interested in hearing opinions from other Soylentils - what do you think?

[* My German is rusty, but the first-linked story references the "Armada Collective". -Ed.]
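The NTP and DNS reflection pattern described in the story can be recognised on the victim's side from ordinary flow records, without any change to the protocols themselves. What follows is an added example, not code from the story or its author: a small Python detector run over constructed NetFlow-style records. It flags a destination that is receiving amplification-sized UDP responses (source port 123 or 53) from many distinct reflectors at once, and it does so for both services the story names. The record format, the thresholds and the sample data are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as reflectors.
# The story names NTP and DNS; the map can be extended for other services.
REFLECTOR_PORTS = {123: "ntp", 53: "dns"}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow/IPFIX-style), constructed for this example."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    bytes: int

    @property
    def avg_size(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


def detect_reflection(flows, min_reflectors=10, min_avg_bytes=400, min_total_bytes=1_000_000):
    """Flag destinations that receive amplified UDP responses from many sources.

    Seen from the victim, a reflection flood looks like ordinary replies from a
    reflector service port, except that there are many distinct "servers", the
    packets are large (amplified) and the volume is high.  Returns
    {victim_ip: {service: {"reflectors": n, "bytes": b, "packets": p}}}.
    """
    buckets = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            buckets[(f.dst_ip, f.src_port)].append(f)

    alerts = {}
    for (victim, port), group in buckets.items():
        # Only amplification-sized flows count: a 48-byte NTP reply from the
        # host's own upstream time server is normal traffic, not reflection.
        big = [f for f in group if f.avg_size >= min_avg_bytes]
        reflectors = {f.src_ip for f in big}
        total_bytes = sum(f.bytes for f in big)
        if len(reflectors) >= min_reflectors and total_bytes >= min_total_bytes:
            alerts.setdefault(victim, {})[REFLECTOR_PORTS[port]] = {
                "reflectors": len(reflectors),
                "bytes": total_bytes,
                "packets": sum(f.packets for f in big),
            }
    return alerts


def build_sample_flows():
    """Constructed records: two victims under reflection plus benign background traffic."""
    flows = []
    # 50 abused NTP servers, each sending 1000 large (468-byte) replies to 203.0.113.10.
    for i in range(50):
        flows.append(Flow(f"198.51.100.{i + 1}", 123, "203.0.113.10", 40000 + i, "udp", 1000, 468_000))
    # 12 open DNS resolvers, each sending 500 large (1200-byte) answers to 203.0.113.20.
    for i in range(12):
        flows.append(Flow(f"192.0.2.{i + 1}", 53, "203.0.113.20", 50000 + i, "udp", 500, 600_000))
    # Benign: the victim's real upstream NTP server (48-byte replies) and a few
    # normal DNS answers (100 bytes), none of which are amplification-sized.
    flows.append(Flow("198.51.100.250", 123, "203.0.113.10", 44321, "udp", 10, 480))
    flows.append(Flow("192.0.2.200", 53, "203.0.113.20", 51234, "udp", 20, 2000))
    flows.append(Flow("192.0.2.201", 53, "203.0.113.10", 51235, "udp", 20, 2000))
    # Benign TCP traffic, ignored by the detector entirely.
    flows.append(Flow("203.0.113.99", 443, "203.0.113.10", 51236, "tcp", 5000, 6_000_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for victim, services in detect_reflection(SAMPLE_FLOWS).items():
        for svc, stats in services.items():
            print(f"{victim}: {svc} reflection from {stats['reflectors']} sources, {stats['bytes']} bytes")
```

The per-flow size filter is what keeps the victim's legitimate time and name servers out of the reflector count; the thresholds would be tuned to the monitored link's normal volume in practice.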



  • (Score: 2, Interesting) by dyingtolive on Tuesday March 22 2016, @04:51AM

    by dyingtolive (952) on Tuesday March 22 2016, @04:51AM (#321414)

    That one might be politically motivated and unrelated, given how much of an obviously-in-the-closet Trump supporter Scott Adams is.

    I can't claim for sure, but mere mention of Trump seems to draw the vicious out of their holes.

    --
    Don't blame me, I voted for moose wang!
    • (Score: 3, Funny) by aristarchus on Tuesday March 22 2016, @05:32AM

      by aristarchus (2645) on Tuesday March 22 2016, @05:32AM (#321431) Journal

      mere mention of Trump seems to draw the vicious out of their holes.

      But why would Scott Adams DOS himself?

      • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @05:39AM

        by Anonymous Coward on Tuesday March 22 2016, @05:39AM (#321436)

        Where's the proof his site was ever DOSed? It loads just fine.

        • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @06:01AM

          by Anonymous Coward on Tuesday March 22 2016, @06:01AM (#321441)

          I think this is the relevant part of the FA:

          Here are a few random thoughts from a non-expert:

          I, for one, welcome our new random non-experts!!! May the websites they go to never be DOSed!

      • (Score: 2) by dyingtolive on Tuesday March 22 2016, @06:26AM

        by dyingtolive (952) on Tuesday March 22 2016, @06:26AM (#321445)

        I get what you're saying, and I totally agree with your joke. I have no love for Trump and the more I read from Adams, the more I feel I wouldn't like him if I knew him. That being said, violence at his events and protests is probably only fueling him, if anything at all, regardless of its source. Honestly, I'd say it's as plausible as anything that nutcases on either side of the fence are actually responsible for said violence at this point. People are being exceptionally irrational at this point in time, and it wouldn't surprise me, if his site were indeed a target for something like that, that it would be a target for that reason.

        At this point, I have equal parts assumption that the person who modded me flamebait is an angry Trump supporter as much as I assume that it's an angry person on "the other side" who's automatically suspecting I'm some kind of modern-era Nazi.

        --
        Don't blame me, I voted for moose wang!
      • (Score: 3, Funny) by TheGratefulNet on Tuesday March 22 2016, @06:27AM

        by TheGratefulNet (659) on Tuesday March 22 2016, @06:27AM (#321446)

        But why would Scott Adams DOS himself?

        uhm, maybe he couldn't find a CP/M disk?

        --
        "It is now safe to switch off your computer."
        • (Score: 2) by aristarchus on Tuesday March 22 2016, @08:04AM

          by aristarchus (2645) on Tuesday March 22 2016, @08:04AM (#321458) Journal

          But why would Scott Adams DOS himself?

          uhm, maybe he couldn't find a CP/M disk?

          Very funny! No, really, actually very funny! But in defense of my question, if it was just Adams attacking himself, it could hardly be a Distributed Denial of Service attack, could it? Or only if he was very determined.

    • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @02:05PM

      by Anonymous Coward on Tuesday March 22 2016, @02:05PM (#321604)

      There were a bunch of upvoted comments linking dilbert comics on slashdot yesterday. Isn't it possible the site was DDOS'd, but it wasn't maliciously done?

    • (Score: 2) by Capt. Obvious on Tuesday March 22 2016, @02:55PM

      by Capt. Obvious (6089) on Tuesday March 22 2016, @02:55PM (#321647)

      He's not in the closet about it at all. He's said a bunch of times that he thinks Trump would be the best president, and that saying anything to make that happen is something he would do.

      Which is too bad. Because his blog used to have non-Trump news on it.

      • (Score: 2) by dyingtolive on Tuesday March 22 2016, @03:24PM

        by dyingtolive (952) on Tuesday March 22 2016, @03:24PM (#321673)

        I recall he claimed he doesn't endorse or support Trump in other blog posts, or at least did early on. Maybe he's given up on it now. I usually didn't agree with his older stuff, but I appreciated that it was a starkly different point of view. It's just tiring to read it now.

        --
        Don't blame me, I voted for moose wang!
        • (Score: 2) by Capt. Obvious on Tuesday March 22 2016, @05:08PM

          by Capt. Obvious (6089) on Tuesday March 22 2016, @05:08PM (#321725)

          He claimed that he did not endorse or support Trump, while writing blog posts:

          A) About how much more convincing he is if he claims not to endorse or support Trump.

          B) About what a great president Trump would be

          C) About how Trump is going to win in a landslide

          All while mocking people who dislike Trump.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 22 2016, @05:33AM

    by Anonymous Coward on Tuesday March 22 2016, @05:33AM (#321432)

    I feel this issue of DNS amplification attacks goes beyond fixing specific software implementations and rather speaks to a larger problem we currently face: the stateless UDP protocol allows by its very design packet forgeries (that cannot be easily detected through analysis of a single packet), which leads to DNS amplification attacks. Both the NTP and DNS protocols use UDP and are vulnerable to this. Adding in fixes to bandaid the problem fixes these two specific implementations, but the real issue is the ability to send forged UDP packets unabated throughout the internet. Any program or protocol that uses UDP without consideration of this issue could become the next attack vector for an attack like this. I doubt the software engineer designing around UDP is fully versed in just how vulnerable the protocol is to attack. As far as I am aware, to detect a forged UDP packet you need to have a clear idea of the route the packet itself took. If it came in from China with a low TTL (probably didn't bounce out of the continent) but says it's from the US, it's prolly forged. How do you do the same from one datacenter to another when all the traffic is going across similar backbones, passing through similar transit networks, etc.? I'm not a network engineer so I can only speculate at what can be done, but I know enough to say that UDP itself should be considered when talking about the insecurity regarding DDoS amplification attacks. The question I have is who should be obliged to mitigate this issue? Is it the software engineer? The network protocol designer? The network engineer him/herself? The ISPs themselves? It doesn't seem anyone has taken up that mantle just yet, otherwise attacks like this would be a thing of the past. There is always going to be someone running old software on the internet or some software that's not been designed properly. If the protocol itself allows for these kinds of attacks by default (if the developer doesn't account for them), then it's hard to say it's the fault of software developers for not considering every attack vector beforehand. Sure we know now, but the DNS and NTP systems weren't designed and implemented yesterday.

    Am I way off base here?

    • (Score: 3, Interesting) by mth on Tuesday March 22 2016, @09:21AM

      by mth (2848) on Tuesday March 22 2016, @09:21AM (#321487) Homepage

      I think it would be fairly easy to stop this problem at the sender's ISP. If an ISP router sees packets being sent with a source IP address that doesn't belong on its network, it should drop or deny those packets. I don't know why this isn't done though; is it laziness or is there a technical reason this is more difficult than it sounds?

      • (Score: 4, Informative) by VLM on Tuesday March 22 2016, @12:29PM

        by VLM (445) Subscriber Badge on Tuesday March 22 2016, @12:29PM (#321558)

        I used to work in that environment

        1) It's political. You're our upstream, you put in filters if you're so hot about filters and "best practices" and hippie RFCs. No, it's your network full of powned machines, you put in filters on your routers. You owe us one because we pay you. No, you owe us one because I advertised your IP space on your word before we got the LOA from legal, so you filter. It doesn't really matter if you filter on the ISP's router or the customer's router, therefore all answers are wrong and worth fighting about.

        2) You seem to think we don't. We did, for our known problem customers. We had guys who would try to take previous-provider IP space with them to us (no no), and god knows how many times I/we blocked some idiot from advertising RFC1918 address space in BGP, or even better a 0/0 route. And there were some guys we knew personally or by reputation so they had a very light hand, but they get powned sometimes too. And then there's the mass in the middle who just kind of shuffled thru life.

        3) Related to number 2 above, it's a technological problem in that, to make a very long story very short, router vendors "MOSTLY" don't dedicate fixed CPU horsepower to filtering individual ports, so it's the kind of game where filtering the crap out of all the customers isn't affordable at a technical CPU power level, but we could do minimal filtering for the low-risk customers and filter the hell out of the nightmare customers, at significant tradeoff. In the "really old days" like the 90s, keeping BGP stable was a stereotypical "press your luck" game of CPU and memory... things run great right until they don't. And after the n-th time of emergency upgrades, you start not intentionally hitting your thumb with a hammer by giving the CPUs etc. as little to do as possible. Even just stuff like listing giant monolithic config files has a certain cost. Imagine if the entire Linux kernel had to be one extremely long .c file. That's how routers are. And we had some routers with 100 or so customers connected to them.

        4) Related to number 3 above, oh, given an infinite budget it's technologically possible. But everyone thinks they're a better admin than they really are, so would you pay an extra $50/month for a connection that filters the hell out of people who have no idea what they're doing? That's kind of a hard sell to the boss. So if you filter everyone, you'll be too expensive and go out of business, and if you segment it out as an add-on service, you'll get your customers who buy it fired.

        5) You'll just get Windows machines that are powned (but I repeat myself) which don't have to address-spoof to generate tons of traffic. A natural effect of consolidation of the industry. What do you think happens when your security groups expand because you've gone from 10000 little garage-scale webhosters to like 10? Naturally internal attacks are going to be 1000x more likely than in the old days. So filtering on the border is becoming less important as the border-to-area ratio shrinks. The days of the DOS or attack across boundaries are shrinking, just like capitalism in general. Someday there'll be the one ISP and the one webhoster (same?) and there'll be only one BGP AS number and never again a cross-company border attack. Well, not in practice, but in theory we're working to get there ASAP.
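The source-address check mth proposes (drop packets whose source address does not belong on the customer's port) is what BCP 38 / RFC 2827 ingress filtering specifies, and the rejection of RFC1918 space and 0/0 routes VLM describes in point 2 is the matching prefix-list check on a customer's BGP session. The following is an added example, written for this page and not code from any of the commenters, that models both checks for a single customer port in Python. The customer prefixes are constructed from the documentation ranges, the LOA list and the (shortened) bogon list are assumptions, and the maximum accepted prefix length is a parameter chosen here, not a value from the thread.

```python
from ipaddress import ip_address, ip_network

# Address space that should never appear as a packet source on a customer
# port or in a customer's BGP advertisement.  Shortened for the example;
# real bogon lists are longer and change over time.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_decision(port_prefixes, src_ip):
    """BCP 38 source check for one customer port.

    Accept a packet only if its source address lies inside a prefix the
    customer is entitled to use on this port.  Anything else is spoofed (or
    misconfigured) and is dropped at the edge, before it can reach a reflector.
    """
    ip = ip_address(src_ip)
    return "accept" if any(ip in p for p in port_prefixes) else "drop"


def audit_port(port_prefixes, src_ips):
    """Run observed source addresses through the filter; return counts and the drops."""
    dropped = [ip for ip in src_ips if ingress_decision(port_prefixes, ip) == "drop"]
    return {"accept": len(src_ips) - len(dropped), "drop": len(dropped), "dropped": dropped}


def check_advertisement(prefix, loa_prefixes, max_len=24):
    """Prefix-list style check on a route a customer announces to us over BGP.

    Rejects the default route, private/bogon space, overly specific routes
    and anything not covered by the customer's letter of authorisation (LOA).
    Returns (accepted, reason).
    """
    net = ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route"
    if any(net.overlaps(b) for b in BOGONS):
        return False, "bogon/private"
    if net.prefixlen > max_len:
        return False, "too specific"
    if not any(net.subnet_of(loa) for loa in loa_prefixes):
        return False, "not covered by LOA"
    return True, "ok"


# Constructed customer: two documentation prefixes covered by its LOA.
CUSTOMER_A = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed sample of source addresses seen on the customer's port; the
# last three are outside the assigned space (one is RFC1918) and must be dropped.
SAMPLE_SOURCES = ["203.0.113.7", "203.0.113.200", "198.51.100.3",
                  "198.51.100.200", "192.0.2.9", "10.1.2.3"]

if __name__ == "__main__":
    print(audit_port(CUSTOMER_A, SAMPLE_SOURCES))
    for p in ("203.0.113.0/24", "203.0.113.0/25", "0.0.0.0/0", "192.168.0.0/16", "192.0.2.0/24"):
        print(p, check_advertisement(p, CUSTOMER_A))
```

The two functions correspond to the two places VLM says the filtering argument plays out: the packet filter on the customer-facing interface and the route filter on the BGP session. Both work from the same LOA-derived prefix list, which is what makes the per-customer maintenance he describes affordable to automate.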

  • (Score: 3, Interesting) by anubi on Tuesday March 22 2016, @05:39AM

    by anubi (2828) on Tuesday March 22 2016, @05:39AM (#321437) Journal

    These days, a new webmaster can pull in a bunch of software that interferes with people's ad-blockers, then the whole business site simply disappears!

    For what it's worth, your link to Dilbert.com works OK for me.

    However, in a similar vein, I can no longer see GHI Electronics [ghielectronics.com].

    Every time I hit on it, it simply says "The connection to www.ghielectronics.com was interrupted while the page was loading."

    Having a website that does not work for me certainly does not bolster my confidence.

    Maybe they are checking if I am running the latest software? Trying to push an ad that NoScript is blocking? Guess I will never know.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 1, Interesting) by Anonymous Coward on Tuesday March 22 2016, @06:24AM

      by Anonymous Coward on Tuesday March 22 2016, @06:24AM (#321444)

      That's what I got from S/N while everyone (except bradley13 and me, apparently) was asleep.

      I got a 500 from Dilbert in the same timeframe.

      -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @08:11AM

        by Anonymous Coward on Tuesday March 22 2016, @08:11AM (#321460)

        Yes, the site was malfunctioning ~21 hours ago (instead of the expected discussion threads, a "nothing to see here, move along" message was shown) and after it came back up, I was no longer logged in!

  • (Score: 3, Interesting) by looorg on Tuesday March 22 2016, @07:47AM

    by looorg (578) on Tuesday March 22 2016, @07:47AM (#321456)

    From what I can gather from the articles about the DDOS attack in Sweden, it seems to mostly be various newspapers that got taken out, possibly also other companies that are unfortunate enough to have the same hosting companies. From the historical perspective this has happened before and has usually been in relation to some perceived slight versus the Pirate Bay or the Julian Assange case. This time they initially screamed it was the Russians (Sweden has a historical bogeyman fetish vs Russia; it does seem a lot of the hijacked computers were from Russia, which of course means nothing really - if it was a Russian-sponsored cyberattack they sure did pick weird targets and didn't cover their tracks very well). After that it seems to have been a DDOS response to the outing in media of various users of some "alternative media" (read right-wing and/or xenophobes depending on your perspective) sites such as www.avpixlat.se, www.friatider.se and part of some old user database for the webforum www.flashback.se. But from what I know that wasn't exactly something that happened recently, so it was quite a delay in response then.

    The status now seems to be media and government in unison saying it's an attack on freedom, free speech and all that is wonderful in life; like some "news" site being down for a few hours was a threat to the nation. Various government agencies seem to be trying to pawn the case off on each other, probably because they know what a turd it is and it will be a nightmare to investigate and it won't amount to anything. The interesting thing is that if you look at the homepages of the various news sites that were hit, none of them are frontpage-newsing the attack anymore - yesterday's news already.

    It's a bit odd tho that all these media companies and newspapers are private and commercial entities that all make tons of money, but I guess they don't want to invest any of it in server security; instead they go for the old 'attack on free speech' and want the government to somehow bail them out.

    • (Score: 2) by mth on Tuesday March 22 2016, @09:37AM

      by mth (2848) on Tuesday March 22 2016, @09:37AM (#321492) Homepage

      It's a bit odd tho that all these media companies and newspapers are private and commercial entities that all make tons of money, but I guess they don't want to invest any of it in server security; instead they go for the old 'attack on free speech' and want the government to somehow bail them out.

      Newspapers making tons of money? Most are struggling with paper subscriptions going down and unable to make much money online.

      • (Score: 2) by looorg on Tuesday March 22 2016, @10:49AM

        by looorg (578) on Tuesday March 22 2016, @10:49AM (#321525)

        If this had been a few small and independent city newspapers I might have agreed. But these are more or less the largest newspapers in the country. Add to that that most of these papers are owned by one of the two Scandinavian newspaper/media monopoly/giants Bonniers or Schibsted. They are not poor. They are making money hand over fist.

    • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @10:14AM

      by Anonymous Coward on Tuesday March 22 2016, @10:14AM (#321506)

      Also I suspect the newspapers are after government money to "improve their infrastructure", at least from the articles they wrote.
      Mostly they have nobody but themselves to blame for having huge, image-heavy, bloated websites.
      If they just had a simple text-only static website I doubt it would have been all that hard to withstand (admittedly it helps less/you'd need to be able to redirect to AWS or similar if it's an amplification based attack).

      • (Score: 3, Informative) by mth on Tuesday March 22 2016, @10:36AM

        by mth (2848) on Tuesday March 22 2016, @10:36AM (#321521) Homepage

        The summary claims they are being hit by a flood of UDP packets, not HTTP requests. While I don't like bloated website designs either, I don't think you can blame those in this case.

  • (Score: 3, Interesting) by bradley13 on Tuesday March 22 2016, @08:17AM

    by bradley13 (3053) on Tuesday March 22 2016, @08:17AM (#321461) Homepage Journal

    MartyB: Thanks for noting the Armada Collective. That information was apparently added to the story after I read it. As it turns out, it appears to have nothing to do with this particular set of attacks. The 20min.ch article references another article from inside-it.ch [inside-it.ch]. According to this source article, those blackmail demands were sent to various banking sites, not to the eCommerce sites affected by the recent DDoS attacks. According to the article (my translation):

    "We have no information that the DDoS attacks on various online shops are connected with the threats in the name of Armada Collective."

    That was possibly a second, separate set of attacks that either never happened, or that were not successful enough for anyone to notice.

    --
    Everyone is somebody else's weirdo.
  • (Score: 1) by Axllent on Tuesday March 22 2016, @09:11AM

    by Axllent (5917) on Tuesday March 22 2016, @09:11AM (#321482)

    There could be lots of reasons for such attacks. Why do people shoot at tin cans? Practice, testing, maybe to prove something to someone else? It doesn't have to be a big public "oh look at me" or a "pay us or else" reason necessarily.

    • (Score: 0) by Anonymous Coward on Tuesday March 22 2016, @06:57PM

      by Anonymous Coward on Tuesday March 22 2016, @06:57PM (#321771)

      I'm reminded of Hanlon's Razor, one version of which goes "Never ascribe to malice that which is adequately explained by incompetence."

      I'm remembering an event in 2008 when Pakistan's gov't-owned telecom company got an order to block YouTube.
      Their guy's new configuration did a pretty good job of blocking the site for the entire world [google.com] for over an hour.

      -- OriginalOwner_ [soylentnews.org]

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday March 22 2016, @11:48AM

    by Anonymous Coward on Tuesday March 22 2016, @11:48AM (#321543)

    I'd ddos the fuck out of them, in order to hide my primary attack in the traffic.

    ddos is a smokescreen