Meet the Windows servers that have been fueling massive DDoSes for months:
A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They're all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes-per-second of junk data in distributed-denial-of-service attacks designed to disrupt or completely take down websites and services.
In all, recently published research from Black Lotus Labs, the research arm of networking and application technology company Lumen, identified more than 12,000 servers—all running Microsoft domain controllers hosting the company's Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes.
For decades, DDoSers have battled with defenders in a constant, never-ending arms race. Early on, DDoSers simply corralled ever-larger numbers of Internet-connected devices into botnets and then used them to simultaneously send a target more data than it could handle. Targets—be they game companies, journalists, or even crucial pillars of Internet infrastructure—often buckled at the strain and either completely fell over or slowed to a trickle.
Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with defenses that filtered out the junk traffic, allowing their customers to withstand the torrents. DDoSers responded by rolling out new types of attacks that temporarily stymied those defenses. The race continues to play out.
One of the chief methods DDoSers use to gain the upper hand is known as reflection. Rather than sending the torrent of junk traffic to the target directly, DDoSers send network requests to one or more third parties. By choosing third parties with known misconfigurations in their networks and spoofing the requests to give the appearance they were sent by the target, the third parties end up reflecting the data at the target, often in sizes that are tens, hundreds, or even thousands of times bigger than the original payload.
What should the response be to those who run misconfigured servers? Should we try to help them secure their servers (at their cost, of course) or should the servers be shut down?
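The reflection mechanism described above shows up in a server's own traffic as a lopsided byte ratio: small inbound UDP requests whose spoofed source is the victim, answered by much larger outbound responses aimed at that victim. The script below is an added example, not code from the article or from Black Lotus Labs; it runs that check over a handful of constructed NetFlow-style records. The service port (389, assuming the Active Directory service is being reached over UDP, which the article does not name), the addresses (all from documentation ranges), and the thresholds are assumptions chosen for illustration.

```python
"""Flag hosts that behave like UDP reflectors, using flow records.

Added example (not from the article or the Black Lotus Labs research). For each
(server, peer) pair it sums inbound request bytes to a service port and outbound
response bytes from that port, then reports pairs whose response volume dwarfs
the request volume, which is the signature of a server reflecting traffic at a
spoofed victim.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    bytes: int


@dataclass(frozen=True)
class Finding:
    server: str        # the host acting as a reflector
    victim: str        # the peer receiving the amplified responses
    in_bytes: int      # request bytes seen arriving from the (spoofed) peer
    out_bytes: int     # response bytes sent to the peer
    ratio: float       # out_bytes / in_bytes, inf when no request was seen


# Assumption: the UDP service being abused listens on 389 (not stated on the page).
SERVICE_PORT = 389


def find_reflectors(flows, service_port=SERVICE_PORT, min_ratio=10.0, min_out_bytes=1000):
    """Return Finding objects for (server, peer) pairs that look like reflection."""
    inbound = defaultdict(int)   # (server, peer) -> request bytes
    outbound = defaultdict(int)  # (server, peer) -> response bytes
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == service_port:
            inbound[(f.dst, f.src)] += f.bytes
        elif f.src_port == service_port:
            outbound[(f.src, f.dst)] += f.bytes

    findings = []
    for (server, peer), out_b in outbound.items():
        in_b = inbound.get((server, peer), 0)
        # A response with no matching request (e.g. the request was not sampled)
        # is treated as infinitely amplified rather than silently skipped.
        ratio = out_b / in_b if in_b else float("inf")
        if ratio >= min_ratio and out_b >= min_out_bytes:
            findings.append(Finding(server, peer, in_b, out_b, ratio))
    # Largest outbound volume first: that is the pair hurting the victim most.
    return sorted(findings, key=lambda x: x.out_bytes, reverse=True)


# Constructed sample records; addresses are from RFC 5737 documentation ranges.
SERVER = "198.51.100.5"
SAMPLE_FLOWS = [
    # A legitimate client: request and reply of similar size, ratio ~1.2.
    Flow("203.0.113.10", SERVER, 50123, 389, "udp", 100),
    Flow(SERVER, "203.0.113.10", 389, 50123, "udp", 120),
    # Three tiny requests carrying a spoofed source, each answered with ~3 KB.
    Flow("192.0.2.7", SERVER, 44444, 389, "udp", 52),
    Flow("192.0.2.7", SERVER, 44444, 389, "udp", 52),
    Flow("192.0.2.7", SERVER, 44444, 389, "udp", 52),
    Flow(SERVER, "192.0.2.7", 389, 44444, "udp", 3100),
    Flow(SERVER, "192.0.2.7", 389, 44444, "udp", 3100),
    Flow(SERVER, "192.0.2.7", 389, 44444, "udp", 3100),
    # A response whose request never appeared in the sampled flows.
    Flow(SERVER, "192.0.2.9", 389, 5555, "udp", 2000),
    # TCP on the same port is ignored: reflection needs a spoofable transport.
    Flow("203.0.113.20", SERVER, 40000, 389, "tcp", 5000),
]


if __name__ == "__main__":
    for hit in find_reflectors(SAMPLE_FLOWS):
        print(f"{hit.server} -> {hit.victim}: in={hit.in_bytes}B out={hit.out_bytes}B "
              f"amplification={hit.ratio:.1f}x")
```

On real flow exports the same logic works per sampling interval; the ratio threshold should sit well above the protocol's normal request/response size so that ordinary clients, like the first pair above, are never reported.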
(Score: 4, Insightful) by Ox0000 on Saturday October 29 2022, @07:55PM (3 children)
> Should we try to help them secure their servers (at their cost, of course) or should the servers be shut down?
Both: the servers are compromised and can no longer be trusted to not have any remnant malware. The servers must be shut down and new, fresh, non-compromised ones built from scratch.
That and a good, solid talking to about being a good citizen on the internet and taking security seriously.
(Score: 4, Interesting) by RS3 on Saturday October 29 2022, @09:22PM (1 child)
Good answer. I was going to take a cheap-shot at using MS server and the repercussions thereof.
I think the servers can be cleaned, but it's not easy. To be fairly thorough (and there's no 100% in this game) you'd need to scan them, not booted from the infected disks, and with several competing scanners.
That said, I'm very surprised at how long it takes to figure out where the DDOS and other malware traffic comes from. I guess I'm wishing the Internet's routers would help track and stop such traffic. Maybe that's being (finally) baked in- I don't know much about the 'net's routers.
(Score: 1, Informative) by Anonymous Coward on Saturday October 29 2022, @09:50PM
request string (upstream source/append current/send to downstream)
etc etc
This means full traceable sourcing.
VPN endpoints become the primary source for some requests, but how many of these DDoS attacks are running out of VPNs?
Also could help with diagnosing blockages (look, 100 hops vs 50 last time..)
(Score: 2) by driverless on Sunday October 30 2022, @06:00AM
We should kill the man who caused the server to be put up, then slaughter the whole of his family and all his friends and relations, and then burn down his house. Finally, get Harris to go and sing comic songs on the ruins.
(Score: 4, Insightful) by Opportunist on Saturday October 29 2022, @08:25PM (4 children)
If they notice your shit causes undue stress on the internet, they simply take you offline 'til you can prove that you got your act together.
That's actually pretty standard for hosters around here.
(Score: -1, Flamebait) by Spectre of Janrinok's Dead Wife on Saturday October 29 2022, @08:58PM (1 child)
That needs to happen to janrinok before he completely ruins Soylent News.
(Score: 2) by Opportunist on Sunday October 30 2022, @08:17AM
I have a hunch I speak for the majority here when I say that nobody gives a fuck about your petty little vendetta, whatever the background may be.
And no, I don't want to know what it is.
(Score: 1) by Mezion on Sunday October 30 2022, @03:21AM (1 child)
In theory companies do this; however, the articles I have seen seem to only be by specific request, allowing for it to go unnoticed/unblocked by many others.
I would think there would be a blacklist for this sort of thing, but I think this only exists for email. I understand this is a slightly different method of poorly configuring a server, but similar reasoning for being blocked by others. People are quick to notice when their email server has been added to a blacklist.
Wouldn't expanding what is done with email (providing and using automatic server blacklists) be the solution to this issue as well?
(Score: 2) by Opportunist on Sunday October 30 2022, @08:21AM
There's an easy fix for that: Affix the responsibility to the ISPs. Your customers are spam machines? Now you're responsible for it if you can't show that you tried to curtail it. They're spamming for weeks, you get fined.
That fixes this pretty fucking quickly.
(Score: 4, Insightful) by sigterm on Saturday October 29 2022, @09:05PM (1 child)
How about this: Name and shame.
These servers have been running UDP services exposed to the Internet for months or even years, and have been used repeatedly in large-scale reflection attacks, generating enormous volumes of data, and still no-one at these organisations seems to have noticed or cared.
And if public shaming doesn't help, their ISPs should enforce their Terms of Service, which are bound to include clauses regarding malicious, illegal, and/or disruptive activity.
(Score: 0) by Anonymous Coward on Sunday October 30 2022, @09:26AM
There is only one clear message to send: they need to be DDoSed.
(Score: 5, Informative) by fliptop on Sunday October 30 2022, @02:44AM
Not gonna lose any sleep over it, either.
To be oneself, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity