ISPs Fear Monster 40Gbps DDoS Attacks
Attacks getting more sophisticated, while resources getting strained...
Tipped by Revcb

Several readers write in to note that Arbor Networks has released their 2008 Worldwide Infrastructure Security Report, which picks the brains of roughly seventy engineers from tier 1 and 2 ISPs. Engineers were asked 90 questions about everything from backbone capacity to their workloads, and for the fourth straight year noted that the majority of their security resources and time are spent fighting DDoS attacks, which broke the 40Gbps threshold this year. Engineers say this year truly strained security resources at major ISPs:

In the last four surveys, ISPs reportedly spent most of their available security resources combating distributed denial of service (DDoS) attacks. For the first time, this year ISPs describe a far more diversified range of threats, including concerns over domain name system (DNS) spoofing, border gateway protocol (BGP) hijacking and spam. Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP) session border controllers (SBCs) and load balancers.

Breaching the 40Gbps mark nearly doubled last year's DDoS threat, and Arbor warns that should it double again next year, many ISPs will be woefully unprepared to handle the threat. As is usually the case, ISP security departments say they're dealing with increasingly sophisticated threats while they deal with "fewer resources, less management support and increased workload."

mrchris | Out and around | Premium | join:2002-10-01 | North Babylon, NY
Pull them off
This is what you get for NOT educating people (enough) about the threats of the internet. Knock off those botted and spam relaying users until they clean their mess and secure their systems.

pspcrazy | Anime Freak | join:2008-02-06 | San Diego, CA
Re: Pull them off
My site is fairly large and when we were ddos'd we simply couldn't do anything but pay 2-3k more for something we shouldn't need. They need to figure out a MANDATORY method to prevent computers from being bots, and quick. This is a serious issue which shouldn't be going on anymore. It's 2008 and we're still dealing with issues from 2000.
Many sites will simply go out of business when they ddos them for longer than 2-3 days. Luckily for me it lasted only 1 day.

patcat88 | join:2002-04-05 | Jamaica, NY
Re: Pull them off
Computer license, otherwise you get an internet appliance.

Kearnstd | Elf Wizard | Premium | join:2002-01-22 | Mullica Hill, NJ
Re: Pull them off
    said by patcat88: Computer license, otherwise you get an internet appliance.

I'd say allow them up to an iMac, that way they get a real computer to use things like Word or Open Office on but still present a much lower danger to the internet than the typical customer using Windows.
*I'm not promoting Mac, but let's just say I've encountered people already while working in ISP support who don't even have XP Service Pack 1. I wish we had a way to sense that and lock them out of anything but Windows Update when they are that far behind.
-- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports

rawwhide | Premium | join:2000-09-03 | The Sticks
Re: Pull them off
Most people just need www.webtv.com/pc/
No need for any real computing from a PC or a Mac!!
They want online without the hassle to secure themselves then they get Webtv then.
-- TinFoilers UFO Union of America!! TinFoilers UFO Union Local 101...

wxboss | This is like Deja vu all over again. | Premium | join:2005-01-30 | Fort Lauderdale, FL
Re: Pull them off
    said by rawwhide: Most people just need www.webtv.com/pc/ No need for any real computing from a PC or a Mac!! They want online without the hassle to secure themselves then they get Webtv then.

Then your tv will be flooded with unsolicited, risque lingerie ads - oh, wait a minute...what was that website again.
-- "A study in the Washington Post says that women have better verbal skills than men. I just want to say to the authors of that study: Duh." --Conan O'Brien

Lol, WebTV. They still offer that? People actually use it? *looks around in confusion*
*comes back after a few minutes of research* You do realize that someone will manage to enslave the WebTV's too? Even if they don't, no one should have one of those stupid things. Desktops/Laptops are so much better. They do more, anything you want, in fact.

pspcrazy | Anime Freak | join:2008-02-06 | San Diego, CA
Even macs are included in the whole bot net problem, so don't try to play that card. They are less but that's because less people out there use them.

BloodRoses | Aeolus, your daughter flies. | Premium | join:2003-03-17 | Louisville, KY
Re: Pull them off
Macs, and any *NIX machine in general is an overall bigger target because it's more likely to be connected to a broadband connection, and the stability and versatility that a *NIX system offers is much more powerful.
Rootkits, rather than viruses, have been our major problem and they are more or less universal across systems.
-- Faerie Blessings, Stephanie - www.GlitterFaerie.com

    said by patcat88: Computer license, otherwise you get an internet appliance.

Kind of.... An appliance will only keep your site active while blocking the threat. The main point here is the bandwidth used. Even though you may be blocking them, the traffic coming to your appliance still goes over your pipe (aka, still being charged for it). The only thing an appliance would be good for (NOTE: in THIS situation) would be to just drop the traffic. That way you are only sending data over your pipe once (in, but not out). Hence, only have to pay half the price it would have cost you.

birdfeedr | Premium,MVM | join:2001-08-11 | Warwick, RI
Re: Pull them off
    said by utahluge:
        said by patcat88: Computer license, otherwise you get an internet appliance.
    Kind of.... An appliance will only keep your site active while blocking the threat.

The OP's intent, unless I'm mistaken, is to require licensing for running a computer on the internet, otherwise all you can use to browse or access is an internet appliance.

    said by patcat88: Computer license, otherwise you get an internet appliance.

Once you outlaw computers, only outlaws will have computers... or something like that...

patcat88 | join:2002-04-05 | Jamaica, NY
Re: Pull them off
    said by GamerGeek:
        said by patcat88: Computer license, otherwise you get an internet appliance.
    Once you outlaw computers, only outlaws will have computers... or something like that...

Outlaws (people who would get computer license, or illegally have one) are few compared to the sheep (joe six pack with internet appliance).

    said by pspcrazy: My site is fairly large and when we were ddos'd we simply couldn't do anything but pay 2-3k more for something we shouldn't need.

...and you all want bill-by-the-byte... Ok, maybe not all. BUT, I have been saying for quite some time now. People didn't believe me when I said that DDOS would be a problem with bill-by-the-byte. The above quote is only a sample of what I was talking about. I wish the report would have asked about how many times their sites have been DDOS attacked and how much it cost them.
Maybe now some of you will wake up (especially after being attacked). It's the combination of customers that cannot reach your site, the cost of your bandwidth, and then your reputation (word of mouth (or type) is very strong). In all reality, a simple virus could bring down unprepared sites/companies.
Education people. I admit, I did not educate my brother well enough. Just the other day I was helping him with his computer and when I realized his computer IP was an external, I stopped to check the firewall. Guess what? His firewall was turned OFF! I stopped everything I was doing to turn it on and only allow minimal exceptions. I even went as far as to give him a spare router/firewall I had lying around.
ISPs shouldn't be the 'police' of their users. BUT, if they offered their users opt-IN to spam protection, that would be wonderful! Just throttle the user and have an auto-generated email saying what is going on. That way they are not completely cut-off and then the ISP can either open it back up or assist (tell where to go to get help) the customer based on what the customer wants.

espaeth | Digital Plumber | Premium,MVM | join:2001-04-21 | Minneapolis, MN
Re: Pull them off
    said by utahluge:
        said by pspcrazy: My site is fairly large and when we were ddos'd we simply couldn't do anything but pay 2-3k more for something we shouldn't need.
    ...and you all want bill-by-the-byte... Ok, maybe not all. BUT, I have been saying for quite some time now. People didn't believe me when I said that DDOS would be a problem with bill-by-the-byte. The above quote is only a sample of what I was talking about. I wish the report would have asked about how many times their sites have been DDOS attacked and how much it cost them.

Hosting providers already have usage-based billing, and most have an exception process for denial of service attacks where the traffic is excluded from your bill.
The expense that pspcrazy is likely talking about is a DDoS filtering service like ProxyShield from Gigeservers.

pspcrazy | Anime Freak | join:2008-02-06 | San Diego, CA
Re: Pull them off
With the addition of the bandwidth that gets used up in the first hour of the attack, for me with a gigabit port it adds up fast :| Personally I hate caps because it'll cost people that are bots, and they'll never know since it's mostly non technical people who become bots in the first place, so they won't hit their caps either way.

Matt | All noise, no signal. | Premium | join:2003-07-20 | Jamestown, NC
Re: Pull them off
    said by pspcrazy: With the addition of the bandwidth that gets used up in the first hour of the attack, for me with a gigabit port it adds up fast :| Personally I hate caps because it'll cost people that are bots, and they'll never know since it's mostly non technical people who become bots in the first place, so they won't hit their caps either way.

It's pretty easy for an ISP to tell if a user is a zombie. While I doubt an ISP will patrol this on their own, if a user suddenly uses 10x the bandwidth of last month, it's pretty trivial to figure out why when they call in asking what their overage charge is for.

Matt | All noise, no signal. | Premium | join:2003-07-20 | Jamestown, NC
    said by mrchris: This is what you get for NOT educating people (enough) about the threats of the internet. Knock off those botted and spam relaying users until they clean their mess and secure their systems.

I agree. I think the ISPs are worried they'll be responsible for cleaning the infected PCs, which would be an astronomical resource drain and open them up for all kinds of liability though.

Re: Pull them off
    said by Matt:
        said by mrchris: This is what you get for NOT educating people (enough) about the threats of the internet. Knock off those botted and spam relaying users until they clean their mess and secure their systems.
    I agree. I think the ISPs are worried they'll be responsible for cleaning the infected PCs, which would be an astronomical resource drain and open them up for all kinds of liability though.

But think of the bandwidth they'd save

wxboss | This is like Deja vu all over again. | Premium | join:2005-01-30 | Fort Lauderdale, FL
Re: Pull them off
    said by S_engineer:
        said by Matt:
            said by mrchris: This is what you get for NOT educating people (enough) about the threats of the internet. Knock off those botted and spam relaying users until they clean their mess and secure their systems.
        I agree. I think the ISPs are worried they'll be responsible for cleaning the infected PCs, which would be an astronomical resource drain and open them up for all kinds of liability though.
    But think of the bandwidth they'd save

Just kick Asia off the Internet. They're big enough to create their own little intranet and then their bots can duke it out with each other.
-- "A study in the Washington Post says that women have better verbal skills than men. I just want to say to the authors of that study: Duh." --Conan O'Brien

patcat88 | join:2002-04-05 | Jamaica, NY
Re: Pull them off
95% of Japan uses IE. Nobody knows what Firefox is.

kherr | Premium | join:2000-09-04 | Collinsville, IL
Re: Pull them off
Firefox ...... that's an airplane, right ???

jester121 | Premium | join:2003-08-09 | Lake Zurich, IL
Yeah, if only US ISPs could tell the rest of the world what to do...

and killing their connection when attacks or spam are detected from their connection.

DMNTD | join:2002-10-19 | Austin, TX
wait... how does this matter? They are to content police FIRST the MAFIAA demands it..screw security.

fireflier | Coffee. . .Need Coffee | Premium | join:2001-05-25 | Limbo
More money!
ISPs shouldn't be too upset by this. Since the addition of caps and overages seems to be the in thing these days, it just means they'll get more money from customers whose machines have been hijacked and zombified. . .
Add throttling to that and you've got an instant and nice steady additional overage income without saturating the backbone.
-- Tradition: Just because you've always done it that way doesn't mean it's not incredibly stupid. --despair.com

rawwhide | Premium | join:2000-09-03 | The Sticks
Re: More money!
Yep. Eventually ISPs will start to lose customers because they can't afford the overage fees from being zombified..
-- TinFoilers UFO Union of America!! TinFoilers UFO Union Local 101...

jester121 | Premium | join:2003-08-09 | Lake Zurich, IL
ISPs don't get overage revenue from attacks coming from "out there" (meaning the internet at large). At least try to stay on topic.

Re: More money!
    said by jester121: ISPs don't get overage revenue from attacks coming from "out there" (meaning the internet at large).

Wrong. When you're downloading a web page, or an ISO, or watching Youtube, or listening to internet radio, the packets are 'coming from "out there"'. On a direct internet connection, there is no way, short of DPI (Deep Packet Inspection), that the ISP can tell whether it's something you requested or not. I remember years ago when Sympatico first proposed caps+overages (5 gig down + 5 gig up). Somebody mentioned that during one of the worm attacks (Code Red, or NIMDA, I forget which) his firewall blocked 3 gigs of port-scans on port 80 in 10 days. And no, he did NOT have a web-server running.
Note that I said "direct internet connection". If an ISP puts its customers behind a NAT, then
• the customers will only get the traffic they requested
• direct P2P becomes impossible without an intermediate server providing STUN functionality
• the ISP can get by with fewer IP addresses
1) Most ISP customers (the ones who don't use P2P) will be happy.
2) The MAFIAA will be happy
3) The ISP will be happy
The ISP can even market it as a "basic firewall".

SipSizzurp | Fo' Shizzle | Premium | join:2005-12-28 | Houston, TX
Re: More money!
    said by Walter Dnes: The ISP can even market it as a "basic firewall".

That would appear to be a fantastic solution to a few problems. A feature rich NAT router / firewall that an ISP could sell services from. It could be programmed for USA traffic only, or even interest group white lists that could be sold as a service. It would also solve the address space problem faster than IPv6 is going to.

    said by wxboss: Just kick Asia off the Internet. They're big enough to create their own little intranet and then their bots can duke it out with each other.

I have done that with my e-mail server and it is highly effective. About 90% of my spam originated from foreign addresses. I imagine they keep sending it, but it falls through a crack in the floor just outside the front door. This would be another good reason to have zone features available for sale. I can't believe they are all included in the regular base price. These are the good old days, enjoy the WWW while it is still alive.
The DDOS problem needs to be attacked at the global level, the closer to the end user the better. As soon as an IP is black listed (by computerized detection) then the internet simply stops relaying traffic for that IP. Yet another fabulous reason to have neighborhood routers. As soon as the revenue stream is discovered by some marketing nerd at Verizrunner,T&TCox, it will take over.
-- I spent most of my money on Women and Beer, and the rest I just wasted !

jester121 | Premium | join:2003-08-09 | Lake Zurich, IL
I was referring to the attacks Karl quoted, and which were the focus of the article -- DNS, BGP hack attempts, and spam. Those aren't directed at customer lines, they're attacking the ISP infrastructure. My bad, should have been clearer....
Other than mom-n-pop small time ISPs, no one's put customers in non-routable subnets since the AOL days, if that even qualifies (I was never clear on how close they actually got to providing an internet connection as opposed to an "online service with browser access").
It's been awhile since we saw Code Red type worm behavior running rampant (though I still see the occasional Slammer worm poking at the firewall); it will be interesting to see how ISPs with caps treat that traffic.

Seriously guys
Come on, damn skiddies. This is the kind of shit that makes the Internet no fun. Soon it'll start affecting people who use the Internet for nothing more than checking their E-mail, when their VoIP phone goes down, or they somehow hit a bandwidth limit by downloading 20MB a month. It's not funny, especially to the victims. Most of the world already relies on the 'net. I pay my bills on line through my bank's website. If my Internet was to go down for the rest of the month because of a damn skiddie using my computer for malicious reasons, all my bills would be late, and I'd be pissed off. Now if you and your friends wanna team up and waste your bandwidth, I really don't care. But when you use malware and affect more than just yourself and the target of a DDoS, it's gone way too far. DDoSing in general is just stupid, but when you affect more than yourself, your friends, and a couple targets, it's causing big problems.
Put short, skiddies, stop being fucking idiots, and get a life. Mmkay?

Re: Seriously guys
    said by Snowy: Put short, skiddies, stop being fucking idiots, and get a life. Mmkay?

Unfortunately, this is no longer done by mere skiddies. You're talking about criminal mobs, who would have no compunction gunning you down if you got in their way.
Current DDOS attacks are often done by criminals to extort "protection" money, or because they were paid by an unethical rival of your company.
Password-sniffing trojans are planted by criminal gangs to collect credit-card numbers and bank website credentials/passwords.
That all adds up.
Add to that IBR ("Internet Background Radiation") from various worms.
And don't forget all the P2P clients trying to connect to you, because the previous guy on your dynamic IP address was running P2P.

opendns.com
I am on vz fios on the action tec router. I wonder if opendns.com is the way to avoid vulnerable ISP DNS systems

Hehehe
I'm busy uploading HD Video to Vimeo... just doing my part to help bog down the internet. As soon as more digital cameras and HD camcorders get online, there is going to be a serious bandwidth issues all over the place. You find out just how bad your upload bandwidth sucks. It's useless when it comes to HD video, even when coded with X.264.

A REAL Solution
I'd like to make an analogy: Anyone, and I mean anyone, can get a driver's license. It doesn't mean they have taken the time to learn correct driving techniques, how to check tire pressure, when to adjust speed in inclement weather...or for that matter even give a shit that their ignorance might just kill you the next time they drive down the road.
The same is true of a vast, global, demographic of "computer" users. I'd like to propose a solution that would not prevent DDOS, but would certainly have an impact on this form of criminality.
I've run computers since the earliest days of the internet. Packet inspecting hardware routers were the earliest form of defense, and still are. As soon as the first reliable software firewalls became available I was on board.
If operating system developers and software firewall developers collaborated in developing code that informed a server as to the level of protection that the machine had, or did not have, the server could then allow or deny access, by that machine, based upon its threat level.
I realize there is little that can be done to stop the machines whose ignorant and/or doesn't give a shit owner has already allowed it to become a bot.
But from the point forward of implementing this type of self-checking system, it would not take the ignorant of this world very long to figure out that if they want access to internet then they best step up to the mark!
Regards,
Bubbaleone

yaplej | Premium | join:2001-02-10 | White City, OR
Re: A REAL Solution
It's already out there. It's called NAC (Network Access Control) from Cisco, or NAP (Network Access Protection) from Microsoft. Both work with software on the PC, the access layer hardware, and a server to validate if a PC meets security policies before being allowed on a network. It's normally used for enterprise networks.
-- Open Source WAN Accelerator trafficsqueezer.sourceforge.net/

Re: A REAL Solution
yaplej, thanks for that info. What I'm talking about is initiating systems like these on a global infrastructure, not just private enterprise nets.
I love that the internet has always been a bastion for the freedom of speech, that from the beginning every effort has been made to not impose restrictive regulations on its use.
However, there comes a time when the activities of a criminal minority begin to impinge upon the rights of the law-abiding majority, to such an extent, that there is no solution except much tougher regulation.
Regards,
Bubbaleone

    said by bubbaleone: If operating system developers and software firewall developers collaborated in developing code that informed a server as to the level of protection that the machine had, or did not have, the server could then allow or deny access, by that machine, based upon its threat level.

I don't think that would work. You're trusting the machine to truthfully report its condition. What makes you think that Russian mobsters wouldn't get trojans to make the computers under their control lie about themselves? Remember, we're talking about drug-pushers/extortionists/credit-card-identity-thieves/etc.
I'll give you an analogous situation. There are idiot webmasters whose websites "do not support other browsers". If I run the user-agent add-in for Firefox, I can set it to lie to webservers, and claim to be IE7. And Firefox actually does work on a lot of these sites.
Another example is when the a**holes at MSN deliberately looked for Opera7 and sent it a broken style-sheet, when Opera could render the regular IE style sheet just fine. See www.theregister.co.uk/2003/02/06···browser/ Opera got around that by sending a fake user agent ("Oprah") to the webserver.
Same principle here. If you don't fully trust the remote machine not to be hostile, how can you trust a status report from that machine?

Zombied!
Most ISPs can detect and stop the user from these types of attacks.
One day my net goes down, I phone Rogers. Rogers tech said there is a zombie on your computer. We have noticed it for 2 hours. So I tell them to turn my net back on so I can find out which one of my computers has it. Also to find out the original IP addresses that it was taking cues from and report them back to Rogers. They reluctantly did so. I find the zombie on my wife's machine and check the logs and pick out the IPs. Remove the zombie and report back to Rogers less than an hour later. They did their scan and they were happy.
Note: This was before Rogers started being morons. When they had good techs all over the place.

Oh not this again ...
Since day one of Our [the general public] Internet there have been probs of security and since it was rejected by DOD for this insecure reason. Nobody bothered to upgrade the code with an encryption or security bit and now we have a major problem.
As long as there will be crappy OS's like Winblows we will keep on having probs. As long as there's bad coding, bugs, vulnerabilities, mistakes and "nut behind keyboard" we will keep on having same problems. But the worst of all: as long as there's greedy, abusive, manipulating, rip-off, ad pushing, spamming, war mongering, fear spreading, suppressive big business idiots then we WILL keep on having these probs.
All this lip service I see here if not doing squat. Something actually has to be done as a collective! When we all get together and push them idiots off Our Internet as well as fix the code then and only then we will be much happier.

Re: Oh not this again ...
All this lip service I see here if not doing squat.

"All this lip service I see here if not doing squat."
Oldtimer, I don't hear anything in your reply that is anything but "lipservice".