I agree with showing how poorly secured websites are and how easily our information is distributed even when we think it's private.
What I don't agree with is their use of DDoS attacks against sites like cia.gov.
DDoS attacks are pointless. All they point out is how a site has limited resources for dealing with so many concurrent connections.
Sites should deploy onto an infrastructure they feel is adequate to deal with the expected load plus some additional room for growth and spikes.
I'm sure the cia.gov doesn't get hit very hard on a normal day so they didn't go crazy on infrastructure which is understandable. A DDoS proves nothing and prevents people from accessing data.
If you're going to hack, please wear a white or grey hat.
When Anonymous attacked Visa and Mastercard via DDoS (in retaliation to them cutting off Wikileaks donations), Anonymous did actually succeed in stopping the online verification systems for both companies (SecureCode, or something, and Verified by Visa). In that case, the DDoS attacks did more than just take the site down; they financially hurt their target, which was probably the aim to begin with.
I'm not justifying the attacks and I agree that they are the wrong way to go about this business, but it would be naive to suggest that the DDoS attacks are a minor inconvenience.
DDoS's have a monetary impact, yes. However, what the parent is saying is that all infrastructure has limits in terms of bandwidth, etc. The point is that it's not the same class of "attack" vs. finding an exploit. The latter is more in line with the "strive for more secure sites". The former, not so much.
Then we need to fix the infrastructure so that the current generation of attacks don't work. To just say, "oh, well bandwidth is limited so there's always going to be an attack" is not useful. Think of ways you can structure the infrastructure so that it can do filtering further out, or detect spoofed connections, or detect anomalous request patterns. There are solutions, we need to find them and implement them, not just tell people not to do it or claim it's a "weak" attack. It's a strong attack if it takes minimal effort to cause maximal damage. In the real world, that's what matters. There's the idea that we're playing a game and that there are behaviors that are good form or bad form. However, when it comes down to it, what works is what works.
You'd still have to pay for all the computing time to remain available during the attack. It's probably not worth it to try to stay up in that kind of storm.
mentat, I wasn't saying don't protect ourselves against this. However, harnessing a big enough bot network you can always overcome these measures. Finding an exploit is different, and especially for financial institutions inexcusable to a certain level.
Maybe. Look back through his(?) comment history, and you'll see that the point where he was autokilled/hellbanned (around nine pages back) was, while a very downvoted (and nonsensical) comment, not actually malicious. Before that, he had a few comments which were downvoted maybe two or three times (you can tell by the color). It's probable that he was autokilled/hellbanned because those caused his average comment karma to drop too far, as well as making his karma negative, though I am not aware of the exact criteria.
At this point, he seems like a false positive based on his recent comments. It's a pity that there's no real procedure for being unhellbanned, even if the user discovers that they are, other than starting a new account.
Even starting a new account doesn't work (at least it didn't in a previous instance where I notified a false positive). You also need to use a proxy. So to phillijw, email PG or start a new account using a proxy :)
DDoS attacks are pointless. All they point out is how a site has limited resources for dealing with so many concurrent connections.
This point was raised a few months back in relation to PayPal and Visa getting DDoSed because of Wikileaks: DDoS attacks could be the new digital age version of a protest, a disruption of normal activities to draw attention to a particular cause (whether or not that cause is worthy is secondary). In that sense, DDoS attacks are very relevant.
There is a need to develop systems that aren't subject to DDOS (at least the current generation). It used to be very easy to DOS anyone's network stack (think SYN flooding). If people hadn't shown that it was an issue by doing it, the Internet would still be running on stacks that were trivial to undermine many different ways. Saying that something is easy to do and has a tremendous impact is an engineering problem statement. Demonstrating it shows that it's also a business problem. This is how things get fixed, when people get tired of being instantly knocked off the Internet by .4% of the LulzSec DDOS capacity. The Internet still has some basic problems, ignoring them won't make them go away.
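The SYN flooding fix the comment alludes to is SYN cookies: instead of allocating state for every half-open connection, the server encodes the connection into the sequence number it sends back and only allocates state when a valid final ACK arrives. The following is an added illustration, not code from the thread or from any real TCP stack; it simplifies the classic scheme (IPv4 only, no MSS encoding, a 64-second time slot tagged in the top five bits, HMAC-SHA256 over the 4-tuple), and the secret key and addresses are constructed for the demo.

```python
import hmac
import ipaddress
import struct
import time

# Constructed per-boot secret (assumption: a real stack generates and rotates this).
SERVER_SECRET = b"constructed-syn-cookie-secret"

COOKIE_MASK = 0xFFFFFFFF                 # TCP sequence numbers are 32 bits
TAG_BITS = 5                             # top 5 bits of the cookie carry a time-slot tag
HASH_MASK = (1 << (32 - TAG_BITS)) - 1   # remaining 27 bits carry the keyed hash


def time_slot(now):
    """Coarse clock: one slot every 64 seconds, as in the classic SYN cookie design."""
    return int(now) >> 6


def _cookie_hash(src_ip, dst_ip, src_port, dst_port, client_isn, slot):
    """Keyed hash of the IPv4 4-tuple, the client's ISN and the time slot."""
    material = struct.pack(
        ">4s4sHHII",
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
        src_port, dst_port, client_isn & COOKIE_MASK, slot & COOKIE_MASK,
    )
    digest = hmac.new(SERVER_SECRET, material, "sha256").digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, now=None):
    """Server ISN for the SYN-ACK. The half-open connection is encoded in the
    number itself, so nothing is stored while the handshake is pending."""
    now = time.time() if now is None else now
    slot = time_slot(now)
    tag = slot & ((1 << TAG_BITS) - 1)
    return (tag << (32 - TAG_BITS)) | _cookie_hash(
        src_ip, dst_ip, src_port, dst_port, client_isn, slot)


def verify_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_seq, ack,
                      now=None, max_slots=1):
    """Check the final ACK of the handshake. client_seq is the client's sequence
    number on the ACK (its ISN + 1); ack is our ISN + 1. True only if the cookie
    was minted by us for this 4-tuple within the last max_slots time slots."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & COOKIE_MASK
    tag = cookie >> (32 - TAG_BITS)
    client_isn = (client_seq - 1) & COOKIE_MASK
    current = time_slot(now)
    for delta in range(max_slots + 1):
        slot = current - delta
        if slot & ((1 << TAG_BITS) - 1) != tag:
            continue
        expected = _cookie_hash(src_ip, dst_ip, src_port, dst_port, client_isn, slot)
        return hmac.compare_digest(
            (cookie & HASH_MASK).to_bytes(4, "big"), expected.to_bytes(4, "big"))
    return False   # no recent slot carries this tag: stale or forged


if __name__ == "__main__":
    # Constructed handshake: a client at 10.0.0.5 opens a connection to port 80.
    isn = make_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 80, 12345, now=1000.0)
    print("SYN-ACK ISN (cookie):", hex(isn))
    print("genuine ACK accepted:",
          verify_syn_cookie("10.0.0.5", "192.0.2.1", 40000, 80, 12346, isn + 1, now=1030.0))
    print("ACK from a different port accepted:",
          verify_syn_cookie("10.0.0.5", "192.0.2.1", 40001, 80, 12346, isn + 1, now=1030.0))
```

The point the comment makes is visible in the structure: a flood of SYNs costs the server one HMAC each and no memory, and a spoofed source never receives the SYN-ACK, so it cannot produce the matching ACK. Real implementations (Linux, FreeBSD) also have to squeeze the negotiated MSS and window scaling into the cookie, which is why SYN cookies are normally only switched on when the backlog fills.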
See, is there a practical way to "fix" the problem behind a DDOS? More specific attacks (slowloris, SYN flood, ping of death, smurf, and a laundry list of other stuff) can be fixed by simply introducing changes to the infrastructure that makes such things possible.
But a DDOS attack is, at heart, nothing more than a brute-force attack - flooding a single website / IP with so much traffic that it can't respond. No matter how much fancy technology you add, if you have a 100Mbps link, and someone's sending 1Gbps of data at you, you're out of luck.
And, yes, I realize that there are companies that specialize in protecting against DDOS attacks - generally, they move content to a CDN and use some intelligent filtering to drop packets (i.e. people that request multiple times in succession, etc.). But this still is reliant on the fact that their connections are large enough that they can actually process all this data.
If a large country decided to use all its available Internet bandwidth to DDOS, there's not much anyone can do about it.
In short: DDOS attacks will likely always be around - they might require higher bandwidth (country-scale or thereabouts), but it's not "fixable".
So let's think about how traffic gets onto the network and what steps might make sense to limit that. I have some "crazy" ideas about this including per device reputation enforced as close to the device as possible. Yes, if we say that anyone with any sort of device can send data to anyone then this will be a problem. There are other options including different sorts of "darknet" type things. Are there no "outside the box" type solutions that you can think through the tradeoffs for? I think the underlying assumption you're working with, that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me as a rule of how things must forever work needs to be justified.
Yes, that would be a valid solution - authenticate every device, or provide a per-device reputation. But this has a couple of problems that I can think of:
1. Per-device reputation removes the concept of anonymity. If I can look up the "reputation" of the device that sent me a packet, I can track it perfectly too.
2. Authenticating every device (besides the practical challenges) is very inconvenient. What happens if I move countries? Buy a new phone? Or a new network card?
And there are more issues that I won't list :)
Problems aside, I agree with the statement: "the underlying assumption [...] that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me [...] needs to be justified".
I think the most practical solution to this would simply be forcing ISPs (through legislation would be best) to look a little closer at their traffic. If I'm running an ISP, and I see a computer making 100 requests/second to a single website for more than a minute, I'm immediately thinking "DDOS". Yes, there's privacy issues, but most ISPs already do some sort of traffic shaping (see: Sandvine), so it shouldn't be that much of a stretch.
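The heuristic in the comment ("100 requests/second to a single website for more than a minute") is easy to make concrete. The following is an added example, not code from the thread or from any ISP product: it buckets flow records per (source, destination) pair into one-second counts and flags a pair only when the rate stays above the threshold for a sustained run of seconds, so a short crawler burst is not reported. The records, addresses and thresholds are constructed for the demo.

```python
from collections import defaultdict

RATE_THRESHOLD = 100    # requests per second, the figure used in the comment
SUSTAIN_SECONDS = 60    # the rate must hold for this many consecutive seconds


def detect_sustained_flood(records, rate=RATE_THRESHOLD, sustain=SUSTAIN_SECONDS):
    """records: iterable of (timestamp, src_ip, dst_host), any order.
    Returns {(src_ip, dst_host): second_at_which_flagged} for every pair whose
    per-second request count stayed >= rate for `sustain` consecutive seconds."""
    # (src, dst) -> {integer second -> request count}
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in records:
        counts[(src, dst)][int(ts)] += 1

    flagged = {}
    for pair, per_sec in counts.items():
        seconds = sorted(per_sec)
        run = 0
        # Walk every second in the pair's active range; gaps count as zero
        # requests and therefore break the run.
        for sec in range(seconds[0], seconds[-1] + 1):
            if per_sec.get(sec, 0) >= rate:
                run += 1
                if run >= sustain:
                    flagged[pair] = sec
                    break
            else:
                run = 0
    return flagged


def build_sample_records():
    """Constructed flow log: one flooding host, one normal client, one short burst."""
    base = 1_700_000_000
    records = []
    for sec in range(90):
        # 198.51.100.7 sends 120 req/s for 90 s: should be flagged at second 59
        for i in range(120):
            records.append((base + sec + i / 120, "198.51.100.7", "example.org"))
        # 203.0.113.9 browses normally at 2 req/s: never flagged
        for i in range(2):
            records.append((base + sec + i / 2, "203.0.113.9", "example.org"))
    for sec in range(20):
        # 203.0.113.10 bursts at 150 req/s but only for 20 s: below the sustain window
        for i in range(150):
            records.append((base + sec + i / 150, "203.0.113.10", "example.org"))
    return records


if __name__ == "__main__":
    for (src, dst), when in detect_sustained_flood(build_sample_records()).items():
        print(f"flagged {src} -> {dst} at t={when}")
```

The exact-count dictionary is fine for a demo but not for an ISP's traffic volume; a production version would use approximate counters (count-min sketch or similar) keyed on the pair, and the "destination" would usually be an IP or prefix rather than a hostname, since most of the traffic is not readable at the ISP. The comment's privacy concern also applies to this design: it needs per-subscriber request rates, which is more than plain volume-based shaping looks at.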
It'd need the help of browsers or OS's (depending on where in the stack you put the logic), but one idea might be to require requests/packets to be signed by something that proves a sufficient amount of CPU work has been done (à la bitcoin). If the site comes under attack, they could turn this on (presumably with a middle-man service that can take high bandwidth) and up the amount of work required to reach the destination. This would no doubt slow things for the legitimate users, but it could make things much more difficult for the attackers.
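What the comment describes is a client puzzle of the hashcash kind: the server hands out a challenge, the client must find a nonce whose hash has a chosen number of leading zero bits, and the server checks the answer with a single hash. The block below is an added example, not code from the thread or from any real proof-of-work deployment; the challenge format, the HMAC sealing (so the server keeps no state per challenge), the 300-second expiry and the key are all assumptions made for the demo. The asymmetry is the whole point: the client's cost grows as 2^difficulty, the server's verification cost does not.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server key (assumption: a per-site secret in a real deployment).
SERVER_KEY = b"constructed-puzzle-key"


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def issue_challenge(client_id, difficulty_bits, now=None):
    """Server side: challenge bound to the client, a timestamp and a difficulty,
    sealed with an HMAC so it can be verified later without storing it."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}:{ts}:{difficulty_bits}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()[:16]
    return f"{body}:{tag}"


def solve_challenge(challenge):
    """Client side: search a counter until sha256(challenge:counter) starts with
    enough zero bits. Expected cost is about 2**difficulty hashes."""
    bits = int(challenge.rsplit(":", 4)[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify_solution(challenge, counter, now=None, max_age=300):
    """Server side: one HMAC plus one SHA-256, whatever the difficulty."""
    now = time.time() if now is None else now
    body, tag = challenge.rsplit(":", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False          # difficulty, timestamp or client binding was altered
    _client_id, ts, bits, _nonce = body.rsplit(":", 3)
    if now - int(ts) > max_age:
        return False          # stale challenge: solutions cannot be stockpiled
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(bits)


if __name__ == "__main__":
    # Constructed exchange: the server raises difficulty while under load.
    for difficulty in (12, 16):
        challenge = issue_challenge("203.0.113.9", difficulty)
        start = time.perf_counter()
        answer = solve_challenge(challenge)
        print(f"{difficulty} bits: client spent {time.perf_counter() - start:.3f}s,"
              f" server accepts: {verify_solution(challenge, answer)}")
```

This shows both halves of the later objections in the thread: verification really is cheap (one HMAC and one hash), so the server-side CPU cost of checking signatures is small, but the puzzle does nothing about raw bandwidth, and a botnet that already has idle CPU on every node pays the client cost just as easily as a legitimate user does.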
This really doesn't solve the DDOS problem though. It's throwing more CPU time and bandwidth at a scenario that already requires both of those. It can slow a small group of script kiddies making a thousand requests to your server per second, but it doesn't stop an actual distributed attack using a botnet or large numbers of machines.
If you're adding the signatures, you presumably need to spend CPU time to authenticate it, and bandwidth to send the data, plus the actual content. Why not just have the middle-man soak up the extra requests, cache the data, and fan it out that way?
A long time ago I read/watched something about a group that works with ISPs around the world to nail down the source of DDoS attacks and stop them, but I don't remember anything else.
When I tried freenet it was so slow that it would compare unfavorably to a website being DDOSed, so that's perhaps a bad example. As far as bittorrent goes, it is entirely possible to DDOS the distribution of the contents of a single .torrent: DDOS every computer seeding it. Might take more effort than DDOSing a commercial site, or it might not, depending on how much downstream the seeds have.
DDOS attacks are terribly hard to stem. I remember Softlayer having a Cisco Guard they claimed helped against DDoS attacks, but it seems to cut off and block a good amount of legitimate traffic as well.
I think the point of their DDoS attack on cia.gov was in response to the US's statements that cyberwarfare would be responded to with actual warfare. They're just poking the beehive to see what it will do.
But clearly that's not what they want to do, they're not claiming that their intentions were moral or ethical, just that their having fun happens to have some arguably positive impact at times.