http://www.20min.ch/digital/webpage/story/30859771
The article of course does not detail how Swisscom 'disabled' the website, which seems to be hosted in Germany anyway.
*If* Swisscom has some way to be tricked into blocking websites by attacking random sites of theirs, then I am sure that Swisscom had better soon start leaving this whole Internet business. Also it can of course be said that they are applying censorship, which is probably yet another lawsuit waiting to happen if they really do that (although IMHO in the case of xxx sites, meh, let people go somewhere else for their business).
The article also states that the sex site was not reachable 'for months'. The only conclusion I can make out of that one is that the attacking source has too many resources, which generally is not the case; maybe an attack lasts a day, which takes a site out, but for a month!?
Anybody got some insights, background and real details about all of this? Journalists are always so good at telling the wrong stuff.
Greets, Jeroen
Sorry, but the DDoS attacks are a problem; read Fredy's article at http://www.blogg.ch/index.php?/archives/804-Immer-groessere-DDOS-Attacken-sa... I think the problem is now so big that even a Swisscom has many problems providing an XXX site. 5 years ago we also had an xxx site. We cancelled this 5 years ago, when we had the same hacking attack on our servers. For a little provider it isn't possible to host an XXX webpage. Now you can see the biggest provider has this problem too. And Swisscom doesn't have small backbone lines. The best way would be if only one provider hosted all XXX sites. I think nobody will hack the infrastructure which they are using themselves.
Greetings Xaver
----- Original Message ----- From: "Jeroen Massar" jeroen@unfix.org To: "SWINOG" swinog@swinog.ch Sent: Thursday, September 03, 2009 12:03 PM Subject: [swinog] Swisscom "disables" xxx website!?
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Ok this time it was "only" a xxx website. And next time?
Sorry, if a provider goes the way of shutting down some of his customers because of a DDoS attack, it will be vulnerable also to other cyberterror things. And vulnerable means not in the technical way, but in the financial and political way.
So it would be interesting how Swisscom would solve this challenge in the future.
Adrian
why is everyone talking only about swisscom? what about cablecom/upc, sunrise, thenet, init7, etc. etc... what are you doing against that?
would be interesting to see what everyone is doing to prevent cyberterror? (this might probably be an interesting topic for swinog-20...).
besides DoS attacks there are other possibilities. what if someone is nuking telehouse? what if someone sets fire to an exchange? what if someone breaks into an exchange and steals hardware, armed/unarmed (already happened, if i'm not wrong, in chicago)....
this topic is sooo huuuge ,-)
-steven
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Adrian Senn Sent: Thursday, September 03, 2009 8:34 PM To: swinog@swinog.ch Subject: Re: [swinog] Swisscom "disables" xxx website!?
Ok this time it was "only" a xxx website. And next time?
Sorry, if a provider goes the way of shutting down some of his customers because of a DDoS attack, it will be vulnerable also to other cyberterror things. And vulnerable means not in the technical way, but in the financial and political way.
So it would be interesting how Swisscom would solve this challenge in the future.
Adrian
why is everyone talking only about swisscom?
Because they are the biggest Large target -> easy shot. Or was that a rhetorical question? ;-)
what about cablecom/upc, sunrise, thenet, init7, etc. etc... what are you doing against that? would be interesting to see what everyone is doing to prevent cyberterror?
The same, I must assume. (I.e.: get rid of the problem by null-routing the targeted IP). But I'm glad that 20min actually went forward with the story. Wouldn't have surprised me if the guy had to shop the story around.
(this might probably be an interesting topic for swinog-20...).
besides DoS attacks there are other possibilities. what if someone is nuking telehouse? what if someone sets fire to an exchange? what if someone breaks into an exchange and steals hardware, armed/unarmed (already happened, if i'm not wrong, in chicago)....
Well, it will only happen if there is some profit to make and this is the easiest way to reach the goal. Cui bono?
this topic is sooo huuuge ,-)
Indeed.
cheers, Rainer
On Thu, Sep 03, 2009 at 08:33:48PM +0200, Adrian Senn wrote:
Ok this time it was "only" a xxx website. And next time?
Sorry, but I think you would not think like this if you were a customer of an ISP that is under constant DDoS because of a single site. Yes, it sucks that you can buy botnet DDoS for little money which is so big that it actually affects the ISP infrastructure and so all customers at once. But it also sucks that the owners of the attacked sites are unwilling to pay for the service which will protect them. Most of the time those sites don't have the money to get the connectivity and protection they need, so should the unaffected customers pay for them? Are you willing to pay more?
Sorry, if a provider goes the way of shutting down some of his customers because of a DDoS attack, it will be vulnerable also to other cyberterror things.
The big question is, why was the customer DDoSed in the first place? 99% of all customers are never DDoSed but suffer from the 1% that are, and those 1% are normally not even willing to pay more for the excess bandwidth, the excess support time, or additional HW needed just for them. And sorry, this has nothing to do with cyberterror, this is just the good old Russian business network trying to blackmail or destroy some competitor. "cyberterror things" I think you watched too many 24 episodes.
And vulnerable means not in the technical way, but in the financial and political way.
Did you ever read the AGB of your provider? I think I never saw a clause mentioning that the ISP will protect you from DDoS and other attacks. Normally it is the opposite.
So it would be interesting how Swisscom would solve this challenge in the future.
What about the other ISPs? This is a global issue. Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
Hello, I think it is the old problem... Swisscom and other ISPs which are hosting some adult content have received some mails... Please remove the page xxx.hotxxxx.xxx or we make a DDoS attack every yy hours... And the problem is that most of the DDoS attacks come over botnets. The backbone lines are full when the attacks come. The cyber war between the adult content providers has been going on for 2 or more years. Now is the problem: the attacks are so frequent that a provider must look at what he is doing. The best way is to remove adult content. Then the ISP has fixed the problem (for the moment). But it is possible that other content providers do the same. They say, for example, please remove the webpage books.ch from your network or else we are making a lot of DDoS attacks. At the moment this is only a problem with adult content. But I think in the future this will be a problem for all content categories which are making money.
Greetings Xaver
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Claudio Jeker Sent: Friday, 4 September 2009 10:10 To: swinog@lists.swinog.ch; swinog@swinog.ch Subject: Re: [swinog] Swisscom "disables" xxx website!?
On Thu, Sep 03, 2009 at 08:33:48PM +0200, Adrian Senn wrote:
Ok this time it was "only" a xxx website. And next time?
Sorry, but I think you would not think like this if you were a customer of an ISP that is under constant DDoS because of a single site. Yes, it sucks that you can buy botnet DDoS for little money which is so big that it actually affects the ISP infrastructure and so all customers at once. But it also sucks that the owners of the attacked sites are unwilling to pay for the service which will protect them. Most of the time those sites don't have the money to get the connectivity and protection they need, so should the unaffected customers pay for them? Are you willing to pay more?
Sorry, if a provider goes the way of shutting down some of his customers because of a DDoS attack, it will be vulnerable also to other cyberterror things.
The big question is, why was the customer DDoSed in the first place? 99% of all customers are never DDoSed but suffer from the 1% that are, and those 1% are normally not even willing to pay more for the excess bandwidth, the excess support time, or additional HW needed just for them. And sorry, this has nothing to do with cyberterror, this is just the good old Russian business network trying to blackmail or destroy some competitor. "cyberterror things" I think you watched too many 24 episodes.
And vulnerable means not in the technical way, but in the financial and political way.
Did you ever read the AGB of your provider? I think I never saw a clause mentioning that the ISP will protect you from DDoS and other attacks. Normally it is the opposite.
So it would be interesting how Swisscom would solve this challenge in the future.
What about the other ISPs? This is a global issue. Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
-- :wq Claudio
Claudio Jeker wrote: [..]
So it would be interesting how Swisscom would solve this challenge in the future.
What about the other ISPs? This is a global issue. Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
[short version of below story: join NSP-SEC, keep your own network clean, cooperate with other ISPs, that is what SWINOG is for ;) ]
Although it is always fun to blame M$, you are forgetting that little fact that a large amount of the working DDoS bots that are actually effective in contributing to large amounts of DDoS traffic are hosted in nice fat datacenters with fat pipes and are generally of the nice LAMP persuasion with Wordpress, PHPBB and various other oh so vulnerable software. Really, blaming M$ is far from correct.
All software is vulnerable in one way or another, be it commercial, be it "open source" (whatever flavor of that might mean). You can make fun so many times of those who have a large installed base, but anything which is installed widely will get enough attention by people that they will find a vulnerability.
The real answer to all of that is simply that when a vulnerability is known that people actually update their software (or otherwise mitigate the problem), and that is a really big problem as there are too many people on the net who don't know about these issues, don't care, or because of some weird policy can't update their software. As such there will always be vulnerable software, and as long as there is profit in finding these hosts, exploiting them and then abusing them, there will be botnets.
There is no real solution here. Microsoft is actually doing their best by forcing Windows Update, and even allowing it for pirated windows editions. That thus partially solves the Windows part, but not fully.
You of course don't need a vulnerability, just get the (stupid) user to execute something "Look, cool movie of X, just click here and start it" or "Please upgrade this and this!!! click here!" and voila, you have owned the box, it does not matter so much which operating system, as long as one provides the correct binary. One generally also does not care about having "root" or Administrator permissions, just being able to act as a normal user, pulling 1 page per 5 seconds of a host, multiply by the 1.000.000 bots you have et voila, DDoS is done.
Only thing ISPs can do is try and mitigate DDoS attacks.
Hosting providers can try to limit the amount of address space that they can be attacked from, as they did in this case. But of course, smart DDoSers will just attack the infrastructure upstream or in a similar path as that site....
As such, the only thing that can be truly done is at the access providers, of which you will have hundreds and actually tens of thousands. Just like BCP38, which a lot of them don't implement yet, this is not easy to resolve as everybody has to do it and a lot won't.
One of the few solutions would be data sharing amongst ISPs and proper abuse notification and handling, but again you are talking about hundreds of thousands of ISPs.
I guess the only true way of solving it would be to have a 'trusted internet', aka one where only 'trusted' ISPs are connected. Then the moment you get DDoSed, disable the peerings to the non-trusted ones. You'll then have the trusted ones left, which you hopefully have a working relationship with and with whom you can resolve any DDoS attacking hosts (but that will be difficult if they only request X 'normal looking' requests from you, because you then can't distinguish them from normal clients...)
Of course this 'trusted' does not work for one reason: money. If you cut off the non-trusted ISPs and those are containing a big amount of eye-balls for you, then forget about it. Oh and not to forget this other thing called 'freedom on the Internet'.
This trusted scheme might work on a country level though. In a country like Switzerland, or The Netherlands, most of the players in the ISP field pretty much know each other. This list represents SWINOG, which contains most Swiss ISPs; maybe it is time to set up something so that at least the Swiss ISPs have a proper abuse handling system. That way, when one of the Swiss ISPs gets threatened for a site they have, the threat can be restricted to hosts in Switzerland: attackers will only be able to be inside the country and so can eyeballs (which is what for some media forms one would need anyway). Of course, the people who count the money won't like this, as the eyeballs might be abroad too, and the moment that you are allowing 1 site to be seen globally there is an attack vector for that ISP, and yes the attackers will figure out how to get to you if you have that.. as such we'll need to have it globally at one point for it to become truly effective. NSP-SEC is probably the first step to take for most ISPs; if you are there, then other steps will follow in due time...
Greets, Jeroen
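Two mitigations come up repeatedly in this thread: Rainer's "get rid of the problem by null-routing the targeted IP" and Jeroen's point that BCP38 source-address filtering at the access edge is where bot traffic can actually be stopped. The script below is an added example written for this page, not code from the SWINOG thread or from any of the providers named in it. It triages a handful of constructed NetFlow-style records: it flags customer-side flows whose source address the provider does not own (the BCP38 check) and sums inbound bytes per hosted address to pick null-route candidates. The flow layout, the provider prefixes (RFC 5737 documentation ranges), the byte threshold and the `ingress` field are all assumptions made for the example.

```python
"""Flow-record triage for the two mitigations discussed in the thread:
BCP38 source-address filtering at the customer edge, and null-routing a
DDoS target.  Added example; flows, prefixes and threshold are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: address space the (hypothetical) hosting provider announces.
OUR_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed NetFlow-style sample. "ingress" records which side of the
# network the collector saw the flow enter: a customer port or a peer/transit port.
FLOWS = [
    {"ingress": "customer", "src": "198.51.100.10", "dst": "192.0.2.50",   "bytes": 1_500},
    {"ingress": "customer", "src": "10.0.0.9",      "dst": "192.0.2.50",   "bytes": 1_500},
    {"ingress": "customer", "src": "203.0.113.5",   "dst": "192.0.2.60",   "bytes": 700},
    {"ingress": "peer",     "src": "192.0.2.1",     "dst": "198.51.100.7", "bytes": 900_000},
    {"ingress": "peer",     "src": "192.0.2.2",     "dst": "198.51.100.7", "bytes": 850_000},
    {"ingress": "peer",     "src": "192.0.2.3",     "dst": "198.51.100.8", "bytes": 40_000},
    {"ingress": "peer",     "src": "192.0.2.4",     "dst": "203.0.113.5",  "bytes": 1_000},
]


def in_our_space(ip, prefixes=OUR_PREFIXES):
    """True if ip falls inside one of the provider's own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def bcp38_violations(flows, prefixes=OUR_PREFIXES):
    """BCP38 check: traffic entering on a customer port must carry a source
    address the provider actually owns.  Anything else is spoofed and would
    turn this network into a launch point for attacks on others."""
    return [f for f in flows
            if f["ingress"] == "customer" and not in_our_space(f["src"], prefixes)]


def bytes_per_target(flows, prefixes=OUR_PREFIXES):
    """Sum inbound bytes per hosted destination: traffic arriving from peers
    and transit towards addresses we own."""
    totals = defaultdict(int)
    for f in flows:
        if f["ingress"] == "peer" and in_our_space(f["dst"], prefixes):
            totals[f["dst"]] += f["bytes"]
    return dict(totals)


def blackhole_candidates(flows, threshold, prefixes=OUR_PREFIXES):
    """Hosted destinations whose inbound volume in this window reached the threshold."""
    return sorted(dst for dst, total in bytes_per_target(flows, prefixes).items()
                  if total >= threshold)


def null_route(ip):
    """Cisco IOS-style static host route to Null0, i.e. the "null-routing the
    targeted IP" step: traffic for the victim is discarded at the edge, sparing
    the other customers but also taking the victim offline."""
    return f"ip route {ip} 255.255.255.255 Null0"


if __name__ == "__main__":
    for f in bcp38_violations(FLOWS):
        print(f"BCP38: spoofed source {f['src']} seen on customer port")
    for dst in blackhole_candidates(FLOWS, threshold=1_000_000):
        print(null_route(dst))
```

With the constructed sample, the 10.0.0.9 flow is the only BCP38 violation and 198.51.100.7 (1,750,000 bytes inbound) is the only null-route candidate. In production the same decision is normally propagated with a BGP blackhole community to all edge routers rather than typed as a static route, but the trade-off the thread argues about is visible either way: the null route stops the flood for everyone else by sacrificing exactly the customer who was attacked.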
Claudio Jeker schrieb:
Are you willing to pay more?
Shure im not.
And sorry, this has nothing to do with cyberterror, this is just the good old Russian business network trying to blackmail or destroy some competitor. "cyberterror things" I think you watched too many 24 episodes.
Are you really shure? For the moment there are only related DDoS attacks against a small number of websites. But in the future? In the future it can be another website with "normal" content.
What about the other ISPs? This is a global issue. Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
It would be interesting to know the sources from where the DDoS attack against Swisscom came, and whether it was over peerings or from an upstream provider. I know if you can't work together with the provider from where the traffic came, then you already have filled pipes.
I don't have a solution at the moment, but I don't think the problem will be only against xxx-related sites.
Adrian
Adrian Senn wrote:
Claudio Jeker schrieb:
Are you willing to pay more?
Shure im not.
s/Shure/sure/ ;)
[..]
It would be interesting to know the sources from where the DDoS attack against Swisscom came, and whether it was over peerings or from an upstream provider. I know if you can't work together with the provider from where the traffic came, then you already have filled pipes.
Doesn't matter. The moment that you host site X in your network which you make available only for peering, and you also have site Y which is peering+transit, one can just attack site Y and you will go down.
Then you send a polite mail to the $ISP and say "I'll DDoS Y if you don't take care of X", and that is what happened in this case from what I up to now understand.
Nothing that really can be done about this, except getting rid of all the bots.... and that is a very difficult problem.
Catching the people who are doing this is the proper way to go. This requires proper legislation and clueful people who can enforce those rules along with cooperation of ISPs.
The bad thing about all of this is that in a way it will limit the freedom that people have on the internet, but if that is the only thing that can solve that problem, then so be it...
Greets, Jeroen
Claudio Jeker jeker@networx.ch wrote:
Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
What kind of legal rule would provide an appropriate disincentive to software companies regarding this?
Greetings, Norbert
Norbert Bollow wrote:
Claudio Jeker jeker@networx.ch wrote:
Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
What kind of legal rule would provide an appropriate disincentive to software companies regarding this?
None.
Especially operating systems are made for running code on. Bots are just normal programs; fortunately they kinda behave in a weird way so that they can be detected. How is any software author going to protect against that? There is a way of course: require signed code for everything, and we all know what a public outcry it was when Microsoft required drivers to be signed (which, as everybody else knows, stopped a lot of those random crashes and bluescreens as suddenly only working drivers were being used...). And then of course if M$ would push signed applications there is always the propaganda about 'freedom' and 'being restricted' etc. Nokia's S60 platform (and some others) requires signed binaries, iPhone does so; does that work for you, or are you unhappy that you have to pay upward of 5000 eur to be able to play in the S60 game?
Operating systems give us the freedom to deploy any kind of application; this though also allows any stupid person to simply click on that .exe in that email, or "download that new version of Flash" and other nice tricks. For these tricks there is not much any software author can do, as from the OS point of view, people are just installing yet another normal program. Nothing special.
Fortunately for the authors of software the licenses applied to most "Open Source" software contain lines like[1]:
"... IN NO EVENT SHALL <copyright holder> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES..."
which is more or less similar to what Microsoft has[2]:
"... Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft’s Limited Warranty, and, to the maximum extent allowed by applicable law, even if any remedy fails of its essential purpose ..."
Aka, you are peeped, don't sue them for it. Which is good actually, because how is the software author going to know that you are going to use their tool inside a medical appliance which is going to accidentally kill people because you are running some program on it? :)
As such, if there is anything law can do about it, then it is to deny Internet access to people who let their computers be infected as they do not properly upgrade their machines and/or let their machines be infected. A nice 'fine' scheme might be in order too, the money earned with that can then be invested in cleaning up the mess around the world. (This of course is never going to work either).
Something ISPs can do is set up 'quarantine networks': when they find a user is infected with something, put them in quarantine till they resolve the issue: http://www.quarantainenet.nl/?language=en;page=main-home Of course, that will cost a whole lot of helldesk calls and thus the price of the service will go up, and it only cleans the local network, not all those hordes of bots on the other side of the planet...
Greets, Jeroen
[1] http://en.wikipedia.org/wiki/BSD_licenses [2] http://download.microsoft.com/documents/useterms/Windows%20XP_Professional_E...
Jeroen Massar jeroen@unfix.org wrote:
Operating systems give us the freedom to deploy any kind of application; this though also allows any stupid person to simply click on that .exe in that email, or "download that new version of Flash" and other nice tricks. For these tricks there is not much any software author can do, as from the OS point of view, people are just installing yet another normal program. Nothing special.
I think that some worthwhile measures are possible:
- By default install programs from unknown/untrusted sources in a kind of sandbox where the amount of harm which a hostile program can do is limited by restrictions like "no access to any files on the disk outside the sandbox, except when access is explicitly requested by the user" and "no direct access to the network".
- Ensure that functionality which the operating system provides for installing software can be used only in ways which make it very clear to the user that software is being installed.
And then of course if M$ would push signed applications there is always the propaganda about 'freedom' and 'being restricted' etc.
As long as the administrations of computers are able to create signatures for any program which allows that program to be used (or used without the "sandbox" restriction that I'm suggesting) on the machines of which they are in charge, there is no problem regarding the aspect of freedom.
Furthermore, regarding the aspect of widespread distrust of MS and operating system software vendors in general (which is IMO not at all irrational), that could and IMO should be addressed by means of putting a vendor-neutral organization with strong transparency and due-process constraints in charge of approving programs for signatures for which the corresponding public keys are publicly distributed with the operating system.
Greetings, Norbert
Norbert Bollow wrote:
Jeroen Massar jeroen@unfix.org wrote:
Operating systems give us the freedom to deploy any kind of application; this though also allows any stupid person to simply click on that .exe in that email, or "download that new version of Flash" and other nice tricks. For these tricks there is not much any software author can do, as from the OS point of view, people are just installing yet another normal program. Nothing special.
I think that some worthwhile measures are possible:
- By default install programs from unknown/untrusted sources in a kind of sandbox where the amount of harm which a hostile program can do is limited by restrictions like "no access to any files on the disk outside the sandbox, except when access is explicitly requested by the user" and "no direct access to the network".
Most applications need network access nowadays; heck, even Google silently installs an "updater" that starts providing them with more details of where you are today. (Yes, they might not transmit who you are, but who cares, they have a unique ID + software version + IP address, that is good enough to match you up to all the other data they have on file of you and then sell directly or summarized).
If 'real' applications do that, others will also just install some background process and connect to the Internet. Users will then just like those applications just press "ok, I am fine with that".
Education can solve that, but only in little bits.
This is actually more a user-interface/presentation-layer problem than a network/computer issue though. And as you can make a screenshot of those buttons and show them as an image, or, as they used to do, just pop up a new one and thus show that image, one can easily train people to start ignoring them.
- Ensure that functionality which the operating system provides for installing software can be used only in ways which make it very clear to the user that software is being installed.
People loved the Vista popups, guess where the above will go.
Although these ideas sound good, I don't think they will fly in practice as several attempts have already shown.
And then of course if M$ would push signed applications there is always the propaganda about 'freedom' and 'being restricted' etc.
As long as the administrations of computers are able to create signatures for any program which allows that program to be used (or used without the "sandbox" restriction that I'm suggesting) on the machines of which they are in charge, there is no problem regarding the aspect of freedom.
The 'administration' is the person who doesn't know about computers.
These people will then also just click what they are told on the screen. Remember those nice "password protected zip files" in your mailbox with the nice virus in them? Or for that matter how phishing works?
"Please provide your Windows username and password so that we can provide you with this super fancy new WoW mount".
Furthermore, regarding the aspect of widespread distrust of MS and operating system software vendors in general (which is IMO not at all irrational), that could and IMO should be addressed by means of putting a vendor-neutral organization with strong transparency and due-process constraints in charge of approving programs for signatures for which the corresponding public keys are publicly distributed with the operating system.
There goes the freedom of the Internet. No sane computer user will ever accept that. The problem then also doesn't lie with that group of people (though some think they know everything and then it is even more fun when they get hit [which reminds me to rethink my setups once ;) ] )
Also, take as an example again Nokia S60 or Apple iPhone both use this scheme already and you know what happens: websites which can create the certificates for you (S60) and Jailbreaking (iPhone). Not even going to the simple thing of software bugs and exploitable vulnerabilities (in which case signatures don't really help) or even easier: "My Cool Beer Application", which is actually a very nice trojan but which is correctly signed by your single organization (who added some code to monitor all the users). And we of course all have heard how often applications are rejected from the Apple AppStore...
Don't forget that there is no such thing as a "neutral organization with strong transparency"; every single one of them has an agenda. Even the anarchists are organized and have a (couple of) leaders, and do the rest of the anarchists truly know what they are up to and what they are doing silly things for in the end?
Greets, Jeroen
Hello,
Rundschau reported about this yesterday (with Fredy Künzler), see http://videoportal.sf.tv/video?id=9c24b3a6-857f-4350-be3c-a5d8f8e996a5 (in German)
Regards,
Alexandre