[AusNOG] The shape of DDoS to come
Jake Anderson
yahoo at vapourforge.com
Fri Oct 28 07:57:05 EST 2016
Speaking of cleaning it close to the source.
Generally this stuff is coming from end users. Perhaps ISP's should take
up some role in this fight, carrying attack traffic does them no favours
either.
How many have implemented rfc2827 or similar?
Perhaps some automated method of reporting compromised hosts or hosts
participating in attacks, get enough reports and the ISP might do something.
Really what it all boils down to is at some point there needs to be a
mechanism to get broken devices off the internet, and ISP's are the only
group with the power to do that short of government.
Govt could create a dept who received reports, worked with ISP's to ID
compromised hosts while maintaining every-bodies privacy and generally
being a smoothly run operation.
That won't happen though, they will try and pass the buck onto ISP's to
do the whole thing, mandating deep packet inspection and all and
generally make a mess of it I'd bet.
On 27/10/16 20:57, James Braunegg wrote:
>
> 3). Business model's will likely need to change or volumes will need
> to be better supported; there are various ways to solve this from
> routing most services through ddos protection or perhaps just
> outstripping ddos volumes by having so much surplus capacity it isn't
> a concern (whilst this may not often be feasible or economical) it
> seems that is the way things are moving. Buy Scale, Build Scale, or
> eat the ddos.
>
> Yum…. Yum… Yum Packets for Dinner anyone ??
>
> With the price of international IP transit from major carriers around
> the world below $0.40 cents per mbit the cost of bandwidth has dropped
> a lot….The only costly part to the equation is brining unwanted dirty
> traffic back to Australia.. (but why do that) much easier to clean
> unwanted traffic as close to the source as possible if you have the
> technology.
>
> On a side note….What I do find interesting is I saw no abnormal
> traffic on large global peering exchange graphs during this attack….. ie
>
> https://ams-ix.net/technical/statistics and
> https://www.de-cix.net/en/locations/germany/frankfurt/statistics
>
> So where did the traffic come from……
>
> Kindest Regards
>
> *James Braunegg
> **P:* 1300 769 972 | *M:* 0488 997 207 | *D:* (03) 9751 7616
>
> *E:*james.braunegg at micron21.com <mailto:james.braunegg at micron21.com>
> | *ABN:* 12 109 977 666
> *W:* www.micron21.com/ddos-protection
> <http://www.micron21.com/ddos-protection> *T:* @micron21
>
> Follow us on Twitter <http://www.twitter.com/micron21>for important
> service and system updates.
>
> M21.jpg
>
>
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or
> disclose it to anyone other than the addressee. If you have received
> this message in error please return the message to the sender by
> replying to it and then delete the message from your computer.
>
> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of
> *Phillip Grasso
> *Sent:* Thursday, 27 October 2016 6:58 PM
> *To:* Peter Tiggerdine <ptiggerdine at gmail.com>
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] The shape of DDoS to come
>
> I am guessing (e.g. no real analysis done here) if we 'normalize' the
> size of this attack, it probably isn't too dissimilar to previous DDoS
> volume to backbone sizes.
>
> We'll probably need a multilateral approach to solving or at least
> mitigating the severity of the attacks;
>
> 1) Sure would be nice if IoT or whatever they want to call themselves
> devices were secured and regularly patched etc, but that's an uphill
> battle in itself. There should be an effort to put some form of
> minimum certification and open set of libraries the manufactories
> could get to patch / push updates if not already existing.
>
> 2). Network need to get more intelligent and coordinated. Detection
> and a trusted method to share attack vectors so that response could
> happen faster and improve detection.
>
> 3). Business model's will likely need to change or volumes will need
> to be better supported; there are various ways to solve this from
> routing most services through ddos protection or perhaps just
> outstripping ddos volumes by having so much surplus capacity it isn't
> a concern (whilst this may not often be feasible or economical) it
> seems that is the way things are moving. Buy Scale, Build Scale, or
> eat the ddos.
>
> On 27 October 2016 at 12:15, Peter Tiggerdine <ptiggerdine at gmail.com
> <mailto:ptiggerdine at gmail.com>> wrote:
>
> Reading both articles seems to give a lot of "creative license" to
> the term IoT. This is the problem with journo's today, facts from
> credible and verifiable sources seems to be not a requirement
> anymore. At least Ars mentioned it in the article, but it begs the
> question why print it?
>
> DVR and IP cameras aren't IoT. We've had both of those long before
> the term IoT existed.
>
> Unpatched home routers are likely to make up the bulk of the traffic
>
>
> Regards,
>
> Peter Tiggerdine
>
> GPG Fingerprint: 2A3F EA19 F6C2 93C1 411D 5AB2 D5A8 E8A8 0E74 6127
>
> On Thu, Oct 27, 2016 at 10:45 AM, Nick Stallman
> <nick at agentpoint.com <mailto:nick at agentpoint.com>> wrote:
>
> Yes there is.
> There are a few keywords to focus on however.
>
> Like 'part'. Technically if just a single IoT device was part
> of the attack then the media will say it was a IoT attack.
>
> And 'device'. If you start calling security DVR's IoT devices
> (arguably they aren't, they are a server) then yep a few
> thousand of them took part.
>
> I could be wrong but my impression was the bulk was
> traditional DDoS and not mostly IoT.
>
> On 27/10/16 11:17, Peter Tiggerdine wrote:
>
> Is there any evidence to suggest that IoT devices played a
> part on this DDoS? My understanding is we're still dealing
> with the same problem as ever; unpatched/secured
> desktops/routers/switches which when you consider how
> accessible large amounts of bandwidth is explain the
> increase in DDoS size.
>
> Most IoT devices don't enough CPU power to contribute more
> than 1K sustained. Doesn't mean there's not alot to be
> done in the security space with IoT, just means there's
> better targets with greater return.
>
> Regards,
>
> Peter Tiggerdine
>
> GPG Fingerprint: 2A3F EA19 F6C2 93C1 411D 5AB2 D5A8 E8A8
> 0E74 6127
>
> On Thu, Oct 27, 2016 at 9:54 AM, mike at thebibers.com
> <mailto:mike at thebibers.com> <mailto:mike at thebibers.com
> <mailto:mike at thebibers.com>> <mbiber at ipv6forum.com.au
> <mailto:mbiber at ipv6forum.com.au>
> <mailto:mbiber at ipv6forum.com.au
> <mailto:mbiber at ipv6forum.com.au>>> wrote:
>
> IPv6 with mandatory IPsec Authentication through
> filtering engines?
>
> Michael Biber
> IPv6Now
> 6now.net <http://6now.net> <http://6now.net>
> 0412058808 <tel:0412058808> <tel:0412058808 <tel:0412058808>>
>
>
> On 27 Oct 2016 10:03 AM, "Paul Wilkins"
> <paulwilkins369 at gmail.com <mailto:paulwilkins369 at gmail.com>
> <mailto:paulwilkins369 at gmail.com
> <mailto:paulwilkins369 at gmail.com>>> wrote:
>
> After Mirai's 1.2Tbps, which is pretty much
> unmitigateable,
> perhaps time for the industry to realise that IoT
> means we've
> arrived at a new age of DDoS. If this is the shape
> of things
> to come, where do we go from here?
>
> Kind regards
>
> Paul Wilkins
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> <mailto:AusNOG at lists.ausnog.net
> <mailto:AusNOG at lists.ausnog.net>>
> http://lists.ausnog.net/mailman/listinfo/ausnog
> <http://lists.ausnog.net/mailman/listinfo/ausnog>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> <mailto:AusNOG at lists.ausnog.net
> <mailto:AusNOG at lists.ausnog.net>>
> http://lists.ausnog.net/mailman/listinfo/ausnog
> <http://lists.ausnog.net/mailman/listinfo/ausnog>
>
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> --
> Nick Stallman
> Technical Director
> Agentpoint Pty Ltd
> The Real Estate Web Developers
> Melbourne | Sydney | Miami
> nick at agentpoint.com <mailto:nick at agentpoint.com>
> www.agentpoint.com.au <http://www.agentpoint.com.au> |
> www.zooproperty.com <http://www.zooproperty.com> |
> www.ginga.com.au <http://www.ginga.com.au> |
> www.business2.com.au <http://www.business2.com.au>
>
> Business2.com.au <http://Business2.com.au> is a real estate
> agent information website that helps you understand Portals,
> Technology and comes with FREE tools to help your Agency
> become an online success!
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20161028/3dccf9ac/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20161028/3dccf9ac/attachment.jpe>
More information about the AusNOG
mailing list