Your next DDoS attack, brought to you courtesy of the IoT

I disagree, I think legislation can go a long way to improving the situation. At its heart it doesn’t have to be complicated:

  • Any company selling an internet-connected device that includes proprietary software or firmware, must undertake to respond to reports of vulnerabilities in their code and to provide an update mechanism for patching these vulnerabilities. Companies may be held liable for damages caused by malicious use by non-owners of their hardware, if it can be shown that they had been made aware of vulnerabilities in the device and failed to act in an appropriate and timely fashion.
  • Companies that can’t, or prefer not to take on such responsibilities may instead release their code as open source. Such devices would still need a simple update mechanism built into them to receive certification.
  • It’s not super hard to work out where attack traffic is coming from; you can’t proxy a DDoS attack without DDoSing your proxy. Further down the line, once manufacturers have been made responsible for their part, I think it would not be unreasonable to use a mechanism similar to three-strike DMCA infringement notices for households that persistently generate malicious traffic.

I don’t think that’s particularly accurate. The efficacy of a DDoS attack depends on the number of internet connections that can be brought to bear on the target. Any progress that can be made in coercing any manufacturers to secure their devices will improve the overall stability of the internet. Any one negligent manufacturer will make things worse, but only by degrees. “One slip-up and we’re all fucked” just doesn’t apply here.

I’m going to go ahead and assume you’re not a quadriplegic, then. You shouldn’t be so disdainful, the future is actually pretty great.

I don’t know who those people were, but they weren’t networking experts. It’s well understood that there’s no magic bullet for DDoS attacks.

Now that we’ve seen DDoS attacks big enough to beat Akamai’s CDN, I would expect that to change rapidly. Until recently legislation such as I’ve suggested above would have been nothing but an inconvenience to large industry players, and any proposed bill would have died a lonely death. Now such legislation may be necessary to allow tech corporations to do business uninterrupted. I’m not a particularly optimistic person, but there’s an alignment of interests going on here.

Turns out the warnings were accurate then, doesn’t it?

True. But post here about how just a little bit of security awareness could have saved someone enormous grief and humiliation, and you’ll get accused of “victim blaming” before you know it.

Ummmm…if I were physically unable to check the cheese compartment in my refrigerator, I would think that the person who actually puts the newly purchased cheese in there, and who takes it out to help me serve and eat it, would be able to perform that little task.

2 Likes

In twenty or thirty years, we’ll find old archives of BB on some future internet-type-thing and read articles about how the “Internet of Things” will be hit by malware attacks that will make our internet-enabled house go haywire, and laugh and laugh, the way we do when finding old OMNI articles that poorly predicted the future.

3 Likes

I don’t know who those people were, but they weren’t networking experts. It’s well understood that there’s no magic bullet for DDoS attacks. […] Now that we’ve seen DDoS attacks big enough to beat Akamai’s CDN, I would expect that to change rapidly.

It was just people like you who expected things to ‘change rapidly’ now that DDoSes were taking down sites in the highly advanced year of 1999 when the ‘Information Highway’ was the most important thing in the world. There was no magic bullet proposed, just the expectation that things would have to happen because it was intolerable. Smart people would come up with something!

I don’t mean this in a bad way, we need optimists or things surely will never change, but so far the pessimists are way ahead on this one, and have been for 20 years. We do have much better mitigation tools, but the bad actors are always more motivated and cunning and have made the attacks worse in response. I would love to be proven wrong this time. If anything’s different it’s the involvement of automobiles this time - we do have a history of legislation and standards there, and those might leak over once people start DDoSing car driving/safety systems. Oops, was that a flash of optimism?

1 Like

The code for the botnet that took down Brian Krebs’ site was posted online over the last couple of days. Picking through the source code, the malware only uses 62 default user / password combinations to infect IoT devices. The largest non-reflective DDoS in history, and it only had to try 62 combinations to own all the devices used in the attack. This is a massive failure on the part of device manufacturers.

3 Likes
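The post above makes a defender's point: a botnet that only needs a handful of factory-default logins is easy to spot on the device side, because the same few username/password pairs show up in the authentication log. As an added example (not code from this thread, from the botnet it discusses, or from any vendor), here is a small detector that reads login-attempt records and flags two things: successful logins that used a known factory default, and source addresses that cycle through several defaults in a row. The log line format, the source addresses, and the tiny `DEFAULT_CREDS` list are all constructed for the example; a real deployment would load the vendor's actual default list and adapt the regex to whatever the device's telnet or ssh daemon really emits.

```python
"""Flag IoT login attempts that use factory-default credentials.

Added example, not code from the thread or from the malware it discusses.
Assumes a constructed one-line-per-attempt log format and a placeholder
default-credential list; both would be replaced with real data in use.
"""
import re
from collections import defaultdict

# Constructed placeholder for the vendor's documented factory defaults.
# A real deployment loads this from the vendor's own list, never from malware.
DEFAULT_CREDS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
}

# Constructed log format: timestamp, daemon, result, user, password, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) src=(?P<src>[\d.]+)$"
)

# Constructed sample log: one source walks through three defaults and gets in,
# another logs in once with a non-default password, one line is malformed.
SAMPLE_LOG = """\
2016-10-01T10:00:00Z telnetd[101]: login fail user=root pass=root src=203.0.113.5
2016-10-01T10:00:01Z telnetd[101]: login fail user=admin pass=admin src=203.0.113.5
2016-10-01T10:00:02Z telnetd[101]: login ok user=admin pass=password src=203.0.113.5
2016-10-01T10:05:00Z telnetd[102]: login ok user=operator pass=Wk9x!2qL src=198.51.100.7
2016-10-01T10:06:00Z this line is deliberately malformed and must be skipped
"""


def is_default(user, pw):
    """True if the pair is on the factory-default list."""
    return (user, pw) in DEFAULT_CREDS


def parse(lines):
    """Return (records, skipped): parsed attempts and the count of unparseable lines."""
    records, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        records.append(m.groupdict())
    return records, skipped


def analyze(lines, threshold=2):
    """Summarise default-credential activity in the given log lines.

    default_logins: (src, user) for every successful login with a default pair.
    dictionary_sources: sources that tried at least `threshold` distinct default pairs.
    Passwords are deliberately left out of the result so it is safe to forward.
    """
    records, skipped = parse(lines)
    default_logins = []
    pairs_per_src = defaultdict(set)
    for r in records:
        if not is_default(r["user"], r["pw"]):
            continue
        pairs_per_src[r["src"]].add((r["user"], r["pw"]))
        if r["result"] == "ok":
            default_logins.append((r["src"], r["user"]))
    dictionary_sources = {
        src for src, pairs in pairs_per_src.items() if len(pairs) >= threshold
    }
    return {
        "default_logins": default_logins,
        "dictionary_sources": dictionary_sources,
        "skipped": skipped,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG.splitlines())
    for src, user in summary["default_logins"]:
        print(f"ALERT default credential accepted: user={user} from {src}")
    for src in sorted(summary["dictionary_sources"]):
        print(f"WARN default-credential dictionary walk from {src}")
    print(f"{summary['skipped']} unparseable line(s) skipped")
```

The first alert is the one that matters for the manufacturer-liability argument in the thread: a successful login with a shipped default means the device is now usable by whoever tried it, and the fix is on the vendor's side (forced credential change on first boot, or no remote login until the user sets one), not in the log reader.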

Wouldn’t it be great if your caregiver could check your fridge and pantry before coming to your place? Then they could do your shopping on the way to your house, instead of making two trips. What a concept! I was a bit surprised that someone would make me spell out how technology can be useful to the disabled, but I see in another thread that you can’t tell the difference between Trump and Hillary so I guess I shouldn’t expect too much.

I had a friend who could check his own fridge, but it might have been a five minute round trip. He would have loved this shit were he still around.

Ok, I guess I mistook your meaning then, sorry. You might be right that things could get a fair bit worse yet before anything gets done. Relax though, I don’t think “we might do something once people die on the roads” makes you guilty of optimism :wink:

I wouldn’t consider myself a great optimist either. But it’s been interesting for me, after learning about the world through an anglo-saxon lens, to come to Europe where corporate regulatory capture is less than total. I’d expect the EU or its member nations to do something about this problem before the US does.

6 Likes

Just NO. https://www.youtube.com/watch?v=LRq_SAuQDec

1 Like

Yeah, no, I work with people with disabilities, both physical and mental. If manufacturers care enough to make a magic, cheese-ordering fridge that isn’t going to immediately compromise vulnerable people’s security, fine and dandy. However, if it’s more +++out of cheese error: redo from start; your bank account now belongs to some shady Russians+++ then it’s probably not that useful. We’ll just go get some cheese from the shops ourselves. Especially if it’s a nice day outside.

6 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.