Let’s talk about DDoS

I’ve spent today reading a bunch of articles about the most recent DDoS attack, with references to previous attacks like the one on Krebs on Security, but nowhere did I see a discussion of who is actually responsible for the proliferation and severity of these attacks.

I remember that back in the days when DDoS wasn’t this fashionable, all you had to do to bring down a network was generate a large volume of ICMP echo requests, and within seconds the target network’s bandwidth was saturated. The smarter ones didn’t even hit the target directly but a node along the route, which caused prolonged bandwidth saturation for everything behind it.

Nowadays the vast majority of DDoS attacks don’t even reach their target, because the affected ISPs immediately null-route the targeted IPs to limit the damage as soon as possible (which takes the victim offline just as surely, but protects the rest of the network). However, few people understand that it’s the ISPs, together with the software and hardware vendors, that are literally responsible for today’s DDoS attacks.

Let’s talk about the ISPs first. From personal experience I know that 7 out of 10 ISPs lock the hardware they provide to their clients so that the customers can’t tamper with the settings. In 9 out of 10 cases the ISP ships its very own firmware version, which uses the same password across all devices. Finding out the root password, or cracking it on one device, means having access to all devices from that very same ISP. If the ISP has 5 million customers and 2 million of them use the same routers with the exact same firmware and password, then if you get to sniff or crack one of them you can potentially launch an attack with 2 million routers. That’s not just clear proof of a lame provider, but also clear proof of idiot technicians who operate like this. I have two separate ISPs because one alone could not guarantee the bandwidth I need, and neither of them gave me direct access to my router or IPTV box. They both told me that if I needed anything configured on the router, like NAT or port forwarding, I had to call them (inside business hours) to get it done.

Both routers and the IPTV box run some form of BusyBox with the telnet port open. Using an insecure protocol like telnet at all shows how lame they can be.

Furthermore, even if the ISPs had resolved this issue by providing properly secured hardware, they should still anticipate and filter such attacks by cutting the cord at the root. Let me tell you something: one of the ISPs I use has all of its IPs blacklisted for spam, and that happens simply because they don’t set up filters in their gateways to prevent the abuse of open relays. If they don’t patch themselves against spam, how could one expect them to protect against DDoS?

Every technician knows that the ISP uses gateways to relay the traffic from its customers to the open internet, and it’s pretty obvious that those gateways can be configured to filter specific traffic. They do a pretty good job of implementing internet censorship by blocking specific sites on the orders of lame-ass governments, but they can’t filter a DNS or NTP amplification attack? The two filters that matter are not exotic: egress filtering as described in BCP 38 (dropping outbound packets whose source address was never assigned to that customer line, which is what makes the spoofed queries behind an amplification attack possible in the first place), and dropping DNS and NTP responses that leave a residential line, since no home router has any business answering the internet’s queries. Let’s face it: they have the tools and the ability to detect and filter attacks so that they don’t leave their networks. They also have the tools and the ability to automatically identify the customers that are propagating such attacks and notify them to patch their devices if needed, but do they want to?
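As an added example (not code from the original post), here is what the two gateway-side checks the paragraph asks for look like in Python: a stateless BCP 38 decision per packet, and a stateful pass over a window of flow records that picks out customer devices answering DNS/NTP queries from the internet, with the amplification ratio they hand an attacker, so the ISP knows whom to notify. The customer prefix table, the threshold and the flow records are constructed for the example; all addresses are from the documentation ranges.

```python
"""Gateway-side checks an ISP could run on customer traffic.

Added example, not code from the original post. Prefixes, threshold and the
flow records below are constructed; addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {53, 123}   # udp/53 DNS and udp/123 NTP, the classic amplifiers
AMP_RATIO_LIMIT = 5.0          # assumed threshold; ordinary resolver traffic stays well under it

# Hypothetical assignment table: which prefix the ISP handed to each customer line
ASSIGNED = {
    "cust-A": ipaddress.ip_network("203.0.113.0/29"),
    "cust-B": ipaddress.ip_network("203.0.113.8/29"),
    "cust-C": ipaddress.ip_network("203.0.113.16/29"),
}
# Customers that legitimately run a public DNS/NTP service (none on residential lines)
PUBLIC_SERVICE_ALLOWLIST = set()


@dataclass(frozen=True)
class Flow:
    customer: str   # access line the flow was seen on
    direction: str  # "out" = customer -> internet, "in" = internet -> customer
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


def is_spoofed(flow):
    """BCP 38: outbound traffic must carry a source address from the customer's own prefix."""
    return flow.direction == "out" and ipaddress.ip_address(flow.src) not in ASSIGNED[flow.customer]


def verdict(flow):
    """Stateless per-packet decision a gateway ACL can make."""
    if is_spoofed(flow):
        return "drop:spoofed-source"
    if (flow.direction == "out" and flow.proto == "udp"
            and flow.sport in REFLECTOR_PORTS
            and flow.customer not in PUBLIC_SERVICE_ALLOWLIST):
        # A residential line has no business sending DNS/NTP *responses* to the internet
        return "drop:udp-service-response"
    return "forward"


def find_open_reflectors(flows):
    """Stateful pass over a window of flows: per (customer, device, port), the
    amplification ratio observed and whether it is worth a notification."""
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    peers = defaultdict(set)  # external addresses the device exchanged DNS/NTP with
    for f in flows:
        if f.proto != "udp":
            continue
        if f.direction == "in" and f.dport in REFLECTOR_PORTS:
            key = (f.customer, f.dst, f.dport)
            query_bytes[key] += f.nbytes
            peers[key].add(f.src)
        elif f.direction == "out" and f.sport in REFLECTOR_PORTS and not is_spoofed(f):
            key = (f.customer, f.src, f.sport)
            response_bytes[key] += f.nbytes
            peers[key].add(f.dst)
    report = {}
    for key, resp in response_bytes.items():
        q = query_bytes.get(key, 0)
        ratio = resp / q if q else float("inf")
        report[key] = {
            "amp_ratio": round(ratio, 1),
            "peers": len(peers[key]),
            "notify": ratio > AMP_RATIO_LIMIT,  # worth a "patch your device" notice
        }
    return report


# Constructed flow window (not captured traffic):
#  - cust-A's router (203.0.113.2) is an open resolver being used to reflect at 198.51.100.7
#  - cust-B's device sends queries with a forged source (the victim's address)
#  - cust-C is just browsing: queries to the ISP resolver 203.0.113.254 and the answers back
SAMPLE_FLOWS = [
    Flow("cust-A", "in", "198.51.100.7", "203.0.113.2", "udp", 40000, 53, 60),
    Flow("cust-A", "out", "203.0.113.2", "198.51.100.7", "udp", 53, 40000, 2400),
    Flow("cust-A", "in", "198.51.100.7", "203.0.113.2", "udp", 40000, 53, 60),
    Flow("cust-A", "out", "203.0.113.2", "198.51.100.7", "udp", 53, 40000, 2400),
    Flow("cust-B", "out", "198.51.100.7", "192.0.2.53", "udp", 40000, 53, 60),
    Flow("cust-C", "out", "203.0.113.18", "203.0.113.254", "udp", 51000, 53, 60),
    Flow("cust-C", "in", "203.0.113.254", "203.0.113.18", "udp", 53, 51000, 120),
]


def summarize(flows):
    """Verdict counts for the window plus the reflector report."""
    counts = defaultdict(int)
    for f in flows:
        counts[verdict(f)] += 1
    return dict(counts), find_open_reflectors(flows)


if __name__ == "__main__":
    counts, reflectors = summarize(SAMPLE_FLOWS)
    print(counts)
    for (customer, device, port), info in reflectors.items():
        print(f"{customer} {device} udp/{port}: {info}")
```

Both checks belong at the customer-facing edge, before aggregation, because after that point a spoofed packet can no longer be tied back to a line. Dropping inbound udp/53 and udp/123 towards residential lines would suppress the reflection as well, but the stateful report is what tells the ISP which customer to notify.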

Probably not. Why not? Well, doing the job right has certain costs, and it’s not the cost of hardware and software that matters to them but the cost of good technicians who can make the hardware and software run like clockwork.

Enough about the ISPs; let’s talk about the hardware vendors. You’re well aware of the Samsung Note 7 scandal, right? Well, the Samsung Note 7 scandal occurred simply because the vendors nowadays are trading quality for quantity. The vendors produce tons of hardware models in bulk, each with similar specifications that differ very little. With a saturated market and models that pop up like mushrooms after a short rain, the vendors don’t really have anywhere to sell obsolete hardware, so they find a cooperative ISP and provide it with obsolete hardware at very low prices.

Obsolete hardware and questionable business practices from both the ISPs and the vendors are a nasty mix when it comes to mitigating attacks.

And this is not the only nasty mix, because software vendors play a major role in this equation as well. Just think about it: 25 years and countless exploits and attacks later, we’re still shipping operating systems that don’t come with a fucking basic firewall setup. Neither of the operating systems I use raised a firewall to filter potentially dangerous connections when I set them up. Each and every time I had to bring up and configure a firewall manually. Come to think of it, the installation packages for software such as web servers, database servers and the like could easily detect and alter the firewall config so that the software isn’t blocked while attacks against it are. It can all be done with a shitty script and a fingerprinting loop, but there must be a true will to do so.
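As an added example, not code from the original post, this is what that “script and a fingerprinting loop” could look like in Python: it reads ss(8)-style listening-socket lines, decides per service how far it should be reachable, and emits nft rules for a default-drop input chain, with new connections to public services rate-limited as one reading of “blocking attacks against it”. The port policy table, the LAN prefix, the rate cap and the ss output lines are assumptions constructed for the example.

```python
"""Generate host-firewall rules from the sockets a freshly installed daemon listens on.

Added example, not code from the original post. The policy table, the LAN
prefix, the rate cap and the ss(8) output below are constructed assumptions.
"""

# Hypothetical policy: how far each well-known service should be reachable
# ("public" = anyone, "lan" = local network only). Unknown ports default to
# "lan", so a new daemon is never exposed to the internet by accident.
PORT_SCOPE = {80: "public", 443: "public", 22: "lan", 53: "lan",
              123: "lan", 3306: "lan", 5432: "lan", 6379: "lan"}
LAN = "192.168.1.0/24"        # assumed local prefix
NEW_CONN_RATE = "50/second"   # assumed cap on new connections to public services

WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss_line(line):
    """Parse one line of `ss -Hltnu` output into (proto, bind_addr, port)."""
    parts = line.split()
    if len(parts) < 5:
        return None
    proto, local = parts[0], parts[4]
    addr, port = local.rsplit(":", 1)      # "[::]:443" -> "[::]", "443"
    return proto, addr.strip("[]"), int(port)


def rules_for_listeners(ss_lines):
    """nft rule lines for an input chain with policy drop, one per exposed listener."""
    rules = []
    seen = set()
    for line in ss_lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port = parsed
        if addr in LOOPBACK:
            continue  # loopback is accepted unconditionally; no rule needed
        scope = PORT_SCOPE.get(port, "lan")
        match = f"{proto} dport {port}"
        if scope == "public":
            # reachable by anyone, but new connections are rate limited so a
            # flood of SYNs or queries hits the filter instead of the daemon
            rule = f"{match} ct state new limit rate {NEW_CONN_RATE} accept"
        else:
            rule = f"ip saddr {LAN} {match} accept"
        if rule not in seen:          # v4 and v6 wildcard binds yield the same rule
            seen.add(rule)
            rules.append(rule)
    return rules


def render_ruleset(rules):
    """Wrap the rules in a complete nftables table for `nft -f`."""
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet host {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        f"{body}\n"
        "        counter drop\n"
        "    }\n"
        "}\n"
    )


# Constructed `ss -Hltnu` output for a box running a web server, a database bound
# to loopback, sshd, a resolver and an unknown service on 8080 (not real output).
SS_OUTPUT = """\
tcp   LISTEN 0      511            0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      511               [::]:443           [::]:*
tcp   LISTEN 0      151          127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      4096           0.0.0.0:8080       0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    print(render_ruleset(rules_for_listeners(SS_OUTPUT)))
```

On a real host the input would come from `ss -Hltnu` run by the package’s post-install hook, and the emitted ruleset would be merged into the existing one rather than replacing it. The `ip saddr` matches are IPv4-only, so IPv6 clients on the LAN are dropped until an `ip6 saddr` equivalent is added.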

Imagine that all those routers, IP cameras and baby monitors used in those attacks had had even a shitty firewall that restricted NTP and DNS queries to the local network, or at most to the ISP’s own network, and imagine that from the start all those devices had shipped with randomly generated passwords instead of firmware defaults. Also imagine that the ISPs serving bandwidth to those devices had specific detection and filtering rules on their gateways to catch and block amplification attacks.
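An added example, not from the original post, of the device-side firewall the paragraph describes, written as an nftables ruleset: DNS and NTP are allowed only towards the LAN or the ISP’s own servers, nothing listens on the WAN side, and LAN clients behind the router get the same restriction. The LAN prefix and the ISP server addresses are hypothetical.

```nft
# Added example (not from the original post): egress and ingress policy for a home
# router or camera that only needs DNS and NTP from the LAN or its ISP. The LAN
# prefix and the ISP server addresses are hypothetical documentation-range values.
define LAN = 192.168.1.0/24
define ISP_DNS = { 203.0.113.53, 203.0.113.54 }
define ISP_NTP = { 203.0.113.123 }

table inet device {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # DNS/NTP queries may only go to the LAN or to the ISP's own servers,
        # so the device can never be pointed at an arbitrary resolver or NTP server
        ip daddr $LAN udp dport { 53, 123 } accept
        ip daddr $ISP_DNS udp dport 53 accept
        ip daddr $ISP_NTP udp dport 123 accept
        # whatever else the firmware genuinely needs (updates over https, for example)
        tcp dport { 80, 443 } accept
        log prefix "egress-drop " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Management and any DNS/NTP service are reachable from the LAN only;
        # nothing answers on the WAN side, so the device cannot be used as a reflector
        ip saddr $LAN tcp dport { 22, 80, 443 } accept
        ip saddr $LAN udp dport { 53, 123 } accept
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN clients behind this router get the same restriction on DNS/NTP
        ip saddr $LAN ip daddr $ISP_DNS udp dport 53 accept
        ip saddr $LAN ip daddr $ISP_NTP udp dport 123 accept
        ip saddr $LAN udp dport { 53, 123 } drop
        ip saddr $LAN accept
    }
}
```

A device that obtains its WAN address over DHCP also needs `udp dport { 67, 68 } accept` in the output chain. The `ip` matches cover IPv4 only, so IPv6 is dropped entirely, which is the conservative default for a device that does not need it.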

Would yesterday’s DDoS have been as successful as it was? I really doubt it.

I keep telling people that the human factor is a machine’s greatest vulnerability, and I still stand by that idea: the DDoS attacks everyone complains about are nothing but the human factor in this equation.

Before I end this, I must mention one more thing, a variable that hasn’t been taken into consideration by those who discussed the specifics of yesterday’s attack. The attack affected specific sites simply because they were all using the same DNS service. Back in the old days such an attack would not have had this kind of success, because DNS wasn’t centralized and everyone ran their own DNS servers. With the evolution of technology and the need to reduce latency, people gave up self-hosted DNS for third-party services, which makes them much more vulnerable to DDoS than ever before. Yet the centralization wouldn’t have been such a problem if the DNS setup had included a redundancy arrangement that handed control back from the centralized provider to a self-hosted (or second) set of name servers as soon as the provider stopped answering for longer than some threshold. The protocol already allows exactly that: a zone can list name servers at more than one provider in its NS records, and resolvers try the remaining servers when one set times out. Making DNS deployments withstand DDoS attacks is therefore possible, but, just as with the ISPs and vendors, there must be a true will to do it.

On most forums where I’m active I see people seeking server providers with DDoS protection and/or some form of peering or redundancy that can ensure they are always online, and this often makes me ask myself whether we’ve wasted 25 years for nothing, given that by now every single provider should offer DDoS protection and some form of bandwidth redundancy as a default service.

A lot of people I know have been sharing an article which claimed that through these attacks someone has been learning how to take down the entire internet, but none of them had the courage to admit that whoever is behind those attacks is much smarter than the people who are supposed to prevent the attacks from recurring each time at a larger scale and with a larger impact.

Every second of downtime costs money and every bit of bandwidth costs money, so someone’s loss must be someone’s gain, right?