Sign in or Join FriendFeed
FriendFeed is the easiest way to share online. Learn more »
Alex Scoble
Alex Scoble
There is no defense against Denial of Service (DOS) attacks. The bad guys can always throw more bandwidth at the attack than you can.
August 6 - Comment - Share
Can a DoS attack be traced? - Dave "Freedom 35"
The datacenter really needs to handle this in their routers and packet filtering. Expecting web sites to deal DDOS attacks won't work. - Todd Hoff
Just tuning in right now - is Twitter down from a DOS attack? - Dean "Karnatos" Michaud
Twitter (web) is back up. - Dave "Freedom 35"
A DOS is very hard to trace since it's typically done with a zombie network. And you can't route your way out of a DOS attack. - Alex Scoble from IM
There are ways to defend against DDOS attacks. Generally, you run out of CPU before you run out of bandwidth. - Wirehead
No, there really isn't any way to defend against a DOS these days. - Alex Scoble from IM
A lot are accomplished with broadcast and other techniques that can be stopped at the router. - Todd Hoff
I disagree, Alex. - Glen, Bespectacled Elder
That's crazy! - Kelby
And as pointed out by Mashable - the trending topics on twitter were "Tweet Created" and "Twitter Zombies" - guruvan (Rob Nelson)
they are just shutdown their system to make us talk about them. - abdellah
DoS attacks can be traced, but are rarely used, Distributed DoS attacks originate from so many different points there is no point in tracing the sources - guruvan (Rob Nelson)
Well, you want to see how good your DOS defenses are? Put up a website saying "Our systems are able to withstand a DOS attack so do your best" and see what happens. :) - Alex Scoble from IM
Entities having large zombie nets are difficult to defeat in a DDoS attack. Unless you're the ISP, they have more than you do. - guruvan (Rob Nelson)
Google is probably very DDOS resistant because of how distributed their stuff is, but most places can't duplicate that defense. And it's possible for a zombie net to be able to chew up more bandwidth than an ISP has - Alex Scoble from IM
And I guarantee you that friendfeed is just as vulnerable to a DOS attack as Twitter is. - Alex Scoble from IM
And you'll notice that I'm not differentiating between DOS and DDOS, because a DDOS is a DOS and is now the most common type of DOS. - Alex Scoble from IM
Alex - that worries me the most about FF. :) - phil baumann
Depends on the class of DOS, but bandwidth exhaustion DDOS attacks are certainly one of the hardest to defend one's self from. - ax0n
I suggest you all take the time to tour the rest of the Internet! Remember there's more than AOL...I mean Twitter out there! - ‘-.-’ Tutivillus Grift
Yeah, ax0n, that's what I'm saying. :) - Alex Scoble from IM
I don't give two poos about Twitter being down - but broadly speaking, can't good IPSes doing packet inspection mitigate this shit (if the attack is not too high-octane in its own available bandwidth, that is.) Although as Wirehead said, you'll be melting CPUs before anything else, I'd think. - Anthony Citrano
Here is some research. http://nms.lcs.mit.edu/papers... I'm not fond of words such as impossible, or technical discussion that lacks technical detail. - Jason Wehmhoener
Well, let's just say it's a lot harder for a service provider to make it impossible to do a DDOS than it is for an attacker to make it impossible to use your service. :) - Alex Scoble from IM
I can't post a new thread on FF - ERROR! - Liza
But yes, the title of this thread should be "For most of the world, there is no defense..." Large organizations like Google can do some things to defend against DOS attacks, like run behind distributed server farms...but 99.9% of the world is not Google. - Alex Scoble from IM
Then again, this is probably why a lot of people are interested in cloud computing. If distributed systems are the best defense for a DOS, then cloud computing would be a great way to run public web based services. - Alex Scoble from IM
If these DDOSes are coming from zombie machines, those machines are probably prone to infection, which means you need your own botnet to attack the zombies and install your own botnet software on them. Whoever makes a botnet that uses DDOSes as a way to find more machines will eventually grow the biggest botnet out there. ;) - Amit Patel
Heh yeah, and you are starting to see more sophisticated zombie attacks that harden the zombies that they take over to make it harder for other zombie attackers to take over their zombie nets. - Alex Scoble
just boot your machine in safe mode with networking and run Spybot Search & Destroy, Malwarebytes Anti-Malware, and your anti-virus scans - if it's not cleaned out by that then you might as well re-install windows (which is a good idea from the start since you never really know if you got rid of any rootkits) sometimes it's quicker to reinstall windows than to go through all that - Chris Heath
Yeah, that doesn't defend you from a DDOS attack though. That just cleans out malware if your PC has become a zombie and is part of a DDOS attack. :) - Alex Scoble from IM
Actually there are companies that sell protection against DDoS. It works. - Leo Laporte
Agree with @Jason here is another link to share for DDoS Attack/Defense Taxonomies http://www.lasr.cs.ucla.edu/ddos.... I think the key to remember is that the DDoS attacks evolve over time. I can see even clouds being vulnerable in that conceivably one can use linked clouds to launch large enough attacks to overwhelm a single vendors ability to scale. Has not happened yet but possible. - Altan Khendup
There is tremendous vulnerability if they can take Twitter down. - rob
Twitter just isn't that large, or that distributed. I'm impressed if they can take down Facebook, or Google. (it seems that Facebook was suffering at the same time, and my suspicion is from the same attack - but maybe not) - guruvan (Rob Nelson)
Does anyone know at this point who is responsible for the attack? This would require a huge bot-net and some serious bandwidth. - Angus Burton
Great FF conversation here about outages, cause, impacts, etc. ----> http://ff.im/6fF0t - Susan Beebe
Yeah, Alex... I was commenting in reference to the hardening of the zombies - Chris Heath
There is a defense, employing a network element which can route around obstacles: carrier pigeons. http://crankypm.com/2009... - DGentry
There's a denial of service attack that can be used against pigeons...requires a shotgun and someone who knows how to use it :) - Alex Scoble from IM
DGentry: There's a follow up to that IP over Carrier Pigeon, IP over Tanks. Paint the 0s and 1s on the side of a tank turret, and such. Helps to defeat Alex's DoS attack on the pigeons. At least to DoS it you need a bigger gun ;) - guruvan (Rob Nelson)
Chris Heath: more simple way of defeating rootkits: Run the machine as a Virtual Machine, and always roll back to a clean snapshot on reboot. I've employed that method for a long time. Defeats rootkits, viruses, stupid users, and all that. Works for any OS you can run in the VM. - guruvan (Rob Nelson)
Still not 100% effective. There are ways to take control of the host machine that is running a VM. - Alex Scoble from IM
Nothing is 100% effective, short of sealing the machine 1 mile underground in a concrete-filled missle silo. - guruvan (Rob Nelson)
And FWIW: I have not yet heard any significant news of bare-metal hypervisors (which replace the host OS and which I was referring to above) being compromised (but it will come, or is here already and quiet) - guruvan (Rob Nelson)
Which breaks rule #1 Must meet business needs - Alex Scoble from IM
Ahh, sorry, when you say VM I think of the more traditional VMs running on a traditional OS - Alex Scoble from IM
LOL. Yes - but it does make the point of what must be done to truly secure a machine. There is no such thing as 100% security with any remaining functionality - guruvan (Rob Nelson)
I mostly meant things like VMWare ESXi (which doesn't even use a traditional OS for management purposes any more. (ESX is a bare-metal hyper visor, but uses a RH variant as a management box) - guruvan (Rob Nelson)
Yeah, that stuff is pretty sweet. - Alex Scoble from IM
And ESXi is free I believe. If the virtual hardware would just run a video game, I'd run everything like that ;) - guruvan (Rob Nelson)
Great point Rob (bringing up virtualization) -- and for anyone interested in this stuff, Hak.5 has done a lot of virtualization in season 5 http://www.hak5.org/categor... They get into ESX and ESXi in the later half of the season but virtualization is often a topic for one of their segments. - Chris Heath
@guruvan (Rob Nelson): there is the alleged Blue Pill hypervisor root kit. http://bit.ly/JCmmP - Nick Lothian
Not to mention the experimental (allegedly) work of installing viruses on things like graphics controllers - Alex Scoble from IM
I wouldn't doubt if it was completely real, Alex. You read about the Apple keyboard bit? - Matthew Horton
No, I missed that one...got a link? - Alex Scoble from IM
Granted it's not done remotely yet - http://www.engadget.com/2009... - Matthew Horton
@Alex Scoble: most DDOS attacks aren't designed to use up your bandwidth - they generally hit others limits a long time before that. The most common type of attack opens up lots and lots of connections to your website at once. That makes your webservers fall over. For added variety some hold the connections open, so they appear just like a slow web browser, making it harder to detect. - Nick Lothian
Yep, but if an attacker so chooses, they may rent out a botnet from various individuals and jam your internet connections as well. - Alex Scoble from IM
And Matthew, that keyboard hack is crazy awesome. - Alex Scoble from IM
The biggest mistake that any designer, engineer or programmer can make is to forget about layer zero in the OSI model...the user layer. - Alex Scoble from IM
My bad...I meant layer eight. - Alex Scoble from IM
If you ever hear a designer/developer/programmer/engineer say "a user would never do that", fire them on the spot. - Alex Scoble from IM
Alex, why is it that CERT website dont get DoS'ed ? - Peter Dawson
This website? http://www.cert.org/ - Alex Scoble from IM
Alex - if the virus that's designed to hit the graphics controller doesn't have access to the correct host OS, it's going to write to the VMs graphics controller. Which just won't do much. - guruvan (Rob Nelson)
Nick: The Blue Pill is an attack on a Windows machine that has virtualization in the processor - it converts the running Windows into a VM and becomes the bare-metal hypervisor on the fly. Using an actual hypervisor defeats that. (though it is a pretty impressive attack) - guruvan (Rob Nelson)
@guruvan (Rob Nelson): I'm not sure. http://www.zdnetasia.com/news... says "The researchers claimed Xen hypervisors could be subverted by compromising flaws in Xen software to gain access to Domain 0, Xen's privileged administrative domain. Once that administrative domain is compromised, the virtual system controlled by the hypervisor is compromised." - Nick Lothian
At least now we're getting a better idea of what happened Thursday. Though it's intriguing how it was aimed at just one person who had different services each of which were affected. - George Hall (Australia)
i'm not following george... did I miss something? - Chris Heath
Yep, Chris...the fact there's a pro-Georgian blogger who wrote on all the affected services. Seems all his pages were targetted. A bit more of the Russian/Georgian cyberwar. There's at least a few articles/posts about that across the net. Though, I summarized it at http://geehall1.posterous.com - George Hall (Australia)
Twitter, Facebook, LiveJournal, YouTube, Google attack was not a botnet, just tons of people manually clicking spam ... related to pro-Abkhazia activist blogger Cyxymu. This is the theory of Bill Woodcock, research director of Packet Clearing House, a nonprofit that helps network operators when they come under attack. CNET (4:32 pm PDT) seems to be the main source of this story, which travelled to The Register (12:49 am GMT = 7:49 pm EDT), AP (9:37 pm EDT), SF Gate (6:55 pm PDT), New York Times, and Mashable. http://ff.im/6gLmO - Mitchell Tsai
erro not so you can block the suspisious ip addresses / country - Maurice Walshe
Alex, I when I said CERT I meant this site http://www.us-cert.gov - Peter Dawson
You _can_protect your site against DoS attacks. Tier 1 ISPs offer DDoS protection using CiscoGuard appliances (see http://www.cisco.com/en...) + BGP + GRE tunnels. They deflect extortion attempts every week for banks and other sites. - Paul Lindner
Very interesting stuff, Paul. Thanks for the link. I wonder how long it will be before the bad guys find a way to shut those Cisco boxes down and make them cry to mama. It's like a grand game of cat and mouse. - Alex Scoble from IM
eh Paul, some of em systems are also vectors for DNS posioning and route hijacking.. ant that a DoS too ? - Peter Dawson
Peter: Yes, DNS poisoning can be a DoS attack, as well as route hijacking. Typically those are done to deny users access to a given site or service. Occasionally those are used to hijack a service, which has the effect of DoS, but not the primary intention (the primary intention is often to change the message that web site visitors would see, or perhaps to collect sensitive data such as passwords or financial information ) - guruvan (Rob Nelson)
@GuruVan, " change the message " is more like "man-in-the-middle", thats a totally different vector !! - Peter Dawson
Not quite Peter. MiTM is usually executed differently than a straight hijacking. (though the data collection I mentioned is usually a MiTM attack) - guruvan (Rob Nelson)
off course, MiTM is executed differently !! Hey, anyway feel free to jump onto my FF bandwagon.. http://friendfeed.com/cloud-d... f:)- - Peter Dawson
I may be simplistic but couldn't these hackers just doing something worthwhile with their talent? - Kevin J Hatton
They are often affilliated with elements of organized crime in various countries - Alex Scoble from IM
Or affiliated with seedy people who don't like ketchup on burgers - Jeff (the マクダジ of FF)
yeah but remember, in some countries they (hackers) have to protect their young sisters from being sold - so they (hackerS) use their talents to keep the family together. Its an't always what you think it is ! - Peter Dawson
Okay, but are those guys 'hackers' or 'crackers'? AFAIK they're crackers.. no? - Thierry R. Andriamirado from email
They are both. :) A cracker is a black hat hacker. - Alex Scoble from IM
Or h4XX0r$ ;) ( or god forbid, the evil and feared script kiddies ) - guruvan (Rob Nelson)
Interesting analysis of Twitter's network: http://www.blyon.com/blog... - Todd Hoff