1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
nick32661123 [3 hidden]5 mins ago
Seems more likely that residential modems will be required to use ISP-provided equipment that has government mandated chips, firmware, etc to filter outbound traffic for DDoS prevention.
DaSHacka [3 hidden]5 mins ago
Why should they be required to have hardware in their own network to filter that out when the ISP is obviously receiving all of their traffic anyway?
spatley [3 hidden]5 mins ago
Seems pretty clear that the US needs strict regulation on any device connecting to the internet.
* no default password *
* no login if not on the local wifi or wired ethernet *
dehrmann [3 hidden]5 mins ago
I'd rather the industry standardizes on some sort of guest network and proxy/hub. It could even ship with hardware from ISPs. Separating the network buys you a lot of security, and running everything through a proxy makes it easier to inspect data and creates a standard hook for using abandonware.
DaSHacka [3 hidden]5 mins ago
Many manufacturers are already moving there of their own accord. I really don't think we'd need some legislation to fix this problem.
Groxx [3 hidden]5 mins ago
I'm honestly kinda curious why nobody's blocking these IPs from sending data near the source.
Like, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
Mindless2112 [3 hidden]5 mins ago
> “The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
ISPs are starting to feel the pain, so perhaps in the near future they will do something about it.
dloy [3 hidden]5 mins ago
Perhaps, or perhaps not. Maybe if we held them accountable they would?
MartijnBraam [3 hidden]5 mins ago
This does happen, but it seems to depend on the ISP. In the Netherlands I've seen ISPs block the internet connectivity when they've detected infected devices, sometimes they send a letter before blocking and some ISPs seem to dump your internet connection in a captive portal. In all these cases it's been enough to call the ISP after finding the problem and you're connected again minutes later.
kibbel [3 hidden]5 mins ago
A large part of the article is dedicated to this, noting how disruptive it is to other services and customers, and listing a few countermeasures (detection and blocking at the ISP level, detection and blocking at the router level, and educating customers on not buying vulnerable IoT trash).
Groxx [3 hidden]5 mins ago
Not really? At best it's "DDOS prevention sellers are having trouble" and "ISPs say they're doing fine". The vast majority of the article is talking about the various kinds of malware causing this, and how some have been "fixed" by stopping the individuals running it (which clearly doesn't work very well, new ones just fill the void).
Or this:
>“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
Uh. No. That's gross negligence if they are only starting to think about it now - the trend has been clear for over a decade, and the IoT threat has been obvious since day 1 and even blasted over public news for the past few years. Their status is pretty much only one of: incompetent, malicious, or they have had plans but haven't acted on them fast enough or strongly enough for [some reason], and that reason isn't something I've seen. Surprises happen, prevention costs money and time, and there are plenty of reasons why everyone isn't already prepared for everything, so I think "incompetent or malicious" is pretty rare.... but what are those reasons?
bombcar [3 hidden]5 mins ago
There's no economic incentive for YOU (as the proximate ISP) to do anything about it, it would cost money, and cost you customers.
Any idea why they don't fix it?
Groxx [3 hidden]5 mins ago
Yes, you generally see this kind of thing start from the pain-feelers and move up the chain to the pain-causers.
So why hasn't that happened? These are clearly damaging to many, and ISPs are apparently doing next to nothing to prevent it, and it has been extremely clear for a while now that it's going to just become a bigger and bigger problem.
martinald [3 hidden]5 mins ago
Of course there is. If you've got all your internet egress tied up with DDoS attacks from your network it is a big problem.
bombcar [3 hidden]5 mins ago
I think we’re just starting to see attacks that big - which might start some practical mitigations (or they’ll just upgrade transit).
TZubiri [3 hidden]5 mins ago
> They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.
quantummagic [3 hidden]5 mins ago
Any device that participates in a DDOS needs to be recalled by the manufacturer, mandated by law. Make it potentially economically crippling to sell a vulnerable device, and security will be taken very seriously. Frivolous uses of tech, won't be worth the risk.
DaSHacka [3 hidden]5 mins ago
This just in: every computer manufacturer forced to recall every single computer model they've ever sold because some users use weak passwords.
I can't wait for all of them to switch to IOS-ified devices incapable of installing alternative operating systems or programs, as that would be the inevitable end solution for all these manufacturers if this was implemented.
quantummagic [3 hidden]5 mins ago
Maybe that's a good thing; relying on users to choose good passwords is a cop-out. Systems should be safe-by-default. And owners losing their system if it participates in a DDOS, would add to the incentives to stop the nonsense. It persists because perpetrators, and those who unwittingly abet them, feel no consequences.
HN.zip
1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
* no default password * * no login if not on the local wifi or wired ethernet *
Like, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
ISPs are starting to feel the pain, so perhaps in the near future they will do something about it.
Or this:
>“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
Uh. No. That's gross negligence if they are only starting to think about it now - the trend has been clear for over a decade, and the IoT threat has been obvious since day 1 and even blasted over public news for the past few years. Their status is pretty much only one of: incompetent, malicious, or they have had plans but haven't acted on them fast enough or strongly enough for [some reason], and that reason isn't something I've seen. Surprises happen, prevention costs money and time, and there are plenty of reasons why everyone isn't already prepared for everything, so I think "incompetent or malicious" is pretty rare.... but what are those reasons?
Any idea why they don't fix it?
So why hasn't that happened? These are clearly damaging to many, and ISPs are apparently doing next to nothing to prevent it, and it has been extremely clear for a while now that it's going to just become a bigger and bigger problem.
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.
I can't wait for all of them to switch to IOS-ified devices incapable of installing alternative operating systems or programs, as that would be the inevitable end solution for all these manufacturers if this was implemented.