back to article Battle of the botnets: My zombie horde's bigger than yours

DDoS attacks more than doubled in the last quarter of 2016 compared to the same period the year before. Although the infamous Mirai IoT botnets accounted for many of the most severe attacks, the biggest single assault came from a different zombie network, according to a new study by Akamai out Tuesday. Attacks greater than …

  1. Brian Miller

    Previous Reports

    Take a look at the Akamai report page in sequence:

    "IoT botnet attacks are real and present threats."

    "300 Gbps attacks become more common."

    It's gone from "real and present" to "common." The solutions to this problem are not with the government. The ISPs are going to have to band together, and block access. Somebody wants their connection turned back on? Take care of your problem first.

    1. Lee D Silver badge

      Re: Previous Reports

      So creating another type of DoS for the customers that are paying for the service, and the potential for making it look like someone should be blocked and thus getting them kicked off the Internet "for larks".

      It's not a plan that would work long-term.

      The real issue is that computer security is still just a bolt-on, rather than inherent to a design.

      Personally, as an ISP, I'd be flagging data for all customers, and providing them with some kind of stat portal/alert system for them to use. My old ISP used to warn if it detected ANY traffic on port 139 (even intercepting web pages to tell you). There's no reason you can't do that and warn with "Your connection is recorded as being seen as part of a botnet", yes, possibly intercepting HTTP until people get the message.

      But even voluntary users won't stop DDoS happening. Only computer security.

      The further we go down the road, the more a DDoS just looks exactly like a certain service/website became popular, and it's impossible to categorise a particular packet at the ISP end as malicious, without being the target of it all. How do you distinguish a million computers accessing Windows Update from a million hacked computers trying to DDoS Windows Update with the same kind of packets with the same kind of information? You can't.

      The fix is to stop programs and devices being "on the network" and "able to do everything" by default. Every home router has the equivalent of "iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT" as their only outgoing rule. If you just knocked that down to having to authorise devices, you'd knock a load of stuff off (e.g. IP cameras that can go online but don't need to). Give only basic web access to devices by default, and you cut out a load of NTP etc. attacks and it's as simple as "this device is requesting NTP on the day you installed it, do you want to allow that?" to make it work as expected. And then any LATER change is suspicious and by which time the users will have forgotten what to do about it. Hell, include IP/DNS whitelisting for the necessary items, just like software firewalls do, and you can make sure the CCTV can talk to the mobile transcoding service but not spam people with emails, or Microsoft with pretending to be Windows Update or whatever.

      "accept all" is the problem here, and it's been stupid since day one to trust the internal network so implicitly on a consumer-level home network.

      1. Brian Miller

        Re: Previous Reports

        ... The real issue is that computer security is still just a bolt-on, rather than inherent to a design. ... "accept all" is the problem here, and it's been stupid since day one to trust the internal network so implicitly on a consumer-level home network.

        Here's the problem with white-listing: "yes" "yes" "yes" "yes" "yes" "yes" "yes" "yes" "yes" etc.

        People are putting vulnerable devices on the "DMZ" of their home router, because they think they want to access their IP camera from their phone, or whatever. The home routers don't have any ability to manage their rule sets to something like, "DMZ, but only for addresses from a Verizon cell phone."

        Until then, stuff will be tossed out into the DMZ, and that's it, with less attention to security than when it came from the manufacturer, because the really don't know any better.

  2. Anonymous Coward
    Anonymous Coward

    >The top three source countries for DDoS attacks were the U.S. (24%), the U.K. (10%), and Germany (7%)

    Interesting, I hadn't heard that on the BBC...

    1. Anonymous Coward
      Anonymous Coward

      Think "who has the highest number of insecure systems directly attached to the Internet?" That would be the US. Even with our sub-standard broadband offerings, there is still room to capture and control direct-attached systems and pwn their bandwidth. I would wager 95%+ of those systems do not actually need to be directly attached, rather the owner or ISP is too cheap/stupid to provide a proper router with all the ports fire-walled off until the user requests them opened. It's like TalkTalk, but on a nationwide (and ISP agnostic) scale. Lots of muggle Internet users all happily directly connected and serving their botnet masters, so long as they can get to the "gun show" and "faux news" websites, there is nothing amiss. Ignorance is blessed [sic]. And the ISPs don't do anything to help.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like