I'm fairly sure that if there's one organisation with the money to buy enough bandwidth and filtering to handle a DDoS, then it's going to be Camelot Group. Especially as it would just be filed under "operational expenses".
UK lotto players quids in: Website knocked offline by DDoS attack
The UK National Lottery has apologised for a website outage that left money in the pockets of punters unable to play games on Saturday evening. “We're very sorry that many players are currently unable to access The National Lottery website or app. Our 46,000 retailers are unaffected,” it said on Twitter before adding “please …
COMMENTS
Monday 2nd October 2017 11:44 GMT Redstone
It would be interesting to know
how big this DDoS attack was. I mean, you would have thought that the National Frottery would have some serious digital siege mitigation in place; so to knock the site out, there must have been a good few hundred Gbps traffic behind it, suggesting a pretty substantial botnet.
I'm guessing that this is unlikely to be a competitor (those postcode lottery people seem too nice ;)), so a reasonable assumption is that this is one of those botnet-for-hire attacks. I'm also guessing that this didn't cost the instigator that much either, so it is a bit concerning to anyone running a site that may be viewed as controversial - which is pretty much any site with content on it, these days.
Monday 2nd October 2017 12:12 GMT Lee D
Re: It would be interesting to know
The problem with DDoS is that you can only combat it from one step higher.
If you're DDoS'd, you need to implement a filter on the data coming in BEFORE it comes down the line. And with Distributed, those filters are more complex than you might think (i.e. millions of random web requests from random IPs would do it, but how do you distinguish real users?).
Pretty much, that's your first port-of-call, and the end of your worrying. The upstream then has to work out where it's coming from and try to filter from source, if that's possible, or just swallow the traffic for you. It matters not what YOU have in-house, that's always capable of being overwhelmed. It's what your upstream partners have, as they are the ones collating packets from millions of smaller connections into one big bundle for you, and they have to fix it there, not just blindly send it to you.
No amount of technology can really solve that issue, while it's still possible to generate a genuine web request from a genuine user's compromised PC, as that genuine user, it's impossible to distinguish no matter what you put in the way of cookies, authentication, behaviour-tracking, etc.
It's cheap to tell 1,000,000 computers that you don't own, to all access a website at the same time. The people who own the computers are paying for the resources. It's not cheap to run a website capable of dealing with 1,000,000 extra visitors without noticing.
As time goes on, the problem isn't going to change much except in scope. We can only hope that backhaul transit increases in sizes proportional to the average home broadband user. While it takes, what? 10-30 compromised home fibre connections to flood a 1Gbit leased line now, if that scale doesn't increase at the same rate at both ends then it becomes even easier to swamp a connection.
(it's wishful thinking that larger connections would grow at a faster rate than home ones, however).
What happens when every user has uncontended gigabit? You better hope that every ISP becomes good at filtering, or that every backhaul and datacenter start offering 100Gbit as the basic business leased line / the interface to the cheapest server they rent out.
To be honest, servers in datacentres would be my worry. It's pretty standard to get only 100Mbit or 1Gbit networking. Most servers running in datacentres, therefore, could be taken down by a single fibre home-user with a grudge quite quickly if there was no mitigation. And paying to have every single blade / VM / whatever to have 100Gbit connectivity and necessary switching/upstream for that sounds expensive.
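The distinction the post above draws, that a single heavy source is easy to spot in-house while millions of single requests from random addresses look like ordinary users and only show up as an aggregate volume your upstream has to absorb, can be made concrete with a small log-analysis script. The following is an added Python example, not code from the thread or from Camelot; the access-log lines, IP addresses (documentation ranges), window size and thresholds are all constructed for the illustration.

```python
"""Per-source versus aggregate request-rate checks over constructed access-log lines.

Added illustration: every log line, address and threshold below is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse a constructed log line of the form '<ip> <ISO-8601 time> <path>'."""
    ip, ts, path = line.split(" ", 2)
    return ip, datetime.fromisoformat(ts), path


def max_rate_per_window(times, window_s):
    """Largest number of events falling inside any sliding window of window_s seconds."""
    times = sorted(times)
    window = timedelta(seconds=window_s)
    best, start = 0, 0
    for end, t in enumerate(times):
        # Slide the window start forward until it lies within window_s of the newest event.
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def heavy_hitters(lines, window_s=10, per_source_limit=20):
    """Sources whose own request rate exceeds per_source_limit in some window.

    This is the check an in-house box can do: it catches one noisy client.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ip, ts, _ = parse_line(line)
        by_ip[ip].append(ts)
    return {ip for ip, ts in by_ip.items()
            if max_rate_per_window(ts, window_s) > per_source_limit}


def aggregate_exceeds(lines, window_s=10, capacity=100):
    """True when the total request rate, regardless of source, exceeds capacity.

    This is the view only the upstream (or a capacity planner) has: many sources
    each staying under the per-source limit can still exceed what the link carries.
    """
    times = [parse_line(line)[1] for line in lines]
    return max_rate_per_window(times, window_s) > capacity


def make_log(sources, requests_each, start="2017-09-30T19:00:00"):
    """Constructed log generator: each source sends requests_each hits, 10 ms apart."""
    t0 = datetime.fromisoformat(start)
    lines, i = [], 0
    for ip in sources:
        for _ in range(requests_each):
            lines.append(f"{ip} {(t0 + timedelta(seconds=0.01 * i)).isoformat()} /")
            i += 1
    return lines


# Scenario A (constructed): one client sends 50 requests while three others send 2 each.
SINGLE_SOURCE_FLOOD = (make_log(["203.0.113.7"], 50)
                       + make_log(["198.51.100.1", "198.51.100.2", "198.51.100.3"], 2))

# Scenario B (constructed): 200 distinct clients send exactly one request each.
DISTRIBUTED_FLOOD = make_log([f"198.51.100.{n}" for n in range(1, 201)], 1)


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_FLOOD), ("distributed", DISTRIBUTED_FLOOD)):
        print(f"{name}: heavy hitters={sorted(heavy_hitters(log))}, "
              f"aggregate over capacity={aggregate_exceeds(log)}")
```

Scenario A trips the per-source check and stays under aggregate capacity, so an in-house filter suffices; scenario B trips no per-source rule at all, and the only signal is total volume, which is the case the post says has to be handled upstream.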
Monday 2nd October 2017 12:25 GMT handleoclast
Re: Oh well
Cheer up and take heed of this excellent advice.
Monday 2nd October 2017 14:35 GMT DJO
Re: Oh well
Ignore the top prize, you'll never win that and even if you do it's just a statistical anomaly but the odds of winning any prize are about 20:1 which while bad is not very bad.
Another view is that according to the many worlds interpretation of quantum physics every ticket you buy will win the jackpot, the problem is being in the right universe. It could be argued that when you buy a ticket a version of you will become rich, let's hope it's the version here.
Monday 2nd October 2017 20:31 GMT paulf
Re: Oh well
@ Martin an gof "Premium Bonds...At least the capital is safe"
Only if you exclude inflation. While you can get back the investment capital you lose the stake which is the investment income that capital generates.
Mine's the one with Martin Lewis's PB analysis in it.
Tuesday 3rd October 2017 14:12 GMT breakfast
Re: Oh well
I think the odds of winning a EuroMillions jackpot (and let's face it, we don't really care about the chump change smaller prizes) are so slim that one probably has as much chance of finding a winning ticket lying in the street as buying one.
In fact I think I'm more likely to be crushed by a meteorite than win that Jackpot, although I bet if either of those happened they would happen on the same day. Typical.
Monday 30th October 2017 09:15 GMT FlamingDeath
Re: Oh well
This is of course assuming that it's not all a confidence trick. I mean those adjudicators, you know, the ones with the clipboard and name badge, who would oversee the machines and tick their little clipboard when a ball popped out, all to give the impression it's all legit.
Honestly people are so gullible and have a naive childlike sense of fairplay.
Guess what folks, as an example, do you think the Royal families of this world got to where they are by "fair play"?
Monday 2nd October 2017 12:31 GMT alain williams
'Gamble' not 'play'
Please do not use the Camelot marketing department's word 'play' - which implies that the lottery is a bit of fun, not serious. For many, reasonably well off, el-reg readers that might be true, but I have seen people at my local newsagent gambling money that it was plain that they could not afford -- it is harmful.
People are taken in by the con that they will get rich - the adverts try to convince people that they will be more lucky than their neighbour - clearly that cannot be true.
Would you make an investment that returned 25% of your original stake ? That is what you are likely to get when gambling on the lottery.
This DDOS has saved many people money that they could not afford to lose.
Monday 2nd October 2017 20:45 GMT Anonymous Coward
Re: 'Gamble' not 'play'
You have to be 18 to play it therefore that makes you an adult, and as an adult you have the right to make your own decisions. The major part of being an adult is learning to make your own decisions and taking the consequences of those decisions. It wouldn't matter if you banned the lottery tomorrow, the sort of people pissing money up the wall on scratch cards would simply go play the "fruities" up the arcade or in the pub. Or worse, they'd get seriously into booze or drugs and screw themselves up that way. You can't save everyone, sure you can tell them they're stupid or confused but when the craving strikes, nothing stops it and it needs feeding.
You can scream at a heroin addict all you like that they're f**king stupid to pump that sh*t into their veins but when the craving strikes no amount of shouting or advice will stop the horrendous craving that will drive them to rob, steal or kill to supply the addiction, they're no longer addicted to the drug, they're addicted to the addiction. Same with the "lottery junkies", it wouldn't matter if they won £10,000 tomorrow, they'd simply head to a casino as opposed to the corner shop to play the "scratchies".
You can't help some people, no matter how hard you want to or how hard you try, some people are destined to screw themselves up. What you can do though is to remove those they are hurting from them, take them somewhere safe and teach them that addiction is a bad thing, the kids or dependants, offer them a chance at a decent life.
Trust me. Once a junkie ( of anything ) always a junkie. It never stops 'til the day they pop their clogs.
Monday 2nd October 2017 21:37 GMT Anonymous Coward
Re: 'Gamble' not 'play'
You clearly haven't got a clue what you are talking about and I find mindless rants from mindless users like you particularly offensive.
I hate posting anonymously like you have done as I believe if you have something to say, you should have the balls to own it.
However in this instance I wish to maintain the anonymity of my son.
Who is currently in a gambling clinic.
Monday 2nd October 2017 12:57 GMT Doctor_Wibble
No spam over the weekend, coincidence?
Over the weekend I had wondered if there was some kind of problem that I hadn't figured out, because the volume of spam attempts* dropped to almost zero. May sound weird but it can be a sort of barometer for overall net status. Normal Service resumed shortly after 7pm on Sunday.
Hence the possibly brief existence of a theory, plus correlation, causation, and musings thereof, that it's (part of?) the same botnet.
.
* not counting the solo compute instance thing hosted in France repeatedly trying smtp 'auth login' regardless of the server response. I suppose I could block it but the futility is just so cute, I'm keeping it as a pet.
Monday 2nd October 2017 14:17 GMT Anonymous Coward
"It's an idiot tax"
So. It's my money, I'm an idiot, if I choose to do it once a week then that's my problem not yours.
What does bug me is how insecure their site has been for years. For a long time their password policy was just numbers and letters (because they didn't want to have the hassle of supporting account lock outs). Now you can use special characters yet they STILL don't have Two-Step verification available.
Monday 2nd October 2017 16:47 GMT Cynic_999
Re: "It's an idiot tax"
"Now you can use special characters yet they STILL don't have Two-Step verification available."
I don't see why that's necessary. AFAICS there's no money to be made by hacking into your lottery account, so why should it be a target? There's no more need for 2 factor verification than your El-Reg account.
Monday 2nd October 2017 17:08 GMT handleoclast
Re: "It's an idiot tax"
It's an idiot tax in more ways than one. Because there's more than one type of idiot.
In theory I have no problem with a non-profit lottery for people who want to dream of winning. You're buying the dream of what you'd do if you won the big one. Fine. Except that the national lottery pays back 50%. So scale back your dreams.
The rest of the money, after Camelot has taken its big cut,* goes to "good causes." Some of which occasionally actually do some beneficial things. But mostly they pay for giant statues made of dog turds or something like that. These were the sort of projects, pre-Thatcher, that were funded by the gov't via an arts council or some such. Things that, if they turned out to be a massive waste of money, caused the responsible minister to get pilloried (and maybe voted out at the next election).
In pre-Thatcher days, the money for "good causes" came out of taxes, which meant the rich paid some of it (relative proportion depending on the flavour of gov't in power). But the rich don't play the lottery to any great degree. If they do, it's a far lower proportion of disposable income than the poor: the rich are already living their dream, the poor are buying lottery tickets so they can dream about becoming rich. Essentially, we've shifted a large proportion of the burden of paying for "good causes" onto the poor. Tax cuts for the rich made possible by an idiot tax on the poor.
It's also allowed government ministers to evade all criticism for the shitty "good causes" that do get funded, because it's now the lottery commission's fault and nothing to do with gov't. Of course, that didn't stop Tony Fucking B-liar from ramming his thumb on the scale to get the Millennium Dome so he could bask in the glory (and instead was deservedly shamed).
So it's a double con. It's shifted more of the cost of these "good causes" onto the poor and allowed gov't ministers to avoid criticism for the shitty ones whilst still being able to fraudulently claim credit for any good ones.
*Camelot takes a big cut. Remember when Branson offered to run the lottery as a non-profit? He was turned down but no real reasons were ever given. If the gov't had secret evidence that he was too risky to run the lottery they should also have prevented him running his other businesses, so they didn't have any. That decision stinks of bribery and corruption. Backhanders from Camelot are the only real explanation for not letting Branson take over.
But hey, if you want to be an idiot, go for it. It might be you that's an idiot.
Tuesday 3rd October 2017 06:09 GMT tfewster
Re: "It's an idiot tax"
@handleoclast re: "Remember when Branson offered to run the lottery as a non-profit? He was turned down but no real reasons were ever given."
ISTR Branson's proposal to take over the Lottery was trumped by Camelot's contract renewal bid to generate much more revenue and, after their cut, still hand over more (than Branson would have managed) to the Lottery Fund.
But I upvoted the rest of your post.
Tuesday 3rd October 2017 15:38 GMT Anonymous Coward
Re: Buying the dream
I justify it by figuring that, as long as I spend less than the £40M-odd that Sustrans got from the National Lottery for the National Cycle Network (insert your own preferred charity), then I’m still a winner, of sorts.
And I do win the occasional tenner or so, although I’m pretty sure that I’m “down” on my personal investment overall! At £1 a week, it was a harmless flutter, but now that tickets are more expensive, it is a bit less so.
Monday 2nd October 2017 17:00 GMT Cynic_999
DDos prevention
ISTM that DDos attacks could be prevented by ISPs, either at the exchange or even in the customer's WAN router. It is not difficult to recognize DDos packets and block or throttle at the *originating* end.
It would also be possible to send letters to subscribers of infected systems which if ignored will result in a fine or termination of service.
Monday 2nd October 2017 19:48 GMT activereachmax
Re: DDos prevention
Firstly I would challenge the assertion that "It is not difficult to recognise DDoS packets" which is not true of all DDoS attack techniques. Secondly, ISPs are more likely to blacklist a target of a DDoS if it threatens their other customers rather than mitigating DDoS attacks for their customers - particularly if the customer has not specifically paid for DDoS protection. Most would be unwilling to put filters on routers at their end for the duration of an attack (which can be quite short) and putting it on a customer's device does nothing to stop volumetric attacks. Cloud mitigation can be effective, but is expensive "always-on." Trying to notify those responsible for the millions of compromised devices used in botnets and then fining them if they don't fix it is... ambitious.
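What blocking "at the originating end" can and cannot do, as discussed in the two posts above, is easiest to see in code. The following is an added Python example, not code from the thread or from any ISP: it models one subscriber port on an access router applying source-address validation in the BCP38 / RFC 2827 style (drop packets whose source lies outside the prefix assigned to that subscriber) and then a per-port token-bucket rate cap. The subscriber prefix, packet timings, rate and burst values are all constructed assumptions.

```python
"""Subscriber-edge egress policy: source-address validation plus a rate cap.

Added illustration; the prefix, addresses, timings and limits are invented.
"""
import ipaddress
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Packet:
    t_ms: int   # arrival time in milliseconds (constructed)
    src: str
    dst: str


class TokenBucket:
    """Token bucket with exact arithmetic: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last_ms = None

    def allow(self, t_ms):
        if self.last_ms is not None:
            refill = Fraction(t_ms - self.last_ms) * self.rate / 1000
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SubscriberEdge:
    """Egress policy for one subscriber port: validate the source, then rate-cap."""

    def __init__(self, prefix, rate_pps, burst):
        self.prefix = ipaddress.ip_network(prefix)   # assumption: the prefix assigned to this port
        self.bucket = TokenBucket(rate_pps, burst)
        self.stats = {"forwarded": 0, "spoofed_dropped": 0, "throttled": 0}

    def process(self, pkt):
        # BCP38-style check: a packet claiming a source we did not assign is spoofed.
        if ipaddress.ip_address(pkt.src) not in self.prefix:
            self.stats["spoofed_dropped"] += 1
            return "spoofed_dropped"
        # Genuine source: it passes validation, so only the rate cap applies.
        if not self.bucket.allow(pkt.t_ms):
            self.stats["throttled"] += 1
            return "throttled"
        self.stats["forwarded"] += 1
        return "forwarded"


def run_subscriber(prefix, packets, rate_pps=5, burst=10):
    """Apply the policy to a packet list in arrival order and return the counters."""
    edge = SubscriberEdge(prefix, rate_pps, burst)
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        edge.process(pkt)
    return dict(edge.stats)


def constructed_traffic():
    """Constructed traffic from one port: 50 genuine-source packets at 100 pps,
    interleaved with 20 packets carrying a source address outside the assigned prefix."""
    genuine = [Packet(10 * k, "198.51.100.3", "203.0.113.50") for k in range(50)]
    spoofed = [Packet(10 * k + 5, "192.0.2.9", "203.0.113.50") for k in range(20)]
    return genuine + spoofed


def constructed_idle_traffic():
    """Constructed low-rate traffic: three packets a second apart from a genuine source."""
    return [Packet(1000 * k, "198.51.100.2", "203.0.113.50") for k in range(3)]


if __name__ == "__main__":
    print("burst port :", run_subscriber("198.51.100.0/29", constructed_traffic()))
    print("idle port  :", run_subscriber("198.51.100.0/29", constructed_idle_traffic()))
```

With the constructed inputs the spoofed packets are all dropped by the prefix check, which is the part that is genuinely "not difficult" and that BCP38 asks every access network to do. The genuine-source burst is only throttled, not recognised as hostile: the port cannot tell a compromised PC from its owner, and the packets that do get through still count against the target's link, which is the volumetric case the reply above says an edge device does nothing to stop.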
Monday 2nd October 2017 20:55 GMT Mark 110
Re: DDos prevention
"Trying to notify those responsible for the millions of compromised devices used in botnets and then fining them if they don't fix it is... ambitious."
So back in my Telewest days we got blacklisted for being a source of Spam. Our SMTP servers got blacklisted because we weren't conforming to some RFCs. Why can't a similar principle work with botnets? Make ISPs responsible for keeping their networks clean (i.e. cutting off customers with unsecured devices being used for bad things) and if they don't then all their traffic gets blacklisted.
I do realise the internet is much bigger and more difficult to control than 20 years ago but the principle seems good to me.
Monday 2nd October 2017 17:30 GMT unwarranted triumphalism
How awful
Whatever will the saddo gambling addicts do to get their fix? Never mind, I'm sure that a fine upstanding company such as Ladbrokes can help them piss away their families' rent/mortgage/groceries money.
Don't forget folks, it's not your fault for pissing away all your money on this bullshit, it's everyone else's fault for not stopping you!
Monday 2nd October 2017 18:51 GMT The Dogs Meevonks
I only play the lottery when it's a guaranteed jackpot win of more than 24 million... Once it passes that mark, it has to be won the following draw.. so even if no one gets all 6, it gets shared between 5+ Bonus and so forth.
You might get a smaller amount, but the chances drop from 45 million to 1, down to around 15 million to 1... or roughly what it was before they added an extra 10 numbers to make it harder.
Wednesday 4th October 2017 08:17 GMT FlamingDeath
Nation states, at it again
Interesting that there was a mass shooting by an alleged madman, in Vegas, next to a giant pyramid, on the 32nd floor where 23 guns were found, the very next day. Looks to me like a coded message, "join us, or else"
But then again, what do I know
"Remember, you don't believe in false flag terrorism, you're in control of your own destiny"