One Article Review

Source Errata Security
Identifier 214244
Publication date 2016-10-21 20:01:27 (seen: 2016-10-21 20:01:27)
Title Some notes on today's DNS DDoS
Text Some notes on today's DNS outages due to DDoS.

We lack details. As a techy, I want to know the composition of the traffic. Is it blindly overflowing incoming links with junk traffic? Or is it cleverly sending valid DNS requests, overloading the ability of servers to respond, and overflowing the outgoing link (as responses are five times or more as big as requests)? Such techy details and more make a big difference. Was Dyn the only target? Why were non-Dyn customers affected?

Nothing to do with the IANA handover. So this post blames Obama for handing control of DNS to the Russians, or some such. It's silly, and there's not a shred of truth to it. For the record, I'm (or was) a Republican and opposed handing over the IANA. But the handover was a symbolic transition of a minor clerical function to a body that isn't anything like the U.N. The handover has nothing to do with either Obama or today's DDoS. There's no reason to blame this on Obama, other than the general reason that he's to blame for everything bad that happened in the last 8 years.

It's not a practice attack. A Bruce Schneier post created the idea of hackers doing "practice" DDoS. That's not how things work. Using a botnet for DDoS always degrades it, as owners of machines find the infections and remove them. The people getting the most practice are the defenders, who learn more from the incident than the attackers do.

It's not practice for Nov. 8. I tweeted a possible connection to the election because I thought it'd be self-evidently a troll, but a lot of good, intelligent, well-meaning people took it seriously. A functioning Internet is not involved in counting the votes anywhere, so it's hard to see how any Internet attack can "rig" the election. DDoSing news sources like CNN might be fun -- a blackout of news might make some people go crazy and riot in the streets. Imagine if Twitter went down while people were voting. With this said, we may see DDoS anyway -- lots of kids control large botnets, so it may happen on election day because they can, not because it changes anything.

Dyn stupidly uses BIND. According to "version.bind" queries, Dyn (the big DNS provider that is a major target) uses BIND. This is the most popular DNS server software, but it's wrong. It is 10x to 100x slower than alternatives, meaning that they need 100x more server hardware in order to deal with DDoS attacks. BIND is also 10x more complex -- it strives to be the reference implementation that contains all DNS features, rather than a simple bit of software that just handles this one case. BIND should never be used for Internet-facing DNS; packages like KnotDNS and NSD should be used instead.

Fixing IoT. The persistent rumor is that an IoT botnet is being used. So everyone is calling for regulations to secure IoT devices. This is extraordinarily bad. First of all, most of the devices are made in China and shipped to countries not in the United States, so there's little effect our regulations can have. Except they would essentially kill the Kickstarter community coming up with innovative IoT devices. Only very large corporations can afford the regulatory burden involved. Moreover, it's unclear what "security" means. There is no real bug/vulnerability being exploited here other than default passwords -- something even the US government has at times refused to recognize as a security "vulnerability".

Fixing IoT #2. People have come up with many ways default passwords might be solved, such as having a sticker on the device with a randomly generated password. Getting the firmware to match a printed sticker during manufacturing is a hard, costly problem. I mean, they do it all the time for other reasons, but it starts to become a burden for cheaper devices. But in any event, the correct solution is connecting via Bluetooth. That seems to be the most p
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.