[HN Gopher] TP240PhoneHome Reflection/Amplification DDoS Attack ...
___________________________________________________________________
TP240PhoneHome Reflection/Amplification DDoS Attack Vector
Author : leohonexus
Score : 169 points
Date : 2022-03-09 13:16 UTC (9 hours ago)
(HTM) web link (www.akamai.com)
(TXT) w3m dump (www.akamai.com)
| api wrote:
| I'm really concerned that DDOS attacks are going to lead to the
| death of the open Internet and its balkanization and isolation
| behind walled gardens. If you look at where Cloudflare and some
| of the big clouds are going with their private networks, private
| backplanes, and "secure your traffic by putting it all over our
| network" zero trust plans it seems to be going that way.
|
| If open peering and the open Internet are to survive I think
| serious work needs to be done to fight DDOS attacks. It needs to
| be an effort analogous to the "war on spam" in the late 1990s /
| early 2000s. Unfortunately that war was sort of lost; e-mail is
| in practice barely an open protocol anymore and almost all e-mail
| is handled by a few giant companies that can leverage big data to
| filter spam. If you try to DIY a mail server you'll be
| simultaneously hit by spam and have to constantly fight mistaken
| filtration by larger e-mail providers who tend to distrust small
| mail servers by default.
|
| If the open Internet succumbs to DDOS "spam," we will lose
| something really huge and important. It would be the ultimate
| casualty of what so far has been almost a law (with very few
| exceptions): all open systems are destroyed by abuse if they
| become sufficiently popular.
|
| We also can't just leave it to the free market because the only
| solution the market will likely come up with is walled gardens.
| It's the easiest to engineer solution and the easiest to
| monetize.
| adrian_b wrote:
| > If you try to DIY a mail server you'll be simultaneously hit
| by spam and have to constantly fight mistaken filtration by
| larger e-mail providers who tend to distrust small mail servers
| by default.
|
| I have managed my own e-mail server for around 20 years.
|
| Filtering spam has never been a problem.
|
| On the other hand your second problem has indeed existed, i.e.
| with various large e-mail providers which either blocked
| completely my e-mail messages without signalling any error, or
| they delayed for 1 day or 2 my messages, or they required many
| resendings of a message until really passing it to the
| destination.
|
| Fortunately such cases seem to have become much more seldom
| during the last couple of years.
| wiredfool wrote:
| I've seen hideously inconvenient email pauses between
| Office365 and a massive NGO, so it's not just little mail
| servers.
| smasher164 wrote:
| It's interesting that you say that, because we've already sort
| of balkanized around ISPs. However, CDNs and DDOS protection
| popped up around services that ISPs couldn't provide. Maybe the
| dream is for ISPs to provide these services as well, making it
| more tenable for regular users to self-host.
| throw0101a wrote:
| > _If you look at where Cloudflare and some of the big clouds
| are going with their private networks, private backplanes, and
| "secure your traffic by putting it all over our network" zero
| trust plans it seems to be going that way._
|
| All the networks of the Internet are already private, just like
| the networks of AOL and CompuServe were private back in the
| day: your ISP's network is private, YouTube's network is
| private, AWS' network is private. It's just that those private
| networks agree to talk to each other.
|
| Otherwise your ISP would have to re-create YouTube and
| Reddit/forums and eBay/marketplace and..., and YouTube would
| have to build out an (inter)national network to connect their video
| services to people's homes.
|
| Just like AOL and CompuServe had to build out information
| services _and_ a connectivity infrastructure back in the day.
|
| Now each of the previously walled gardens (messaging, forums,
| marketplaces, connectivity, etc) is done by its own entity,
| each taking a slice of the monetary pie for the service(s) they
| provide.
|
| The Internet is a 'network of networks', but it is also an
| agreement: an agreement for everyone to talk to everyone else.
| api wrote:
| I think that's kind of semantic. The agreement is what I'm
| talking about. It makes the Internet open. I can just send
| you a packet. That's what's in danger here.
| [deleted]
| dschuetz wrote:
| We're approaching the limits here, I think.
| zaik wrote:
| Why would there be a theoretical limit?
| pickledcods wrote:
| because that value is a physical limit
| black_puppydog wrote:
| How so? If I find a vector that triggers the remote system
| to `cat /dev/random | netcat $target` then there's no limit
| for how much traffic my reflection generates, no?
| nostoc wrote:
| I assume by limit OP means the remote system's bandwidth.
|
| at 4 billion to 1, there's in practice very little
| difference between CVE-2022-26143 and what you describe.
| Both will be capped at the same number by the bandwidth
| available to the offending system.
| pickledcods wrote:
| look at the binary, it's an overflow value. Like it
| didn't fit the spreadsheet.
| nathanyz wrote:
| Limit would end up being when you send 1 byte of traffic to a
| box and that box amplifies it to whatever its own max
| outbound bandwidth rate is.
|
| This seems like it would exceed that in many cases, since 1
| byte in => 4.2 gigabytes out. Which is roughly 33.6 gbps. Not
| sure many of these vulnerable boxes actually have that amount
| of outbound bandwidth to utilize.
|
| (Please feel free to correct my quick math if I messed it up)
| jwilk wrote:
| Why do you want to send everything in one second?
| nathanyz wrote:
| This is a good point, but then you need more boxes to
| perform the DDOS as the reason they are effective is
| overwhelming the packets per second or bandwidth per
| second of the receiving networks. So it definitely does
| allow for a sustained attack by a single box with limited
| outbound bandwidth, but that blunts the usual reasoning
| for why the amplification is so dangerous.
|
| Another interesting impact of this is that the higher the
| amplification, the more likely it is noticeable by the
| server that is being abused. I mean if you clog the
| outbound network for a company they will notice and try
| to resolve immediately. Versus some milder amplification
| where it can go under the radar, or at least the business
| impact urgency radar of a company much longer.
| supertrope wrote:
| At least it was a 32-bit integer, not 64
| _joel wrote:
| Now that's a ping of death!
| operator1 wrote:
| Does anyone have any data on what networks or organizations were
| on the receiving side of these attacks?
| londons_explore wrote:
| Tracking down these systems is easy, so these issues can normally
| be solved pretty easily.
|
| That's because typically any amplification vector doesn't allow
| the source IP of the amplifier to be spoofed. So as soon as a
| DDoS attack begins, a sample of the packets can be taken to get a
| list of the amplifiers used. Those can then be tracked down and
| patched to no longer act as amplifiers.
| LinuxBender wrote:
| Let's get started! [1][2] You wanna take the odd numbered IPs
| and I take the even? _Just kidding I am way too lazy for this_
|
| [1] - https://www.shodan.io/search?query=mitel
|
| [2] - https://www.shodan.io/search?query=mivoice
| treesknees wrote:
| Your comment underestimates the task of remediation. Sure, we
| can very easily get a list of DDoS source IP addresses. Any
| decent network operator can get a list of flows matching some
| DDoS criteria and generate a report of IP addresses.
|
| In the case of this TP240 attack, you're talking about ~2600
| independent businesses across the world. Assuming you are able
| to determine the actual source of the traffic and work with a
| vendor to patch it, you're still tasked with somehow getting
| 2600 businesses to patch their systems or modify firewall
| rules.
|
| In the case of the memcached amplification attack, Cloudflare
| saw upwards of 5800 source IPs in the attacks, and Shodan
| reported nearly 88000 IPs responding on port 11211 [1].
| Tracking down the owners of 88k installations across public
| clouds, businesses, probably some residential networks, is a
| monumental task. There's nothing easy about it.
|
| [1] https://blog.cloudflare.com/memcrashed-major-amplification-a...
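Added example, not part of the thread and not any commenter's code: a victim-side version of the "list of flows matching some DDoS criteria" report described in the comment above, using the memcached port 11211 it mentions. The flow record layout, the 1-in-1000 sampling rate and all addresses (documentation ranges) are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of sampled flow records seen at the victim's edge.
# The column layout is an assumed export format, not a specific collector's.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
1646831760,udp,198.51.100.10,11211,203.0.113.5,40112,40,56000
1646831760,udp,198.51.100.10,11211,203.0.113.5,40113,10,14000
1646831761,udp,198.51.100.77,11211,203.0.113.5,51000,20,28000
1646831761,udp,192.0.2.44,11211,203.0.113.5,33000,5,7000
1646831762,udp,203.0.113.9,45000,192.0.2.200,11211,2,120
1646831762,udp,192.0.2.200,11211,203.0.113.9,45000,2,2400
1646831763,tcp,198.51.100.10,443,203.0.113.5,50000,12,9000
1646831763,udp,192.0.2.53,53,203.0.113.5,53124,1,180
"""

SAMPLING_RATE = 1000                                 # assumed 1-in-N packet sampling
REFLECTOR_PORT = 11211                               # memcached, as named in the thread
VICTIM_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed victim prefix


def parse_flows(text):
    """Turn the CSV export into typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "proto": row["proto"].lower(),
            "src": ipaddress.ip_address(row["src_ip"]),
            "sport": int(row["src_port"]),
            "dst": ipaddress.ip_address(row["dst_ip"]),
            "dport": int(row["dst_port"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def find_reflectors(flows, victim_net=VICTIM_NET, port=REFLECTOR_PORT,
                    sampling=SAMPLING_RATE):
    """Return (ip, est_packets, est_bytes) per unsolicited responder, largest first.

    A reflected flow is a UDP response from the service port to a victim
    address that never sent that server a request. With sampled data the
    request may simply have been missed, so the solicited check is best effort.
    """
    udp = [f for f in flows if f["proto"] == "udp"]
    # (victim host, server) pairs where the victim really did query the service.
    solicited = {(f["src"], f["dst"]) for f in udp
                 if f["src"] in victim_net and f["dport"] == port}

    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in udp:
        if f["sport"] != port or f["dst"] not in victim_net:
            continue
        if (f["dst"], f["src"]) in solicited:
            continue  # answer to a request we sent: not reflection
        totals[f["src"]]["packets"] += f["packets"] * sampling
        totals[f["src"]]["bytes"] += f["bytes"] * sampling

    report = [(str(ip), t["packets"], t["bytes"]) for ip, t in totals.items()]
    return sorted(report, key=lambda r: r[2], reverse=True)


def group_by_prefix(reflectors, prefix_len=24):
    """Group reflector IPs by covering prefix, e.g. for one abuse report per network."""
    groups = defaultdict(lambda: {"hosts": [], "bytes": 0})
    for ip, _packets, nbytes in reflectors:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)]["hosts"].append(ip)
        groups[str(net)]["bytes"] += nbytes
    return dict(groups)


if __name__ == "__main__":
    reflectors = find_reflectors(parse_flows(SAMPLE_FLOWS))
    for ip, pkts, nbytes in reflectors:
        print(f"{ip:<16} ~{pkts:>7} pkts  ~{nbytes / 1e6:.0f} MB")
    for net, info in group_by_prefix(reflectors).items():
        print(net, len(info["hosts"]), "reflector(s)", info["bytes"], "bytes")
```

The report only yields addresses; mapping each one to a responsible operator is the part the comment calls monumental.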
| wtarreau wrote:
| > you're talking about ~2600 independent businesses across
| the world. Assuming you are able to determine the actual
| source of the traffic and work with a vendor to patch it,
| you're still tasked with somehow getting 2600 businesses to
| patch their systems or modify firewall rules.
|
| You can be sure that by only null-routing their entire
| C-class, adjacent customers will loudly complain to the
| operator who will quickly identify the source and disconnect
| it. The best way to deploy fixes on the net has always been
| to first disconnect them. This way you don't have to convince
| anyone, it's done the other way around. Typically the CEO
| will instantly throw all the phones to the trash to get the
| net opened again.
| treesknees wrote:
| In general that's not really an option.
|
| Unless you have coordination with the network operators on
| which those amplifiers are sitting, your null-routing of
| the amplifier in your own network isn't going to stop it
| from attacking other targets. If the amplifier is something
| like a DNS server, then your collateral damage isn't just
| "adjacent customers", it's potentially thousands of other
| users and resolvers on your own network. If those
| amplifiers are on a cloud service provider like AWS, you're
| going to potentially inflict even more pain onto your own
| paying customers who will no longer be able to communicate
| with AWS. You will essentially perform the DoS they were
| aiming for.
| egberts1 wrote:
| unless the amplifier mechanism is widespread.
| DFHippie wrote:
| Concerning this particular vector:
|
| > Approximately 2,600 of these systems have been incorrectly
| provisioned so that an unauthenticated system test facility
| has been inadvertently exposed to the public internet
| Nextgrid wrote:
| We need proper liability laws for malicious traffic.
|
| You are liable unless you can pass off that liability to
| someone else. So the ISP would be liable by default, and would
| have an incentive to filter their customers, or require them to
| abide by certain rules, pass some audits, provide proof of
| insurance or post a large deposit.
|
| You could have insurers who in exchange of automated security
| scans will insure you, solving the problem for end-users at a
| reasonable cost.
|
| This will actually encourage internet users (both consumers and
| businesses) to take security more seriously.
| hombre_fatal wrote:
| Litigation seems too heavy handed for these kinds of attacks.
|
| A major issue here is how your smart toaster or MiVoice box
| can be spamming the internet and there's no real way to
| realize it for most people.
|
| Since you pitched a controversial solution, let me make one
| that's probably even more controversial: maybe bandwidth is
| too cheap. Maybe the problem would fix itself without legal
| hell if your C&C'd smart toaster / VoIP box had an impact on
| your ISP bill instead of being folded into your unlimited
| bandwidth billing.
| sp332 wrote:
| It could be easily solved by the operator, but that doesn't
| mean it's easy for the victims to get the operators to fix
| their stuff. These amplifiers are already run by people who
| ignored the software manufacturer's directions. What are the
| odds they will actually install the new version that's harder
| to abuse?
| amalcon wrote:
| Usually[0] contacting the operator's ISP and informing them
| of the situation will get said ISP to contact said operator.
| All that outbound traffic does represent a cost to the ISP,
| after all. A call from your ISP usually gets a bit more
| respect than a call from some random person.
|
| [0]- In the US; I don't know about anywhere else
| toast0 wrote:
| It really depends on the ISP. After spending some time
| trying to get phishing sources taken down and not getting
| anywhere, I wouldn't be hopeful about DDoS (reflection)
| sources being taken down either. When I was running servers
| that were getting DDoSed frequently (but thankfully for
| short intervals and not with tons of bandwidth), trying to
| get chargen servers or wordpress servers fixed didn't even
| seem like an option. Just make sure _my_ servers wouldn't
| fall over, or at least would fall over gracefully.
| bombcar wrote:
| In the past what usually happens is the ISP disconnects you
| until you prove you've fixed whatever it was (sometimes
| they're nice and block just part of the connection, or give
| you a warning).
|
| Surprisingly enough, the ISP often has no real way of
| contacting anyone; the easiest is to cut the connection and
| wait for a complaint.
| beeforpork wrote:
| On the bright side, we're lucky they did not use a 64-bit int.
| frays wrote:
| Is it just me, or does it seem crazy that we all just accept that
| private businesses are obligated to protect themselves from
| state-sponsored hacking? Imagine if Wal-Mart had to fund a
| private air force and patrol over their stores in order to combat
| foreign bombers coming in and everyone was like, "Yeah, that's
| just how it goes."
|
| Isn't a primary responsibility of government to protect its
| citizens and businesses from other states' militaries?
| YetAnotherNick wrote:
| Yes, it's Walmart's responsibility to protect their customers.
| It's their responsibility that their supply chain is not hacked
| to say distribute poison, it's their responsibility that the
| cameras they use in store are theirs and only they have access,
| it's their responsibility that the card I use in their terminal
| is safe. The example you gave won't be hurting the people,
| otherwise yes if they want to gain trust in dangerous land they
| have to ensure safety of people.
| ActionHank wrote:
| I feel like it more broadly boils down to, if you put it on
| the internet you are responsible for securing it.
|
| If you can't or don't want to secure it, don't put it online.
| jameshart wrote:
| 23 people were killed and 23 more injured in a Walmart in El
| Paso in 2019 in a mass shooting. Is it your position that
| Walmart has sole responsibility for failing to prevent those
| deaths?
| MereInterest wrote:
| In principle, that's what the NSA would be doing. When DES was
| developed and standardized in 1976, the NSA had input in
| selecting some of the constants that were chosen for it [0]. It
| wasn't until the late 80s when independent development of
| differential cryptanalysis [1] came out, and people realized
| that the DES constants were deliberately chosen to be resistant
| to this attack.
|
| The NSA has since turned away from this responsibility, and has
| done the exact opposite. When Dual_EC_DRBG was developed [2],
| there was a similar choice of constants, with the final values
| having been chosen by the NSA. In this case, rather than
| protecting against an attack method known only by the NSA, the
| constants were chosen to allow an attack method known only by
| the NSA.
|
| [0] https://en.wikipedia.org/wiki/Data_Encryption_Standard
|
| [1] https://en.wikipedia.org/wiki/Differential_cryptanalysis
|
| [2] https://en.wikipedia.org/wiki/Dual_EC_DRBG
| helloooooooo wrote:
| Or maybe the choice of Dual EC DRBG constants is intended to
| protect against a new cryptanalysis technique known only to
| the NSA
| vengefulduck wrote:
| I highly doubt it. Dual EC DRBG basically works by
| encrypting your seed value with a NSA provided public key.
| It's kinda amazing how blatant the back door is.
| ruined wrote:
| internal documents leaked by Snowden and reported by the
| NYT confirmed the intent of the program
|
| https://en.m.wikipedia.org/wiki/Bullrun_(decryption_program)
|
| stop simping for the nsa
| kube-system wrote:
| The US government does do quite a bit to protect their citizens
| from electronic attacks. There are organizations like CISA and
| NIST that do a lot of work to help prevent attacks, and the FBI
| and DOJ do a lot of investigative and enforcement work after the
| fact.
|
| For example:
|
| https://www.fbi.gov/investigate/cyber/partnerships
|
| https://www.cisa.gov/stopransomware/ransomware-guide
| [deleted]
| Cthulhu_ wrote:
| Depends. Do you want the government to control the internet?
| mschuster91 wrote:
| Indeed. We definitely need laws to hold companies accountable
| for their IT-related activity.
|
| For one, we need to hold commercial vendors accountable - that
| means especially to refuse to provide security updates for the
| reasonably expected life time of a piece of software or
| hardware.
|
| But especially, we need the companies using IT systems to be
| held accountable. The magic word is "defense in depth" - the
| scenario of the post we're talking about is a piece of
| equipment that was not supposed to be reachable from the
| Internet and despite that knowledge it _was_ made accessible to
| the Internet. Seriously, _anyone_ caught exposing dangerous
| stuff to Shodan should be fined to hell and back. Or to
| continue using your military comparison: most governments have
| laws that call for harsh punishment for "aid to the enemy" or
| similar. Time to update the law to the new digital world.
| dahfizz wrote:
| A failure to defend yourself is not aiding the enemy. That is
| insane.
|
| The government provides for the common security. That's one
| of its most fundamental jobs.
|
| Imagine if your house was destroyed by a Russian drone and
| you were thrown in jail for not having enough "defense in
| depth" against drone strikes.
| mschuster91 wrote:
| > A failure to defend yourself is not aiding the enemy.
| That is insane.
|
| Let's say you are the leader of a border post, and you
| leave your post unmanned allowing the enemy in - of course
| you will be held accountable.
|
| Exposing stuff to the Internet _despite the manufacturer
| warning against it_ is at least grossly negligent and
| should be punished.
|
| We are at war with Russia and China on a nation-state level
| and on top of that we also have cybercrime gangs.
| dahfizz wrote:
| > Let's say you are the leader of a border post, and you
| leave your post unmanned allowing the enemy in - of
| course you will be held accountable.
|
| Yes! Because if you are a member of the state operated
| defense force, then defense is your responsibility. The
| state is responsible for defense.
|
| If on the other hand, you are a civilian who just happens
| to own property near a border, you have absolutely zero
| obligation to defend the border yourself. The same is
| true for businesses near a border.
|
| > We are at war with Russia and China on a nation-state
| level and on top of that we also have cybercrime gangs.
|
| Man, if only society had a way to form some sort of
| governance body which could provide defense against other
| nations and provide some sort of justice system to
| protect against and punish crimes. Oh well, I guess it's
| every man for themselves ¯\_(ツ)_/¯
| jameshart wrote:
| "We are at war with Russia and China on a nation-state
| level"
|
| Not aware of any country in the world that is currently
| in a declared state of war with Russia and China.
| Macha wrote:
| Likewise, if I sell... garden fencing, and the military
| decides to buy it as just another customer, how liable
| should I be if it's easily bypassed?
| wyattpeak wrote:
| > Let's say you are the leader of a border post
|
| Let's not say that. Suggesting that civilians have
| defence duties on par with members of the military is
| ridiculous.
| [deleted]
| [deleted]
| make3 wrote:
| maybe one day when the people in charge are at least somewhat
| technically literate
| g_p wrote:
| Many private businesses already are expected to protect
| themselves from state (and similar capability) physical
| interference and attacks, especially if they are in the supply
| chain of critical infrastructure. It's one of the things you
| have to do effectively to earn profits in that sector.
| gostsamo wrote:
| It is just you. In the physical world a military can observe an
| attack, can announce that it is not cool, and can drive a tank
| through most intruders.
|
| Now ask yourself this question, would you like to give your
| military the full access to your infrastructure together with
| command and control capabilities to do with your devices and
| the software on them as it pleases according to the situation?
| If you actually think that in fact you are not okay with 24/7
| monitoring and management from a centralized government
| institution, you should own up to your desires and get your
| defense together.
|
| Of course, this is a simplistic and extreme scenario. Much of
| the missed part is about availability and basic institutional
| capability for military cyber operations, but the fundamental
| question is: when one demands something from the government,
| what exactly they wish to give up as a consequence of the
| proposed solution.
| freeflight wrote:
| What I find much more crazy is how this is made out as
| _"state-sponsored hacking"_, even tho the article doesn't mention
| with a single sentence who or what the attackers are.
|
| In that context instantly jumping to "state-sponsored!" strikes
| me not only as a needless, but particularly _dangerous_
| escalation.
|
| It's like people forget that "cyber" is most of all
| asymmetrical and attribution is usually more of a guessing game
| than an exact science.
|
| Yet nearly every larger hack is very quickly labeled as some
| kind of _"state sponsored offense!"_ to serve foreign policy
| narratives, and most of all; Excuse the incompetence that often
| enabled such attacks in the very first place.
| jameshart wrote:
| Well stated.
|
| We also have a tendency to conflate the requirements on
| software systems with respect to security threats as being
| somewhat similar to the requirements on other kinds of
| engineering with respect to safety and environmental threats,
| and I think that does a disservice to the vastly different
| scope of responsibility involved.
|
| When I see people arguing that software engineers need to treat
| security as seriously as, say civil engineers treat structural
| stability when designing a bridge, or mechanical engineers
| treat vehicle crash safety, I agree to an extent, but I also
| think it's worth considering:
|
| Most bridges are not designed to actually survive being
| deliberately attacked with the kinds of weapons nation states
| can bring to bear on them. When militaries get involved,
| bridges tend to fail.
|
| Likewise, civilian car safety testing does not make cars that
| are able to survive attacks that nation state actors can carry
| out with things like tanks, mines, or drones.
|
| We need to be realistic in our expectations for what level of
| military threat civilian systems can reasonably be expected to
| deal with unaided.
| tyingq wrote:
| I guess it depends on the analogy, and whether physical
| location means anything for the internet. Piracy of commercial
| ships, for example.
| rocqua wrote:
| That is also very much a problem where states are expected to
| intervene.
| tyingq wrote:
| It seems similar to me. They sometimes intervene, but often
| don't.
| avereveard wrote:
| so, china's internet? because that's what you're actually
| asking when you ask for a policed internet.
| black_puppydog wrote:
| Sorry but Walmart has cameras, guards, and most importantly
| locked windows and doors.
|
| Just because nobody has figured out (or bothered to invest
| into) building the equivalent of basic security doesn't mean
| it's the state's responsibility.
|
| It _is_ the government's responsibility to make sure companies
| take _their_ responsibilities of protecting their customers'
| data, and the internet more broadly from the impact of the
| company's decisions.
| temp8964 wrote:
| How can Walmart defend itself from foreign government's
| attack, with cameras, guards, and most importantly locked
| windows and doors?
|
| Defending internet infrastructure from foreign government's
| attack is not "basic security".
| actually_a_dog wrote:
| You're missing one thing though: North Korea doesn't rob
| Walmarts. Expecting private entities to be able to stand up
| to the kind of attack a hostile nation state can muster is
| unrealistic, and, quite frankly, probably a drag on the
| economy.
|
| Besides, what ever happened to "provid[ing] for the common
| defense?"
| mschuster91 wrote:
| The correct equivalency would be the roads leading to the
| Walmart. If a Walmart were blocked by people pointlessly
| driving on the road to make the Walmart effectively
| unreachable, police would intervene and clear the road of the
| noise.
| goodpoint wrote:
| There is no such thing as a "correct equivalency".
| sp332 wrote:
| I think the question is about foreign government operations.
| If North Korean agents threw up some graffiti on a Wal-Mart
| and stole some soda, the private security would not be
| expected to handle the situation on their own. Even if the
| stakes seem low, that's an international incident.
| cge wrote:
| I think a somewhat comparable scenario could be: it's
| reasonable to expect that Walmart should defend against
| most counterfeit currency on their own. But should they be
| expected to defend against counterfeit currency made with
| state-level resources, such as supernotes with the same
| paper, ink, printing process and security features, where
| there's no guarantee that _any_ reasonable detection method
| will work? This is, interestingly, something that has been
| linked to North Korea as well
| (https://en.wikipedia.org/wiki/Superdollar).
| Cthulhu_ wrote:
| That's... a very weird, reaching argument to make. And also
| not an international incident, since it's just some
| graffiti, not espionage or assassination or whatever. I'm
| not sure what point you're trying to make here.
| Steltek wrote:
| It doesn't seem that far reaching. There's a difference
| between "foreign citizen action" and "foreign government
| action". If another government comes to your territory,
| to break your laws and deprive one of your businesses of
| their property or rights, that's a big deal. But because
| it happens online, it's given a pass and pushed on to
| private individuals to deal with.
| ehnto wrote:
| The original argument is that it's weird private
| businesses have to protect themselves against state
| actors such as foreign governments. The equivalent would
| be if Walmart was expected to protect itself while a
| foreign government's special forces raided their stores.
|
| Of course I'm not sure that's how it's playing out
| anyway, as I'm certain that the relevant three letter
| agencies are interested in foreign state actors' digital
| incursions, it's just a very delicate situation and not
| as simple or clear cut as the Walmart example.
| theamk wrote:
| I am pretty sure that it does not matter who stole the soda
| - North Koreans or locals. Either way it is up to store
| security to catch them and hand over to police. Police may
| then hand NKs over to someone else, but this doesn't change
| what store security must do.
| dahfizz wrote:
| > this doesn't change what store security must do.
|
| There is no _must_ here. The police _must_ deter and
| punish crime. A private entity _may_ hire security if
| they find the police to be ineffective at stopping
| certain crimes. If Walmart was robbed while the security
| guard was off duty, it is still the police's job to
| investigate and arrest the criminal.
| jameshart wrote:
| Honestly, ignoring the state actor part of this, even if a
| bunch of local kids run up and graffiti the outside of a
| Walmart, I don't think we tend to regard it as a
| fundamental failure of Walmart's duty to secure their
| business, or a failure of their architects and security
| staff to do basic diligence or follow best practices to
| allow it to happen.
|
| It's just a criminal act, of which Walmart are the victim,
| and it's the state's job to find and prosecute and deter
| that kind of thing from happening again.
| user-the-name wrote:
| BigComrade wrote:
| wilde wrote:
| We rolled over to state-sponsored election meddling. There's no
| way we're going to care about this.
| kevincox wrote:
| While your logic is solid and I do think this would be ideal I
| struggle to see how this would work.
|
| Dropping bombs on a walmart store is clearly unwelcome, sending
| traffic to walmart's website? Much less clear. You can guess
| based on the traffic pattern but the only way to really know is
| to ask walmart if this is welcome traffic (not just a burst
| because some new product came out). Especially since many cases
| are DoS with encrypted TLS traffic that looks much like any
| other traffic to an outside observer.
|
| However much of the protection is threat of retaliation ("if
| you drop bombs on us we will flatten your country"). So maybe
| that is the solution here, the government should treat these
| attacks as real threats and punish those responsible.
| marcosdumay wrote:
| Well, a government could start by mandating that internet
| peers authenticate their packages, and cutting the access of
| bad actors.
|
| People can't do that, and it's a very basic defense.
| kevincox wrote:
| "Mandate private companies protect their customers" sounds
| very different than "the government should protect
| everyone" even if the result is similar.
| teddyh wrote:
| Start by mandating BCP38 (RFC2827).
| asplake wrote:
| What stops that? (Both its widespread implementation and
| making it mandatory)
| marcosdumay wrote:
| You mean what that protects against?
|
| It provides the first part of my post, authenticating the
| packages.
|
| The second part is cutting out misbehaving connections.
| On this case on the article, it would be trivial, and
| governments should be on the ISPs' shoulders making them
| make calls everywhere and cutting some of their clients.
| But there are many attacks where the ISPs don't have
| enough information to act if they implement something
| like BCP38.
| StartupMemoryLn wrote:
| See: https://blog.cloudflare.com/cve-2022-26143/
|
| or: http://archive.today/TX3t7
| jgrahamc wrote:
| 220 billion percent! And other scary numbers!
|
| Coordinated disclosure:
| https://blog.cloudflare.com/cve-2022-26143/
|
| Info for Cloudflare customers:
| https://blog.cloudflare.com/cve-2022-26143-amplification-att...
___________________________________________________________________
(page generated 2022-03-09 23:00 UTC)