Free Republic

The Democratization of Censorship [Krebs is back]
Krebs on Security ^ | Sept. 16, 2016 | Brian Krebs

Posted on 09/25/2016 1:58:19 PM PDT by snarkpup

As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

...

Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.

...

I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.

(Excerpt) Read more at krebsonsecurity.com ...


TOPICS: Crime/Corruption; News/Current Events; Technical
KEYWORDS: cybercrime; cybersecurity; ddos
Welcome to the Internet of Insecure Things.
1 posted on 09/25/2016 1:58:19 PM PDT by snarkpup

To: snarkpup

Mainard, is that you?


2 posted on 09/25/2016 2:00:46 PM PDT by Paladin2 (auto spelchk? BWAhaha2haaa.....I aint't likely fixin' nuttin'. Blame it on the Bossa Nova...)

To: Paladin2

“Work?”


3 posted on 09/25/2016 2:05:23 PM PDT by sparklite2 (When they play the race card, play the Trump card.)

To: Paladin2

No it’s Maynard’s nephew.


4 posted on 09/25/2016 2:11:08 PM PDT by Robert DeLong

To: snarkpup

5 posted on 09/25/2016 2:15:14 PM PDT by mkmensinger

To: snarkpup
you rang ?
6 posted on 09/25/2016 2:27:17 PM PDT by stylin19a

To: Arthur Wildfire! March
Ping to a good article. Krebs mentions that he protected his domain using Akamai (pro bono). Here's a page describing some protection: https://www.akamai.com/us/en/resources/protect-against-ddos-attacks.jsp but I don't know how they protected Krebs. Note that there are at least two protections: application layer and DNS request flooding protection. I don't know if the attack on Krebs used one or the other or both, but if I had to guess it was not the DNS. But I don't know for sure and the article doesn't say.

Krebs now has his DNS at Google:
Name Server: NS-CLOUD-D1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-D4.GOOGLEDOMAINS.COM

I don't know if that is a new change to go with his new hosting or not. My guess is the DNS server was not attacked, but rather his web server (via IP).

7 posted on 09/25/2016 2:27:42 PM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: Robert DeLong

Thanks. I knew my spelling was wrong but chose to power through...


8 posted on 09/25/2016 2:48:10 PM PDT by Paladin2 (auto spelchk? BWAhaha2haaa.....I aint't likely fixin' nuttin'. Blame it on the Bossa Nova...)

To: snarkpup

What comes after? It’s a hop skip and jump to this.

Alas, Brave New Babylon.

http://www.freerepublic.com/focus/f-bloggers/3058882/posts


9 posted on 09/25/2016 2:56:59 PM PDT by Travis McGee (www.EnemiesForeignAndDomestic.com)

To: Arthur Wildfire! March
Project Shield: https://projectshield.withgoogle.com/public/ Note that they do not (normally) protect blogs, but I guess they made an exception for Krebs. Ultimately they could be the overlords who decide whether your site is protected or not.
10 posted on 09/25/2016 3:00:09 PM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: palmer

Thank you for the information. I just hope Trump can get the federal government’s encryption up to snuff in a hurry.


11 posted on 09/25/2016 3:08:48 PM PDT by Arthur Wildfire! March (Trump Opposed to ICANN reform --China's conquest of internet, Hillary's gatekeeper)

To: Arthur Wildfire! March
Looks like Google is protecting against IP attacks. DNS is not involved other than using Google's DNS servers to look up the IP. If the attackers attack Google's DNS they will probably fail since Google has a very wide footprint and can route DNS requests to servers that are not overloaded.

That said the point remains that Google gets to decide whose IP address is protected and whose is not. So even if I were denied a domain by CHICANN and used IP only, I could still be out of luck. This was a big DDOS attack and those are going to be relatively rare. And Krebs points out there are some solutions to the botnet problem behind the attack. But that doesn't preclude some nation from doing what his enemy did.

In other words, I think while Krebs's point that some average Joe botnet operator now has a lot of power is valid, I think the nation states like China will always have more power.

12 posted on 09/25/2016 3:09:10 PM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: snarkpup

China’s Conquest of Internet, ICANN + Quantum Encryption

http://www.freerepublic.com/focus/news/3473008/posts


13 posted on 09/25/2016 3:09:23 PM PDT by Arthur Wildfire! March (Trump Opposed to ICANN reform --China's conquest of internet, Hillary's gatekeeper)

To: Arthur Wildfire! March
Looks like Google is protecting against IP attacks. DNS is not involved other than using Google's DNS servers to look up the IP. If the attackers attack Google's DNS they will probably fail since Google has a very wide footprint and can route DNS requests to servers that are not overloaded.

That said the point remains that Google gets to decide whose IP address is protected and whose is not. So even if I were denied a domain by CHICANN and used IP only, I could still be out of luck. This was a big DDOS attack and those are going to be relatively rare. And Krebs points out there are some solutions to the botnet problem behind the attack. But that doesn't preclude some nation from doing what his enemy did.

In other words, I think while Krebs's point that some average Joe botnet operator now has a lot of power is valid, I think the nation states like China will always have more power.

However, one thing that Krebs may be overlooking or is not commenting on here is that likely 100% of the cheap crap, specifically

There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

is made in China. China is literally building an army of insecure devices waiting to be enslaved and used by people like Krebs's enemy. China might just not care and might just want to corner the market like any other. And certainly the ISPs that hand this crap out deserve some blame. But it is quite plausible for China to enslave those junk devices themselves. The fact that other people in other countries do that already gives them a lot of cover.

14 posted on 09/25/2016 3:25:44 PM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)
