The full story is admittedly lengthy, clocking in at over 8000 words, but worth the time to understand how botnet wranglers make money siccing their zombie device armies on unsuspecting targets. The sources that pointed Krebs to Anna Senpai’s identity were involved in using botnets on behalf of shadowy clients, unleashing them on security companies protecting lucrative Minecraft servers that host thousands of players. When their online gaming is obstructed — say, by repeated and annoying DDoS attacks — players leave, giving servers an incentive to jump ship to whichever security provider can ensure protection…in this case, providers that arranged for the botnet attacks in the first place.
Interestingly, this type of attack is not unprecedented. According to documents leaked by National Security Agency whistleblower Edward Snowden, the NSA and British intelligence services used a system dubbed “QUANTUM” to inject content and modify Web results for individual targets that appeared to be coming from a pre-selected range of Internet addresses.
The Network Time Protocol (NTP) Reflection attack exploits a timing mechanism that underpins a way the internet works to greatly amplify the power of what would otherwise be a small and ineffective assault.
The OpenNTPProject can help administrators determine if their servers are vulnerable.
Bitcoin users have echoed that suggestion. “One note of warning: don’t trust any online wallet,” read a comment on a recent Guardian feature. “The two biggest ones have already been robbed. Use your own wallet on your own computer and back it up on a USB stick.”
“Remember, you don’t have to keep your Bitcoins online with someone else: you can store your Bitcoins yourself, encrypted and offline,” said Ducklin at Sophos.
But the DDoS protection vendor said the high packet-per-second (pps) rates, which averaged 32.4Mpps, were of more concern, especially for those operating at the ISP level. That’s because “most mitigation equipment tends to be limited by pps capacity, not Gbps”, the report read.
CloudFlare CEO Matthew Prince tells a harrowing story of warding off the internet attack after Spamhaus hired him—which is certainly true—but warns us of existential threats to the net still lurking out there, like lost Soviet nukes:
This would be so terrifying if it weren’t advertising. Prince, of course, is in the business of selling protection against online attacks. And his company is, as far as I can tell, pretty good at this business. But he’s also clearly in the business of scaring people: in his blog post today, he warns that the Spamhaus attack “may prove to be relatively modest” compared to what comes next. Bigger nukes, I suppose.
Here’s another excerpt on the latest DDoS kerfuffle that made a lot of news recently.
So what’s the answer? Short of shutting down all 27 million resolvers, the Open DNS Resolver Project and others such as DNS service provider Afilias recommend the implementation of source address validation. An IETF RFC, BCP-38, exists that spells out how to use source address validation and build such an architecture to defeat IP source address spoofing.
According to the article, one component of implementing this requires cooperation from ISPs, who may not see it as a priority.
The group went on to detail how it knocked the front door down (only Amazon.com’s front page was offline), with a large “botnet” or network of thousands of computers working together.
Interesting. Looks like a distributed denial of service (DDoS) on the granddaddy of the data center and cloud computing industry. Amazon was down for only 49 minutes. It will be interesting to hear the inside baseball techie talk as to how this happened and how Amazon recovered.
Part of the Transmission Control Protocol (TCP) specification, RFC 1122, allows a receiver to advertise a zero-byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready to accept data. Narrow interpretation of this part of the specification can create a denial-of-service vulnerability. By advertising a zero receive window and acknowledging probes, a malicious receiver can cause a sender to consume resources (TCP state, buffers, and application memory), preventing the targeted service or system from handling legitimate connections.
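One sender-side mitigation for the zero-window problem above is to cap how long a connection may sit in the persist state before its TCP state and buffers are reclaimed. The model below is an added example written for this post, not code from the page or from any TCP stack; the `Sender`/`Connection` classes, the 60-second `PERSIST_LIMIT_SEC` policy and the peer names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSIST_LIMIT_SEC = 60.0  # assumed policy: max time a peer may hold rwnd=0


@dataclass
class Connection:
    peer: str
    zero_window_since: Optional[float] = None  # when the peer first sent rwnd=0
    buffered_bytes: int = 0                    # unsent app data held for the peer
    aborted: bool = False


class Sender:
    """Toy sender that tracks zero-window persist time per connection."""

    def __init__(self, persist_limit: float = PERSIST_LIMIT_SEC) -> None:
        self.persist_limit = persist_limit
        self.conns: Dict[str, Connection] = {}

    def open(self, peer: str) -> None:
        self.conns[peer] = Connection(peer)

    def queue(self, peer: str, nbytes: int) -> None:
        c = self.conns[peer]
        if not c.aborted:
            c.buffered_bytes += nbytes  # application data waiting on the window

    def on_ack(self, peer: str, rwnd: int, now: float) -> None:
        """Handle an ACK or window-probe reply carrying the advertised window."""
        c = self.conns[peer]
        if c.aborted:
            return
        if rwnd == 0:
            if c.zero_window_since is None:
                c.zero_window_since = now  # enter persist state, start the clock
        else:
            c.zero_window_since = None     # window reopened, persist clock cleared

    def reap(self, now: float) -> List[str]:
        """Abort connections stuck at rwnd=0 past the limit; return their peers."""
        reaped = []
        for c in self.conns.values():
            if (not c.aborted and c.zero_window_since is not None
                    and now - c.zero_window_since > self.persist_limit):
                c.aborted, c.buffered_bytes = True, 0  # free state and buffers
                reaped.append(c.peer)
        return reaped

    def buffered_total(self) -> int:
        return sum(c.buffered_bytes for c in self.conns.values() if not c.aborted)
```

A peer that reopens its window within the limit keeps its connection and queued data; one that keeps answering probes with a zero window past the limit is dropped and its buffers are freed.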