DDoS or how we lost our games to a Lizard

These amplification attacks rely on spoofing ... why the fuck in this day and age can we still spoof our IPs with so many ISPs? Routers should have been designed long ago to allow them to do ingress/egress filtering by default (they can do it, but it takes scarce resources). The problem is perverse incentives ... on average DDoSes don't generate losses for the big networks and ISPs so they aren't in a hurry to solve it.
 
Changing the password at least makes the internet modem a bit harder to hack for the most basic script kiddie.
Turn off web configuration, there's no reason to have it enabled for regular Joe Schmoes, then it doesn't matter what your password is because you have to be on your own private network to try and get past it, and if some baddie has physical access to your devices you've already lost anyway. :p They could just do a hard reset on your modem/gateway and restore the default password that way if you changed it...
 
These amplification attacks rely on spoofing ... why the fuck in this day and age can we still spoof our IPs with so many ISPs? Routers should have been designed long ago to allow them to do ingress/egress filtering by default (they can do it, but it takes scarce resources). The problem is perverse incentives ... on average DDoSes don't generate losses for the big networks and ISPs so they aren't in a hurry to solve it.

There's a very simple reason why: IP addresses are portable, routing can be very asymmetric, and a simple multicast-style reverse path forwarding check is fraught with danger. It's very easy to blackhole multicast traffic on large networks, let alone the internet; you would break legitimate traffic.

Other solutions exist but I don't know if they can scale to these DDoS sizes.
 
The problem is the modem is still accessible from the WAN although the setting is already set to Local-only.
For example, on my ADSL modem, telnet still runs over the WAN.

Default firmware is just not good :(

There are also some modems that use a special port that is always open.

Ars had a good article about modem security a while ago but I did not bookmark it.
 
There's a very simple reason why: IP addresses are portable

Smaller and smaller blocks can move around, but that's not really a problem. The ISPs know what IPs they route traffic to, or they couldn't route it in the first place ... all the data necessary for the filtering is present in the routers. A tiny subset of their customers will have multiple upstream links with internal routing and they should just be contractually obliged to do egress filtering. For the vast majority of people on the internet it's trivial for the ISPs to do ingress filtering, there is no reason to let me spoof ... they don't let me multicast to begin with.
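As an added example (not code from anyone in this thread), here is a toy model of the ingress checks the two posts above argue about: strict uRPF against the router's own FIB, loose uRPF, and a per-customer-port ACL of the kind the reply says ISPs could trivially apply. The prefixes, interface names and packets are constructed, and the multi-homed customer shows the asymmetric-routing case where strict uRPF drops legitimate traffic while the ACL does not.

```python
# Added example (not from this thread): a toy model of the ingress checks
# the two posts above argue about. Prefixes, ports and packets are constructed.
from ipaddress import ip_address, ip_network

# Constructed FIB: destination prefix -> interface the router forwards on.
FIB = {
    ip_network("203.0.113.0/24"): "cust1",    # single-homed customer
    ip_network("198.51.100.0/24"): "cust2",   # multi-homed customer
    ip_network("192.0.2.0/24"): "upstream",   # cust2's other prefix, best
                                              # route learned via upstream
    ip_network("0.0.0.0/0"): "upstream",      # default route
}

# Constructed BCP 38 style ACL: sources each customer port may emit.
# cust2 may also source 192.0.2.0/24, which the FIB routes out upstream:
# the asymmetric case the reply about portable addresses warns about.
ACL = {
    "cust1": [ip_network("203.0.113.0/24")],
    "cust2": [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")],
}

def fib_lookup(addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best]

def strict_urpf(src, in_iface):
    """Strict uRPF: accept only if the route back to src exits via the
    port the packet arrived on. Breaks on asymmetric routing."""
    return fib_lookup(ip_address(src)) == in_iface

def loose_urpf(src):
    """Loose uRPF: accept if any non-default route covers src. Tolerates
    asymmetry but lets a customer spoof any routable address."""
    a = ip_address(src)
    return any(a in n for n in FIB if n.prefixlen > 0)

def acl_filter(src, in_iface):
    """Per-port ingress ACL: accept only sources assigned to that customer."""
    return any(ip_address(src) in n for n in ACL.get(in_iface, []))

def evaluate(src, in_iface):
    """Verdict of each check for a packet with source src on port in_iface."""
    return {"strict": strict_urpf(src, in_iface),
            "loose": loose_urpf(src),
            "acl": acl_filter(src, in_iface)}
```

Running `evaluate("198.51.100.7", "cust1")` shows loose uRPF accepting a customer spoofing a neighbour's prefix, while `evaluate("192.0.2.9", "cust2")` shows strict uRPF rejecting the multi-homed customer's legitimate traffic that the ACL accepts.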
 
If ya think DNS and NTP amplification is bad, SNMP has GIGANTIC theoretical amplification factors... hold on to yer butts.
 
Don't use WPS, it is insecure. Last time I read it on Ars Technica and tried it myself in a shopping mall.
The PIN-variety of WPS, if left enabled after setup, is subject to brute force attack. But not the other varieties of WPS, nor if you disable WPS after setup. It's there to get your router up and running, not really meant as a long-term security solution for the router.

Turn off web configuration, there's no reason to have it enabled for regular joe schmoes,

There are remote root exploits that don't require remote (web) configuration to be enabled. That's just another one :yep2:
 
There are remote root exploits that don't require remote (web) configuration to be enabled. That's just another one :yep2:
These sorts of exploits aren't likely to be stopped by a custom password, though. They rely on fundamental flaws in the firmware.
 
These sorts of exploits aren't likely to be stopped by a custom password, though. They rely on fundamental flaws in the firmware.

Changing the admin password will, for many SOHO routers, change root because 'admin' is actually root. So the exploits relying on default root passwords will be defeated by changing the password.

Some custom firmware will let you have separate root and admin accounts for control of the router, so you'd want to make sure both weren't the default passwords, or easily guessable ones.
 
But even worse, some modems also have a hidden port that can be accessed with a default (undocumented) password that is still active even after disabling web access and changing the admin password.

There was a series of 3 or more articles from Ars Technica about this issue. It's just unbelievable how bad the security practices of consumer-grade internet modems are.

I think some of the editors also promised to make a "best practice" for internet security. But it was months ago and it is quite normal for Ars Technica to take their sweet time to write an article :/ (if they do make it)
 
Well it went down yesterday around lunch time in the UK, so applying the drama queen multiplication system I guess you can call it 3 days.
 
3 days or not, these attacks are really starting to get on my tits.

Do they seriously have nothing better to do?
Is this their way to be seen and hopefully picked up by big tech companies as their new 'wizards'?
Can't they just go for a bloody job interview like everyone else without the need to disrupt everyone else's services?

And of course, can't these big tech companies protect themselves better? Sony especially seems to be entirely in the hands of anyone who is willing to attack them and shut them down for days.

The whole thing is getting very old very fast.
 
Well it went down yesterday around lunch time in the UK, so applying the drama queen multiplication system I guess you can call it 3 days.

2 days then, and I will be back tomorrow to add my drama queen 3rd day!

And to quote my original post:
What are the options, how do the big providers of games and services avoid stuff like this in the future, where the damage can only increase?

I think both Sony and Microsoft (maybe Nintendo as well) need to incorporate some kind of offline mode, many games run on different servers anyway, Destiny has its own servers, it's just the sign-in that is missing. The weird thing is, GT6 updated just fine, and registered my login, maybe I was lucky or maybe GT6 has its own online mode.
 
I figured out yesterday that I could still play Terraria as long as I yanked the ethernet before booting the PS4. Way too many blocking network calls in the PS4 operating system if you ask me.
 
Xbox Live has been problematic too for the past couple of days. It seems no one has their shit together.
 
It's not as easy as it sounds to just stop this. Mainly because if you start dropping traffic, you also drop too much legitimate traffic.
And when you start looking at what traffic to drop, your hardware just cannot cope with the checks, it's just too much traffic to check.

So you need to go after the sources, which is of course not that easy since it's mostly amplification attacks. I.e. the whole botnet sends something to a bunch of servers and asks for tons of info and fakes the return address to be Sony or MS instead of the machine requesting the info.
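Because the post above describes reflection with a faked return address, the victim ends up receiving UDP answers it never sent a query for. The following is an added example, not code from anyone in this thread, that flags such unsolicited responses from common reflector ports in constructed flow records; it assumes records arrive in time order so a request is seen before its answer, and the victim address is a constructed placeholder.

```python
# Added example (not from this thread): detect reflected responses at the
# victim. Flow records are constructed netflow-style 5-tuples plus bytes.
from collections import defaultdict

# UDP services commonly abused as reflectors (the thread names DNS, NTP, SNMP).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 19: "chargen"}
VICTIM = "203.0.113.10"   # constructed address of the protected host

# (src_ip, src_port, dst_ip, dst_port, proto, bytes); constructed sample.
FLOWS = [
    (VICTIM, 40001, "198.51.100.53", 53, "udp", 60),     # our own DNS query
    ("198.51.100.53", 53, VICTIM, 40001, "udp", 120),    # ...and its answer
    ("192.0.2.7", 123, VICTIM, 80, "udp", 4400),         # unsolicited NTP
    ("192.0.2.8", 123, VICTIM, 80, "udp", 4400),
    ("192.0.2.9", 161, VICTIM, 443, "udp", 9000),        # unsolicited SNMP
    ("192.0.2.9", 53, VICTIM, 53, "udp", 3000),          # unsolicited DNS
]

def unsolicited_responses(flows, victim):
    """Return inbound UDP flows from reflector ports lacking a prior request.

    Assumes flows are in time order, so the victim's own outbound request is
    recorded before the matching answer arrives.
    """
    requests = set()   # (our_port, peer_ip, peer_port) the victim initiated
    hits = []
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if src == victim:
            requests.add((sport, dst, dport))
        elif dst == victim and sport in REFLECTOR_PORTS:
            if (dport, src, sport) not in requests:
                hits.append((src, REFLECTOR_PORTS[sport], nbytes))
    return hits

def bytes_by_service(hits):
    """Aggregate flagged bytes per reflector service to see what is abused."""
    totals = defaultdict(int)
    for _, service, nbytes in hits:
        totals[service] += nbytes
    return dict(totals)
```

The per-service totals are what you would feed into an upstream filter request (for example, rate-limiting inbound UDP from port 123) without touching the legitimate DNS answer in the sample.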
 
It's not as easy as it sounds to just stop this. Mainly because if you start dropping traffic, you also drop too much legitimate traffic.
And when you start looking at what traffic to drop, your hardware just cannot cope with the checks, it's just too much traffic to check.

So you need to go after the sources, which is of course not that easy since it's mostly amplification attacks. I.e. the whole botnet sends something to a bunch of servers and asks for tons of info and fakes the return address to be Sony or MS instead of the machine requesting the info.

But for some reason Microsoft seems better at "fixing" these things. So there must be other ways to handle problems like this.
More spare servers that aren't known but only spin up when the main servers are down? Aggressive rotation of IP addresses. Servers spread over many providers? Sony seems so weak and vulnerable, I have very little confidence in them learning anything from when they were down for 23 days :-/

Imho it's getting to a point where there needs to be a way more robust offline mode that doesn't strip every feature of the games that rely on an online connection. I can live without Trophies, the PSN shop, hell even without party mode. But gimme my GT6 online connection when I want to try the new Vision GT Mazda, let me play the daily in Destiny, too much stuff breaks because of the always-on requirements.

Ohh and I expect to get the offline time added to my paid subscription.
 
But for some reason Microsoft seems better at "fixing" these things. So there must be other ways to handle problems like this.

Speaking about fixing things, here is what the Anonymous group has said about things on Twitter, when they were targeting LizardSquad last night and this morning.

[image: AnonProtection.png]
FYI: Xbox Live has been fine for me the entire day Friday, however I have not been purchasing items and I might just be in an area they fixed first. Right now MS says there may be some issues with purchasing and multiplayer games (5:56 pm EST). However, their status page isn't as quick to update once things are working. https://support.xbox.com/en-US/xbox-live-status
 