DDoS, or how we lost our games to a Lizard

Also, in related news, LizardSquad is in the process of attempting to take over the TOR network by means of spinning up a MFT of Tor Relay nodes (~ 3000) using Google Cloud Services. I think there's around 8000 Relay Nodes now. Once you have over 50% of the TOR Nodes, you essentially control the network. However, there are measures to minimize this possibility by limiting new nodes to 20Kbps traffic for a few days (3?).

Sources:
https://twitter.com/kaepora/status/548530922422026240/photo/1
http://www.businessinsider.com/report-lizard-squad-attacking-tor-2014-12
 
Some additional information from earlier today about XBL and PSN from the Anonymous group on Twitter.

[Attached image: AnonProtection_XBL_PSN.png]
 
These guys need to have a more organised message rather than just trying to piss off as many people as possible.

That's just the thing, the group LizardSquad doesn't have any real message. They claim they do, but that's a lie. They may create some silly nonsensical message as a false justification for their script-kiddie stupidity. The real sad part is the online news sites eat it up and give them the desperate attention they're seeking. They're too immature to have any pertinent message to share.
 
Who is this "Anonymous Group"? Are they hackers, or people who are involved in fixing the problems? Their messaging is confusing.
 
Interesting article I saw on GAF in relation to this: http://www.eurogamer.net/articles/2011-02-21-the-boy-who-stole-half-life-2-article

It's a short article about the kid who stole Half-Life 2 in 2004. Not directly related to the recent DDoS, but it's amazing how smart these kids are.

Anyways Destiny was unplayable most of yesterday for me, but it came up in the early morning about 3 AM (just in time for Xur) and was fine until I went to bed several hours later. Not sure about today, I'll try soon.
 
Not surprising that they're scornful of Sony.

Also, it's not at all clear that MS and Sony are/were being attacked with the same ferocity. The original attacks were on Sony.
 
Speaking about fixing things, here is what the Anonymous group has said about things on Twitter, when they were targeting LizardSquad last night and this morning.


[Attachment 515: screenshot of the tweet]

Not claiming that I am very proficient in DDoS stuff, but that tweet is just dumb. It's not like there is a firewall patch/update that can fix a DDoS attack.
DDoS is about overwhelming the target with traffic, not about exploiting a security issue on the target or sneaking past a firewall rule. To be successful it's enough to generate enough data that the links to the target systems/data centers are saturated, that's it.

People on here talk about weak CPUs in this gen of consoles and low bandwidth; it's just the same with the internet. The routers/switches are the weak CPUs and the links to/from data centers are the bus speed. It's just about clogging that system.
The real fix is to fix the spoofing.

As for MS doing better than Sony, sure, why not. Sony is renting their servers/infrastructure I believe, while MS is using its own Azure cloud, so they probably have more expertise directly available. Sony might have to go to Rackspace, Akamai, etc., whoever they have deals in place with.

Some info about DDoS from Cloudflare, it's a nice primer for anybody interested.

https://www.cloudflare.com/ddos

And if more ISPs followed BCP 38, it would also help, then again there are consequences :D
BCP 38 is an old spec, it's from 2000: https://tools.ietf.org/html/bcp38

Then again, coming from the cheap-ass networking world, enabling it just means that the ISP is enabling DoS on their own edge equipment :D
 
Who is this "Anonymous Group"? Are they hackers, or people who are involved in fixing the problems? Their messaging is confusing.

The trouble with unofficial groups is that the users, message, and purpose come and go but the name stays the same.

In this situation, the Anonymous group are hackers working to restore the online systems for XBLive and PSN. They set out targeting the DDoS systems that LizardSquad (script-kiddie DDoS group) was using. They (Anonymous) may also have been in positions to adjust certain network routers and firewalls to further mitigate the attacks. Though from their other tweets, it seems like they were able to knock out a portion of the botnet used by LizardSquad.

It's not rare to see hacker groups attack other hacker groups as their purposes and actions conflict with one another.
 
Yeah, these groups are all so loosely organized. There's not even one such thing as "anonymous", I'm sure. It's all like fourth-hand information we get.

Apparently the reason DDoS works is because the internet is based on an old protocol from the '70s (TCP/IP). As long as it's based on that (and it's implied changing it would be a monumental effort unlikely to happen), DDoS will be impossible to fully stop, apparently. The only foolproof way is to make users sit in a queue while it's verified they are legit, which of course makes the cure as bad as the disease.

That info is probably completely wrong and somebody will correct me.
 
If all border routers verified that packets emerging from within their networks have IPs corresponding with the range assigned to it (and nuked packets that don't match), IP spoofing would be a significantly less powerful tool. It would make it harder to hide the location you're sending from, and it would make packet amplification attacks harder as well.
 
http://www.dailydot.com/technology/lizard-squad-hackers/

Some Tier 1 ISP routers have been hacked and used to send traffic of 1.2 terabits per second.

That is not correct; the size of the DDoS is claimed to be 1.2 terabits.
They claim to have hacked some routers and core network components.

I have not seen anything about what kind of DDoS attack this is, but to create 1.2 terabits you need quite a big botnet or something that really amplifies.

BoardBonobo mentioned in another thread about some google maps plugin for WP/Drupal that might be a source.
Looking at akamai for DDoS attack types, most of it is SSDP (UPnP) and then NTP etc.
http://www.stateoftheinternet.com/t...al-ddos-attack-sources-types-and-targets.html

Speculating wildly, based on that article in the dailydot and the akamai info, I would guess that they are doing multiple types at the same time.
And stretching even further, by believing that they have hacked core network equipment close to Sony and MS, I would guess that they are doing SNMP amplification attacks with local network equipment where MS & Sony servers are located.
This has a twofold effect: the servers get a lot of extra traffic and the routers/switches also get bogged down with collecting and sending the data to the servers. I.e. you saturate the links going to the servers and slow down the network equipment by taxing the CPU with extra work.

IMHO the only, if any, sophistication in this attack, is the coordination of multiple attack types if that is what is going on....

And the line about big enough budget, well anybody can do anything with big enough budget.

My solution would be to put up a big reward so that somebody would inform on their best friend and then send a spec ops team to kill them as a deterrent for the next group that wants to do this.
Might not be very feasible, but if they can ask for big enough budget, I can add any means is fair :p

Now please let me login to PSN so I can upgrade gjallarhorn :D
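The post above reasons about amplification (SSDP, NTP, SNMP) and about several attack types running at the same time. The following is an added illustration, not code from the thread or from any party it mentions: a back-of-envelope model in which every spoofed request carries the victim's address as its source, so the reflector's larger reply lands on the victim. The request/response sizes are constructed round numbers chosen for readable arithmetic, not measured figures for any real protocol.

```python
"""Back-of-envelope model of a reflection/amplification DDoS.

Added illustration, not code from the thread. Request/response sizes are
constructed round numbers, not measured values for SSDP, NTP or SNMP.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Reflector:
    """A UDP service that answers a small request with a large reply."""
    proto: str
    request_bytes: int   # bytes the attacker sends, source spoofed to the victim
    response_bytes: int  # bytes the reflector then sends to the victim

    @property
    def amplification(self) -> float:
        """Bandwidth amplification factor: reply size over request size."""
        return self.response_bytes / self.request_bytes


def victim_load_bps(attacker_uplink_bps: float,
                    mix: list[tuple[Reflector, float]]) -> float:
    """Traffic arriving at the victim when the attacker splits its uplink
    across reflector types.

    mix is a list of (reflector, share of attacker uplink spent on it).
    Because each request's source is the victim, every reply goes to the
    victim, scaled by that reflector's amplification factor.
    """
    if sum(share for _, share in mix) > 1.0 + 1e-9:
        raise ValueError("uplink shares exceed 100%")
    return sum(attacker_uplink_bps * share * refl.amplification
               for refl, share in mix)


def link_is_saturated(load_bps: float, link_capacity_bps: float) -> bool:
    """The attack succeeds once reflected traffic meets or exceeds the
    victim's inbound link capacity; nothing on the victim host is exploited."""
    return load_bps >= link_capacity_bps


# Constructed reflector profiles (illustrative only).
SSDP = Reflector("ssdp", request_bytes=100, response_bytes=3000)   # 30x
NTP = Reflector("ntp", request_bytes=50, response_bytes=25000)     # 500x
SNMP = Reflector("snmp", request_bytes=100, response_bytes=600)    # 6x


def demo() -> dict:
    """Attacker with 1 Gbit/s of spoofing capacity vs a victim on a 10 Gbit/s link."""
    uplink = 1e9
    link = 10e9
    ssdp_only = victim_load_bps(uplink, [(SSDP, 1.0)])
    snmp_only = victim_load_bps(uplink, [(SNMP, 1.0)])
    combined = victim_load_bps(uplink, [(SSDP, 0.5), (NTP, 0.3), (SNMP, 0.2)])
    return {
        "ssdp_only_bps": ssdp_only,
        "snmp_only_bps": snmp_only,
        "combined_bps": combined,
        "ssdp_only_saturates_10g": link_is_saturated(ssdp_only, link),
        "snmp_only_saturates_10g": link_is_saturated(snmp_only, link),
        "combined_saturates_10g": link_is_saturated(combined, link),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the numbers make: a 6x reflector alone does not fill a 10 Gbit/s link from 1 Gbit/s of spoofed requests, a 30x one does, and mixing in a high-ratio reflector for part of the uplink pushes the total far beyond either. None of it works without the ability to put the victim's address in the source field, which is what the BCP 38 discussion in the thread is about.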
 
X-Live was down maybe a little over an hour for me yesterday in the middle of watching Youtube.

After Live was back up, it had kicked back to the Youtube sign-in app on X1 a couple of times since, but Live was up for the other apps.

An annoying thing about the Youtube app is you have to go to a PC or other device to re-authorize my X1 to sign in when it kicks you out. I wish there was a way for me to enter my account info for Youtube on the X1 since it uses a different email than my Live account.

After re-authorizing, it was good to go.
 
If all border routers verified that packets emerging from within their networks have IPs corresponding with the range assigned to it (and nuked packets that don't match), IP spoofing would be a significantly less powerful tool. It would make it harder to hide the location you're sending from, and it would make packet amplification attacks harder as well.

Yes, BCP 38, but the big question is: can the border routers handle the extra workload without bogging down and basically doing a DoS on themselves?
BCP 38 wants it even further out, if I interpret it correctly, on DSLAMs, CMTSs and edge switches; lots of old, not very powerful equipment out there....
 
Yeah, these groups are all so loosely organized. There's not even one such thing as "anonymous", I'm sure. It's all like fourth-hand information we get.

Apparently the reason DDoS works is because the internet is based on an old protocol from the '70s (TCP/IP). As long as it's based on that (and it's implied changing it would be a monumental effort unlikely to happen), DDoS will be impossible to fully stop, apparently. The only foolproof way is to make users sit in a queue while it's verified they are legit, which of course makes the cure as bad as the disease.

That info is probably completely wrong and somebody will correct me.

Correction coming up, no not really.

But, yes, TCP/IP is old, but it's old, proven technology. Would you want somebody to design some new protocols and some people to implement them in software and deploy them on hardware worldwide? Assuming that we can reuse all the network equipment and computers and it's just an OS patch and firmware upgrades? Lovely new code, probably free of any bugs....

If we go down that route, I want to be in on the consulting gig to do it and the following cleanup work :D
I probably should invest in a popcorn and soda making factory at the same time...
 
The weird thing is, when PSN was back online for me, it was still offline for 90% of my friends in my country. Only me + 1 friend were able to get online. I have tried disconnecting and connecting from US and Asia accounts; both take a long time to connect but I can get online, while my friends can't.
 
Yes, BCP 38, but the big question is, can the border routers handle the extra workload without bogging down and basically doing a DoS on themselves.
Sounds like something that could be pipelined quite easily within the router; it could be handled separately from the actual routing. In any case, problems like these are meant to be solved and not just thrown aside because they might be difficult or inconvenient. It should be obvious to anyone that internet terrorism is a problem growing by leaps and bounds: everyone from nation states waging low-intensity conflicts to organized crime doing it for profit, down to sociopathic individuals banding together and doing it purely for the lulz (except when stupid egomaniac and narcissist Kim Shithead rewards them financially for their despicable behavior.)

It's not going to work having reliable internet services when the pipes at end users are getting to the point of being able to shove tens, sometimes hundreds of megabits per second into the network. Round up a few thousand or tens of thousands in a botnet and you can sink or at least seriously disrupt just about anything if you know what you're doing.

We're going to HAVE to take steps to plug up the IP spoofing hole, at least as best as we can. We HAVE to shut down packet amplification vectors, including open DNSes, time servers and so on. If the operators of these services won't comply, then they must be forcibly disconnected from the net for the sake of all the rest of us. The same goes for zombie devices, by the way, up to proactively disconnecting entire ISPs if they don't deal with their zombie problem or allow botnet or malware C&C servers to reside inside their network.

Otherwise we're gonna get fucked, big-time, again and again, and it's just going to get worse as time goes on.
 
Sounds like something that could be pipelined quite easily within the router, it could be handled separately to the actual routing. In any case, problems like these are meant to be solved and not just thrown aside because they might be difficult or inconvenient.

In my experience it's more that people have no clue about BCP 38, but it's my opinion that we need hardware upgrades to do it, because a lot of the stuff out there is so old and admins are scared of what will happen if they put the extra burden on it.
It just comes down to getting people to pay for the performance, all the way from the owners to the bean counters all the way down to us, the end users.
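Several posts above describe BCP 38 ingress filtering (drop packets whose source address does not belong to the prefix assigned to the interface they arrived on) and the consequences of enabling it. The following is an added illustration, not code from the thread or from any router vendor: a software model of the check, with a strict per-interface mode and a loose mode that only requires the source to belong to some prefix the operator assigns at all. The interface names, prefixes and packets are constructed; real equipment does this in forwarding hardware (as a uRPF check or an ingress ACL), which is where the workload concern in the thread comes from.

```python
"""Source-address validation at a network edge, BCP 38 / RFC 2827 style.

Added illustration, not code from the thread. Interfaces, prefixes and
packets are constructed (documentation address ranges); 192.0.2.10 plays
the victim of a reflection attack and 192.0.2.123 an open reflector.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable

Packet = dict  # keys: "iface" (arrival interface), "src", "dst"


def _parse(iface_prefixes: dict[str, list[str]]) -> dict[str, list]:
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in iface_prefixes.items()}


def build_strict_filter(iface_prefixes: dict[str, list[str]]) -> Callable[[Packet], bool]:
    """Accept a packet only if its source lies in a prefix assigned to the
    interface it arrived on; anything else is treated as spoofed."""
    nets = _parse(iface_prefixes)

    def allow(pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt["src"])
        # Unknown interface: fail closed, nothing is legitimately sourced there.
        # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
        return any(src in net for net in nets.get(pkt["iface"], []))

    return allow


def build_loose_filter(iface_prefixes: dict[str, list[str]]) -> Callable[[Packet], bool]:
    """Loose variant: the source must belong to some prefix assigned anywhere
    on this box, regardless of interface. Survives asymmetric routing for
    multihomed customers (the trade-off RFC 3704 describes) but no longer
    catches a customer spoofing a neighbouring customer's prefix."""
    all_nets = [net for nets in _parse(iface_prefixes).values() for net in nets]

    def allow(pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt["src"])
        return any(src in net for net in all_nets)

    return allow


def apply_filter(packets: Iterable[Packet],
                 allow: Callable[[Packet], bool]) -> tuple[list[Packet], list[Packet]]:
    """Split traffic into forwarded and dropped, as the edge device would."""
    forwarded: list[Packet] = []
    dropped: list[Packet] = []
    for pkt in packets:
        (forwarded if allow(pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed topology: two customer-facing interfaces and their assigned prefixes.
ASSIGNED = {
    "dsl0": ["203.0.113.0/24"],
    "cable1": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed traffic leaving the customers towards the internet.
SAMPLE_PACKETS: list[Packet] = [
    {"iface": "dsl0", "src": "203.0.113.7", "dst": "192.0.2.123"},      # legitimate
    {"iface": "dsl0", "src": "192.0.2.10", "dst": "192.0.2.123"},       # victim spoofed: reflection attempt
    {"iface": "cable1", "src": "198.51.100.200", "dst": "192.0.2.123"}, # outside the /25: spoofed
    {"iface": "cable1", "src": "2001:db8:1::42", "dst": "2001:db8:ffff::1"},  # legitimate IPv6
    {"iface": "dsl0", "src": "198.51.100.9", "dst": "192.0.2.123"},     # cable1's prefix on dsl0
]


def demo() -> dict:
    strict_fwd, strict_drop = apply_filter(SAMPLE_PACKETS, build_strict_filter(ASSIGNED))
    loose_fwd, loose_drop = apply_filter(SAMPLE_PACKETS, build_loose_filter(ASSIGNED))
    return {
        "strict_forwarded": [p["src"] for p in strict_fwd],
        "strict_dropped": [p["src"] for p in strict_drop],
        "loose_forwarded": [p["src"] for p in loose_fwd],
        "loose_dropped": [p["src"] for p in loose_drop],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both modes drop the packet that carries the victim's address, which is the one that matters for reflection attacks; only strict mode also drops the packet that borrows a neighbouring interface's prefix. Strict mode is the one that breaks multihomed customers whose return path does not match their arrival interface, which is the "consequences" caveat raised earlier in the thread.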
 