Internet Policy] 'Smart' home devices used as weapons in website attack (was RE: [Chapter-delegates] Hack http://www.bbc.com/news/technology-37738823)

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Suzanne Woolf <suzworldwide () gmail com>
> Date: October 23, 2016 at 2:13:51 PM EDT
> To: David Sarokin <sarokin () gmail com>
> Cc: "internetpolicy () elists isoc org" <internetpolicy () elists isoc org>, Glenn McKnight <mcknight.glenn () gmail 
> com>, ISOC Chapter Delegates <chapter-delegates () elists isoc org>
> Subject: Re: [Internet Policy] 'Smart' home devices used as weapons in website attack (was RE: [Chapter-delegates] 
> Hack http://www.bbc.com/news/technology-37738823)
>
> I may live to regret this, but….
>
> NB: I have no specific details on what happened to Dyn. I'm generally familiar with them (I know a lot of their 
> engineers, who are world-class, and I'm a very small-scale customer), and I know a few things about the DNS business 
> and how the internet works. I've been operating DNS services in networks large and small since the mid-1990s, and I 
> co-chair a working group in the IETF that reviews DNS-related topics such as best practices for DNS operators. So my 
> major qualification to comment may be that I do get to hear a wide variety of complaints about DNS.
>
> As a general observation, I'll say that there's actually quite a lot of redundancy built into the way Dyn and 
> services like it operate. The same is true of those they depend on, such as transit providers. (That's why we can 
> surmise that it takes a truly massive amount of traffic to cause problems for them, and why even under Friday's 
> challenges, the problems seemed to be localized in particular ways.) It's also possible today to have diversity of 
> providers for managed DNS services, and many businesses do. Many others don't, by choice-- because their risk 
> analysis doesn't support the additional cost and complexity, or because they have their DNS closely integrated with 
> their web content or other internet activities in ways that make it difficult to work with more than one provider.
>
> When I did business development for a company whose offerings included managed DNS, I and all of my major competitors 
> often counseled large customers with key dependencies on public-facing DNS to diversify in every way they could-- 
> services within one provider's offerings, multiple providers, and whatever expertise they needed to maintain in-house 
> in order to monitor their vendors and react to situations that might be overwhelming for one provider. Some did, some 
> didn't. 
>
> I'm the last person on earth to argue that the protocol, operations, software, and business models that support DNS 
> are perfect. DNS has, in fact, lots of problems that are specific to DNS as a naming system, to how nameservers work, 
> etc. (For instance, I've seen arguments that blockchain-based architectures would work better than hierarchical ones 
> based on client-server protocols in reducing vulnerability to denial-of-service attacks. But the arguments about 
> which functionality you're protecting-- creating names? updating mappings associated with them? lookups?-- get arcane 
> really fast, and I'm not sure I believe them.) There's a lot of interesting research to be done on such topics, to be 
> sure, and if you know people who might want to fund it I know people who might want to do it-- but in the meantime, 
> vulnerability to massive DDoS isn't specific to DNS or naming.
>
> To your direct question: I don't believe the takeaway here is that either the architecture or the business model 
> don't support "multiple paths for any given task" or are special in that they "invite attacks." DNS is *not* the only 
> service on the internet that faces a massive-scale DDoS threat, or faces a threat that has taken a big step up with 
> recent "innovations" such as the Mirai attacks on IoT nodes. The entire infrastructure is at risk, from DNS providers 
> through ISPs and CDNs and your favorite "cloud provider", because small, cheap, un-maintainable, almost unnoticeably 
> low-profile devices are enormously easier to add to the network than they are to fix, and enormously easier to 
> mobilize against others than to defend against. 
>
> It's a classic problem of asymmetric resource use, and the advantage right now is with the attacker. Which provider 
> or which service is being attacked (DNS, web hosting, CDNs, routing) is not trivial but is also IMO not the main 
> point.
>
>
> Suzanne
> (speaking for myself)
>
> > On Oct 23, 2016, at 12:44 PM, David Sarokin <sarokin () gmail com> wrote:
> >
> > McTim wrote: ...I think the policy implications are that security standards for IoT devices need to be implemented,
> >
> > I'm pretty sure everyone is on board with that one. But it seems there are implications at the nameserver end as 
> > well. The Internet is designed to be redundant, with multiple paths for accomplishing any given task.  If Dyn and 
> > others are becoming pinch points that are lacking this flexibility and redundancy, then it might be time to go back 
> > to the drawing board. There's no need to have this sort of Achilles Heel that just invites attacks. 
> >
> >
> >
> > > On Sun, Oct 23, 2016 at 11:04 AM, McTim <dogwallah () gmail com> wrote:
> > > Hi,
> > >
> > > Dyn is a world class DNS provider, anycast IIRC, loads of instances at/near many well connected peering points.  
> > > IIUC, they didn't "go down" completely in that there was reachability to some nameservers, but not to others.
> > >
> > > In terms of "system wide vulnerability", If folk like twitter use more than one DNS provider, THEN requests would 
> > > bounce to another service.
> > >
> > > DDOSes mean to overwhelm a server or servers, in this case hard to say what actual target was.
> > >
> > > I think the policy implications are that security standards for IoT devices need to be implemented, that is a tough 
> > > row to hoe when neither the buyer or seller of these devices care much about security.  Attitudes may change now 
> > > however.
> > >
> > > rgds,
> > >
> > > McTim
> > >
> > > > On Sun, Oct 23, 2016 at 8:45 AM, David Sarokin <sarokin () gmail com> wrote:
> > > > I was wondering when (or if) this list would start a conversation on this latest and greatest DDOS disruption? 
> > > > Thanks for the BBC post. The media are almost all focused on how babycams and thermostats are being hijacked for 
> > > > nefarious purposes. But I've seen very little actual insight about Dyn, and why it turned out to be such a 
> > > > system-wide vulnerability. Isn't there redundancy built into the network, so that if DNS service is blocked at 
> > > > Dyn, the request bounces to another service?  Was the DDOS targeting something other than DNS lookup?
> > > >
> > > > There are a lot of very experienced folk on this list. I'd love to see some discussion of this event -- and its 
> > > > policy implications -- that goes beyond what the press have been able to provide thus far. 
> > > >
> > > > Thanks, all....
> > > >
> > > > > On Sun, Oct 23, 2016 at 3:20 AM, Richard Hill <rhill () hill-a ch> wrote:
> > > > > Dear Glenn,
> > > > >
> > > > >  
> > > > >
> > > > > Thank you very much for this, which I am cross-posting to the Internet Policy list.  Such attacks have been 
> > > > > reported before, and this article provides a very good summary.
> > > > >
> > > > >  
> > > > >
> > > > > I love the quip at the end: "In a relatively short time we've taken a system built to resist destruction by 
> > > > > nuclear weapons and made it vulnerable to toasters," said Jeff Jarmoc, head of security for global business 
> > > > > service Salesforce.
> > > > >
> > > > >  
> > > > >
> > > > > Best,
> > > > >
> > > > > Richard
> > > > >
> > > > >  
> > > > >
> > > > > From: Chapter-delegates [mailto:chapter-delegates-bounces () elists isoc org] On Behalf Of Glenn McKnight
> > > > > Sent: Sunday, October 23, 2016 00:27
> > > > > To: ISOC Chapter Delegates
> > > > > Subject: [Chapter-delegates] Hack http://www.bbc.com/news/technology-37738823
> > > > >
> > > > >  
> > > > >
> > > > > 'Smart' home devices used as weapons in website attack
> > > > >  
> > > > >
> > > > > http://www.bbc.com/news/technology-37738823
> > > > >
> > > > >
> > > > >
> > > > > Glenn McKnight
> > > > > mcknight.glenn () gmail com
> > > > > skype  gmcknight
> > > > > twitter gmcknight
> > > > > .
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > To manage your ISOC subscriptions or unsubscribe,
> > > > > please log into the ISOC Member Portal:
> > > > > https://portal.isoc.org/
> > > > > Then choose Interests & Subscriptions from the My Account menu.
> > > >
> > > >
> > > > _______________________________________________
> > > > To manage your ISOC subscriptions or unsubscribe,
> > > > please log into the ISOC Member Portal:
> > > > https://portal.isoc.org/
> > > > Then choose Interests & Subscriptions from the My Account menu.
> >
> > _______________________________________________
> > To manage your ISOC subscriptions or unsubscribe,
> > please log into the ISOC Member Portal:
> > https://portal.isoc.org/
> > Then choose Interests & Subscriptions from the My Account menu.
>
> _______________________________________________
> To manage your ISOC subscriptions or unsubscribe,
> please log into the ISOC Member Portal:
> https://portal.isoc.org/
> Then choose Interests & Subscriptions from the My Account menu.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20161024051356:2E9B0300-99CA-11E6-9283-9665ADF337F1
Powered by Listbox: http://www.listbox.com