
Why Laws Won't Save Banks From DDoS Attacks

Soulskill posted about a year and a half ago | from the legislative-firewalls-are-less-effective-than-actual-firewalls dept.

Government 80

kierny writes "Rep. Mike Rogers (R-Mich.) should know better. The chairman of the House Intelligence Committee claimed to NBC News that the Operation Ababil U.S. bank disruption DDoS campaign could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Not coincidentally, Rogers is the author of CISPA (now v2.0), a bill that would provide legal immunity for businesses that share threat data with the government, while allowing intelligence agencies to use it for 'national security' purposes, thus raising the ire of privacy rights groups. Just one problem: Numerous security experts have rubbished Rogers' assertion that threat intelligence would have any effect on banks' ability to defend themselves. The bank disruptions aren't cutting-edge or stealthy. They're just about packets overwhelming targeted sites, despite what Congressionally delivered intelligence might suggest."


Locks keep out honest people... (4, Insightful)

Midnight_Falcon (2432802) | about a year and a half ago | (#43371971)

And laws stop honest people from doing something. Criminals, on the other hand, are criminals -- and conducting a DDoS attack cannot be stopped by policies and laws alone. There need to be both technical countermeasures, and political ones as well. In a "positive peace" the reasons for conflict are addressed and removed, while in a "negative peace" the only reason conflict is not happening, is well, the cost of the conflict to both sides.

These folks obsessed with a "negative peace" by making more laws should study history.

Re:Locks keep out honest people... (4, Insightful)

amiga3D (567632) | about a year and a half ago | (#43372019)

They feel like they must do something and do it right now. It's more important to appear to be doing something to fix the problem than to actually fix the problem.

Re:Locks keep out honest people... (3, Insightful)

ackthpt (218170) | about a year and a half ago | (#43372231)

Passing laws makes the powerless feel better. You've never heard "There oughta be a law"? What they really should be saying is "There oughta be trained people who know how to track down the criminals and convictions which show the laws already on the books are enforced."

Good luck enforcing laws overseas.

Re:Locks keep out honest people... (1)

steelfood (895457) | about a year and a half ago | (#43373747)

All the bad things will go away if they can just take away free will.

Re:Locks keep out honest people... (1)

davester666 (731373) | about a year and a half ago | (#43376567)

This is NOT about helping businesses from being DDos'ed, or hacked, or anything else.

This is about having businesses be able to legally give lots of juicy customer information to the gov't, preferably under the threat of tax audits of all the executives of said business instead of having to pay for the data like everybody else.

Re:Locks keep out honest people... (1)

ttucker (2884057) | about a year and a half ago | (#43374435)

They feel like they must do something and do it right now. It's more important to appear to be doing something to fix the problem than to actually fix the problem.

Too bad there is no possible way for them to actually figure out who is responsible for a DDOS attack, because the headers are spoofed. Also, why the fuck does DNS run on UDP?

Re:Locks keep out honest people... (1)

xenobyte (446878) | about a year and a half ago | (#43376673)

Too bad there is no possible way for them to actually figure out who is responsible for a DDOS attack, because the headers are spoofed.

Actually it's often easy because it's only Anonymous and similar that does DDoS for purely political reasons. Most DDoS are cybercriminals extorting money in some way or disgruntled customers seeking revenge, and both can be identified outside the attack itself using regular investigative methods.

Also, why the fuck does DNS run on UDP?

Legacy. It also runs on TCP now but started out UDP only.

Re:Locks keep out honest people... (1)

ttucker (2884057) | about a year and a half ago | (#43380941)

Actually it's often easy because it's only Anonymous and similar that does DDoS for purely political reasons. Most DDoS are cybercriminals extorting money in some way or disgruntled customers seeking revenge, and both can be identified outside the attack itself using regular investigative methods.

That certainly is the only way to find the source of DOS attacks now. In cases where the malefactor does not attempt extortion, or otherwise brag about their attack, this path of inquiry is impossible. Even when they do find this person, the sticky bit of proving guilt beyond reasonable doubt (remember the court of law) remains tenuous at best. Even if every router on the path of our spoofed packets kept exceptionally (unreasonably) detailed logs, the peer-to-peer nature of IP would require a subpoena for each hop! Add to this the fact that most of the packets come from botnet computers, and we have a law which is essentially unenforceable. Recall, a law is only useful if it can result in a court conviction.

Also, why the fuck does DNS run on UDP?

Legacy. It also runs on TCP now but started out UDP only.

It is true that they were able to get away with it through naivete, but why? How did nobody see the security implications of an untrustworthy DNS system? Furthermore, what was the real attraction to UDP for this application?

Re:Locks keep out honest people... (1)

slick7 (1703596) | about a year and a half ago | (#43375425)

How can the banksters be protected by laws when they are above the law?

Re:Locks keep out honest people... (2, Interesting)

teaserX (252970) | about a year and a half ago | (#43372273)

Locks also keep out lazy criminals. When you can't know who the criminals are that's a fair defense against most of them. This legislation seeks to more effectively determine who/where the criminals are. They can round up all of the car thieves in my neighborhood and it will still be stolen if I leave it unattended and running. Legislation that provides consequences for banks that leave the "door" unlocked might be more effective than this "intelligence sharing" which does little to that end. Make them lock the doors. We may not even need anything further.

Re:Locks keep out honest people... (1)

WillgasM (1646719) | about a year and a half ago | (#43372479)

That analogy doesn't really apply to getting DDOS'd. That's like locking your lobby during business hours so the bad guys can't get in.

Re:Locks keep out honest people... (1)

teaserX (252970) | about a year and a half ago | (#43373265)

You're taking that too literally. There are measures they can take to directly defend against the DDOS (CloudFlare comes to mind) that are more effective than any access to threat intelligence. That access will be abused by both the government and private business.

Re:Locks keep out honest people... (1)

WillgasM (1646719) | about a year and a half ago | (#43373483)

I get it. I'm just pointing out that there is actually very little that can be done to protect against a DDOS attack. I don't think it's a matter of negligence on the bank's part (or at least not in the same vein as traditional unpatched vulnerabilities).

Re:Locks keep out honest people... (1)

Midnight_Falcon (2432802) | about a year and a half ago | (#43373821)

I would argue that legislation that provides consequences for banks recklessly gambling with people's savings accounts, handing out mortgages they know will result in foreclosure, and executives vying for short-term profit and bonuses over long-term stability of the global financial system would increase consumer confidence and cause these DDoS issues to be abated more quickly than the measures you suggest.

Re:Locks keep out honest people... (1)

Synerg1y (2169962) | about a year and a half ago | (#43372369)

DDOS wouldn't be possible without a botnet, perhaps preventing the latter will prevent the former. Anti-virus, better session awareness from the OS, and good networking practices can all go a long way here.

Re:Locks keep out honest people... (1)

fustakrakich (1673220) | about a year and a half ago | (#43372503)

These folks obsessed with a "negative peace" by making more laws should study history.

They already have.. Those who die with the most marbles win.

Re:Locks keep out honest people... (1)

slick7 (1703596) | about a year and a half ago | (#43377097)

They already have.. Those who die with the most marbles win.

Those who die with the most marbles are still dead. FTFY

Re:Locks keep out honest people... (1)

phrostie (121428) | about a year and a half ago | (#43373199)

When DOS is outlawed, only outlaws will have C:\

oh wait, this is about DDOS?

never mind

Re:Locks keep out honest people... (1)

Mister Liberty (769145) | about a year and a half ago | (#43373249)

So today, in class, you guys 'n gals studied 'positive peace' and 'negative peace'?

Sigh -- if your only tool is a hammer etc.

Re:Locks keep out honest people... (1)

Midnight_Falcon (2432802) | about a year and a half ago | (#43373795)

Actually, about a decade ago for studying that topic personally....but yes, the overarching point being that Anonymous/other DDoSers out there are upset at banks and the international financial system. Their being upset comes from deep frustration in that, these banks and institutions brought the world to a global financial panic, yet the people inside them, directors, managers etc -- all made tons of money. Meanwhile, homes are foreclosed upon and Joe Schmo is footing the bill.

In a positive peace, something would have been done about the bank's malfeasance and groups wouldn't feel so motivated to resort to vigilantism through DDoS to settle their grievances.

Re:Locks keep out honest people... (0)

Anonymous Coward | about a year and a half ago | (#43373269)

I guess we should just get rid of all laws then, you half-wit.

Re:Locks keep out honest people... (1)

aklinux (1318095) | about a year and a half ago | (#43373937)

and the honest people weren't a problem to begin with. I keep trying to figure out how they plan to get criminals to submit to a background check before buying their gun in a back-alley or stealing it from someone down the street.

"I'm sorry, but there is a 5 day waiting period before you can steal that. We have to run a background check on you. Sorry, government regulations."

"Congressionally delivered intelligence" (0)

Anonymous Coward | about a year and a half ago | (#43371985)

Is there such a thing?

Re:"Congressionally delivered intelligence" (1)

amiga3D (567632) | about a year and a half ago | (#43372037)

NO

Re:"Congressionally delivered intelligence" (2)

ackthpt (218170) | about a year and a half ago | (#43372263)

NO

There actually is, but the main body of Congress routinely ignores it because the seat of their collective pants tells them to.

Representatives like Rogers like to get laws on the books with their names bandied about them, to show that they're not just fooling around, then they can get back to the business of whatever their big campaign donors want them to do. Circus and bread.

Re:"Congressionally delivered intelligence" (1)

khallow (566160) | about a year and a half ago | (#43372279)

This is beyond oxymorons. They're sadistically toying with our sanity to watch us break. It's seagulls and alka seltzers.

And laws helped cause it (5, Insightful)

MikeRT (947531) | about a year and a half ago | (#43371999)

In the name of fighting money laundering--an activity primarily associated with the War on Drugs--Congress passed a law requiring all transactions around $5k or more to be logged and sent to federal law enforcement. Paying in cash for everything is now being called a sign you might be a terrorist. Paying in cash is also *gasp* resistant to DDoS attacks. The corralling of most of our commerce into the hands of banks has effectively made banks a target that can cripple unrelated businesses. If we were mostly a cash society, it'd be no big deal. The worst a DDoS could do is delay the processing of your paycheck or an ATM withdrawal.

Re:And laws helped cause it (-1)

Anonymous Coward | about a year and a half ago | (#43372103)

I hope you don't see some kind of conspiracy to get us relying on electronic transactions. Because it's just the way of the world. Fucking retard.

Re:And laws helped cause it (1)

amiga3D (567632) | about a year and a half ago | (#43372125)

Not a bad comment until the last two words. He simply pointed out the inherent weakness of an all electronic banking system. Yes it's inevitable, just like crass comments from anonymous cowards seem to be inevitable.

Re:And laws helped cause it (5, Insightful)

amiga3D (567632) | about a year and a half ago | (#43372105)

The end result of all these wars is that individual liberty is collateral damage. The war on Drugs, on Terror, on Child Porn, etc., means that innocent people pay the price while the thing they war against never goes away. One unwinnable war after another.

Re:And laws helped cause it (1)

steelfood (895457) | about a year and a half ago | (#43373725)

That was the point. You didn't think this all happened by accident, did you?

Re:And laws helped cause it (1)

wisnoskij (1206448) | about a year and a half ago | (#43372315)

There simply is not enough cash for this to ever be an option. It does not matter what laws they enact, when only 2% of all US money is actually backed by physical currency you can never have a vibrant physical cash economy.

And is being used for marketing purposes (0)

Anonymous Coward | about a year and a half ago | (#43372505)

. Paying in cash is also *gasp* resistant to DDoS attacks.

Go to a car dealer and say "I'm paying cash"

They will then insist (and lie - car dealers are liars and cheats - and scum fuckers) that you NEED to supply an SSN for the Patriot Act.

Lie

They do that so they can then run a credit check and try to sell you something more expensive.

ONLY when you are about to finish the transaction, do they need your name - ONLY your name to report to the Treasury Dept.

Car dealers are scum. They deserve to have their children die from cancer where they have to watch them rot every morning and cry out, "Daddy, why am I dying?! Why does it hurt so baaaad" Only for their car dealer father or mother to say, "Because I'm in the car business and I'm scum and this is karma to watch you die and suffer needlessly"

That is my curse on the assholes - like car dealers - of the World.

Yes, Satan says, "You're a cruel Mother fucker!"

Re:And is being used for marketing purposes (0)

Anonymous Coward | about a year and a half ago | (#43373085)

They will then insist (and lie - car dealers are liars and cheats - and scum fuckers) that you NEED to supply an SSN for the Patriot Act.

Lie

Truth.
http://www.irs.gov/pub/irs-pdf/p1544.pdf

If it's $10k or more in a YEAR, they have to report it. Not single sale, the entire year. And yes, they have to report your TIN (tax ID) which is your SSN. So legally they must get your SSN even if it's less than a single $10k purchase just in case you come back and buy something else later that year which puts it over the $10k total.

Let's focus on the important part (4, Funny)

quietwalker (969769) | about a year and a half ago | (#43372073)

... I don't think 'rubbished' is a legitimate word.

Re:Let's focus on the important part (1)

amiga3D (567632) | about a year and a half ago | (#43372149)

ask a brit.......

Re:Let's focus on the important part (0)

Anonymous Coward | about a year and a half ago | (#43372789)

> I don't think 'rubbished' is a legitimate word.

Oxford disagrees [oxfordlear...naries.com]

Re:Let's focus on the important part (0)

Anonymous Coward | about a year and a half ago | (#43374557)

I throw in The US National Firewall and Traffic Shaping Service, USNFTSS for short, in this legitimacy crisis.

RFC 3514 (0)

Anonymous Coward | about a year and a half ago | (#43372081)

I urge everyone to contact their congressperson and tell them to amend the bill to instead require the implementation of RFC 3514, which is a much more sensible solution to the problem than the one in the current bill.

Re:RFC 3514 (1)

khallow (566160) | about a year and a half ago | (#43372359)

That's a pretty good solution especially since it allows for efficient filtering of messages of precisely the sort that congressionally delivered intelligence are concerned about.

Sue Microsoft for willful negligence (1)

Animats (122034) | about a year and a half ago | (#43372095)

What's needed is a big lawsuit by a big bank against Microsoft for willful negligence. (Def: "Intentional performance of an unreasonable act in disregard of a known risk, making it highly probable that harm will be caused.") Knowingly distributing operating systems which are known to be remotely exploitable to attack other systems fits that definition.

Microsoft's EULA doesn't protect them here. The victim is a third party, not their own customer, and not a signatory to the EULA. Nor does this require a class action. There are single banks big enough to take this on.

Re:Sue Microsoft for willful negligence (2)

SJHillman (1966756) | about a year and a half ago | (#43372237)

What the hell are you going on about? Odds are the DDoS is taking down the target network before a single packet reaches anything running Microsoft software. Actually, the reason it's a DDoS is because packets aren't reaching anything running Microsoft software (clients and servers). You'd be making a tiny bit of sense if you said Cisco, but that would be like suing New York City because the roads can't accommodate every single person in the country visiting NYC at once.

Re:Sue Microsoft for willful negligence (3, Interesting)

amiga3D (567632) | about a year and a half ago | (#43372289)

I think he's talking about all those windows peecee's slaved into botnets because of their defective by design OS and are used in DDos attacks such as this. It all starts with malware ya know and Windows is the most pervasive form of malware on the planet.

Re:Sue Microsoft for willful negligence (1)

in10se (472253) | about a year and a half ago | (#43372349)

Not that the idea of a lawsuit against Microsoft is likely, but I think the OP is referring to the source of the attack - not the target. The point is that many DDOS attacks are created by zombie computers, many of which run Microsoft operating systems.

Re:Sue Microsoft for willful negligence (1)

peon_a-z,A-Z,0-9$_+! (2743031) | about a year and a half ago | (#43372471)

If we take this rhetoric one step further, are there not a lot of illegal (i.e. non-EULA applicable) copies of Windows that are part of this and are likely also used in the creation of said malware? I could see Microsoft argue that the root of the problem is software users not abiding by EULA and the blame would thus be shifted towards those who 'failed' to enforce software copyright, etc.

Re:Sue Microsoft for willful negligence (0)

Anonymous Coward | about a year and a half ago | (#43372681)

So if your car is stolen and used in a crime the makers of it should be held responsible?

Re:Sue Microsoft for willful negligence (1)

dgatwood (11270) | about a year and a half ago | (#43372929)

Depends. Is your car designed in such a way that makes it unusually easy to steal?

Re:Sue Microsoft for willful negligence (0)

Anonymous Coward | about a year and a half ago | (#43391463)

Depends, how old is the car? A 1990 car is less secure than a modern car, hell, even any car with breakable windows is inherently easy to steal.

Re:Sue Microsoft for willful negligence (1)

WillgasM (1646719) | about a year and a half ago | (#43372361)

Read that again. They're talking about Windows being a breeding ground for zombies that carry out these attacks. But yeah, stupid reasoning nonetheless. Trying to litigate our problems away is part of the problem, not the solution.

Re:Sue Microsoft for willful negligence (0)

Anonymous Coward | about a year and a half ago | (#43372597)

Not to mention if the windows lusers that have no grasp on security moved to another operating system. They would still unwittingly be allowing random malware to be installed on their systems.

Re:Sue Microsoft for willful negligence (0)

Anonymous Coward | about a year and a half ago | (#43372281)

You really need to do more research before talking. I'll give you a hint, it's not Microsoft Windows machines doing the attacking during these DDoS attacks, just google "itsoknoproblembro" and become enlightened. IF lawsuits did anything, let's sue the Universities for failing to teach jack shit about computer security and giving idiots the illusion that they can set up a website and not update their horrible CMS (Joomla and Wordpress, I'm looking at you!)

Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43372131)

No matter how justified that deterrent is made (by creating it as a law). To stop the most determined people from doing what they will do.

Should banks be protected from attack? I would say in a perfect world where banks were innocent and served a purpose other than gambling on your own investment into them. Maybe.

But as it stands now, banks should be left out in the cold to defend themselves, and in ways that don't violate our laws. They need no more special justifications placed in our society for them.

Re:Because no deterrent is strong enough. (1)

jittles (1613415) | about a year and a half ago | (#43372305)

No matter how justified that deterrent is made (by creating it as a law). To stop the most determined people from doing what they will do.

Should banks be protected from attack? I would say in a perfect world where banks were innocent and served a purpose other than gambling on your own investment into them. Maybe.

But as it stands now, banks should be left out in the cold to defend themselves, and in ways that don't violate our laws. They need no more special justifications placed in our society for them.

What are you talking about? Murder is illegal. I haven't been murdered! Therefore the law is working!

Re:Because no deterrent is strong enough. (0)

Anonymous Coward | about a year and a half ago | (#43372871)

As far as I know it's not against the law for a business including a bank to share data about an illegal act with law enforcement, whether it is a physical act or happens on a network. They share the security camera footage with law enforcement when they are robbed at gun point or if a teller is assaulted. What threat data are they talking about sharing?

   

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43379235)

Then why do we need to deliberate on new rules in this regard? What is so special about banks that we need to codify how they go about this? Is this new rule going to give them special permission to violate computer systems to collect this data?

What's the catch-22... or the article is just B.S.

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43379251)

Yet people get murdered every day. It's a shame. But the deterrent for murder applies generally equally to all, or at least that's the principle. Technically grandmothers have no more deterrent applied to them than 30 year old single males.

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43379863)

Also the reason you have not been murdered yet probably has more to do with your general niceness, averageness, location (not in a slum) etc.. but I know nothing about you to make such assumptions, the law has a lower bearing than many factors on whether you get murdered or not =P

Re:Because no deterrent is strong enough. (1)

jittles (1613415) | about a year and a half ago | (#43380293)

Also the reason you have not been murdered yet probably has more to do with your general niceness, averageness, location (not in a slum) etc.. but I know nothing about you to make such assumptions, the law has a lower bearing than many factors on whether you get murdered or not =P

Hah. I was just being facetious when I made that comment. But I do try to be courteous.

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43381439)

I thought as much ;p You are a gentleman and a comedian!

Re:Because no deterrent is strong enough. (1)

Obfuscant (592200) | about a year and a half ago | (#43372391)

No matter how justified that deterrent is made (by creating it as a law). To stop the most determined people from doing what they will do.

The title is misleading because it implies that the law is intended to be a deterrent, but the summary makes it clear that the law being talked about deals with allowing the sharing of information about the attacks. So, it's not another law making DDoS illegal, it's a law allowing information about DDoS to be passed around.

Yes, another deterrent law would be useless. A law that allows those who are being attacked to share data about how they are being attacked is not.

But as it stands now, banks should be left out in the cold to defend themselves, and in ways that don't violate our laws.

Some of those banks have my money in them, and those that don't have FDIC/etc insurance that means their losses are covered by my tax dollars. So you are patently wrong about leaving them out in the cold. There are too many innocent parties that are harmed by attacks on banks for you to have such a callous attitude.

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43379215)

Thanks for the clarification of the title. How come that's not legal already? AFAIK, and after working in the IT industry and with software like SNORT, publishing blacklists with comments like "spammer, ddosser" is perfectly legal for anyone.

As far as your right to want the money you invested in your great gambling casinos of the new world order, great for you, I have a differing opinion, and I doubt we'll ever see eye to eye on that. I never believed banks were for security when I was a kid, and after watching the world for 30 years still think banks are an insecure means of holding wealth. Better to own stock or property, rather than a piece of paper that can be traded by people with vastly more power than you.

So while it's your right to lobby for the protection of your FDIC banks and your tax money to be spent that way, it's my right to call it a bullshit way of doing business. Especially for the little people who get swept under the rug as regimes and currencies change, lookin at European banks right now. Brazil and or Argentina last 2 decades ago... I would rather my tax money not go to giving banks more protection. They need to harden up and play fair with the rest of the world if they want business as usual.

Re:Because no deterrent is strong enough. (1)

flayzernax (1060680) | about a year and a half ago | (#43379541)

I guess the better question then is: should banks have more priority with law enforcement hunting DDOSers than Netflix? Or a single youtuber?

In my opinion all 3 parties should have the same priority. The best argument you could make for changing that priority is severity of attack as in how damaging it is to how many parties. In this case your argument for special protection rings true, but it should also ring true if those DDOSers are targeting something other than a bank. So the fact that it is a bank by its very nature should not arbitrarily bump its priority. It should require an evaluation that is egalitarian and just.

Therein lies the rub ... (3, Informative)

gstoddart (321705) | about a year and a half ago | (#43372211)

Not coincidentally, Rogers is the author of CISPA (now v2.0), a bill that would provide legal immunity for businesses that share threat data with the government, while allowing intelligence agencies to use it for 'national security' purposes

These people want this information shared for their own purposes.

This has nothing at all to do with protecting banks from DDoS -- it's about ensuring government access to all of our data. If they can get private industry to hand them data they can't collect on their own then they can circumvent other laws.

I agree with the assessment that no law is going to make this kind of attack hitting from all over the world (and probably on zombie computers) go away.

These people just want the total surveillance world that scares the rest of us.

Re:Therein lies the rub ... (0)

Anonymous Coward | about a year and a half ago | (#43374389)

Dude, take off your tinfoil hat.

Banks already have access to whatever data they need if you are doing something "wrong". I will say that the threat info they want to exchange are the equivalent of firewall logs, blacklists and whitelists. I'm not going to get into specifics but this isn't additional transaction history or usage or anything like that. This is an industry wide attempt to bolster security. Period. You might not give a shit, but when I want my money, I want it NOW. Not later, and I don't want my financial info compromised, and in the hands of criminals when the govt could have given me a blacklist of suspect IPs to block.

If not intel... (1)

Livius (318358) | about a year and a half ago | (#43372269)

If terrorist surveillance information isn't enough, then the banks will have only one logical next step: operate their own armed aerial drones.

Disconnect infected subscribers (0)

Anonymous Coward | about a year and a half ago | (#43372297)

Why don't ISP redirect internet users with infected PCs to a quarantine page stating the problem? It might even educate them.

Laws (1)

fustakrakich (1673220) | about a year and a half ago | (#43372299)

Laws without respect and/or a gun won't protect you from anything.

It goes without saying, but I'll say it anyway, Many laws, like CISPA, RICO, etc., deserve no respect, and sometimes it takes a gun to remove them from the books, or to keep them from being put there in the first place when majority rule fails.

DUH! (0)

Anonymous Coward | about a year and a half ago | (#43372387)

Because criminals don't obey laws. Also, the location of the client, the server and/or the person pressing the keys determine whose laws apply.

Laws don't stop anything (0)

Anonymous Coward | about a year and a half ago | (#43372431)

they may limit it, but people will always kill, people will always steal, people will always defraud, people will always do drugs.. etc

I'm So Embarrassed (1)

Farmer Pete (1350093) | about a year and a half ago | (#43372469)

I'm ashamed to say that Rogers is my congressman. I've even voted for him several times. As much as I'd like to vote for someone who excels in all areas, too bad our choices are normally choosing between an idiot and a half-wit.

CDN DDoS Protection (0)

Anonymous Coward | about a year and a half ago | (#43375273)

This bank must not be utilizing a CDN. A distributed denial of service attack can be mitigated by a distributed CDN.

Re:CDN DDoS Protection (0)

Anonymous Coward | about a year and a half ago | (#43377909)

A CDN is not a good defense against a DDOS anymore. The current wave of DDOS against the financial institutions is not a simple throw a bunch of machines at it. Every attack is a little different. It appears as though an institution is attacked for a few days and then it stops. The attackers learn a little and then change the attack a little. It is like they are testing things out. Looking for the weak spot. At some point, our government needs to actually do something about it instead of using it as an opportunity to gather info about its own citizens.

Improve infrastructure, don't enact laws to prolif (2)

tanawts (786512) | about a year and a half ago | (#43376411)

Given that a lot of these problems stem from inherent design flaws with our current Internet protocols, perhaps we ought to start improving upon the 20 and 30 year old protocols we've been relying on. Fundamental scale and design flaws will continue to empower bad people to do bad things so long as it continues to be nearly effortless. BGP, DNS, IPv4... You can only build on a foundation for so long before its age and brittleness begins to cause serious problems.

Re:Improve infrastructure, don't enact laws to pro (0)

Anonymous Coward | about a year and a half ago | (#43379927)

That's kind of hard to do when the world is in a permanent state of global recession because the money banking and currency systems we developed are just as flawed. Justify spending all that money rolling out a new global infrastructure built on new technology learned from lessons past, but with its own unique new bugs and complexity issues.

It's ironic isn't it that banks are complaining about this then. But this only affects the banks' access to consumers, their real internal infrastructure is much more guarded and modern the closer you get to the balance sheets, unless of course they deliberately want the records to disappear, then a good old fashioned fire works just fine on electrical hardware the same as it did on paper for their purposes and throwing it all in the landfill where it's not likely to ever be scrutinized or investigated.

Re: Improve infrastructure, don't enact laws to pr (1)

tanawts (786512) | about a year and a half ago | (#43380175)

I'm not sure that we have a choice. "Because it's hard" is probably not going to be a sufficient excuse with respect to the critical mass we are heading toward. If everything that the world has invested in standing on top of the Internet is so important, then all that important stuff is going to need to experience the growing pain of adapting to new redesigned transit protocols. The alternative seems to be a sheer cliff.

Re: Improve infrastructure, don't enact laws to p (1)

tanawts (786512) | about a year and a half ago | (#43380223)

To put it another way. The wolf does not adhere to the laws of the little pigs. If you're tired of him blowing your house down, you need to stop thinking about patching holes in your straw house. Reinforcing reeds isn't a scalable solution. You need to start building the houses with bricks.

Laws CAN help... (0)

Anonymous Coward | about a year and a half ago | (#43376691)

Using the ancient outlaw principle we can get at the DDoS'ers. I'm referring to making laws that take away all rights and legal protection for those declared outlaws, thus making it legal to hunt down the actual people and do with them as you please. As most DDoS'ers basically are cowards (hiding behind spoofing, not even making a statement about the motivations behind the attack) this will go a long way. Throw the spammers in with the DDoS'ers and we'd have a real chance at cleaning up the Internet by removing the trash the hard way.

Amazon & Microsoft manage to do it, thus... ap (0)

Anonymous Coward | about a year and a half ago | (#43377875)

Investing in one of THESE is a big help:

DDoS Appliances:

http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DDos+Appliance%22&btnG=Search&gbv=1&sei=KYw7UI-4FsXs6wH3uIDoDw [google.com]

Because DDoS/DoS CAN be stopped (Microsoft & Amazon are setup PERFECTLY vs. it in fact, read on below on that note)!

---

Microsoft Windows NT-based OS settings vs. DoS:

Protect Against SYN Attacks

FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx [microsoft.com]

A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.

To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

Enable SYN attack protection
Set SYN protection thresholds
Set additional protections

Enable SYN Attack Protection

---

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0, 1, 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

---

Set SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

These keys and values are:

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0–65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100–65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80–65535

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

---

Set Additional Protections

All the keys and values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:

Value name: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0–255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0–65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0, 1

Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80–4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

---

Lastly, of course, there IS the "null-route" option (you need to have a network with multiple IP addresses, ala multi-homed servers BEFORE your production ones since this must be done "upstream" of them though - plus, many routers have this functionality built in, so that is another way to 'blackhole' such attacks) noted here:

http://en.wikipedia.org/wiki/Null_route [wikipedia.org]

The route command can do the job, per the specs/requirements noted above!

This use of the route command, however, is a MANUAL & slow/stodgy method, since it is commandline driven...

(However: A script or program using a listbox COULD automate this, given the data for the originating attack IP addresses).

---

* Hope that helps...

Microsoft &/or Amazon - they have such TREMENDOUSLY POWERFUL setups for monitoring + alerting them to DoS/DDoS, they can start "shutting down" IP address sources of packets for DDoS easily, & way, Way, WAY before it's time to "panic" - it's the reason WHY "Anonymous" & the like can't "take them down" (& yes, they HAVE tried)...

For some material on what they do? See here (MS):

---

Microsoft: We're not vulnerable to DDoS attacks

http://www.networkworld.com/community/blog/microsoft-were-not-vulnerable-ddos-attacks [networkworld.com]

PERTINENT QUOTE/EXCERPT:

"At Microsoft we have robust mechanisms to ensure we don't have unpatched servers. We have training for staff so they know how to be secure and be wise to social engineering. We have massively overbuilt our internet capacity, this protects us against DoS attacks. We won't notice until the data column gets to 2GB/s, and even then we won't sweat until it reaches 5GB/s. Even then we have edge protection to shun addresses that we suspect of being malicious."

---

&/or

---

Why attackers can't take down Amazon.com:

http://money.cnn.com/2010/12/09/technology/amazon_wikileaks_attack/ [cnn.com]

PERTINENT QUOTE/EXCERPT:

"So Amazon (AMZN, Fortune 500) has spent years creating and refining an "elastic" infrastructure, called EC2, designed to automatically scale to handle giant traffic spikes... But Amazon's entire business model is built around handling intense traffic spikes. The holiday shopping season essentially is a month-long DDoS attack on Amazon's servers -- so the company has spent lavishly to fortify itself."

INTERESTING STUFF - Hope the read helps those of you dealing with DDoS/DoS attacks...

APK

P.S.=> Others on the page note the usage of CDN - to distribute loads & "attack surface area" which helps also...

... apk
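A read-only audit of the registry values listed in the comment above, added here as an example; it is not part of the original comment or of the quoted MSDN page. The recommended values and valid ranges are copied from the comment, while the function name `Test-TcpHardening` and the status labels are hypothetical.

```powershell
# Read-only audit: compares the TCP/IP values from the comment above with
# what is set on this host. Nothing is written to the registry.
$TcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters'

# Name, recommended value and valid range, as given in the quoted MSDN text.
$Spec = @(
    @{ Name = 'SynAttackProtect';                     Rec = 2;      Min = 0;   Max = 2 }
    @{ Name = 'TcpMaxPortsExhausted';                 Rec = 5;      Min = 0;   Max = 65535 }
    @{ Name = 'TcpMaxHalfOpen';                       Rec = 500;    Min = 100; Max = 65535 }
    @{ Name = 'TcpMaxHalfOpenRetried';                Rec = 400;    Min = 80;  Max = 65535 }
    @{ Name = 'TcpMaxConnectResponseRetransmissions'; Rec = 2;      Min = 0;   Max = 255 }
    @{ Name = 'TcpMaxDataRetransmissions';            Rec = 2;      Min = 0;   Max = 65535 }
    @{ Name = 'EnablePMTUDiscovery';                  Rec = 0;      Min = 0;   Max = 1 }
    @{ Name = 'KeepAliveTime';                        Rec = 300000; Min = 80;  Max = 4294967295 }
)

# Test-TcpHardening is a hypothetical helper name used only in this example.
function Test-TcpHardening {
    param([string]$Path = $TcpParams, [object[]]$Expected = $Spec)

    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($item in $Expected) {
        $prop   = if ($key) { $key.PSObject.Properties[$item.Name] } else { $null }
        $actual = $null
        if ($prop) {
            # DWORDs above 0x7FFFFFFF can surface as negative Int32; normalise.
            $actual = [int64]$prop.Value
            if ($actual -lt 0) { $actual += 4294967296 }
        }
        if ($null -eq $actual) {
            $status = 'NotSet'          # value absent: the stack default applies
        } elseif ($actual -lt $item.Min -or $actual -gt $item.Max) {
            $status = 'OutOfRange'      # outside the valid range quoted above
        } elseif ($actual -eq $item.Rec) {
            $status = 'OK'
        } else {
            $status = 'Differs'         # valid, but not the recommended value
        }
        [pscustomobject]@{
            Name = $item.Name; Recommended = $item.Rec; Actual = $actual; Status = $status
        }
    }
}

Test-TcpHardening | Format-Table -AutoSize
```

On Windows Vista / Server 2008 and later, SYN attack protection is always on and the `SynAttackProtect` value is no longer consulted, so `NotSet` for that entry is expected there.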

"Congressionally delivered intelligence"? (1)

Rambo Tribble (1273454) | about a year and a half ago | (#43378065)

"Military intelligence" just met its match in the oxymoron sweepstakes.

Typical politispeak (1)

thoughtlover (83833) | about a year and a half ago | (#43386097)

This is coming from the guy that boasted on Twitter how much money he received from lobbyists that support CISPA... A truly devoted corporate **ahem** civil servant. It's no surprise that 2 out of 3 people would rather have a colonoscopy than the current congress.

http://boingboing.net/2013/03/23/congressman-boasts-on-twitter.html [boingboing.net]
