
9/20/2016 Someone Is Learning How to Take Down the Internet - Schneier on Security

https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html 1/37

Blog >

Someone Is Learning How to Take Down the Internet

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and email addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.
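Added example, not part of Schneier's post: a defender-side heuristic in Python that flags the week-over-week "staircase" profile described above (an episode ramps up, stops, and the next one resumes from the previous peak, with more vectors over time), run over constructed per-episode summaries. The Episode fields, the thresholds and the sample data are all assumptions.

```python
# Added example (not from Schneier's post): a defender-side heuristic that
# flags the "staircase" probing profile the post describes, i.e. attack
# episodes that ramp up, stop, and resume the following week from the
# previous peak. Episode records and thresholds are constructed assumptions.
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Episode:
    """Summary of one observed attack episode (constructed, not real telemetry)."""
    week: int
    start_gbps: float       # traffic level when the episode began
    peak_gbps: float        # traffic level when it stopped
    vectors: frozenset      # attack vectors seen during the episode


def ramps_up(ep: Episode, min_ratio: float = 1.2) -> bool:
    """An episode 'ramps' if it ends materially above the level it started at."""
    return ep.peak_gbps >= ep.start_gbps * min_ratio


def resumes_from_prior_peak(prev: Episode, cur: Episode, tol: float = 0.10) -> bool:
    """The next episode picks up at (or just under) where the previous one stopped."""
    return cur.start_gbps >= prev.peak_gbps * (1 - tol)


def probe_chains(episodes: List[Episode], min_len: int = 3) -> List[List[Episode]]:
    """Return every run of >= min_len consecutive weekly episodes forming an
    escalating staircase: each ramps up and each resumes from the prior peak."""
    chains: List[List[Episode]] = []
    run: List[Episode] = []
    for ep in sorted(episodes, key=lambda e: e.week):
        continues = bool(run) and ep.week == run[-1].week + 1 \
            and resumes_from_prior_peak(run[-1], ep)
        if ramps_up(ep) and (not run or continues):
            run.append(ep)
            continue
        if len(run) >= min_len:
            chains.append(run)
        # a ramp that does not continue the staircase starts a fresh run
        run = [ep] if ramps_up(ep) else []
    if len(run) >= min_len:
        chains.append(run)
    return chains


def assess(episodes: List[Episode], min_len: int = 3,
           min_vectors: int = 3) -> Dict[str, Any]:
    """Summarise the longest staircase found and whether it combined several vectors."""
    chains = probe_chains(episodes, min_len)
    if not chains:
        return {"probing": False, "chain_weeks": [], "multi_vector": False,
                "peak_gbps": None}
    longest = max(chains, key=len)
    return {
        "probing": True,
        "chain_weeks": [e.week for e in longest],
        "multi_vector": any(len(e.vectors) >= min_vectors for e in longest),
        "peak_gbps": max(e.peak_gbps for e in longest),
    }


# Constructed sample: four weeks of escalating, increasingly multi-vector
# episodes, followed by unrelated hits that restart from a low level.
SAMPLE: List[Episode] = [
    Episode(1, 50.0, 120.0, frozenset({"udp_amp"})),
    Episode(2, 115.0, 200.0, frozenset({"udp_amp", "syn_flood"})),
    Episode(3, 200.0, 300.0, frozenset({"udp_amp", "syn_flood", "dns_query"})),
    Episode(4, 290.0, 420.0, frozenset({"udp_amp", "syn_flood", "dns_query", "http_get"})),
    Episode(5, 60.0, 70.0, frozenset({"syn_flood"})),      # no ramp: staircase ends
    Episode(6, 30.0, 200.0, frozenset({"udp_amp"})),       # ramps, but starts from scratch
    Episode(7, 40.0, 45.0, frozenset({"udp_amp"})),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```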


Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes and especially their persistence points to state actors. It feels like a nation's military cyber-command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won't see any attribution.

But this is happening. And people should know.

This essay previously appeared on Lawfare.com.

EDITED TO ADD: Slashdot thread.

EDITED TO ADD (9/15): Podcast with me on the topic.

Tags: cyberwar, denial of service, essays, Internet, Verisign

Posted on September 13, 2016 at 2:09 PM • 121 Comments

Comments

Tom • September 13, 2016 2:15 PM

"What can we do about this? Nothing, really." Well there is one thing you can do. Don't put any critical command & control infrastructure (say, for managing power transmission) in a position where it requires the internet to function.

AJWM • September 13, 2016 2:32 PM

What Tom said.

And dig your old dialup modems out of storage. ;) (You do still have land lines, right?)

Ricky Don't Lose That Number • September 13, 2016 2:38 PM

Troublemakers of the week:

183.60.244.37
123.125.67.148
220.181.51.103

jer • September 13, 2016 2:41 PM


If the attackers' intent was to not get the pattern in the attacks noticed, then they failed.

If their intent was to test the extremes of different systems, they apparently took quite a methodical approach and disregarded the possibility of an intelligent response, or didn't change the test plan according to intermediate results.

Bob • September 13, 2016 2:42 PM

The thing is... if China or Russia decided to "take down the internet"... and did it from their own infrastructure... they'd be cut off from the rest of the net... all of them... the whole country. period. You think the "great firewall" is pretty big? wait till you piss off every single large ISP out there! You'll be unplugged.

On the other hand, if it's done much more underhandedly and less obvious, you never know...

Random Guy 17 • September 13, 2016 2:42 PM

An attack on a service is best done by an attacker that doesn't need that service. You don't pull the plug on the power company that supplies your own home/business.

With that in mind, a closed, not highly Internet enabled country makes the most sense like China.

Very interesting stuff.

Jon • September 13, 2016 2:52 PM

The thing is... if China or Russia decided to "take down the internet"... and did it from their own infrastructure... they'd be cut off from the rest of the net... all of them... the whole country. period. You think the "great firewall" is pretty big? wait till you piss off every single large ISP out there! You'll be unplugged.

If they're planning to take down the Internet, unplugging them or them being unplugged is the least of anyone's problems because if it is a nation-state, doing something like this would really only make sense to do if it's coordinated with a real world attack.

Bart • September 13, 2016 3:03 PM

Why don't you tell us what you mean with "some of the major companies that provide the basic infrastructure that makes the Internet work"?

My feeling says it's either

* CloudFlare or similar. In that case we're fine.
* Level3 or similar. In that case we're fine.
* *.root-servers.net. That won't take down "the internet" though, just DNS resolution. However, since so many services depend on that, people who don't know how to use the internet without DNS, like 99% of its users, would be shut off. Still, you would still be able to reach any server by IP.

I guess I should take the link to VeriSign as a hint that it's root-servers.net. Too bad that these articles have to be so vague all the time because of the "anonymity" excuse. That doesn't help anyone, it just spreads FUD.

Paul • September 13, 2016 3:03 PM

Bob: It’s not as simple as “just unplug the bad guys.” A DDoS attacker takes advantage of the infrastructure of others by staging the attack from compromised machines. Even if human actors are in China or Russia or Fooland, the attacking machines & networks can be located anywhere in the world, even — especially — inside the country of the target.

The call is coming from inside the house, as it were.

tank • September 13, 2016 3:07 PM

Look towards the Mecca

Andy • September 13, 2016 3:11 PM

If it was Russia, it could be a test run for Nov. 8th.

MADDog • September 13, 2016 3:25 PM

Let's assume the attack to take down the internet comes from EastAsia.

If it goes down, how many deaths and serious injuries can we project, aside from carpal tunnel?

Right: Hardly any to none. So, let's take a deep breath and try to calm down.

Now, if the location of the attack cannot be determined, simply turn off the power to the trans-ocean cables all at once, or the one most highly suspected for example, EastAsia. Problem solved locally.

In any case, let's remember the ultimate defense/retort is to simply pull the plug.

As for prevention, I would suggest the old but reliable doctrine of M.A.D.:

Mutually Assured Destruction.

And remember we have always been at war with EastAsia so let's not freak out by a few alarming action reports.

Kevin • September 13, 2016 3:33 PM

Are we sure that this isn't the NSA or DoD who have been playing around? What better way to defend our internet than know what its weaknesses are? Far fetched? Would you really put it past these guys? NSA is accountable to no one.

Also, what better way to get additional Federal funding than to get the rumors started that our internet is under attack. Cyber funding has skyrocketed since StuxNet found its way into the wild!

FUD fear, uncertainty, and doubt mean more money


tlhonmey • September 13, 2016 3:43 PM

Don't discount the USA as the source of the attacks. I definitely remember a certain president saying he wanted an "Internet Kill Switch" just in case something like the "Arab Spring" happened here... Was headline news a few years ago, pretty easy to find.

Clive Robinson • September 13, 2016 3:44 PM

@ Bruce,

If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS).

Hmm in the past all it's required is a rodent with sharp teeth, or misconfigured border protocols.

Likewise when talking of "tangible" physical attacks as was seen with power transformers, if you know what to aim at a few cheap rounds of ammunition used on a choke point will do. Heck even low-grade Romanian gypsies stealing cable to sell as scrap have brought down telecommunications infrastructure very well and much more permanently.

As for "intangible" information attacks then DDoS attacks are just the current flavour of the month being seen. There are other much better ways that State Level attackers could use (think attacks against backbone routers for instance by a nice piece of APT payload).

Thus I would suggest that they are not "attacks" as such, but "black box testing" to enumerate for other much more effective attacks.

The reason I say this is DDoS attacks are grossly inefficient. Whilst they might be cheap for "bot herders" the result is that the botnet gets compromised and its control channel etc identified and neutered. Further DDoS attacks are distance sensitive, the further the attacking host is from the target host the easier it is to reduce or limit the effects of a DDoS attack.

If you want a real world analogy think of a DDoS attack as being like "covering fire" it uses an incredible amount of resources to achieve very little, in that the opponent just keeps their head down whilst it is happening. A sniper however is very resource efficient taking just one or two rounds to permanently eliminate an opponent.

A major use of covering fire, is to keep the enemy's head down in their slit trenches etc whilst members of your forces come up on their flank and at an appropriate signal run across close to the slit trenches chucking in fragmentation grenades etc.

And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc.

jer • September 13, 2016 4:06 PM

@Clive Robinson: Did you assume just there that these were /not/ attacks on DNS or BGP?

Rubens Kuhl • September 13, 2016 4:06 PM


Verisign is the registry for .com and .net domains, not the registrar; the registry is indeed the most critical infrastructure in the value chain because it's the one publishing DNS delegations, but the registrar is the one interfacing with registrants and then possibly updating the information stored in the registry.

WhiskersInMenlo • September 13, 2016 4:08 PM

There are good and bad parts to this.

A distributed attack implies a footprint of one or more exploited flaws. It also implies a command and control system.

This is one place where the hoarding of defect knowledge by a TLA has value. Some sample of these compromised machines can be inspected and the vermin identified and solutions developed.

Some defects facilitate abuse and others allow forensic inspection.

I would be happy to see bug fixes for old and musty operating systems escape from special fee update sites from time to time.

I am modestly pleased with the Windows 10 update policy but less so with their snooping and data gathering tricks. The optimist in me wants to believe that some at M$ are using the army of Win10 machines to assist in squashing these distributed collections of compromised machines. Not actively but statistically. A vendor or TLA could patch them and thus disconnect them from central command as part of the patch process.

There are two classes of hardware: cheap inexpensive machines handed down and running old crud without a license as it were. A second would be the infrastructure machines like big routers and server clusters.

The inexpensive small machines are the pawns and outnumber the command and control systems by orders of magnitude. They may prove easier to patch and fix than the valuable command and control machines.

One recent criminal act: The false "Paramount Issues DMCA Takedown On Ubuntu Linux Torrent" is a step backward in the distribution of an improved OS compared to WinXP and older Wincruft for old limited CPU power machines.

A critical problem with bot farms is the distributed computation power. Some bitcoin work is being done on compromised hardware. That is a bad symptom. That army could be turned (if it is not already) to attack validation keys that enable vendors to validate and install bug fix updates.

If and only if (IFF) agencies near and far chartered with security pay attention to reality and IFF law makers get good advice and pass quality law that encourages responsible research and product responsibility will we avoid a disaster.


Consider a four year old modern phone made by a company with home offices on one side of a DMZ separating it from a nation with troubling intentions. Such devices are too expensive to discard and too powerful to be allowed unpatched on the internet or cell phone networks.

Law: Failure to patch older hardware should be grounds to halt the import of new hardware. It is in the national (all nations) interest to hobble business plans that profit from planned obsolescence of product by neglecting the maintenance of software. Phones, Smart TVs, DVD players with Smarts, routers, modems....

Daniel • September 13, 2016 4:09 PM

@Kevin

My thought exactly. We know that the government engages in "stress tests" of the financial system and the banking industry. So it would be expected that they would do the same thing with the internet. I'm deeply puzzled by Bruce's insistence that this must be a foreign actor. Someone said recently, "security researchers came to the conclusion that attribution was hard, then they promptly forgot it." This essay seems more evidence of that.

ab praeceptis • September 13, 2016 4:16 PM

Two remarks re. the blog entry:

There are, somewhat simplified, three perspectives, namely the technical perspective, the political perspective, and the commercial perspective. Our problems are to a considerable degree self-inflicted by allowing commercial and political perspectives and interests to dominate decision making.

Example in case: A techie would, of course, vote for a redundant approach (which was, after all, the very idea behind the internet). Commercial interests, however, prefer other approaches, particularly those that enable them to build quasi monopolies. That's why .com and .net are basically dependent on a few (or even just one) company/ies.

That same cardinal sin was repeated with PKI, namely with the dreaded CAs. Result: a major clusterf*ck.

Second remark: I take much of what B. Schneier quoted here as being (mis)guided by an almost religious belief in technology (that is more or less centered across the ocean).

Putting on my intelligence hat, I'd quickly come to the conclusion that a) "cyber intelligence gathering" is just one of many ways and b) that that way leaves traces and makes lots of noise.

Why run a major ddos attack when I can gain much information by having a room cleaner tell me the exact model and other information about critical devices? Why run a ddos, when I can simply and cheaply rent a server at a colocation and find out quite a lot the boring old way (like walking in, being excited by the oh so super high-tech equipment and being shown around by a friendly colo technician? Even cheaper, many colos, some of them running quite critical infrastructure, proudly show their equipment even on their web pages.

Having worked in a major colo I know the situation from the other side, too. Background checking personnel only goes so far (and in some legislations is severely limited by legal restrictions). Getting your techies to be tight-lipped is relatively easy. Getting them to stay tight-lipped when having a beer with colleagues, however, is next to impossible.

Another problem is customers. As management you have to find a balance between PR/marketing and being security minded. Often not at all easy.

Plus you have service people for your equipment coming and going, and so on.

Are the goons in washington betting a lot on cyber intelligence? Sure. Do the Russians, too? I have grave doubts. Show is worth little in Russia, tangible and real results are what is desired and expected.

Finally, stop dreaming! One doesn't need to run major ddos and ci attacks to find out. Intelligently and professionally analyzing OSs, cisco and juniper boxen and the like will reward you with way more easy to open doors than massive ci gathering.

Ergo Sum • September 13, 2016 4:29 PM

@Clive...

And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc.

Sounds about right, but if you discount Russia, and that's a big if...

Why would a nation state do this, especially China and the US, when most of the hardware, including network, comes prepackaged with malware already? Maybe the "cover fire" is for activating the malware instead and we are at the brink of cyberwarfare for real.

Bill Stewart • September 13, 2016 4:36 PM

It's so easy for a well-funded Bad Guy to hide: use stolen credit cards to buy other stolen credit cards from The Usual Suspects, use those to buy cloud time on multiple servers, use those to deliver malware through ads you also bought with hard-to-trace money, and build yourself a spare bot army that sits there quietly while you use your other bot army to do some test attacks.

"Mutually Assured Destruction" is a two-player game; it's different in a three-or-more player version where Eurasia rents some servers in Eastasia to attack Oceana and get them to retaliate, with everything laundered through shell corporations, actual corrupt Nigerian officials, competing Russian crime syndicates, and the occasional Balkan-region teenage hacker who only exists on paper.

"US Government Stress Tests"? That's not how any of the legitimate US government agencies would work (and the Treasury didn't run bank stress tests by actually making half their new mortgages default, either.) I'm not saying that there aren't illegitimate Internet activities going on, but the spooky agencies are much more interested in comprehensive eavesdropping than in DDoS.

EvilKiru • September 13, 2016 5:40 PM


@AJWM: AT&T is doing away with DSL in favor of U-verse, so no, I no longer have a landline, but my phone bill dropped by over thirty bucks.

Sancho_P • September 13, 2016 5:48 PM

I appreciate these attempts.
Curiosity is the very basic system of nature, the driving force behind evolution.
Hopefully the tests will bear fruits and the system will improve.
Hint: Monopolies are the beginning of the end.

Russia and China, yeah, together they’ve invented the Internet, just to harm the US!

”It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.” (@Bruce, my emphasis)
Hilarious! You made my day!

Btw., cutting “them” from the Net is similar to cutting your hands off.
OK, probably with the Net it will take some hours more to realize.

@Bill Stewart (“legitimate US government agencies”):
I can hear ya, from the Bay of Pigs to Athens, from Tehran to …

Marshall • September 13, 2016 6:05 PM

and learn to grow vegetables

Simba • September 13, 2016 6:45 PM

Let's send the air force and bomb them.

DBM • September 13, 2016 6:46 PM

Well, if you read the Verisign report summarizing Q2 2016 DDOS Attacks, there is a map on page 12, showing that the vast majority of attacks came through from the USA, Germany, and Great Britain. China, Russia, Brazil, and N.Korea hardly have any presence.

Sacco Vanzetti • September 13, 2016 7:13 PM

I hope America's foreign archenemies wait to destroy the Internet till we're done downloading the filesthey got that prove US democracy is fake, in case it didn't work when they poisoned Hillary.

https://uploadfiles.io/7dc58PW: GuCCif3r_2.0

Jim N • September 13, 2016 8:07 PM

@ Bill Stewart


"actual corrupt Nigerian officials, competing Russian crime syndicates, and the occasional Balkan-region teenage hacker who only exists on paper."

..and that Romanian masterhacker who can't hack, otherwise dubbed '1.0', but allegedly had hacked Hillary's emails when that allegation was deemed benevolent.

So consider this, what would we do without internet (after internet)? There is certainly life A.I. We'd all go back to watch the TV and listen to radio, with antennas.

My Info • September 13, 2016 8:37 PM

@WhiskersInMenlo

There are two classes of hardware: cheap inexpensive machines handed down and running old crud without a license as it were. A second would be the infrastructure machines like big routers and server clusters.

Sounds like another middle manager taken in by slick IT consultants and salesmen. That second class of hardware, let me explain, has a sleek metal frame that mounts neatly in a rack and it comes with a premium 24x7 valet-service on-site on-call technical support contract, but deep down inside, when it comes to the actual chips and even the actual software that runs on the chips it's the Same Old Shit, otherwise known as S.O.S. When it comes to computer chips, you'll never know the difference between cheap shit and expensive shit unless something goes wrong, and with all that VIP-level support, it doesn't matter anyway. The chips are CZ and you've got some salesman with cuff links dazzling you with all this technical talk about the 4 C's and several bullet points about why his brand is better than the competition.

John Smith • September 13, 2016 9:52 PM

Clive Robinson's comment:

"...And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc."

In that vein, careful calibration of DDoS attacks could be preparation for DNS cache poisoning/MITM attacks on certain targets.

During l'affaire Snowden, Edward warned Laura Poitras et al. to conceal, as much as possible, their internet locations: if NSA knows where you are, in the IP sense, it knows how best to attack you.

Agent J • September 13, 2016 11:21 PM

@Marshall

I don't think growing vegetables is going to help at all.

People are dumb, panicky dangerous animals ...

Clive Robinson • September 14, 2016 12:43 AM


@ DBM,

...Q2 2016 DDOS Attacks, there is a map on page 12, showing that the vast majority ofattacks came through from the USA, Germany, and Great Britain...

I suspect that it might have a lot to do with "home broadband".

After all, it's known that many "service provider" provided DSL etc routers have built in WAN side backdoors for "service technicians" to reconfigure them remotely... With the majority of computers on the LAN side being unpatched Win OS's with one or two low end AV solutions on them.

If you think about it as an attack surface, it's a handful of vast monocultures. So from an attacker's point of view it's quite a desirable target as a single attack type gets you tens of thousands of zombies for a botnet etc.

keiner • September 14, 2016 1:21 AM

...yeah, but on the other hand: Training keeps you fit! These internet "service" providers are all fat cats without much resistance to threats.

Maybe Apple should look for some billions in its deep pockets to preserve the infrastructure it so hardly depends on (or to be correct: the users of its hardware trash so hardly depend on).

Just saying.

Spooky • September 14, 2016 1:36 AM

The economic damage caused by a multiday global outage would probably be on the order of 100s of billions to trillions. Sadly, most businesses do not have a Plan B that doesn't involve some form of non-local network access (even smaller retail shops still upload their daily transactional snapshots to corporate headquarters). For medium to large-sized companies, perhaps the decision to run their entire shop on VOIP, SaaS and Amazon AWS will need to be revisited. :)

If the internet were unavailable for an entire week (and cell networks proved utterly incapable of handling the traffic surge, even for simple SMS and voice comms) we'd be reduced to POTS, broadcast radio, television and local ham operators. And the postal service. Let that one sink in for a few seconds...

Cheers, Spooky

Clive Robinson • September 14, 2016 1:37 AM

@ John Smith,

During l'affair Snowden, Edward warned Laura Poitras et al. to conceal, as much as possible, their internet locations: if NSA knows where you are, in the IP sense, it knows how best to attack you.


I'm still surprised at how few people picked up on the implications of that comment. It's perhaps better said "If I own the upstream node from you, I own your traffic". The main implication is the likes of the NSA strive to own the network switching/routing nodes, not individual leaf nodes.

So as an owner of a leaf node, it does not matter how much you instrument your systems, you will not see NSA droppings on your systems. As we now know the likes of SSL has not been much of an impediment to their activities due to implementation defects.

However if you do become a person of sufficient interest, ownership of the upstream node to a target allows a tailored approach to dropping RAM only malware onto your system. Then using that as a bridge to get sufficient information on the system internals, put a real low level exploit in the likes of ROM on I/O devices, where all but the most expert of searchers with specialised equipment will not find it.

As I indicated at the time sending "Tweedle Dee and Tweedle Dumb" up from GCHQ in Cheltenham to the London Offices of the Guardian was a real mistake. It allowed the Guardian to subsequently show to the world the areas of hardware on motherboards where they had removed and destroyed components.

It was confirmation of what sort of real low level attacks were possible (and actually known about by "old hands"). Which if people remember back then there was a lot of "head in sand" behaviour with "BadBIOS" denials. With such tricks later being shown to be used commercially by the likes of Lenovo to put persistent malware on their systems that would survive a full hard drive wipe etc...

And people wonder why I still build systems using old CPU's with real old fashioned UVROMs and have no Flash ROM or other "electrically alterable" ROM...

BongSmoking Primitive MonkeyBrained Spook • September 14, 2016 1:56 AM

@Clive Robinson,

"head in sand" behaviour with "BadBIOS" denials.

Sir! Please! BadBIOS to you. It's GoodBIOS to me :)

And people wonder why I still build systems using old CPU's

Yea! Old CPUs! I manufacture new ones and make them look old. That 486 you get isn't really what you think it is :)

Flash ROM or other "electrically alterable" ROM...

Hopefully another schmuck whistleblower won't publish a paper that leaks my electrostatic subversion tool! I can charge a hair comb just right, and bring it next to your computer to infect it. We can alter your ROM by modulating the ambient humidity of your device. Try to airgap that one ;)

Matthew Skala • September 14, 2016 2:20 AM

Linode, where I do some virtual-server stuff, experienced a series of attacks fitting the profile Bruce describes over the Christmas-to-New Year's period 2015/2016. They're not a huge player, but maybe big enough to be targeted by the kind of attacker he implies.

Spooky • September 14, 2016 2:28 AM

@ Clive,

And people wonder why I still build systems using old CPU's with real old fashioned UVROMs and have no Flash ROM or other "electrically alterable" ROM...

You know, I was reasonably happy with my trusty 286 in college; everything was rendered in a soothing shade of amber. So long as our standard unit of informational currency continues to be text, every computer produced since the 1960s should be capable of adequately consuming that data for your ongoing edification and enjoyment. Also, symmetric crypto is still possible on those old beasts.

Cheers, Spooky

Clive Robinson • September 14, 2016 3:04 AM

@ Spooky,

Also, symmetric crypto is still possible on those old beasts.

This is where I really show how old I am...

Back when Byte Magazine was the number one computer mag to get, they published an article on RSA public key. Within a couple of days I'd written a 256-bit version in Z80 assembler to run on a Microsoft CP/M card for the Apple ][.

As for PC's yup I remember amber screens, they were so much nicer on the eye than the eerie green of the "glass tty's" still prevalent in data centers of the time.

For my sins locked up in the safe is an Amstrad PPC640 "portable" computer with 8086, 640K ram, dual 720k floppies and a 2400baud modem and "pull up" LCD panel with a strange yellowy green colour. As I've mentioned before I still use it occasionally for generating OTP pages on a dot matrix printer with two part stationery...

Peter Galbavy • September 14, 2016 4:06 AM

20 years or so ago I remember standing up in a RIPE meeting and asking how IPv6 is going to provide diverse routeing via BGP to those that don't want to live in a hierarchically routed world. The academics couldn't understand why we, the commercial world, would want this in the brave new world of IPv6. This is one of the many reasons IPv6 failed and we are stuck with IPv4 (and no easy to get address space anymore).

The worry about state-actor attacks like this is somewhat like that; many don't quite "get it" and believe that the individual parts that they are not interested in are not critical to others. You stop the cat videos flowing and you have as much of a problem as if you block consumer bank accounts.


Some here will worry about the power station or the sewage systems being attacked while not noticing the traffic lights and cameras not working anymore.

Also, amazing what damage you can do with a pair of insulated wirecutters and knowing which road junctions to go fibre cutting at. Only other accessories required are hi-vis clothing and some traffic cones or barriers. No one will ask a thing.

Too Long Didn't Read • September 14, 2016 6:03 AM

TL;DR the comments. What if it's a helpful sprite, what wants to improve the internetz. What if I have a friend, and he knows how to do things, and knows the internet is weak, but wants it to be strong. He probes, he scans, he DDOS's these various points, testing the other points along the way is just a natural consequence and I think is being read into more than needs to be. Things are getting stronger, revisiting the folks appears to show that the improvements are working! Everything is so gloom and doom in security, just chill and lets see what happens. If it were a nation-state, which I again think too much credit is given to, a few guys with mild coordination/discipline could do what "nation states" do, DOS is an unsophisticated tool, if I were a "nation state" I'd use something worse in addition to DOS.

Martin Marcher • September 14, 2016 6:05 AM

China or Russia would be my first guesses.

I'm sorry to be nitpicking but why isn't the United States a possibility here?

keiner • September 14, 2016 6:52 AM

"Jehova, he said Jehova!"

Ph • September 14, 2016 7:36 AM

"in Q2 2016, attacks continued to become more frequent, persistent, and complex."

DNS Root letters also got a lot of unnatural traffic in that period, up to 17 Gb/s/letter of TCP SYN and ICMP flood.

http://rootservers.org/news/eventsof20160625.txt

I wonder if that was part of it.

As an old skool hacker, i wonder if i will see the root dns go down in my lifetime, it used to be the summun for hackers, but i guess they gave up after a few reasonable tries.

r / agent rng • September 14, 2016 9:19 AM

@Clive, All

While I'm sure you realize this @Clive, for anyone else who's listening his dot-matrix printer would still be vulnerable to a simplified version of the 3d printer dual side-channel leak I'd assume.


It's also likely QUITE A BIT louder acoustically and electromagnetically too.

War Geek • September 14, 2016 10:04 AM

First an observation: NANOG folks have noticed this before, typically the threads boil down to ways to do mandatory uRPF or postulations about reputation based filtering for the ISPs that refuse to do uRPF.

Second, on the "this is really not new" point: it's especially not new for China.

I worked at a large operations center who among their customers included the uplinks for a number of USAF bases. As I was on the night shift my team spent a lot of time fielding weird problem requests escalated by the more prominent customers out of the CNS group. One such call was a clockwork monthly call we got for years starting in 2002 from a 'Hong Kong government IT' staffer. Every month he would ask the same thing, can we, the ISP for the same nuclear bomber USAF base, ask the USAF IT staff to stop filtering IP packets coming from their HK networks.

I had to find polite ways to say 'No' even though both ends of the phone knew it was a farce.

Yet they kept calling because they were waiting for the one time someone wasn't thinking.

The Chinese really don't care if we spot them, they think that overall they will eventually find the stupid and get through anyway.

Aegeus • September 14, 2016 10:12 AM

@Clive: Does the "covering fire" metaphor actually work in cyberspace? A DDOS attack makes the server unusable for everyone, attackers included. You can't lay down covering fire if your allies are running in front of your own bullets.

Maybe you could make it more of a headache for the defenders to figure out what happened: their access logs show a trillion connections from the DOS attack and one connection from a more sophisticated attack, so it gets lost in the shuffle, but a good search tool should be able to sort through all the "haystack" to find the needle within. And in any case, this would only serve to cover your tracks, not to open up a path for attacks that wouldn't otherwise succeed.
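Aegeus's point that the needle stays findable in the haystack, as an added example that is not part of the thread: a small triage pass over a constructed access log in Common Log Format. It strips out sources that behave like flood bots (very high volume, one or two paths) and then surfaces the residual requests an analyst would want to look at. The log lines, IP ranges (documentation ranges only), thresholds and the "sensitive path" rule are all constructed for this example.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed rule for this example: paths an analyst wants to see hit
# during a flood, however few requests they receive.
SENSITIVE_PATH = re.compile(r'^/(admin|login)(/|$)')


def parse_log(lines):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def flood_sources(records, min_requests=50, max_paths=2):
    """Sources that look like flood bots in this window: at least
    min_requests hits spread over at most max_paths distinct paths.
    Both thresholds are constructed tunables, not measured values."""
    hits = defaultdict(int)
    paths = defaultdict(set)
    for r in records:
        hits[r["ip"]] += 1
        paths[r["ip"]].add(r["path"])
    return {ip for ip, n in hits.items()
            if n >= min_requests and len(paths[ip]) <= max_paths}


def residual_events(records, flood):
    """Everything that is not attributable to a flood source."""
    return [r for r in records if r["ip"] not in flood]


def needles(residual):
    """Residual requests worth an analyst's eyes: a sensitive path,
    or a server-side error that the flood cannot explain."""
    return [r for r in residual
            if SENSITIVE_PATH.match(r["path"]) or r["status"] >= 500]


def triage(lines):
    """One-shot summary: how much was flood, what was left, what to read."""
    records = parse_log(lines)
    flood = flood_sources(records)
    residual = residual_events(records, flood)
    return {
        "total": len(records),
        "flood_sources": len(flood),
        "flood_requests": len(records) - len(residual),
        "residual": len(residual),
        "needles": needles(residual),
    }


def constructed_log():
    """Constructed sample: 40 bot addresses each sending 120 GETs to '/',
    three ordinary visitors, and one lone request to an admin path."""
    ts = "14/Sep/2016:10:12:0{} +0000"
    lines = []
    for b in range(40):                      # TEST-NET-3 documentation range
        ip = "203.0.113.{}".format(b + 1)
        lines += ['{} - - [{}] "GET / HTTP/1.1" 503 0'.format(ip, ts.format(1))] * 120
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for path in ("/", "/about", "/contact"):
            lines.append('{} - - [{}] "GET {} HTTP/1.1" 200 512'
                         .format(ip, ts.format(2), path))
    # The needle: a single request hidden under 4800 flood lines.
    lines.append('192.0.2.44 - - [{}] "POST /admin/login HTTP/1.1" 302 0'
                 .format(ts.format(3)))
    return lines


if __name__ == "__main__":
    summary = triage(constructed_log())
    print({k: v for k, v in summary.items() if k != "needles"})
    for r in summary["needles"]:
        print("review:", r["ip"], r["method"], r["path"], r["status"])
```

On the constructed log the flood is 4800 of 4810 lines, and the single POST to /admin/login is the only residual request the rule flags.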

Badtux • September 14, 2016 12:05 PM

I have hosts on three different major hosting companies. One has seen major attacks that took down large parts of their infrastructure for several days at the end of last year, and is having to quadruple their pipes to deal with continuing attacks. They are baffled because the attacks don't comport with any of the previous attacks they've ever seen, which is where an attack is against the hosts of a specific domain that the attackers want to take offline, but, rather, the attacks are against the hosting company's infrastructure and they've received no, zero, communications about who the attackers are and what their demands are, something they've received in the past when people tried to take down a specific domain and resorted to attacking the infrastructure as part of their campaign to do so.

The second is under near-continuous attack because of their scale, but they, too, have seen parts of their infrastructure temporarily taken down by attackers who figured out how to trigger various scaling mechanisms rapidly and overload their control plane. They've hardened those mechanisms and added throttles to prevent the backlogs of requests that overloaded their control plane, but again, nobody took credit for the attack.

The third has thus far been spared the majority of the attacks, but their control plane also got attacked. Luckily they'd already implemented mechanisms to deal with an attack on their control plane, but they did have their DNS servers taken offline for a couple of hours by the attack, which meant that their customers who used their DNS servers (rather than DNS servers hosted elsewhere) went offline from the perspective of most of the Internet. Again, nobody took credit for the attack or made any demands.

All of these companies have had attacks against specific sites that have become controversial for one reason or another, but those are typically accompanied by demands from non-state actors. This is the first time they've simply been silently attacked.

My prediction is that things are ramping up for a major attack at the end of this year, when the majority of senior staff at most of these companies take a vacation between Christmas and New Years, where there will be concerted attacks on at least one of these infrastructure companies that will take down a large swathe of the Internet for at least several hours. What to do about it... I know that at least one of these infrastructure companies is making contingency plans, but of course am not privy to the exact plans. As for the root servers going offline, there are contingency plans for that too that should keep their customers working in many cases at least on a short term basis. Still, it's worrisome that we still have zero communications from non-state actors about any of these attacks, which tends to back up the supposition that it's a state actor doing this.

Mark Stafford • September 14, 2016 1:07 PM

Deliberately proactive...

So here's an interesting little snippet. I understand from a retail ISP that they know for a fact that only about 30% of domestic addresses in the UK have Malware protection, because they can see traffic to/from those providers, even though this same ISP gives away subscriptions of one vendor's offering.

That's the equivalent of having 70% of traffic on your road system as malicious, but targeted take-overable malicious. Imagine every truck in a country free and able to head straight into a city all at once. That's what a DDOS is. (Which we technologists should start to use these analogies and not talk "DNS" this or "TCP" that)

There is a reason we ask that cars/trucks are tested regularly to make sure they are fit to be on our roads, as well as the users of those vehicles being licensed. Those roads have capacities and traffic is managed (again I know that's a whole can of worms).

Either we apply that to the internet OR we allow those ISP's to have policing of end user access and block those that are ignorant or have malpractice. ISP's in the UK cannot immediately block an end point (currently) at source. So any traffic is free to do its stuff unhindered.

yoshii • September 14, 2016 2:18 PM

Please comprehend...


The US Government Establishment and/or it's Attache` has already historically (within the recent 5-10 years) publicly acknowledged that it/they have technological interest and research in how to accomplish an "OFF SWITCH" for the Internet (DARPANET).

Please stop aggravating geopolitical nodes of information sharing with insinuations and accusations that all efforts are malicious and/or originate from nations other than the USA.

And of course it is worth mentioning that the USA is a big place with many different organizations and affiliations and credos (or lack thereof).

Too many false assumptions spread like malware destabilizes international relations.

Z.Lozinski • September 14, 2016 3:43 PM

Ciaran Martin, whose title is Director General Cyber at GCHQ, gave a public speech yesterday in Washington DC. It makes interesting reading. Especially in the context of Bruce's comments.

One area he focuses on is how the UK telecoms and ISP industries are cooperating with GCHQ on mitigating potential attacks. He specifically calls out defending SS7 and BGP where the weaknesses are due to an outdated trust model.

He also mentions a pilot scheme scaling DNS filtering to the entire UK to automatically block traffic to "known malware and bad addresses". And he also makes the point this has to be opt-in to deal with consumers' privacy concerns.

The whole speech is well worth reading. The first paragraphs are a standard diplomatic speech but much is refreshingly honest.

https://www.cesg.gov.uk/news/newapproachcybersecurityuk

Just this guy, you know • September 14, 2016 3:59 PM

The salient point is that it's happening now and now, oh, ten years ago. What else is happening now? Oh right, another round of DRAMA at ICANN't, where they're lobbying to get to rule themselves "transparently" while at the same time repeatedly proving to world+dog that they are not trustworthy. They're just wannabe oligarchs. Which is one reason why the critters in senate and congress oppose it so much. But whatever happens, since ICANN't is still a California corporation, subject to PATRIOT act, NSLs, and whatnot else, it's all for show.

So it makes eminent sense that other parties say things like, "oh right, things may or may not change, but let's at least make sure we know how to turn the whole thing on its head." For whatever reason, like taking it out at a crucial point and providing a more viable alternative. No matter the reason, the capability is undeniably useful, but the timing is conspicuous.

And whoever they are, they're in a good position for such shenanigans, because in either case the political supports of the current critical infrastructure are simply too weak to withstand any headwind at all. So we have structural failures at layer nine, and they are unfixable given all publicly contemplated options.


And yes, far too often the techies get blindsided by the political games, or completely misinterpret what's going on, or outright refuse to see what's happening right under their noses. So this trainwreck will go right on and continue to wreck itself.

I do have an alternative. Get Barry to call me, he has my number. If you care.

Clive Robinson • September 14, 2016 5:02 PM

@ Badtux,

My prediction is that things are ramping up for a major attack at the end of this year, when the majority of senior staff at most of these companies take a vacation between Christmas and New Years

My guess if it is to be towards the end of the year and the perps want to cause major impact, it would be the first shopping day after thanksgiving "black friday". It would be major news worthy and would give rise to tabloid titles such as "Blackout Friday" etc. It would cause a fair degree of economic damage at the bottom of the economy and cause quite a bit of distress in those hunting for that special bargain.

Just a thought • September 14, 2016 8:34 PM

I don't know if it's been mentioned yet but.... I think if this is true then it's just staging. I'm sure most people aren't going to be OK with a foreign entity being in charge of the Internet as is being suggested by potus. The usual problem reaction solution trick the government does. So create a problem, garner reaction, offer a solution.

Jim N • September 14, 2016 9:10 PM

@ Just a thought,

"So create a problem garner reaction offer a solution."

I doubt the exiting POTUS suggested that US is in control of the entire internet, though I agree this seems more like a publicity stunt and a recurring event over many years.

Clive Robinson • September 15, 2016 12:21 AM

@ Z.Lozinski,

He specifically calls out defending SS7 and BGP where the weaknesses are due to an outdated trust model.

It's funny you should mention "outdated trust model" and GCHQ together.

I'm sure quite a few UK Members of Parliament (MPs) now understand the concept of "outdated trust model". Having been told by civil servants for decades that "the Wilson Doctrine" was specifically designed to keep their privileged communications confidential against the UK IC, thus they need not concern themselves with privilege/confidentiality/secrecy. It must have come as quite a bit of a shock to be told that it was completely and utterly ignored by GCHQ virtually from day one...

The MPs must further have been galled about GCHQ's supposed clearing of the use of certain Microsoft products, that stored the MP's documents, emails etc via foreign countries such that they too became "legitimate traffic" for both GCHQ and other nations ICs to hoover up en masse.

And at the end of the day there is now no trust in the mind of a sensible informed individual[1] when it comes to the ICs. Not just of foreign states that's almost a given, but the home nation as well.

Whilst the idea of a "Great British Firewall" (GBF) is a seductive idea it's actually a throw back to "Old Imperialist Thinking".

That is it's just more old "Pull up the draw bridge and keep out 'johnny foreigner'" people are castigating the likes of Donald Trump for. The GBF has been suggested and sensibly rejected in the past a number of times. I suspect that it's been dragged out of the cupboard yet again because our current government is now under the control of Theresa May PM off of the back of the "Brexit vote". She is/was the driving force behind a great deal of very poor legislation including "the snoopers charter" and the European Court of Human Rights has been frequently and quite sensibly opposed to what appears to be her "ideals, mores and morals".

The GBF would actually have been illegal previously because EEC and EU legislation uses the term "any person legal or natural" when talking about "free trade/movement". Which in effect means not just "Johnny foreigner" but all companies their agents and similar along with their "goods and services" tangible and intangible. Thus those outside the EU would set up European Shell Companies in compliant "blind eye turning" countries of which there are several as the Apple Tax Evasion scandal has quite clearly shown.

Thus even if the GBF had been legally possible it would have created the information equivalent of the physical problems "The Schengen Area" agreement created that has lead to the impossible to manage Sangatte and similar issues.

The truth of the matter is "choke point security" which all Firewall systems are, are a bad idea if youcan not 100% guarantee there are no other ingress/egress points.

Thus the GBF could be looked on as a "decrepit fence around a nuclear waste dump", not something you would sanction unless you had no other choice. And the truth is that the proper solution is "clean up the mess" not "put an impossible to secure fence around it". Because if you don't you just "build in future debt" that due to complexity will grow as a power law.

Thus the reality is a GBF would not really solve any of the issues just mitigate them slightly short term. Further the cost would escalate to the point that it would be yet another unneeded tax on economic growth, as well as being a crippling impediment to productivity thus businesses would either become stagnant or move, with the latter being the favoured path by most businesses (think about why Apple setup it's European operation the way it did).

So rather than "hide the mess" behind a GBF the correct solution is "clear up the mess as quickly as possible".


But... All of the above issues assume an "honest system" running the GBF, the problem is there are no "honest systems" when governments are involved due to various "capture mechanisms". Our current western IC is out of control and not subject to the level of trustable oversight needed to keep it honest or trustable. Leaving aside the idea of turning "poachers into gamekeepers" there is no incentive for the IC to behave honestly, therefore they can not by definition be trusted.

But it really does not matter if the IC actually runs the GBF or not. The steps needed to make the GBF work favour the IC more than the GBF, thus they benefit tremendously either way.

[1] "The reasonable man on a Clapham Omnibus" definition that was once much loved as a test by the legal profession.

Vytautas • September 15, 2016 1:02 AM

Something like this has been going on for some time. Remember a few years back when China Telcom by accident (twice) diverted about 15 percent of world Internet traffic through its systems? (see: http://www.pcworld.com/article/211277/china_probably_didnt_hijack_the_internet_on_purpose_researcher_says.html?tk=nl_dnx_t_crawl)

tyr • September 15, 2016 1:50 AM

@Clive

I'll bet at some point May decides to investigate buying the GF of China because it works the way her mindset does.

Malice is unnecessary when stupidity is around.

Skipresto • September 15, 2016 2:09 AM

Careless talk costs lives. Many on here just showing off their knowledge to the enemy.

Z.Lozinski • September 15, 2016 3:54 AM

@Clive,

You've made the obvious conclusion that this is a step towards a Great British Firewall (GBF). I'm going to disagree (in part) and agree (in part) with some of your conclusions on the implications.

First to disagree. Any major ISP already has to put in place defences against a variety of attacks. And they share information about what they see. The problem is usually the smaller, cost-focused, ISPs. They are the ones that would benefit from GCHQ saying "here is your next set of problems: apply this set of rules". Much like GCHQ's security recommendations to UK businesses they are nothing anyone here would quibble with but for many small and medium companies they are valuable, if only they would implement them!


And to agree. The UK courts have been willing to order ISPs to implement technical measures to protect the commercial interests of media companies. It is a short step for those courts to see the GBF as a mechanism they can use to block content that is not illegal, but commercially or politically undesirable. (e.g. The UK celebrity injunction fiasco; some of the odd uses of the EU Right to be Forgotten).

I would also think, from an intelligence point of view, that it's preferable to have the world's nutjobs on the open internet where you can keep an eye on them, as opposed to having them develop the technical skills to go into the dark web. And I'm aware this conflicts with my own views on privacy.

Your point about the EU is interesting. There was clearly something in the air on Tuesday, as that was the same day the EU proposed its Directive on Copyright in a Single Digital Market. The net seems to be (Art. 13) that major OTTs will be responsible for policing online copyright. It's being reported on /.

Article 13 "Use of protected content by information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users"

http://ec.europa.eu/transparency/regdoc/rep/1/2016/EN/12016593ENF11.PDF

Ross Anderson's BCS Lovelace Lecture earlier this year on The Challenges of Scale also makes some interesting points in this area, about the implications of scale on both the intelligence community and the major digital companies (Apple, Google, Facebook).

http://academy.bcs.org/content/2016lecture

A logical consequence of Ross' presentations would be the Over The Top providers implementing protection mechanisms like that proposed by GCHQ. (e.g. So you can't post malware links to someone's FB timeline.) Then you get into the debate on whose values prevail on the internet, as Facebook recently found out with Nick Ut's 1972 photo of a Vietnamese girl fleeing a napalm attack.

Finally, I'm going to disagree with you about "the sensible informed individual on the Clapham omnibus". I've been very disappointed with the lack of public debate over the Snowden affair, apart from in Germany. Somehow the Overton Window of acceptable political discourse has moved to a point that was unthinkable only a few years ago with regards to surveillance. The only people concerned seem to be the security community, who observe backdoors are a Bad Idea, and that if you collect data online it becomes a Target (e.g. the US Office of Personnel Management; now if ever data belonged on paper in a double locked safe ...).

But it still leaves the question, how best to secure the vast majority of technology users who don'tunderstand security.

Mike Perry • September 15, 2016 7:05 AM

The fix for critical services like banking and hospitals is to get them off the Internet. There's no reason why everyone should be there. Those with particular needs should have their own networks and severely limit who is on them. That makes sense for security now, independent of any DDOS attack.

And if the source is China—which is likely—come up with ways to cut almost all traffic into and out of China. And by that I meant something that could be as drastic as a giant guillotine cutting fiber cable.

Install those cutoffs as close to China as possible, but if a country refuses to have the cutoff, include them in the exclusion. Keep in mind that you don't have to cut all traffic into and out of China. Just enough for that DDOS attack to fail.

And to state the all too obvious, come up with multiple ways to communicate that are not dependent on the Internet. That'd include HF radio, satellite phones, and any independent systems the military have. Plan how to use them in advance.

Don't forget those scenes in Independence Day when, with all other communication schemes shut down by the aliens, the U.S. military resorted to HF radio and CW. Sometimes the best technology is the least sophisticated and least complex, particularly when the entire system is a transmitter/receiver at each end. For HF, nothing else matters but the ionosphere and the time of day.

Exohmin Crendraven • September 15, 2016 8:12 AM

Please accept this hat that I made for you!

I spent a lot of time in its making, and an entire roll of aluminum foil.

I believe that if you wear it daily it will really help you.

Artist formerly known as Art • September 15, 2016 8:22 AM

Seriously? What is there to defend? Access to claptrap like this? It is a shame that 23 years into the era of common home internet use, it has had not one iota of net positive effect on the use of written language.

Rufo Guerreschi • September 15, 2016 8:23 AM

On what basis do you exclude US state agencies or groups within them?

Z.Lozinski • September 15, 2016 8:41 AM

@Mike Perry,

You have made me realise that one of the problems, ironically, is IP. We talk about how monocultures are a Bad Thing from a security perspective. And yet IP, and specifically IPv4, has become so pervasive that (in security terms) it is a monoculture.

One of the consequences is that everyone who needs remote access to anything (e.g. previously the dedicated dial-up console accesses) now uses IP.

I don't think disconnecting any company from the internet is likely to be helpful. Have a look at the TeleGeography maps of global interconnection to see how interconnected countries' networks are. Secondly, US companies' supply chains are closely integrated with companies in China.

Mile • September 15, 2016 8:51 AM

"China or Russia would be my first guesses." Oh move along, automatically blaming Russia or China is so past-century propaganda.

"It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on" Exactly, a US Cold War program. There is an impressive list of bad-guy things which in reality are done by the US more readily and on a larger scale than any other country labeled "bad guys". The US is violating the freedoms and privacy of its own citizens. The US is killing foreign civilians daily. The US is making deals with terrorists. The US threw the first atomic bomb, and the US will be the first to perform a major strike on the internet, as soon as the right excuse is created, as always. They are always trying too hard to make you believe that there is "US" and "them", and it is working. I'm not some fan of Russia either, but if I am to make a judgement based on evidence over doctrine, the US deserves a place among the top suspects.

r / agent rng • September 15, 2016 10:10 AM

@Art,

Really? You don't recognize that language even outside of the CE has been a moving target?

Maybe I articulated that enough for your particular articularity.

Dan • September 15, 2016 10:17 AM

Internet still uses old concepts and that freedom of thinking and its ingenuity pays back as usual in bad ways; instead of dynamic IPs, use fixed ones, make it linked to a precise person or company, like a phone number; make it all secure, meaning that only certain IP addresses can go into certain sites; I know that everyone will start yelling about privacy; there is no privacy even now so calm down; all security issues are coming mainly from the fact that potentially any user can do anything; well, if you need to use a site, certify your identity, that's all. Then, it's up to the software to see which one did what. End of worries.

bill • September 15, 2016 10:29 AM

Seems like only yesterday that we were all able to live just fine without the Internet. In some ways I long for those days.

Jim N • September 15, 2016 10:33 AM

@ Dan

You're making it too easy for bad actors to impersonate someone else. And let's not forget a user must be able to protect themselves from site operators because the trust model has issues of its own. There are a few countries that have had bad examples of this.

sinip • September 15, 2016 10:57 AM

Ah those pesky Russians and Chinese at work again. I mean, don't they have something else to do, like battling a falling economy, improving democracy and human rights, building more H-bombs, doping more athletes (wait, the US does that too but "legally"), or so? :))

Charles • September 15, 2016 11:36 AM

Let's remember that although human intelligence is (somewhat) easy, there are many things that slip past even the most intelligent and well trained humans. These attacks could very well be information gathering for big data analysis, where very small sets of sparse data are being gathered to find 0-day methods, methods not known to humans, even the creators of the systems under attack (Cisco comes to mind for some odd reason...) Sometimes a cigar is just a cigar.

Amal • September 15, 2016 11:47 AM

Agree with Mile, one of the primary suspects is the NSA themselves. If there is one agency which has superpowers to launch attacks of any kind it is definitely the NSA. And we know from the Snowden incidents how little conscience these guys have to violate any human rights and they have no backoff to perform the most evil of actions when they, in their divine rightness, deem this "necessary".

Green Squirrel • September 15, 2016 12:54 PM

@Clive it is very, very, very rare that I disagree with you but:

And I suspect that these DDoS attacks are the equivalent of "covering fire" to get in APT payload etc.

I read a lot of things saying something similar to this but I still don't believe it. DDoS attacks are noisy, simplistic and blunt objects. All it does is set off alarms on the victim and trigger response processes. It is not an effective way of covering a more subtle attack.

The problem I have with this mindset is that it takes a real world analogy and misapplies it to the cyber realm.

One of two situations is likely to exist:

1) The victims have good technical security (IPS, SIEM, Fireeye, Resilient etc, etc etc). If so, the DDoS won't stop any of these functioning, and if anything, will just draw attention to their alerts at a time of heightened panic.

2) The victims don't have good technical security in which case the DDoS isn't needed, just APT them to death.

Neither supports the value in running a DDoS to mask any other attack.

B • September 15, 2016 1:35 PM

It's sadly not surprising that a sizable portion of the moronic parrots posting comments all have the same entirely predictable, knee-jerk, banal objection to Bruce's comments pointing to China or Russia as the most likely suspects, borne out of nothing more than some sort of delayed adolescent, quasi-knowing but utterly uninformed, emotional bias against the US [government] combined with a clear lack of reading comprehension.

Please, before one more of you posts another variation on your repetitive theme: reread the article.

Bruce does not rule out any other actor being responsible, he simply says that in his *informed* opinion (i.e. that thing none of you has) China or Russia are most likely.

And as he also clearly states, he has information (as do the people he talked to who pointed at China) that he cannot share publicly.

So please those with the same biased disposition who haven't chimed in yet: save the rest of us from another "waaaahh!!! Why did you rule out the NSA!?!? Waaaahh!!" comment.

ab praeceptis • September 15, 2016 2:08 PM

Green Squirrel

I think you are wrong. The main two reasons being your assuming that the usual protection mechanisms still work (for everything except the DDOS) and the nature of a DDOS attack. There *is no* real protection, just some rather half-hearted mitigation. Once the traffic arrives at your firewall and other protection devices the damage is already done (and the costs incurred). Any protection whatsoever would need a propagation system (with all the caveats like trust problems). Moreover, looking closer you will notice that all that equipment has a max pps limit, beyond which its working (or not) becomes undefined. Depending on the device that may translate to "pass everything" applied or to "cut off everything".

Plus the human factor. Important example: Most attacks can be mumble-jumble explained away ("one customer has [done stupid or evil thing]. The problem is solved now. Apologies") but not DDOS. Each and every customer will notice that and quite probably the problem will also be mentioned in blogs, gazettes, etc.

Plus, while single customers might use massive protection schemes (like cloudflare) that's hardly an option for a provider, e.g. a hoster. Just look at the prices of "protected bandwidth".

Mile • September 15, 2016 3:07 PM

@B As we all know, and as the article itself confirms, attacks could be made to seem to come from anywhere in the world, and I'm sure a great deal of hackers use Chinese IPs and servers. All I am saying is, the way he puts it "China or Russia would be my first guesses." sounds more like the text is aimed at the average brainless yellow-press reader, the sort of stuff you add to an article on purpose to inspire cheeky discussion like the one we have now, in order to increase the number of page hits. He should have avoided publishing such an assumption without basing it on something more solid than "state actors" (so we know it's a state? Must be China or Russia) and "It's not normal for companies to do that" (like big companies are known to do normal stuff). Let's face it, "China or Russia would be my first guesses" sounds like a line out of black&white American movies. All this makes me feel a bit disappointed in CodeProject, the newsletter that brought me to this page, as they even gave this article a headline.

Btw B, you're the only one here who is calling people "moronic" and makes crying baby sounds in the comment box, so maybe you're the one who should contemplate on his "delayed adolescence."

free • September 15, 2016 3:13 PM

Schneier is a textbook example of US sponsored terrorism. All he does is spit out war propaganda so that people believe that evil actors everywhere are trying to attack them. This is the most basic tactic used by state terrorists in order to control their populations. Make them feel afraid (i.e. terrorize them) and then pretend to protect them and present themselves as divine saviours. Or "experts" in "cybersecurity".

Gerard van Vooren • September 15, 2016 3:32 PM

@ Skipresto,

Careless talk costs lives. Many on here just showing off their knowledge to the enemy.

They (whoever they are) invested a lot of money, tested a weapon and don't know what to do with it? It doesn't make sense. They know exactly what to do with it, when and why.

@ Amal,

Agree with Mile one of the primary suspects is the NSA themselves.

I don't think so. But are they ultimately responsible? Quite so. Not only the NSA but all IC and related parties I mean. Let me explain. Where do these DDOSes originate? Weak security on personal computers mostly so malware gets easily installed. Could this have been solved? Of course, it's only a matter of being willing to do so. The current trend is that there is no willingness (just read some of Bruce's blog articles). So the ICs are at least partly responsible. I don't think however that this attack is an NSA job.

@ Andy, Clive,

If it was Russia, it could be a test run for Nov. 8th.

My guess if it is to be towards the end of the year and the perps want to cause major impact, it would be the first shopping day after Thanksgiving, "Black Friday".

Let me add another date, October 1. That's the day that China will join the SDR.

About a technical solution, there isn't one that I know of against DDOS in the current environment but of course IPFS (and similar) could deal with the single point of failure problem. Maybe it's time for a true p2p internet.

Woo • September 15, 2016 3:37 PM

Sounds more like North Korea. You need someone with minimal internet connectivity. China and Russia are too connected.

Alex79 • September 15, 2016 3:48 PM

I'm sure it's Russia, because Putin's government now more and more brainwashes Russian citizens, telling them that the Iron Curtain was a good thing, that the Internet is a product of the devil, that scientific and cultural progress is against God (or against the "Russian spirit"), the West is rotting in sins, so Russians should restore the Iron Curtain for themselves, to become isolated from "dirty, alien and sinful" Western culture again. It's a wild mix of Soviet principles and Orthodox Christianity in its most conservative form.

ab praeceptis • September 15, 2016 3:55 PM

Alex79

Thank you so much. Thanks to your brilliant "logic" I've finally succeeded in spotting the most dangerous and evil cyberwarlords of all: The Amish in the united states of a part of a part of america.

Of course, the millions upon millions of pious usamericans and the poles are evil hackers, too.

Marcos Malo • September 15, 2016 4:29 PM

@r / agent rng

Aha! It's grammar prescriptivists that want to take down the Internet!

sinip • September 15, 2016 5:56 PM

@Alex79

I'd like to have a bit of the same thing you're smoking now. Looks simply awesome. :)

SomeOtherSquirrel • September 15, 2016 7:15 PM

"These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down."

since there're certain organisations out there that try to crash whole nations I've got some questions:

how big is the chance to calculate/estimate the possible crackdown point from the data they've already acquired?

given the fact that it would cost billions of $ if their efforts were successful... could it trigger a new economic crisis?

and last but not least the creepiest question:

what would happen if they manage to take down some of those root servers on a certain religiously and/or conspiracy-theory predicted day? think of the possible psychological impact that it would have on those groups... O_O

so long says some other squirrel

PS: sry for my bad English... i'm tired as hell ._.

Grauhut • September 15, 2016 7:19 PM

@Gerard: We have seen a show of force from a silent attacker.

China? No, too much alibaba traffic to lose.

Russia? They work targeted and a ddos stops targeted work, you never know which packet will get lost.

US? No, it's their toy.

Some kind of "would like to be the great invisible hand"... An NGO?

Bong-Smoking Primitive Monkey-Brained Spook • September 15, 2016 7:43 PM

Thilenth everyone! It wath jutht uth all along. Thmall fire drill, that'th all.

@sinip,

I'd like to have a bit of the same thing you're smoking now. Looks simply awesome. :)

I'm your Huckleberry ;)

SomeOtherSquirrel • September 15, 2016 7:51 PM

i wouldn't call it NGO... name it VEO (although it seems that they're not 'that' violent as long as they're able to use their soft-power tactics...)

PS: the western nation states are the target not the culprit... but anyway... i'm just a squirrel... so where are my nuts? :p

Jim N • September 15, 2016 8:11 PM

@ Grauhut

You're certainly right the big brothers would rather we be connected to the net all day so they can watch our every single move, but a little FUD wouldn't hurt their cause, at least in terms of funding and making us give up more freedom. :)

Gordon • September 15, 2016 11:01 PM

@Green Squirrel

One of the resources that DDoS exhausts is 'eyes on glass'. It's all very well having great tools properly configured and effective processes for utilizing them and responding to threats but if the attention of the competent staff is diverted to other matters apparently more critical to the ability of the business to continue to generate revenue then those tools won't be of much use no matter how brightly they are lit up.

By the time the analysts return from DDoS mitigation detail the APT has already played out its 'false positive' cover.

Grauhut • September 16, 2016 2:27 AM

@Gordon: A multi-gig ddos is not usable as cover fire. This would be back to the 90s.

Matt • September 16, 2016 5:02 AM

Why not just block China and other states that are suspected of this activity from the internet? These rogue countries are able to block their citizens from accessing it.

sinip • September 16, 2016 6:05 AM

@Matt

I'm pretty sure USA could do it for its own citizens, but if you haven't checked the facts lately, USA doesn't own Internet any longer. :) Actually, considering the quantity of Chinese equipment on Internet backbones, it could be USA on the "receiving" end of the stick, this time. If it doesn't behave.

JR • September 16, 2016 8:05 AM

"China or Russia..." It amazes me that our government's fear-mongering still lingers with everything we know. Anytime a politician wants to make sales commission on an arms deal, just throw out China or Russia as a threat.

This is most likely our own government, as people are finally realizing that this country isn't as free as we thought it was, the elite are abusing their power, using our troops to fight conflicts we started so they can line their pockets, and at some point, an uprising may occur to take back this country from them.

Jeff • September 16, 2016 11:10 AM

Why are you assuming it's Russia or China? It could be the US doing tests to prevent such attacks.

Gerard van Vooren • September 16, 2016 12:20 PM

@ Grauhut,

Russia? They work targeted and a ddos stops targeted work, you never know which packet will getlost.

I don't think one excludes the other and I also don't think that "Russia" is one entity, like the US isn't.

I am speculating / probably bullshitting from here on:

When China joins the SDR at October 1, that's the biggest financial event of the year. We are talking about the IMF. If the DDOS tests are as alarming as Bruce wants us to believe that must have a good reason. I can't think of a better reason than a financial one (a racket).

What, except for "blowing up nukes/nuclear power plants" is the biggest impact an internet blackout can make? My monkey brain tells me it's not being able to make financial transactions. If that happens for a considerable period of time, right at the moment that China joins the SDR, it could result in a wave of panic. If this panic is widespread enough it could result in bank runs all over the world which leads to a collapse of the entire financial system.

The questions are who benefits from this and how do they benefit from the crash.

Clive Robinson • September 16, 2016 12:38 PM

@ B,

So please those with the same biased disposition who haven't chimed in yet: save the rest of us from another "waaaahh!!! Why did you rule out the NSA!?!? Waaaahh!!" comment.

First off, saying "same biased disposition" not only destroys your argument but kind of makes you look like a troll, something you might want to think about when next you post.

Secondly, as I've indicated many times before, the attribution problem is not resolvable, unless you have 100% vision over every link in the chain. As this is not possible even for the NSA all you are left with is "assumptions" or "hunches", none of which meets the "beyond reasonable doubt" bar. Worse, it usually does not meet the lesser "balance of probability" bar either.

Thirdly the "attribution game" in the US is most easily classified as at best a game of "follow the leader". First we had all the noise about "China APT" whilst wiser heads were pointing out other nations including Russia were at it. Now it's Russia's turn in the barrel, it will in due course be somebody else's turn at some point. However the most notable element is that the nation chosen for the attention at any given time has abundantly clear political overtones to do with how certain US Agencies perceive "foreign relations".

A simple examination of history shows that both China and Russia were doing what they were doing long before their turn in the barrel and will carry on regardless just the same during and after the US Gov has turned the spotlight on another "Axis of neo-evil".

It's fairly safe to predict that Iran or Similar on the US S41t list will be the next in the barrel. The only question that is really pertinent is which US entity will provide the lead for others to follow.

Meanwhile the earth will keep turning, the sun will rise and set tomorrow and almost as assuredly everyone will carry on with their games regardless of who the US select next for barrel squatting. The only thing that will change is that more and more countries' ICs will develop their own cyber capabilities. Including the "Independent Republic of Tooting" that some kid in his back bedroom has decided now exists as a nation (or should do so).

Joe • September 16, 2016 1:45 PM

I can't see how taking down Verizon would take down the internet. Maybe if you took down all of the root name servers then you might take down some of the DNS system but most ISPs cache a lot of this data. The internet was designed to not have a single point of failure.

However if you had a botnet big enough you could repeatedly overwhelm a few key routes and trigger something like a BGP flood, that is how I would do it at least.

Joe

David Cameron • September 16, 2016 2:15 PM

Hmmmmm That sounds like going back to the 70s which were definitely the good ol' days. Sounds good to me.

r • September 16, 2016 5:55 PM

@Marcus Malo,

That's exactly right, it's the would burners tilting at the wind mills.

Grauhut • September 16, 2016 6:12 PM

@Gerard: I think China entering the SDR basket is a singular event already booked in.

Have a look at recurring worldwide financial events like the "triple witching hours" four times a year.

If some org manages to get the worldwide financial internetworked markets out of sync by lights out on such a day we would see real fun...

Clive Robinson • September 16, 2016 6:35 PM

@ r,

it's the would burners tilting at the wind mills.

Hmm "would burners" sounds like "witch finder generals" or "Spanish Inquisition" not a man on a broken-down old cart puller fighting the giants his befuddled old mind sees the mills as.

Marc • September 16, 2016 6:44 PM

Is part of the reason that a DDoS attack is impossible to block because the source IP addresses can be forged? If so, why is this even allowed?

If it was not allowed, then as a first step couldn't an attacked site at least cut off access from the country or countries where most of the attack was coming from? Just as a first step. And then proceed to block the routes which most of the attack was coming from?

Eventually, couldn't at least some source IPs be knocked offline by their ISP until they get a clean bill of health? Is this unrealistic?

r • September 16, 2016 7:50 PM

@Clive,

Two things, both this and I could do irreparable harm to the coming parables:

One, I saw a garfield comic when I was young that said "diet is die with a little t at the end."

Two, it could be all the peanut butter on my diet.

Third, we already know that I suffer from the overlapping problem of reading too much and at the same time not reading enough.

Should I leave well enough alone?

Maybe • September 16, 2016 7:51 PM

Could be manipulating traffic flow for the purposes of unmasking Tor users, by making packets drop on the destination end and watching for changes at the entry nodes.

r • September 16, 2016 8:14 PM

@Clove (Because we all know IT's true.)

Wood burners, depending on the perspective are a thing of the soon to be distant past. Not that they're entirely inappropriate in this day and age but we have better things... Wind mills for those who missed the @Sancho_Panza rant (of mine) is a reference to what P=NP would label as mouth-breathers. Ideas (and other unfortunate ventures) travel on the winds.

For the most part I'm of the camp that no idea is a bad idea, just like how guns don't kill people.

Jim • September 16, 2016 9:58 PM

DDoS can't completely be stopped because it can be the same as legitimate traffic, just a very big volume of it. Hitting refresh over and over again in your browser on a web page is like a very tiny DDoS in theory, though in practice each packet will be set with a fake source address and set to make the server respond with as many bytes as possible.

A reflection attack uses packets first sent to another server or resource first, but with each packet's original source set to the target's address, so that the first server thinks it is being asked to reply to the target, and amplifies and reflects the original requests as it does this. A NTP reflection attack works the same way, only it uses packets originally only a few bytes in size, reflected at time servers with a query that produces the largest possible amount of bytes for each reply.

DDoS is basically abusing normal operations of the internet so that servers produce very large amounts of data in response to very small queries. While pretending to be B, send 64 bytes to A, producing 64,000 bytes directed at target B.

Google for Work's online business mail, contacts and calendar service went down yesterday for many people, no word yet why, but also there were problems in some areas reaching their public DNS. A few different DNS services have been somewhat unresponsive for certain locations over recent days.
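As an added example that is not part of the thread or of Bruce's post: a small Python classifier over constructed flow records that applies the request/response pairing Jim describes, flagging a host that receives large replies from several NTP reflectors it never queried (the spoofed-source case), and checking the 64-byte-in / 64,000-byte-out arithmetic from the comment. Addresses come from the RFC 5737 documentation ranges; the service-port table, the thresholds and the flow records are my assumptions.

```python
# Added example (not from the thread): spotting the reflection/amplification
# pattern in flow records from the victim's side of the link. All flow records
# below are constructed; addresses are from the RFC 5737 documentation ranges.
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports commonly abused as reflectors. NTP (123) is the one the
# comment names; the others are assumed entries used only to label flows.
REFLECTOR_PORTS = {123: "ntp", 53: "dns", 161: "snmp", 1900: "ssdp"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a router export would summarise it."""
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    packets: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def summarise_by_destination(flows):
    """Tally, per host, what it got back from reflector services versus what
    it asked them for.

    A request is a flow whose *destination* port is a reflector port; a
    response is a flow whose *source* port is one. Pairing the two per host
    is what separates a client using NTP/DNS from a host being reflected at:
    the victim never sent the requests, the forged packets only carried its
    address, so it sees replies with nothing to match them against.
    """
    stats = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0,
                                 "reflectors": set(), "services": set()})
    for f in flows:
        if f.sport in REFLECTOR_PORTS:          # service -> host: a response
            s = stats[f.dst]
            s["response_bytes"] += f.bytes
            s["reflectors"].add(f.src)
            s["services"].add(REFLECTOR_PORTS[f.sport])
        elif f.dport in REFLECTOR_PORTS:        # host -> service: a request
            stats[f.src]["request_bytes"] += f.bytes
    return stats


def suspected_victims(flows, min_reflectors=3, min_factor=10.0):
    """Hosts receiving amplified responses from several reflectors at once.

    The ratio uses 1 byte as the floor so a host that sent *nothing* scores as
    fully unsolicited instead of dividing by zero. Returns tuples of
    (host, reflector count, observed ratio, services), largest ratio first.
    """
    out = []
    for host, s in summarise_by_destination(flows).items():
        ratio = s["response_bytes"] / max(s["request_bytes"], 1)
        if len(s["reflectors"]) >= min_reflectors and ratio >= min_factor:
            out.append((host, len(s["reflectors"]), ratio, sorted(s["services"])))
    return sorted(out, key=lambda r: r[2], reverse=True)


# Constructed sample: one well-behaved client, and one host on the receiving
# end of five NTP reflectors that each return 64,000 bytes it never asked for.
SAMPLE_FLOWS = [
    Flow("203.0.113.9", 40000, "198.51.100.1", 123, 48, 1),   # NTP request
    Flow("198.51.100.1", 123, "203.0.113.9", 40000, 48, 1),   # NTP reply
    Flow("203.0.113.9", 40001, "192.0.2.53", 53, 60, 1),      # DNS query
    Flow("192.0.2.53", 53, "203.0.113.9", 40001, 200, 1),     # DNS answer
] + [
    Flow(f"198.51.100.{i}", 123, "203.0.113.5", 123, 64_000, 130)
    for i in range(1, 6)
]

if __name__ == "__main__":
    print("64 bytes in ->", amplification_factor(64, 64_000), "x out")
    for host, n, ratio, services in suspected_victims(SAMPLE_FLOWS):
        print(f"{host}: {n} reflectors, {ratio:.0f}x unsolicited, {services}")
```

The legitimate client is not flagged because its replies pair with requests it sent and come from too few services to clear the reflector threshold.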

Jim N • September 16, 2016 10:17 PM

@ Gerard van Vooren

" If that happens for a considerable period of time, right at the moment that China joins the SDR, itcould result in a wave of panic. "

It's classic hump and dump, which is jacking up public expectations so interested parties can dump a substantial holding. The expectations that "internet" may (though may not) crash is enough to jack up expectations of the crash so any minimal selling triggers a vast selloff. We've seen this both ways over the course of the years both on the way up and down, but lately it touches home because the stockmeister game has been mostly involved with techs.

But let's not forget in order to profit, the actor needs to have access to a vast holding, and there are only a few players in the world big enough to realize your version of the "bullshit".

Jim • September 16, 2016 10:42 PM

I should add that Microsoft for instance tried changing their version of the command line CMD to limitthe maximum values of byte size and wait for response times in packets that could be sent to othersystems. Someone can just replace this modified CMD with an older or customised version if theywanted to though. I don't imagine many malicious actors would use a microsoft operating system fora DDoS anyway, unless there was some advantage for the particular goal they were trying toachieve.

Cloudflare provides DDoS mitigation for many online providers of content, including those annoyingCAPTCHA things if it appears you might be behind some kind of proxy or VPN. They keep increasingthe complexity of CAPTCHAs as bots increasingly become more capable of learning to read andrecognise how to defeat them.CAPTCHA aims to slow multiple requests from the same address inorder to beat or frustrate abuse like DDoS. Other mitigation strategies include gateways or firewallsconfigured to ignore or drop packets once they exceed certain thresholds.Attackers find new ways toslip past, abuse or mitigate such counter measures.

DDoS is generally a very unsophisticated attack, though on occasion you do see people capable of much more sophisticated DDoS attacks where only one actor using a single device can overwhelm comparatively quite large systems. It's still mainly aimed at knocking stuff offline or making it unavailable, or frustrating and occupying the time of administrators. It's unfortunately often hard to prevent, easy to execute, and if deployed by a skilled adversary can be impossible to trace.
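The threshold dropping mentioned in the comment above (forward packets until a source, or the port as a whole, exceeds a rate, then drop) can be shown with a small sliding-window filter. This is an added example and not code from the original post or from any vendor; the packet traces are constructed, and the per-source and aggregate limits are illustrative assumptions. It also shows the evasion hinted at in the comment: the same flood spread thinly over many source addresses passes a per-source limit untouched and is only caught by a limit on the whole port.

```python
"""Threshold-based dropping at an ingress point, per source and in aggregate.

Constructed packet traces (timestamp, source IP) stand in for a capture; the
limits are illustrative assumptions, not any vendor's defaults.
"""
from collections import defaultdict, deque

PER_SOURCE_LIMIT = 5     # assumed: packets per source per one-second window
AGGREGATE_LIMIT = 50     # assumed: packets per one-second window on the whole port


class ThresholdFilter:
    """Sliding one-second windows: one per source address, one for the port."""

    def __init__(self, per_source=PER_SOURCE_LIMIT, aggregate=AGGREGATE_LIMIT, window=1.0):
        self.per_source = per_source
        self.aggregate = aggregate
        self.window = window
        self.by_src = defaultdict(deque)   # src -> forwarded timestamps inside the window
        self.port = deque()                # all forwarded timestamps inside the window

    def _expire(self, q, now):
        # Discard timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def accept(self, ts, src):
        """True if the packet is forwarded, False if it is dropped."""
        q = self.by_src[src]
        self._expire(q, ts)
        self._expire(self.port, ts)
        if len(q) >= self.per_source or len(self.port) >= self.aggregate:
            return False
        q.append(ts)
        self.port.append(ts)
        return True


def run(packets, **limits):
    """Feed a trace through a fresh filter; return (forwarded, dropped) counts."""
    f = ThresholdFilter(**limits)
    forwarded = dropped = 0
    for ts, src in packets:
        if f.accept(ts, src):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def single_source_flood(n=200):
    """Constructed: one host sends n packets inside one second."""
    return [(i / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n=200, sources=100):
    """Constructed: the same n packets spread over many hosts (two each here)."""
    return [(i / n, f"198.51.100.{i % sources}") for i in range(n)]


if __name__ == "__main__":
    print("single source:", run(single_source_flood()))               # per-source limit bites
    print("distributed:", run(distributed_flood()))                   # only the aggregate limit bites
    print("distributed, no aggregate limit:", run(distributed_flood(), aggregate=10**9))
```

Two practitioner caveats follow from the code itself. The aggregate limit is what saves the port against a distributed flood, but it drops legitimate and hostile packets alike once reached, which is exactly the "bigger fire hose wins" problem the article describes. And the per-source table is itself a resource: every spoofed source address creates a new entry in `by_src`, so a real device has to bound that state (fixed-size hashed counters rather than a dictionary) or the filter becomes the thing that runs out of memory.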

Jim N • September 16, 2016 11:45 PM

@ yoshii,

"The US Government Establishment and/or its Attaché has already historically (within the recent 5-10 years) publicly acknowledged that it/they have technological interest and research in how to accomplish an "OFF SWITCH" for the Internet (DARPANET)."

As I remember, this was put forth by the POTUS in response to the "Arab Spring", which had withered into ISIS recruits accordingly. The Occupy Movement, no relation to ISIS, spurred a lot of discussions around civil liberty and disobedience, which the POTUS had mitigated well.

I think we see a lot of ex-Occupy participants in the Bernie camp, which is making a comeback, but ultimately Hillary is the better candidate for her party. It will be kind of interesting how this election plays out. I think Hillary will win if she isn't replaced.

Jim • September 17, 2016 2:08 AM

I have noticed a few people have complained lately that they couldn't access the internet in my local area, and I'm wondering if it was an equipment failure, maintenance work or some other problem. A few different DNS services were largely unavailable from my local area and I had to reconfigure systems and routers so people could connect to the internet normally.

The problem occurred across multiple ISPs, but a lot of the local infrastructure is owned by a single telco who sells wholesale access to other providers. For a couple of days at least, using a VPN was a simple solution without having to reconfigure my own routers and systems and then later have to reconfigure them again. Probably time to run a few network and performance tests again, as I haven't really needed to in a while.

A.Simmons • September 17, 2016 9:45 AM

> If it goes down, how many deaths and serious injuries can we project, aside from carpal tunnel?
>
> Right: Hardly any to none. So, let's take a deep breath and try to calm down.

Depends how long, how widespread and how comprehensive the outage was.

I'm afraid you have a slight failure of imagination if you think such an attack couldn't cause deaths. Consider: walk through the process that leads to a can of baked beans being on the shelves of your local supermarket. 20 years ago, those logistics and stock control systems would have run over leased lines, ISDN or whatnot. Nowadays... not so much. Run that thought experiment forward a week or two and I think you'd find the bodies starting to pile up more quickly than you might expect.

Ron Royston • September 17, 2016 10:49 AM

Verisign delivers "two of the Internet's thirteen root nameservers" and "also offers a range of security services, including managed DNS, distributed denial-of-service (DDoS) attack mitigation, and cyber threat reporting." ¹

DDoS attacks on DNS servers potentially take down Web traffic, not Internet traffic; Internet communication occurs without DNS via IP addresses, not domain names. The distinction is important.

DNS servers are identified by IP addresses which can be virtualized/shared/forwarded by machines in different continents at nearly the speed of light. DDoS ingress behavior can be detected by ISPs.

My name is Ron Royston. I am Cisco CCIE #6824 with over 17 years of network engineering experience. I have never heard of the author of this alarmist post. Technology fundamentals seem to be misunderstood and/or glossed over.

I would be happy to create a DDoS mitigation system for Verisign or anyone else, using commercially available systems or from scratch. My rates are very fair.

¹ Source Wikipedia

John Wayne's Evil Twin • September 17, 2016 11:30 AM

"I have never heard of the author of this alarmist post."

Not surprising, Ron, since he doesn't write too many articles for High Times.

Alex • September 17, 2016 11:57 AM

There are no details in this article, but a guess that Russia or China can be behind this, which is suspicious. Maybe the whole article is a lie? Who would benefit from accusing Russia or China? We all know.

ab praeceptis • September 17, 2016 1:05 PM

Ron Royston

"DDoS attacks on DNS servers potentially take down Web traffic, not Internet traffic; Internet communication occurs without DNS via IP addresses, not domain names."

Pretty much every piece of that statement is to be doubted or plain wrong.

Web traffic can perfectly well work by IP (without DNS), and often does. Internet communication can, often does, and usually *should* work through DNS. The credo you spread is bad engineering practice and a major factor in keeping us in IPv4. (Note: I'm no fan of IPv6, absolutely not, but I am a big fan of good engineering practice and of freedom, particularly the freedom to change a provider, to restructure an internal network, etc.)

The usual argument for that (what you write) is "performance" and (often) goes like this: "the communication itself costs ca. 30 ms single trip, but the name lookup costs 150 ms. I'm not gonna waste valuable time when I know the IP anyway!" and is BS.

Simple reason: DNS isn't performed for each packet but once up front. Moreover, virtually every layer involved has a cache of frequently used FQDNs/IPs. And, of course, the application usually performs the lookup only once in the first place.

Ignorant • September 17, 2016 3:58 PM

This I still don't understand: on almost all routers and switches, the operator knows the valid ranges of IP addresses on one side or the other. Yet no one seems to block the bad ones. Packets from Poughkeepsie should never come out of a router from China, no matter how traffic is routed.
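What the comment above describes is source-address validation at the network edge, standardised as BCP 38 (RFC 2827): a customer-facing port forwards only packets whose source lies in the prefixes assigned to that customer, and a transit port at least rejects sources that can never be valid. The example below is added here and is not code from the original post or from any router vendor; the interface names, prefix lists and packet trace are constructed.

```python
"""Source-address validation at a network edge (BCP 38 / RFC 2827).

Interfaces, prefix lists and the packet trace are constructed for the example.
"""
import ipaddress

# Constructed: customer-facing interfaces and the prefixes that may legitimately
# source packets through each of them (strict mode applies to these).
CUSTOMER_PREFIXES = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8:1::/48")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25")],
}


def _parse(src):
    try:
        return ipaddress.ip_address(src)
    except ValueError:
        return None                       # unparsable source address


def strict_ok(iface, src):
    """Strict mode (single-homed customer port): src must lie inside a prefix
    assigned to that interface; an interface with no prefix list forwards nothing."""
    addr = _parse(src)
    if addr is None:
        return False
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


def loose_ok(src):
    """Loose mode (transit port, where any prefix may legitimately arrive):
    drop only sources that can never be valid on the wire."""
    addr = _parse(src)
    if addr is None:
        return False
    return not (addr.is_unspecified or addr.is_loopback or addr.is_multicast
                or addr.is_link_local or addr.is_reserved)


def classify(packets):
    """Split a trace of (iface, src) into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for iface, src in packets:
        ok = strict_ok(iface, src) if iface in CUSTOMER_PREFIXES else loose_ok(src)
        (forwarded if ok else dropped).append((iface, src))
    return forwarded, dropped


SAMPLE_TRACE = [                          # constructed
    ("cust0", "192.0.2.10"),              # legitimate
    ("cust0", "203.0.113.9"),             # spoofed: not a cust0 prefix
    ("cust0", "2001:db8:1::beef"),        # legitimate IPv6
    ("cust0", "2001:db8:9::1"),           # spoofed IPv6
    ("cust1", "198.51.100.200"),          # spoofed: outside the /25
    ("cust1", "not-an-ip"),               # malformed
    ("transit0", "203.0.113.9"),          # acceptable on a transit port
    ("transit0", "127.0.0.1"),            # bogon: loopback
    ("transit0", "224.0.0.1"),            # bogon: multicast source
]

if __name__ == "__main__":
    fwd, drop = classify(SAMPLE_TRACE)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

Strict mode assumes the customer is single-homed and the path is symmetric; a multihomed customer whose traffic can arrive on either of two providers needs a prefix list derived from its announced routes, or falls back to loose mode. Those operational cases, plus the fact that the filtering network protects other people's victims rather than itself, are the usual reasons this is not deployed everywhere even though the check itself is this simple.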

Blarp • September 19, 2016 1:12 AM

Trashy sensationalism.

Ph • September 19, 2016 6:04 PM

@Ron Royston

"DNS servers are identified by IP addresses which can be virtualized/shared/forwarded by machines in different continents at nearly the speed of light."

Please have a read about how and why (security) root DNS works.
https://en.wikipedia.org/wiki/Root_name_server
http://root-servers.org/

Furthermore, you can mitigate all you want if your pipelines are filled and the entropy is large enough so no net-neutral ISP can filter it. You need mitigation AND big pipelines to stand a chance.

Last tip: boasting about not knowing Bruce only shows your inexperience, but you already admitted that, just over 17 years. Most experts have 30+ years and thus a solid understanding of the basics. (I do hope you know the EFF?)

Oh, and ab praeceptis is correct with his DNS explanation. Web traffic is Internet traffic (usually specific ports, but not strictly). DNS lookup is separate from the traffic. It only means an extra step if you give the application a name instead of a number.
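The exchange between Ron Royston, ab praeceptis and Ph above turns on the mechanics of name resolution: a lookup happens once per connection rather than per packet, the answer is cached for its TTL, a literal IP address involves no DNS at all, and when the DNS path is unreachable, clients keep working only until the cached record expires. The following is an added example, not code from the original post or from any of the commenters; the resolver is a constructed stub with a fixed answer table and an on/off switch, and the clock is injected so the timeline is deterministic and needs no network.

```python
"""Resolve a name once, cache for the record's TTL, then send everything by IP.

The resolver is a constructed stub (fixed answers, can be switched off to mimic
an unreachable DNS path); the clock is injected so the run is deterministic.
"""
import ipaddress


class ResolverDown(Exception):
    """Raised by the stub when the DNS path is unavailable."""


class StubResolver:
    def __init__(self, records):
        self.records = records   # name -> (ip, ttl_seconds), constructed
        self.up = True
        self.attempts = 0        # every query the client had to make, successful or not

    def lookup(self, name):
        self.attempts += 1
        if not self.up:
            raise ResolverDown(name)
        return self.records[name]


class CachingClient:
    def __init__(self, resolver, clock):
        self.resolver = resolver
        self.clock = clock       # callable returning seconds
        self.cache = {}          # name -> (ip, expires_at)

    def resolve(self, target):
        # A literal IP address involves no DNS at all.
        try:
            return str(ipaddress.ip_address(target))
        except ValueError:
            pass
        now = self.clock()
        hit = self.cache.get(target)
        if hit and hit[1] > now:                 # cached and still inside the TTL
            return hit[0]
        ip, ttl = self.resolver.lookup(target)   # one query; may raise ResolverDown
        self.cache[target] = (ip, now + ttl)
        return ip

    def connect(self, target):
        """One connection: name to IP once; every later packet is addressed by IP."""
        return self.resolve(target)


def simulate():
    """Timeline: 1000 connections in 60 s, DNS path lost at t=60, TTL expiry at t=300."""
    now = [0.0]
    resolver = StubResolver({"www.example.com": ("192.0.2.80", 300)})
    client = CachingClient(resolver, lambda: now[0])

    served = 0
    for i in range(1000):                 # a busy minute: one lookup serves all of it
        now[0] = i * 0.06
        client.connect("www.example.com")
        served += 1

    resolver.up = False                   # DNS becomes unreachable at t=60
    during_outage = 0
    for s in range(61, 300):              # cached answer still valid
        now[0] = float(s)
        client.connect("www.example.com")
        during_outage += 1

    now[0] = 300.0                        # TTL expired: a new query is needed and fails
    try:
        client.connect("www.example.com")
        failed_after_expiry = False
    except ResolverDown:
        failed_after_expiry = True

    by_ip = client.connect("192.0.2.80")  # literal address: unaffected by the outage

    return {"dns_attempts": resolver.attempts, "served": served,
            "during_outage": during_outage,
            "failed_after_expiry": failed_after_expiry, "by_ip": by_ip}


if __name__ == "__main__":
    print(simulate())
```

The run makes exactly two DNS attempts for 1239 connections: one that succeeds at the start and one that fails once the TTL has run out. That is the whole of both positions in the thread: the lookup is not a per-packet cost, and an outage of the name servers is invisible to established users until their caches expire, after which anything that reaches the service by name is stuck while anything that reaches it by address is not.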

bsos • September 19, 2016 10:09 PM

Interesting paranoid article: paranoids have a fatal tendency to look for the enemy in the wrong place.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.

