I'm honestly kinda curious why nobody's blocking these IPs from sending data near the source.
Like, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
This is very challenging, in about one year the biggest recorded DDoS attack has increased from 5 Tbps to almost 30.
Almost all of the DDoS mitigation providers have been struggling for a few weeks because they just don't have enough edge capacity.
And normal hosting companies that are not focused on DDoS mitigation also seem to have had issues, but with less impact to other customers as they'll just blackhole addresses under larger attacks. For example, I've seen all connections to / from some of my services at Hetzner time out way more frequently than usual, and some at OVH too. Then one of my smaller hosting providers got hit with an attack of at least 1 Tbps which saturated a bunch of their transit links.
Cloudflare and maybe a couple of the other enterprise providers (Gcore?) operate at a large enough scale to handle these attacks, but all the smaller ones (who tend to have more affordable rates and more application-specific filters for sensitive applications that can't deal with much leakage) seem to be in quite a bad spot right now. Cloudflare Magic Transit pricing supposedly starts at around $4k / month, and it would really suck if that became the floor for being able to run a non-HTTP service online.
Something like Team Cymru's UTRS service (with Flowspec support) could potentially help to mitigate attacks at the source, but residential ISPs and maybe the T1s would need to join it, and I don't see that happening anytime soon.
I'd rather there be periodic DDoS attacks, than a locked-down highly-regulated internet. Don't forget that infamous Franklin quote, and what Stallman has been warning us about for the past few decades.
I can already see the authoritarians salivating every time something like this happens.
> “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
In the year 2025, we should understand that such devices are defective. They should become bricks and companies that continue to sell such defective merchandise should fail.
ISPs should be regulated to require alerting and disconnecting users with compromised devices.
Furthermore, device manufacturers should be regulated and held accountable for comprised devices. This also implies forbidding sale of noncompliant devices, which requires regulation of platforms and logistics supply chains to prevent counterfeit and dangerous goods from being sold.
19 comments
[ 4.4 ms ] story [ 43.4 ms ] threadLike, I can come up with plenty of possible reasons, and reasons why it could potentially be very bad if ISPs started cracking down on this, but I don't actually know any reasons.
Are any talking about why / why not? It seems like this whole insecure-IoT-device thing would probably dry up pretty quickly if people's internet was cut off when one was detected. They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem. Right now there's no reason for sellers to do anything at all to ensure security, afaict.
So... not actually arguing in favor of it, but definitely curious about any stated ISP / core networking system's stated reasons.
1) (Mainly) the huge increase in upstream capacity of residential broadband connections with FTTH. It's not uncommon for homes to have 2gbit/sec up now and certainly 1gbit/sec is fairly commonplace, which is an enormous amount of bandwidth compared to many interconnects. 10, 40 and 100gbit/sec are the most common and a handful of users can totally saturate these.
2) Many more powerful IoT devices that can handle this level of attack outbound. A $1 SoC can easily handle this these days.
3) Less importantly, CGNAT is a growing problem. If you have 10k (say) users on CGNAT that are compromised, it's likely that there's at least 1 on each CGNAT IP. This means you can't just null route compromised IPs as you are effectively null routing the entire ISP.
I think we probably need more government regulation of these IoT devices. For example, having a "hardware" limit of (say) 10mbit/sec or less for all networking unless otherwise required. 99% all of them don't need more than this.
* no default password * * no login if not on the local wifi or wired ethernet *
Almost all of the DDoS mitigation providers have been struggling for a few weeks because they just don't have enough edge capacity.
And normal hosting companies that are not focused on DDoS mitigation also seem to have had issues, but with less impact to other customers as they'll just blackhole addresses under larger attacks. For example, I've seen all connections to / from some of my services at Hetzner time out way more frequently than usual, and some at OVH too. Then one of my smaller hosting providers got hit with an attack of at least 1 Tbps which saturated a bunch of their transit links.
Cloudflare and maybe a couple of the other enterprise providers (Gcore?) operate at a large enough scale to handle these attacks, but all the smaller ones (who tend to have more affordable rates and more application-specific filters for sensitive applications that can't deal with much leakage) seem to be in quite a bad spot right now. Cloudflare Magic Transit pricing supposedly starts at around $4k / month, and it would really suck if that became the floor for being able to run a non-HTTP service online.
Something like Team Cymru's UTRS service (with Flowspec support) could potentially help to mitigate attacks at the source, but residential ISPs and maybe the T1s would need to join it, and I don't see that happening anytime soon.
That's nearly a pint, or over 2 daL!
I can already see the authoritarians salivating every time something like this happens.
Source: Server Owner's Chat
In the year 2025, we should understand that such devices are defective. They should become bricks and companies that continue to sell such defective merchandise should fail.
In other words, attacks coming from our own IP's are not our problem ¯\_(ツ)_/¯
Furthermore, device manufacturers should be regulated and held accountable for comprised devices. This also implies forbidding sale of noncompliant devices, which requires regulation of platforms and logistics supply chains to prevent counterfeit and dangerous goods from being sold.