>The Aisuru DDoS botnet operates as a DDoS-for-hire service with restricted clientele; operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties. Most observed Aisuru attacks to date appear to be related to online gaming.
So why? Like why would someone pay to take a game down? I see this all over reddit with different games but I just don't get the point. What's the benefit of taking down an online game for a couple of hours?
denkmoon 19 days ago [-]
Mad salt. Imagine a fully grown man having a toddler tantrum. "If I can't play/win/get my way, nobody can" type mentality. It's also a method of coercion. Give me mod status or I'll DDOS your server and destroy your community.
The other half comes from server operators DDoSing their competition. There is a lot of money to be made from paid cosmetics, ranks, moderator (demi-tyrant) status, etc. on custom servers.
redwall_hp 19 days ago [-]
"Game servers" also doesn't just mean Timmy's Minecraft server. It's big commercial games.
Final Fantasy XIV keeps getting hammered, likely Aisuru, off and on since at least September.
That's correct! You've correctly interpreted the document -- they had 324.5 B yen total sales. FF14 is on page 11; it made 55.5B yen in sales and grew 8B yen YoY.
alickz 19 days ago [-]
>There is a lot of money to be made from paid cosmetics, ranks, moderator (demi-tyrant) status, etc on custom servers.
Anyone have any idea how much a 15 Tbps DDoS attack would cost?
Thousands of dollars? Tens of thousands?
hansvm 19 days ago [-]
Ballpark math says you could sustain it for half an hour on Hetzner for $5k-$6k (only from 1500 IPs though), at least if your account didn't get banned first and you're halfway decent at network programming. I have no idea what a proper botnet like this costs though or how large the profit margins are.
anamexis 19 days ago [-]
Isn't the idea behind botnets that no one is paying for the bandwidth, besides the unsuspecting random people who have fallen victim to malware?
I'd imagine the pricing is quite disconnected from the price of "legitimate" bandwidth. But I don't know in what direction.
ocdtrekkie 19 days ago [-]
Yeah I assume there's the initial startup cost of successfully managing to infect a large network of devices, and then the cost for any given use is likely "what customers will pay for it". If they are selecting out big money targets and focusing on gaming, I'm guessing the price isn't that high, but they also presumably know interesting a state actor in taking them down either by changing targets or bringing in enough money is bad for business.
lukan 19 days ago [-]
The idea is, the botnets are in control of someone else. Who "owns" them. And some of those will rent "their property" for money, like they would legitimately own them.
anamexis 19 days ago [-]
Ok, but that doesn’t change the fact that the price of renting them is completely disconnected from the price of bandwidth.
lukan 19 days ago [-]
Depends. The more the owners use their bots, or let others use their botnets, the more attention there is to them and the less useful the botnet is (either blacklisted IPs or owners noticing).
And a little bit of malicious bandwidth is easy to hide, a lot is not. So there is a price to bandwidth for the criminal owner.
anamexis 19 days ago [-]
Sure, but there’s still no link between what the botnet operator charges and what ISPs charge for bandwidth, that’s the point I’m trying to make.
Because the botnet operator is not paying for the bandwidth, directly or indirectly.
pixel_popping 19 days ago [-]
It's not exactly; it depends on the provider. Some services seem to display a cap on bandwidth usage.
weq 19 days ago [-]
Back in '98 I got a 100MB per download limit for $100 on my cable connection. I recall getting DoS'd by someone because I was an LPB bastard in Quake TF. They were kind though, only DoS'd me 90MB as a warning.... Years later, TF2 is getting DoS'd into oblivion and extorted by DDoS for hire. Some things change, some things stay the same.
SJC_Hacker 19 days ago [-]
I'm old enough to remember this site called kuro5hin, and how it folded a bit after it got DoS'd to death around 2000
fsckboy 15 days ago [-]
for those not old enough to remember, that's pronounced "corrosion"
asciii 19 days ago [-]
I'm wagering something cheap for individual with a lot of bitcoin or crypto laying around
brunoarueira 19 days ago [-]
In my childhood I had a colleague who, when he lost a match against me or my brother, got mad and threw the joystick on the ground.
baxtr 19 days ago [-]
Games continue beyond the Games themselves...
duxup 18 days ago [-]
When I moderated a busy gaming forum long ago my most horrifying discovery was how many users I thought were children ... were very much "adults" by age.
sabatonfan 19 days ago [-]
What you are saying fits perfectly well in minecraft communities.
Are you referring to the Minecraft community in your message, or to other gaming communities too?
Also just peacocking, being that skid on the forums that took down PlayStation on Christmas will get you cred.
Onawa 19 days ago [-]
It depends on the game, but for those with some kind of marketplace or transferable currency, I'm guessing market manipulation is one possible reason.
For other games, maybe trying to interrupt some time limited event or tournament. Going all the way down the rabbit hole, if you're not already familiar take a look at how crazy things get in a game like EVE: Online.
Then of course there are the bored trolls and/or people who feel wronged by the game's developers or other players.
arkh 19 days ago [-]
> What's the benefit of taking down an online game for a couple of hours.
Competitive MMO. Imagine some event is set up to start at some time and your guild or alliance knows they're gonna lose it and the resource it gives: DDoS the server so it's down during the event and it does not run. Enjoy the fact you kept the asset linked to said event and sell the resources you get for real money.
If you've never played those kind of games you cannot fathom how cutthroat they can become. I'm part of a guild which has a specific intelligence branch with spies embedded in many other guilds and that's playing nice because we're not selling anything.
razakel 19 days ago [-]
EVE Online had to put their foot down when people were talking about what could easily be considered terrorism.
littlestymaar 19 days ago [-]
Please tell us more, I need to hear the story!
razakel 19 days ago [-]
The story goes that they were talking about figuring out where someone lived and cutting the power to their house so their ship would be defenceless.
You might be taking a game a bit too seriously if the FBI show up to have a chat.
Shocka1 18 days ago [-]
My online gaming days are basically non-existent the last decade, but seeing stuff like this makes me want to make my comeback. The funny and bizarre stories I have from WoW...
manquer 19 days ago [-]
Probably it has to do with all the gambling sites associated with gaming not the games itself.
Taking a competitor offline for a few hours is a lot of money in a market business I expect.
There seems to be a lot of weird stuff going on with gaming casinos; the recent CoffeeZilla episode comes to mind, so I wouldn't be surprised if botnets are used.
iknowstuff 19 days ago [-]
They get banned for trolling, griefing, cheating, breaking rules etc. and want revenge. Every game operator has to deal with idiots like this
AmbroseBierce 19 days ago [-]
[flagged]
iknowstuff 19 days ago [-]
yeah bud if the person ends up ddosing I'm 100% certain their ban was justified lol
AmbroseBierce 19 days ago [-]
[flagged]
iknowstuff 19 days ago [-]
yes I've banned countless such assholes
water-your-self 19 days ago [-]
At the end of the day, at least for silly private servers, you are always welcome to build it yourself. Theres much to learn in doing that.
bstsb 19 days ago [-]
the ddos market has been somewhat centered around gaming for a while now, mainly to take down game server competition, or as an attempt to sell big players on "ddos protection" services.
I'd be using someone else's credit card for that...
kachapopopow 19 days ago [-]
during release one of the servers peaked at around 8gbps which is around 1000MiB/s which is $1/s which comes out to a - spits out coffee - 2.6million a month, seems perfectly reasonable?
c420 19 days ago [-]
I'm surprised no one has mentioned duping. Selling items and currency for real world money is big bucks and IME, server crashes reliably enable duping exploits.
Not saying that's the case in this particular incident though.
wnevets 19 days ago [-]
> So why? Like why would someone pay to take a game down?
esports gambling and winning tournaments is big business.
> During the Fortnite Championship Series finals, a pair of pro players may have utilized denial of service attacks to disadvantage contesters [1]
The results are very public, it's the same way IRC is often targeted. They're easy targets, thousands of users are affected and the results are immediately noticeable.
ZeWaka 19 days ago [-]
A game I work with got hit by ~10Tbps earlier this year. It's likely because someone got mad they were banned.
neilv 19 days ago [-]
A satisfying theory for a lot of DDoS would be extortion or protection rackets. Pay up or we will DDoS you, or pay up or 'someone else' will DDoS you.
That's enough to explain it. But if you wanted to go more full shadowy conspiracy theory, someone arranged for a protection service that just so happens to work by giving some entity cleartext surveillance over much of the internet. Perhaps as a response to HTTPS everywhere being annoying.
I'm not suggesting that's the situation, but that it's the kind of possibility to keep in mind, intellectually, and it would be consistent with history.
DANmode 18 days ago [-]
I like the “some entity” bit.
ddtaylor 19 days ago [-]
> So why? Like why would someone pay to take a game down? I see this all over reddit with different games but I just don't get the point. What's the benefit of taking down an online game for a couple of hours.
Most of the time crime groups are running extortion campaigns, amplification campaigns, etc. For example, if a competitor can benefit from them being down you may be able to sell that. Eventually we will probably see the invention of crowd-funded ransomware, where everyone must submit one verification can of crypto to unlock the hacked game servers.
Hnrobert42 19 days ago [-]
Extortion. You got a nice little game server there. Would be a shame if anything happened to it.
diath 19 days ago [-]
I'm not sure why you're being downvoted, this is literally what keeps happening to me. I run a couple private MMO servers, I regularly get hit with DDoS attacks and clowns like this guy DMing me to demand money to stop attacking my servers:
What is even more interesting why attack Azure? It's not possible to extort anything from Microsoft, so what's the rationale?
baby_souffle 19 days ago [-]
Misdirection. If I knock _you_ offline, it's not going to be that difficult for you to put together a probable suspects list with me on it.
If it's going to cost me about the same in terms of resources to target you and a bunch of other people colocated with you, it's a bit less obvious who launched it and why.
RajT88 19 days ago [-]
> targeting a specific public IP address
They weren't targeting Azure itself, per se, but some service which was hosted on Azure.
The IP address in question wasn't mentioned, so we're left to speculate what this was about.
markdown 19 days ago [-]
> It's not possible to extort anything from Microsoft
> They're thrilled to spend money to buy political favor whenever possible.
"Pay up or you'll have problems with the FCC/DOJ/etc."
Not saying it's unique to this admin.
fortran77 19 days ago [-]
Microsoft has succumbed to extortion recently.
andrecarini 18 days ago [-]
You have a Minecraft server. You generate money from it (selling VIP packages, et cetera). You could generate more money if you had more players. You can have more players if you consistently DDoS other more popular servers; the experience for these players will be horrible and they might give your server a chance.
vintermann 19 days ago [-]
It may be for market manipulation. It may be extortion against the owning company. It may even be to take down a rival online game for a while.
I don't expect the big publisher games like PUBG to attack each other with DDoS attacks, but casino games? Or even sleazy Minecraft servers? I can totally see it.
giancarlostoro 19 days ago [-]
Uh I used to get DDoSed by “booter” services whenever I would login to one of my Skype accounts. The script kiddie scene is that petty. In the private server scene one guy would DDoS competing servers that way everyone would funnel to his own.
It's just toxic behavior.
dahcryn 19 days ago [-]
Speculation online as to the why in this case: it's pure advertisement of their capabilities.
hobs 19 days ago [-]
Most of the time it's just blackmail/extortion - pay us or we do the thing.
wnevets 19 days ago [-]
> So why? Like why would someone pay to take a game down?
esports gambling is big business
jay_kyburz 19 days ago [-]
I've always imagined somebody will get pissed-off at me one day for banning them for bad behavior, or because I said something wrong online.
Andrex 19 days ago [-]
Gamers, am I right?
mattwad 19 days ago [-]
competitors might want to drive users to move away if they think a platform is broken
> it suddenly ballooned in size in April 2025 after its operators breached a TotoLink router firmware update server and infected approximately 100,000 devices
This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?
I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?
nine_k 19 days ago [-]
Why, OpenWRT firmware and packages are both signed, of course. You can manually and independently check the image signature before flashing an update.
The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.
This exchange is somewhat hilarious. Oh how on earth do we keep things safe and secure if everyone can see the code and verify what it does! Who would keep us safe if we turn our backs to unverifiable, unvetted, unprofitable security fixes, by for-profit companies!
teitoklien 19 days ago [-]
The biggest joke is most of the proprietary routers both consumer and enterprise grade often are running some old outdated version of custom tuned openwrt lol, this goes for tp-link, and everyone else almost.
fc417fc802 19 days ago [-]
> how on earth do we keep things safe and secure if everyone can see the code and verify what it does!
That's not always the silver bullet you seem to think it is. Have you ever tried to build something like Chromium, Firefox, or LLVM yourself? It's not realistic to do that on a mid tier let alone low end device.
Even when you go to the trouble of getting a local build set up, more often than not the build system immediately attempts to download opaque binary blobs of uncertain provenance. Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.
If projects actually took this stuff seriously then you'd be able to bootstrap from a sectorlisp and pure human readable source code without any binary blobs or network access involved. Instead we have the abomination that is npm.
pabs3 19 days ago [-]
Debian manages to build Chromium, Firefox, and LLVM on servers of multiple architectures, including quite slow riscv64 machines, without any network access to the builds for any architecture.
See Bootstrappable Builds for starting from almost nothing, so far only GNU Guix and StageX have worked out how to start from the BB work to get a full distro. Should be fairly trivial for other distros too if they cared.
For context, I once found a bug in Chromium and fixed it, the initial build took a few days on and off on my development laptop that was pretty beefy for the time. I say on and off because I had to interrupt the build if I wanted to do anything else computationally taxing. They have incremental builds and caches all properly set up so you can just continue where you left off after the fact. After the initial build it's pretty fast, 5 minutes or so per build for me. On a low end device you're easily looking at a build time of a week or more if you're starting from scratch.
Karliss 19 days ago [-]
LLVM isn't so bad compared to the browsers. Relatively standard CMake build with a mostly self-contained C++ codebase and few third-party dependencies. You don't need a crazy Threadripper workstation to do a build in reasonable time. A somewhat modern 8-16 core desktop CPU should be able to do it in 10-20 minutes or faster. Based on compilation benchmarks I have seen, even some 15-year-old 4-core CPUs or 5-year-old mid/low tier mobile CPUs do it in under an hour.
Most importantly you need to pay attention to RAM usage, if necessary reducing parallelism so that it doesn't need to swap.
elAhmo 19 days ago [-]
> You can manually and independently check the image signature before flashing an update.
Of course you can. You can also read the ToS before clicking accept, but who does that?
baobun 19 days ago [-]
I'm sure there are dozens of us.
DANmode 18 days ago [-]
Ever since that one game with the soul-surrendering clause in the EULA, I read it all now, heh.
antonvs 19 days ago [-]
People who don't want to find themselves inadvertently participating in a botnet.
tetha 19 days ago [-]
Bit-Reproducible infrastructure could also result in some of the wildest build distribution architectures if you think about it. You could publish sources and have people register like in APT mirrors to provide builds, and at the end of the day, the build from the largest bit-equal group is published.
I do see the Tor-Issue - a botnet or a well-supplied malicious actor could just flood it. And if you flip it - if you'd need agreement about the build output, it could also be poisoned with enough nodes to prevent releases for a critical security issue. I agree, I don't solve all supply chain issues in one comment :)
But that in turn could be helped with reputation. Maybe a node needs to supply 6 months of perfect builds - for testing as well - to become eligible. Which would be defeated by patience, but what isn't? It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.
This combination of reproducible, deterministic builds, tests across a number of probably-trustworthy sources is quite interesting, as it allows very heavy decentralization. I could just run an old laptop or two here to support. And then come compromise hundreds of these all across the world.
smt88 19 days ago [-]
The distribution system you're describing exists and has been in use for decades. You just distribute the build using bittorrent.
cluckindan 19 days ago [-]
And if someone invests in having >90% of the peers offer a malicious file and serve DHTs matching that file?
smt88 19 days ago [-]
Torrent files are hashed, so it's exactly the same risk profile as the comment I was referring to. But generally hashing algorithms are collision-proof enough that what you're describing is basically impossible (requiring many years of compute time).
pabs3 19 days ago [-]
IIRC BitTorrent still uses SHA-1, which is becoming more problematic.
vhcr 19 days ago [-]
BitTorrent v2 uses SHA-256, but in any case SHA-1 is still second-preimage resistant. And the BitTorrent piece hashes are included in the .torrent file, so you would need to find a double collision.
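Worked example (added here by the editor; not code from any commenter or from BitTorrent itself): the piece-hash check vhcr and smt88 describe, modelled in Python. A .torrent pins one digest per piece (SHA-1 for v1, SHA-256 for v2; the real v2 format uses a Merkle tree over 16 KiB blocks, simplified here to a flat list), so a client accepts a piece from a peer only when it hashes to the pinned value. The payload, the tiny piece length and the peer copies are all constructed for the demo, which also shows why a swarm that is 90% malicious still cannot push a tampered file onto a client that has the genuine .torrent.

```python
import hashlib

PIECE_LEN = 16   # constructed: tiny piece size so the demo is readable; real torrents use 16 KiB or more

# Constructed payload, 87 bytes -> 6 pieces at PIECE_LEN = 16
GENUINE = b"firmware-image-v1.2.3: " + bytes(range(64))


def split_pieces(data: bytes, piece_len: int = PIECE_LEN):
    return [data[i:i + piece_len] for i in range(0, len(data), piece_len)]


def make_torrent(data: bytes, piece_len: int = PIECE_LEN) -> dict:
    """Model of what the .torrent file pins: one hash per piece (SHA-1 for v1, SHA-256 for v2)."""
    pieces = split_pieces(data, piece_len)
    return {
        "piece_len": piece_len,
        "v1_pieces": [hashlib.sha1(p).digest() for p in pieces],
        "v2_pieces": [hashlib.sha256(p).digest() for p in pieces],
    }


def failing_pieces(data: bytes, torrent: dict, version: int = 2) -> list:
    """Indexes of pieces in `data` that do not match the .torrent; an empty list means accept."""
    h, key = (hashlib.sha1, "v1_pieces") if version == 1 else (hashlib.sha256, "v2_pieces")
    expected = torrent[key]
    pieces = split_pieces(data, torrent["piece_len"])
    bad = [i for i, p in enumerate(pieces[:len(expected)]) if h(p).digest() != expected[i]]
    # A truncated or padded file has a different piece count: every index in the gap is bad too.
    bad += list(range(min(len(pieces), len(expected)), max(len(pieces), len(expected))))
    return bad


def assemble_from_swarm(torrent: dict, peer_copies: list):
    """Piece-by-piece download: a piece offered by any peer is kept only if its SHA-256 matches."""
    plen, expected = torrent["piece_len"], torrent["v2_pieces"]
    out = []
    for i, digest in enumerate(expected):
        for copy in peer_copies:
            piece = copy[i * plen:(i + 1) * plen]
            if hashlib.sha256(piece).digest() == digest:
                out.append(piece)
                break
        else:
            return None   # no peer had a valid copy of this piece: stall rather than accept bad data
    return b"".join(out)


def tamper(data: bytes, index: int) -> bytes:
    """Flip one bit at `index`, standing in for a malicious peer's modified copy."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    torrent = make_torrent(GENUINE)
    evil = tamper(GENUINE, 40)                      # byte 40 lives in piece 2
    print("genuine fails:", failing_pieces(GENUINE, torrent))          # []
    print("tampered fails:", failing_pieces(evil, torrent))            # [2]
    swarm = [evil] * 9 + [GENUINE]                  # 90% malicious peers, one honest peer
    print("assembled == genuine:", assemble_from_swarm(torrent, swarm) == GENUINE)   # True
    print("all-malicious swarm:", assemble_from_swarm(torrent, [evil] * 9))          # None
```

The attacker in cluckindan's scenario would need, for each piece they change, a second preimage under the pinned hash; flooding the DHT with copies only decides which peers the client asks, never which bytes it keeps. What the .torrent file cannot protect is itself: if the attacker can substitute the .torrent (or the info-hash the user fetches), the pinned digests are theirs, which is the same trust-anchor problem the build-server discussion above is about.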
HumanOstrich 19 days ago [-]
Sounds overly complex and completely unnecessary, like some kind of blockchain/defi scheme shoehorned onto distributed builds.
pabs3 19 days ago [-]
Reproducible isn't quite enough, you also need bootstrap from almost-zero binaries.
>It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.
It really wouldn't. You don't even need a powerful build server since you can mirror whatever someone else built. You can also buy / hack nodes of existing trusted people.
nunez 19 days ago [-]
> Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.
I have yet to experience a straight shot install or build of anything in an air gapped environment. Always need to hack things to make it work.
tempest_ 20 days ago [-]
I don't follow.
> run an army of security people
Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.
Botnets comprised of compromised routers are common, and commercial/consumer routers are a far juicier target than OpenWRT.
bigiain 19 days ago [-]
> They pay as little as humanly possible to cover their ass.
They probably spend more on the team who ends up writing the "We take your security very seriously" breach notification message than they do on "security people". At least until they get forced into brand-name external Cyber Security Consultants to "investigate" their breach and work out who they can plausibly blame it on that's not part of the C suite.
Aeolun 19 days ago [-]
> They pay as little as humanly possible to cover their ass.
It’s probably helpful that open source teams aren’t hampered by standards and 20 year outdated audit processes either.
sam_lowry_ 20 days ago [-]
This is exactly why OpenWRT has no unattended updates by default )
shoddydoordesk 20 days ago [-]
You are dismissing the seriousness of this. Their package manager is widely used. One would only need to compromise their build servers to wreak havoc.
Didn't they have a vulnerability in their firmware download tool like a minute ago?
The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded onto residential devices and forgotten about; it doesn't have professional sysadmins babysitting it 24/7.
Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.
jacobgkau 20 days ago [-]
I'm confused why you're so honed in on OpenWRT as a third-party open-source project here when the vulnerability you quoted (TotoLink) was the official firmware update server of a brand of devices.
Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.
danudey 19 days ago [-]
What's scary is that OpenWRT is a project created by people who wanted a better solution than what was out there, and are therefore largely driven by a desire to create a good product.
Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.
Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware, the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designate it as obsolete and unsupported as fast as possible to force more updates.
AnthonyMouse 19 days ago [-]
The disappointing thing is that the companies don't just ship the open source firmware on their devices from the factory. They rarely if ever have any marketable features the open source firmware doesn't -- it's more often the other way around -- and then you don't have a zillion unpatched devices when they decide to stop caring because the community continues to maintain the code.
sidewndr46 19 days ago [-]
The post is nothing more than "but what about security" meant to deflect away from the discussion at hand and towards OpenWRT
whatshisface 20 days ago [-]
As always, hundreds watch the open repositories, maybe one watches a company's build servers, if they're lucky. :-)
TylerE 20 days ago [-]
Hundreds watch, but how closely?
Plenty of stories of fairly major projects having evil commits snuck in that remain for months.
I could go on but I trust this is a sufficient number of examples.
pona-a 19 days ago [-]
Only two of these were actual malicious commits. Two others were malware inserted into the repositories (if Twitter could be thought of as a meta-repo), which is bad but not on the same scale.
dxxvi 18 days ago [-]
I wonder why no one has talked about who Jia Tan was. In my understanding, a few people already talked to that person. Now, did Jia Tan really vanish?
Quothling 19 days ago [-]
I recently had some issues getting one of our embedded devices to connect through passive FTP. Because the exact same device worked at a different site I knew it wasn't the device or its settings. Long story short, it turned out the problematic site hadn't been updating its routers, which meant they couldn't VPN passive FTP traffic. Anyway, we have literally thousands of those routers maintained by hundreds of different companies, who are mainly there to maintain the actual mechanical equipment and not the network. Turned out the site where the technicians updated things wasn't in the majority.
I'm in the process of getting the business to implement better security, and it's going better than you might expect. If it wasn't because having a plan for how to update your OT security is required to meet EU compliance, however, I doubt we would've done anything beyond making sure we could do passive FTP when it was needed.
As an example, there are still no plans to deal with the OT which we know has built-in hardware backdoors from the manufacturers. Which is around 70% of our dataloggers, but the EU has no compliance rules on that...
immibis 20 days ago [-]
Digital signing wouldn't defend you from a compromised build server.
mbilker 19 days ago [-]
What in that act says OpenWrt would be made illegal? If anything, OpenWrt would roll out automated security updates for a supported branched release to comply with these regulations.
Also, if you actually read it, there are exceptions for open source software!
majorchord 19 days ago [-]
OP claims almost daily that some benign thing is actually illegal but practically never provides any useful proof when asked.
(please prove me wrong, Alex)
pabs3 19 days ago [-]
Reproducible Builds and multiple distributed builders would though.
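Worked example (editor's addition, not from tetha, pabs3 or any project): the "largest bit-equal group wins, and a builder needs a history of perfect builds before its vote counts" scheme tetha sketches upthread, and the "multiple distributed builders" pabs3 refers to here, as a small Python selection routine over reproducible-build digests. Builder names, reputation days, quorum and the artifact bytes are all constructed. The scenarios show that zero-reputation nodes cannot outvote established builders, and also the flip side tetha notes: enough compromised trusted builders can stall a release.

```python
import hashlib
from collections import Counter

# Constructed artifacts: what a correct reproducible build emits, and a build with an implant added.
GENUINE_ARTIFACT = b"demo-router-image: deterministic build output\n"
TAMPERED_ARTIFACT = GENUINE_ARTIFACT + b"<implant>"

# Constructed builder pool. Reputation = days of bit-identical, test-passing builds submitted so far.
REPUTATION = {"alice": 400, "bob": 365, "carol": 200, "dave": 190,
              "mallory-1": 0, "mallory-2": 0, "mallory-3": 0}


def artifact_digest(artifact: bytes) -> str:
    """Reproducible builds compare outputs by digest, not by who built them."""
    return hashlib.sha256(artifact).hexdigest()


def select_release(reports, reputation, min_reputation_days=180, quorum=0.67, min_builders=3):
    """
    reports: iterable of (builder_id, digest) as submitted by independent builders.
    Returns ("publish", digest) when one bit-equal group of eligible builders reaches quorum,
    ("hold", None) when no group does, or ("insufficient_builders", None) when too few voted.
    """
    eligible = {}
    for builder, digest in reports:
        if reputation.get(builder, 0) < min_reputation_days:
            continue                          # unproven node: report is recorded but carries no vote
        eligible.setdefault(builder, digest)  # one vote per builder, first report wins
    if len(eligible) < min_builders:
        return ("insufficient_builders", None)
    digest, support = Counter(eligible.values()).most_common(1)[0]
    if support / len(eligible) >= quorum:
        return ("publish", digest)
    return ("hold", None)                     # no bit-equal group is large enough: humans must look


def simulate(compromised=frozenset(), sybil_count=3, trusted=("alice", "bob", "carol", "dave")):
    """Constructed round: trusted builders report the genuine digest unless compromised;
    sybil nodes (no reputation) all report the tampered digest."""
    reports = [(b, artifact_digest(TAMPERED_ARTIFACT if b in compromised else GENUINE_ARTIFACT))
               for b in trusted]
    reports += [(f"mallory-{i}", artifact_digest(TAMPERED_ARTIFACT)) for i in range(1, sybil_count + 1)]
    return select_release(reports, REPUTATION)


if __name__ == "__main__":
    good = artifact_digest(GENUINE_ARTIFACT)
    print("honest pool:", simulate() == ("publish", good))                         # True
    print("50 sybils:", simulate(sybil_count=50) == ("publish", good))              # True
    print("one trusted compromised:", simulate(compromised={"dave"}))               # publish
    print("two trusted compromised:", simulate(compromised={"carol", "dave"}))      # hold
    print("lone builder:", simulate(trusted=("alice",)))                            # insufficient
```

The "hold" outcome is the denial-of-service tetha anticipates: poisoning half the eligible builders does not get a bad image published, but it does block the good one, so the quorum and reputation thresholds trade off safety against availability. As pabs3 says, reproducibility only pushes the trust question down a level; the digests still have to be taken from builders who bootstrapped from sources you trust.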
> by exploiting compromised home routers and cameras, mainly in residential ISPs in the United States and other countries,
Presumably it’s possible to log the residential IP of the source of these packets.
Why isn’t there any industry group pushing for the ISPs to a) send the owners an email telling them or b) blocking off all traffic for a period to get them to do something - or is the economic cost higher than caused by the DDoS attacks?
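Worked example (added by the editor; not from the commenter or any ISP's tooling): one way an ISP could pick out the subscribers whose CPE is sourcing an attack from per-subscriber flow export, as the question above assumes is possible. The flow records, the CGNAT (100.64.0.0/10) and documentation-range addresses, and the thresholds (2000 packets per second to a single destination, sustained over at least two one-minute windows) are all constructed for the demo; a real deployment would tune them against its own baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed flow export (NetFlow/IPFIX-style, one record per flow), all addresses from
# CGNAT and RFC 5737 documentation ranges. 100.64.1.10 hammers one host in two consecutive
# minutes; 100.64.1.12 bursts for one minute only; .11 and .13 are ordinary subscribers.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto,packets,bytes
2025-11-18T10:00:05Z,100.64.1.10,203.0.113.5,443,udp,180000,201600000
2025-11-18T10:00:07Z,100.64.1.10,198.51.100.20,53,udp,40,6400
2025-11-18T10:00:12Z,100.64.1.11,203.0.113.5,443,tcp,900,1080000
2025-11-18T10:00:20Z,100.64.1.12,203.0.113.5,443,udp,240000,268800000
2025-11-18T10:00:30Z,100.64.1.13,192.0.2.77,443,tcp,90000,13500000
2025-11-18T10:01:04Z,100.64.1.10,203.0.113.5,443,udp,175000,196000000
2025-11-18T10:01:15Z,100.64.1.11,203.0.113.5,443,tcp,850,1020000
2025-11-18T10:01:33Z,100.64.1.13,192.0.2.77,443,tcp,88000,13200000
"""


def parse_flows(text: str) -> list:
    """Parse the CSV export into dicts with an epoch timestamp and integer counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        rows.append({"epoch": int(ts.timestamp()), "src": r["src_ip"], "dst": r["dst_ip"],
                     "dport": int(r["dst_port"]), "proto": r["proto"],
                     "packets": int(r["packets"]), "bytes": int(r["bytes"])})
    return rows


def find_likely_bots(flows, window_s=60, pps_threshold=2000.0, min_windows=2) -> dict:
    """
    Flag a subscriber when its outbound packet rate to one destination exceeds pps_threshold
    in at least min_windows windows. Sustained single-target floods are the botnet signature;
    a one-window burst is recorded but not flagged, which keeps ordinary bursty traffic out.
    Returns {src_ip: {"dst_ip", "windows", "peak_pps"}}.
    """
    packets = defaultdict(int)                      # (src, dst, window) -> packets
    for f in flows:
        packets[(f["src"], f["dst"], f["epoch"] // window_s)] += f["packets"]

    hot = defaultdict(list)                         # (src, dst) -> [(window, pps), ...] over threshold
    for (src, dst, w), n in packets.items():
        pps = n / window_s
        if pps >= pps_threshold:
            hot[(src, dst)].append((w, pps))

    flagged = {}
    for (src, dst), hits in hot.items():
        if len(hits) < min_windows:
            continue
        peak = max(pps for _, pps in hits)
        if src not in flagged or peak > flagged[src]["peak_pps"]:
            flagged[src] = {"dst_ip": dst, "windows": len(hits), "peak_pps": peak}
    return flagged


def notification_list(flagged: dict) -> list:
    """Subscriber IPs to hand to the abuse desk, in a stable order."""
    return sorted(flagged)


if __name__ == "__main__":
    result = find_likely_bots(parse_flows(SAMPLE_FLOWS))
    for src in notification_list(result):
        info = result[src]
        print(f"{src}: {info['peak_pps']:.0f} pps to {info['dst_ip']} in {info['windows']} windows")
```

Two caveats a practitioner would add. First, the flow record names the CGNAT or subscriber address, so the ISP still has to map it to an account and a CPE before anything like the Dutch quarantine described in a reply below can happen. Second, per-subscriber outbound pps is cheap to compute from existing flow export, which is why the cost argument in this thread is about support calls and churn rather than detection.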
ramon156 19 days ago [-]
This already happens in the Netherlands, your router will be put in quarantine mode and you have to prove that the "virus" is gone
This happened to me, at the time I thought it was strange but seeing this event happen it makes a lot more sense now
mrits 19 days ago [-]
What percentage of the population would have any idea how to do this? How long does it take to go through the process? Is your work, education, and safety just put on pause during this phase?
NooneAtAll3 19 days ago [-]
Was the router not provided by your own ISP?
greazy 18 days ago [-]
In Australia you can BYO router-modem, which is generally better than those provided by the ISP.
matt-p 19 days ago [-]
The economic costs of that fall on the (residential) ISPs and they aren't really incurring very much cost in additional bandwidth from the outgoing attacks. In most cases it will be 0. It's not 'good', as it could affect quality to a certain extent for other subscribers and it's theoretically possible it could result in a slightly higher transit bill, but ultimately it's just not really a problem for them.
Setting up the infrastructure to email customers and tell them they've got an infected device is just going to cause the subscriber to:
A) Call customer support and tie up an agent who can't really tell them much - you're also going to have to train all your CS agents on these letters and what they mean.
B) Complain on faceybook/Churn off your network.
or
C) They'll ignore it
About one in a million will fix the issue themselves.
BeFlatXIII 19 days ago [-]
This is why we need an external rogue actor to send those notification emails without ISP consent.
seethishat 19 days ago [-]
Some of these devices are controlled by the ISP. The TMobile 5G routers for example are pretty much black box devices controlled by TMobile. The home owner can't fix the device and has very limited access (via a mobile app) to 'manage' the device.
phendrenad2 19 days ago [-]
I don't think there's a strong overlap between ISP-controlled black boxes and compromised botnet nodes. However, if there is, that just means that the ISPs should be partially held liable.
zoeysmithe 19 days ago [-]
This has always been the elephant in the room. imho, US intelligence don't want this so congress won't do it. Intelligence controls or buys these botnets when they need them, so regulation here is always impossible to push, but in other countries is more common.
ByThyGrace 19 days ago [-]
Hmm is there a haveibeenpwned for IP addresses found in botnets? Perhaps correlated at the time of known incidents.
I would like to know if I'm serving a rogue machine and not been paying attention.
mrweasel 19 days ago [-]
That industry group would need to include the big cloud providers, and they also don't want to shut off abusive traffic.
elorant 19 days ago [-]
Because then the ISPs have to provide support on how to secure those devices.
kwanbix 19 days ago [-]
I will say most of the time the ISPs themselves provide the routers at residential homes
elorant 19 days ago [-]
Sure, but if they now go out and say do this and that to secure them, a big portion of the users will have support issues. They don't understand the instruction, they pressed the wrong button, they entered the wrong value; all sorts of things could go wrong and the ISP has to dedicate resources to fixing it while they don't gain anything in return.
jon-wood 19 days ago [-]
Most routers shipped by ISPs have remote management enabled, they can be reconfigured by the ISP themselves without having to involve the end user in the process.
ulrikrasmussen 19 days ago [-]
Ironically I can't read this article due to the ongoing Cloudflare explosion.
jadbox 19 days ago [-]
I am surprised no one has mentioned that today is Microsoft's conference keynote.
johnisgood 19 days ago [-]
Yup, many links I have tried to access without success. Well, sucks to have such a centralized Internet.
Uptrenda 19 days ago [-]
Man, if you had that many nodes can you guys imagine how much cool tech you could build with that? Like you could literally rival Tor with one command. Or build a decentralized archive system. Yet, the only thing these nodes will end up doing is being used to prop up some losers ego. Literally what a waste. If you're going to commit crime at least do something cool.
GaryNumanVevo 19 days ago [-]
Most of the compromised devices are routers or IoT devices, functionally no compute power to do anything interesting except spam IPs with requests.
mgaunard 19 days ago [-]
You could easily get better performance with a pair of well-optimized high-density cabinets, much more reliable and not even that expensive to operate legitimately.
perfmode 20 days ago [-]
A DDoS attack is often used to distract a company's security team. While the security staff is scrambling to get the website back online, the attackers use the chaos to conduct a more serious, stealthy attack.
Aachen 19 days ago [-]
I don't doubt there will have been sporadic examples of this, but what points to this "often" being the case? It seems like a tactic that wouldn't often pay off, since DDoS mitigation rarely involves relaxing security systems
Mistakes can be made during reconfigurations but you'd have to catch those while the issue is still live. Sounds like an advanced threat actor and not the run of the mill ransomware people (not that they're necessarily unsophisticated, but why'd they bother with these odds when there's low-hanging fruit to reliably exploit)
mihaaly 19 days ago [-]
It was interesting to read that the record-breaking attack caused no glitch whatsoever in the service MS provides. Which is so slow normally that I start to wonder if that is a strategy, having headroom for these kinds of situations; no-one notices a slowdown when it is already slow. ;)
This is just a crazy thought, tangential to what is happening during an attack.
RajT88 19 days ago [-]
There are many things which run well on Azure - built by companies with good dev teams.
or rather the slowness problems of MS have nothing to do with hardware or infrastructure limitations. You cannot just throw infra at a problem to mask poorly written code beyond a point.
bluedino 20 days ago [-]
IoT is just wave after wave of insecure devices. There's gotta be a better way.
rdtsc 20 days ago [-]
The "S" in IoT stands for "security".
N19PEDL2 19 days ago [-]
We need IoST!
Razengan 19 days ago [-]
Internet of Thingsecurity?
heresie-dabord 20 days ago [-]
> There's gotta be a better way.
Until then... There's gonna be a bigger wave.
tclancy 19 days ago [-]
You’re gonna need a bigger boat.
rconti 19 days ago [-]
I suppose ISPs could be more restrictive about which routers they allow their customers to use, but I'm not sure I'm a fan of further lockdown in that department.
mghackerlady 19 days ago [-]
I doubt that would do much, most people don't even know they can use a non ISP provided router
rconti 19 days ago [-]
What do you mean "do much"? Wouldn't negatively impact users, or wouldn't help the botnet problem?
The article makes it sound like the issue is largely compromised routers and cameras -- and presumably cameras are less likely to be publicly-accessible to get compromised in the first place.
ISPs are able to update firmware on the routers they own, so it's my guess that it's customer-owned routers that are the main issue here.
kachapopopow 20 days ago [-]
fun fact, part of the reason this botnet exists is because Europe required the ability to install security updates unattended that you cannot disable, and they compromised one of the servers that had the capability to push these updates, compromising hundreds of thousands of routers.
cyberpunk 19 days ago [-]
That's really impressive finger pointing.
If the vendor can't even secure their update server; how long do you think it would be until some RCE on these 100k un-patchable routers gets exploited?
The only people to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...
kachapopopow 19 days ago [-]
the problem is that these laws just make the problem bigger - instead of having to compromise 100 thousand routers they can just compromise a single update server from a vendor that doesn't care about security.
the fallout is some companies losing their revenue: https://status.neoprotect.net/ and other headaches for people all over the world
LinXitoW 19 days ago [-]
But that's already true for most cases and devices. Most people using most devices let auto updates just happen.
And the other option isn't that much better, because "don't do autoupdates because maybe the update server is compromised" leads to a bunch of unsecured devices everywhere.
The only "real" solution is also completely unrealistic: Every private person disables auto updates, then reads the change log, downloads updates manually, and checks them against some checksum.
The better solution would be to simply increase fines until morale improves.
efreak 18 days ago [-]
I tried to read this page, but it keeps refreshing itself and resetting the scroll position to the very top. Since I'm on mobile, I can't do anything about this easily and it's worse because it takes longer to figure out where to scroll to to continue.
mmooss 19 days ago [-]
Or the law makes the problem smaller, by making the routers secure, and makes outcomes just, by penalizing the responsible companies.
kachapopopow 19 days ago [-]
ok, let's redo this: instead of routers it's an IoT device. The router protects the IoT device from direct access so it is secure from the majority of attack vectors - now an IoT device provider gets their server compromised and hundreds of thousands of IoT devices are now bots in a botnet due to the ability to forcefully push a security update.
mmooss 19 days ago [-]
I understand the risk, but the existence of risks doesn't mean they outweigh the benefits. Everything has risks.
kachapopopow 19 days ago [-]
I don't think it does outweigh the benefits; the real benefits would be punishing and/or banning vendors that do not secure their devices, since using laws such as "timely updates" just promotes them to include sloppy (insecure) implementations for pushing said updates just to do the bare minimum to comply with the law.
relevant law here: EU Cyber Resilience Act (CRA).
mmooss 19 days ago [-]
> I don't think it does outweigh the benefits
Fine, but that is the real discussion to have. Not 'it has this risk and therefore is bad'.
> banning vendors that do not secure their devices
I think the goal is to encourage positive behavior, not try to monitor everyone and evaluate their updates.
> promotes them to include sloppy (insecure) implementations for pushing said updates just to do bare minimum to comply with the law
I imagine the law is more than just one clause?
alphager 19 days ago [-]
That's just not true. I'm in Europe and all of my routers allow me to disable unattended updates and most don't enable it by default.
kachapopopow 19 days ago [-]
might be too old, my asus router updated and I could no longer disable updates, and you could just look up the relevant law here: EU Cyber Resilience Act (CRA) 2024.
While it doesn't make it mandatory, it does require patching devices in a timely fashion, which in other terms requires forced updates - pushing updated firmware is not enough if you read between the lines.
Even stronger requirements come into effect at the end of 2027.
Razengan 19 days ago [-]
Wait when was this?? Did it fly under the news??
kachapopopow 19 days ago [-]
it's one of the (i believe) hundreds (at this point) of zero-days that is used to build this botnet, at this point they are using funds that they get from selling this botnet to purchase new zero days
alpb 20 days ago [-]
Funny enough, just got an error trying to reach the blog
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
supportengineer 20 days ago [-]
I will never understand why there isn’t an international law enforcement agency with teeth, which can get rid of the bad actors.
dylan604 19 days ago [-]
Because every single nation would have to sign on to it allowing said agency to ignore sovereignty of each nation to come in and do their policing.
You'd also need to have every country not actively involved in these types of schemes yet we know some governments are directly benefiting from the scams/theft their citizens are perpetrating.
You'd also need to have every country think the things you want to police against are wrong. Again, we know that's just not true.
jazzyjackson 19 days ago [-]
How did we (USA) do it with copyright law?
potwinkle 19 days ago [-]
We didn't. The WTO copyright framework is a joke that only goes after sports rebroadcasting and people who watch Disney movies for free. Meanwhile every valuable piece of US science and industry has been replicated on the other side of the planet and used for great success.
robocat 19 days ago [-]
Because there were large corporations using their political clout to make it a number one issue for your administration.
Your administration then made copyright law changes a central goal of many agreements - essentially a non-negotiable requirement for say a trade agreement to proceed.
Y_Y 20 days ago [-]
The international organisation for stopping wars, human trafficking, money laundering, drug distribution etc. however capable they might be, haven't managed to stamp out any of those things.
I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
halapro 20 days ago [-]
> have something better than this wild west lawlessness.
Careful what you wish for. Before you know it you can't have an IP without your ID.
immibis 20 days ago [-]
This is already the case in Germany and many other countries. Same for phone numbers. On the other hand, I get no spam calls, and I can't access the sites on https://cuiiliste.de/domains - censorship is amazing.
fc417fc802 19 days ago [-]
If spam calls is the price I have to pay to avoid censorship then I'm okay with that. We need resilient decentralized protocols, not centralized authoritarian bodies.
bak3y 19 days ago [-]
Yes, surely the German government telling its people what to do has never gotten them in trouble in the past...
immibis 19 days ago [-]
what does any government do besides tell its people what to do, and cause inflation?
mmooss 19 days ago [-]
> The international organisation for stopping wars, human trafficking, money laundering, drug distribution etc. however capable they might be, haven't managed to stamp out any of those things.
They've never been expected to "stamp out" those things, any more than a city police department is expected to stamp out all crime and doctors are expected to stamp out all illness. Their mission is to reduce those things:
For warfare, they have been extremely successful relative to human history. War has actually become taboo and illegal, and very few happen. Look at history before the UN - it's a miracle. Think of the vision and confidence of people who, looking at 10,000 years of human history, immediately after two world wars, thought it was even possible, came up with effective strategy, did the hard work, and accomplished it.
I don't know the details of the other fields.
> I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Politics and funding, and corruption, come with every human institution over a certain size, and especially with governments which can't exclude undesirable people: Democratic governments are the least corrupt, but if the people elect a corrupt representative or executive, then nobody can kick them out (unless they commit prosecutable crimes). And now imagine an association or confederation of governments, which is what the UN is.
So yes, the goal is to make something better. Otherwise, we might as well quit on everything.
c0balt 20 days ago [-]
> putative UN NetWatch
But who will suppress attempts to go beyond the blackwall then?
dingnuts 20 days ago [-]
[dead]
Aurornis 20 days ago [-]
International DDoS busts and arrests do happen all the time.
Law enforcement takes time. The perpetrators of these attacks aren't hanging out in the open with their full names shielded only by the hope that their country won't extradite for political favor.
By the time the perpetrators are identified and a case is built, getting them charged isn't bottlenecked on the lack of an international agency. Any international law enforcement agency would be beholden to each country's own political wills and ideals, meaning any "teeth" they had would be no more effective than what we currently have for extraditing people or cooperating with foreign police organizations.
poszlem 20 days ago [-]
Perhaps because, in many cases, the very governments responsible for enforcing it include the bad actors themselves.
mihaaly 19 days ago [-]
Legal systems are so convoluted and so colossally heterogeneous - also very protective of their ways - around the globe that minuscule collaborations require grandiose efforts to initiate and maintain. No chance these fast-paced adversaries will be caught by the interplay of several dozens of reluctant dinosaur legal systems.
Tangential: once I was targeted by a pretty primitive scam. More than 10 years ago (after someone I love was naive and inexperienced, having a medium amount stolen in a sensitive and stressful time of this person's life). I recognised it fast and, having time and will, I started to play along, pretending I bit the bait. Collecting info while acting. In parallel, trying to contact local and international authorities to report an ongoing scam effort. I believe I tried 4 organizations in 3 different countries apparently involved, I believe one was dedicated to online scams, also trying to warn Western Union that they were about to be used for a scam. I even went personally to a police station locally to get some advice on how to assist in catching the criminals. Since all I encountered insisted that I report my damages, so they could start an investigation on an actual loss that happened, I furiously gave up and decided that whenever I am having financial trouble I will invest my efforts in scamming others. No-one cares about catching those in the act! So the thugs can be incredibly bold and dumb, like the one I encountered; it is no effort doing better.
sva_ 20 days ago [-]
Since this is a distributed attack, I'm not really sure what that enforcement would look like? Am I missing something, are all these bots/zombies easily selectable and blockable?
toast0 19 days ago [-]
Investigative powers should be able to at least find and seize the command and control servers, and hopefully track down people operating the command and control servers.
Some sort of international clearing house for ISPs to help identify and sequester compromised customers might be nice, too; but that doesn't need law enforcement powers; and maybe it already exists?
zipy124 19 days ago [-]
Because countries benefit from conducting cyber warfare; the most publicised of these are North Korea and Russia, which have large state-sponsored hacking groups.
bsder 19 days ago [-]
If we were all running IPv6, we could just block this crap.
But here we are in 2025 still running IPv4 with CGNAT, so we can't.
throwaway_ab 19 days ago [-]
Not sure how this would work, if you blocked those IPv6, the mostly innocent companies and people that are now blocked will be in short order getting a new IPv6 assigned by the ISP after a support call.
I was under the impression that these botnets still rely on vulnerable computers, which have a human that will be calling support asking for the issue to be resolved.
Then it needs an ISP to figure out the issue and ask the client to sort out their compromised computer, but unlikely the ISP will stop a paying customer from internet access especially if it's not clear why their original assigned IPv6 is blocked.
kundi 19 days ago [-]
What difference would it make?
bsder 19 days ago [-]
You can block the specific offending IPs without collateral damage.
CGNATs reuse IPs so any IP block rule fairly quickly becomes somebody else's IP that you shouldn't be blocking.
If, however, you use IPv6, you don't need CGNAT and, while addresses may change, a blocked address won't suddenly get recycled to an unsuspecting user. In addition, if the allocation is static, you can block the whole network range and the problematic devices can't change their allocation sufficiently to escape the IP block.
mrweasel 19 days ago [-]
While it would allow us to be more specific with the IPs, it would entail blocking 500.000 IPs, or more. That quickly becomes unmanageable as well.
What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline, until their system or behavior is fixed. Right now there's zero incentives to take customers offline, neither for ISP, nor cloud providers.
bsder 19 days ago [-]
> it would entail blocking 500.000 IPs, or more. That quickly becomes unmanageable as well.
Companies don't seem to have a tough time managing the blocks for all the various ranges of all the VPS providers to prevent you from using VPNs to access their services. Somehow, I don't think blocking 500,000 IPs is a technical problem.
I also suspect that once you start getting effective IP blocking, that 500,000 number will drop quite rapidly as it simply won't be so profitable to commandeer a device.
> What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline, until their system or behavior is fixed.
IPv4 CGNAT is part of that problem, too. Because of CGNAT, the offending IPs get "tumbled" and are more difficult to identify from outside the ISP. Consequently, it makes it difficult to punish the ISPs. Without IPv4 CGNAT, those IPs are more stable over time and can be identified outside the ISP boundary. If ISPs start losing customers because everybody in the universe has blocked various ranges, the ISPs will start blocking devices at origin.
morkalork 20 days ago [-]
I'm sure you could come up with at least few ideas why it hasn't happened
mkoubaa 19 days ago [-]
Those exist but they might have a different idea of what makes an actor bad than you and I. Just look at what happened to Julian Assange.
2OEH8eoCRo0 19 days ago [-]
What countries do you think these bad actors reside? Russia, China, Iran, and NK will wipe their ass with any law enforcement request.
kachapopopow 19 days ago [-]
the real reason why these are a problem in the first place is because of cgnat and transit providers not implementing flowspec.
but these bad actors are not possible to track down in the first place since the internet is unfortunately decentralized and things as simple as transactions submitted to the Bitcoin or Ethereum blockchain can be used as c&c
victorbjorklund 19 days ago [-]
do you really think for example America would allow say Chinese prosecutors to arrest Americans on American soil and take them abroad to sentence them in a court that America has no influence over and then throw them in a prison which America doesn’t control?
Aachen 19 days ago [-]
When the deed is illegal in both places, they can be tried under either jurisdiction and convicted instead of continuing to roam free and fuck up the open web for everyone else. Yes I do think we'd want that
Borders currently get in the way but we needn't have law enforcement on foreign soil to solve that. Exchanging information and reliably acting upon it could be all these agencies need to do in their respective countries. When this proves effective aside from crime states that have no interest in upholding even their own laws (since dual illegality would probably be a prerequisite for any of this), they may eventually find themselves increasingly cut off and distrusted until they, too, cooperate or self-isolate like NK
victorbjorklund 13 days ago [-]
you really think that U.S. would hand over U.S. citizens to, say, Venezuela for crimes that are illegal in both U.S. and Venezuela?
anonym29 19 days ago [-]
Bad news, implied criticism of CCP policy (by acknowledging you'd change it) is an imprisonable offense. You're under arrest for violating the laws of China. You are not granted a trial. A joint unit comprised of the Ministry of State Security and the FBI will be at your house to pick you up and fly you to a Chinese black site tomorrow morning.
fragmede 19 days ago [-]
That’s the cartoon version of China you’ve been trained to believe. I’m talking about dual illegality and cooperation between states. You’re talking about a fantasy mashup of MSS and FBI black sites. Not the same thing.
Who is going to elect and oversee them? I don't want to be governed by China or Russia.
m00x 20 days ago [-]
How would you even enforce this if the offending country doesn't agree?
dijit 20 days ago [-]
Limit their upstream connection to the rest of the internet via allied countries.
Literally the same as economic sanctions. The internet is a network of peers “trading” bits and bytes after all.
m00x 20 days ago [-]
This won't do anything. The attacks are not from the offending countries they're from botnets of compromised devices.
North Korea doesn't care if you limit their internet they already allow people to go outside their own.
dijit 20 days ago [-]
perfect, then we just nullroute at source with Flowspec, even if we change the goalposts a thousand times in this thread there does exist a technical solution to this problem.
Just not enough economic or political incentive to pay for it.
m00x 19 days ago [-]
It's not changing the goalpost. You're just describing a solution that is heavy-handed, yet incredibly easy to circumvent.
dijit 19 days ago [-]
> How would you even enforce this if the offending country doesn't agree?
> This won't do anything. The attacks are not from the offending countries they're from botnets of compromised devices.
> It's not changing the goalpost.
fuck off.
immibis 19 days ago [-]
America already limits its upstream to China and Russia through private companies such as Cloudflare and Spamhaus. It's often the case that for Chinese users seeking to escape censorship, once they've worked their way through the Chinese Great Firewall, they find themselves in front of the American one.
Drunkfoowl 20 days ago [-]
[dead]
miohtama 19 days ago [-]
It's in the national interest of China and Russia to see the West fail. Why would they co-operate? They are willing to murder people, Western and their own, so "law" enforcement means something a bit different in an international context.
tw1984 19 days ago [-]
Typical brainwashed view.
It is China's national interests to see a stable America that can continue to maintain the post WWII world order that benefited China so much for so long. Without the US, who is going to maintain peace in the middle east, Africa and other places? without such peace, how could China export its goods and services?
"West" != America.
Your claim also implies that China and Russia are operating on the same level. That is laughable at best - Russia is a failed rogue state with an economic size comparable only to a Chinese province, it is left behind in ALL modern tech and its military hardware is aging fast. It is the complete opposite of the path taken by China.
kjkjadksj 19 days ago [-]
The whole sentiment with that is china uptakes the mantle. It already is in terms of infrastructure investments, selling goods and arms, import and export agreements. The same neoliberal playbook that made the US what it is. Only from a much more focused regime with little in the way of internal division or even external threats at this point.
mkoubaa 19 days ago [-]
It is absolutely not in China's interest to see the West fail. This is propaganda
strangegecko 19 days ago [-]
China (or at least the CCP, I find the equivocation of the CCP with the country disagreeable) has had the desire or even need to get revenge for their "century of humiliation" for a long time.
They have a fundamentally different government and social model, basically a one person dictatorship that feels the need to micromanage and control their populace.
They absolutely love seeing democracy and businesses associated with it fail because it reinforces their perspective of the CCP model being superior and thus strengthens their perceived legitimacy (or even inevitability) of CCP control over China.
mkoubaa 19 days ago [-]
A rivalry, wanting to score points, wanting to gain standing at the expense of another, are all things that do not have much to do with wanting your opponent to collapse
0xbadcafebee 19 days ago [-]
> international law enforcement agency
You mean Team America, World Police?
Besides the fact that not much happens in the international public sector, law enforcement is more about deterrence than prevention. Criminals aren't deterred by law enforcement, so the bad actors never stop. Human nature's a bitch.
If they did focus on prevention instead, most of this could be... prevented. Create a treaty that mandates how critical infrastructure technology is created/sold. Consumer routers will stop being shit at security, and home devices are slowed-down in upstream spamming. That's a good chunk of the denial-of-service market gone, with no need to police the world.
...but the criminals are smart and intentionally avoid attacking the powerful, so nobody cares. Same reason organized crime still exists. It's poor people caught up in gang violence and crime, not rich people, so it persists.
trollbridge 20 days ago [-]
I mean, America can’t do anything about scam phone calls aimed at seniors who forge caller ID of local hospitals.
lossyalgo 19 days ago [-]
As alluded to by morkalork, they definitely could if they wanted to, as the (most? of the) rest of the world doesn't seem to have this problem. As long as spammers keep paying telecoms & no law(s) forbidding this exist, it will continue.
edit: grammar
toast0 19 days ago [-]
> As long as spammers keep paying telecoms & no law(s) forbidding this exist, it will continue.
That's the trick. A lot of countries bill calls to cell phones at 10 cents a minute; in the US, calling is near zero cost. The US makes a great market for scammers to target because of low operating costs, penetration of globally usable payment cards, minimal language diversity.
Of course, these scams are forbidden by law, but that doesn't change the economics. Very few scam shops get busted, especially when most of them run from outside the US. STIR/SHAKEN helps a bit, but not much... without an effective mechanism to report unwanted calls that leads to those callers being ejected from the network, as well as ejecting providers that are unresponsive to reports, there's not really hope of progress.
morkalork 20 days ago [-]
Can't or won't?
trollbridge 19 days ago [-]
I’ve decided there isn’t a difference.
Hikikomori 20 days ago [-]
America gonna allow someone else to regulate them?
discordance 19 days ago [-]
Who would they take orders from?
unnouinceput 19 days ago [-]
from those who pay them. They are a service for hire. you can hire them if you want and have the dough.
Thaxll 20 days ago [-]
Because it's not technically possible, I mean we're on HN, we all know how the internet works.
dijit 20 days ago [-]
You should talk to a network engineer before making claims like this. There are mechanisms to curtail DDOS attacks at origin.
For a few reasons (political, economical) there’s little will to enact them; these attacks are so few and far between and you can pay your way out of them in most cases, so the incentives aren’t there for ISPs (who are a commodity judged primarily on price and bandwidth)
m00x 20 days ago [-]
How exactly would you keep the origin from sending a command to a botnet?
dijit 20 days ago [-]
you don’t stop the message to the botnet, that’s impossible:
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to be rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole), which relies on community-tagged prefixes of addresses exceeding rate limits being blackholed from forwarding traffic further into the internet.
There are also things like flowspec, but a lot of things rely on proper trust between ASNs.
esseph 19 days ago [-]
It's not that simple and hasn't been for a while.
There's layer upon layer of relays now, and meshed C2C networks.
Lots of DNS fastflux too
Thaxll 19 days ago [-]
How do you know where it comes from, if they use UDP and change the src of the packets?
Fabricio20 19 days ago [-]
IP spoofing is pretty uncommon nowadays because everyone has anti-spoofing mechanisms in place and most ASNs often don't forward spoofed addresses outbound.
But as the sibling mentioned, even with spoofing, you can still follow the packet trail from your border routers upstream. I think the main thing we are lacking is just responsibility on the ISP side, if someone reaches out complaining that half of your customers are sending ddos attacks, maybe you need to do something about it. Most of these huge attacks are compromised routers or IoT devices (remember Mirai Botnet?).
esseph 19 days ago [-]
This is clearly not true, or the CAIDA anti-spoofer project wouldn't exist.
Just because SOME ASNs don't have it in place doesn't mean it's not uncommon. In the link provided, 80% of all tracked network blocks for ipv4 are blocking spoofing. Though they only track 1000 ipv4 /24 blocks and their data is highly biased towards having spoofable ranges, considering their end goal is identifying spoofable networks!
toast0 19 days ago [-]
The Microsoft blog suggests there was minimal source spoofing (although I don't know how they determine that). But if you can't trust the IP source, packet samples from your border router should indicate which upstream is sending those packets ... then you ask them to find the source... eventually you'll get somewhere ... but when the sources are distributed, it's not so helpful to find the source, unless there's a mechanism to stop the source from sending it.
When I was running servers that would routinely attract DDoSes at ~10 Gbps, I ended up always running a low sample rate packet capture. Anytime I noticed a DDoS, I could go and look at the packets. If you've got connectivity to sink and measure 15 Tbps of DDoS, you can probably influence your providers to take some sampled packet captures and look at them too.
Even without clear information from packet captures, 15 Tbps is going to make an impact on traffic graphs, and you can figure out sources from those, although it might be a bit tricky because the attack duration was reported at only 40 seconds, so if someone only has hourly stats, it might be too small to be noticed; but once a minute stats are pretty common.
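The two ideas in this subthread, dijit's "detect downstream, then signal the upstream with an RTBH community" and toast0's "keep a low-rate sampled capture and read the burst off the traffic graph", fit together into one small defender-side pipeline. The following is an added example, not code from Microsoft, from any commenter, or from any real collector: it scales constructed 1:1000 packet samples back up to bits per second, finds the buckets that jump well above the median rate (a 40 s burst in per-10-second buckets, the granularity toast0 says matters), attributes the window to an ingress upstream and to source /24s, counts distinct source ports per prefix (a large count means random source ports rather than a fixed reflector port), and prints the prefixes one would announce to an RTBH-capable upstream tagged with the well-known BLACKHOLE community 65535:666 from RFC 7999. The sample data, the sampling rate, the upstream names and the 20% share threshold are all assumptions; the addresses are documentation and benchmark ranges.

```python
import ipaddress
import random
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Well-known BLACKHOLE community (RFC 7999): an upstream that honours RTBH drops
# traffic for any prefix it learns from us tagged with it.
BLACKHOLE_COMMUNITY = "65535:666"
SAMPLING_RATE = 1000   # assumed 1:1000 packet sampling on the border router
BUCKET = 10            # seconds per traffic-graph bucket


@dataclass
class Flow:
    """One sampled packet header, as an sFlow/NetFlow-style collector would store it."""
    ts: int        # seconds since start of capture
    ingress: str   # which upstream the packet arrived from
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def constructed_samples(seed: int = 7) -> list[Flow]:
    """Constructed data, not a real capture: 120 s of ordinary traffic over two upstreams,
    plus a 40 s UDP burst towards one host arriving via transit-a from two source /24s
    (documentation/benchmark ranges) with random source ports."""
    rng = random.Random(seed)
    flows = []
    for ts in range(120):
        for _ in range(5):
            flows.append(Flow(ts, rng.choice(["transit-a", "transit-b"]),
                              f"198.51.100.{rng.randint(1, 200)}", 443,
                              "203.0.113.10", rng.randint(1024, 65535), "tcp", 1200))
    for ts in range(50, 90):
        for _ in range(200):
            net = rng.choice(["192.0.2", "198.18.1"])
            flows.append(Flow(ts, "transit-a", f"{net}.{rng.randint(1, 254)}",
                              rng.randint(1024, 65535), "203.0.113.10", 3074, "udp", 1400))
    return flows


def rate_per_bucket(flows: list[Flow]) -> dict[int, float]:
    """Estimated bits/s per bucket: each sample stands for SAMPLING_RATE packets."""
    bits = defaultdict(int)
    for f in flows:
        bits[f.ts // BUCKET * BUCKET] += f.nbytes * 8 * SAMPLING_RATE
    return {b: v / BUCKET for b, v in sorted(bits.items())}


def find_burst(rates: dict[int, float], factor: float = 5.0):
    """Return (start, end) covering the buckets above `factor` x the median rate, or None."""
    baseline = statistics.median(rates.values())
    hot = [b for b, v in rates.items() if v > factor * baseline]
    return (min(hot), max(hot) + BUCKET) if hot else None


def attribute(flows: list[Flow], start: int, end: int):
    """Break the burst window down by upstream and by source /24, and count how many
    distinct source ports each /24 used (a large count means random source ports)."""
    by_upstream, by_prefix, ports = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if start <= f.ts < end:
            prefix = str(ipaddress.ip_network(f"{f.src}/24", strict=False))
            by_upstream[f.ingress] += f.nbytes
            by_prefix[prefix] += f.nbytes
            ports[prefix].add(f.sport)
    return by_upstream, by_prefix, {p: len(s) for p, s in ports.items()}


def analyse(flows: list[Flow], share_threshold: float = 0.2) -> dict:
    """Locate the burst, name the upstream to call, and list the source prefixes that
    dominate it as RTBH candidates (prefix plus BLACKHOLE community)."""
    rates = rate_per_bucket(flows)
    window = find_burst(rates)
    if window is None:
        return {"burst": None, "peak_gbps": round(max(rates.values()) / 1e9, 2)}
    by_upstream, by_prefix, ports = attribute(flows, *window)
    total = sum(by_prefix.values())
    candidates = [
        {"prefix": p, "share": round(b / total, 2), "distinct_sports": ports[p],
         "announce": f"{p} community {BLACKHOLE_COMMUNITY}"}
        for p, b in sorted(by_prefix.items(), key=lambda kv: -kv[1])
        if b / total >= share_threshold
    ]
    return {"burst": window, "peak_gbps": round(max(rates.values()) / 1e9, 2),
            "upstream": max(by_upstream, key=by_upstream.get), "candidates": candidates}


if __name__ == "__main__":
    result = analyse(constructed_samples())
    print(f"burst {result['burst'][0]}-{result['burst'][1]}s, "
          f"peak {result['peak_gbps']} Gbit/s via {result['upstream']}")
    for c in result["candidates"]:
        print(f"  {c['announce']}  share={c['share']} distinct src ports={c['distinct_sports']}")
```

The median-based baseline is what makes the burst visible even though it occupies a third of the capture; a mean would be dragged up by the burst itself. Announcing a /24 rather than individual hosts is the usual RTBH compromise between precision and route-table churn, and it is also where mrweasel's and bsder's point about CGNAT bites: behind a carrier NAT the same /24 carries many unrelated customers, so the collateral of such an announcement has to be weighed before it is sent.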
SirMaster 20 days ago [-]
I heard it's a series of tubes.
daedrdev 19 days ago [-]
many countries sponsor these attackers
amelius 19 days ago [-]
Are these IP addresses available somewhere so I can check if I'm part of it?
DownGoat 19 days ago [-]
You can assume that you are part of it or another similar botnet if you have any IoT device exposed to the internet. You can use something like Shodan to see what your network looks like from the outside
sva_ 20 days ago [-]
I feel like posting the traffic output of the network might not be a great idea because they might do these attacks on purpose to market their network's capability.
codexon 19 days ago [-]
Why wouldn't microsoft advertise this though? If they had the ability to take the attack and others might not, then it'll result in more customers for them.
kachapopopow 20 days ago [-]
it's an open secret at this point, and attacks far larger than that are causing congestion world-wide from the time they wake up to the time they go to sleep.
bentt 19 days ago [-]
It took over 10 seconds to add a To-Do item to my Microsoft To-Do app. Apparently an item cannot be added until the server responds?
musicale 15 days ago [-]
> "These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement."
That seems fairly blockable.
Y_Y 20 days ago [-]
Cui bono?
There is a big (opportunity) cost to this kind of thing. How is this worthwhile for anyone? I assume that it's not just a competitor. Is it really worth <insert evil country>'s time to temporarily upset one of the three big cloud providers? Is there a ransom behind the scenes?
kachapopopow 20 days ago [-]
nope, there's really no cost to it - they've been hitting with attacks double or even triple the size towards random minecraft hosts for months now.
imglorp 20 days ago [-]
> it targeted a single endpoint in Australia.
It would really help to understand why attack one endpoint with "the largest DDoS attack ever observed in the cloud". If it was important, it would be redundant in its CDN. Who paid for this attack and what did they gain?
cookiengineer 19 days ago [-]
You are assuming that DDoS is signal. It's not, it's the noise.
The idea of DDoS for hire is to bury your own tracks in as much network requests as possible, so that the other side is overwhelmed processing (or even storing) that dataset and won't find out what the real target was.
That's literally the strategy of APT28/29.
kachapopopow 20 days ago [-]
we were getting hit with attacks like this daily at some point and were forced to use cloudflare magic transit. it's pretty random and you shouldn't read too deep into it as nearly every anti-ddos solution, host and isp has been hit with this botnet by now.
estearum 20 days ago [-]
but why? For fun?
toast0 19 days ago [-]
I used to run servers for a very popular service. I'm 99% sure people DDoSed our www for lolz and also to kick the tires on DDoS as a service vendors. We would get DDoS on a pretty regular basis, for exactly 90 seconds, +/- a few nodes that had bad clock sync and were 2 seconds off; which was exactly what you get from a free trial at DDoS as a service. I feel like we got a ransom request like once; but I can't remember if it actually corresponded to an attack, if it did, I don't think it was consequential.
Thankfully, it was almost always targeted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of udp reflection or tcp syn floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.
[1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.
Razengan 19 days ago [-]
> self-inflicted defects
is what I'll call bugs from now
Fabricio20 19 days ago [-]
As someone on the receiving end of these, I've yet to receive any explanation. Every other week we see the most basic of attacks against our infrastructure (http floods - GET / - for example), with no specific goal in mind and we never received any threats. I can only assume it's some disgruntled user or maybe a competitor, but it could also just be stray bullets. I don't know who used these IPs before us, though we've owned them for several years. Who knows.
kachapopopow 19 days ago [-]
likely cause here is carpet bombing
kachapopopow 20 days ago [-]
yep, there's no consistency to their actions - basically hit a target and keep it down for as long as possible causing heavy business loss. to my knowledge none of the target servers have ever received a ransom request.
executesorder66 19 days ago [-]
So that cloudflare can now MITM their HTTPS encryption. /s
ropable 19 days ago [-]
It's just a couple of local Aussie nerds beefing again. Simmo broke up with Jonno's sister via IM, so feelings were hurt.
BLKNSLVR 19 days ago [-]
Is Shazza single now? Bonza!
null_deref 20 days ago [-]
I don’t mean to cast any doubt, but are those short articles the standard, or why was there almost no data provided?
sammy2255 19 days ago [-]
Cloudflare eats that up for breakfast
isodude 19 days ago [-]
This did not age well!
averageRoyalty 19 days ago [-]
> This attack lasted only 40 seconds but was roughly equivalent to streaming one million 4K videos simultaneously.
Who is this for? Is there anyone reading the article that can't grasp what a terabit is but can somehow conceptualise one million 4K videos streaming simultaneously? I don't think anyone sits in that Venn diagram.
Hnrobert42 19 days ago [-]
Yeah. That falls in the same bin as number of Olympic swimming pools or distance to the moon.
The best, meaningful comparison I've read is from Bill Bryson in A Short History of Nearly Everything. In it, he notes that there are 1M seconds in 11 days but 1B seconds takes 32 years.
manquer 19 days ago [-]
A regular user would associate 4K with premium / expensive and difficult to use without better phones/network/plans/signal strength etc, so the idea would be to signal it is 1M times a somewhat challenging thing for them.
Non-tech savvy users know how live streams crash with sports like with Netflix recently during boxing etc or on Twitter last year and usually those come with some n Million users in kind of headlines or the like, so they have some reference to that scale.
As analogies go, there are worse examples. BleepingComputer is hardly the New Yorker or Atlantic, best we can hope for these days is a human is writing the article I suppose.
fishgoesblub 19 days ago [-]
I've always disliked the "it's like X amount of [resolution] video!!" Are we talking a UHD 4K Bluray? or 4K Netflix? or 4K YouTube? Bitrate is all that matters.
sunaookami 19 days ago [-]
Well I found it helpful for putting it into perspective.
drob518 19 days ago [-]
Impressive. Just reacting to the headline since the article is inaccessible.
akarve 19 days ago [-]
this link is now hammered because of cloudflare. hard day for the internets.
drcongo 20 days ago [-]
Imagine how much of that traffic was just the bots following the endless redirects.
siva7 20 days ago [-]
Those redirects would crash Azure, I'm betting a grand
elAhmo 19 days ago [-]
What can be the result of this?
Seems useless, you might make a dent but why?
mgaunard 19 days ago [-]
500k isn't even that many. Can probably rent that many IPs for a few grand.
esafak 20 days ago [-]
Is this Aisuru growing? How can it be dismantled?
SLWW 20 days ago [-]
Yes.
Only way is to secure your IoT devices/routers/cameras/etc.
esafak 20 days ago [-]
Through personal responsibility? That is not scalable; look at how many compromised devices there are. We need a better solution as an industry.
rollcat 19 days ago [-]
Yep. Manufacturers / distributors should be held responsible. Aligning the incentives is half the battle.
fch42 19 days ago [-]
A "do not connect to the cloud" physical flip switch on the IoT device is what I want. Where can I sign the petition for that?
rollcat 16 days ago [-]
A physical switch is extra BoM / cost, and doesn't make sense in the context of a networked device. Just make it LAN-first / LAN-only. Any Internet-enabled features should happen on the gateway, and be opt-in.
qiqitori 19 days ago [-]
Yes, need to protect Azure from those evil manufacturers.
catlikesshrimp 19 days ago [-]
Azure AWS and cloudflare will survive, then everything else will pay them for protection; when all of the internet is captive, they will lobby for regulation to reduce the costs.
It would be better to get the regulation set up before stronger gatekeepers are created
userbinator 19 days ago [-]
"a better solution as an industry" = "corporate authoritarianism"
I'd rather these attacks continue, than they not exist at all, because the latter is only possible in a world without any freedom.
YetAnotherNick 19 days ago [-]
> This attack lasted only 40 seconds
What's the point of this? Are they continuously running DDoS somewhere and 40 second is what the buyer paid for?
ACCount37 19 days ago [-]
"Look at how big of a botnet we have! Imagine all of that, but on the target YOU want to go down!"
It's how you do marketing, basically.
orbital-decay 19 days ago [-]
It's basically an ad.
aydyn 19 days ago [-]
> Aisuru is a Turbo Mirai-class IoT botnet
IoT botnet. Just read that again, we're literally inventing problems where none need to exist.
IoT adds basically null or negative value, except to nerds who like to think they're smarter than other people by consuming the latest e-slop.
It's all so tiresome.
ACCount37 19 days ago [-]
Most "IoT botnet" devices are Wi-Fi routers and IP cameras. Which are the two classes of IoT devices that provide undisputed value.
Maybe, just maybe, people aren't as stupid as you think they are?
aydyn 19 days ago [-]
Routers are generally not considered IoT devices. So your second sentence is kind of ironic.
nunez 19 days ago [-]
My Hue lights and vacuums would like a word!
dainiusse 20 days ago [-]
/sarcasm
Another ai crawler...
m00x 20 days ago [-]
Anthropic agent went a little haywire on the tool use
The Microsoft article reads like a corporate press release. The original link contained additional pertinent information and research which is good for discussion.
dang 19 days ago [-]
OK, I've swapped them back. Thanks!
The principles here are clear: we prefer the best third-party article to corporate press releases*, but at the same time we don't want blogspam (i.e. ripoffs that don't add anything interesting).
We really shouldn’t - this seems like perhaps one of the worst ideas one could propose in an era of rising authoritarian rule. Seems like a bad time to be putting silly restrictions on how folks route their traffic.
derwiki 20 days ago [-]
Tinfoil hat says it’s the gov’t doing it for those reasons /s
meowface 20 days ago [-]
I will disregard your cowardly "/s" and say: no, I bet it isn't.
TZubiri 19 days ago [-]
[flagged]
kachapopopow 20 days ago [-]
breaking the law by using wireguard to access my home network, hmm, great idea.
TZubiri 19 days ago [-]
Ok, I'll be a bit more specific, banning businesses and the trade of proxies that are purposefully marked as residential, in order to evade firewall blocks, and even to evade proxy blocks.
You gotta draw the line in the sand somewhere, VPNs are already morally dubious, but if you ban the most shady of VPNs, residential proxies, then you can at least guarantee service providers the right to deny service to proxy users, while allowing proxy users to use the proxy everywhere they are welcome in.
potwinkle 19 days ago [-]
But the botnets don't use VPNs, they use IoT devices owned by people who don't even know there's a computer inside. It seems like you just don't like the idea of VPNs in general and are using an unrelated attack to argue for deprivatizing (And thus, surveilling) the citizenry.
TZubiri 19 days ago [-]
Hey.
The way it works is that these pwned IoT devices sell themselves to paying customers as proxies. So the pwners are not the ones actually running the DDoS service/Ransomware distribution/malicious activities. Rather it's an economy where each malicious actor offers their specific service.
In this case IoT device pwners pwn the device, install a VPN server and place their devices on a marketplace where they charge cents per hour using cryptocurrency. Then whoever needs an anonymous IP address pays for a couple of hours of 10k ip residential addresses, and sends their traffic wherever they need to.
So both are true: DDoSers (and malicious actors in general) use pwned devices, but they also use VPNs
kachapopopow 19 days ago [-]
yah, but how else am I going to create millions of youtube accounts to spam sex bot ads >:(
on a more serious note, it's just not really possible since most residential proxy sites are botnets :)
jeroenhd 20 days ago [-]
Making them illegal seems far-fetched, but at this point something like email blacklists but for web services is becoming inevitable.
At the moment, that's what Cloudflare is doing. They're just not obvious enough, leading to people on forums (and here) asking "why do I constantly need to fill out captchas to enter websites".
teeray 20 days ago [-]
...and suddenly no one is allowed to VPN back through their home router.
rjdj377dhabsn 19 days ago [-]
How would that be enforced?
>The Aisuru DDoS botnet operates as a DDoS-for-hire service with restricted clientele; operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties. Most observed Aisuru attacks to date appear to be related to online gaming.
https://www.netscout.com/blog/asert/asert-threat-summary-ais...
Final Fantasy XIV keeps getting hammered, likely Aisuru, off and on since at least September.
https://na.finalfantasyxiv.com/lodestone/news/detail/6b56814...
I'd imagine the pricing is quite disconnected from the price of "legitimate" bandwidth. But I don't know in what direction.
And a little bit of malicious bandwidth is easy to hide, a lot not. So there is a price to bandwidth to the criminal owner.
Because the botnet operator is not paying for the bandwidth, directly or indirectly.
Are you mentioning the minecraft community by your message or any other gaming communities too
For other games, maybe trying to interrupt some time limited event or tournament. Going all the way down the rabbit hole, if you're not already familiar take a look at how crazy things get in a game like EVE: Online.
Then of course there are the bored trolls and/or people who feel wronged by the game's developers or other players.
Competitive MMO. Imagine some event is set up to start at some time and your guild or alliance knows they're gonna lose it and the resource it gives: DDOS the server so it's down during the event so it does not run. Enjoy the fact you kept the asset linked to said event and sell the resources you get for real money.
If you've never played those kind of games you cannot fathom how cutthroat they can become. I'm part of a guild which has a specific intelligence branch with spies embedded in many other guilds and that's playing nice because we're not selling anything.
You might be taking a game a bit too seriously if the FBI show up to have a chat.
Taking a competitor offline for a few hours is a lot of money in a market business I expect.
there seems to be a lot of weird stuff going on with gaming casinos; the recent CoffeeZilla episode comes to mind, so I wouldn't be surprised if botnets are used
well, gaming and Krebs's blog: https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...
https://www.cloudflare.com/en-gb/application-services/produc...
I'd be using someone else's credit card for that...
Not saying that's the case in this particular incident though.
esports gambling and winning tournaments is big business.
> During the Fortnite Championship Series finals, a pair of pro players may have utilized denial of service attacks to disadvantage contesters [1]
[1] https://fortnitetracker.com/article/1087/ddos-scandal-from-c...
That's enough to explain it. But if you wanted to go more full shadowy conspiracy theory, someone arranged for a protection service that just so happens to work by giving some entity cleartext surveillance over much of the internet. Perhaps as a response to HTTPS everywhere being annoying.
I'm not suggesting that's the situation, but that it's the kind of possibility to keep in mind, intellectually, and it would be consistent with history.
Most of the time crime groups are running extortion campaigns, amplification campaigns, etc. For example, if a competitor can benefit from them being down you may be able to sell that. Eventually we will probably see the invention of crowd-funded ransomware, where everyone must submit one verification can of crypto to unlock the hacked game servers.
https://abyss.diath.net/img/20251118055501688.png
If it's going to cost me about the same in terms of resources to target you and a bunch of other people colocated with you, it's a bit less obvious who launched it and why.
They weren't targeting Azure itself, per se, but some service which was hosted on Azure.
The IP address in question wasn't mentioned, so we're left to speculate what this was about.
lul wut?
https://www.businessinsider.com/trump-white-house-ballroom-d...
https://www.cnbc.com/2025/01/09/microsoft-contributes-1-mill...
"Boeing, Microsoft and Amazon among big donors to Biden’s inauguration"
https://www.seattletimes.com/seattle-news/politics/boeing-mi...
"Pay up or you'll have problems with the FCC/DOJ/etc."
Not saying it's unique to this admin
I don't expect the big publisher games like PUBG to attack each other with DDoS attacks, but casino games? Or even sleazy Minecraft servers? I can totally see it.
It's just toxic behavior.
esports gambling is big business
Cloudflare scrubs Aisuru botnet from top domains list - https://news.ycombinator.com/item?id=45857836 - Nov 2025 (34 comments)
Aisuru botnet shifts from DDoS to residential proxies - https://news.ycombinator.com/item?id=45741357 - Oct 2025 (59 comments)
DDoS Botnet Aisuru Blankets US ISPs in Record DDoS - https://news.ycombinator.com/item?id=45574393 - Oct 2025 (142 comments)
This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?
I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?
The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.
This is why bit-perfect reproducible builds are so important. OpenWRT in particular have that: https://openwrt.org/docs/guide-developer/security#reproducib...
That's not always the silver bullet you seem to think it is. Have you ever tried to build something like Chromium, Firefox, or LLVM yourself? It's not realistic to do that on a mid tier let alone low end device.
Even when you go to the trouble of getting a local build set up, more often than not the build system immediately attempts to download opaque binary blobs of uncertain provenance. Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.
If projects actually took this stuff seriously then you'd be able to bootstrap from a sectorlisp and pure human readable source code without any binary blobs or network access involved. Instead we have the abomination that is npm.
https://buildd.debian.org/status/package.php?p=firefox-esr
See Bootstrappable Builds for starting from almost nothing, so far only GNU Guix and StageX have worked out how to start from the BB work to get a full distro. Should be fairly trivial for other distros too if they cared.
https://bootstrappable.org/ https://guix.gnu.org/blog/2023/the-full-source-bootstrap-bui... https://stagex.tools/
Most importantly you need to pay attention to RAM usage, if necessary reducing parallelism so that it doesn't need to swap.
Of course you can. You can also read the ToS before clicking accept, but who does that?
I do see the Tor-Issue - a botnet or a well-supplied malicious actor could just flood it. And if you flip it - if you'd need agreement about the build output, it could also be poisoned with enough nodes to prevent releases for a critical security issue. I agree, I don't solve all supply chain issues in one comment :)
But that in turn could be helped with reputation. Maybe a node needs to supply 6 months of perfect builds - for testing as well - to become eligible. Which would be defeated by patience, but what isn't? It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.
This combination of reproducible, deterministic builds, tests across a number of probably-trustworthy sources is quite interesting, as it allows very heavy decentralization. I could just run an old laptop or two here to support. And then come compromise hundreds of these all across the world.
https://bootstrappable.org/
It really wouldn't. You don't even need a powerful build server since you can mirror whatever someone else built. You can also buy / hack nodes of existing trusted people.
I have yet to experience a straight shot install or build of anything in an air gapped environment. Always need to hack things to make it work.
> run an army of security people
Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.
Botnets comprised of compromised routers are common and commercial/consumer routers are a far juicier target than openwrt.
They probably spend more on the team who ends up writing the "We take your security very seriously" breach notification message than they do on "security people". At least until they get forced into brand-name external Cyber Security Consultants to "investigate" their breach and work out who they can plausibly blame it on that's not part of the C suite.
It’s probably helpful that open source teams aren’t hampered by standards and 20 year outdated audit processes either.
Didn't they have a vulnerability in their firmware download tool like a minute ago?
The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded on to residential devices and forgotten about, it doesn't have professional sysadmins babysitting it 24/7.
Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.
Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.
Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.
Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware, the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designate it as obsolete and unsupported as fast as possible to force more updates.
Plenty of stories of fairly major projects having evil commits snuck in that remain for months.
https://medium.com/@aleksamajkic/fake-sms-how-deep-does-the-...
https://blog.linuxmint.com/?p=2994
https://www.bleepingcomputer.com/news/linux/malicious-packag...
https://www.cnx-software.com/2021/04/22/phd-students-willful...
I could go on but I trust this is a sufficient number of examples.
I'm in the process of getting the business to implement better security, and it's going better than you might expect. If it wasn't because having a plan for how to update your OT security is required to meet EU compliance, however, I doubt we would've done anything beyond making sure we could do passive FTP when it was needed.
As an example, there are still no plans to deal with the OT which we know has built-in hardware backdoors from the manufacturers. Which is around 70% of our dataloggers, but the EU has no compliance rules on that...
Also, if you actually read it, there are exceptions for open source software!
(please prove me wrong, Alex)
https://reproducible-builds.org/
Presumably it’s possible to log the residential IP of the source of these packets.
Why isn’t there any industry group pushing for the ISPs to a) send the owners an email telling them or b) blocking off all traffic for a period to get them to do something - or is the economic cost higher than caused by the DDoS attacks?
This happened to me, at the time I thought it was strange but seeing this event happen it makes a lot more sense now
Setting up the infrastructure to email customers and tell them they've got an infected device is just going to cause the subscriber to: A) Call customer support and tie up an agent who can't really tell them much - you're also going to have to train all your CS agents on these letters and what they mean. B) Complain on faceybook/Churn off your network. or C) They'll ignore it
About one in a million will fix the issue themselves.
I would like to know if I'm serving a rogue machine and not been paying attention.
Mistakes can be made during reconfigurations but you'd have to catch those while the issue is still live. Sounds like an advanced threat actor and not the run of the mill ransomware people (not that they're necessarily unsophisticated, but why'd they bother with these odds when there's low-hanging fruit to reliably exploit)
This is just a crazy thought, tangential to what is happening during an attack.
https://trends.builtwith.com/websitelist/Microsoft-Azure
Plenty of crappy websites on the list too.
Until then... There's gonna be a bigger wave.
The article makes it sound like the issue is largely compromised routers and cameras -- and presumably cameras are less likely to be publicly-accessible to get compromised in the first place.
ISPs are able to update firmware on the routers they own, so it's my guess that it's customer-owned routers that are the main issue here.
If the vendor can't even secure their update server; how long do you think it would be until some RCE on these 100k un-patchable routers gets exploited?
The only people to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...
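As an added illustration of what "sign the firmware" and "fetch checksums from a different site" amount to in code (my example, not the commenter's and not any vendor's implementation), here is a minimal update-verification flow in Go using the standard library's Ed25519: the vendor signs a small manifest (version plus SHA-256 of the image) on its signing host, and the device checks the manifest signature against a public key baked into the firmware, rejects downgrades, and only then compares the downloaded image's hash. The manifest format, version numbers and the stand-in image bytes are constructed assumptions; the point is that a compromised image mirror cannot produce an image the device will accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small signed record the device fetches from a separate
// metadata channel (an assumption of this example), not from the image mirror.
type Manifest struct {
	Version   uint32
	SHA256    [32]byte
	Signature []byte // Ed25519 over manifestBytes(Version, SHA256)
}

// manifestBytes is the canonical byte encoding that is signed and verified.
func manifestBytes(version uint32, sum [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], sum[:])
	return buf
}

// SignManifest is the vendor-side step, run on the signing host, never on the device.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	sum := sha256.Sum256(image)
	return Manifest{Version: version, SHA256: sum, Signature: ed25519.Sign(priv, manifestBytes(version, sum))}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate is the device-side check. pub is baked into the running
// firmware at build time; installedVersion is read from the running image.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenarios runs the genuine update and three constructed failure cases and
// returns the verification result of each, keyed by scenario name.
func Scenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	image := []byte("constructed-firmware-image-v2") // stand-in for a flash payload
	installed := uint32(1)
	m := SignManifest(priv, 2, image)

	res := map[string]error{}
	res["genuine"] = VerifyUpdate(pub, installed, m, image)

	// The mirror serves a modified image: the manifest is fine, the hash is not.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	res["tampered_image"] = VerifyUpdate(pub, installed, m, tampered)

	// The manifest is edited to carry the modified image's hash, but cannot be re-signed.
	forged := m
	forged.SHA256 = sha256.Sum256(tampered)
	res["forged_manifest"] = VerifyUpdate(pub, installed, forged, tampered)

	// A validly signed older manifest is replayed: caught by the version check.
	old := SignManifest(priv, 1, image)
	res["rollback"] = VerifyUpdate(pub, installed, old, image)
	return res, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-16s -> %v\n", name, e)
	}
}
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, so neither the version field nor the hash is acted on until it is known to come from the vendor's key.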
the fallout is some companies losing their revenue: https://status.neoprotect.net/ and other headaches for people all over the world
And the other option isn't that much better, because "don't do autoupdates because maybe the update server is compromised" leads to a bunch of unsecured devices everywhere.
The only "real" solution is also completely unrealistic: Every private person disables auto updates, then reads the change log, downloads updates manually, and checks them against some checksum.
The better solution would be to simply increase fines until morale improves.
relevant law here: EU Cyber Resilience Act (CRA).
Fine, but that is the real discussion to have. Not 'it has this risk and therefore is bad'.
> banning vendors that do not secure their devices
I think the goal is to encourage positive behavior, not try to monitor everyone and evaluate their updates.
> promotes them to include sloppy (insecure) implementations for pushing said updates just to do bare minimum to comply with the law
I imagine the law is more than just one clause ?
While it doesn't make it mandatory, it does require patching devices in a timely fashion which in other terms: requires forced updates - pushing updated firmware is not enough if you read between the lines.
Even stronger requirements come into effect at the end of 2027.
You'd also need to have every country not actively involved in these types of schemes yet we know some governments are directly benefiting from the scams/theft their citizens are perpetrating.
You'd also need to have every country think the things you want to police against are wrong. Again, we know that's just not true.
Your administration then made copyright law changes a central goal of many agreements - essentially a non-negotiable requirement for say a trade agreement to proceed.
I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Careful what you wish for. Before you know it you can't have an IP without your ID.
They've never been expected to "stamp out" those things, any more than a city police department is expected to stamp out all crime and doctors are expected to stamp out all illness. Their mission is to reduce those things:
For warfare, they have been extremely successful relative to human history. War has actually become taboo and illegal, and very few happen. Look at history before the UN - it's a miracle. Think of the vision and confidence of people who, looking at 10,000 years of human history, immediately after two world wars, thought it was even possible, came up with effective strategy, did the hard work, and accomplished it.
I don't know the details of the other fields.
> I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Politics and funding, and corruption, come with every human institution over a certain size, and especially with governments which can't exclude undesirable people: Democratic governments are the least corrupt, but if the people elect a corrupt representative or executive, then nobody can kick them out (unless they commit prosecutable crimes). And now imagine an association or confederation of governments, which is what the UN is.
So yes, the goal is to make something better. Otherwise, we might as well quit on everything.
But who will suppress attempts to go beyond the blackwall then?
Law enforcement takes time. The perpetrators of these attacks aren't hanging out in the open with their full names shielded only by the hope that their country won't extradite for political favor.
By the time the perpetrators are identified and a case is built, getting them charged isn't bottlenecked on the lack of an international agency. Any international law enforcement agency would be beholden to each country's own political wills and ideals, meaning any "teeth" they had would be no more effective than what we currently have for extraditing people or cooperating with foreign police organizations.
Tangential: once I was targeted by a pretty primitive scam, more than 10 years ago (after someone I love was naive and inexperienced, having a medium amount stolen in a sensitive and stressful time of this person's life). I recognised it fast and, having time and will, I started to play along, pretending I bit the bait, collecting info while acting. In parallel I tried to connect local and international authorities to report an ongoing scam effort. I believe I tried 4 organizations in 3 different countries apparently involved, I believe one was dedicated to online scams, also trying to warn Western Union that they were about to be used for a scam. I even went personally to a police station locally to get some advice on how to assist catching the criminals. Since all I encountered insisted I report my damages, so they could start an investigation on an actual loss that had happened, I furiously gave up and decided whenever I am having financial trouble I will invest my efforts in scamming others. No-one cares about catching those in the act! So the thugs can be incredibly bold and dumb, like the one I encountered; it takes no effort to do better.
Some sort of international clearing house for ISPs to help identify and sequester compromised customers might be nice, too; but that doesn't need law enforcement powers; and maybe it already exists?
But here we are in 2025 still running IPv4 with CGNAT, so we can't.
I was under the impression that these botnets still rely on vulnerable computers, which have a human that will be calling support asking for the issue to be resolved.
Then it needs an ISP to figure out the issue and ask the client to sort out their compromised computer, but it's unlikely the ISP will stop a paying customer from internet access, especially if it's not clear why their originally assigned IPv6 is blocked.
CGNATs reuse IPs so any IP block rule fairly quickly becomes somebody else's IP that you shouldn't be blocking.
If, however, you use IPv6, you don't need CGNAT and, while addresses may change, a blocked address won't suddenly get recycled to an unsuspecting user. In addition, if the allocation is static, you can block the whole network range and the problematic devices can't change their allocation sufficiently to escape the IP block.
What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline until their system or behavior is fixed. Right now there's zero incentive to take customers offline, neither for ISPs nor cloud providers.
Companies don't seem to have a tough time managing the blocks for all the various ranges of all the VPS providers to prevent you from using VPNs to access their services. Somehow, I don't think blocking 500,000 IPs is a technical problem.
I also suspect that once you start getting effective IP blocking, that 500,000 number will drop quite rapidly as it simply won't be so profitable to commandeer a device.
> What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline, until their system or behavior is fixed.
IPv4 CGNAT is part of that problem, too. Because of CGNAT, the offending IPs get "tumbled" and are more difficult to identify from outside the ISP. Consequently, it makes it difficult to punish the ISPs. Without IPv4 CGNAT, those IPs are more stable over time and can be identified outside the ISP boundary. If ISPs start losing customers because everybody in the universe has blocked various ranges, the ISPs will start blocking devices at origin.
but these bad actors are not possible to track down in the first place since the internet is unfortunately decentralized and things as simple as transactions submitted to the Bitcoin or Ethereum blockchain can be used as C&C
Borders currently get in the way, but we needn't have law enforcement on foreign soil to solve that. Exchanging information and reliably acting upon it could be all these agencies need to do in their respective countries. When this proves effective, aside from crime states that have no interest in upholding even their own laws (since dual illegality would probably be a prerequisite for any of this), they may eventually find themselves increasingly cut off and distrusted until they, too, cooperate or self-isolate like NK.
for at least 6 months
https://www.bbc.com/news/articles/c785n9pexjpo
https://www.justice.gov/archives/opa/pr/new-york-resident-pl...
Literally the same as economic sanctions. The internet is a network of peers “trading” bits and bytes after all.
North Korea doesn't care if you limit their internet they already allow people to go outside their own.
Just not enough economic or political incentive to pay for it.
> This won't do anything. The attacks are not from the offending countries they're from botnets of compromised devices.
> It's not changing the goalpost.
fuck off.
It is China's national interests to see a stable America that can continue to maintain the post WWII world order that benefited China so much for so long. Without the US, who is going to maintain peace in the middle east, Africa and other places? without such peace, how could China export its goods and services?
"West" != America.
Your claim also implies that China and Russia are operating on the same level. That is laughable at best - Russia is a failed rogue state with an economic size comparable only to a Chinese province, it is left behind in ALL modern tech and its military hardware is aging fast. It is the complete opposite of the path taken by China.
They have a fundamentally different government and social model, basically a one person dictatorship that feels the need to micromanage and control their populace.
They absolutely love seeing democracy and businesses associated with it fail because it reinforces their perspective of the CCP model being superior and thus strengthens their perceived legitimacy (or even inevitability) of CCP control over China.
You mean Team America, World Police?
Besides the fact that not much happens in the international public sector, law enforcement is more about deterrence than prevention. Criminals aren't deterred by law enforcement, so the bad actors never stop. Human nature's a bitch.
If they did focus on prevention instead, most of this could be... prevented. Create a treaty that mandates how critical infrastructure technology is created/sold. Consumer routers will stop being shit at security, and home devices are slowed down in upstream spamming. That's a good chunk of the denial-of-service market gone, with no need to police the world.
...but the criminals are smart and intentionally avoid attacking the powerful, so nobody cares. Same reason organized crime still exists. It's poor people caught up in gang violence and crime, not rich people, so it persists.
edit: grammar
That's the trick. A lot of countries bill calls to cell phones at 10 cents a minute; in the US, calling is near zero cost. The US makes a great market for scammers to target because of low operating costs, penetration of globally usable payment cards, minimal language diversity.
Of course, these scams are forbidden by law, but that doesn't change the economics. Very few scam shops get busted, especially when most of them run from outside the US. STIR/SHAKEN helps a bit, but not much... without an effective mechanism to report unwanted calls that leads to those callers being ejected from the network, as well as ejecting providers that are unresponsive to reports, there's not really hope of progress.
For a few reasons (political, economic) there's little will to enact them; these attacks are so few and far between and you can pay your way out of them in most cases, so the incentives aren't there for ISPs (who are a commodity judged primarily on price and bandwidth).
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to be rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole), which relies on community-tagged prefixes of addresses exceeding rate limits to be blackholed from forwarding traffic further into the internet.
There’s also things like flowspec but a lot of things rely on proper trust between ASNs.
There's layer upon layer of relays now, and meshed C2C networks.
Lots of DNS fastflux too
But as the sibling mentioned, even with spoofing, you can still follow the packet trail from your border routers upstream. I think the main thing we are lacking is just responsibility on the ISP side, if someone reaches out complaining that half of your customers are sending ddos attacks, maybe you need to do something about it. Most of these huge attacks are compromised routers or IoT devices (remember Mirai Botnet?).
https://spoofer.caida.org/summary.php
When I was running servers that would routinely attract DDoSes at ~10 Gbps, I ended up always running a low sample rate packet capture. Anytime I noticed a DDoS, I could go and look at the packets. If you've got connectivity to sink and measure 15 Tbps of DDoS, you can probably influence your providers to take some sampled packet captures and look at them too.
Even without clear information from packet captures, 15 Tbps is going to make an impact on traffic graphs, and you can figure out sources from those, although it might be a bit tricky because the attack duration was reported at only 40 seconds, so if someone only has hourly stats, it might be too small to be noticed; but once-a-minute stats are pretty common.
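An added illustration of the two points above (sampled captures scale back to line rate and identify sources; a 40-second flood that dominates one-minute buckets nearly vanishes in hourly ones). This is example code written for this thread, not from the commenter; the 1:4096 sample rate, the traffic mix and the addresses are constructed.

```python
"""Sampled-capture DDoS triage: scale 1:N packet samples back to line rate,
bucket them at different granularities, and rank source prefixes in the peak."""
from collections import defaultdict
from ipaddress import ip_network

SAMPLE_RATE = 4096                  # assumed 1:4096 packet sampling (sFlow-style)
BASELINE_BPS = 1000 * SAMPLE_RATE   # one 1000-byte sample per second of normal traffic


def make_samples():
    """Constructed input: one hour of baseline traffic plus a 40-second flood from
    one /24 starting at t=1800. Each sample is (epoch_seconds, src_ip, wire_bytes)."""
    samples = []
    for t in range(3600):
        samples.append((t, f"203.0.113.{t % 200 + 1}", 1000))      # normal clients
        if 1800 <= t < 1840:
            for i in range(50):                                   # flood: 50 samples/s
                samples.append((t, f"198.51.100.{i % 250 + 1}", 1400))
    return samples


def bucket_bytes(samples, bucket_seconds):
    """Sum wire bytes per time bucket, scaled up by the sampling rate."""
    totals = defaultdict(int)
    for t, _src, nbytes in samples:
        totals[(t // bucket_seconds) * bucket_seconds] += nbytes * SAMPLE_RATE
    return totals


def peak_rate(samples, bucket_seconds):
    """Return (bucket_start, bytes_per_second) for the busiest bucket."""
    totals = bucket_bytes(samples, bucket_seconds)
    start, total = max(totals.items(), key=lambda kv: kv[1])
    return start, total / bucket_seconds


def top_sources(samples, start, end, prefix_len=24, limit=5):
    """Rank source prefixes by scaled bytes within the window [start, end)."""
    per_prefix = defaultdict(int)
    for t, src, nbytes in samples:
        if start <= t < end:
            net = ip_network(f"{src}/{prefix_len}", strict=False)
            per_prefix[str(net)] += nbytes * SAMPLE_RATE
    return sorted(per_prefix.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    s = make_samples()
    for b in (60, 3600):
        start, rate = peak_rate(s, b)
        print(f"{b:>5}s buckets: peak {rate * 8 / 1e9:.2f} Gbps at t={start} "
              f"({rate / BASELINE_BPS:.1f}x baseline)")
    start, _ = peak_rate(s, 60)
    print("top sources in peak minute:", top_sources(s, start, start + 60))
```

With these inputs the one-minute peak is roughly 48x baseline while the hourly figure is under 2x, which is why per-minute counters matter for short bursts.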
That seems fairly blockable.
There is a big (opportunity) cost to this kind of thing; how is this worthwhile for anyone? I assume that it's not just a competitor. Is it really worth <insert evil country>'s time to temporarily upset one of the three big cloud providers? Is there a ransom behind the scenes?
It would really help to understand why anyone would attack one endpoint with "the largest DDoS attack ever observed in the cloud". If it was important, it would be redundant in its CDN. Who paid for this attack and what did they gain?
The idea of DDoS for hire is to bury your own tracks in as many network requests as possible, so that the other side is overwhelmed processing (or even storing) that dataset and won't find out what the real target was.
That's literally the strategy of APT28/29.
Thankfully, it was almost always targeted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of UDP reflection or TCP SYN floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.
[1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.
is what I'll call bugs from now on
Who is this for? Is there anyone reading the article that can't grasp what a terabit is but can somehow conceptualise one million 4K videos streaming simultaneously? I don't think anyone sits in that Venn diagram.
The best, meaningful comparison I've read is from Bill Bryson in A Short History of Nearly Everything. In it, he notes that there are 1M seconds in 11 days but 1B seconds takes 32 years.
Non-tech-savvy users know how live streams crash with sports, like with Netflix recently during boxing, or on Twitter last year, and usually those come with "some n million users" kinds of headlines or the like, so they have some reference for that scale.
As analogies go, there are worse examples. BleepingComputer is hardly the New Yorker or Atlantic, best we can hope for these days is a human is writing the article I suppose.
Seems useless, you might make a dent but why?
Only way is to secure your IoT devices/routers/cameras/etc.
It would be better to get the regulation set up before stronger gatekeepers are created
I'd rather these attacks continue, than they not exist at all, because the latter is only possible in a world without any freedom.
What's the point of this? Are they continuously running DDoS somewhere and 40 seconds is what the buyer paid for?
It's how you do marketing, basically.
IoT botnet. Just read that again, we're literally inventing problems where none need to exist.
IoT adds basically null or negative value, except to nerds who like to think they're smarter than other people by consuming the latest e-slop.
It's all so tiresome.
Maybe, just maybe, people aren't as stupid as you think they are?
The Microsoft article reads like a corporate press release. The original link contained additional pertinent information and research which is good for discussion.
The principles here are clear: we prefer the best third-party article to corporate press releases*, but at the same time we don't want blogspam (i.e. ripoffs that don't add anything interesting).
* https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
You gotta draw the line in the sand somewhere. VPNs are already morally dubious, but if you ban the most shady of VPNs, residential proxies, then you can at least guarantee service providers the right to deny service to proxy users, while allowing proxy users to use the proxy everywhere they are welcome.
The way it works is that these pwned IoT devices sell themselves to paying customers as proxies. So the pwners are not the ones actually running the DDoS service/Ransomware distribution/malicious activities. Rather it's an economy where each malicious actor offers their specific service.
In this case IoT device pwners pwn the device, install a VPN server and place their devices on a marketplace where they charge cents per hour using cryptocurrency. Then whoever needs an anonymous IP address pays for a couple of hours of 10k residential IP addresses, and sends their traffic wherever they need to.
So both are true: DDoSers (and malicious actors in general) use pwned devices, but they also use VPNs.
on a more serious note, it's just not really possible since most residential proxy sites are botnets :)
At the moment, that's what Cloudflare is doing. They're just not obvious enough, leading to people on forums (and here) asking "why do I constantly need to fill out captchas to enter websites".