Re: [tlug] Linode DDOS postmortem
- Date: Mon, 14 Mar 2016 12:13:07 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] Linode DDOS postmortem
- References: <56AECE22.7000405@l.u-tokyo.ac.jp> <56AE0721.3040306@fgs.eti.br> <20160313194750.GJ1347@telephonic.cynic.net>
Curt Sampson writes:
>>>>> Fernando G. Schwartz writes:

> > Many times "FBI" officials spoke about giving up trying to crack places
> > like Ukraine with just not enough international legislation and the
> > current affairs

"Current"?
http://www.amazon.co.jp/Why-Nations-Fail-Origins-Prosperity/dp/1846684307
Legislation will never be enough.

> > of corruption in such places.

> I don't really see how this applies; this sort of attack could
> easily be set up and controlled entirely from within the United
> States or any other country of your choice as well.

It could be, but other venues are more likely, I think. These botnets aren't script kiddie level. I suppose that somebody really pissed off at Linode as an individual could have done it. But I don't see how you could get away with it as a business model for long in the U.S. or Europe where police agencies (FBI, let alone NSA -- which might decide to do nothing, see below) now use epidemiological technology to track bot activity to source. Sure, you can keep moving, but these guys are basically lazy and motivated by money. Why hustle when you can pay a bribe? If you're willing to hustle like you were afraid of being busted, wouldn't you rather work for Google or Microsoft?

> On 2016-02-01 12:16 +0900 (Mon), Charles Muller wrote:
>
> > ...saying that the attacks were on a scale that could only be mounted
> > by a good-sized corporation, or even a state.
>
> Actually, my suspicion is that attacks on this scale are more likely
> to be non-state actors.

My suspicion is that the likelihood of a state actor depends on the target and situation. I don't see how Linode offends a state, but clearly their infrastructure was susceptible to attack. The only reasons to attack something because you can are because you're 13 and to extort money. (Rabies, too, I guess. That said, North Korea is hardly a state.)

> Keep in mind that the obvious and by far most effective
> infrastructure from which to stage these attacks is not groups of
> servers but a "botnet": PCs on the end of consumer Internet

s/PCs/anything with a CPU, including your refrigerator (joke, for now) and NTT's router (no joke, watch yourself Bubelle) and probably Apple watch, too/

> connections spread as widely over the world as possible. Building a
> botnet of any decent size is an extremely invasive and, in most
> countries, highly illegal process. Not that blatant illegality has
> ever stopped the NSA before,

When Benesse f**ked up, the cops went public, and Benesse started sending furikomi to people. I know at least two who received compensation. You ever heard of anybody who received compensation for having cycles stolen by an illegal botnet, or even a note that "your iPad was part of an illegal botnet and must be cleaned"? Me neither.

I wouldn't be surprised to find that China (or the NSA) has a network of putatively deactivated and currently infiltrated criminal botnets waiting to flip from black to white (or vice versa, if you're on the receiving end) like a Reversi game. The crooks can hardly complain "You stole my botnet!" By the same token, I bet the larger crooks go around suborning smaller crooks' (and each other's!) botnets.

Note that it's not as easy to conceal as a naive person might think. You need to distribute the C2 apps as well as the pawns, and (if it's a business model) you need to find clients. Lots of clients -- so you can't set up those pr0n sites on the "black" net, it's got to be at least grey. But if on the Internet no one knows you're a dog, how are they going to figure out you're actually K-9 come to infiltrate them?