Friday, 15 February 2013

State sponsored attack: a howto guide

This NYTimes article pounding the drums of cyberwar is nonsense. There is no evidence that the DDoS attacks against the banks are state-sponsored.

We in the West are sophisticated and smart. When Muslims claim the offensive "Innocence of Muslims" video is state-sponsored by the U.S. government, we know their conspiracy theory is silly.

But we aren't that smart when it comes to "state sponsored hacks". We see cyber-bogeymen everywhere, from Chinese stealing state secrets, to Iranians attacking banks in retaliation over an offensive video. In every country, the government stokes fears of outsiders to further its own ends. There is no government that doesn't do this. For Muslim countries, Islam-hating America is their prime enemy. For America, Muslim terrorists are a hyped threat. In recent years, "cyber" has become a popular bogeyman as well. "Cyber" is the new Occam's Razor: it's the default explanation for everything.


A 70-gbps attack against banks is trivially easy for any individual.

What's new with this attack is that it doesn't come from a botnet of thousands of machines, but from a few data centers. This is an easy attack. Data centers have 10-gbps+ connections to the Internet and hundreds of vulnerable servers. Just run nmap or Nessus or any hacking tool targeting the data center, and you'll compromise several servers to run your attacks from.

Easier yet is simply running an exploit across the Internet (instead of against a single data center). Take the recent Ruby-on-Rails bug. Just go to Shodan, find a bunch of servers running Rails, and compromise them. Of those you compromise, take the ones with high-speed connections, and use them to do your DDoS attack.

Easier still is just renting VPS (virtual private servers) for $10 each for a month in data centers across the world, and using them to run your DDoS attacks. For $1000 for a month, you can easily create a 70-gbps attack. I guess $1000 is more than most individuals might want to pay, but it's not at the "state sponsored" level. It's more at the level of some rich dude giving a credit card to his son telling him "you and your friends, go have some fun".
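The distinction the post draws, a handful of high-bandwidth data-center sources versus a botnet of thousands of low-bandwidth hosts, is something a defender can measure directly from flow records, and it decides the mitigation (null-route a few prefixes versus rate-limit or scrub). The following is an added example, not code from the post or its author; the flow records are constructed sample data and the thresholds are assumptions, not figures from any real incident.

```python
from collections import Counter

# Constructed sample data: (source IP, bytes seen) over a fixed observation window.
# Five "rented server" sources pushing tens of GB each in ten seconds.
WINDOW_SECONDS = 10
DATACENTER_FLOWS = [
    ("198.51.100.10", 20_000_000_000),
    ("198.51.100.11", 18_000_000_000),
    ("203.0.113.5", 15_000_000_000),
    ("203.0.113.6", 12_000_000_000),
    ("192.0.2.77", 10_000_000_000),
]
# Two thousand synthetic botnet-style hosts sending 5 MB each in the same window
# (10.x.x.x addresses are placeholders; private space is used only to avoid real hosts).
BOTNET_FLOWS = [(f"10.{i // 256}.{i % 256}.1", 5_000_000) for i in range(2000)]

# Assumed threshold: if the ten busiest sources carry half the bytes, the attack
# is "few fat pipes" rather than "many thin ones".
TOP_N = 10
CONCENTRATION_THRESHOLD = 0.5


def profile_sources(flows, window_seconds):
    """Summarise who is sending: source count, aggregate rate, per-source rate,
    and how concentrated the volume is among the top senders."""
    per_src = Counter()
    for src, nbytes in flows:
        per_src[src] += nbytes
    total_bytes = sum(per_src.values())
    total_bits = total_bytes * 8
    n_sources = len(per_src)
    top = per_src.most_common(TOP_N)
    top_share = (sum(b for _, b in top) / total_bytes) if total_bytes else 0.0
    concentrated = top_share >= CONCENTRATION_THRESHOLD
    return {
        "sources": n_sources,
        "gbps": round(total_bits / window_seconds / 1e9, 2),
        "avg_mbps_per_source": round(total_bits / window_seconds / n_sources / 1e6, 2)
        if n_sources else 0.0,
        "top10_share": round(top_share, 3),
        "profile": "few-high-bandwidth-sources" if concentrated else "many-low-bandwidth-sources",
        # Mitigation hint a NOC would act on; block lists only work when sources are few.
        "suggested_mitigation": "filter/null-route source prefixes" if concentrated
        else "upstream scrubbing / per-source rate limits",
    }


if __name__ == "__main__":
    print(profile_sources(DATACENTER_FLOWS, WINDOW_SECONDS))
    print(profile_sources(BOTNET_FLOWS, WINDOW_SECONDS))
```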


The NYTimes claims:
"The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States."

This is a lie. I know of no competent security researcher who has been convinced this is the work of Iran's government. The only people who agree with that statement are those with something to sell, either pimping new government regulations or products. (If you are a competent researcher without a blatantly obvious conflict of interest, I'd love to hear your view).

This (the DDoS attack against banks) is something any security researcher I know can carry out in their spare time. It's foolish to believe, in the absence of specific evidence, that a nation state is involved.



Update: Below is the signup page for a VPS hosting service. For $10, you get a 30-day trial with unmetered bandwidth. Just grab a few of these from different companies and different data centers, and you can easily DDoS a target site.

I chose this because it's the first result for googling "VPS hosting". Googling "unmetered vps" gives a lot more results costing less than $10.

Seriously, you don't need any hacking skills whatsoever. Just go get some Visa/Amex gift cards from your local store, sign up for VPS hosting, and poof, 100-gbps DDoS attacks.



Update: There is likewise no evidence that this wasn't a state-sponsored attack. That the Iranian government sponsored this is perfectly plausible. The point of this post is to criticize the evidence. The proper thing to believe, given the evidence, is "we don't know", not that we know one way or the other.

Also, there is at least some sophistication to this attack. It's been going on for some weeks, implying some investment of time and resources. This implies a more skilled operator who has some experience overcoming whatever the defenders are doing to mitigate the attacks. You can start an attack by simply renting VPS machines, but it's hard to sustain it over time as defenders come after you and filter or disable your accounts. While a VPS provider claims "unmetered" bandwidth, they won't be happy when you are filling up their pipes.



Update: Here is a post that looks at the online identities of the group claiming responsibility for the attacks. There are a lot of links to Iran; they have more confidence it's government sponsored than I do.



Update: Here's a story from DarkReading about somebody discovering a compromised web server in the Iranian bank attacks. It was compromised because its password was set to "admin".



Update: Dan Goodin has a great article on this. He goes into great detail describing how this is a more sophisticated attack than I portray here. But, at the same time, he quotes the experts as saying "no evidence of state-sponsored attack". Also, he quotes the real experts, people from CloudFlare and Arbor who deal with these sorts of attacks every day and who have analyzed the details of the banking attack.
