Possible Vendetta Behind the East Coast Web Slowdown
bloomberg.com
For a long time, I've wondered what would finally be the Securitypocalypse, the thing that finally caused our industry as a whole to take security seriously. These IoT DDoS attacks are as good a candidate as any I've seen in a long time. They are fundamentally very difficult to fix in light of the non-updateability of many of these devices, and this is only the beginning, because the IoT has hardly begun to develop. And in the short-term, I'm not sure I see any hope, because the forces that make people throw out cheap devices with broken firmwares with no update capability aren't going away.
If we could somehow mandate that these devices were supported with firmware updates for the indefinite future, that would simply destroy the entire market. And you can't do that, because even the devices created by an entity that no longer exists and didn't sell its IP to anybody else will eventually be enough to do these DDoSes, if they aren't already.
These attacks are mostly possible because of the complacency of operators at many sites and companies. This is not a new problem and many RFCs talk about methods for preventing and mitigating them, but most people don't care and prefer to just outsource everything to a single provider, which becomes the weakest link.
The Internet wasn't envisioned with a single email provider, single DNS provider, single app container provider. (Ok, for most of these you have two, sometimes three choices, but still, that is too few). The centralization makes everything very vulnerable - imagine what would happen when Gmail is knocked out for a day.
Seriously? It's OK if only one site/company gets taken offline at a time?
There's no RFC that talks about methods for preventing or mitigating hundreds of thousands of machines all sending arbitrary traffic at you at the same time.
The only way to protect yourself from that sort of attack is to buy filtering from someone who has a bigger pipe than the largest DDoS available, and have them filter the packets so that you only get clean traffic. Unless you know of an alternative that nobody else has heard of yet.
So you wind up buying transit / scrubbing from one of a few big providers, because that's the only way to avoid being sniped by DDoSers.
> There's no RFC that talks about methods for preventing or mitigating hundreds of thousands of machines all sending arbitrary traffic at you at the same time.
The RFCs generally say that the problem is "you", i.e. the target. Of course those device makers could make their devices a little more secure, can't argue with that, it's another form of complacency. Still - the attackers are only able to do this because their targets are few.
If there were thousands of DNS providers such as Dyn each serving a small number of clients spread all over the world, it'd be impossible to attack them all.
To cause maximum damage you need to identify hosts that are common across many big companies. Someone did their homework and figured out that lots of companies are using Dyn for DNS, and for the East Coast of the US this is just a handful of servers. If the same DNS services were spread across 1000 servers, then the attackers would need proportionally more "power" to knock them out. DDoS-ing 10 boxes is _so_ much easier than 1000 (approximately 100 times easier, to be precise).
The problem with these devices in particular is the weak point is the user. As is the case in most attacks.
Your average user says "Sure, I can set up cameras", then sees "remote access" in the menu, sets it up, maybe it has some UPnP to the router and BOOM. Magic remote login without any type of mitigation.
Indeed. My mom got an internet connected "security camera" kit (for cheap from one of the big wholesalers, can't remember the manufacturer) and asked me to set it up.
The hardware was nice, cameras did a reliable 1080p full color, but the whole reason my mom wanted it was so she could check in while she and my dad were traveling (and also sneak a peek at her bird feeders while she was away; avid birder, that one).
So, I hooked that thing up to the network and did a port scan on it... First thing noticed - it's listening on port 22, auth is a googleable default password. It supports UPnP to punch a hole through the NAT and serve up video on another port. OS on the server box is some slightly customized version of linux with an _old_ kernel.
So I said, "Sure mom, I can set this up for you. We're going to need to get you a new firewall, it'll probably be easiest to put a *nix box in front of your wifi access point, then we can set up a tunnel between the isolated camera server and a locked down outside server that only you have access to so we can be sure that no one else is looking at those cameras. Should only take me a few hours, and we'll need to buy a box to run the firewall, and then a small monthly fee to keep the internet accessible server running"
Her response, "but it says on the box that it's easy to setup for outside access!". Mine: "It's easy to setup for everyone to access, much more involved if you want to make sure it's only you who has access".
Admittedly, it did have some authentication for accessing the video streams, but I didn't trust that thing as far as I could throw it; I'm glad she decided not to go through the trouble of getting it working (but mostly because I'm lazy and didn't want to have to set up and support that damn thing).
I can only imagine that the people who bought that device and didn't have a security paranoid person to help them set it up are all contributing to this most recent DDoS attack.
well that was a pretty clever answer, I needed to laugh about that :D Basically the commercial was right :D "easy to setup for outside access" didn't imply a single person ^^
> Her response, "but it says on the box that it's easy to setup for outside access!". Mine: "It's easy to setup for everyone to access, much more involved if you want to make sure it's only you who has access"
The problem here is there's nearly zero incentive to do it right. I mean, ok, let's say the worst - somebody breaks into the box. For a regular person, the worst thing is that somebody gets access to their DVR. As long as it keeps working as a DVR, they couldn't care less. Yes, this DVR would also serve as a botnet bot, but the owner doesn't care. It doesn't hurt them - except when Twitter goes down, but they don't make the link between them not configuring the DVR properly and Twitter going down. Until we find a way to make the incentives work in the right direction, nothing really would change...
> Admittedly, it did have some authentication for accessing the video streams, but I didn't trust that thing as far as I could throw it
So...you wanted to have authentication and it has authentication...I must be missing something.
It may not have been over HTTP, so possible to be sniffed. Or, even if it did have HTTPS, it might not generate keys in a secure way (or might use the same certificate as other devices). And you don't know if there are hidden backdoor accounts that might be found eventually...
So, yeah, it makes sense to block it - personally I block IOT devices from the Internet entirely (and don't let them initiate requests to my local network even) and use a VPN (IPSEC/IKEv2). That wouldn't work for devices that connect to cloud services, so I'd have to set up new firewall rules if I got one of them.
Late response, but yes - there was no https support whatsoever on this thing. Authentication was some custom shit and intended to be passed over the internet in clear text.
> So...you wanted to have authentication and it has authentication...I must be missing something
You missed that you could SSH into it with a default password that is easy to find on a web search.
So... don't use that default password?
I will be interested if you take time to write this up.
why not generate a cert based off mac address and allow customer to use that
The real problem here, and this isn't going to be a popular position, is that you're relying on the internet for important things.
The original engineering and architecture of the internet (and the web) was not intended to create something you put all your eggs in. It was for sharing information, not building your mission critical business operations on.
Right now, if you dumped your business into a cloud service you're mostly dead in the water. But those who have local infrastructure can keep working. As people have been noting here, centralization is bad.
Actually, the original engineering and architecture of the internet was intended to provide reliable command & control in the event of a nuclear war. A network of last resort. I can't think of anything more mission critical than that.
No, it wasn't. That's a myth, dispelled in many sources, including [1]. Also in [2]:
Many people have heard that the Internet began with some military computers in the Pentagon called Arpanet in 1969. The theory goes on to suggest that the network was designed to survive a nuclear attack. However, whichever definition of what the Internet is we use, neither the Pentagon nor 1969 hold up as the time and place the Internet was invented. A project which began in the Pentagon that year, called Arpanet, gave birth to the Internet protocols sometime later (during the 1970's), but 1969 was not the Internet's beginnings. Surviving a nuclear attack was not Arpanet's motivation, nor was building a global communications network.
Bob Taylor, the Pentagon official who was in charge of the Pentagon's Advanced Research Projects Agency Network (or Arpanet) program, insists that the purpose was not military, but scientific. The nuclear attack theory was never part of the design. Nor was an Internet in the sense we know it part of the Pentagon's 1969 thinking. Larry Roberts, who was employed by Bob Taylor to build the Arpanet network, states that Arpanet was never intended to link people or be a communications and information facility.
[1] https://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832...
[2] http://www.nethistory.info/History%20of%20the%20Internet/beg...
Where Wizards Stay Up Late is a fairly dry book, but it contains interesting kernels of information (like this). It's not a page turner, but it's worth a read if you are interested in things like, for example, the information in this comment's parent.
A few oral history interviews with key actors also confirm this.
> Arpanet was about time-sharing. Time sharing tried to make it possible for research institutions to use the processing power of other institutions computers when they had large calculations to do that required more power, or when someone else's facility might do the job better.
Arpanet is distributed shared information for science. Nuclear technology is science. Surviving science is a war that requires nuclear insights. Therefore, the Arpanet was developed for surviving nuclear war.
As Aristotle might have said if he were here, you committed an error in syllogism number 56.
And yet I suspect the government could pick up a phone, hop in a vehicle, etc and communicate with the right people.
Which means it falls under what he said.
ARPANET is nothing like the monstrosity we have today.
Even still, if indeed it is the cameras doing this, it's a problem of our own creation. The internet 'is fine' without a botnet of dvrs.
Exactly, I have tons of IOT devices. I put them on a separate subnet that does not have a gateway to the internet then I VPN into that network to access them. Perhaps a product that makes that a simple process will solve the problem?
We partly do that at Wormhole. I say partly because you still have to be able to access one of our addresses. Port of last resort is 443/TCP, so it works on lots of tricky networks out there.
The idea is that all your IOT stuff establishes a connection to this server, creating an encrypted network between them. You then add your control servers to that network and job done. You devices don't need any inbound access to talk to each other. All the connections are outbound, so no ports to open on your firewall and no risk.
You could do this by yourself, but we take that hassle out of your hands. Happy to help with custom deployments too outside our main service; it's a great way of learning our customers' needs.
It's hard though to have your exact setup as a service, it implies incoming VPN connections to the site where you deploy your IOT and a VPN server of sorts.
Our main focus was remote teams and devs having to use remote servers, however IOT might be a killer use here.
Interesting, I have a few thoughts. Perhaps you could sell a preconfigured pfsense box (or make a raspberry pi image to start with) that when plugged into the customers router creates a reverse tunnel via your service as well as a WiFi hotspot. Then offer the user a very simple firewall control panel and they can choose what devices to allow to the open internet and what to keep private and accessible via some sort of authenticated channel. Thus devices that contain sensitive data or require enhanced security (cameras, private network attached storage devices, home automation) and devices that require internet access (Amazon Echo) can both be served by the service.
Very nice service by the way. I have used ngrok in the past and found it invaluable for a few odd applications. I'll give it a try in future.
Hi!
Thank you for the feedback and the suggestion. It is a good idea actually. I'm considering new features in the roadmap, because at the moment I don't even offer Internet access through my system, it's just a private LAN (I'm not competing with the myriad of privacy-minded browsing VPNs out there). Adding a manageable Internet Gateway could be a nice option.
Developing and deploying a software+hardware piece would be very interesting too, so there's no need to deploy agents on the remote servers or IOT devices (on most of them you probably can't) and I take the hassle out of my customers' hands to set up, e.g., a Linux gateway to route traffic through the tunnel.
A flexible gateway would be a great add on, I also like a private DNS server while developing. If you offered a Postfix forwarder and static, clean IP addresses, you could attract home users who wish to host their own email but are behind dynamic residential connections (like me, I use a digital ocean droplet currently for that purpose).
Thank you again, your feedback is great!
FWIW, I would definitely be interested in paying for a service like this. I'm technical enough to care about this, but not technical enough to solve it myself. Similar to where I was before dropbox.
My comment here might be relevant to your interests: https://news.ycombinator.com/item?id=12765051
It could suit your needs or we can help with custom deployments. In any case I'd like to learn more about your needs and your expectations. Can I drop you an email?
totally, it's in my profile
I've been thinking about how you'd design a UI for that, that was easy to use. Maybe a separate wifi network that IOT devices go onto, and then a web app that knows devices with XYZ MAC are LIFX bulbs and shouldn't be able to talk to the smart TV, but that phones on the network should be able to jump the subnet and talk to the bulbs.
You can make it semi-automated in a way. I believe the first 6 characters of the mac address are the vendor id, I'd get the DHCP server to assign different vendors into different isolated vlans but with short leases at first and then allow you to merge them, assign permissions and move them around. Call it "learning mode". It won't be perfect but you can also augment it with human created presets.
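As an added example (not code from this thread or from any commenter), here is what the "learning mode" described in this comment, plus the per-VLAN reachability rule from the parent comment (phones may reach the bulbs, bulbs may not reach the TV), could look like in Python. The OUI-to-vendor entries, VLAN numbers, lease times and dnsmasq-style lease lines are assumed or constructed for illustration; check vendor prefixes against the IEEE OUI registry before relying on them.

```python
"""Learning-mode VLAN placement for IoT devices by MAC vendor prefix (OUI).

Unknown vendors land in a quarantine VLAN with a short DHCP lease; once the
operator classifies a prefix, devices move to a vendor VLAN with a long lease.
All table values below are assumptions for illustration, not real policy.
"""
from dataclasses import dataclass

TRUSTED_VLAN = 10        # phones and laptops
QUARANTINE_VLAN = 900    # unknown vendors start here
SHORT_LEASE = 120        # seconds, while a device is still unclassified
LONG_LEASE = 86400       # seconds, once it has been placed

# Vendor prefix (first three octets) -> vendor name. Assumed values; verify
# against the IEEE OUI registry.
OUI_VENDORS = {
    "d0:73:d5": "LIFX",
    "00:17:88": "Philips Hue",
    "b8:27:eb": "Raspberry Pi",
}

# Vendor -> VLAN preset. Vendors absent here are unclassified.
VENDOR_VLANS = {
    "LIFX": 200,
    "Philips Hue": 200,
    "Raspberry Pi": 300,
}

# Which VLAN may initiate connections to which. Trusted devices may reach
# every IoT VLAN; IoT VLANs may only talk within themselves; quarantine
# may initiate nothing (it only answers DHCP and gets its lease renewed).
ALLOWED_FLOWS = {
    TRUSTED_VLAN: {TRUSTED_VLAN, 200, 300, QUARANTINE_VLAN},
    200: {200},
    300: {300},
    QUARANTINE_VLAN: set(),
}


@dataclass(frozen=True)
class Placement:
    mac: str
    vendor: str
    vlan: int
    lease_seconds: int


def oui(mac: str) -> str:
    """Normalize a MAC (aa-bb-cc-... or AA:BB:CC:...) and return its OUI."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(parts[:3])


def place(mac: str) -> Placement:
    """Decide VLAN and lease length for one MAC, the way the DHCP hook would."""
    vendor = OUI_VENDORS.get(oui(mac), "unknown")
    vlan = VENDOR_VLANS.get(vendor)
    if vlan is None:
        return Placement(mac, vendor, QUARANTINE_VLAN, SHORT_LEASE)
    return Placement(mac, vendor, vlan, LONG_LEASE)


def learn(prefix: str, vendor: str, vlan: int) -> None:
    """Operator classifies a quarantined prefix: name it and give it a VLAN.
    The next short lease renewal then moves the device out of quarantine."""
    OUI_VENDORS[prefix] = vendor
    VENDOR_VLANS[vendor] = vlan
    ALLOWED_FLOWS.setdefault(vlan, {vlan})
    ALLOWED_FLOWS[TRUSTED_VLAN].add(vlan)


def may_initiate(src_vlan: int, dst_vlan: int) -> bool:
    """Reachability check the inter-VLAN firewall would enforce."""
    return dst_vlan in ALLOWED_FLOWS.get(src_vlan, set())


def parse_leases(text: str) -> list[tuple[str, str]]:
    """Parse dnsmasq-style lease lines (expiry mac ip hostname client-id)
    into (mac, hostname) pairs."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            pairs.append((fields[1], fields[3]))
    return pairs


# Constructed lease file: one known bulb, one camera from an unknown vendor.
SAMPLE_LEASES = """\
1477000000 d0:73:d5:12:34:56 192.168.1.50 lifx-bulb *
1477000000 02:ab:cd:ef:01:23 192.168.1.51 cheap-cam *
"""


def placements_from_leases(text: str = SAMPLE_LEASES) -> list[Placement]:
    return [place(mac) for mac, _host in parse_leases(text)]
```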
The problem with any solution is getting it used widely enough to make a difference. We seem to have an unlimited predilection for making the same mistakes repeatedly, even though we could avoid them.
heh. move over user-centered design, user-centered malign is making a come-back :)
It's easy to fix; back in the day, when a machine was infected, an ISP would just block outgoing traffic, contact the line owner and re-enable it when the issue was resolved.
If the "machine" in question is my ADSL router as supplied by my ISP, I will be deeply unimpressed if they block me due to their own negligence in updating it!
Similarly, a single bad device on my network would block the whole of my network from the internet. It's another sort of denial of service attack.
We need IPv6 and have devices either access the internet with their own IP address or not access it at all. This solution, then, would only impact bad actor devices, not your other (non-compromised) devices. Still, not easy.
I think it's fair to block the entire network. It is then up to the network administrator to fix the problematic device.
While technically accurate to describe them as such, the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators.
Where these devices are being attacked inside, ostensibly, professional organizations (companies, schools, government buildings), I agree. But there you have, again ostensibly, an actual network administrator capable of dealing with the issue (and paid to do so).
I think that's okay.
We don't expect all homeowners to be, say, experts in electrical wiring, or gas supply, plumbing, drainage, or waste management. But all of these things—if they are poorly modified, managed, or maintained—can cause impacts on third parties. In the case of networked devices, the possible impact on third parties is even greater. We also enforce strong regulation on these systems – defining what may and may not be legally connected to public utility networks, for example.
We would probably expect a homeowner to hire a tradesperson to maintain these services, and in some cases it's legally mandated that only a qualified person may install or modify these systems. Is it then unreasonable to kick consumers off of the Internet when they install poorly-maintained devices, and require them to resolve the problem – perhaps by hiring the networking equivalent of a qualified plumber?
Then we need to regulate the installation and maintenance of home networks like we do plumbing and electric. This is not a small requirement, and given the current ubiquity of home networks and networked devices it will be an incredible challenge to implement.
Probably a startup idea or two would come out of that sort of regulation. Now that, to install that Nanny Cam, I have to hire a certified network administrator.
If the ISP were held responsible by contract, the ISP could either transfer that responsibility as described above or they could just filter their outbound a little harder. The latter solution seems more practical.
Or they could go the cheap route, and have a whitelist of devices you're allowed to use on your network.
Huh, weird, this whitelist seems to mostly consist of devices the ISP would be glad to rent out to you on a monthly basis...
What sort of regulation are you referring to? I'm not a plumber or electrician but I replace broken faucets and light switches. No certification required.
I was more referring to requiring homes be up to code. You're right that individual projects don't really require anything special, more important when building new buildings.
It's oscillation all over again:
I feel like Amazon, Best Buy and new egg could get together and create a standard for IoT devices, no? Though I guess they'd get hit with antitrust.
I'm not all that familiar with standards bodies, but is it common for retailers to create standards? Isn't it often the case that industry does this?
That's fine, if you connect some cheap webcam and it causes you to be knocked off the internet you're going to be mad, leave a bad review for the camera, and not buy from them again. Market forces would then incentivize better security to be built into these devices.
But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.
The solutions available (and there are more, just enumerating some):
* IPv6 so everything is directly on the internet or not hidden behind a common router like they are now. This allows direct blocking of bad actors.
* Security certifications for all software and hardware that ever connects to the internet. Well, guess I won't be doing as much programming at home anymore. And good luck getting that open source project of yours certified without getting some Patreon supporters with deep pockets.
* Arbitrarily, from the consumer's perspective, block their access to the internet when they "did nothing wrong".
* Hold the creators of the devices accountable for making shitty, exploitable systems. Sue them directly for the financial harm they've permitted (millions of dollars today alone). But good luck suing them, they're in a foreign country and will cease to exist tomorrow (under that corporate entity).
> But the average consumer won't realize, especially when the installation and network failure aren't temporally adjacent, that the camera is the cause of the problem.
In theory the user could be presented with a "here is why you've been blocked" explanation when they try to browse any site. They could then (probably) figure out what is the offending device, take it off the network, then click "please let me back on the internet, the bad device has been removed". (Somewhat similar to how the MX blacklists work at present).
"the vast majority of consumers (and internet service subscribers) lack the actual technical expertise to be network administrators."
that's true, but the vast majority of internet service subscribers aren't their own network administrators. If you're using an ISP-supplied modem/router combo, I'd say that your ISP is your network administrator. If my ISP wants that kind of access into my local network (and they don't give me any other option) then they should be doing some actual administration.
Under this concept, they'd be able to specify precisely what kinds of computers and IoT devices you'd be allowed to use on your home network. This would be a net-negative for the world.
"Fix" is a relative term, especially if IoT devices are in play – yes, turning off the internet to customers stops the attack, but then (at least?) thousands of people lose internet connectivity because of a vulnerability that they could very well be powerless to fix. I'm not saying it's ok with me that an army of smart refrigerators could be taking out big chunks of the web, but it's a lot easier to tell someone, "Hey, either get the infection off your computer or re-format" than it is to make someone buy new lightbulbs and appliances.
Not powerless, just unplug their toaster and they get their internet back.
What is powerless is that many people today couldn't get twitter, github, reddit, spotify, box, etc. because many people don't care about securing their webcam.
I would hope things like smart refrigerators and lightbulbs actually still operate normally when the internet is out, right? By "normally" I mean similar to "dumb" versions of the same product. So a customer could fix the issue by kicking the device off the network (disconnect the smart fridge from the ethernet / wifi, unplug the hub for your light bulbs, etc) without actually having to immediately replace them.
When a pipe breaks in your condo and starts flooding all the people below nobody asks which appliance might be leaking. Water is cut and you get the bill for _all of the damages_.
Possibly stupid question: why is that no longer done?
Because it's hard to get an ISP to disable a service for one of their paying customers to help other people on the Internet who aren't paying them.
Why can't everyone else then block the customer? Get the big 5 tech companies to block IPs that are shown to do DDOS, for say a 24hr period, and you will see how quickly they unplug that IOT Toaster
Speaking as not-me, the average, non-technical homeowner who just installed his new internet connected washing machine at home.
Great, now I can throw in a load and get a notice on my phone when it's done. This is awesome! (3 hours later) Wait, why can't I get to the internet? I call my ISP, they tell me that my connection is fine (it's tech support, they aren't security experts). But, I tell them, Google doesn't work for me. They do some tests, everything should work. I bitch, moan, cry a little, rage quit my ISP and sign up with someone new. It works for a few days until my washing machine (having been offline for a bit) gets exploited again.
I still don't have a clue as to why I'm being blocked from Google and company. Maybe they kick back a message as a 4xx (what would be appropriate?) that says my network has been hacked. But I've seen those sorts of things all the time in ads, I know that's just someone trying to scam me, convince me to run something that'll install a virus on my computer.
Must be my computer! Damn Dell piece of shit. I can't afford a new one. Maybe that neighbor kid can come over again and help me out with this.
($200 and several trips for the neighbor kid later it's still not solved)
From my point of view as someone who is no longer ddos'd, I don't have a problem with this.
Wait, isn't this whole plan a massively worse DDoS than what we experienced today?
By exploiting a toaster, the attacker could shut off the domestic internet service entirely, rather than just disrupting Netflix.
As you said, some sort of message would have to be the way. A 4xx probably won't cut it but something like the messages Google shows you when asking for a captcha is fine.
My point is that there will be a cost, and that taking action against vendors won't be enough (esp. if they are in a different country, are no longer in business, etc.)
> Maybe they kick back a message as a 4xx (what would be appropriate?) that says my network has been hacked
429 seems appropriate.
Or maybe even 451.
Not very quickly? First, you wouldn't know why you were disconnected. You would try the standard things first (plug and unplug your router, etc). Then maybe after a while you would call your ISP. Get put on hold a bunch. Your ISP tech support probably won't know much either, since in your scenario it isn't the ISP doing the blocking. They MIGHT test the connection, or maybe they just give the customer a new IP address.
It is going to take quite a while in this scenario for the user to realize it is their IoT toaster that is causing the issue.
Because today you can't call the customer anymore if you block their traffic.
and don't forget the part where the user is charged $ for violating the contract.
Yep, and manufacturers don't have much incentive to update firmware for a device which is not their latest greatest, or to update firmware while not adding more features to help them sell more. Security isn't a feature that the vast majority of consumers would pay extra for or know how to verify anyway. There was plenty of demand for that one "unhackable" android phone, but I'd be blown away if it wasn't 100% snake oil.
My prediction is that it'll get worse before it gets better and that these type of botnets will be around for at least 5 years. Look at what happened to unsecured-by-default routers, android phones, Windows PCs, cars...the way consumers will get more secure stuff is by manufacturers being publicly embarrassed / sued over problems until caring about security makes business sense, then they'll have it in their hands when their old insecure gadgets die.
My cynical side thinks this will be a problem until all the old endpoints supporting these insecure things are shut down eventually in 5-10 years.
This isn't just small manufacturers either. I bought a new Samsung tablet for my kid two weeks ago. It is running a three year old version of Android with no updates available. Pretty shocking.
There'd be something ironic about a manufacturer's website being made unavailable because of a DDoS caused by their own poorly secured devices.
> They are fundamentally very difficult to fix in light of the non-updateability of many of these devices
as you proved, fixing the situation by fixing the devices wouldn't be a feasible approach. The traffic from those devices is carried by ISPs and this is where this traffic should be stopped. To me the situation reminds me of email spam. We didn't get rid of spammers; instead the email traffic is analyzed and dealt with accordingly. I'm sure that ISPs easily see the patterns of such massive DDoS attacks and could just drop (or throttle down into oblivion, like hundreds of times down) the participating traffic.
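An added illustration (not the commenter's code) of the ISP-side pattern spotting this comment proposes, in Python over constructed flow records: a target is treated as under attack when many subscribers push a high aggregate packet rate at it, and only subscribers with a significant share of that traffic get throttled, by the "hundreds of times down" factor suggested above. Thresholds, window length and all addresses are assumptions or constructed sample values.

```python
"""Identify subscribers participating in a volumetric DDoS from sampled
flow records and compute a per-subscriber throttle, as an ISP edge might.
All thresholds are assumed values for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One sampled flow record: subscriber source -> destination, with the
    packet count seen in the sampling window."""
    src: str
    dst: str
    dport: int
    packets: int


WINDOW_SECONDS = 60        # length of the sampling window the flows cover
MIN_SOURCES = 50           # distinct subscribers hitting one (dst, port)
MIN_TARGET_PPS = 100_000   # aggregate packet rate toward the target
MIN_SOURCE_PPS = 500       # per-subscriber rate before we throttle it
THROTTLE_FACTOR = 100      # cut participating traffic by this factor


def find_targets(flows):
    """Return {(dst, dport): set(src)} for destinations that look under
    attack: many distinct sources and a high aggregate packet rate."""
    by_target = defaultdict(lambda: [0, set()])
    for f in flows:
        agg = by_target[(f.dst, f.dport)]
        agg[0] += f.packets
        agg[1].add(f.src)
    return {
        target: srcs
        for target, (pkts, srcs) in by_target.items()
        if len(srcs) >= MIN_SOURCES and pkts / WINDOW_SECONDS >= MIN_TARGET_PPS
    }


def throttle_plan(flows):
    """Return {src: allowed_pps}: subscribers whose rate toward an attacked
    target exceeds MIN_SOURCE_PPS, with the rate they should be limited to.
    A subscriber doing a few ordinary lookups against the same target is
    left alone, so a home user is not cut off for querying a DNS server
    that happens to be under attack."""
    targets = find_targets(flows)
    per_src = defaultdict(int)
    for f in flows:
        if (f.dst, f.dport) in targets:
            per_src[f.src] += f.packets
    plan = {}
    for src, pkts in per_src.items():
        pps = pkts / WINDOW_SECONDS
        if pps >= MIN_SOURCE_PPS:
            plan[src] = pps / THROTTLE_FACTOR
    return plan


def sample_flows():
    """Constructed sample: 60 subscribers each sending 120,000 packets in a
    minute to one DNS server (203.0.113.10:53, a documentation address),
    plus one ordinary user querying it and one user browsing elsewhere."""
    flows = [
        Flow(f"10.0.0.{i + 1}", "203.0.113.10", 53, 120_000) for i in range(60)
    ]
    flows.append(Flow("10.9.9.1", "203.0.113.10", 53, 30))
    flows.append(Flow("10.9.9.2", "198.51.100.7", 443, 4_000))
    return flows


if __name__ == "__main__":
    for src, pps in sorted(throttle_plan(sample_flows()).items()):
        print(f"throttle {src} to {pps:.0f} pps")
```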
> For a long time, I've wondered what would finally be the Securitypocalypse, the thing that finally caused our industry as a whole to take security seriously.
Nothing. If the economic system revolves around capital's valorization of itself, security is a distraction from that. I have to spend five seconds typing my password in every time I sit at my desk? I can't just easily e-mail this executable file to my co-worker and have them run it? My desktop is locked down by the desktop admins to prevent me being able to do this, and many other things? Every implementation of security costs money for the personnel to do it and possibly the product cost. Plus any lost productivity it might cause (15 seconds to type in a password each time one sits at their desk, compounded).
Donn Parker wrote one of the first books on computer security in 1976, Crime by Computer. The opening words are as apt for corporate security now as it was then. The #1 fear for the corporate manager are the employees of that company. They are the ones with the greatest control over the means of production, so to speak, even more than the managers themselves who are de jure in charge, but are de facto one step away from actual control. Look at how much access someone like Snowden had at Booz Allen.
Obviously, if all products have wide open holes, script kiddies will be able to get control. Some minimal security will always be done to stop this sort of thing. On the other hand, one (or better yet, several) dedicated people who want to get past some security arrangement can almost always get in. Even if the firewall is supposedly impenetrable, the wifi or the building security or the social engineering credulity of employees or something will be there. There will be some weak link in the chain. Especially for a company that needs to make a profit.
The real security is that semi-intelligent, persistent agents that seek to access and control systems without authorization are lacking. Things depend on the conditions that cause this to rise or diminish. Because once it rises, there is little that can be done. I forget who said that the czar's Russian Okhrana was one of the largest, most extensive security forces that existed. That meant little when Russia began collapsing in 1916 though - all it meant was that they were even more aware that virtually everyone in the country was becoming the czar's enemy.
Securitypocalypse events do result in business and government putting more focus on security for a while, but time moves on, and attention drifts back to the main focus. These things go in waves, and total security is never something of the highest priority.
I am a non-programmer who reads HN and keeps up with tech news in general.
And every time I read about the IoT botnet, my immediate response is to look around my apartment at my Internet-connected lights, and wonder if they're part of it.
How can I find this out?
Is anyone making a tool that a non-technical user can run to squint at their network and look for evidence of Mirai, or anything else trying to take advantage of this niche?
There are plenty of tools with a reasonably simple interface that will tell me if my laptop/desktop computer is infected with something. But what can I use to diagnose the health of all of the other computers proliferating around my house?
How can a non-technical user easily monitor the overall health of their connected household? Is this a project anyone is building? Because I think it's definitely something that needs to exist now.
Looking over all the replies this comment received, I think my plan for seeing if my apartment's Internet Things are on any botnet is going to be "bribe that security researcher I flirt with sometimes to visit my place and run some tests". Which is not really a solution that scales, either for that friend, or for people who don't happen to run in the kinds of circles where that's someone they could conceivably trade favors with.
And it's probably not gonna get any better any time soon, either. Because I'm not sure there's a money stream in making this something a non-programmer can do. And maybe there shouldn't even be a money stream in this - maybe there should just be huge-ass fines to motivate as many people as possible along the chain from "my Internet Thing" to "the Internet" to include a white/grey hat or three on their team very early in the design process of making their camera/light bulb/pacemaker/router/modem/whatever. Although if someone reading this can figure out a way to get a money stream out of making it a lot easier to see the health of your home's devices, and keep them safe, that might be a decent YC app for you.
How do we add an immune system to the Internet Of Things? Because we sure as hell need one.
> bribe that security researcher I flirt with sometimes to visit my place and run some tests...[w]hich is not really a solution that scales...
Assuming the flirting displayed is sincere, that security researcher may prove much more scalable than you'd imagine.
There's not really enough of a size difference between us to make "scaling" come into play.
From my reading of Krebs On Security (krebsonsecurity.com), Mirai scans for factory default passwords or hardcoded default admin credentials. Going at this as a non-technical person, I would:
* Inventory all IOT devices in your possession.
* Find the device manuals and make sure you've changed the default password(s). Note there may be devices where it appears you've updated, but that have secret credentials you can't modify.
* Make note of which of your devices do not have an obvious way to change the factory default password.
* Keep an eye out for lists of devices that are known problems, here is one such sample list: https://blog.sucuri.net/2016/09/iot-home-router-botnet-lever...
* Check each manufacturer to see if they have issued a firmware upgrade to address security issues. Apply update.
* Think about retiring devices that appear on the "bad" hardware lists or the devices with unchangeable factory defaults.
Hope this helps.
Dowse is trying to help you out http://dowse.eu/#sec-2-2 Dowse is a transparent proxy facilitating the awareness of ingoing and outgoing connections, from, to, and within a local area network. ... Dowse communicates with users in various ways: via a web interface, but also pushing messages via audio (synthesized speech), Bonjour and simple apps interfacing with personal mobile devices.
You can even hook up Dowse to your TV set and show a live animation of where on the internet your devices connect to https://youtu.be/vquh3IXcduc?t=74
Oooh. I think I may have finally found a use for the Raspberry Pi sitting around my apartment.
The best place to do this is at your border. You probably have a cable modem or router or some such that connects your home to the internet. You would typically install software known as IDS (Intrusion Detection System) such as Snort there and look for anomalous traffic.
As for a non-technical solution, it will be difficult to implement. It requires some computer know how and time. Such a secure device could be created or better yet offered by the manufacturers of the modems/routers frequently deployed in homes.
The last time I played around with Snort[1] I realized I'm lightyears away from being paranoid compared to the default settings :)
It would be good to have an IDS with bare minimum settings, easy to turn on layer after layer, though I understand it's tricky.
For non-technical users, I'd suggest the following:
Turn off the devices you don't want to check; leave only those up you want to investigate.
Visit your router's web interface and see if there are any graphs you can check for things like requests/second or packets/second. If it's really high while you're not actively doing anything, that's a clue.
Visit the UPnP settings on the router. If there are ports listening for incoming internet connections, turn the UPnP off on the router.
If you can SSH to your router, log in and start collecting data with tcpdump[1]. This can later be analyzed with tools like Wireshark[2], which can show you per protocol what is going on. Most of the botnets use telnet- or IRC-like interfaces which are, in most cases, plain text commands, so it's possible to spot them.
Apart from this: reset everything to factory and change all the passwords before letting anything on your network.
[1]: https://www.linux.com/blog/tcpdump-tutorial-beginners
[2]: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntr...
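The commenter's last step (capture with tcpdump, then look for plain-text telnet or IRC traffic and unusual packet rates per device) can be turned into a small triage script. The following is an added example, not code from the thread or from any of the tools named in it. It reads a constructed, tcpdump-style flow summary rather than a real capture, and the port list (23 and 2323, which Mirai scans, plus 6667 for IRC) and the packets-per-second threshold are assumptions you would tune for your own network.

```python
"""Flag LAN devices whose outbound traffic looks like botnet activity.

Added example, not from the thread. The flow lines below are constructed;
in practice they would come from a tcpdump capture or a Wireshark
conversation export summarized into the same "src -> dst:port" shape.
"""
import re
from collections import defaultdict

# Ports discussed in the thread: telnet (23, and 2323 which Mirai also
# scans) and the default IRC port often used for plain-text C&C.
TELNET_PORTS = {23, 2323}
IRC_PORTS = {6667}
# Plain-text IRC commands that should never leave a light bulb.
IRC_COMMANDS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b")
# Assumed threshold: packets/second from one idle LAN host.
PPS_THRESHOLD = 500

# Constructed format: "<src> -> <dst>:<port> pkts=<n> secs=<n> [payload=<text>]"
FLOW_RE = re.compile(
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"pkts=(?P<pkts>\d+) secs=(?P<secs>\d+)(?: payload=(?P<payload>.*))?"
)

# Constructed sample: .20 is a normal client, .31 behaves like a Mirai-style
# scanner/bot, .42 is blasting packets at a single web server.
SAMPLE_LOG = """\
192.168.1.20 -> 93.184.216.34:443 pkts=120 secs=60
192.168.1.31 -> 203.0.113.5:23 pkts=30 secs=10 payload=root
192.168.1.31 -> 203.0.113.9:2323 pkts=14 secs=10 payload=admin
192.168.1.31 -> 198.51.100.7:6667 pkts=8 secs=60 payload=NICK x86_bot
192.168.1.42 -> 198.51.100.200:80 pkts=90000 secs=30
192.168.1.20 -> 93.184.216.34:443 pkts=4 secs=5
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict, or None if malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"], "port": int(d["port"]),
        "pkts": int(d["pkts"]), "secs": int(d["secs"]),
        "payload": d["payload"] or "",
    }


def is_private(ip):
    """RFC 1918 check done by prefix (the stdlib ipaddress module also marks
    the documentation ranges used in the sample as private, so avoid it)."""
    return bool(
        ip.startswith("10.") or ip.startswith("192.168.")
        or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip)
    )


def analyze(log_text):
    """Return {lan_ip: [finding, ...]} for LAN -> Internet flows only."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_flow(line)
        if not f or not is_private(f["src"]) or is_private(f["dst"]):
            continue
        if f["port"] in TELNET_PORTS:
            findings[f["src"]].append(f"outbound telnet to {f['dst']}:{f['port']}")
        if f["port"] in IRC_PORTS or IRC_COMMANDS.match(f["payload"]):
            findings[f["src"]].append(f"IRC-style traffic to {f['dst']}:{f['port']}")
        pps = f["pkts"] / max(f["secs"], 1)
        if pps > PPS_THRESHOLD:
            findings[f["src"]].append(f"{pps:.0f} pkt/s to {f['dst']}:{f['port']}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Only LAN-to-Internet flows are scored, so chatter between two local devices never triggers a finding; a device that shows up with outbound telnet plus a sustained high packet rate is the one to unplug and factory reset first.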
> For non-technical users, ... routers ... packets ... UPnP ... SSH ... tcpdump ... wireshark ... protocol ... telnet ... IRC ... plain text commands ...
I think you unintentionally helped to cement GP's point. There is a huge opportunity for some kind of little box - vetted/certified or even insured - that non-technical users can plug in, click Next > Next > Finish, and be notified when any device on their home network starts acting suspicious.
Precisely. Users need something as simple as Malwarebytes where they just need to click the big 'Scan' button and after a few minutes it will say "Your living room ceiling fan is running a potentially unwanted program (bitcoinminer), your freezer is infected with a virus, your garage door opener is participating in a botnet, and your fitbit has a rootkit. Click here to quarantine and disinfect everything. Click here to repeat this scan daily and notify you if anything new shows up."
End users would expect that such a thing should be simple. But of course it's not (would need to work with any device running any OS with any interface). First we would need some sort of standard protocol for it. But a standard protocol that lets an external agent determine what software is running on any device could potentially be dangerous...
Well, you wouldn't necessarily need to determine what software is running on any device to quarantine it. However, what would be helpful would be some kind of central registry of botnet traffic signatures so that the scanner could use something more than just traffic volume.
This is not an easy problem.
You need a lot of data and a lot of current regularly updated information about websites being attacked or current known CnC servers. Also, there is a privacy aspect, so you can't send a lot of the data or even hashes of things to the cloud.
Such solutions might be more appropriate for workplaces in large companies and they already have things like SRX firewalls that have DDoS features.
How about a simple list of devices and a way to limit bandwidth per device, with sensible defaults (very few IOT devices will need more than 100k/s, the main exception is video cameras). It can allow "burst" bandwidth but limit, say, the total used per six hours.
Disclaimer: this is off the top of my head, there may be reasons it would fail.
I'm so tired of this. We live in a highly technical world and people should learn the basics. One of the reasons we are having this situation is because people don't understand their things.
WireShark is the first thing that jumps to mind, although I'm not sure if easy for non-technical users is the way I'd describe it.
To be part of the Mirai network, your device needs to have telnet access open to the world AND use default factory credentials (which in turn must be along the lines of "admin admin" or "root root").
I might be wrong, but in the case of Mirai I'm fairly sure you're safe if all your devices are behind NAT.
Doesn't Mirai use UPnP IGD to work around NATs/firewalls? I imagine a lot of people have that activated on their router to play video games and whatnot.
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things...
Edit: I guess it's more accurate to say that a lot of poorly designed devices use UPnP IGD to work around NATs/firewalls and Mirai takes advantage of this to infect them.
If the posted source is legit, then no.
Here's a better article from Mr. Krebs:
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twit...
Personally I think his case is pretty convincing.
From the article:
"Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example."
I repeatedly hear people refer to IoT devices that are notoriously difficult to update...yet this Mirai code is technically able to access millions of devices and bend them to its will.
So what I'm wondering is just, what prevents the good guys from using Mirai to slurp down every available device to patch the vulnerability that allowed Mirai to work in the first place?
It seems like if vulnerabilities in these devices can destabilize the entire internet that it should be perfectly viable as a response to actively look for those vulnerabilities, patch/minimize them and notify their creators of the issue.
The problem is you're reading the situation wrong. Mirai isn't about an exploit, it's IoT devices that haven't had the default username/password changed.
Now, you might say "why doesn't a good samaritan just login to all of those devices and change the password to something random?"
OK - ignoring the fact that THEY would be committing felonies in several countries... what happens when the device manufacturer wakes up and decides to patch these devices via that remote access? Suddenly the password doesn't work, and the end-user can't change it because... what's the procedure for changing the default ssh password on a light bulb?
Technically you could make the situation better by writing a worm that changes the passwords, but at this point even that is a lost cause since Mirai has a command that will change the pw on all infected hosts.
I guess that's what I'm getting at though. If we were to scan for the affected devices, change the passwords and notify the manufacturer of the change and that it was made because their carelessness essentially endangered the internet it would make it possible for them to fix it.
You're plugging a leak and letting the owner know, hey this was leaking and I stopped it but you're going to need to address that.
Guess what, Krebs' site also receives a spanking at the moment. (Given that it's hosted by Google I find it highly unlikely to go down under normal traffic)
krebs is loading reaaaaal slow for me...i wonder if it's related? or just a lot of people linking to it today.
502 already. Google cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttps...
And the article about BackConnect mentioned by Bloomberg: http://webcache.googleusercontent.com/search?q=cache%3Ahttps...
I know the TTL is set really low for a lot of DNS entries but this recent outage got me wondering if it makes sense for servers further down the chain to hold onto it for longer than the TTL, honor it when they are able to get a new DNS entry within a reasonable amount of time, but fall back to the "expired" version if the authoritative server is not reachable.
I'm wondering what would be the negative consequences of this and if they outweigh the benefit of being more resilient to these types of attacks.
There was a good discussion on this in a sibling thread earlier today: https://news.ycombinator.com/item?id=12762110
Probably, but I would definitely avoid giving all my DNS resolutions to a *.ru domain.
The reputation of the government - shutting down access to websites that hurt them is kind-a no-go for me.
US government is not much better... or have you forgotten all those hundreds of FBI/ICE domain seizures. How many have Russians taken down? If you're gonna use DNS servers and you don't want someone to track you, use the DNS server based somewhere where your government cannot access them. If you're in the US, it's easy to assume that US DoJ/FBI will not be able to subpoena Yandex or some Chinese internet provider.
Yeah, that worked for me in SV. But I'd rather not rely on anything Putin related.
Thanks!
bloomberg was down for me.
I had disabled adblock at their insistence...
i re-enabled adblock and I could get the article. hmmmm. maybe something about the 50 unrelated js calls?? perhaps?
More specifics about Mirai bots and their numbers:
https://threatpost.com/mirai-bots-more-than-double-since-sou...
Unfortunately, forced firmware updating is an area our governments should not be mandating. That puts unnecessary strain on small companies and creates a larger gap that companies must cross to become commercially viable
> Unfortunately, forced firmware updating is an area our governments should not be mandating.
It absolutely is an area that governments should be mandating, because the problem is an externality. These attacks are a cost imposed on neither the producer nor the consumer of the device itself, and (apart from some highly speculative libertarian conjectures) the only things that can fix externalities are taxes, regulations, and lawsuits.
Lawsuits are infeasible in this case since we probably can't prove whose devices were involved in any given attack, so that leaves taxes and regulations - and the latter would be better so we don't have to go through the business of collecting taxes from manufacturers and then distributing them to the victims of attacks.
> That puts unnecessary strain on small companies
Clearly it isn't unnecessary, because I can't get to any friggin websites today. If small companies don't have the resources to update the devices, they shouldn't be building them in the first place.
If you are a chemical company you have regulation on the stuff you put out and the environmental hazard of you product and waste products.
Something similar could work for IT.
Yeah, this seems, to me, the most apt existing analog. We have regulation for environmental pollution, this would be digital pollution (of a sort). Insecure devices create a harm to the digital environment.
But this is incredibly hard, due to ease of manufacture and distribution, to regulate in the case of IoT devices and software.
Which business model works best:
- planned obsolescence cranked to 11, you must replace everything in your house every month
- monthly subscription fees for each lightbulb, refrigerator, and everything else
- all products must refuse to operate unless they can connect to a central update server (which is being DDOSed by competing products made in a country without that government mandate, that are still working, while no products made in your country work)
- company shuts down, goes out of business, and a new company with a different name (but all the same employees and products except for the logo) opens every month
- all software created must be maintained indefinitely into the infinite future for free by...magic elves?
This one: Companies offer products that meet a consumer need without creating an effective, easily accessed platform for criminal third parties to tax the rest of us. If they can't do that, then they don't fucking offer the product. "The only way we can sell this is to enable DDOSes by Russian hackers!" is a reason to say "then don't offer the product!"
Fun fact, we have working systems for peer-to-peer publish/subscribe systems that only need a known peer to bootstrap off of, and then are reasonably resilient to nodes disappearing etc. No need to have central update servers - just push a signed message into some random selection of machines and go!
But then there is also the risk of government mandating a firmware update that has government features.
The consumer takes on some of the cost. But the only reason you are so for this legislation is because you don't understand the full-scale logistics involved in mandating such a feat as well as implementing them as a tech company. If you want to mandate security to include well-established, cost-appropriate solutions, that's cool, but requiring future updates to these IoT devices is not the correct solution. It brings into question free speech issues for one, requiring companies to support the life of products they no longer wish to support. And the only companies who will not feel the full brunt of this would be the elite.
I don't think that's necessarily a bad thing. If a company doesn't have the resources to create secure products, then maybe it shouldn't be in that business in the first place.
The problem is not whether they can create a secure product, but whether they can afford to certify their products as secure.
From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it. This forces a huge amount of overhead on our projects. This isn't a bad thing, mind you, but it is a thing to consider.
It is hard for a couple engineers to start a new company making these sorts of systems. The only practical way is to have a truly good and demonstrably better solution, or be inside a large corporation with already deep pockets.
> From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it.
The same is true in organic produce. I hear of a lot of farms that follow all the rules to raise organic goods but can't label them "certified USDA organic" because the certification process is too expensive.
This is what I was responding to in the original comment:
> forced firmware updating is an area our governments should not be mandating
I think that if a company can't maintain a team to deliver regular security updates to their internet-connected products, then they shouldn't be producing internet-connected products in the first place.
I agree with you that government-mandated aviation-software levels of product certification would be destructive overkill.
Just like with bridges. Getting certification by a professional engineer is just too much barrier to entry for small construction companies.
Edit: forgot the /s
I'm not sure if you're being sarcastic, but isn't that a good thing?
Firmware updating isn't exactly a "hard tech" problem, even if it is hard to do right. I suspect we'll see some generic firmware update frameworks/solutions emerge in the coming decade, and at that point adoption will pick up rapidly because being able to push updates is good for business.
Firmware updating isn't hard tech. Secure firmware update over public network is.
Google's IoT solution offers this. But no one seems to want to use it.
In an age where security vulnerabilities can cause your thermostat to overheat your house and your smart lock to lock you out, maybe it'll be a good thing that companies that don't have good security practices and update mechanisms will be locked out of the IoT market.
Yea, it's a hard problem. While there's clearly a lot of vulnerabilities out there that emerge because it's cheaper to ignore security until you're large enough for a breach to be a big issue, forcing mandatory updates is a great way to discourage anyone from attempting to try something new. There might be a tipping point at which the costs of a breach outweighs the benefit, and maybe we've hit it already, but government mandates should be something we discuss cautiously and should prefer to avoid.
I think that the negative externalities of poorly secured IoT devices scale linearly with the number attached to the internet whereas the cost of writing more secure software and keeping it updated scales much much more slowly with the number of installs. I think this means that the best solution is to have tiered levels of certification and regulatory burden based on the number of times a piece of software is installed. Ideally tiering would be done on the total bandwidth of all devices with a piece of software installed but this would be much more difficult to measure and enforce than counting installs.
If no product with less than X thousand installs has to deal with the regulatory overhead of certification then experiments and early stage companies are less likely to be squashed. I would also exempt open source software from having forced audits or minimum standards for security. This would have the side effect of encouraging more companies to publish their firmware open source which would also not be a bad outcome.
To prevent companies manufacturing lots of almost identical product lines each individually under the limit for audits I think it would also be necessary to count all products that share more than half their code as one product.
Liability should be on the people who connect these things to the public internet. The owners of the devices. Like with cars, you have certain responsibilities and liabilities when you operate a potentially dangerous machine on the public roads.
In the case of ISPs providing cable modems and routers and DVRs and other boxes to their customers, they should be responsible for keeping those secure.
If people start getting fines or sued over what their internet-connected devices are doing, they might stop connecting them to the internet, or shop more carefully for devices or providers that are secure.
So grandpa goes to Home Depot, buys a fancy new thermostat and installs it at his home, the device gets hijacked by the archetypal 400 lb hacker, and is used to take down a major commercial site, and then grandpa is liable for the whole thing?
I don't think so.
You make a little gizmo with shitty security, you are liable. Full stop.
So grampa doesn't take care of his car, the brakes fail and he kills a family with four kids. Is he liable? Yes. He may not know the first thing about brakes or car repair but owns the car, and he took it out on the road without being sure it was in safe operating condition.
But to steal an idea from another comment, make the ISPs liable also for routing the malicious traffic onto the internet. They will then have incentive to monitor their networks and they can take homes offline until their customers fix or disconnect their hacked devices.
I'm the "head fred" networking/infrastructure guy at an ISP. I want to avoid, as much as possible, peeking at my customer's traffic.
In my personal opinion, an ISP should be a dumb pipe. I'm providing you with the ability to send/receive "n" bits per second; I don't care whether you use it to participate in e-mail discussions with your church group or stream pornography and play online poker.
Are you certain you want ISPs to be responsible for monitoring all of your traffic and what you're doing online? Do you really want somebody else deciding -- at their own discretion -- what is "acceptable" for you to do online?
I'm very pro-privacy, pro-encryption, "pro-Internet freedom", etc., but the next guy may not be.
And so grandpa needs to become a network security expert to avoid getting sued. Right, "makes sense". ;)
This is not like not doing maintenance on your car. This is like buying a car with faulty airbags. The manufacturer needs to issue a recall and fix the darn thing - or else face legal action.
And here we go with what is malicious traffic.
Leaked news put the government in shame?
Copyrighted material transmission?
Code to raise the temperature of some heater?
> Like with cars
That's not the same thing at all. For a car to hurt somebody, the owner has to be actively using it, and doing so in a reckless or negligent manner; and furthermore, note that reckless operation of a car can hurt somebody even if the manufacturer built it perfectly. (if your car somehow did hurt somebody when nobody was using it, then the liability probably would belong to the manufacturer).
IoT devices are the exact opposite: they can cause harm when the owner has done nothing wrong, and they can only cause harm if the manufacturer screwed up and did not secure it properly.
All the liability belongs to the producer.
True, but then botnet owners would be using foreign IPs to do US attacks and vice versa. So you need punishments that you can actually enforce.
This makes a case for data caps or charging internet by usage which frankly nobody really likes. Maybe outbound caps for home users (if that's where a lot of the DDOS are coming from). The risk of getting shut off or a higher bill if you're transmitting too much data might make people start noticing and securing their devices.
Car owners are not liable if the car is designed to be dangerous and they don't know it.
Ok, then they should be liable for any damage their lack of maintenance causes. The cost of properly maintaining your product is nothing compared to the lost business and repair costs caused by these DDOS attacks.
Being a small company doesn't mean you should be able to ship a defective product that is guaranteed to eventually become part of a botnet.
Any evidence this is using the IoT botnet that was reported on earlier this year?
Mirai? With the source of that being public, there are probably quite a few Mirai botnets now.
These attacks are possible because the US Congress hasn't extended tort liability to manufacturers of software and network hardware. The full weight of the US products liability bar will quickly and rapidly motivate manufacturers to ship secure devices. The lack of accountability is enabling vulnerability.
Who is the "manufacturer" in the case of FOSS?
Whoever puts the FOSS on the device
The failing here, as in many cases such as a number of security breaches, was a lack of investment. Speaking as someone with an engineering degree who worked as a VLSI design engineer: good engineering requires *backup systems*. This costs money that people don't want to spend. In some cases such as a startup they might be cash short, but many firms have the money but don't want to spend it ensuring that they have well engineered software that includes backups, up-to-date software and security upgrades, hiring (expensive) highly competent software engineers and consulting firms.
The mistake in this case was relying on one vendor for DNS. Amazon Route 53 would be a good alternate vendor for DNS, for example.
I think even basic home routers these days, have enough cpu power to handle egress filtering.
If you have an iot device, by its nature it only needs to connect to a few services and hosts.
The manufacturer can provide this in their docs, and give an automatic config url that the router uses to load its egress rules.
The rules to load are displayed and the user checks they are legit by comparing to the printed version in the manual, then clicks ok. Or something like that.
Rate limits in terms of packets per second, total bandwidth both instantaneous and over time, are set also.
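The scheme above (manufacturer publishes the handful of hosts a device needs, the router loads them as egress rules, the user compares what is displayed against the printed manual, and per-device rate limits are applied) and the earlier suggestion of a simple per-device bandwidth cap can be sketched as one script. This is an added example, not from the thread and not from any router vendor. The manifest format, the device being identified by its LAN IP, the nftables table and chain names (`inet filter` / `iot_egress`), and the 16-hex-character fingerprint are all assumptions; the manifest itself is constructed.

```python
"""Turn a manufacturer egress manifest into per-device nftables rules.

Added example, not from the thread. Assumed manifest layout: an "allow"
list of (host, port, proto, purpose) plus per-device rate limits. The
fingerprint is what the user would compare against the printed manual.
"""
import hashlib
import json

# Constructed manifest, as a vendor might serve from its "config URL".
MANIFEST_JSON = """{
  "product": "ExampleCam 200",
  "allow": [
    {"host": "203.0.113.10", "port": 443, "proto": "tcp", "purpose": "cloud API"},
    {"host": "203.0.113.11", "port": 123, "proto": "udp", "purpose": "NTP"}
  ],
  "limits": {"kbytes_per_sec": 100, "packets_per_sec": 200}
}"""

WILDCARDS = {"0.0.0.0", "0.0.0.0/0", "*", "any", "::/0"}


def fingerprint(manifest_json):
    """Short hash of the canonical JSON; whitespace changes don't alter it,
    but any change to a host, port or limit does."""
    canon = json.dumps(json.loads(manifest_json), sort_keys=True,
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def validate_manifest(manifest_json):
    """Return a list of problems (empty means acceptable)."""
    problems = []
    try:
        m = json.loads(manifest_json)
    except ValueError as e:
        return [f"not valid JSON: {e}"]
    for r in m.get("allow", []):
        if r.get("proto") not in ("tcp", "udp"):
            problems.append(f"bad proto in {r}")
        if not isinstance(r.get("port"), int) or not 1 <= r["port"] <= 65535:
            problems.append(f"bad port in {r}")
        # An allowlist containing "anywhere" is not an allowlist.
        if r.get("host") in WILDCARDS:
            problems.append(f"wildcard destination in {r}")
    lim = m.get("limits", {})
    for key in ("kbytes_per_sec", "packets_per_sec"):
        if not isinstance(lim.get(key), int) or lim[key] <= 0:
            problems.append(f"missing or non-positive limit {key}")
    return problems


def build_rules(manifest_json, device_ip, chain="iot_egress"):
    """Emit nft commands for one device: rate limits first, then the
    allowlist, then a default deny so nothing else leaves the LAN."""
    problems = validate_manifest(manifest_json)
    if problems:
        raise ValueError("; ".join(problems))
    m = json.loads(manifest_json)
    base = f"add rule inet filter {chain} ip saddr {device_ip}"
    lim = m["limits"]
    rules = [
        f"{base} limit rate over {lim['packets_per_sec']}/second drop",
        f"{base} limit rate over {lim['kbytes_per_sec']} kbytes/second drop",
    ]
    for r in m["allow"]:
        rules.append(f"{base} ip daddr {r['host']} {r['proto']} dport {r['port']} "
                     f"accept comment \"{r['purpose']}\"")
    rules.append(f"{base} drop")
    return rules


if __name__ == "__main__":
    print("fingerprint (compare with manual):", fingerprint(MANIFEST_JSON))
    for rule in build_rules(MANIFEST_JSON, "192.168.1.50"):
        print(rule)
```

The rate-limit rules are placed before the accept rules so a compromised camera that floods its own legitimate cloud host is still capped, and the trailing drop means a device that later tries to reach a telnet scanner or an IRC server simply cannot. The fingerprint check is what keeps the vendor's URL from becoming a new attack surface: a manifest fetched over the network is only installed when its hash matches the one printed on paper.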
Not only East Coast, Twitter can't be resolved in Ireland/UK right now (I assume the mobile app uses some kind of 'dns pinning' as that is working)
> (I assume the mobile app uses some kind of 'dns pinning' as that is working)
The app was down for me until I switched my WiFi network to use OpenDNS. It's possible your phone has the DNS record cached, or it's using a different DNS server. (Is it on cellular?)
Hardcoding IPs into a mobile app typically isn't done because it makes changing your infrastructure extremely painful.
I love those comments about IoT and who should be responsible for error-proof products, or ISP monitoring traffic, or ...
Internet, in the beginning, was even more insecure. Including the computers and OSes. There was less abuse because few had resources and knowledge. Read some old software and you'll find all bad designs in it. Software didn't become worse, it's just targeted with more knowledge and intensity.
DNS is actually fairly centralized the way it is actually used.
We need protocols and systems that are designed to be distributed from the outset.
I always thought DNS had enough redundancy built-in that this sort of thing wouldn't really have much effect. But here I am unable to access websites, simply because name resolution isn't working. If my local DNS server were caching things longer there would largely be no issue.
Yeah, DNS entries are usually (or at least used to be) cached for what would seem like long enough, but I guess it doesn't really work the way it sounds. "a hierarchical decentralized naming system [that] provides distributed and fault tolerant service and was designed to avoid a single large central database" doesn't sound like it should be so fragile. Having single 'authoritative' servers for the sort of thing that should be inherently distributed sounds more like an Achilles heel.
Perhaps a naive question, but Why can't a DNS provider identify such participants in a DDOS and ban their IPs forever?
Because IP addresses are often shared resources. Your ISP gives each customer an IP address (often a temporary one), and then that customer's router system handles assigning private, local-network-only IP addresses to any devices connecting through the network.
So if a DNS provider starts banning public IPs (which are the only IPs it sees), you could end up with an entire college getting banned because of one hacked webcam in one student's dorm room.
Or someone in an apartment somewhere with (unknowingly) a hacked thermostat finds their internet no longer works (DNS provider has banned them), so they reboot their modem, which causes their ISP to provide them with a new IP address. Guess what happens to their old IP address? It goes back into the pool of available IPs that that ISP can assign to other customers, and more and more banned-from-DNS addresses keep getting passed along to innocent, un-hacked customers.
Yep. The effects of this can be seen when someone sets up a new e-mail server on an IP address they've just acquired, a.b.c.d, and -- as soon as they connect it to the Internet -- are unable to send outgoing e-mail because the IP has previously been blacklisted due to another user's actions.
Ah, (inter)networking 101. Thanks! Then, is there a way for the DNS providers to know the ultimate recipient at all? MAC address? (or does it get truncated at the lower levels and not passed over IP protocol?)
Nope. Assuming you have a router connecting your home network to your ISP, for example, the MAC addresses of your "internal" devices are not visible to the ISP. The only MAC address they see is the MAC address of your router's "WAN" interface.
The source/destination MAC addresses in an Ethernet frame (layer 2) are rewritten at every router (layer 3) hop. The original IP source/destination addresses in the IP packet, however, do not change (exception: NAT, which does exactly that).
Another problem -- in many (most?) DDoS attacks where UDP traffic is involved -- is that the source IP addresses are "spoofed". That is, IP packet that the victim receives says that it's coming from Alice but it really came from Bob. There are also "amplification" attacks, where an "innocent third-party" is used, unknowingly, to "help" perform the attack.
Did anyone else find the style of writing in this article really annoying? Things like prefacing statements with "so-called" or putting terms in quotes to make them seem suspect.
e.g.:
a so-called distributed denial-of-service (DDoS) attack
York said Dyn was “actively” dealing with a “third wave” of the attack.
I tend to assume that the larger publications use it in the underlying sense of "..as it is so called".
Not working, is bloomberg down too?
If you are unable to connect because of DNS problems, switch your DNS server to 8.8.8.8 (Google).
Edit: sorry there, this worked for me but apparently it's not guaranteed.
Didn't help me, heroku is still unreachable with DNS servers changed to 8.8.8.8 and 8.8.4.4.
Having good luck with opendns 208.67.222.222
They have other IPs as well, but that's what I'm using
I switched temporarily from those to Open DNS's 208.67.222.222 and things are working for now.
But, just to be clear, it's not Google's fault: 8.8.8.8 are not the authoritative name servers for the sites that are down. Rather, Dyn, the provider of the NS is down, and I presume Google (8.8.8.8) is correctly not returning any IP address because the underlying authoritative name server is not.
Presumably Open DNS is working because it's not abiding by the TTL it's supposed to? It's caching the underlying authoritative name server longer than it was told?
Yes, they call it "SmartCache": https://www.opendns.com/about/press-releases/opendns-introdu...
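To make the difference between the two resolver behaviours discussed above concrete (a strict resolver returning no answer once the cached record's TTL has expired and the authoritative server is unreachable, versus a resolver that keeps serving the stale record), here is an added simulation. It is example code written for this thread, not OpenDNS's or Google's implementation; the domain name, address, TTL and the `Authoritative` stub are constructed, and the "serve-stale" window is an assumed limit rather than any vendor's real setting.

```python
"""Simulated recursive-resolver cache: strict TTL expiry vs. serve-stale behaviour.

Constructed example. The authoritative server is a stub that can be flipped
to "unreachable" to stand in for an authoritative provider under DDoS.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class UpstreamUnreachable(Exception):
    """Raised when the authoritative server does not answer at all."""


@dataclass
class CacheEntry:
    address: str
    expires_at: float  # absolute simulated time at which the TTL runs out


@dataclass
class Answer:
    address: Optional[str]
    source: str  # "cache", "upstream", "stale" or "servfail"


class ResolverCache:
    """A minimal cache. With serve_stale=False it behaves like a strict resolver:
    once the TTL is gone and the authority is down, the client gets no address.
    With serve_stale=True an expired record is still returned (flagged "stale")
    for up to max_stale seconds past its expiry (assumed window, not a vendor value)."""

    def __init__(self, serve_stale: bool, max_stale: float = 86400.0):
        self.serve_stale = serve_stale
        self.max_stale = max_stale
        self.entries: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, upstream: Callable[[str], Tuple[str, int]], now: float) -> Answer:
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return Answer(entry.address, "cache")  # fresh: no upstream query needed
        try:
            address, ttl = upstream(name)
        except UpstreamUnreachable:
            if self.serve_stale and entry is not None and now < entry.expires_at + self.max_stale:
                return Answer(entry.address, "stale")  # expired, but better than nothing
            return Answer(None, "servfail")  # strict behaviour: report failure
        self.entries[name] = CacheEntry(address, now + ttl)
        return Answer(address, "upstream")


class Authoritative:
    """Constructed authoritative server: answers from a fixed table until taken down."""

    def __init__(self, records: Dict[str, Tuple[str, int]]):
        self.records = records
        self.available = True

    def __call__(self, name: str) -> Tuple[str, int]:
        if not self.available:
            raise UpstreamUnreachable(name)
        return self.records[name]


def simulate_outage() -> Dict[str, str]:
    """Walk both resolvers through a warm-up, then an authoritative outage."""
    auth = Authoritative({"example.test.": ("192.0.2.10", 300)})  # constructed record, TTL 300s
    strict = ResolverCache(serve_stale=False)
    lenient = ResolverCache(serve_stale=True)
    results: Dict[str, str] = {}

    t = 0.0  # both resolvers populate their caches while the authority is healthy
    results["strict_warm"] = strict.resolve("example.test.", auth, t).source
    results["lenient_warm"] = lenient.resolve("example.test.", auth, t).source

    auth.available = False  # the authoritative provider goes dark

    t = 100.0  # still inside the TTL: both answer from cache, nobody notices
    results["strict_in_ttl"] = strict.resolve("example.test.", auth, t).source
    results["lenient_in_ttl"] = lenient.resolve("example.test.", auth, t).source

    t = 600.0  # TTL expired, authority still down: the behaviours diverge
    results["strict_after_ttl"] = strict.resolve("example.test.", auth, t).source
    results["lenient_after_ttl"] = lenient.resolve("example.test.", auth, t).source
    return results


if __name__ == "__main__":
    for step, outcome in simulate_outage().items():
        print(f"{step:18s} -> {outcome}")
```

The strict resolver is not broken; it is refusing to assert an address it can no longer verify. The trade-off on the lenient side is that a record which legitimately changed during the outage (a site moving IPs, a revoked host) keeps being served from the stale copy until the authority is reachable again, so the stale flag is worth surfacing in resolver logs rather than hidden.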
That didn't help me this morning. Switching to OpenDNS worked for Github but not for Twitter.
I had to move my DNS servers off google today to get twitter to load.
That would resolve neither python.org nor cpan.org this morning.
I'm suggesting this just so someone more knowledgeable can debunk it. Suppose FBI or someone up there had a meeting and said "in three weeks, there could be millions of armed Americans who believe that democracy was just stolen from them by some evil dictator in a massive globalist conspiracy. These people love twitter. Is there a way to make twitter go down without making it look like we're suddenly pulling the plug?" The answer was yes, we'll do a test run Friday.
I'll bite.
It would take a lot longer than a couple of hours of twitter being down for that to have a useful effect. For something as major as the presidential election result, it would probably take minimum a week before people got bored and moved on to a different topic.
So this kind of attack that only takes something out for a few hours would have no useful effect for an actor that wants to prevent people from discussing a recent event.
IMHO, it would be hard in general to take out a service run by a serious IT organization (of which there are admittedly few, by my definition of serious) for more than a few days unless the attacker carried out non-trivial physical damage (e.g., bombing multiple datacenters, murdering multiple system administrators, etc.) or managed to somehow destroy enough backups (which in a serious IT shop should be hard, as there should be some offline cold backups that require physical human activity to destroy).
Sure, it wouldn't work for an extended time. I'm just thinking that in an unpredictable situation, a few hours might be all you need to defuse it. For example, suppose someone claims they have evidence of some crazy shit happening at the polling places, and the only thing that can be done is for Patriots to seize the equipment at the polling places before the globalists can cover their tracks.
Why do a test run at all? So that every security expert is on edge when it does happen?
... Perhaps if you try to argue that they did it in order to make sure everyone was on edge for the election... but even then it makes very little sense.
If the government wanted to shut them down, it would likely be easier for them to just get a judge to issue an order (an NSL, perhaps?) to Twitter's upstream Internet providers to cut off their service.
Do you really think of twitter as the center of right-wing lunacy?