

Two record DDoSes disclosed this week underscore their growing menace




Distributed denial-of-service attacks—those floods of junk traffic that criminals use to disrupt or completely take down websites and services—have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there’s evidence that DDoSes, as they’re usually called, are growing more potent, with two record-breaking attacks coming to light in the past week.

DDoS operators hack thousands, hundreds of thousands, and in some cases millions of Internet-connected devices and harness their bandwidth and processing power. The attackers use these ill-gotten resources to bombard sites with torrents of data packets with the goal of taking the targets down. More advanced attackers magnify their firepower by bouncing the malicious traffic off of third-party services that in some cases can amplify it by a factor of 51,000, a feat that, at least theoretically, allows a single home computer with a 100 megabit-per-second upload capacity to deliver a once-unimaginable 5 terabits per second of traffic.

These types of DDoSes are known as volumetric attacks. The objective is to use machines distributed across the Internet to send orders of magnitude more traffic volume to a circuit than it can handle. A second class, known as packet-per-second attacks, forces machines to bombard network gear or applications inside the target’s data center with more data packets than they can process, regardless of how few bytes each packet carries. The objective in both types of attack is the same: with network or processing capacity fully consumed, legitimate users can no longer reach the target’s resources, resulting in a denial of service.

Hugely disproportionate negative impacts

DDoS attacks have grown increasingly powerful over the past two decades. The ones a 15-year-old Canadian used in 2000 to take down Yahoo and ETrade measured in the hundreds of megabits per second, roughly comparable to many of today’s home broadband connections but enough at the time to clog the sites’ pipelines and completely block legitimate connections.

By 2011, attackers had pushed DDoSes into the tens of gigabits per second. Record attacks reached 300 Gbps, 1.1 Tbps, and 1.7 Tbps in 2013, 2016, and 2018 respectively. While less common, packet-per-second attacks have followed a similar upward trajectory.

The race upward is showing no signs of slowing. Last week, Amazon reported that its AWS Shield DDoS mitigation service went head-to-head with a 2.3 Tbps attack, a 35-percent increase over the 2018 record. Meanwhile, network provider Akamai said on Thursday that its Prolexic service repelled a DDoS that generated 809 million packets per second. That’s a 35-percent increase over what’s believed to be the previous high-water mark, a 600 million packet-per-second DDoS that Roland Dobbins, principal engineer at competing mitigation service Netscout Arbor, said his company handled.

“We anticipate continued innovation in the area of DDoS attack vectors due to the various financial, ideological, and social motivations of attackers,” Dobbins told me. “DDoS attacks allow attackers to have a hugely disproportionate negative impact on both the intended targets of attacks, as well as uninvolved bystanders.”

Amplifying firepower

One of the more recent innovations DDoSers have hit upon is exploiting misconfigured servers running CLDAP, short for Connectionless Lightweight Directory Access Protocol. A UDP-based variant of the LDAP standard that Microsoft’s Active Directory domain controllers answer on port 389, the mechanism uses User Datagram Protocol packets, which require no connection handshake, to query and retrieve data from Microsoft servers.

While CLDAP should be reachable only from inside a network, Dobbins said that Netscout has identified some 330,000 servers that have the mechanism exposed to the Internet at large. Attackers have seized on this mass blunder. Because UDP never verifies who sent a packet, an attacker can send the misconfigured servers small CLDAP requests whose source address is forged to be the target’s; the servers then unwittingly bombard the target with responses that are 50 or more times bigger than the requests that triggered them.

“It’s frequently administrative sloppiness that allows this attack to exist,” Roger Barranco, vice president of global security operations at Akamai, said. He added that locking down network ports such as 389 and installing patches will generally prevent a server from being abused this way.

In the past, DDoSers abused servers running other widely used protocols that had been misconfigured. When not set up correctly, memcached, a database caching system for speeding up websites and networks, can amplify DDoSes by an unthinkable factor of 51,000, an innovation that powered the 2018 record of 1.7 Tbps. Four years earlier, attackers abused the Network Time Protocol that servers rely on to keep clocks synchronized across the Internet. The technique, which magnifies junk traffic roughly 19-fold, led to the 2014 DDoSes that took down servers for League of Legends and other online game services.
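The amplification mechanism described above, and the CLDAP, memcached, and NTP reflectors named in this section, leave a recognizable signature on the victim's side of the wire: a flood of UDP responses arriving from well-known service ports on many distinct servers that the victim never queried. The following Python script is an added example written for this article, not code from Akamai, Netscout, AWS, or any other party mentioned. Its flow-record format, IP addresses, the 512-byte packet-size threshold, and the per-protocol amplification factors are constructed or assumed for illustration; the factors are the figures the article cites, not measured values.

```python
# Added example (not code from Akamai, Netscout or AWS): flag UDP
# reflection/amplification floods in flow records. Record format, IPs and
# amplification factors are constructed/assumed for illustration.
from collections import defaultdict, namedtuple

# Reflector services by UDP source port with the bandwidth amplification
# factors (response bytes per request byte) the article cites. Assumed
# typical values; real factors depend on the abused server's configuration.
REFLECTOR_FACTORS = {389: ("CLDAP", 50.0), 123: ("NTP", 19.0), 11211: ("memcached", 51000.0)}

Flow = namedtuple("Flow", "ts proto src_ip src_port dst_ip dst_port nbytes npackets")

def parse_flow(line):
    """Parse '<ts> <proto> <src_ip>:<src_port> > <dst_ip>:<dst_port> <bytes> <packets>'."""
    ts, proto, src, arrow, dst, nbytes, npackets = line.split()
    if arrow != ">":
        raise ValueError("malformed flow record: %r" % line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(float(ts), proto.upper(), src_ip, int(src_port),
                dst_ip, int(dst_port), int(nbytes), int(npackets))

def analyze(flow_text, min_reflectors=3):
    """Return {victim_ip: summary} for hosts that receive unsolicited
    responses from at least min_reflectors distinct reflector servers."""
    flows = [parse_flow(l) for l in flow_text.splitlines() if l.strip()]
    # A reflected response is one the destination never asked for. Remember
    # every (client, server, port) query to a reflector port so genuine
    # answers (a client querying its own domain controller) are not flagged.
    solicited = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows
                 if f.proto == "UDP" and f.dst_port in REFLECTOR_FACTORS}
    victims = defaultdict(lambda: {"reflectors": defaultdict(set), "bytes": 0, "packets": 0,
                                   "first": None, "last": None, "attacker_bytes": 0.0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_FACTORS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in solicited:
            continue  # normal answer to a query the destination sent itself
        name, factor = REFLECTOR_FACTORS[f.src_port]
        v = victims[f.dst_ip]
        v["reflectors"][name].add(f.src_ip)
        v["bytes"] += f.nbytes
        v["packets"] += f.npackets
        v["attacker_bytes"] += f.nbytes / factor  # spoofed query bytes needed
        v["first"] = f.ts if v["first"] is None else min(v["first"], f.ts)
        v["last"] = f.ts if v["last"] is None else max(v["last"], f.ts)
    report = {}
    for ip, v in victims.items():
        n_reflectors = sum(len(s) for s in v["reflectors"].values())
        if n_reflectors < min_reflectors:
            continue
        span = max(v["last"] - v["first"], 1.0)  # floor at 1 s for single-sample bursts
        avg_pkt = v["bytes"] / v["packets"]
        report[ip] = {
            "services": {k: len(s) for k, s in v["reflectors"].items()},
            "reflectors": n_reflectors,
            "bps": v["bytes"] * 8 / span,
            "pps": v["packets"] / span,
            "avg_packet_bytes": avg_pkt,
            # Big packets saturate links (volumetric); small ones exhaust
            # per-packet processing in network gear (packet-rate attack).
            "kind": "volumetric" if avg_pkt >= 512 else "packet-rate",
            "attacker_bytes": v["attacker_bytes"],
            "amplification": v["bytes"] / v["attacker_bytes"],
        }
    return report

# Constructed sample: four CLDAP and two memcached reflectors answer queries
# 203.0.113.10 never sent; 10.0.0.4 legitimately queries its domain
# controller 10.0.0.2 on UDP 389 and must not be flagged.
SAMPLE_FLOWS = """\
1000.0 UDP 198.51.100.7:389 > 203.0.113.10:41022 3000 2
1000.0 UDP 198.51.100.8:389 > 203.0.113.10:41022 2900 2
1000.5 UDP 198.51.100.9:389 > 203.0.113.10:41022 3100 2
1001.0 UDP 198.51.100.10:389 > 203.0.113.10:41022 2800 2
1001.0 UDP 192.0.2.5:11211 > 203.0.113.10:80 1400000 1000
1002.0 UDP 192.0.2.6:11211 > 203.0.113.10:80 1400000 1000
1000.0 UDP 10.0.0.4:50011 > 10.0.0.2:389 60 1
1000.1 UDP 10.0.0.2:389 > 10.0.0.4:50011 2800 2
1001.0 TCP 203.0.113.50:44321 > 203.0.113.10:443 5200 12
"""

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_FLOWS).items():
        print("%s: %s, %.1f Mbit/s, %.0f pkt/s, %d reflectors %s, ~%.0f bytes of "
              "spoofed queries (x%.0f amplification)" % (ip, r["kind"], r["bps"] / 1e6,
              r["pps"], r["reflectors"], r["services"], r["attacker_bytes"], r["amplification"]))
```

In a real deployment the records would come from NetFlow or IPFIX exports rather than an inline string, and the "solicited" check would need the same export to see both directions of traffic. The attacker_bytes figure is the point of the exercise: it shows how few bytes of forged queries an attacker must send to produce the response volume the victim sees, which is why a modest uplink is enough once reflectors with a large factor are in play.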

Usually, when misconfigurations of widely used protocols or services are abused en masse, Internet watchdogs will push administrators to clean them up. When admins finally do, attackers find new ways to increase their firepower. The cycle continues.

A growth in bots threatens gamers, banks, and you

Besides seizing on amplification methods, the growing size of DDoSes is the result of attackers taking control of an ever-growing number of devices. Whereas Windows and later Linux computers were once the sole domain of the botnets that sent targets junk traffic, the mushrooming number of routers, Internet-connected cameras, and other so-called Internet of Things devices have now become active participants as well.

In Thursday’s report, Akamai said that 96 percent of the IP addresses used to deliver the record 809 million packets-per-second DDoS over the weekend had never been observed before. The growing number of compromised IoT devices is likely fueling that increase.

Among the most common DDoS targets are online game players and the companies, platforms, and broadband ISPs they use. Rivalries between gamers are one motivation. Another objective is to disrupt the flow of large amounts of money that’s often wagered in gaming.

Financial institutions, government agencies, political advocacy organizations, and retailers are also frequent marks, often by hacktivists motivated by ideology. DDoSers sometimes strike so they can demand ransoms to stop the attacks. Other times, DDoSers attack out of plain meanness.

The intended targets aren’t the only ones who suffer the adverse effects of DDoSes. Once-unimaginable data storms can overwhelm ISP peering connections, DNS servers, and other infrastructure that everyday people and businesses rely on to shop, send email, and do other important tasks.

“The collateral damage footprint of DDoS attacks is often far larger than the impact on the intended targets,” Dobbins said. “Suffice it to say that far more uninvolved people and organizations often have their activities disrupted by the collateral damage of DDoS attacks than those who are the actual targets of these attacks.”



YouTube flags horror video as “for kids,” won’t let creator change rating



YouTube thinks the dark and creepy “Local58TV” series is for kids.

Google’s wonderful content moderation bots are at it again. After previously doing things like including suicide instructions in a children’s video, and the whole Elsagate problem, YouTube is now flagging a horror video as “for kids.” Worst of all, this is against the creator’s wishes. The video was previously flagged as for ages 18 and up, and YouTube decided it was for kids and won’t let the creator restore its content rating.

The video in question is from the horror series Local58TV. The creator, Kris Straub, checked his account over the weekend to find that his not-for-kids content had been spotted by YouTube’s content moderation AI and automatically marked for kids.

“For kids” in this context means Google has flagged the video for inclusion in the “YouTube Kids” app, which is a separate interface for YouTube that is supposed to show only a “safe,” curated slice of YouTube. The “Kids” flag also means the video is forced to comply with the US Children’s Online Privacy Protection Act (COPPA), so comments are turned off.

Local58TV has millions of views across its nine videos and is famous enough to have a Wikipedia page. The channel’s about page describes itself as “ANALOG HORROR AT 476 MHz. Unsettling shorts in the found footage/VHS aesthetic from Kris Straub.” The channel’s most popular video, “Contingency,” is a faux public service announcement from the “US Department for the Preservation of American Dignity.” The message, set to an ultra-creepy rendition of The Star-Spangled Banner, declares that America has lost the war and was forced to surrender. Before the occupiers arrive though, you can “take America with you” by murder/suiciding your family. The video continues with instructions. This is obviously not the type of channel that is for kids!

YouTube, this title does not mean what you think it means.

YouTube doesn’t get the Local58TV vibe, though. It automatically flagged one episode, titled “Show For Children,” as for children. You can see how an AI bot might get its wires crossed from that title, but the description immediately says “Not for Children,” and the creator, Straub, originally set the video’s age rating as “18+” when it was uploaded.

The episode is a black-and-white cartoon in which a cute cartoon skeleton wanders around a graveyard looking for a cute cartoon girlfriend skeleton, only to find horrifying, more realistic skeletons and other creatures in the open graves. At the end of the video, seemingly from depression, the cute skeleton lies down in a grave and dies, turning into a realistic skeleton. The cartoon is something an AI bot might not understand, but a human could immediately tell the unsettling video is not kid-friendly. YouTube is certainly not hurting for money, having done $28.8 billion in revenue last year, but it does not hire a significant number of human moderators.

YouTube not only flagged a video explicitly marked as “inappropriate for kids” as “made for kids,” it also won’t let the creator change it back. The video’s content is now labeled “Made for kids (set by YouTube),” and Straub is forced to file an appeal with YouTube to get the video’s age rating corrected.

Even if you’re using robots for moderation, it doesn’t make a ton of sense for YouTube to be in this position. For every single video upload, YouTube asks if a video is kid-friendly or not. Since YouTube already has this data, it’s not clear why it would ever try to automatically categorize videos, especially by lowering an age rating that was explicitly set as “adults only.” For something as delicate and subjective as whether or not certain content should be viewed by a kid, it seems like Google should be erring on the side of caution.

🎵 One of these things is not like the others! One of these things doesn’t belong! 🎵

At press time, Straub went public with the issue 20 hours ago and it hasn’t been resolved. The “Team YouTube” Twitter account said it was “looking into” the complaint nine hours ago. You can tell the video is still flagged for children due to the disabled comments section and the “Try YouTube Kids!” ad at the bottom. You also only get suggestions for other “kids” content, which, at a glance, does not appear to feature as much death as the usual Local58TV content.



IDC: “All eyes will be on Apple” as Meta’s VR strategy “isn’t sustainable”



The Oculus Quest 2.

A recent media release from market research firm IDC predicts that Meta (the parent company of Facebook) may not be able to compete in the mixed-reality business in the long run if its strategy remains unchanged.

The media release offers a bird’s-eye view of the virtual reality hardware marketplace. In the release, IDC research manager Jitesh Ubrani said that, while “Meta continues to pour dollars into developing the metaverse, [the company’s] strategy of promoting low-cost hardware at the expense of profitability isn’t sustainable in the long run.”

A similar concern was raised by tech industry analyst Ming-Chi Kuo late last month. Kuo predicted that Meta would make moves to scale down investment in virtual reality, creating an opening for Apple and other competitors. He also wrote that Meta’s practice of selling VR headsets at a loss is unsustainable.

Currently, Meta owns 90 percent of the VR headset market, according to the IDC release. In distant second is ByteDance’s Pico, at just 4.5 percent. Overall, VR headset shipments jumped 241.6 percent year over year in the first quarter of 2022. But the industry faced significant supply issues in Q1 2021, contributing to “a favorable comparison” for this year’s Q1.

Like Kuo a couple of weeks ago, IDC research director Ramon Llamas said that “all eyes will be on Apple as it launches its first headset next year.” Apple’s headset is expected to be much more expensive than Meta’s offerings, driving up the average unit price for the product category across the board, and Llamas believes Apple’s offering “will appeal primarily to a small audience of early adopters and Apple fans.”

In other words, don’t expect the first Apple headset to ship vastly more units than Meta’s Oculus Quest 2 right out of the gate. It’s just a first step in a long-term plan to own the mixed-reality market. As several reports over the past couple of years have noted, that plan will ultimately involve low-cost AR glasses and other products that will seek to broaden the user base for mixed-reality hardware.

Apple and Meta are not the only companies working on mass-market mixed-reality hardware products. We reported in April that Amazon posted several job listings soliciting candidates who can help the company build an “advanced” AR/VR product. And in December, we learned from job listings that Google plans to build a new augmented-reality device and operating system.



How to turn off Gmail’s new sidebar (and other ways to deal with New Gmail)



The new desktop Gmail design started rolling out this weekend. If you use the default theme, you’ll know it has arrived when your entire Gmail interface turns blue. Gmail’s new design first entered an opt-in preview in February, and after gathering feedback and fixing a few things, Google is pushing the design out to everyone. Everyone dislikes Gmail changes, so let’s talk about what’s different and how to turn it back.

A few things have changed between now and the February preview. The most striking change is the all-blue color scheme. Google’s blog post says: “You’ll notice the new navigation now features Material You, our updated, fresh look and feel for your Google apps.” “Material You” launched with Android 12 as a color-coordinated theming system that matched your OS color scheme with your wallpaper. There’s no color-matching with Gmail’s “Material You,” though, just the blue color scheme.

Gmail still has a theme system, so you can change the color to whatever you want. Click on the settings gear in the top right and then under the “theme” section, click “view all.” The background closest to Old Gmail is the solid “soft grey” background option. To truly match the Old Gmail background, you would want “white,” but that’s not an option. (You can also pick from your Google Photos collection via a “my photos” link at the bottom, and I tried uploading a solid-white background, but trying to apply it only brings up an error message). This “theme” screen is also where you can apply Gmail’s weirdly hidden dark mode: Just pick the black background option, and everything will switch over to light text on a dark background.

The other change you might want to make involves fixing our biggest complaint with New Gmail: that new, giant sidebar. Google has long had the strategy of shoving whatever new products it wants to promote into Gmail, and the new Gmail design comes with a big, full-height sidebar featuring only four icons: one for Gmail, two for Google Chat (Google’s latest messaging app), and one for Google Meet (Google’s version of Zoom meetings). Gmail already has a sidebar, but this new design adds a second sidebar, which feels like a big banner ad for Google’s other communication apps. Thankfully, in between the February preview and this on-by-default rollout, Google apparently listened to feedback and added the option to turn off the sidebar.

This new “no-sidebar” option isn’t very obvious, but you can kill the Gmail sidebar by turning off Google Chat and Google Meet. Just head to the settings gear, then the “Customize” link under “Chat and Meet.” Un-tick both checkboxes, and the sidebar will disappear, allowing you to reclaim a lot of screen real estate. It’s strange that New Gmail works this way when Old Gmail put Gmail controls, Google Chat, and Google Meet all in a single, adjustable sidebar, but that’s what Google chose to do.

Turning off the two-sidebar layout not only makes New Gmail look a lot more like Old Gmail—it also makes the regular Gmail sidebar work the way it used to. With the two-sidebar layout, clicking the hamburger button to collapse the sidebar only shows the app switcher and not any of the Gmail controls—you see links for Google Chat and Google Meet instead of “Inbox,” “Stars,” “Spam,” etc. When you turn off Google Chat and Meet, though, collapsing the Gmail sidebar once again shows Gmail controls inside Gmail! Huzzah.

If you really don’t like the new Gmail, you still can, for at least a little while longer, opt out of the new design. Click the settings gear, and you should still see a “Go back to the original view” option. This won’t last forever, though, and you’ll have to get used to New Gmail eventually. The original version was rough, but Google seems to have listened to the complaints about the second sidebar. If you tick the right settings boxes, you’ll see that there is no longer much difference between New Gmail and Old Gmail.

