[HN Gopher] Nine-year-old kids are launching DDoS attacks agains...
___________________________________________________________________
Nine-year-old kids are launching DDoS attacks against schools
Author : caaqil
Score : 89 points
Date : 2022-01-19 15:45 UTC (7 hours ago)
(HTM) web link (www.bitdefender.com)
(TXT) w3m dump (www.bitdefender.com)
| NikolaeVarius wrote:
| Good old remembering the days of LOIC.
| nisegami wrote:
| >The initiative being rolled out by the NCA to over 2,000 primary
| and secondary schools in the UK, ahead of going live at further
| schools and colleges across the country, will see students who
| search for terms associated with cybercrime greeted with an
| access denied "block page."
|
| Because telling adolescents that they aren't allowed to learn
| about something has an astounding success rate.
| Quillbert182 wrote:
| I'm sure kids searching for DDoS tools have never heard about
| VPNs.
| nisegami wrote:
| Knowing what little I do about the UK government, I expect
| "VPN" to be considered a term "associated with cybercrime" as
| well.
| maccard wrote:
| You're not too far off; this [0] is a UK government
| sponsored campaign right now
|
| [0] https://noplacetohide.org.uk/
| 908B64B197 wrote:
| This has to be a joke.
| maccard wrote:
| I really wish it was, but no. It's a "grassroots"
| campaign, supported by the UK government, using
| statistics from the US. It's really pretty unbelievable
| belter wrote:
| Sadly no: https://news.ycombinator.com/item?id=29978952
| joshstrange wrote:
| Back in 2006 in high school I carried an external hard drive
| with a clean macOS install on it. I'd boot that and I had a
| SOCKS proxy setup (before I knew of VPNs or could pay for one).
| It was a joy to browse unimpeded and without any annoying
| management software running. I can only imagine what kids are
| doing nowadays.
| blacksmith_tb wrote:
| I would think most kids today do their circumventing by BYOD?
| Not that it would be bad for them to learn about using VPNs and
| TOR on their phones...
| james-redwood wrote:
| I recently gave my enterprising son a Tails USB after
| learning about his school's ridiculous blocking policies. The
| only condition was that he should sit with me for a few
| minutes each evening for me to teach him on a conceptual
| level how things like an OS, BIOS, Tor, etc work.
| vondur wrote:
| I would hope most school computers would be set to not
| allow non IT staff to boot from external devices.
| irrational wrote:
| Seriously. My corporation has made it impossible for us
| to use USB sticks, external hard drives, etc. on company
| computers. Well, if you go before a panel and prove why
| you need one, they will give you a hardened one that you
| can use. But you really have to have a good excuse.
| gen3 wrote:
| Back in highschool I had an old USB drive with a Linux
| install, it worked fine. I also had a copy of tor
| browser, so I could watch YouTube. Good times. I learned
| quite a bit about networking and windows security.
| tharne wrote:
| > Because telling adolescents that they aren't allowed to learn
| about something has an astounding success rate.
|
| It's got an amazing success rate; at motivating them to learn
| the exact thing you don't want them to.
| dathinab wrote:
| So in other words, schools' cyber security is garbage?
| sp332 wrote:
| A simple DDoS isn't a cyber security issue.
| dathinab wrote:
| It is an issue.
|
| As it means that your service is interrupted.
|
| Which in pandemic times can mean your teaching or tests might
| be interrupted.
|
| Or just your ability to pass in your homework.
|
| Or to know if your class is cancelled/shifted to remote.
|
| Etc.
| sp332 wrote:
| Ok but improving their cyber security practices isn't going
| to solve it. _Maybe_ they could identify the person
| responsible.
| namelessoracle wrote:
| Complaining about someone not having good cyber security due to
| ddos is odd.
|
| It's like saying someone should have "invested in home security
| and better locks" when someone chops your door down with an
| axe.
|
| Like yeah you COULD have bought a solid metal door (and door
| frame) but that's not a normal ask for most people.
| bediger4000 wrote:
| One of my kids would organize DOS of particular teachers. The
| teacher had to use a Mac/PC to control the classroom projector.
| Everyone had "fing" on their phones or tablets. Some fraction of
| the class would use "fing" to ping the teacher's laptop, shutting
| down use of the projector. This was at least 7 years ago.
|
| I'll also note that there was one kid who always knew the
| firewall's password, within a few days of it changing. Never did
| figure out how that kid knew it so rapidly.
| tharne wrote:
| > I'll also note that there was one kid who always knew the
| firewall's password, within a few days of it changing. Never
| did figure out how that kid knew it so rapidly.
|
| $20 says that kid installed a keystroke logger.
| edrxty wrote:
| Did the same thing in high school hijacking the remote
| management software to log into machines and mess with
| people.
|
| The password was stored in plaintext in the config file on
| every machine. They kept changing it but couldn't figure out
| how we'd instantly find the new one.
| yumraj wrote:
| Is it just me that found it interesting that they chose the image
| of a black kid for a DDOS/cyber crime story?
|
| It would have been nicer if they had shown a bunch of kids of all
| races.
|
| Note: I'm not black myself, just found that curious.
| theknock23 wrote:
| Your attitude appears more discriminating to me than the fact
| that they chose the image of a black kid.
|
| I bet you wouldn't have commented if they showed a white kid. So
| why does it matter to you if they show a black or a white kid?
| Why does it make a difference to you?
| yumraj wrote:
| > I bet you wouldn't have commented if they showed a white
| kid. So why does it matter to you if they show a black or a
| white kid? Why does it make a difference to you?
|
| That's an easy answer - majority vs minority.
|
| If you show an image of a person from the majority then
| obviously it makes no difference. However, if you single out
| a minority, any minority, it seems like an obvious statement.
| foxbarrington wrote:
| > One theory is that youngsters can fall into denial-of-service
| attacks by firstly playing online games, and then falling into
| installing mods, hacks, and even remote access trojans to get the
| upper hand on their gaming rivals.
|
| I don't think online games and mods are the gateway drug to a
| life of crime.
| detaro wrote:
| early notice about log4j was as a tool to attack rival
| minecraft servers. Trying to get IPs of and then DDoSing
| competitors in online games has a long history. etc. pp. Gaming
| communities absolutely are one path to these things.
| alach11 wrote:
| I first encountered scripting DDOSing, rainbow tables, and
| other sketchy content while playing (and cheating at)
| RuneScape.
| contravariant wrote:
| Launching a DDoS on a school website isn't exactly a "life of
| crime" either. In my mind it's about as malicious as egging a
| school building. Yet I don't see anyone calling for stricter
| regulations on eggs.
|
| Those trojans sound iffy, but the article is somewhat light on
| details.
|
| Personally I'd say we just leave kids free to do stupid shit,
| berate them for doing it and hope they learn something useful
| from it.
| dfxm12 wrote:
| Ah yes, put all the blame on the curious 9 year old, and none on the
| professionals paid to design and run the software...
|
| I get that this is technically against the letter of the law, but
| I think the NCA's stance that this will lead to a life of crime
| is a gross overreaction. Investing more in the software would
| probably be a better use of resources anyway.
|
| ETA: Also, invest more in the kids! Likely, they're interested in
| programming and they have no way to learn about it except by
| becoming script kiddies. Don't tell them "NO!", offer CS classes
| or some such. I think I was lucky my high school offered AP
| computer science in this regard.
| raxxorrax wrote:
| I am firmly rooting for the kids here.
| Rastonbury wrote:
| Reminds me of a reddit post where someone emailed a zip bomb to
| his teacher as a prank, took some system down, got charged with
| hacking and is now banned from accessing government computers in
| Canada.
| tharne wrote:
| I wish we'd take cyber attacks from the Russians and Chinese as
| seriously as we take pranks done by kids and bored teenagers.
| 908B64B197 wrote:
| Meanwhile:
| https://www.bloomberg.com/news/features/2020-07-01/did-china...
|
| And the Canadian government did nothing. Better to spend
| dollars going to court against kids I suppose.
| mhb wrote:
| Like the teachers' union.
| adolph wrote:
| The case studies make minor hacking sound like a job application.
|
| _After hacking the school IT systems Sam came to the attention
| of the police. As part of their engagement with the police, it
| was decided that Sam would benefit from education on the law
| through the Cyber Choices programme. They really engaged with the
| programme so they were offered work experience with a
| cybersecurity organisation. Whilst there they learnt how their
| skills could be put to good use and the type of damage their
| behaviour could have caused. At the end, Sam was offered a paid
| contract for 4 hours a week during the school term and up to 8
| hours a week in school holidays._
|
| https://nationalcrimeagency.gov.uk/what-we-do/crime-threats/...
| cue_the_strings wrote:
| _Hacking_ in some form (essentially being a script kiddie) isn't
| that difficult for a kid, especially if there is something to
| gain - bragging rights at least.
|
| We got internet when I was 9. By the time I was 11 in the early
| 2000s, I was a full-blown script kiddie, scouring
| astalavista.box.sk for tools and scripts to hack anything that I
| could. I'd also hang on IRC. I thought hacking was the coolest
| thing ever, and took any opportunity to access anything forbidden
| or leave a silly signature anywhere. I didn't discriminate. It
| didn't matter that I had zero connection with any of these
| websites and services I 'hacked', I thought I was so cool.
|
| Most of the stuff I did was simply following the instructions /
| tutorials, mostly _Google dorking_ for strings in php files and
| using documented exploits. I never succeeded in any sort of
| targeted attack, and I lived in such a shithole that nothing
| important was online at the time, anyway. All of this was
| extremely low impact.
|
| The only thing even remotely impressive about any of this was
| that I initially had very poor control of English. I was using a
| primitive, non-phraseological dictionary all the time, and
| somehow understood enough to actually apply some of the tutorials
| I read. People don't give kids enough credit for their
| determination and persistence, and kids have so much free time
| to learn whatever they set their mind to.
| maccard wrote:
| > discovered that the number of Distributed Denial of Service
| (DDoS) attacks launched against school networks and websites has
| more than doubled from 2019 to 2020.
|
| "More than doubled" could be from 1 in 2019 to 3 in 2020. The
| "study" that it links to [0] doesn't mention how many there were
| in 2019 or 2020. I'm really curious how many there actually were
| to roll this out nationwide in primary and secondary schools?
|
| [0] https://www.nationalcrimeagency.gov.uk/news/rise-in-school-c...
| rob_c wrote:
| the embarrassment here is that the education system can't
| mitigate against an attack so basic a 9yo can launch it, this
| isn't some targeted l7 flood from a huge botnet
| adolph wrote:
| From 1983 popular media, "War Games":
|
| _David Lightman, a bright but unmotivated Seattle high school
| student and hacker, uses his IMSAI 8080 computer to access the
| school district's computer system and change his grades. He does
| the same for his friend and classmate Jennifer Mack._
|
| https://en.wikipedia.org/wiki/WarGames
| CWuestefeld wrote:
| It seems like those entities that are supposed to be protecting
| our security, are investing more of their resources into finding
| ways to monitor people in hopes of detecting that they're trying
| to do bad things. Working on helping to actually harden our
| network infrastructure takes a back seat.
| Overtonwindow wrote:
| When I was 9 years old I discovered bulletin board systems, and
| The Cuckoos Egg. Dare I say, the headline made me shake my head
| and smile...
| PragmaticPulp wrote:
| I don't know. I grew up in the earlier era of internet mischief
| as well, but things are very different today.
|
| Back then, if a school's website went down (for whatever
| reason) it had basically zero impact on anything. Schools were
| offline-first and the website was basically a side project.
|
| Now, everything revolves around the internet and websites. A
| school's website going down could be a big deal for a large
| number of people, including interfering with the education of
| 100s or 1000s of students, as well as disrupting the lives of
| all of the parents who have to work around the disruptions.
|
| A DDoS is never really okay or cool, but I'd say that the
| disruptions are much worse in 2022 than they were in the days
| when the internet was a novelty.
| raxxorrax wrote:
| We mostly used ARP poisoning from inside the network. They
| never found out and we quickly could just disable the whole
| network of the school if we wanted to. What fun would that be
| today with all the remote schooling? Nope, we are not going to
| do a test today...
| JoeAltmaier wrote:
| It's similar to vandalism. To keep kids from messing around other
| places we lock the gate etc. These software systems are not
| locked.
|
| Expect curious kids to try lots of things and push the limits.
| They do it all the time. In the overwhelming number of kids it
| does not lead to a life of crime.
|
| My takeaway: Time to lock the gates.
| RF_Savage wrote:
| What gate do you lock to prevent a DDoS attack from saturating
| your network connection?
| JoeAltmaier wrote:
| The one everybody else uses
| the_only_law wrote:
| Heh, good luck. Large corporations with much more incentive to
| "lock the gates" seem to be unable or unwilling to do so.
| teeray wrote:
| We finally have a remote learning equivalent of pulling the fire
| alarm to get out of class
| supperburg wrote:
| A bit unrelated but I'm so tired of fake intellectual stuff like
| this. Once you recognize it you see it everywhere. A bunch of
| "intellectuals" who don't really do anything more than collect a
| bunch of stories like this -- not because they are intellectually
| interesting or because they are a part of some larger scholarly
| effort but simply because they are silly/contrarian. If the point
| of the work can be summed up in a meme headline then it's just
| noise. That's 99% of what passes through here and the rest of the
| internet.
|
| What it means to be a scholar is to engage in those things that
| are not supported at all by hardware acceleration in the brain
| but yield fruit at the end of the day. This is what separates
| scholars from everyone else, the scholars are so excited by the
| idea and the vision at the end of that boring tunnel that they
| can withstand the tedium. But the rest of us like to giggle at 9
| year olds ddosing a school. Wow, how did they even do that?
| Amazing!
|
| It's so embarrassing to see someone whose whole model of the
| world is basically built out of surprising/clickbait headlines
| cobbled together... which is almost invariably a kind of teenage
| angst dystopian version of the world.
| bArray wrote:
| On the other hand, the schools should be thankful that some 9
| year old children are exploiting their system rather than some
| state actor or the like. The 9 year old is unlikely to really do
| much damage, whereas the experienced hacker could do much worse.
|
| In reality, the school systems are likely just really old/awful
| and need to be updated with some basic protections before
| something bad does happen. The school children should be
| encouraged to perform responsible disclosure and to request
| permission before testing something.
| horsawlarway wrote:
| They aren't really exploiting the system in any meaningful or
| clever way.
|
| This is akin to ripping down all the posters in the hallway.
| It's not a thing to be thankful for - it's a thing assholes do.
| kbuck wrote:
| A DDoS attack is not a security exploit. DDoS attacks overload
| internet connections to knock websites and users offline. There
| is nothing particularly technically exotic about them (most
| people are launching them with a cheap "booter" account that
| consists of a webpage with a "target" entry field and a "start
| attack" button).
|
| The only "solution" for DDoS attacks is to buy a dedicated DDoS
| protection service or upgrade your bandwidth to the point that
| the strength of the attack cannot saturate it. This is very
| expensive and isn't where schools should be spending their
| money.
| 908B64B197 wrote:
| > There is nothing particularly technically exotic about them
|
| Nor is their mitigation.
|
| I honestly wouldn't brag online about my software being
| vulnerable to... 9-year-old script kiddies!
| goatsi wrote:
| The software has nothing to do with it, the "vulnerability"
| is that they probably have a 1Gbps port that is getting
| 5Gbps of reflected UDP thrown at it. I'd love to see your
| software mitigation for that.
| willcipriano wrote:
| Have a connection broker on another IP address that you
| authenticate against prior to getting connection details
| for the real system. Rotate the IP addresses the real
| system uses every couple of days. Let brokered
| connections live for 48 hours so the DDOS attack has to
| last that long to do anything. If the real system gets
| attacked, drop that IP and pick up a new one, noting what
| users received that IP address as they are potentially
| the attacker.
|
| Not perfect but it would probably stop these kids.
| goatsi wrote:
| Unless the connection broker has more bandwidth than the
| server, the attack will just take it out instead, still
| denying access to the site. Either it doesn't work or
| it's just adding more bandwidth with extra steps. Your
| solution might help people already connected to the
| server, but anyone else is still out of luck.
| willcipriano wrote:
| It will help anyone who connected to the server within 48
| hours, it will also eventually reveal who is responsible
| for the attacks to some degree. This won't work if anyone
| on the internet can make an account, but this situation is
| a finite group of people that you can eliminate.
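
The elimination idea in the connection-broker comments above, as an added example that is not part of the thread or any poster's code: it models only the bookkeeping (who was told which backend address), not bandwidth, address lifetimes, or the broker's own exposure. The class, user names and 203.0.113.x addresses are constructed, and the attacker is assumed to flood only the address it was personally given.

```python
"""Bookkeeping for a connection broker that narrows down who leaked a backend address."""

# Constructed sample data: documentation-range addresses and made-up user names.
ADDRESSES = [f"203.0.113.{n}" for n in range(1, 11)]
USERS = ["amy", "bob", "cat", "dan", "eve", "fay", "gus", "hal"]


class ConnectionBroker:
    def __init__(self, addresses, users, groups=2):
        self.free = list(addresses)   # backend addresses not yet handed out
        self.users_by_ip = {}         # live address -> users who were told about it
        self.suspects = set(users)    # nobody is ruled out before the first attack
        self._spread(sorted(users), groups)

    def _spread(self, users, groups):
        """Hand `users` out round-robin over up to `groups` fresh addresses."""
        groups = min(groups, len(users), len(self.free))
        if users and groups == 0:
            raise RuntimeError("address pool exhausted")
        ips = [self.free.pop(0) for _ in range(groups)]
        for ip in ips:
            self.users_by_ip[ip] = set()
        for i, user in enumerate(users):
            self.users_by_ip[ips[i % groups]].add(user)

    def lookup(self, user):
        """Return the backend address an authenticated user is given."""
        for ip, members in self.users_by_ip.items():
            if user in members:
                return ip
        raise KeyError(user)

    def report_attack(self, ip, groups=2):
        """Retire an attacked address and keep only users who knew it as suspects."""
        exposed = self.users_by_ip.pop(ip)
        self.suspects &= exposed
        # Split the exposed users over fresh addresses so the next attack
        # separates them further; users on other addresses are untouched.
        self._spread(sorted(exposed), groups)
        return set(self.suspects)


def simulate(attacker, users=USERS, addresses=ADDRESSES):
    """Attacker always floods the address it was given; count rounds to isolate it."""
    broker = ConnectionBroker(addresses, users)
    rounds = 0
    while len(broker.suspects) > 1:
        broker.report_attack(broker.lookup(attacker))
        rounds += 1
    return broker.suspects, rounds


if __name__ == "__main__":
    print(simulate("eve"))
```

With eight users split two ways, three attacked addresses are enough to leave a single suspect, while users on the untouched address keep their connection details throughout.
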
| brimble wrote:
| You know how everyone complains about much of the web being
| behind CloudFlare and their captchas?
|
| The fact that it _is not_ easy or cheap to mitigate DDOS on
| your own, while it's become surprisingly cheap and easy to
| _launch_ such attacks, is much of the reason for that.
|
| Most of the Web that's not megacorp owned or behind
| CloudFlare (or similar) only isn't constantly falling over
| because it's _not being targeted_, not because defending
| against DDOS is super-easy and cheap and so they're all
| well-protected.
| rubatuga wrote:
| The solution is to optimize your code and have rate limiting
| TYMorningCoffee wrote:
| What if the request rate exceeds the capacity of the
| network, before the rate limiter is even invoked?
| crtasm wrote:
| When your network bandwidth is overloaded with traffic that
| isn't going to make a difference.
| stevenicr wrote:
| While those things may be good and may be helpful to a
| degree - the solution is generally to move your dns and
| pipes to the internet to a provider that can handle a
| larger spike in traffic - things like cloudflare and
| specialty ddos hosting center may be necessary - unless
| it's a short and cheap ddos - like a 30 minute attack -
| then just wait it out.
|
| A decent ddos attack, even ones that you can buy for 20
| dollars on the clearnet, is going to overwhelm the most
| optimized code base since it will disrupt most of the
| average data centers, regardless of the rate limiting that
| you try to make happen on the box itself.
|
| at least in my experiences and from the things I was forced
| to learn on the fly for some time.
| ransom1538 wrote:
| When I set up my kid to do DDOS -- first things first, you need
| good fiber.
| musicale wrote:
| Perhaps we should thank the script kiddies for irrefutably
| demonstrating that current networking and computing practices
| (and systems) are a house of cards.
|
| Perhaps we should abandon some of the operations, engineering,
| and design practices that created said house of cards.
|
| It's also rather amazing that there is apparently no warranty for
| clearly defective software, computing, or networking products and
| services, and that customers have no remedy when they are harmed
| by those defects.
| jinseokim wrote:
| Technology evolved, and we faced a change: Now it's easy to
| commit a crime through the internet!
|
| We teach kids "you should not steal" but not "you should not
| launch DDoS." I think the latter should be equally educated.
| krageon wrote:
| The former is probably harmful, the latter is probably just a
| blip on some giant vendor's radar. Those things are not equal.
| maccard wrote:
| > the latter is probably just a blip on some giant vendor's
| radar.
|
| As the person who has been woken up at 3am by a "giant
| vendor" (read: my employer, who was not giant, but would be
| considered a "giant vendor" by a 15 year old), it pretty much
| ruined my week when it happened to me.
| Cycl0ps wrote:
| >But it's not just a warning for those who search for "stresser"
| and "booter" services which provide an easy way to launch a DDoS
| attack against a school's network.
|
| I love articles that warn about the dangers of doing something
| while also providing a helpful starting point for those just now
| realizing that this was an option.
| pwdisswordfish9 wrote:
| Clickbait title. I hoped for an actual story of a nine-year-old
| kid who pulled this off.
___________________________________________________________________
(page generated 2022-01-19 23:02 UTC)