←back to thread

Man who built ISP instead of paying Comcast $50K expands to hundreds of homes

(arstechnica.com)
1135 points carride | 3 comments | 10 Aug 22 13:23 UTC | HN request time: 0.672s | source
Show context
Octoth0rpe ◴[10 Aug 22 13:45 UTC] No.32411808[source]
A couple of fun facts about this guy:

His little ISP is AS267, which is a SHOCKINGLY low number. That's like.. the ISP equiv of a 4 digit slashdot id, or owning something like sodapop.com.

He's also one of the authors of RFC 5575, which is a pretty big deal in the DDoS world.

replies(6): >>32411871 #>>32412016 #>>32412338 #>>32412975 #>>32413877 #>>32415482 #
upupandup ◴[10 Aug 22 14:15 UTC] No.32412338[source]
can somebody ELI5? what is this code mean? what is RFC 5575?
replies(4): >>32412400 #>>32412415 #>>32412501 #>>32412541 #
1. Octoth0rpe ◴[10 Aug 22 14:27 UTC] No.32412541[source]
RFC 5575 is a widely adopted specification implemented by router vendors that lets ISPs (think Comcast, Verizon, Deutsche Telekom, Akamai) block certain kinds of traffic at their routers using rules called "Flow Specifications". A rule looks _something_ like "Drop traffic if it's on Port 80 and its packet size is 252 bits". That level of logic is good enough to block many simple DDoS attacks, and since it's done on a router, it's hardware that the ISP has to buy anyway. The more expensive / but also more powerful solution usually involves a dedicated piece of hardware that does packet inspection.
replies(1): >>32414962 #
2. daniel-cussen ◴[10 Aug 22 16:47 UTC] No.32414962[source]
Yeah FPGA's are marketed for packet inspection. Like on xilinx.com, and microsemi.com, they talk about radar and military, defense, on top of AI and fintech. It's just really hard to market FPGA's, it's such a shiny toy but then it never ends up actually selling in volume, like GPUs, there's envy of that success. Especially because in many ways F's have merits that go toe-to-toe with GPU, and defeat them in eg latency, which is why Wall Street prefers F's to GPU's. Just not enough killer apps.

And packet inspection is a good fit for F's [FPGA's] by their very nature, DDoS's are squirrely and ASICs get stale, you need to reprogram you F's on the fly to catch that attack in-progress. So to adapt to new attacks on the fly, or update based on new fashions of DDoS's, patch vulnerabilities, and plus they're harder to reverse-engineer than ASICs, they're strong against that, good crypto to protect the bitstreams that define them. Basically built for that. ASICs on the other hand, can just have the lid scraped, take a photo, done. (Though to some extent they do put functionality on memory that gets lost if the chip is turned off during abduction, that can be done, the line between F's and ASICs is not truly that sharp).

A lot of DDoS's are done by state-sponsored or -affiliated or -harbored adversaries, capturing the ASIC that stops the DDoS is a real thing. Reverse engineering usually happens in another country, another jurisdiction. Under smiling eyes, blind eyes, can't get the police to go there, can't get extradition, maybe sue, maybe get them punished within the country that harbors them.[1]

[1] I read in China there was a Chinese man who traveled to New Zealand and murdered somebody, I think a woman. But he would not be extradited. Instead, the New Zealanders presented their evidence in Chinese court, which found it had merit and credibility enough to imprison the murder, within China, so he paid for his crimes fully. All without extraditing one of their own.

replies(1): >>32415262 #
3. Octoth0rpe ◴[10 Aug 22 17:05 UTC] No.32415262[source]
Amidst all the discussion of fpga vs asic vs flowspec, it's probably worth distinguishing two types of attacks: big, dumb volumetric ddos (flow specifications are great and cheap here, if you can match), and more sophisticated layer 5/6/7 attacks where FPGA/packet inspectors are likely necessary (unless you get lucky and the supposedly smart attack has an obvious signature such as a particular packet length combined with other components)