DDoS Botnet Aisuru Blankets US ISPs in Record DDoS

Why ISPs Don’t Aggressively Block Botnet Traffic at the Source

  • Several commenters argue there’s little direct economic incentive: outbound DDoS traffic often doesn’t hurt the ISP as much as it hurts others, and mitigation costs money and risks angering customers.
  • Many residential networks are heavily asymmetric (much more inbound than outbound), so there’s often “room” for large outbound attacks before the ISP feels pain.
  • Abuse handling is labor‑intensive: building convincing reports and coordinating with remote networks is seen as not worth the effort compared to just mitigating inbound traffic.
  • Only now, with multi‑terabit outbound attacks from residential networks, are some ISPs reportedly starting to feel operational pain and consider more serious outbound controls.
  • Some examples exist (e.g., ISPs that quarantine users via captive portals), showing it’s possible but not widespread.

How End Users and Routers Could Help

  • Suggestions: ISPs cut off or rate‑limit compromised customers, routers snapshot per‑device traffic before disconnection, and users hire local services to locate infected devices.
  • Power users note there’s no simple, mainstream way to know if they’re in a botnet; proposals include router‑level monitoring, Pi‑hole DNS anomaly checks, jailed/guest LANs, and better traffic graphs (e.g., OPNsense, IPFire).
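The “Pi‑hole DNS anomaly check” idea above can be made concrete with a small pass over the resolver’s query log. The following is an added example, not code from the discussion or from the Pi‑hole project: it parses dnsmasq‑style query lines (the format Pi‑hole’s `pihole.log` uses), tallies queries, distinct names and per‑minute peak per client, and flags clients that burst or that resolve an unusually high share of distinct names. The log lines are constructed, and the thresholds (`max_per_window`, `min_unique_ratio`, etc.) are illustrative assumptions to be tuned against a real home network.

```python
"""Per-client DNS anomaly check over dnsmasq / Pi-hole style query log lines."""
import re
from collections import defaultdict
from datetime import datetime

# dnsmasq (and therefore Pi-hole's pihole.log) writes query lines like:
#   Nov 13 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.50
# Only query lines carry the client address, so only those are parsed.
QUERY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(lines, year=2025):
    """Return (epoch_seconds, client, name) for every query line.

    dnsmasq omits the year, so the caller supplies it (assumed 2025 here);
    forwarded/reply/cached lines are skipped because they name no client."""
    records = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        records.append((int(ts.timestamp()), m["client"], m["name"].lower()))
    return records


def client_stats(records, window=60):
    """Per client: total queries, distinct names, and the busiest `window`-second bucket."""
    per_client = defaultdict(lambda: {"queries": 0, "names": set(), "buckets": defaultdict(int)})
    for ts, client, name in records:
        s = per_client[client]
        s["queries"] += 1
        s["names"].add(name)
        s["buckets"][ts // window] += 1
    return {
        c: {"queries": s["queries"], "unique": len(s["names"]), "peak": max(s["buckets"].values())}
        for c, s in per_client.items()
    }


def flag_clients(stats, max_per_window=60, min_queries=20, min_unique_ratio=0.8):
    """Flag a client that bursts past `max_per_window` queries in one bucket, or that
    resolves mostly distinct names once it has issued at least `min_queries` lookups.
    A chatty device hitting one name repeatedly (a heartbeat) trips neither rule."""
    flagged = []
    for client, s in sorted(stats.items()):
        burst = s["peak"] >= max_per_window
        spread = s["queries"] >= min_queries and s["unique"] / s["queries"] >= min_unique_ratio
        if burst or spread:
            flagged.append(client)
    return flagged


# Constructed sample log (not real traffic): a laptop, a chatty-but-benign
# thermostat, and a camera that wakes up and resolves 80 different names in a minute.
SAMPLE_LOG = (
    [f"Nov 13 10:0{i}:15 dnsmasq[1234]: query[A] mail.example.com from 192.168.1.50" for i in range(6)]
    + ["Nov 13 10:03:40 dnsmasq[1234]: query[AAAA] www.example.org from 192.168.1.50"]
    + [f"Nov 13 10:05:{3 * i:02d} dnsmasq[1234]: query[A] api.thermo.example from 192.168.1.60"
       for i in range(20)]
    + [f"Nov 13 10:07:{i % 60:02d} dnsmasq[1234]: query[A] host{i}.example.net from 192.168.1.77"
       for i in range(80)]
    + ["Nov 13 10:07:05 dnsmasq[1234]: forwarded host5.example.net to 192.0.2.53"]  # ignored
)

if __name__ == "__main__":
    stats = client_stats(parse_queries(SAMPLE_LOG))
    for client, s in sorted(stats.items()):
        print(client, s)
    print("review:", flag_clients(stats))
```

Pointing `parse_queries` at a real `pihole.log` is a matter of `open()`ing the file; the two rules are deliberately coarse, and a flagged client is a candidate to inspect on the router’s traffic graph, not a verdict.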

IoT Insecurity and Regulation Proposals

  • Many see insecure IoT as the core problem: devices re‑infect “within minutes” after reboot. Some say such products are defective and should effectively become bricks; others insist vendors should be forced to patch and support them.
  • Policy ideas:
    • Mandatory recalls for devices participating in DDoS, with strong manufacturer liability.
    • Hard caps on IoT outbound bandwidth (e.g., 10 Mbps) unless explicitly justified.
    • No default passwords, secure onboarding flows, signed firmware, long‑term updates, and possibly ISP‑mandated routers that filter DDoS traffic.
  • Critics warn this risks over‑lockdown, erosion of software freedom (signed‑only ecosystems), and black‑market imports; some prefer periodic DDoS to a “highly regulated internet.”

IPv6, CGNAT, and Blocking Strategies

  • One camp argues widespread IPv6 would let operators block individual compromised addresses or /64s instead of entire CGNAT ranges, making botnet suppression easier and restoring end‑to‑end connectivity.
  • Others with DDoS experience say IPv6 doesn’t fundamentally change the problem: attackers can control large prefixes; defenders still end up blocking bigger ranges, risking collateral damage.
  • There are also privacy concerns around IPv6 address stability, and questions about what business incentives ISPs actually have to deploy IPv6.
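Both camps in the IPv6 debate above can be checked with a small model. The following is an added example, not from the discussion: it maps observed attack sources onto the unit an operator can block (an assumed per‑subscriber /64 for IPv6, a single shared public address under CGNAT), collapses those into a blocklist, and counts how many infected versus clean subscribers that blocklist actually hits. An `escalate` step then models the counterpoint, a policy (assumed here) of widening to the parent /48 once several /64s under it are attacking, which is where the collateral damage comes back. Subscriber data and addresses are constructed from documentation ranges.

```python
"""Blocking granularity: per-subscriber IPv6 /64s versus a shared CGNAT address."""
import ipaddress
from collections import Counter


def subscriber_prefix(addr, v6_len=64):
    """Map an attacking address onto the blockable unit.

    Assumption: each IPv6 subscriber holds a /64; under IPv4 CGNAT the only
    visible unit is the shared public address, so it stays a /32."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ipaddress.ip_network(f"{ip}/{v6_len}", strict=False)
    return ipaddress.ip_network(f"{ip}/32")


def blocklist(sources, v6_len=64):
    """Collapse attacking sources into the minimal list of prefixes to block."""
    nets = {subscriber_prefix(a, v6_len) for a in sources}
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def escalate(blocks, parent_len=48, threshold=3):
    """Model the 'block a bigger range' fallback: when at least `threshold` blocked
    IPv6 prefixes share one parent prefix, block the parent instead (assumed policy)."""
    groups, parents = Counter(), {}
    for b in blocks:
        if b.version == 6 and b.prefixlen > parent_len:
            p = b.supernet(new_prefix=parent_len)
            groups[p] += 1
            parents[b] = p
    out = {parents[b] if b in parents and groups[parents[b]] >= threshold else b for b in blocks}
    return sorted(out, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def collateral(blocks, subscribers):
    """subscribers: {id: (public address, infected)} -> (blocked infected, blocked clean)."""
    hit_infected = hit_clean = 0
    for _sid, (addr, infected) in subscribers.items():
        ip = ipaddress.ip_address(addr)
        if any(ip.version == b.version and ip in b for b in blocks):
            if infected:
                hit_infected += 1
            else:
                hit_clean += 1
    return hit_infected, hit_clean


def make_subscribers(infected, v6, count=200):
    """Constructed subscriber base: 200 homes. Under CGNAT they all share 203.0.113.10;
    under IPv6 home i owns 2001:db8:0:<i>::/64 and is seen from some address inside it."""
    subs = {}
    for i in range(count):
        addr = f"2001:db8:0:{i:x}::1" if v6 else "203.0.113.10"
        subs[i] = (addr, i in infected)
    return subs


if __name__ == "__main__":
    # Two infected homes (5 and 132). CGNAT: one public address carries both, plus 198 others.
    print("CGNAT:", collateral(blocklist(["203.0.113.10"]), make_subscribers({5, 132}, v6=False)))
    # IPv6: attack seen from two addresses in home 5's /64 and one in home 132's.
    v6_blocks = blocklist(["2001:db8:0:5::a1b2", "2001:db8:0:5::77ff", "2001:db8:0:84::1"])
    print("IPv6 /64s:", v6_blocks, collateral(v6_blocks, make_subscribers({5, 132}, v6=True)))
    # Five infected homes spread across the same /48: the escalation policy widens the block.
    wide = blocklist([f"2001:db8:0:{i:x}::beef" for i in (5, 9, 42, 132, 177)])
    print("escalated:", escalate(wide),
          collateral(escalate(wide), make_subscribers({5, 9, 42, 132, 177}, v6=True)))
```

The numbers make the two positions concrete: one CGNAT address hits 2 infected and 198 clean homes, the /64 blocklist hits exactly the 2 infected ones, and the moment the operator falls back to the /48 the clean count climbs back up.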

Attack Scale and DDoS Mitigation Market

  • Commenters note a jump from ~5 Tbps to nearly 30 Tbps in about a year, overwhelming many DDoS mitigation providers and some traditional hosts (Hetzner and OVH are mentioned as seeing issues).
  • Smaller/cheaper mitigation providers are reportedly struggling; large players with huge edge capacity (e.g., Cloudflare, possibly a few others) appear to cope better, raising concerns that serious protection may become affordable only at high monthly cost.
  • Some are surprised that the dominant strategy is “absorb and scrub” rather than blocking near sources; others mention cooperative schemes (like shared routing/flowspec blackholing) but doubt broad ISP participation.

Bandwidth, Hardware, and Botnet Power

  • Contributors link the new scale of attacks to:
    • Widespread FTTH with high upstream (1–2 Gbps) in some regions.
    • Cheap SoCs capable of saturating gigabit links and generating high‑rate traffic.
    • CGNAT making it hard to block individual compromised users without impacting many others.
  • There’s debate over how common symmetric gigabit really is; some say it’s routine on fiber, others call it rare outside specific markets.

Targets and Motives (Minecraft, Games, Extortion)

  • Many attacks reportedly focus on Minecraft and other online games.
  • Hypotheses: extortion (“buy DDoS protection or stay down”), emotional players paying to knock out rivals, or low‑profile targets that avoid attention from law enforcement and big security teams.
  • Some note the engineering challenge of building very large botnets, but acknowledge diminishing returns once they’re already huge.

Governance, Freedom, and “Authoritarian” Risks

  • A visible thread worries that every major DDoS incident will be used to justify tighter control over networking, devices, and software.
  • Speculative comments suggest that powerful intermediaries (e.g., CDNs, DDoS vendors) benefit from a threat landscape that drives everyone onto their platforms, prompting suspicion about incentives.

User‑Level Concerns and Practicalities

  • Some ask for concrete tools to detect compromised devices at home; responses mostly mention router graphs, separate VLANs/guest networks, and ISP usage meters (with skepticism about what ISPs actually share).
  • Others suggest simple baseline rules: no remote login for IoT outside the local network, mandatory guest networks/proxies, and default network isolation for untrusted devices.
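The “router graphs” and baseline rules in the two bullets above reduce to a few checks over per‑device flow accounting, which most of the routers named earlier can export. The following is an added example, not from the discussion or any router project: it takes constructed flow records for one minute, totals each LAN device’s traffic to and from the outside, and reports a device that exceeds an outbound cap (using the 10 Mbps figure from the policy bullet as an illustrative value), a device whose traffic is upload‑dominated when it should mostly download, a connection from outside the LAN that reaches the IoT segment, and an IoT device touching a trusted LAN host. The LAN and IoT VLAN ranges and all addresses are assumptions drawn from private and documentation ranges.

```python
"""Per-device outbound and isolation checks over constructed router flow records."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/16")        # assumption: the whole home LAN
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")  # assumption: isolated IoT segment

# Constructed flow records (not real traffic):
# (start_s, end_s, src, dst, dport, bytes_src_to_dst, bytes_dst_to_src)
FLOWS = [
    (0, 60, "192.168.1.30", "198.51.100.20", 443, 2_000_000, 600_000_000),  # TV streaming: inbound-heavy
    (0, 60, "192.168.1.50", "198.51.100.40", 443, 800_000, 4_000_000),      # laptop browsing
    (0, 60, "192.168.20.15", "198.51.100.7", 80, 120_000_000, 40_000),      # camera pushing 120 MB out
    (10, 12, "203.0.113.9", "192.168.20.15", 23, 1_200, 800),               # outside host reaching camera
    (30, 31, "192.168.20.15", "192.168.1.10", 445, 900, 300),               # camera touching the NAS
]


def device_totals(flows, lan=LAN, iot=IOT_VLAN):
    """Per LAN device: bytes sent to / received from outside the LAN, plus isolation hits."""
    out_b, in_b, hits = defaultdict(int), defaultdict(int), []
    for _start, _end, src, dst, dport, b_fwd, b_rev in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in lan and d not in lan:                     # device-initiated, outbound
            out_b[src] += b_fwd
            in_b[src] += b_rev
        elif d in lan and s not in lan:                   # initiated from the outside
            out_b[dst] += b_rev
            in_b[dst] += b_fwd
            if d in iot:
                hits.append((dst, f"inbound connection from outside the LAN to port {dport}"))
        elif s in iot and d in lan and d not in iot:      # IoT crossing into the trusted segment
            hits.append((src, f"IoT device reached trusted LAN host {dst}:{dport}"))
    return out_b, in_b, hits


def review(flows, window_s=60, cap_mbps=10.0, max_ratio=20.0, min_out_bytes=5_000_000):
    """Return sorted (device, reason) findings. `cap_mbps` mirrors the 10 Mbps IoT cap
    floated in the discussion; `max_ratio` and `min_out_bytes` are illustrative
    assumptions so that a small upload does not trip the ratio rule."""
    out_b, in_b, findings = device_totals(flows)
    for dev in sorted(set(out_b) | set(in_b)):
        mbps = out_b[dev] * 8 / window_s / 1e6
        if mbps > cap_mbps:
            findings.append((dev, f"outbound {mbps:.1f} Mbit/s exceeds {cap_mbps} Mbit/s cap"))
        if out_b[dev] >= min_out_bytes and out_b[dev] > max_ratio * max(in_b[dev], 1):
            findings.append((dev, "upload-dominated traffic on a device expected to mostly download"))
    return sorted(findings)


if __name__ == "__main__":
    for device, reason in review(FLOWS):
        print(f"{device}: {reason}")
```

The TV moves far more data than the camera but in the inbound direction, so it stays clean; the camera trips every rule, which is the pattern the guest‑network and isolation suggestions are meant to contain even before anyone notices the graph.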

Responsibility and Liability

  • Strong calls appear for:
    • Regulating ISPs to detect, alert, and disconnect compromised customers.
    • Regulating device makers and retail/logistics platforms so insecure or noncompliant devices can’t be sold.
    • Potential tort liability for harm caused by grossly insecure devices.
  • Counterpoints emphasize cost to consumers, dead vendors (no one left to patch), and the risk that over‑broad rules would also hit general‑purpose computers or encourage locked‑down “appliance” designs.