Hacker News
by JayNeely 3525 days ago
Because IP addresses are often shared resources. Your ISP gives each customer an IP address (often a temporary one), and then that customer's router system handles assigning private, local-network-only IP addresses to any devices connecting through the network.

So if a DNS provider starts banning public IPs (which are the only IPs it sees), you could end up with an entire college getting banned because of one hacked webcam in one student's dorm room.

Or someone in an apartment somewhere with (unknowingly) a hacked thermostat finds their internet no longer works (DNS provider has banned them), so they reboot their modem, which causes their ISP to provide them with a new IP address. Guess what happens to their old IP address? It goes back into the pool of available IPs that that ISP can assign to other customers, and more and more banned-from-DNS addresses keep getting passed along to innocent, un-hacked customers.

2 comments
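The two effects the comment above describes can be modelled in a few dozen lines. The following is an added example, not code from the thread: a source NAT that rewrites every private (address, port) to one public address, a DNS provider that bans by the only address it sees, and a FIFO address pool at the ISP that hands a released (and still banned) address to the next customer. All addresses and device names are constructed for the illustration.

```python
"""Simulation (added example, not part of the original thread) of why a
DNS provider that blocks by source IP hits everyone behind a NAT, and why
the ban travels with a recycled DHCP address. Addresses are constructed
from documentation ranges."""
from collections import deque
from itertools import count


class NatRouter:
    """Source NAT: rewrites (private_ip, port) -> (public_ip, mapped_port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.ports = count(40000)
        self.table = {}  # (private_ip, private_port) -> public port

    def outbound(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = next(self.ports)
        return self.public_ip, self.table[key]


class DnsProvider:
    """Resolver that bans abusive *source* addresses, the only identity it sees."""

    def __init__(self):
        self.banned = set()

    def query(self, src_ip, src_port, name):
        if src_ip in self.banned:
            return None          # dropped / REFUSED
        return "93.184.216.34"   # constructed answer for any name

    def report_abuse(self, src_ip):
        self.banned.add(src_ip)


def devices_without_dns(nat, dns, devices):
    """Return the private hosts that can no longer resolve names."""
    broken = []
    for private_ip, private_port in devices:
        pub_ip, pub_port = nat.outbound(private_ip, private_port)
        if dns.query(pub_ip, pub_port, "example.com") is None:
            broken.append(private_ip)
    return broken


def college_scenario():
    """One hacked webcam (10.0.0.99) behind the campus NAT gets the shared
    public address banned; every other dorm device loses DNS with it."""
    nat = NatRouter("198.51.100.7")
    dns = DnsProvider()
    devices = [("10.0.0.21", 51000), ("10.0.0.22", 51001), ("10.0.0.99", 51002)]
    webcam_pub_ip, _ = nat.outbound("10.0.0.99", 51002)
    dns.report_abuse(webcam_pub_ip)
    return devices_without_dns(nat, dns, devices)


class IspDhcpPool:
    """FIFO pool: a released address goes to the back of the queue and is
    handed out again to whoever asks once the queue cycles round."""

    def __init__(self, addresses):
        self.free = deque(addresses)
        self.leases = {}  # customer -> ip

    def lease(self, customer):
        ip = self.free.popleft()
        self.leases[customer] = ip
        return ip

    def release(self, customer):
        self.free.append(self.leases.pop(customer))


def ban_follows_recycled_address():
    """Hacked thermostat -> public IP banned -> modem reboot -> address
    recycled to an innocent customer. Returns (newcomer's ip, is_banned)."""
    pool = IspDhcpPool(["203.0.113.10", "203.0.113.11"])
    dns = DnsProvider()
    apt_ip = pool.lease("apartment")
    dns.report_abuse(apt_ip)              # thermostat behind apt_ip misbehaves
    pool.release("apartment")             # customer reboots the modem
    pool.lease("apartment")               # gets the other free address (.11)
    newcomer_ip = pool.lease("newcomer")  # next lease is the recycled .10
    return newcomer_ip, dns.query(newcomer_ip, 40000, "example.com") is None


if __name__ == "__main__":
    print("dorm devices without DNS:", college_scenario())
    print("newcomer address, banned:", ban_follows_recycled_address())
```

The NAT table is the key point: the provider has no way to map the mapped port back to a private host, so the smallest unit it can block is the whole public address.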

Yep. The effects of this can be seen when someone sets up a new e-mail server on an IP address they've just acquired, a.b.c.d, and -- as soon as they connect it to the Internet -- are unable to send outgoing e-mail because the IP has previously been blacklisted due to another user's actions.
Ah, (inter)networking 101. Thanks! Then, is there a way for the DNS providers to know the ultimate recipient at all? MAC address? (or does it get truncated at the lower levels and not passed over IP protocol?)
Nope. Assuming you have a router connecting your home network to your ISP, for example, the MAC addresses of your "internal" devices are not visible to the ISP. The only MAC address they see is the MAC address of your router's "WAN" interface.

The source/destination MAC addresses in an Ethernet frame (layer 2) are rewritten at every router (layer 3) hop. The original IP source/destination addresses in the IP packet, however, do not change (exception: NAT, which does exactly that).

Another problem -- in many (most?) DDoS attacks where UDP traffic is involved -- is that the source IP addresses are "spoofed". That is, the IP packet that the victim receives says that it's coming from Alice but it really came from Bob. There are also "amplification" attacks, where an "innocent third-party" is used, unknowingly, to "help" perform the attack.
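The spoofing point is easy to see at the byte level: the IPv4 source address is just a field the sender fills in, and nothing in the header authenticates it. The following is an added example, not code from the thread: it builds a raw IPv4/UDP datagram with a forged source, decodes it as the receiving stack would (which is all an open resolver used for reflection does before replying to the forged address), and applies the kind of source-prefix check an ISP can run at its edge to drop such packets. Nothing is put on the wire; addresses are constructed from documentation ranges, and the `reflection_request` / `ingress_filter` helpers are names chosen here for illustration.

```python
"""Added example (not from the original thread): forge an IPv4/UDP
datagram's source address, parse it as a victim or reflector would, and
check it against the sending customer's prefix. No packets are sent."""
import ipaddress
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, dscp, len, id, flags/frag, ttl, proto, csum, src, dst


def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Build a datagram with whatever source address the caller asks for."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload  # 0 = no UDP checksum
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + udp_len, 0x1234, 0, 64,
                      socket.IPPROTO_UDP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + udp


def victim_view(pkt):
    """Decode the headers the way the receiving host's stack does."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto,
        "src_port": src_port, "dst_port": dst_port,
        "payload": pkt[ihl + 8:ihl + udp_len],
    }


def reflection_request(victim_ip, reflector_ip, query):
    """Bob forges Alice (the victim) as the source and sends a DNS query to an
    open resolver; the resolver's (larger) reply goes to Alice, not Bob."""
    return build_ipv4_udp(victim_ip, reflector_ip, 33333, 53, query)


def reply_goes_to(pkt):
    """Where a reflector will answer: the forged source address."""
    return victim_view(pkt)["src"]


def ingress_filter(pkt, customer_prefix):
    """Edge check (added mitigation, not discussed in the thread): accept a
    packet from a customer port only if its source lies in that customer's
    assigned prefix. Spoofed sources fail this and are dropped."""
    src = ipaddress.ip_address(victim_view(pkt)["src"])
    return src in ipaddress.ip_network(customer_prefix)


if __name__ == "__main__":
    # Constructed DNS query header + question "example.com A" for the demo.
    query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
    pkt = reflection_request("192.0.2.10", "203.0.113.53", query)
    print("resolver will reply to:", reply_goes_to(pkt))
    print("passes ingress filter for 198.51.100.0/24:",
          ingress_filter(pkt, "198.51.100.0/24"))
```

The `ingress_filter` check is the only line that distinguishes Bob from Alice, and it can only be applied by the network that knows which prefix Bob was assigned; by the time the packet reaches the reflector or the victim, that information is gone.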