by Kye 1696 days ago
More protection at the OS and ISP level. ISPs can isolate nodes that become part of botnets, and operating systems increasingly remove the avenues malicious actors use to cause trouble. Microsoft's push for hardware security is justly controversial, but the move to TPM by default in Windows 11 is the latest in a long line of changes that's made it harder to take over an ordinary person's computer. Android has had an equivalent since 8, and I'm pretty sure iOS has it.

Put that with the change to more people being mobile-only and there's fewer ways to create the botnets behind these.


> TPM by default in Windows 11 is the latest in a long line of changes that's made it harder to take over an ordinary person's computer

Interesting, I think of TPM as being for holding keys for BitLocker encryption or personal certificates. Can you clarify how TPM makes it harder to remotely take over a computer?

It's what you can do with the TPM. With the TPM to hold keys, you can require that e.g. bootloader changes be signed by the vendor. It's hard for malware to convince an ordinary person to go into BIOS and disable vendor locked bootloaders. Of course, Microsoft also gets into trouble here, because sometimes the vendors (and Microsoft itself) don't put the option to disable locking in the BIOS.
Bingo. I've seen multiple instances in the last year or so where people were advised to reboot their devices to make sure a newly identified and patched out malware was removed.
But why does malware need to mess with the bootloader when you can launch DDoS attacks from userspace?
It's a lot easier for something like Windows Defender to untangle something confined to user space than something that can prevent the OS from protecting its files by taking over the boot process.
You are correct on the ISP level. I am a network engineer for an ISP, we utilize Corero to monitor and mitigate DDoS attacks into our network. Since 99% of the time the DDoS is not targeted to us but rather the customer, I also kill the active IP addressing to their Modem/ONT, and configure that endpoint so it isn't allowed to pull an IP. Once the attack stops, re-config the endpoint and have it pull a new address.
That will stop overloading paths inside your network, but if your edge can't handle a 100 Gbps DDoS all your other customers still suffer.

Better to have the target blackholed upstream. Can usually be done with a BGP community of 666 if your peers support it.
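As an added illustration of the upstream blackhole the reply above describes (not code from any commenter): a small Python helper that builds a remotely-triggered-blackhole announcement tagged with the RFC 7999 BLACKHOLE community 65535:666, refusing anything that is not a single host route inside the ISP's own address space. The sample prefixes, the ASN and the ExaBGP text-API line format are assumptions.

```python
import ipaddress

# RFC 7999 well-known BLACKHOLE community (65535:666), the "666" the reply
# refers to. Many upstreams also honour a provider-specific <ASN>:666.
BLACKHOLE_COMMUNITY = "65535:666"

# Constructed sample: the address space this ISP originates. Only targets
# inside it may be blackholed; an upstream would reject anything else anyway.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]


def rtbh_announcement(target, local_asn=None):
    """Build a blackhole announcement for one victim address.

    Returns (prefix, communities) or raises ValueError when the request is
    unsafe: the route must be a single host (/32 or /128) and must lie inside
    our own address space, so a typo cannot blackhole a whole customer block
    or someone else's network.
    """
    net = ipaddress.ip_network(target, strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"refusing to blackhole {net}: only host routes allowed")
    if not any(net.subnet_of(p) for p in OUR_PREFIXES if p.version == net.version):
        raise ValueError(f"refusing to blackhole {net}: not inside our address space")
    communities = [BLACKHOLE_COMMUNITY]
    if local_asn is not None:
        communities.append(f"{local_asn}:666")  # provider-style variant (assumed)
    return str(net), communities


def exabgp_line(prefix, communities, next_hop, withdraw=False):
    """Render the announcement (or its withdrawal once the attack stops) in
    ExaBGP's text-API syntax; the exact format is an assumption here."""
    verb = "withdraw" if withdraw else "announce"
    return f"{verb} route {prefix} next-hop {next_hop} community [{' '.join(communities)}]"


if __name__ == "__main__":
    prefix, comms = rtbh_announcement("192.0.2.10", local_asn=64500)
    print(exabgp_line(prefix, comms, "192.0.2.1"))
```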

Doesn't that simply mean that the customer loses connectivity, just as the attacker intended, for the duration of the attack?

From the ISP's point of view, you might have prevented an overload that could have affected other customers. From the customer's point of view, their service was denied all the same. Doesn't sound like anything has improved compared to 10-20 years ago.

In both cases the customer has no access (or a very limited one).