100Gbps DDoS Attacks Now Commonplace

[Megalith]

Free tools are allowing just about anyone to play the DDOS game. Attacks in 2016 have reached as high as 579Gbps, with the US, China, and Korea being primary targets. Forty six attacks over 200Gbps have also been discovered this year.

…over the first six months of 2016, there has been a surge in the frequency and power of distributed denial-of-service (DDoS) attacks, with the most extreme attack reaching 579Gbps. DDoS attacks are a common way to disrupt businesses and online services. Traffic floods a system with requests, overloading the service and preventing legitimate traffic from getting through. The cost of these attacks can be severe in lost revenue and frustrate users, but rarely cause any intense damage to infrastructure itself. Data released by the group on Tuesday claims that there is now an average of 124,000 DDoS attacks per week taking place, based on information gathered over the last 18 months.

 

[Zarathustra[H]]

I don't understand why nothing can be done about this.


Like a universal automatic suspension of every IP address from which a DDOS packet originates.


I'd like to see operating systems where the Network stack is disabled if they are not fully patched and more active scanning on the ISP's part to take systems where packets used in DDOS attacks originate offline.

They need to be ruthless. No matter who you are no matter how critical you think your system is, plug gets automatically pulled if part of a botnet used in a DDOS attack until the IP address owner takes action to make sure it doesn't happen again.

This shit is just not acceptable. I want to see people with three letter abbreviation jackets kicking down doors and arresting everyone who downloads LOIC, not just the botnet masterminds.

 

[xmadror]

I can see how a DDoS attack over 100Gpps could be hard to manage even more so over 500!

This shit is just not acceptable. I want to see people with three letter abbreviation jackets kicking down doors and arresting everyone who downloads LOIC, not just the botnet masterminds.

nah its way easier to go after movie, music and tv show uploader !!

 

[Eickst]

I understand why nothing can be done about this.


Like a universal automatic suspension of every IP address from which a DDOS packet originates.


I'd like to see operating systems where the Network stack is disabled if they are not fully patched and more active scanning on the ISP's part to take systems where packets used in DDOS attacks originate offline.

They need to be ruthless. No matter who you are no matter how critical you think your system is, plug gets automatically pulled if part of a botnet used in a DDOS attack until the IP address owner takes action to make sure it doesn't happen again.

This shit is just not acceptable. I want to see people with three letter abbreviation jackets kicking down doors and arresting everyone who downloads LOIC, not just the botnet masterminds.

How can i get the latest patches if my networking stack is disabled?

Also, if you've never had a bad MS update hose one of your computers, you haven't lived until you see it done to 1000 overnight at a business.

 

[Zarathustra[H]]

How can i get the latest patches if my networking stack is disabled?

But more seriously, you are right, maybe not completely disabled, but how about blocked off to everything except the update server?

Also, if you've never had a bad MS update hose one of your computers, you haven't lived until you see it done to 1000 overnight at a business.

I understand this might be inconvenient, but I'm sorry, security must come before uptime in 100% of cases. If its between going down, and being up with an unpatched security hole, "going down" is the correct answer 100 times out of 100.

I'd rather have people pissed off because they cant get online, than be sucked into yet another botnet. I don't care how "mission critical" you think you are.

Microsoft and other OS makers need to get draconian on this point, and have no exceptions for anyone ever. Get patched or GTFO the net.

 

[Spidey329]

Microsoft and other OS makers need to get draconian on this point, and have no exceptions for anyone ever. Get patched or GTFO the net.

Some might argue they have been with Win10. It's not easy to ignore updates and they're trying to force as many systems onto it.

 

[donald_k]

A lot of these attacks are conducted within the cloud on virtual server instances. Too easy to set up a few synchronized thousand VMs across a cloud service's network and then let it rip with one little command...

To the poster that said cblock a certain IP range: due to class-less routing done these days (hosted on the same cloud services that also host the DDoS attacks unknowingly), IP blocks on a grand scale will flat out break most services. Now maybe if IPv6 can roll out and cloud services don't share IPs across subscribers then a block could work. I run dual-stack with HE.Net tunnel... IPv6 is spotty at best even now.

 

[bitbum]

protection is available ...
Advanced DDoS Protection and Mitigation - CloudFlare

 

[Chaos Machine]

But more seriously, you are right, maybe not completely disabled, but how about blocked off to everything except the update server?



I understand this might be inconvenient, but I'm sorry, security must come before uptime in 100% of cases. If its between going down, and being up with an unpatched security hole, "going down" is the correct answer 100 times out of 100.

I'd rather have people pissed off because they cant get online, than be sucked into yet another botnet. I don't care how "mission critical" you think you are.

Microsoft and other OS makers need to get draconian on this point, and have no exceptions for anyone ever. Get patched or GTFO the net.

Tell a hospital that relies on telemedicine they aren't mission critical enough.

 

[Ur_Mom]

How can i get the latest patches if my networking stack is disabled?

Also, if you've never had a bad MS update hose one of your computers, you haven't lived until you see it done to 1000 overnight at a business.

Whitelist Windows Update and a few other security sites.

If a business with 1000+ PC's isn't using WSUS or other patch management along with internal testing, then it needs some real IT people working there.

 

[DrLobotomy]

I guess all those unsold/unrented cloud instances would make for a righteous assault.

 

[-PK-]

It really needs to be handled at the ISP level since src ip's can be spoofed, so any retaliation from the destination could be abused to attack a secondary target.

 

[Dead Parrot]

But more seriously, you are right, maybe not completely disabled, but how about blocked off to everything except the update server?

I understand this might be inconvenient, but I'm sorry, security must come before uptime in 100% of cases. If its between going down, and being up with an unpatched security hole, "going down" is the correct answer 100 times out of 100.

I'd rather have people pissed off because they cant get online, than be sucked into yet another botnet. I don't care how "mission critical" you think you are.

Microsoft and other OS makers need to get draconian on this point, and have no exceptions for anyone ever. Get patched or GTFO the net.

This might be a good policy right up to the point where YOU are the one laying in the hospital bed listening to your doctor tell you that he/she can't access your medical records stored in your GP's office because the hospital is on a 'security lock down' due to a false positive security issue but that IT reports they should have the situation cleared up with 'Security Central' in a few days once they manage to navigate the tech support phone menu and get a human to call back since the Internet is down.

 

[Gigus Fire]

Microsoft and other OS makers need to get draconian on this point, and have no exceptions for anyone ever. Get patched or GTFO the net.

Being up to date with patches have no correlation to DDOS attacks or being used in a DDOS attack. There are exploits in the black hat community that they don't share with microsoft, thus enabling them to hijack the systems.

Some of the patches open up more exploits.

There really is no miracle cure for malicious use of the internet.

Like a universal automatic suspension of every IP address from which a DDOS packet originates.

There would be a lot of false positives.

 

[drakken]

Watching Black Desert Online get hit with a ddos attack and yet they fixed it by fixing the routers suggests that some of it may just be people taking five bucks to switch networks over from tcip subnetted traffic to udp and watching as the servers melt from the traffic. Though it could be as simple as some kid got access to a data center or public system like the dmv and is hiding a bot net in there. traffic going out of the normal locations like say over seas would suddenly show up as out of the normal traffic.

 

[bigstusexy]

I would like to know what can be done and what I as a net admin can do. I'd like to see stuff for this in my firewall. While I have the ability to have it scan for viruses (we do it else where) I'd like as part of my maintenance for it to scan for general DDOS and patterns and report it to me. That way I know what IP(s) on my network need to be looked at.

Not only does my job not put a lot of money towards IT, were a school district, in IL so yeah money is a big issue. Some days I spend my entire day looking after things and I can tell you that every single day we get tons of virus spam and phishing scams. They want in to our 1Gbps connection badly. Part of it is that we are in the middle of a migration (STILL) and I've got the new system to tell me about any mail it denies inbound or outbound; just this morning I woke up to 70 emails and within a few minutes it was over 120. I had to remote in and set a new pattern just to get my phone to stop beeping about these emails!

Edit: Very rarely but a few times I have gotten emails from my service provider (AT&T) about suspicious activity from my network. However because we have to use NAT it doesn't do much but alert me and give me a heacache since they can't see inside my network. Luckily they have all been off known port connections so I can set that port in my firewall and investigate any that use that port. Our old provider alerted us to the fact that someone was torrenting on our connection. No DMCAs but they just let us know the usage spiked around hours that was after work and on the weekends. I already knew who it was and they worked in the office. It mysteriously went away when I started unplugging their NIC as I'd leave after them and come in before them.

 

[ZenDragon]

I don't understand why nothing can be done about this.


Like a universal automatic suspension of every IP address from which a DDOS packet originates.


I'd like to see operating systems where the Network stack is disabled if they are not fully patched and more active scanning on the ISP's part to take systems where packets used in DDOS attacks originate offline.

They need to be ruthless. No matter who you are no matter how critical you think your system is, plug gets automatically pulled if part of a botnet used in a DDOS attack until the IP address owner takes action to make sure it doesn't happen again.

This shit is just not acceptable. I want to see people with three letter abbreviation jackets kicking down doors and arresting everyone who downloads LOIC, not just the botnet masterminds.

The problem is that most of these systems involved in the botnets are older un-patched systems owned by clueless users. They have no idea why their internet is so slow, nor that their machine is part of a bot net, and they have no idea how to go about patching/fixing or reinstalling the OS. Most of the time they still have the default passwords on their routers or the firewalls turned off altogether, bot net operators count on this to operate. Taking those machines offline is certainly not a bad idea in that it would probably work, but for most ISPs simply allowing it and absorbing the cost associated with the bandwidth usage is cheaper than trying to get clueless customers to update their machines. I'm not saying the ISPs do this willingly or on purpose, just that it all come down to money.

 

[Zarathustra[H]]

Tell a hospital that relies on telemedicine they aren't mission critical enough.

This might be a good policy right up to the point where YOU are the one laying in the hospital bed listening to your doctor tell you that he/she can't access your medical records stored in your GP's office because the hospital is on a 'security lock down' due to a false positive security issue but that IT reports they should have the situation cleared up with 'Security Central' in a few days once they manage to navigate the tech support phone menu and get a human to call back since the Internet is down.

You know, I don't want a hospital being so cavalier with my medical records that they are used on unpatched machines.

I'd rather wait, and have them pull the records when the problem is resolved, and if there is an emergency, there are backup protocols in place for transferring essential medical records, like printing and faxing.

God.. EVERYONE thinks they are so special, and that they need a reason to not patch their shit. And that's why we have problems like this.

Patch your shit, or GTFO the internet, no exceptions.

I don't even think enterprise users should be allowed to opt out and pre-validate security patches. Feature patches, certainly, but security patches no way. If a security patch takes down a system, so be it. Better it go down, than stay up unpatched.

The mindset needs to be altered to a patch first no matter what. uptime be damned mentality across all of computing, enterprise and home.

 

[earnolmartin]

Unfortunately, when it comes to DDoS attacks, UDP packets can be spoofed which makes finding who is responsible next to impossible. This is why BIND recursion attacks are common along with attacks against game servers. Someone selects a target, sends spoofed requests for BIND DNS resolution appearing to originate from the target, data is sent back to the target, and multiple requests are made flooding the target who didn't even make the request.

UDP has low overhead and is stateless, but is open for abuse. Time to start testing for sociopaths and keep their online activities monitored. Banning IPs is not an ideal solution. The internet needs a rewrite which most people nowadays have no knowledge as to how that could actually be done.

The future looks bleak.

 

[earnolmartin]

Operating system patches won't fix the problem. The worst exploits lie in different internet protocols themselves.

 

[Gigus Fire]

Operating system patches won't fix the problem. The worst exploits lie in different internet protocols themselves.

You're talking to someone who doesn't understand this.

The internet needs a rewrite which most people nowadays have no knowledge as to how that could actually be done.

The internet was written to be open and not secure. It's like a open highway for traffic.
What's wrong with open highways?

 

[earnolmartin]

Nothing is wrong with an open highway until it's abused. In my opinion, abuse comes from people with no empathy (sociopaths). The internet could be fixed if we fix society first, but those in power who are running the show are usually sociopaths themselves.

 

[Zarathustra[H]]

Operating system patches won't fix the problem. The worst exploits lie in different internet protocols themselves.

Yes, I know there are exploits in protocols that amplify the problem, but you still need a fairly large amount of compromised boxes to get the ball rolling.

And to those saying that you can do this by just renting some time on a cloud service, sure, that is possible, but now there must be a trail to who you are. Where are the silent black helicopters already? We need to reaper drone these fuckers.

 

[Mugato]

You know, I don't want a hospital being so cavalier with my medical records that they are used on unpatched machines.

I'd rather wait, and have them pull the records when the problem is resolved, and if there is an emergency, there are backup protocols in place for transferring essential medical records, like printing and faxing.

God.. EVERYONE thinks they are so special, and that they need a reason to not patch their shit. And that's why we have problems like this.

Patch your shit, or GTFO the internet, no exceptions.

I don't even think enterprise users should be allowed to opt out and pre-validate security patches. Feature patches, certainly, but security patches no way. If a security patch takes down a system, so be it. Better it go down, than stay up unpatched.

The mindset needs to be altered to a patch first no matter what. uptime be damned mentality across all of computing, enterprise and home.

I (and the whole company!) would be out a job based on the line you've drawn, you are going way to extreme man.

 

[Gigus Fire]

Nothing is wrong with an open highway until it's abused. In my opinion, abuse comes from people with no empathy (sociopaths). The internet could be fixed if we fix society first, but those in power who are running the show are usually sociopaths themselves.

I believe you're using the term sociopath incorrectly. Most people just don't care about other people they don't know. Changing people's behavior to care about people they don't know could be considered evil.

Fixing the internet by fixing society first is pretty much asking to change human nature and to me sounds extremely idealistic

 

[toast0]

I would like to know what can be done and what I as a net admin can do. I'd like to see stuff for this in my firewall. While I have the ability to have it scan for viruses (we do it else where) I'd like as part of my maintenance for it to scan for general DDOS and patterns and report it to me. That way I know what IP(s) on my network need to be looked at.

I've been the target of a bunch of DDoS at work. There's three classes of attacks I've seen:

a) SYN floods -- if your network is participating in this, it's sourced inside your network (kids or botnet-ed computers)
b) UDP reflection -- if you're running UDP services accessible from the public (NTP, DNS, ***** chargen), rate limit by source IP, and if you're running chargen, don't. Also, don't think you can fix this by dropping outgoing responses, if they're big enough, they get fragmented, and most firewalls will easily drop the first fragment and let the rest go through; it's way more annoying getting a bunch of fragments but not the first one.
c) Wordpress pingbacks -- if you're running wordpress, don't Or at least turn off pingbacks and consider not allowing the wordpress machine to initiate connections to the outside world.

 

[DrLobotomy]

You cant stop earthquakes, so you prepare yourself for the event. You cant stop insanity, but you can prepare for it. That is the way it works. Save the idealistic stuff for movies and dreams.

 

[Ducman69]

I want to see people with three letter abbreviation jackets kicking down doors and arresting everyone who downloads LOIC, not just the botnet masterminds.

Most attacks are done by unwitting users that downloaded malware, and are victims themselves. Seems silly to bust down the door of an old grandma, shoot her two dogs, and throw her on the ground and steal her computer because she picked up some malware while trying to find a new kitten wallpaper for her screen.

 

[Zarathustra[H]]

Most attacks are done by unwitting users that downloaded malware, and are victims themselves. Seems silly to bust down the door of an old grandma, shoot her two dogs, and throw her on the ground and steal her computer because she picked up some malware while trying to find a new kitten wallpaper for her screen.

Downloading LOIC = intent. LOIC is an intentional "make me part of a botnet" program.

With malware you are right, we should be going after those holding the strings, not those who are compromised, but I still say it makes sense to take them offline until they have cleaned their systems.

 

[Biznatch]

You know, I don't want a hospital being so cavalier with my medical records that they are used on unpatched machines.

I'd rather wait, and have them pull the records when the problem is resolved, and if there is an emergency, there are backup protocols in place for transferring essential medical records, like printing and faxing.

God.. EVERYONE thinks they are so special, and that they need a reason to not patch their shit. And that's why we have problems like this.

Patch your shit, or GTFO the internet, no exceptions.

I don't even think enterprise users should be allowed to opt out and pre-validate security patches. Feature patches, certainly, but security patches no way. If a security patch takes down a system, so be it. Better it go down, than stay up unpatched.

The mindset needs to be altered to a patch first no matter what. uptime be damned mentality across all of computing, enterprise and home.

HAHAHAHHAHAAHA you have no idea how bad the system are in the healthcare industry. My company works with health plans/hospitals and you would not believe what they are using. We had one client location not able to run our web application and demanded to know why it wouldn't load. When asked what OS they were using, they said Windows 95... They stopped patching that years ago, but the cost to upgrade is too much and hey it works right?

And you wouldn't believe how many people see your medical records outside of your dr/his office (You sign those rights away when you get insurance). Seriously, be careful what you tell your doctor.

 

[WangChung]

Part of the problem with banning IPs and people screaming "PATCH OR DIE" is the people that I'm sure a lot of us on this site support.

You know the ones. The ones that point to their computer chassis and call it the CPU. Or when you tell them to turn their computer off and back on they press the power button on their monitor. Or like the people that I keep running into that somehow jam the USB cable from their mouse into their ethernet port after moving their computer and wonder why they have no internet. They're nice people, but differentiating "left click" from "right click" elicits a frightened exclamation of "I'M NOT A TECHNICAL PERSON! I'M JUST A (Insert Other Than I.T. Job Title)!"

You really want to walk these people through updating their router? Or if it really goes sideways, having them do a 30/30/30 reset and try to time a TFTP bin file upload?

This was supposed to be the promise of the IoT, where manufacturers would use open source protocols and make sure their stuff was updated. It would guarantee we as IT folks wouldn't have to do such crazy and backwards things to update a refrigerator via serial cable. Yet, here we are. I can guarantee you we're going to read about botnets consisting of wireless light sockets or connected toasters in a year's time.

 

[Zarathustra[H]]

Part of the problem with banning IPs and people screaming "PATCH OR DIE" is the people that I'm sure a lot of us on this site support.

You know the ones. The ones that point to their computer chassis and call it the CPU. Or when you tell them to turn their computer off and back on they press the power button on their monitor. Or like the people that I keep running into that somehow jam the USB cable from their mouse into their ethernet port after moving their computer and wonder why they have no internet. They're nice people, but differentiating "left click" from "right click" elicits a frightened exclamation of "I'M NOT A TECHNICAL PERSON! I'M JUST A (Insert Other Than I.T. Job Title)!"

You really want to walk these people through updating their router? Or if it really goes sideways, having them do a 30/30/30 reset and try to time a TFTP bin file upload?

This was supposed to be the promise of the IoT, where manufacturers would use open source protocols and make sure their stuff was updated. It would guarantee we as IT folks wouldn't have to do such crazy and backwards things to update a refrigerator via serial cable. Yet, here we are. I can guarantee you we're going to read about botnets consisting of wireless light sockets or connected toasters in a year's time.

I'm tempted to say:

"Not a technical person? Fine, Not connected to the internet anymore"

I mean, where else can you just say "I'm not an X person" and just be allowed to continue what you are doing with potential for harming other people?

"Sir, you just cut off and almost killed that family of 5 without even looking or using your turning signal."

You can't just say, "I'm not a driving person" and then drive off.

IMHO, if you can't use google to figure out how to flash a ROM using TFTP, you have no place on the internet, ever.

I'm not saying you have to be an expert at it, but god damnit, when there are step by step directions for just about everything under the sun online, and in many cases even VIDEO's there really is no excuse at all.

become a technical person, fix/patch your shit, or GTFO the web.

This is why we can't have nice things...

 

[Gigus Fire]

I'm tempted to say:

"Not a technical person? Fine, Not connected to the internet anymore"

I mean, where else can you just say "I'm not an X person" and just be allowed to continue what you are doing with potential for harming other people?

"Sir, you just cut off and almost killed that family of 5 without even looking or using your turning signal."

You can't just say, "I'm not a driving person" and then drive off.

IMHO, if you can't use google to figure out how to flash a ROM using TFTP, you have no place on the internet, ever.

I'm not saying you have to be an expert at it, but god damnit, when there are step by step directions for just about everything under the sun online, and in many cases even VIDEO's there really is no excuse at all.

become a technical person, fix/patch your shit, or GTFO the web.

This is why we can't have nice things...

The retirement home is this way. They'll promise to stay off your lawn as well.

 

[bigstusexy]

I've been the target of a bunch of DDoS at work. There's three classes of attacks I've seen:

a) SYN floods -- if your network is participating in this, it's sourced inside your network (kids or botnet-ed computers)
b) UDP reflection -- if you're running UDP services accessible from the public (NTP, DNS, ***** chargen), rate limit by source IP, and if you're running chargen, don't. Also, don't think you can fix this by dropping outgoing responses, if they're big enough, they get fragmented, and most firewalls will easily drop the first fragment and let the rest go through; it's way more annoying getting a bunch of fragments but not the first one.
c) Wordpress pingbacks -- if you're running wordpress, don't Or at least turn off pingbacks and consider not allowing the wordpress machine to initiate connections to the outside world.

Thanks, I so far haven't had to deal with actual DDOS, actually I take that back, one was a xobx live killer, that wasn't hard to find. The other things I had were scanners for things like VNC and one other. A lot of our client machines are too old to run AV or they are bogged down with and without it. I keep the AV installed anyway. The only thing I've had slip through every now and again is crypto lockers but thankfully that has stopped too.

 

[Dead Parrot]

A lot of the problem is that the core infrastructure of the Internet was designed and built assuming the Internet was going to be a safe cooperative place. Hasn't turned out that way, but we are stuck with the design decisions made years ago. Now we need core and mid level switches that know what your normal traffic patterns are and can compare abnormalities to a live list of places receiving DOS traffic. When they find a match, block or greatly degrade that traffic while at the same time notifying all senders of such traffic.

 

[Zarathustra[H]]

Thanks, I so far haven't had to deal with actual DDOS, actually I take that back, one was a xobx live killer, that wasn't hard to find. The other things I had were scanners for things like VNC and one other. A lot of our client machines are too old to run AV or they are bogged down with and without it. I keep the AV installed anyway. The only thing I've had slip through every now and again is crypto lockers but thankfully that has stopped too.

I was a member of a clan for 4 years (well, we called our self a clan, but we really weren't competitive, we just managed a server) that ran the #1 Red Orchestra 2 server on the internet, with a great community.

We suffered repeated DDOS attacks, presumably orchestrated by some clown on the server who got himself banned for being an obnoxious prick, and decided to take revenge. it completely killed our server. Took us from #1, to being almost empty 24/7 in a matter of a couple of months.

DDOS attacks completely ruined one of the very few games and one of the very few communities I really liked online.

Once it became clear that these were not just random occurrences, and that they were going to keep happening, we moved our server toa different host, which was larger and better able to deal with these attacks, but by then it was too late. Our regular player base had already moved elsewhere, and we couldn't get enough critical mass to get the server going again. (It's tough to seed a 64 player game enough to make it interesting to play so that people stay)

It pisses me off to no end that we make it so easy for people to ruin nice things and are unwilling to go medieval on this problem and just kick it into submission.

 

[raz-0]

My place of business got hit with a series of DDOSs. They went appreciably above 100Gbs, but nowhere near the record levels, nowhere near transient either.

Mitigation is problematic. These large attacks aren't botnets composed for random desktops, a lot of it was coming from server farms in various countries, either compromised or rented for the task. Multiple mitigation services did not work. ISP mitigation was sketchy at best given that one of the attacks took down most of at least one of our upstream providers. They are a pain in the ass, and not cheap to mitigate. Also very hard ot explain to the people who write checks until you are int eh middle of it. Even tehn it is hard to explain that it's an ongoing expense or this will happen again.

 

[Grahamkracka]

You know, I don't want a hospital being so cavalier with my medical records that they are used on unpatched machines.

I'd rather wait, and have them pull the records when the problem is resolved, and if there is an emergency, there are backup protocols in place for transferring essential medical records, like printing and faxing.

God.. EVERYONE thinks they are so special, and that they need a reason to not patch their shit. And that's why we have problems like this.

Patch your shit, or GTFO the internet, no exceptions.

I don't even think enterprise users should be allowed to opt out and pre-validate security patches. Feature patches, certainly, but security patches no way. If a security patch takes down a system, so be it. Better it go down, than stay up unpatched.

The mindset needs to be altered to a patch first no matter what. uptime be damned mentality across all of computing, enterprise and home.

Tell that to your boss when you take down 10000 systems with a fucked up security patch and cause your company to lose millions of dollars in productivity because you were too risk averse to validate the patch before you pushed it.

 

[Zarathustra[H]]

Tell that to your boss when you take down 10000 systems with a fucked up security patch and cause your company to lose millions of dollars in productivity because you were too risk averse to validate the patch before you pushed it.

Well, which is worse, causing a bunch of systems to go down for a little bit or leaving known zero days unpatched for several days/weeks during validation and allowing someone to break in and steal company data?

The "greater good" to make the internet a better place is that everyone patches immediately, but even when you think selfishly about it, there are risks of having known open vulnerabilities.

 

[Eickst]

Well, which is worse, causing a bunch of systems to go down for a little bit or leaving known zero days unpatched for several days/weeks during validation and allowing someone to break in and steal company data?

The "greater good" to make the internet a better place is that everyone patches immediately, but even when you think selfishly about it, there are risks of having known open vulnerabilities.

A bunch of systems to go down for a little bit? Is that a joke?

Also if you have never used WSUS before they send out bad updates periodically. Even after rolling them out to the general public. How long do I get to test them in a pilot group before rolling them out to the entire company? You know, before you kick everyone off the internet. Can i have 7 days? A month? What if it's patch tuesday and I have to validate a bunch of patches against 200+ different applications? Can I have 60 days? Or - is it patch by EOB or your off the net?

In your world every business would pretty much have to go back to paper and vacuum tubes.