Krebs Warns Source Code Leaked From Massive IoT Botnet Attack (krebsonsecurity.com) 69
Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity:
The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...
The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.
The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.
Throw away economics? (Score:1)
The throw-away hardware market gave way to the throw-away software (APPS!) market... is this the result?
Re: (Score:3)
This is more a result of people wanting the latest gadget with the most gimmicks, ignoring security or whether they actually need those gimmicks. This of course leads to manufacturers stuffing more and more gimmicks into their toys, and with the rule that the first to the market makes the buck, security is simply ignored, since the customer does not give a shit about it.
It's simply market economics at work.
Re: (Score:2)
When people buy tech like this they buy the cheapest option. Why pay more for the same functionality? Security is a secondary consideration.
I like the idea of ISPs scanning for these vulnerabilities and auto-blocking accounts that become infected until the owner contacts them.
Re: (Score:2)
What I don't like about this option is what will immediately follow: "If you can scan for bots, you can scan for torrents".
In the end, we'll get something like that. And this is why we can't have nice things.
Re: (Score:2)
"Security" rates as highly as that? What an optimist you are.
Re: Throw away economics? (Score:1)
As modern app appers know....
Overly optimistic (Score:5, Funny)
Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems."
Yeah, I doubt it.
Customer: My internet is slow.
Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
Customer: Yes, my internet is still slow.
Comcast: Let me to be sending the signal to your modem!
Customer: Didn't do anything, my internet is still slow.
Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
Customer: Yes, 5 minutes ago while I was talking to you! My internet is still slow.
Comcast: Let me to be sending the signal to your modem!
Re: (Score:3, Informative)
Used to work for 2Wire many years ago. Took transfers from outsourced SBC L1 techs. Unlike most, I don't blame them for being insanely inept at their jobs. They're hired to follow a script, not be technicians. Probing for info before the transfer often went like this:
Me: "Did you try pinging the router?"
L1: "...I was not able to do that."
Me: "Ok, is there something wrong? How come you were unable to ping it?"
L1: "...I was not able to do that."
I get similar from my cable ISP from non-outsourced supp
DDoS (Score:3)
No problem.
My old ISP used to detect SMB port access. If they witnessed any - i.e. your connection was opening your file shares to the world - they would block your web and replace every page with a notice until you signed a document stating that you intended to do this. I think you needed customer number so not something that the kids could just press okay on for you.
At that point, they would open up the port again, or - if you'd fixed the problem and they detected that - they'd check once an hour and take the block off.
Force ISPs to do the same for when they detect spam email, or botnet-contribution, etc. Then when they detect it again after they'd signed, you can just kick them off for AUP violation.
But easier - just charge people by the byte. That's what'll end up happening. And most people won't even know or care that they're sending gigabytes to some poor sod's website.
Re: (Score:2)
The problem is from amplification attacks. A sends a dns query (or something) packet to B, but forges a source address of C. B sends a much larger response to C. C blames B. B's internet fee goes up. Both B and C are victims. The correct solution is BPC38, "http://www.bcp38.info/index.php/Main_Page". Unfortunately, a lot of (IMO shady) network operators don't implement restrictions on their clients forging source ip addresses. They might be accepting payment to allow this abuse, they might be inco
Re: (Score:2)
Re: (Score:2)
I would just go for 1 and for the really bad things like backdoor accounts, fixed known default passwords etc. Then make the fines repeat at double the rate every say three months if they don't fix it.
At least that way one should in the future be able to buy from big name vendors and have a hope that they are reasonably secure.
Re: (Score:2)
Unfortunately, by the time the FTC or FCC got the fine through appeals, the bad device would have been on the market for 10 years. By then the sub-company created to market that device would no longer exist. It also would not eliminate the bad devices already out there.
Re: (Score:2)
1) Defeated by bankruptcy
2) Defeated by lobbying
3) Blood from turnips. Good luck with that.
Good luck with that. The problem is, these types of events are easily solvable, except the part where solving it requires cooperation. The whole "That's Not My Problem" response by just about everyone.The problem is, it is everyone's problem because just about everyone contributes to it. There is one almost IoT device for every person on earth already.
The biggest problem with IoT devices is that they are mostly replac
It's not "cleaning up", it's competition (Score:4, Interesting)
The reason you can't simply get as many bots isn't that ISPs start finding out that they have a responsibility. It's simply that more players are fighting over the bots.
Next step is probably botters hacking devices and changing the passwords so other bot herders can't use them. It's the usual game: A resource is only valuable if the other one does NOT have it.
Good! (Score:2)
Re: (Score:2)
He got Slashdotted ! (Score:2)
In the past this used to be a good thing indeed,
but by now everyone seems to have forgotten the Slashdot Effect:
https://en.wikipedia.org/wiki/... [wikipedia.org]
I am getting old ...
Re: (Score:2)
You'd be dead too. ;)
"Mirai" (Score:3)
Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."
A frightening "future" indeed.
Re: (Score:2)
Have the actual IoT devices been identified? (Score:4, Interesting)
It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).
Maybe all the ISP's should grab a copy of the code and use it for scanning for vulnerable client devices and tell their customers to disconnect them before the ISP does it for them.
Re: (Score:3)
probably all of them, sooner or later. The IoT software built into nearly everything will be done as a marketing gimmick more than anything, with both cost and ease-of-usage kept down as low as possible meaning security will be non-existent, or if it is present will be so dumbed down to make it work out-of-the-box without any configuration.
Re: (Score:2)
It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).
I haven't seen the source code yet, but here [sucuri.net] is an interesting article that discusses at least some of the participants.
Auto-Disonnect by ISPs? (Score:2)
When is the whole www going to implement a system to disconnect items on the last leg of an internet connection when misbehavior occurs?
If 100 users get disconnected and 99 all pounce on the guy responsible for having a Bot-IOT device.
At least I can dream.
You don't want this. (Score:2)
Slippery slope. Very slippery. Oh look the ??AA just lobbied to get torrents listed as malware traffic legally and now ISPs are required to go around policing which is what the shit lord copyright trolls have always wanted.
Re: (Score:3)
What's "misbehaviour"?
time to brick them? (Score:4, Interesting)
So is it time for people to start bricking every unsecured IoT device or what?
Re: (Score:2)
VERY Interesting: If an automated BOT went around and commandeered unsecured IOT devices and simply destroyed them, that would solve one problem. People would quickly learn to secure their IOT devices.
Re: (Score:2)
Re: (Score:2)
Then get sued... :-(
BCP38 (Score:4, Interesting)
Wouldn't most if not all DDoS attacks be much harder if ISPs implemented BCP38 [ietf.org]? Of course IoT devices should be secure, but this is a dream as software will always contain bugs. The number of ISPs is much smaller than the number of devices connected to the internet, so blocking spoofed IP traffic is much cheaper solution.
Re: (Score:3)
Some of the traditional attacks (DNS/NTP reflection and amplification) would be mitigated but it's not likely to help with these IoT DDoSes. When you can control 300,000 pwned devices, you don't need to spoof any traffic.
Re: (Score:2)
You send me another packet - add another hour to your blacklist time. I have a few IP cameras - they are allowed to connect only to my internal DNS and to my external ftp server. All connections to them, and outbound from them to places I have not explicitly allowed are dropped silently.
Same for NAS-es as well - no, you can't use UPNP, you can't phone home to mama(facturer), and you most certainly
Re: (Score:2)
Regrettably, this is true. Krebs said his Akamai protection got hit primarly by GRE packets straight from the botted device. Very little of the DDOS was from amplification.
Re: (Score:2)
I've heard that mentioning specific vendors and models can get a security researcher sued. These days, you need to either post the list of weak devices anonymously, or consult a lawyer about responsible disclosure.
How to protect myself? (Score:3)
I've been trying to get more info on this IoT unsecure thing and understand what these devices are. One thing that confuses me is that - aren't these things installed (mostly) in Residential Homes? which would be behind a "firewall" router that (usually) uses NAT?
The reason I ask this - how do I protect myself if I place such a device in my home? Are these pwned devices on the open network --- or can they be attacked through NAT? My "smart" TV, Bluray, Amazon TV, Apple TV, Raspberry Pi, Sonos, etc are all on the network. I have a NAT w/ uPNP disabled (prevent holes from being poked). Sure I understand there are ways through NAT....but these IoT attacks seem to "telnet" directly to the device without any special layers.
Beyond basic NAT/uPNP --- what else do I need to know?
Thanks!
Re: How to protect myself? (Score:3)
Re: (Score:2)
Most consumer grade gateways are designed for less technical users. To reduce support calls, they have UPNP turned on by default. These days, they usually have an option to turn it off, probably down in an "advanced" page of the WUI. However, they very seldom have options to limit it to specific internal devices. Many of the online games require open network ports, and use UPNP to obtain them. Technical users can manually set up the port forwarding for a game console, by assigning it a fixed ip, and pa