Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Botnet Security

Krebs Warns Source Code Leaked From Massive IoT Botnet Attack (krebsonsecurity.com) 69

Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity: The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...

The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...

Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.
This discussion has been archived. No new comments can be posted.

Krebs Warns Source Code Leaked From Massive IoT Botnet Attack

Comments Filter:
  • by Anonymous Coward

    The throw-away hardware market gave way to the throw-away software (APPS!) market... is this the result?

    • This is more a result of people wanting the latest gadget with the most gimmicks, ignoring security or whether they actually need those gimmicks. This of course leads to manufacturers stuffing more and more gimmicks into their toys, and with the rule that the first to the market makes the buck, security is simply ignored, since the customer does not give a shit about it.

      It's simply market economics at work.

      • by AmiMoJo ( 196126 )

        When people buy tech like this they buy the cheapest option. Why pay more for the same functionality? Security is a secondary consideration.

        I like the idea of ISPs scanning for these vulnerabilities and auto-blocking accounts that become infected until the owner contacts them.

        • What I don't like about this option is what will immediately follow: "If you can scan for bots, you can scan for torrents".

          In the end, we'll get something like that. And this is why we can't have nice things.

        • When people buy tech like this they buy the cheapest option. Why pay more for the same functionality? Security is a secondary consideration.

          "Security" rates as highly as that? What an optimist you are.

    • by Anonymous Coward

      As modern app appers know....

  • by TroII ( 4484479 ) on Sunday October 02, 2016 @03:51PM (#53000627)

    Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems."

    Yeah, I doubt it.

    Customer: My internet is slow.
    Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
    Customer: Yes, my internet is still slow.
    Comcast: Let me to be sending the signal to your modem!
    Customer: Didn't do anything, my internet is still slow.
    Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
    Customer: Yes, 5 minutes ago while I was talking to you! My internet is still slow.
    Comcast: Let me to be sending the signal to your modem!

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Used to work for 2Wire many years ago. Took transfers from outsourced SBC L1 techs. Unlike most, I don't blame them for being insanely inept at their jobs. They're hired to follow a script, not be technicians. Probing for info before the transfer often went like this:

      Me: "Did you try pinging the router?"
      L1: "...I was not able to do that."
      Me: "Ok, is there something wrong? How come you were unable to ping it?"
      L1: "...I was not able to do that."

      I get similar from my cable ISP from non-outsourced supp

  • by ledow ( 319597 ) on Sunday October 02, 2016 @03:58PM (#53000655) Homepage

    No problem.

    My old ISP used to detect SMB port access. If they witnessed any - i.e. your connection was opening your file shares to the world - they would block your web and replace every page with a notice until you signed a document stating that you intended to do this. I think you needed customer number so not something that the kids could just press okay on for you.

    At that point, they would open up the port again, or - if you'd fixed the problem and they detected that - they'd check once an hour and take the block off.

    Force ISPs to do the same for when they detect spam email, or botnet-contribution, etc. Then when they detect it again after they'd signed, you can just kick them off for AUP violation.

    But easier - just charge people by the byte. That's what'll end up happening. And most people won't even know or care that they're sending gigabytes to some poor sod's website.

    • by Doke ( 23992 )

      The problem is from amplification attacks. A sends a dns query (or something) packet to B, but forges a source address of C. B sends a much larger response to C. C blames B. B's internet fee goes up. Both B and C are victims. The correct solution is BPC38, "http://www.bcp38.info/index.php/Main_Page". Unfortunately, a lot of (IMO shady) network operators don't implement restrictions on their clients forging source ip addresses. They might be accepting payment to allow this abuse, they might be inco

    • by davecb ( 6526 )
      In various countries, ISPs are reluctant to block spam from their customers, or even tell the customers that they have an virus, for fear the customer will sue them. In Canada (right next to the US) we were advised to do nothing, as one litigatious customer could ruin your whole year (;-))
  • by Opportunist ( 166417 ) on Sunday October 02, 2016 @04:12PM (#53000717)

    The reason you can't simply get as many bots isn't that ISPs start finding out that they have a responsibility. It's simply that more players are fighting over the bots.

    Next step is probably botters hacking devices and changing the passwords so other bot herders can't use them. It's the usual game: A resource is only valuable if the other one does NOT have it.

  • Am I thinking wrong, or isn't this potentially a good thing? The more DOS:ers fighting for the same bots, the fewer of them will be able to hit each site. Thus they won't really be effective any longer.
  • by SeaFox ( 739806 ) on Sunday October 02, 2016 @04:34PM (#53000837)

    Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."

    A frightening "future" indeed.

  • by slincolne ( 1111555 ) on Sunday October 02, 2016 @04:42PM (#53000867)
    Has anyone seen any lists of the devices that are being compromised?

    It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).

    Maybe all the ISP's should grab a copy of the code and use it for scanning for vulnerable client devices and tell their customers to disconnect them before the ISP does it for them.

    • probably all of them, sooner or later. The IoT software built into nearly everything will be done as a marketing gimmick more than anything, with both cost and ease-of-usage kept down as low as possible meaning security will be non-existent, or if it is present will be so dumbed down to make it work out-of-the-box without any configuration.

    • It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).

      I haven't seen the source code yet, but here [sucuri.net] is an interesting article that discusses at least some of the participants.

  • When is the whole www going to implement a system to disconnect items on the last leg of an internet connection when misbehavior occurs?

    If 100 users get disconnected and 99 all pounce on the guy responsible for having a Bot-IOT device.

    At least I can dream.

  • time to brick them? (Score:4, Interesting)

    by Gravis Zero ( 934156 ) on Sunday October 02, 2016 @06:09PM (#53001173)

    So is it time for people to start bricking every unsecured IoT device or what?

    • VERY Interesting: If an automated BOT went around and commandeered unsecured IOT devices and simply destroyed them, that would solve one problem. People would quickly learn to secure their IOT devices.

      • by dargaud ( 518470 )
        I think most IOT is hard to brick: if you reboot it it just restart in default mode as there's no writable filesystem (only a ramdisk) and only a few bytes where to save config information. So you are back to square one with a device still ripe open and ready for the ownage.
    • by Doke ( 23992 )

      Then get sued... :-(

  • BCP38 (Score:4, Interesting)

    by mars-nl ( 2777323 ) on Sunday October 02, 2016 @06:37PM (#53001259)

    Wouldn't most if not all DDoS attacks be much harder if ISPs implemented BCP38 [ietf.org]? Of course IoT devices should be secure, but this is a dream as software will always contain bugs. The number of ISPs is much smaller than the number of devices connected to the internet, so blocking spoofed IP traffic is much cheaper solution.

    • by ShaunC ( 203807 )

      Some of the traditional attacks (DNS/NTP reflection and amplification) would be mitigated but it's not likely to help with these IoT DDoSes. When you can control 300,000 pwned devices, you don't need to spoof any traffic.

      • by I4ko ( 695382 )
        In my case I have a set of rules on my router - you send me a packet I don't expect - blacklisted for 1 hour.
        You send me another packet - add another hour to your blacklist time. I have a few IP cameras - they are allowed to connect only to my internal DNS and to my external ftp server. All connections to them, and outbound from them to places I have not explicitly allowed are dropped silently.
        Same for NAS-es as well - no, you can't use UPNP, you can't phone home to mama(facturer), and you most certainly
      • by Doke ( 23992 )

        Regrettably, this is true. Krebs said his Akamai protection got hit primarly by GRE packets straight from the botted device. Very little of the DDOS was from amplification.

  • by ripvlan ( 2609033 ) on Monday October 03, 2016 @09:40AM (#53004101)

    I've been trying to get more info on this IoT unsecure thing and understand what these devices are. One thing that confuses me is that - aren't these things installed (mostly) in Residential Homes? which would be behind a "firewall" router that (usually) uses NAT?

    The reason I ask this - how do I protect myself if I place such a device in my home? Are these pwned devices on the open network --- or can they be attacked through NAT? My "smart" TV, Bluray, Amazon TV, Apple TV, Raspberry Pi, Sonos, etc are all on the network. I have a NAT w/ uPNP disabled (prevent holes from being poked). Sure I understand there are ways through NAT....but these IoT attacks seem to "telnet" directly to the device without any special layers.

    Beyond basic NAT/uPNP --- what else do I need to know?

    Thanks!

    • uPNP is the culprit in most cases. It lets IOT devices unilaterally open holes in firewalls. The thing is, there is no reason to do so, as IoT devices should only need to "phone home", which doesn't require inbound access. The second vector is viruses that invade a home user's desktop computer, and then scan for, and infect, IoT devices. This is much harder to protect against, as ISPs can't scan through the firewall. What would be helpful is a downloadable tool to let users run their own IoT vulnerability
    • by Doke ( 23992 )

      Most consumer grade gateways are designed for less technical users. To reduce support calls, they have UPNP turned on by default. These days, they usually have an option to turn it off, probably down in an "advanced" page of the WUI. However, they very seldom have options to limit it to specific internal devices. Many of the online games require open network ports, and use UPNP to obtain them. Technical users can manually set up the port forwarding for a game console, by assigning it a fixed ip, and pa

1 1 was a race-horse, 2 2 was 1 2. When 1 1 1 1 race, 2 2 1 1 2.

Working...