Who Should We Blame For Friday's DDOS Attack? (fortune.com)

"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser-known makers of routers and cameras. An anonymous reader quotes Fortune: Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
  • by iCEBaLM ( 34905 ) on Sunday October 23, 2016 @04:41PM (#53135849)

    The people that did it.

    • by Anonymous Coward on Sunday October 23, 2016 @04:59PM (#53135925)

      Nah, too much effort figuring out who did it. Just blame Russia. Works for everyone else lately.

    • by Anonymous Coward

      What? This is 2016...we should be blaming everyone BUT who did it!

    • by AmiMoJo ( 196126 ) on Sunday October 23, 2016 @05:07PM (#53135951) Homepage Journal

      Also the people who didn't change the default passwords. Looking at the list, most of the devices are not particularly insecure or anything; it's just that their owners did not change the default login credentials but did manage to expose them to the internet.

      Also blame the engineers who didn't put in some interlocks, e.g. no requests from outside the LAN until the default password has been changed or simply force the user to change the password the first time they log in.

      • Comment removed based on user account deletion
        • Forgot the password to the device?? Tough shit; back to a factory reset you go!

          I'm not sure that anybody who leaves his/her router on default credentials would have the acumen to change anything else from factory defaults.

          • Which is why the default password should be randomly(*) set and UPnP disabled by default.

            (*) Not according to some algorithm predictable from the MAC, etc.

      • Also blame the engineers who didn't put in some interlocks, e.g. no requests from outside the LAN until the default password has been changed or simply force the user to change the password the first time they log in.

        That's the problem. Not end users not changing default passwords - many may not even know that it can or should be changed, and why should they? They're not security managers or IT engineers or so. Having users change the password on first login before they can do anything else, that's the only reasonable way to go. Maybe also add a list of the 1,000 most common passwords out there, and reject all those, make them come up with something a bit more unique, or hackers would still easily get access to the firs

        • "Having users change the password on first login before they can do anything else, that's the only reasonable way to go"

          Which mostly means that the password will be "password" or something similar.

          Better to leave it as some complex random password unless changed.

          Even better, have an interlock which requires positive action to allow external access AND a requirement to ACK warning of the consequences if not properly secured (not just a OK, but scroll to the bottom first and warning that failure to read/under

          • warning that failure to read/understand properly before clicking OK may result in personal legal liabilities)

            Which, considering I'm one of the 95% of the world's population that doesn't live in the country all such warnings are written (i.e. the USA), has no meaning to me. Then there are the many, many people that don't understand English well enough or don't understand computing well enough to even stand a chance of understanding such long, long pieces of legalese.
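An added example (not code from any poster in this thread) modelling the interlocks proposed above: a per-unit random factory credential, a forced password change on first login with a common-password blocklist, and remote admin access gated on an explicit opt-in plus acknowledgement. The LAN range, the blocklist and the `DeviceAdmin` class are constructed for illustration and model no real product.

```python
import hmac
import secrets
from ipaddress import ip_address, ip_network

# Constructed stand-in for the "1,000 most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "letmein"}
MIN_LENGTH = 12


class DeviceAdmin:
    """Admin-interface policy for a consumer device with the interlocks described above."""

    def __init__(self, lan="192.168.1.0/24", factory_secret=None):
        self.lan = ip_network(lan)
        # Per-unit random credential printed on the sticker: generated with a CSPRNG,
        # never derived from the MAC or serial number. Injectable here only for testing.
        self.password = factory_secret or secrets.token_urlsafe(12)
        self.password_changed = False
        self.remote_access_enabled = False

    def _credential_ok(self, password):
        return hmac.compare_digest(password.encode(), self.password.encode())

    def authorize(self, src_ip, password, action):
        """Decide whether a request may proceed. Returns (allowed, reason).
        action is 'change_password' or 'configure' (anything else in the UI)."""
        if not self._credential_ok(password):
            return False, "bad credential"
        remote = ip_address(src_ip) not in self.lan
        if remote and not self.password_changed:
            return False, "remote admin refused: factory credential still in use"
        if not self.password_changed and action != "change_password":
            return False, "password change required before any other action"
        if remote and not self.remote_access_enabled:
            return False, "remote admin refused: remote access not enabled"
        return True, "ok"

    def change_password(self, new_password):
        """First-login interlock plus a common-password blocklist."""
        if len(new_password) < MIN_LENGTH or new_password.lower() in COMMON_PASSWORDS:
            return False
        self.password = new_password
        self.password_changed = True
        return True

    def enable_remote_access(self, acknowledged_warning):
        """Positive action plus an explicit acknowledgement are both required."""
        if not (self.password_changed and acknowledged_warning):
            return False
        self.remote_access_enabled = True
        return True


if __name__ == "__main__":
    dev = DeviceAdmin(factory_secret="sticker-secret-XYZ")
    print(dev.authorize("198.51.100.4", "sticker-secret-XYZ", "configure"))
    print(dev.authorize("192.168.1.10", "sticker-secret-XYZ", "configure"))
    dev.change_password("correct horse battery staple")
    dev.enable_remote_access(acknowledged_warning=True)
    print(dev.authorize("198.51.100.4", "correct horse battery staple", "configure"))
```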

      • by b0bby ( 201198 )

        The problem with some of these devices is that they also have a hardcoded root password. I have one like that - I kept it behind its own router since I didn't trust it, but took it offline a couple of months ago when I learned that it has a hardcoded root and no new firmware. I had changed the admin password of course, but that really didn't do anything.
        I'm no longer going to allow an open port for any device like this, but most people won't know how to set up a VPN for home.

    • by ArmoredDragon ( 3450605 ) on Sunday October 23, 2016 @05:19PM (#53135971)

      Regardless of who is behind it, it's about time that we treat DDoS as the censorship that it is. I'm sick of hacktivists trying to justify bringing down major websites just because they don't like whoever runs it, while at the same time talking about how they are pro democracy and pro free speech. DDoS is the opposite of both, no matter who the target is. People who justify it because they don't like Walmart or whoever are fucking hypocritical assholes.

      • by AmiMoJo ( 196126 )

        Sounds like you want to ban real life protests as well. After all, what is a protest if not a DDoS on a particular location? The whole point is to block an area / road and make lots of noise so people can't ignore you.

        Of course, most DDoS attacks are not protests, but you have to draw the line somewhere. Is manually submitting hundreds of bogus web forms censorship? What about sending thousands of letters to a TV company because a show was cancelled? That might make it hard for them to respond to other mail t

        • Another point is DDOS attacks are conducted by bot nets of zombified computers, most of us /.ers take a considerable amount of pride in having our infernal machines do our bidding and only our bidding. Having one of my machines commandeered for a DDoS attack would be rankling for me and most here; I don't mind you making a statement with your resources, but trying to use mine to make your statement is just going to piss me off.

          If this leads to some senile Grandma pissing her panties in the White House decid

      • Oh but this is 2016 and if you're a leftist cyber attacker, you're a 'freedom fighter.' God forbid if free expression matters.
    • Re: (Score:1, Redundant)

      by execthis ( 537150 )

      "The people that did it." First of all you would use the pronoun "who": The people who did it.

      But, who *did* *do* *it*?

      What is the it that was done, and by whom?

      Was it someone who created the botnet? Was it someone who controlled the botnet and directed it to attack a specific target?

      Was it the manufacturers of devices who used crappy chips in their products which were vulnerable?

      Was it the manufacturer(s) of the chip themselves for even making such product(s)?

      Was it our government for failing to regulate

    • The criminal assholes that did it.
    • "it's time for consumers to acknowledge they have a role in the attack too."

      I call "Bullshit!" The devices have no access for non corporate interests to investigate. "It's a closed system," "it's a corporate secret." and all the other excuses that led to Friday's event. Volkswagen, not IoT devices; it's time to recognize their falsehoods.
  • by Anonymous Coward
    "By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well." A lot of cheap Chinese IoT devices don't have any way to update the firmware. How are consumers supposed to secure those devices?
    • Re: (Score:2, Interesting)

      I think the best way to handle this is to make people somehow accountable when they participate in a DDoS, whether they do it willingly or not. Personally I think their internet access should be throttled to dialup speed for 60 days if they are conclusively found to be participating, and that 60 days starts over each time they're found participating. It will make them think twice about buying insecure shit.

      • by Anonymous Coward

        Ah, the DMCA approach.

        I can see it now.

        Since we can't figure out how to stop ddos attacks, we create mechanism wherein our Internet equivalent of the RIAA sends ISPs notifications about who is part of a botnet.

        The ISP, in turn, immediately has to notify and throttle users who are part of the botnet. They have to do it otherwise they'll be aiding and abetting internet pira...er, ddos attacks, and thus, are open to lawsuits. This creates the proper incentive to rubber stamp... I mean, streamline the process.

        Th

        • The ISP, in turn, immediately has to notify and throttle users who are part of the botnet. They have to do it otherwise they'll be aiding and abetting internet pira...er, ddos attacks, and thus, are open to lawsuits. This creates the proper incentive to rubber stamp... I mean, streamline the process.

          The user, of course, has a chance to contest this throttling in case that the user is not part of the botnet (IP addresses are so easy to spoof these days). So it is totally fair. All they have to do is send a counterclaim and if it is rejected (which it will), they have the option to take this to court.

          Did I say a single word about identifying them by IP address, jackoff? No, so put a cock in it.

          Besides, we can do more about IP address spoofing.

          • Apart from ISPs applying spoofed address filtering, enduser ROUTERS should be filtering this shit too.

      • I'm not sure I like putting all the blame on the users. Don't we have a reasonable expectation that we're not going to be sold faulty products? And I can't characterize such brain-dead non-security as anything but "broken".

        Maybe we also should force companies to shoulder the cost of a product recall if their device is found to have security issues that can't be automatically patched and fixed. That would add a nice financial incentive for companies to release more secure products.

        If a company continues t

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        "I think the best way to handle this is to make people somehow accountable when they participate in a DDoS, whether they do it willingly or not."

        Well, you self important prick, answer me this:
        One manufacturer was quickly identified on Friday as contributing a major part of the Attack.
        Name them. No, you don't get to scour the Web now, you should _know_ this.
        Now, you as an enlightened Consumer goes out Monday to buy a new DVR. How can you tell if it has been compromised? At the least, you are going to have to

      • "I think the best way to handle this is to make people somehow accountable when they participate in a DDoS, whether they do it willingly or not"

        Absolutely. A strict liability law and hefty fines would make most people think twice, especially after it made a few newspaper headlines.

        They may have secondary rights to sue the seller(*) but at the end of the day the USER is the one who connected the device to the network.

        (*) The seller has upstream rights to sue the wholesaler, importer and upwards to the maker.

    • by AHuxley ( 892839 )
      Get consumer AV to scan the networked hardware with all listed easy to try passwords.
      Inform the user to change the password or to get a new device if it's of a poor design that can't be fixed.
  • WRONG (Score:5, Insightful)

    by darkain ( 749283 ) on Sunday October 23, 2016 @04:46PM (#53135879) Homepage

    From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."

    This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.

    • not only this but the inept users whose devices get pawned and used to attack other systems should be held legally responsible for the attacks.

      • by SeattleLawGuy ( 4561077 ) on Sunday October 23, 2016 @08:42PM (#53136633)

        not only this but the inept users whose devices get pawned and used to attack other systems should be held legally responsible for the attacks.

        Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...

        • I agree. I was thinking about cases where for example a device when purchased is secure and then the user changes the password to "password". If they have the capacity to actually log in to a configuration page and change the password, then they should also be held accountable for weakening the device's security by choosing a bad password.

      • 1) Build a prison cell for absolutely every American citizen.

        2) Pass a law about changing passwords or otherwise securing computers.

        3) Fill 'em all up.

    • Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each ...
      This keeps the burden of security within the realm of those who know what they are doing and making good decisions

      Next time you look at the device compare the randomly generated password with the MAC address. I would put it to you that many of the ISP provided routers with "random passwords" were not at all designed by people who know what they are doing. :-)

  • Blame DNS. Time for something completely different [youtube.com].

    • I blame the evil engineers who just spread out IPv4 instead of working on IPv6 and perfecting the solutions around that.
      • by msauve ( 701917 ) on Sunday October 23, 2016 @05:30PM (#53136009)
        Oh, great. With IPv6, instead of only devices which punch their way through a NAT gateway using UPnP, every IoT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
        • Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.

          That's the wonderful thing about defaults. Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT.
          You don't need users to configure things in a secure way. There's no configuration for NAT so there's no reason to assume that by going to IPv6 the internet would be any less secure.

          • by msauve ( 701917 )
            "Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."

            Your limited experience is not a suitable basis for drawing a valid conclusion.
            • "Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."

              Your limited experience is not a suitable basis for drawing a valid conclusion.

              Ok, let's run with that for a second. Are you suggesting ISPs will send you a wireless router without NAT enabled by default? Because NAT by necessity requires a stateful firewall to be running.

              • by msauve ( 701917 )
                No sense going any further until you learn more about networking. NAT does not imply a stateful firewall, they're two completely different things.
                • You're right. Now show me a NAT implementation that works without a stateful firewall enabled.

                  The two terms serve a different purpose yet you can't have NAT without effectively having the other and I stand by my original comment. Every consumer router currently being delivered does exactly the same thing as a stateful firewall out of the box ENABLED BY DEFAULT, with the minor addition of packet forwarding.

        • IPv6 doesn't mean no more firewalls - it just means no more NAT.

          NAT provides some protection by its nature, but honestly, not much. Devices that use UPNP or whatever to open up external firewall ports so you can connect to them are going to be a problem with NAT or not.

          • Actually, IPv6 does not mean no more NAT. It just means that NAT ain't necessary, but that doesn't prevent it from being used if it's required for other requirements like load balancing, network isolation, and so on. In fact, in IPv6, there is an officially recognized way to do NAT - NPT (Network Prefix Translation). That's a lot better than IPv4, where you have at least 3 different ways of doing NAT - none of them officially recognized by the IETF.
    • Properly configured DNS secondaries hosted at different ISPs would have completely mitigated the problem for everyone but Dyn. Because Dyn hosts its own secondaries, hitting Dyn downed both primary and secondary servers.

      ISPs need a peering pool arrangement for DNS secondaries, where secondaries are distributed over the entire pool.

      This is how it was designed to work: multiply connected redundant secondaries.

      The worst damage possible in that scenario is the inability to update DNS information hosted at Dyn.

  • The Usual Suspects (Score:5, Interesting)

    by Fire_Wraith ( 1460385 ) on Sunday October 23, 2016 @05:01PM (#53135931)
    So here we go through the pros and cons of each. This is not to rule any of them out, as I don't think you can at this point, but to lay it all out there.

    Hacktivists (Specifically New World Hackers):
    Pro - claimed responsibility. Anonymous/offshoots responsible for lots of past DDoS activity.
    Cons - Several security firms called BS on the evidence, and cited past history of false claims of responsibility to boost DDoS for hire business. Also the complexity and sophistication make this unlikely.

    Cybercriminals:
    Pro - probable originators of Mirai botnet, likely responsible for preceding DDoSes of Brian Krebs and OVH.
    Con - No stated ransom demands (at least none reported) or other identifiable material benefit. Lacks a direct reason.

    North Korea:
    Pro - Past history of DDoS and malware attacks. Never claims responsibility. Suffers nothing if the internet goes down.
    Cons - Attack only targeted the USA, not perennial NK targets of South Korea or Japan. If this was North Korea, why ignore those two?

    Russia
    Pro - contacts/influence in Russian cybercrime community. Possible interest in interference in US politics.
    Con - No real rhyme or reason for doing so now. Widespread (as opposed to targeted) disruptions likely don't have any predictable impact to swaying the election.

    China
    Pro - Reports that many of the infected devices were Chinese in origin
    Con - China normally steals your business secrets rather than DDoS you. Chinese devices weren't the only ones, too - bad security is everywhere.

    US intelligence (NSA et al)
    Pro - False flag?
    Con - NSA wants to listen in on your data, not shut you off from communicating. Unlikely that there is anyone who supports Wikileaks/Assange/Anonymous/etc that would change their minds over this.

    This is by no means a comprehensive list, just off the top of my head.
    • So in other words, they have no clue who did it.
      • Attribution isn't easy.
        In the words of a certain Dread Pirate, "Anyone who tells you differently is trying to sell you something."
    • by AHuxley ( 892839 )
      Given the billions the 5 eye nations spend on the "internet" and all their bases, camps and shared sites globally, finding the command and control should not be hard?
      Even if it's encrypted or p2p or via a commercial or staging server, VPN or lots of hops, or in unexpected nations or by a few people.
      Will they show what their tech can do or save it for "cyber" events?
      Strange how well former crypto gov "operators", open-source counterintelligence operations and contractors can work together and in the open wi
    • by ShaunC ( 203807 )

      There's also the "Bored Teenager" possibility. Some people just want to watch the world burn [wikipedia.org]. For all we know, this is the work of some kid with lots of free time, fucking around for no benefit and without any real motivation.

    • Dyn
      Pro - They misconfigured their own hardware, causing enormous useless traffic and failures.
      Con - A company that charges so much couldn't possibly make a simple configuration mistake!
    • Your Russia con ignores the recent US/CIA saber-rattling about hitting back at Russia for their election related hacking. Russia may have been making it clear that they can hurt us more than we can hurt them because their criminal element owns most of our IoT devices and they can turn those against us at will.
    • This question isn't about who did it, it's about who's to blame.

      The blame here clearly lies on manufacturers that produce products that are insecure by default and lack update policies and procedures to make them secure. There's literally nothing that can be done about this problem on a grand scale.

  • The attackers (Score:5, Insightful)

    by Todd Knarr ( 15451 ) on Sunday October 23, 2016 @06:18PM (#53136169) Homepage

    Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:

    1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.

    2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.

    3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.

    4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
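An added example (not code from the commenter or from any vendor) of the ingress-filtering rules from RFC 2827 and RFC 3704 that point 1 and point 2 above ask ISPs and router makers to deploy. The toy FIB, the customer prefixes, the interface names and the packet records are all constructed; it models an access router's decision, not any real product.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB of a toy access router: prefix -> interface it is reachable through.
FIB = {
    ip_network("203.0.113.0/24"): "cust0",   # assigned to customer A
    ip_network("198.51.100.0/24"): "cust1",  # assigned to customer B
    ip_network("192.0.2.0/24"): "core0",     # remote network learned from upstream
}

# RFC 2827 static ingress filter: the address block each customer port may source from.
ASSIGNED = {"cust0": ip_network("203.0.113.0/24"), "cust1": ip_network("198.51.100.0/24")}


def fib_lookup(addr):
    """Longest-prefix match in FIB; returns the egress interface or None."""
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def bcp38_allows(src, ingress_iface):
    """RFC 2827: on a customer port, accept only sources inside that customer's block."""
    assigned = ASSIGNED.get(ingress_iface)
    return assigned is not None and ip_address(src) in assigned


def urpf_allows(src, ingress_iface, mode="strict"):
    """RFC 3704 unicast reverse-path forwarding.
    strict: the route back to src must point out the interface the packet arrived on.
    loose:  any route to src suffices (only catches unrouted/bogon sources)."""
    route_iface = fib_lookup(ip_address(src))
    if route_iface is None:
        return False
    return True if mode == "loose" else route_iface == ingress_iface


def classify(src, ingress_iface):
    """Return (bcp38_ok, strict_urpf_ok, loose_urpf_ok) for one packet."""
    return (bcp38_allows(src, ingress_iface),
            urpf_allows(src, ingress_iface, "strict"),
            urpf_allows(src, ingress_iface, "loose"))


# Constructed packet records: (source address, ingress interface, note)
PACKETS = [
    ("203.0.113.7", "cust0", "legitimate customer A traffic"),
    ("192.0.2.53", "cust0", "customer A sourcing a remote DNS server's address"),
    ("198.51.100.9", "cust0", "customer A sourcing customer B's block"),
    ("10.0.0.1", "cust0", "source with no route at all"),
]


def spoofed_sources(packets, check="strict"):
    """Sources a filtering ISP would drop under the named check."""
    idx = {"bcp38": 0, "strict": 1, "loose": 2}[check]
    return [src for src, iface, _ in packets if not classify(src, iface)[idx]]


if __name__ == "__main__":
    for src, iface, note in PACKETS:
        print(f"{src:14} via {iface}: bcp38/strict/loose = {classify(src, iface)}  # {note}")
```

Loose mode alone passes the two spoofed-but-routable sources, which is why the comment's RFC 3704 reference matters: only strict mode (or the RFC 2827 static filter) stops a customer from sourcing someone else's addresses.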

  • I find it unfair to blame lawmakers. The law is not a catch-all program that can be written once for any situation. This is why we regularly elect people to make it evolve.

    And regulators tried to do what they could with the power they had been granted by lawmakers.

  • by pipingguy ( 566974 ) on Sunday October 23, 2016 @07:25PM (#53136385)
    The Patriarchy!
  • The main problem was the incompetence of those sites' sysadmins. A TTL under 3600 and all your authoritative nameservers not just with the same provider but on the same platform with the lowest of low, cheap, scum of DNS providers (DynDNS).

    Someone tripping over a cable or typing in the wrong command could've caused this. And it's not like Dyn hasn't just unplugged their customers before.

  • For allowing such a broken internet design to continue to exist.
    For allowing ICANN, RIPE, ARIN and APNIC to continue to exist.
    For not adopting IPv6 faster/earlier.
    For not adopting DNSSEC faster/earlier.
    For not adopting Blockchain based name services faster/earlier and leaving the power at the hands of incompetents.

    Just like non-voting during critical government elections, we vote for those attacks to continue by our lack of action.

    You want those attacks to stop? DO SOMETHING ABOUT IT.

  • Comment removed based on user account deletion
  • Filed under "this is why we can't have nice things" --- How about: upgrading "home" routers to offer some form of packet inspection? Yes I know that sometimes the routers themselves are enlisted in the attack. However, it appears that many IoT devices are setup inside the home/business and are insecure. And homes are adding more IoT devices than they are adding routers - thereby increasing the available munition surface area. Usually it is 1-router and (n)-IoTs.

    Maybe this is a trivial solution - but cou

  • Keep in mind that job creators - and the GOP oligarchy in general - decry anytime someone wants to add "regulations" (aka cost) to an industry or product. It just gives more fuel to the off-shored fodder types.
    As far as getting the globe to agree on "being nice", well as soon as human trafficking goes away, I'll believe it. Till then, the reality is nobody needs a camera in their toaster, fridge or Amazon echo.... Or if you think you want one, you need your head examined.
    Till consumers decide privac
  • Your mom has too many open ports.
