Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Botnet Security

Bigger Than Mirai: Leet Botnet Delivers 650 Gbps DDoS Attack (betanews.com) 74

Reader Mark Wilson writes: Earlier in the year, a huge DDoS attack was launched on Krebs on Security. Analysis showed that the attack pelted servers with 620 Gbps, and there were fears that the release of the Mirai source code used to launch the assault would lead to a rise in large-scale DDoS attacks. Welcome Leet Botnet. In the run-up to Christmas, security firm Imperva managed to fend off a 650 Gbps DDoS attack. But this was nothing to do with Mirai; it is a completely new form of malware, but is described as "just as powerful as the most dangerous one to date". The concern for 2017 is that "it's about to get a lot worse". Clearly proud of the work put into the malware, the creator or creators saw fit to sign it. Analysis of the attack showed that the TCP Options header of the SYN packets used spelled out l33t, hence the Leet Botnet name.
This discussion has been archived. No new comments can be posted.

Bigger Than Mirai: Leet Botnet Delivers 650 Gbps DDoS Attack

Comments Filter:
  • by Desler ( 1608317 ) on Wednesday December 28, 2016 @01:08PM (#53566363)

    Should rename these from IoT devices to Internet of DDoS devices.

    • by Anonymous Coward

      The name in the subject was better. IoS Internet of Shit devices.

    • The internet is really trashing its own reputation with this guff. I'm pretty interested in an internet camera system for my house (Live inner city, it gets pretty crazy in my hood) BUT If its just going to make me a sitting duck for s'kiddies building ddos nets, well no, I think i'll hold off.

    • Internet of Never updated, Easily Pwn3d Things,

      I.N.E.P.T?

  • I know I might be being naive, but there is no way to solve the problem at the root, such as cutting the connection of devices that begin to generate disproportionately traffic aimed at a single site (the target)?
    • I know I might be being naive, but there is no way to solve the problem at the root, such as cutting the connection of devices that begin to generate disproportionately traffic aimed at a single site (the target)?

      Each source is just a small part of the whole generating traffic the looks "normal" for the most part. So a bit harder to automatically filter. But... Logs and tracking back, and using the existing RIAA procedures to warn and then disconnect those sources would be a good start.

      • by Desler ( 1608317 )

        Exactly. Especially when these IoT bothets are in the hundreds of thousands of devices. The amount of traffic per device is less than what is used simply streaming from Netflix.

    • by Anonymous Coward

      The whole point of a ddos attack is that each bot is only sending small amounts of traffic such as to not alert the user or their ISP.

      • I imagined something like that, but this would not limit the effectiveness of the attack? 650Gbps suggest a large number of machines generating a lot of traffic each, if they are using your suggestion this would mean an absurd number of bots involved to be possible.
        • by Anonymous Coward

          Now we know what is in the header, couldn't the ISP reject these packets?

    • by gweihir ( 88907 )

      Nobody in this attack generates "disproportional traffic". That is the idea of DDoS.

    • I'll take the liberty of re-phrasing the question: What can be done to prevent "my" IOT devices, which require some access to the internet, from being part of the problem?

      Don't really know the answer; consumer routers aren't up to the task, and configuring a more advanced router/firewall isn't easy, and the end devices themselves have terrible security. You could proxy some of the data that is sent by the equipment and track anomalies... but that becomes a lot of work.
      • I just bought a small box with two Ethernet ports for under $150US that I plan to run something like pfSsense or similar on. I'll supplement an HDD and RAM scavenged from a retired laptop to complete the H/W package. The initial rationale was to block DNS requets to any but my preferred provider to defeat the DNS hijacking attacks. Perhaps there would be a way to detect unusual traffic patterns and block them to thwart other sorts of attacks. Better yet, I could restrict outbound connections from my devices

        • I would say you might be better off with a $50 Ubiquiti EdgeRouter X; cheaper and easier.

          (I was just thinking about Breaking Bad this morning...)
          • I would say you might be better off with a $50 Ubiquiti EdgeRouter X; cheaper and easier.

            Definitely cheaper and easier. My Asus AC-RT68 is also cheaper and easier.

            I'm pretty confident that that pfSense has a broader feature set and is likely more secure than the Asus. I wonder where the EdgeRouter X fits on that spectrum?

      • Most IoT devices don't need to talk to the entire Internet. At most, they need to phone home to a few servers made by the device manufacturer. So build a protocol in which devices identify themselves, and after authorization the home router then downloads a signed ruleset. If the device is later compromised, the DDoS traffic is blocked and reported somewhere.

        Yes, there are quite a few details to work through to reduce the risk of this being spoofed, and dealing with legacy devices, but in principle this

        • Good point; you could create a pretty simple adaptive firewall for each product. Problem is feature changes and off-requests, but if initially blocking doesn't hinder functionality it isn't too bad. I think the DPI engine on my EdgeRouter can get me halfway there... but it would be a pain to maintain individually.
    • I wonder if some security boffin might publish on github some iptables rate limiting rules in the same vein as dropping inbound ssh connections, but for any outbound IOT device traffic. Perhaps an ISO/ECMA mandated IOT ID byte in the MAC address after vendor ID [FE]? It appears iptables wont match against a MAC Regular Expression in filters.The manpage seems to require requires a fully qualified MAC. In lieu of revising the source code, the logic can be inverted and limit all addresses that aren't specifi
  • by xanthos ( 73578 ) <[xanthos] [at] [toke.com]> on Wednesday December 28, 2016 @01:50PM (#53566633)
    Ok, everybody who was effected by this raise your hands! Anybody?

    These DDOS attacks are mildly interesting but irrelevant in the grander scheme of things. Given the nature of the attack payloads, it probably would have been effective at less than 100 Gbps so why hype the new high watermark? AFAIK, DDOS isn't a huge money maker so this isn't a threat in the same league as ransomware.

    Quit trying to promote vandalism as news and maybe, just maybe it will become less interesting a thing to do.
    • by Anonymous Coward

      "These DDOS attacks are mildly interesting but irrelevant in the grander scheme of things"

      Hitler's conquering of Poland was irrelevant in the grander scheme of things, until it wasn't.

    • This is just a test really, and it'll be irrelevant until it's not. Egg on their face and what not.

      When they can ramp this up to hit something important that's not air gapped, I wonder if you'll still be on the high horse saying it's 'vandalism'.

      DDoS doesn't exist to generate money, it's used to create chaos.

    • Ok, everybody who was effected by this raise your hands! Anybody?

      Me. I'm affected. I'm affected by the display of a possibility. I'm affected by the fact that this amount of bandwidth is available to someone to knock essentially any target offline. Today it's Krebs, tomorrow it's my bank.

      Just because my internet wasn't slow doesn't mean that it's a very real problem that needs to be looked in and addressed, just like a bunch of vandals tagging a subway station is good and fun until the tag the windscreen of my car.

    • by Anonymous Coward

      It is a money maker, Companies who suffer from the DDoS lose revenue, their competitors make a ton during that period

    • "Ok, everybody who was *sic*effected*sic* by this raise your hands! Anybody?"

      Short memory eh? A DDoS attack took down multiple services around oct ( https://www.wired.com/2016/10/... [wired.com] ). That one personally affected me as one of our dns providers went down, causing customers headaches for a day or two.

      So yes, ddos attacks do *affect* people, in the real world, right now. And they are scary and newsworthy when they occur.

      The end result should be that companies are law bound and forced to support IoT devices f

    • Ok, everybody who was effected by this raise your hands! Anybody?

      It's certainly possible that with traffic to some sites disrupted, some people turned to other ... entertainments, and in the process effected someone. But I'm afraid you'll have to wait ~9 months for any of the latter group to raise their hands.

  • by Anonymous Coward

    See subject: SYN Attack Protection

    ---

    The named value to enable SYN attack protection is located beneath the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

    Value name: SynAttackProtect

    Recommended value: 2

    Valid values: 0 1 2

    Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried a

  • by silas_moeckel ( 234313 ) <silas AT dsminc-corp DOT com> on Wednesday December 28, 2016 @02:25PM (#53566853) Homepage

    10g transit ports are about the smallest practical to buy, 40 and 100 are a lot more common. This is a big attack as attacks go but not really pushing a well-built network.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      > This is a big attack as attacks go but not really pushing a well-built network.

      This attack is 5% _larger_ than the one that was directed at Krebs's site. Krebs was forced offline because the provider that was keeping his site up could no longer do so pro-bono, and there was no way in hell he could pay market rate for those services: https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

      Also, the attack against Krebs's site was -prior to this most recent one- the largest reported DDoS, e

    • This is a big attack as attacks go but not really pushing a well-built network.

      This is a larger attack that previously caused a company which defends against these kinds of attacks to cut ties with the customer under attack.
      It's also a significantly larger attack than many smaller attacks which have had actual economic damage as not everyone builds your "well-built" network because surprise surprise when you provision a network you design it for maximum load under conditions based on your users, not on the entire weight of an IoT botnet raining hell on you.

      Brushing this off is a big m

      • No, those networks are just not large enough to realistically defend against a DDOS lots of places sell the service few can really back that up.

  • Solution: change the default password on your IoT device and disable UPnP ..

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...