Security man Krebs' website DDoS was powered by hacked Internet of Things botnet

The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet. "Attack appears to include numerous IoT devices, including security cameras. Still itemizing them," an Akamai spokesman told El Reg by email. …

  1. CM
    WTF?

    Akamai?

    Surprised at Akamai. The world knows their limit now. They should have kept him onboard even if a short offline of the host was done to shut down the attack.

  2. Anonymous Coward

    Cry baby dossers

    ohh poor babies got caught being bad people, so now they do more bad things. Fricking crybabies. Get a real job, contribute to the world and stop being such a cry baby/taker.

    1. Anonymous Coward

      Re: Cry baby dossers

      :') Get back to Reddit!

  3. Dick

    What's an IOT device owner to do?

    Aside from changing any default password that's user accessible, what can an IOT device owner do to minimize the risk of their device being used this way?

    1. Simon Hobson Silver badge

      Re: What's an IOT device owner to do?

      > ... what can an IOT device owner do to minimize the risk of their device being used this way?

      Unplug it ?

      1. CrazyOldCatMan Silver badge

        Re: What's an IOT device owner to do?

        > Unplug it ?

        Or (if you *have* to have it), put in a good firewall and make sure access to it is comprehensively filtered.

    2. Brian Miller

      Re: What's an IOT device owner to do?

      That's the problem: besides keeping the firmware up to date, and having non-default passwords, nothing can be done. They have basic configuration security holes you can fly a Deathstar through, and you can't do anything about them, except for not allowing the world+dog to access them through the network.

      But most people (vast majority) not only allow world+dog to access them, but the devices don't have the passwords changed or the software updated. And this won't change until the ISPs shut access off until the customers secure the devices.

      1. Robert Helpmann??

        Re: What's an IOT device owner to do?

        ...not allowing the world+dog to access them through the network.

        That! That right there! Some enterprising soul ought to start offering home network security services that start with setting up a router and blocking any attempt to access from outside and move on from there.

      2. ilmari

        Re: What's an IOT device owner to do?

        An increasing number of cameras seem to, in addition to manufacturer dyndns, have always-on unconfigurable tunnels back to the manufacturer, or some other "cloud" in China, so that the mobile apps will "just work" through quadruple NATs.

        My router supports WAN capture and I figured out the external IP the camera connected to with that, and the router also lets me block IPs. Quite a complicated thing to do for most people though!

        1. Anonymous Coward

          Re: What's an IOT device owner to do?

          I made sure I bought wired and kept the box unconnected from our network. If I develop an overwhelming urge for off-site monitoring, well that's what subnets, VPNs, &c. are for. Recording (deliveries anyone?) and bonking when someone comes on-property were my interests.

          1. Dan 55 Silver badge

            Re: What's an IOT device owner to do?

            Two nations divided by a common language?

          2. phuzz Silver badge

            Re: What's an IOT device owner to do?

            "bonking when someone comes on-property"

            I'm not sure what that means but it sounds kinky.

            Please continue...

        2. CrazyOldCatMan Silver badge

          Re: What's an IOT device owner to do?

          > and the router also lets me block IPs

          My firewall currently blocks the whole Chinese netblock.
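The approach ilmari describes above (capture the camera's WAN-side connections, then block the destinations it should not be talking to) as an added example, not code from any commenter. The log format, the device address 192.168.1.50, the allowed NTP server and all destination addresses are constructed for the example; the output is an allowlist-style summary plus nftables rule bodies for whatever is left.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a router's WAN-side connection log (format assumed for this example):
# "<time> <proto> <lan-src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
18:50:01 udp 192.168.1.50:49152 -> 192.168.1.1:53
18:50:02 tcp 192.168.1.50:49153 -> 203.0.113.77:443
18:50:02 udp 192.168.1.50:123 -> 198.51.100.20:123
18:50:05 tcp 192.168.1.50:49154 -> 203.0.113.77:443
18:50:09 udp 192.168.1.50:8800 -> 192.0.2.33:32100
18:50:10 tcp 192.168.1.20:51000 -> 198.51.100.9:443
18:50:11 udp 192.168.1.50:8801 -> 192.0.2.33:32100
"""

LINE_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

# RFC 1918 ranges checked explicitly: ipaddress.is_private also counts the RFC 5737
# documentation ranges used in the sample as private, which would hide every hit.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str):
    """Return (proto, src, dst, dport) or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, proto, src, _, dst, dport = m.groups()
    return proto, src, dst, int(dport)


def outbound_destinations(log: str, device_ip: str, allowed: frozenset) -> dict:
    """Map each unexpected non-LAN destination of device_ip to its hit count and (proto, dport) pairs.

    LAN destinations and the allowed set are skipped; everything else is a candidate for a
    block rule, or at least for a question to the vendor."""
    found = defaultdict(lambda: {"hits": 0, "services": set()})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if src != device_ip or dst in allowed:
            continue
        if any(ipaddress.ip_address(dst) in net for net in LAN_NETS):
            continue
        found[dst]["hits"] += 1
        found[dst]["services"].add((proto, dport))
    return dict(found)


def nft_block_rules(device_ip: str, destinations) -> list:
    """Render one nftables forward-chain rule body per destination (table and chain are assumed)."""
    return [f"ip saddr {device_ip} ip daddr {dst} drop" for dst in sorted(destinations)]


if __name__ == "__main__":
    hits = outbound_destinations(SAMPLE_LOG, "192.168.1.50", frozenset({"198.51.100.20"}))
    for dst, info in sorted(hits.items()):
        print(dst, info["hits"], sorted(info["services"]))
    print("\n".join(nft_block_rules("192.168.1.50", hits)))
```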

      3. Crazy Operations Guy

        "besides keeping the firmware up to date, and having non-default passwords, nothing can be done."

        There are far too many devices out there where you can't change the password or upgrade the firmware. Some of them will have a device-unique password, but it is mathematically derived from its MAC address or serial number (which it'll stuff into every outgoing packet...)

        1. Long John Brass

          > besides keeping the firmware up to date, ...

          > derived from its MAC address or serial number (Which it'll stuff into every outgoing packet

          MAC addresses are stripped by whatever gateway forwards the traffic

    3. Captain Badmouth

      Re: What's an IOT device owner to do?

      I think we should start referring to them as idIOT devices.

      1. Captain DaFt

        Re: What's an IOT device owner to do?

        "I think we should start referring to them as idIOT devices."

        Insecurely Designed Internet Of Things

        There ya go!

        1. peecoomar

          Re: What's an IOT device owner to do?

          FULLY AGREE... I like it. IDIOTS will take over the world!!

    4. ecofeco Silver badge

      Re: What's an IOT device owner to do?

      Not buy one in the first place.

      I and others here have been warning it was only a matter of time. The other warning is that it will not be fixed any time soon.

    5. Matt Bryant Silver badge

      Re: Dick Re: What's an IOT device owner to do?

      "....what can an IOT device owner do to minimize the risk of their device being used this way?" Put a decently configured firewall between the IoT devices and the Internet to stop them being a nuisance to everyone else.

  4. Matt Bryant Silver badge

    GRE packets?

    Surely, if you're not expecting any incoming VPN requests to the IP address of your website, just block the GRE ports and ignore such requests?

    1. Simon Hobson Silver badge

      Re: GRE packets?

      > ... just block the GRE ports and ignore such requests?

      Well that would be what the DDoS management service would do. But it needs the ability to divert all the traffic through a site which a) has the bandwidth and b) is able to apply filters to that volume of traffic.

      Most ISPs won't have the means to redirect all that traffic AND filter it - even if they have the upstream bandwidth. Trying to filter it at your own site is useless because it's too late then - a few Gbps of traffic down your 10-100Mbps pipe will completely overwhelm everything.

      And then there is the issue that dealing with this needs prior planning. It's no good phoning up your ISP and asking them to do it "on the fly" as they won't have anything in place. This is where the DDoS mitigation services come in - what to do when it happens is pre-arranged, so you call them up, they trigger the required changes (typically changing the advertised route), and filter the traffic from their own network before passing it (the filtered, good traffic) on to you.

    2. Anonymous Coward

      Re: GRE packets?

      Yeah you could. Depending on the router... however, even dropped packets could technically cause a DDoS. The router/firewall still has to determine what a packet is before it drops it. A big enough queue of traffic could fill the router's memory up or put a significant load on the processor to prevent other traffic getting through.

      Your best bet is to redirect it upstream somewhere.

      Whichever has the lowest overhead.

      In this case they redirected to a sinkhole.

      I generally reserve an IP or two with old crap hardware for this very purpose.

      It also helps to have a website that can be shifted easily. This may be part of the reason static content generators are becoming more popular.
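The filtering discussed in this thread as an added example, not code from any commenter or from a mitigation provider. GRE is IP protocol number 47 rather than a TCP/UDP port, so the rule below keys on the protocol field of the IPv4 header; every packet is still parsed before it is dropped, which is the per-packet cost the reply above describes. All addresses and packets are constructed for the example.

```python
import socket
import struct
from collections import Counter

IPPROTO_GRE = 47  # GRE rides directly on IP (protocol 47); there is no port to block
IPPROTO_TCP = 6


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: 20-byte IPv4 header, no options, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_gre(inner: bytes, ethertype: int = 0x0800) -> bytes:
    """Minimal GRE header (RFC 2784): flags/version word of 0, then the encapsulated protocol type."""
    return struct.pack("!HH", 0, ethertype) + inner


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a filter needs; raise ValueError for anything a router could not classify."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def filter_gre(packets, protected_ip: str, gre_peers: frozenset) -> dict:
    """Drop GRE addressed to protected_ip unless it comes from a configured tunnel peer.
    Every packet is parsed before the decision, so dropping is not free for the filtering box."""
    stats = {"passed": 0, "dropped": 0, "malformed": 0, "gre_sources": Counter()}
    for pkt in packets:
        try:
            ip = parse_ipv4(pkt)
        except ValueError:
            stats["malformed"] += 1
            continue
        if ip["proto"] == IPPROTO_GRE and ip["dst"] == protected_ip:
            stats["gre_sources"][ip["src"]] += 1
            if ip["src"] not in gre_peers:
                stats["dropped"] += 1
                continue
        stats["passed"] += 1
    return stats


def sample_packets() -> list:
    """Constructed mix: unsolicited GRE from two sources, one real tunnel peer, one TCP request, one runt."""
    web, peer = "203.0.113.10", "198.51.100.1"
    inner = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP)
    pkts = [build_ipv4("192.0.2.5", web, IPPROTO_GRE, build_gre(inner)) for _ in range(3)]
    pkts += [build_ipv4("192.0.2.6", web, IPPROTO_GRE, build_gre(inner)) for _ in range(2)]
    pkts.append(build_ipv4(peer, web, IPPROTO_GRE, build_gre(inner)))
    pkts.append(build_ipv4("192.0.2.9", web, IPPROTO_TCP, b"GET / HTTP/1.1\r\n"))
    pkts.append(b"\x45\x00")  # truncated runt: counted as malformed, never passed
    return pkts
```

Running `filter_gre(sample_packets(), "203.0.113.10", frozenset({"198.51.100.1"}))` keeps the peer's tunnel and the TCP request and drops the five unsolicited GRE packets.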

  5. gr00001000

    sites down again

    26-Sept-2016 18:55 site is saying 503 Service Temporarily Unavailable. I was navigating to read it but suspected something was up then found this story.

  6. Badger Murphy

    The shock! The horror!

    Looks like the DDOSers are starting to take advantage of the e-WMDs we've given them by failing to regulate security requirements onto IoT hardware. Stay tuned as their power grows year over year, as everything with an outlet slowly gets moved online.

  7. Anonymous Coward

    In So-IoT Russia....

    Refrigerator used to make choices about website!! :)

    1. Anonymous Coward

      Re: In So-IoT Russia....

      In So-IoT Russia they have strong DDoS. Russian DDoS. Covered in bears.

      Also, Putin could probably DDoS you by himself. With his shirt off. In the wilderness. Whilst riding a bear that he tamed himself by hypnotising it by waving his massive (and 150% heterosexual) cock and balls.

      At least that's what his press team would say.

  8. Mark 85 Silver badge

    Seems that IoT is about to bite itself in the ass... if it hasn't already. Add zilch security to basically solutions looking for problems.

    As for the cameras... while necessary for many businesses and home security, the manufacturers just don't give a crap as to who has access to them. Pity... security of the device could be a selling point, in my opinion.

    1. Alan Brown Silver badge

      As for the cameras...

      The irony of security devices with zilch security shouldn't be lost on anyone.

      The way forward is to prosecute a few people for participating in a DDoS.

      If they turn around and sue their suppliers, things would change pretty fast. Finding there are liabilities involved is a rapid way of making people aware of the consequences of their negligence.

  9. Syntax Error

    IoT should be banned. Trouble is finding a politician in the UK who understands.

    1. ecofeco Silver badge

      Or anywhere. It's the new fashion tech.

  10. Mikey

    Are you feeling it now, Mr Krebs?

    Seriously though, how long are we going to suffer all this hell of unsecured gadgets and systems before we get something even remotely secure... (haha, geddit?)

    Maybe someone should use such a network and go hit the designers' systems, give them a taste of a problem of their own making, methinks?

  11. Anonymous Coward

    A quick fix...

    For a significant chunk of the devices out there would be for ISPs to disable UPnP by default on their crap routers.

    Then get rid of the crap routers.



Biting the hand that feeds IT © 1998–2022