Security man Krebs' website DDoS was powered by hacked Internet of Things botnet The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet. "Attack appears to include numerous IoT devices, including security cameras. Still itemizing them," an Akamai spokesman told El Reg by email. …
That's the problem: besides keeping the firmware up to date, and having non-default passwords, nothing can be done. They have basic configuration security holes you can fly a Deathstar through, and you can't do anything about them, except for not allowing the world+dog to access them through the network.
But most people (vast majority) not only allow world+dog to access them, but the devices don't have the passwords changed or the software updated. And this won't change until the ISPs shut access off until the customers secure the devices.
...not allowing the world+dog to access them through the network.
That! That right there! Some enterprising soul ought to start offering home network security services that start with setting up a router and blocking any attempt to access from outside and move on from there.
An increasing number of cameras seem to, in addition to manufacturer dyndns, have always-on unconfigurable tunnels back to the manufacturer, or some other "cloud" in China, so that the mobile apps will "just work" through quadruple NATs.
My router supports WAN capture and I figured out the external IP the camera connected to with that, and the router also let's me block IPs. Quite a complicated thing to do for most people though!
I made sure I bought wired and kept the box unconnected from our network. If I develop an overwhelming urge for off-site monitoring, well that's what subnets, VPN's, & c. are for. Recording (deliveries anyone?) and bonking when someone comes on-property were my interests.
There are far too may devices out there were you can't change its password or upgrade its firmware. Some of them will have a device-unique password, but is mathematically derived from its MAC address or serial number (Which it'll stuff into every outgoing packet...)
> ... just block the GRE ports and ignore such requests?
Well that would be what the DDoS management service would do. But it needs the ability to divert all the traffic through a site which a) has the bandwidth and b) is able to apply filters to that volume of traffic.
Most ISPs won't have the means to redirect all that traffic AND filter it - even if they have the upstream bandwidth. Trying to filter it at your own site is useless because it's too late then - a few Gbps of traffic down your 10-100Mbps pipe will completely overwhelm everything.
And then there is the issue that dealing with this needs prior planning. It's no good phoning up your ISP and asking them to do it "on the fly" as they won't have anything in place. This is where the DDoD mitigation services come in - what to do when it happens is pre-arranged, so you call them up, they trigger the required changes (typically changing the advertised route), and filter the traffic from their own network before passing it (the filtered :good: traffic) on to you.
Yeah you could. Depending on the router...however even dropped packets could technically cause a DDoS. The router/firewall still has to determine what a packet is before it drops it. A big enough queue of traffic could fill the routers memory up or put a significant load on the processor to prevent other traffic getting through.
Your best bet is to redirect it upstream somewhere.
Whichever has the lowest overhead.
In this case they redirected to a sinkhole.
I generally reserve an IP or two with old crap hardware for this very purpose.
It also helps to have a website that can be shifted easily. This may be part of the reason static content generators are becoming more popular.
In So-IoT Russia they have strong DDoS. Russian DDoS. Covered in bears.
Also, Putin could probably DDoS you by himself. With his shirt off. In the wilderness. Whilst riding a bear that he tamed himself by hypnotising it by waving his massive (and 150% heterosexual) cock and balls.
At least thats what his press team would say.
Seems that IoT is about to bite itself in the ass... if it hasn't already. Add zilch security to basically solutions looking for problems.
As for the cameras... while necessary for many businesses and home security, the manufacturers just don't give a crap as to who has access to them. Pity... security of the device could be a selling point, in my opinion.
The irony of security devices with zilch security shouldn't be lost on anyone.
The way forward is to prosecute a few people for participating in a DDoS.
If they turn around and sue their suppliers, things would change pretty fast. Finding there are liabilities involved is a rapid way of making people aware of the consequences of their negligence.
Are you feeling it now, Mr Krebs?
Seriously though, how long are we going to suffer all this hell of unsecured gadgets and a systems before we get something even remotely secure... (haha, geddit?)
Maybe someone should use such a network and go hit he designers systems, give them a taste of a problem of their own making, methinks?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
