Slashdot Mirror
Krebs Warns Source Code Leaked From Massive IoT Botnet Attack (krebsonsecurity.com)
Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity:
The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...
The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.
The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.
Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems."
Yeah, I doubt it.
Customer: My internet is slow.
Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
Customer: Yes, my internet is still slow.
Comcast: Let me to be sending the signal to your modem!
Customer: Didn't do anything, my internet is still slow.
Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
Customer: Yes, 5 minutes ago while I was talking to you! My internet is still slow.
Comcast: Let me to be sending the signal to your modem!
"If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
No problem.
My old ISP used to detect SMB port access. If they witnessed any - i.e. your connection was opening your file shares to the world - they would block your web and replace every page with a notice until you signed a document stating that you intended to do this. I think you needed customer number so not something that the kids could just press okay on for you.
At that point, they would open up the port again, or - if you'd fixed the problem and they detected that - they'd check once an hour and take the block off.
Force ISPs to do the same for when they detect spam email, or botnet-contribution, etc. Then when they detect it again after they'd signed, you can just kick them off for AUP violation.
But easier - just charge people by the byte. That's what'll end up happening. And most people won't even know or care that they're sending gigabytes to some poor sod's website.
The reason you can't simply get as many bots isn't that ISPs start finding out that they have a responsibility. It's simply that more players are fighting over the bots.
Next step is probably botters hacking devices and changing the passwords so other bot herders can't use them. It's the usual game: A resource is only valuable if the other one does NOT have it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is more a result of people wanting the latest gadget with the most gimmicks, ignoring security or whether they actually need those gimmicks. This of course leads to manufacturers stuffing more and more gimmicks into their toys, and with the rule that the first to the market makes the buck, security is simply ignored, since the customer does not give a shit about it.
It's simply market economics at work.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Am I thinking wrong, or isn't this potentially a good thing? The more DOS:ers fighting for the same bots, the fewer of them will be able to hit each site. Thus they won't really be effective any longer.
Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."
A frightening "future" indeed.
It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).
Maybe all the ISP's should grab a copy of the code and use it for scanning for vulnerable client devices and tell their customers to disconnect them before the ISP does it for them.
So is it time for people to start bricking every unsecured IoT device or what?
Anons need not reply. Questions end with a question mark.
Wouldn't most if not all DDoS attacks be much harder if ISPs implemented BCP38? Of course IoT devices should be secure, but this is a dream as software will always contain bugs. The number of ISPs is much smaller than the number of devices connected to the internet, so blocking spoofed IP traffic is much cheaper solution.
What's "misbehaviour"?
Il n'y a pas de Planet B.
I've been trying to get more info on this IoT unsecure thing and understand what these devices are. One thing that confuses me is that - aren't these things installed (mostly) in Residential Homes? which would be behind a "firewall" router that (usually) uses NAT?
The reason I ask this - how do I protect myself if I place such a device in my home? Are these pwned devices on the open network --- or can they be attacked through NAT? My "smart" TV, Bluray, Amazon TV, Apple TV, Raspberry Pi, Sonos, etc are all on the network. I have a NAT w/ uPNP disabled (prevent holes from being poked). Sure I understand there are ways through NAT....but these IoT attacks seem to "telnet" directly to the device without any special layers.
Beyond basic NAT/uPNP --- what else do I need to know?
Thanks!