Mirai and Bashlight Join Forces Against DNS Provider Dyn (arstechnica.com)
A second wave of attacks has hit dynamic domain name service provider Dyn, affecting a larger number of providers. As researchers and government officials race to figure out what is causing the outages, new details are emerging. Dale Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack." Ars Technica reports: The botnet, made up of devices like home WiFi routers and internet protocol video cameras, is sending massive numbers of requests to Dyn's DNS service. Those requests look legitimate, so it's difficult for Dyn's systems to screen them out from normal domain name lookup requests. Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attacks on Krebs, which at one point reached a traffic volume of 620 gigabits per second. Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible. Prince told Ars: "They're tough attacks to stop because they often get channeled through recursive providers. They're not cacheable because of the random prefix. We started seeing random prefix attacks like these three years ago, and they remain a very common attack. If IoT devices are being used, that would explain the size and scale [and how the attack] would affect someone the size of Dyn."
So which is it?
The name of the bot is Mirai.
Here is the source: https://github.com/jgamblin/Mirai-Source-Code
I wrote this 2.5 years ago:
"The Hillary Clinton campaign is tied to Dyn.com through its officer, Gray Chynoweth and others. This connection is being used because in 1999, I hosted critical evidence on the free dyndns service. A free service can't be censored in the same way that a paid for service can. I know this from personal experience because I couldn't be censored until now. My ISP was pressured to close my account but couldn't because the NZ courts upheld my Lifetime Premier Internet connection. Instead the ISP was sold many times and is now in the hands of Vodafone. You may think me delusional, when I say that maintaining this 15 year long Clinton battle has cost me everything, but that's just the way it turned out. Being railroaded by Clinton reputation cleaners means they've set up everything to go down a single track to make me appear guilty and take the fall for a crime and not be able to get out of it. Unbeknownst to me a dormant bank account was fed with disability checks and then siphoned. My regular NZ bank account was also drained by someone booking a flight out of Malta for a Libyan to get to Ukraine in early Sept 2011, and then after 20 million seconds, or 33 weeks to be exact on May 1st, 2012, I was sent a phishing email from a Masonic organization in Paris alerting me to the dormant bank account in Canada. Inquiries led me to believe a higher amount actually existed and subsequent attempts to settle this overpayment have been stonewalled and bank transactions no longer exist to explain the siphoned funds. Search for dyndns + clinton and save what you can from the first Google link, because in a month it will be gone."
AND IT'S GONE. So instead search in quotes "GOOGLE WHY CLINTON WAS RUSSIAN SPY"
Reddit, Airbnb, and some other shit sites were affected.
No harm was done.
If you take down critical infrastructure, you should expect law enforcement to shoot to kill.
You are welcome on my lawn.
Spammers would prepend characters on email address domain names. Sounds familiar. It was difficult to filter out. I was able to get around it with SpamAssassin but risked false positives.
Maybe DNS needs something similar.
Forcing Ecuador to cut off Assange's Internet access didn't work out like you petty thug wannabes planned, did it?
There is no good reason that we should be dependent on this system of domains. Centralized control is dangerous and enables censorship and attacks like this one. Whether it is a criminal, rogue agent, or government, we shouldn't be dependent on centralized infrastructure. Obviously it's a lot harder to decentralize than this, but it's a great area for Computer Science research. We need more of it. We need more focus on distributed, anonymous, decentralized systems of all kinds.
There may very well be something I'm missing here, but I have a suggestion for how to deal with the random prefix attack.
Keep a running count of the number of requests for non-existent subdomains. Once they exceed a certain number in a short period of time, cease to respond to requests for subdomains that aren't already cached as valid.
Example: foo.com, www.foo.com, and mail.foo.com are cached. A flood of requests for (random chars).foo.com starts up. Once this exceeds 100 requests in a minute, all requests for foo.com subdomains are ignored except for foo.com, www.foo.com, and mail.foo.com.
This would still cut off access to infrequently-accessed subdomains, but subdomains with enough traffic to be in the cache would remain reachable.
Proud member of the Weirdo-American community.
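The random-prefix flood Prince describes in the summary, and the NXDOMAIN-counting throttle proposed in the comment above, as an added example that is not part of the original post or of any Dyn or CloudFlare code. The zone contents, the threshold of 100 NXDOMAINs per 60-second window and the attack rate are all constructed for the demonstration; the point it makes beyond the comment is the side effect the commenter anticipated: a valid but rarely queried name (intranet.foo.com here) is cut off while the throttle is active and comes back once the window empties.

```python
import random
import string
from collections import Counter, deque

# Constructed toy zone for the demonstration (assumed data, not from the article).
# These are the names the authoritative server really has records for.
ZONE_DATA = {
    "foo.com": "192.0.2.1",
    "www.foo.com": "192.0.2.1",
    "mail.foo.com": "192.0.2.2",
    "intranet.foo.com": "192.0.2.3",  # valid but rarely queried, so never in the hot cache
}


class NxdomainThrottle:
    """Authoritative front end implementing the proposal above: serve hot names
    from cache, count NXDOMAIN answers for the zone in a sliding window, and
    once the count passes the threshold answer only names already cached."""

    def __init__(self, zone_name, zone_data, threshold=100, window=60.0):
        self.zone_name = zone_name
        self.zone_data = zone_data
        self.threshold = threshold
        self.window = window
        self.cache = {}            # name -> ip, filled by successful answers
        self.nx_times = deque()    # timestamps of recent NXDOMAIN answers

    def _in_zone(self, name):
        return name == self.zone_name or name.endswith("." + self.zone_name)

    def _recent_nxdomains(self, now):
        # Drop timestamps that have aged out of the sliding window.
        while self.nx_times and self.nx_times[0] <= now - self.window:
            self.nx_times.popleft()
        return len(self.nx_times)

    def resolve(self, name, now):
        """Return (status, ip). status is one of
        refused / cached / dropped / NXDOMAIN / answered."""
        if not self._in_zone(name):
            return "refused", None
        if name in self.cache:                      # hot names are always served
            return "cached", self.cache[name]
        if self._recent_nxdomains(now) >= self.threshold:
            return "dropped", None                  # throttled: uncached name ignored
        ip = self.zone_data.get(name)
        if ip is None:
            self.nx_times.append(now)
            return "NXDOMAIN", None
        self.cache[name] = ip
        return "answered", ip


def random_prefix_query(zone_name, rng, length=8):
    """Build one attack query such as 'k3x9q0dz.foo.com' (random label, real zone)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length)) + "." + zone_name


def simulate(flood_size=150, threshold=100, seed=1):
    """Warm the cache with three hot names, run a random-prefix flood, then probe."""
    rng = random.Random(seed)
    srv = NxdomainThrottle("foo.com", ZONE_DATA, threshold=threshold, window=60.0)
    t = 0.0
    for name in ("foo.com", "www.foo.com", "mail.foo.com"):
        srv.resolve(name, t)                        # legitimate traffic fills the cache

    flood = Counter()
    for _ in range(flood_size):
        t += 0.1                                    # ten attack queries per second
        status, _ip = srv.resolve(random_prefix_query("foo.com", rng), t)
        flood[status] += 1

    return {
        "flood": dict(flood),
        "www.foo.com": srv.resolve("www.foo.com", t)[0],            # still served
        "intranet.foo.com": srv.resolve("intranet.foo.com", t)[0],  # collateral damage
        "after_window": srv.resolve("intranet.foo.com", t + 61.0)[0],  # throttle lifts
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Two caveats a practitioner would add: the counter has to live at the authoritative server, since the random prefixes never hit any recursive cache, and a per-zone counter lets an attacker who floods one customer zone deny that customer's own uncached names. Production servers already ship a related mechanism: BIND's response rate limiting can cap NXDOMAIN and other answers per client netblock rather than per zone, which limits the collateral damage to the sources doing the flooding.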
Could there be no way for consumers of IoT to secure their own devices- a centralized 'app' to check that their IoT are not sending unexpected traffic over the network?
The widespread growth of IoT connected consumer devices with default and often outdated settings is staggering.
Why does everyone use such small DNS TTLs? Checking some of the domains (including twitter) that went down, their TTLs are all less than 200...are their networks so dynamic that 1800, 3600, 7200 wouldn't work? Would really minimize the effect of DNS outages...
Is there a reputable and updated list posted anywhere? I'd like to know if I happen to own something that has a decent chance of being taken over. I'd probably replace it, assuming I could not simply update the firmware.
Right now the only IoT-type devices I have connected are a Buffalo router (DD-WRT out of the box) and an Ooma telephone box. Of course there is also the cable modem, but that is leased.
Perhaps we could add features to DD-WRT and similar that look at our usage patterns, and notify us when it sees a usage pattern that just seems odd.
"Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices."
Gee, who could have seen this coming? Oh, that's right, lots of people, including me.
The IoT (Internet of Terrors) is upon us. Buckle up, baby. It's going to be a bumpy ride and it's going to get worse before it gets better...if it ever does, that is.
Personally I'm not holding out much hope- the damage is done. Millions and millions of craptastic insecure IoT gadgets are out there right now, happily botting away.
Even if starting tomorrow every single new gadget sold was 100% secure, it's too late- the world's infrastructure is already infected with mountains of this consumer-grade garbage that will be around for a long, long time.
Just cruising through this digital world at 33 1/3 rpm...
Why are we still using DNS? It's stupid. It's not secure. It's ugly. Quit bickering and settle on a secure alternative.
The Level 3 CSO is Dale, not Dan.
BusyBox is not "a pared-down version of the Linux operating system".
It is often USED as PART of a pared-down Linux install, but is not itself a version of Linux.
https://www.busybox.net/about....
BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc.
Is your job to invent phony job postings?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Technically speaking, Mirai and Bashlight are the most widespread. So it's like launching an attribution dart at a board as large as a two-storey building.
Implement a solution for the DDoS attacks that can filter out the requests as near to the device as possible. And figure out a way to disable or fix the device. And find a permanent solution to the problem, like banning devices from the internet if their software is not up to date.
I have two routers. One's a Zytel provided by the phone company, and then I also have one of the Russian-make ones (TP / Archer).
How would I know if they are part of the botnet?
Some drink at the fountain of knowledge. Others just gargle.
What I don't understand is how this is affecting things. Most people and small businesses just use the DNS that their service provider offers, e.g. Comcast. Another tranche of people change it to something like Google's 8.8.8.8. Large businesses may implement their own DNS.
So how is it Dyn matters? Who uses it?
Some drink at the fountain of knowledge. Others just gargle.
There have been many debates on Slashdot over the years about whether it's a good thing for 'grayhats' to take over and patch/disable compromised PCs which are part of a botnet. Generally the consensus seemed to be that it was probably not a good idea. But with the IoT botnets, we're in a whole different situation. It's quite likely that nearly all of them will not only be unpatched but will never even be patchable, and their sheer numbers are getting overwhelming. If they're starting to effectively bring down large sections of the internet and there's no other realistic solution, it's really time for a 'search and destroy/disable' action against them.
Your ISP's name servers don't have the records for each name. Instead, it goes like this:
Your computer asks your ISP for the IP of mail.yahoo.com.
Your ISP asks the root servers "which DNS servers know about .com names?" The root server says "ask dns.root.com, aka 1.2.3.4." The ISP asks dns.root.com "which DNS servers know about yahoo.com?" dns.root.com replies "four.dyndns.org knows about yahoo.com names."
The ISP asks four.dyndns.org "what's the IP for mail.yahoo.com?"
four.dyndns.org has the record for mail.yahoo.com and sends it back to your ISP.
The ISP sends it to you.
The ISP caches the answer for a few minutes, in case your neighbor wants to access mail.yahoo.com too.
If this seems convoluted and slow, it is. In fact, doing DNS lookups for all the ads, javascript, and crap on a web page is a major proportion of the total load time. It's not that loading of the ad banner itself is slow, it's doing the (very indirect) DNS lookups for the domain that counts ad impressions, another domain with Javascript that loads the ad, another domain where the actual ad image is, etc. Plus the site logo is on a CDN domain, the html on the home domain, some other part of the page on images.foo.com, etc. Your browser can easily look up 20 or 30 different names to load just one page.
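The referral chain walked through in the comment above (root, then the .com server, then Dyn's authoritative server), plus the TTL question raised earlier in the thread, as an added example that is not part of any comment or of Dyn's systems. The server names and the 198.51.100.7 address are the commenter's fictional ones and documentation space, constructed here; the resolver models two things the prose describes but does not show: the recursive server contacts three servers for one cold lookup, and when the authoritative server stops answering, the cached record protects the name only until its TTL runs out. Glue-record lookups for the referred servers are deliberately omitted.

```python
class Timeout(Exception):
    """Raised when the server being asked does not answer (e.g. under DDoS)."""


def make_servers(ttl):
    """Constructed toy namespace using the names from the comment above.
    Each server knows only its own referrals ('NS') or records ('A', ip, ttl)."""
    return {
        "root": {"com": ("NS", "dns.root.com")},
        "dns.root.com": {"yahoo.com": ("NS", "four.dyndns.org")},
        "four.dyndns.org": {"mail.yahoo.com": ("A", "198.51.100.7", ttl)},
    }


class Resolver:
    """Minimal iterative resolver with a TTL-bounded cache. Real resolvers also
    have to look up the IP of each referred server (glue records); that step is
    left out here."""

    def __init__(self, servers, down=()):
        self.servers = servers
        self.down = set(down)     # servers currently not answering
        self.cache = {}           # name -> (ip, expires_at)

    def _ask(self, server, name):
        if server in self.down:
            raise Timeout(server)
        table = self.servers[server]
        labels = name.split(".")
        # Longest-suffix match: a server answers for the closest zone it knows.
        for i in range(len(labels)):
            rec = table.get(".".join(labels[i:]))
            if rec is not None:
                return rec
        return None                                   # NXDOMAIN

    def resolve(self, name, now):
        """Return (ip, source, path): source is 'cache', 'authoritative' or
        'nxdomain'; path lists the servers contacted for this lookup."""
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], "cache", []
        server, path = "root", []
        while True:
            path.append(server)
            rec = self._ask(server, name)
            if rec is None:
                return None, "nxdomain", path
            if rec[0] == "NS":
                server = rec[1]                       # follow the referral
                continue
            _kind, ip, ttl = rec
            self.cache[name] = (ip, now + ttl)
            return ip, "authoritative", path


def outage_demo(ttl, check_at=600.0):
    """Resolve once at t=0, take Dyn's server offline, then try again at check_at seconds."""
    r = Resolver(make_servers(ttl))
    _ip, source, path = r.resolve("mail.yahoo.com", 0.0)
    r.down.add("four.dyndns.org")                     # authoritative server stops answering
    try:
        _ip, later, _ = r.resolve("mail.yahoo.com", check_at)
    except Timeout:
        later = "timeout"
    return {"first": source, "path": path, "during_outage": later}


if __name__ == "__main__":
    print(outage_demo(ttl=120))    # short TTL: cache expired, lookup times out
    print(outage_demo(ttl=3600))   # long TTL: still answered from cache
```

The short-TTL run is the situation the thread is asking about: sites publishing TTLs under 200 seconds were back to querying Dyn within minutes of the attack starting. The trade-off a longer TTL buys resilience with is slower failover when an operator deliberately changes an address. Resolvers that implement serve-stale behaviour (RFC 8767) soften this by answering with an expired record while the authoritative server is unreachable, which is a change on the recursive side rather than in the zone's TTLs.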