Who Should We Blame For Friday's DDOS Attack? (fortune.com)
"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras. An anonymous reader quotes Fortune:
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
The people that did it.
"By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well." A lot of cheap Chinese IoT devices don't have any way to update the firmware. How are consumers supposed to secure those devices?
How about Luxembourg, they never get accused of anything and must be feeling left out.
From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."
This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.
CONSPIRACY THEORIES??
[insert meme of "Aliens!" here]
Has anyone thought about this act being caused by a "government agency" that has something to prove?
Blame DNS. Time for something completely different.
“He’s not deformed, he’s just drunk!”
I was worried about my Dropcam until figuring out that it appears on none of the lists and Forbes was simply too lazy to find a proper picture to accompany their story.
Only our President, Barack Hussein Obama and our President-elect, Hillary Clinton, can decide that. We cannot, as ordinary citizens, have the understanding and the scope to make important and informed decisions. There are many things we do not know for our own safety. I for one trust our great Leaders and will never question their wisdom. I am ready to inform on any dissenter or malcontent as is my duty as a loyal citizen of this great country.
I blame windmills, and other forms of green energy as well.
Who should we blame for deadly gas on Venus? The damn Martians! Thank you for your OPINION and for letting everyone here know that you are stupid.
Ha. Just kidding, but isn't it obvious this is in retaliation for the US getting Ecuador to cut off Assange's internet?
Blame CANADA. They are not a real country anyway!
So here we go through the pros and cons of each. This is not to rule any of them out, as I don't think you can at this point, but to lay it all out there.
Hacktivists (Specifically New World Hackers):
Pro - claimed responsibility. Anonymous/offshoots responsible for lots of past DDoS activity.
Cons - Several security firms called BS on the evidence, and cited past history of false claims of responsibility to boost DDoS for hire business. Also the complexity and sophistication make this unlikely.
Cybercriminals:
Pro - probable originators of Mirai botnet, likely responsible for preceding DDoSes of Brian Krebs and OVH.
Con - No stated ransom demands (at least none reported) or other identifiable material benefit. Lacks a direct reason.
North Korea:
Pro - Past history of DDoS and malware attacks. Never claims responsibility. Suffers nothing if the internet goes down.
Cons - Attack only targeted the USA, not perennial NK targets of South Korea or Japan. If this was North Korea, why ignore those two?
Russia
Pro - contacts/influence in Russian cybercrime community. Possible interest in interference in US politics.
Con - No real rhyme or reason for doing so now. Widespread (as opposed to targeted) disruptions likely don't have any predictable impact to swaying the election.
China
Pro - Reports that many of the infected devices were Chinese in origin
Con - China normally steals your business secrets rather than DDoS you. Chinese devices weren't the only ones, too - bad security is everywhere.
US intelligence (NSA et al)
Pro - False flag?
Con - NSA wants to listen in on your data, not shut you off from communicating. Unlikely that there is anyone who supports Wikileaks/Assange/Anonymous/etc that would change their minds over this.
This is by no means a comprehensive list, just off the top of my head.
They'll use this event to justify "traffic management". Would not put it past them to have paid for or sponsored the event off the books.
I blame the evil engineers who just spread out IPv4 instead of working on IPv6 and perfecting the solutions around that.
Panasonic, Toshiba, Xerox, Samsung, ... These are names in the device list. These companies have built Electronics for Decades. And yet. They are cheap enough to add default passwords... to devices connected to the internet. Routers, IP cameras, the like.
This is no longer anything we can fix incrementally. Electronics needs a revolution, French style. Heads rolling. Schematics getting burned. Insecure languages suppressed. The survivors rebuilding from scratch, with lessons learned.
The PCs and devices infected that are part of the botnet that are used in these type of attacks.
Blame the ISPs who detect this traffic yet let it flow without intercepting it or calling whoever that traffic comes from to inform them that they may be part of a botnet.
HILLARY CLINTON. Only someone who has suffered severe brain damage (in 2012) with an observable lazy eye (as recently as 2016 in the third debate), and seizures (also observed, as she was instructed to "smile" when she had a seizure), would do such a thing. Hillary is responsible for all the evil in this world. Only a brain damaged woman would dare to try to sicken all of mankind with the fruit of the tree of knowledge of good and evil, and HILLARY IS THAT FUCKING WOMAN. We need to lynch that bitch.
Oh, great. With IPV6, instead of only devices which punch their way through a NAT gateway using UPnP, every IOT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
"National Security is the chief cause of national insecurity." - Celine's First Law
Assuming most consumer devices are installed at home behind some kind of NAT functionality, how did all these consumer devices get exposed to the public internet? This is the one thing about this entire hack I do not understand.
ISPs that don't implement rfc2827
Vendors that don't ship secure devices
The people that did it
These people
DNS is the problem, we need to move to something a little better
Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:
1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.
2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.
3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.
4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
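The ISP item above (BCP38 / RFC 2827, with RFC 3704's strict-mode variant) comes down to one rule on each customer-facing interface: forward a packet only if its source address belongs to a prefix assigned to that interface, and drop bogons outright. The following is an added illustration, not code from any commenter or from Dyn or Krebs, that simulates that decision over a constructed prefix table and a few constructed packets; the interface names and prefixes are made up.

```python
"""Strict-mode source-address validation (BCP38 / RFC 2827, RFC 3704 strict uRPF)."""
import ipaddress

# Constructed example: prefixes an access ISP has assigned to each customer-facing
# interface. A real deployment derives this from the routing table (uRPF) or
# from the provisioning system, not from a hard-coded dict.
CUSTOMER_PREFIXES = {
    "cust-1": ["203.0.113.0/24", "2001:db8:1::/48"],
    "cust-2": ["198.51.100.0/25"],
}

# Addresses that must never appear as a source on a customer interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "fc00::/7",
)]


def build_allowed(prefix_table):
    """Parse the per-interface prefix strings once into network objects."""
    return {iface: [ipaddress.ip_network(p) for p in nets]
            for iface, nets in prefix_table.items()}


def ingress_decision(iface, src, allowed):
    """Return 'forward' or 'drop' for a packet arriving on iface with source src.

    Strict mode: the source must fall inside a prefix assigned to the very
    interface the packet arrived on. Anything else is spoofed or misrouted.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in bogon for bogon in BOGONS):
        return "drop"
    if iface not in allowed:
        return "drop"  # unknown interface: fail closed
    return "forward" if any(addr in net for net in allowed[iface]) else "drop"


def filter_packets(packets, prefix_table=CUSTOMER_PREFIXES):
    """Apply the rule to (iface, src) pairs; returns (iface, src, decision) triples."""
    allowed = build_allowed(prefix_table)
    return [(iface, src, ingress_decision(iface, src, allowed)) for iface, src in packets]


def spoofed_count(packets, prefix_table=CUSTOMER_PREFIXES):
    """How many packets the filter would have stopped from leaving the network."""
    return sum(1 for _, _, d in filter_packets(packets, prefix_table) if d == "drop")


# Constructed traffic sample: legitimate sources, one spoofed victim address,
# one out-of-prefix address, and one RFC1918 bogon.
SAMPLE_PACKETS = [
    ("cust-1", "203.0.113.7"),      # legitimate, inside cust-1's /24
    ("cust-1", "192.0.2.55"),       # spoofed: not assigned to cust-1
    ("cust-2", "198.51.100.200"),   # outside cust-2's /25 (.128-.255 is not theirs)
    ("cust-1", "2001:db8:1::5"),    # legitimate IPv6 source
    ("cust-2", "10.0.0.1"),         # bogon
]

if __name__ == "__main__":
    for iface, src, decision in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:7} {src:18} {decision}")
```

With the filter in place, a Mirai bot on cust-1 can still flood a target with its real address (volumetric attacks need no spoofing), but it can no longer forge arbitrary sources, which is what reflection and amplification attacks depend on.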
The makers of the broken insecure products.
I find it unfair to blame lawmakers. The law is not a catch-all program that can be written once for any situation. This is why we regularly elect people to make it evolve.
And regulators tried to do what they could with the power they had been granted by lawmakers.
All the people who made it possible for them to do it Meaning the vendors, and the low information consumers.
Spread the blame around. There's plenty.
The Patriarchy!
One day: "I don't care about security, I've got nothing to hide."
The next day: "Why can't I access twitter?"
I must confess that this was kind of fun.
Um. NAT doesn't prevent outgoing connections in any way. Any device on your network that's been hacked would more likely use an active outgoing connection than make an easily detected port forward in your firewall via UPnP. NAT isn't security.
If the device is already hacked, you're absolutely right that NAT won't add any security. However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.
The bad news is, I tried the Bullguard IoT scanner, and it told me that I'm vulnerable!
The good news is, it points to my ISP, 5 miles from where I am.
not only this but the inept users whose devices get pawned and used to attack other systems should be held legally responsible for the attacks.
Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...
Real lawyers write in C++
They're so quiet up North. Blame Canada!
We got a Cujo to protect our home network. Turns out it ensures our devices cannot be recruited for these attacks. Very nice.
Mise' well blame Trump. I'm sure the media wouldn't mind.
The Stop Online Piracy Act
That's right, the failure of passing SOPA was cited as the reason by a member of Congress's Communications and Technology Subcommittee.
Warning: This video hurts to watch.
The main problem was the incompetence of those sites' sysadmins. A TTL under 3600 and all your authoritative nameservers not just with the same provider but on the same platform with the lowest of low, cheap, scum of DNS providers (DynDNS)
Someone tripping over a cable or typing in the wrong command could've caused this. And it's not like Dyn hasn't just unplugged their customers before.
We have nobody to blame except ourselves.
Furries make the internet go.
For allowing such a broken internet design to continue to exist.
For allowing ICANN, RIPE, ARIN and APNIC to continue to exist.
For not adopting IPv6 faster/earlier.
For not adopting DNSSEC faster/earlier.
For not adopting Blockchain based name services faster/earlier and leaving the power at the hands of incompetents.
Just like non-voting during critical government elections, we vote for those attacks to continue by our lack of action.
You want those attacks to stop? DO SOMETHING ABOUT IT.
All those moments will be lost in time, like tears in rain... time... to... die...
> Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
Well, that's why Cisco, Belkin, TP-Link, et. al. should configure their consumer routers' default IPv4/6 WAN-facing firewalls to DEFAULT REJECT, ALLOW RELATED or ESTABLISHED. As you imply, defaults are a powerful thing, and this is a super-trivial configuration change.
I would be somewhat surprised if Apple's AirPort routers were not configured this way.
Properly configured DNS secondaries hosted at different ISPs would have completely mitigated the problem for everyone but Dyn. Because Dyn hosts its own secondaries, hitting Dyn downed both primary and secondary servers.
ISPs need a peering pool arrangement for DNS secondaries, where secondaries are distributed over the entire pool.
This is how it was designed to work: multiply connected redundant secondaries.
The worst damage possible in that scenario is the inability to update DNS information hosted at Dyn itself, or to initiate zone transfers in or out of Dyn.
That reduces it from an attack on the DNS infrastructure to an attack on Dyn itself (which is much less important to everyone but Dyn).
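Two of the operational complaints in this thread can be checked mechanically: the one above (all authoritative servers for a zone at a single provider, so one DDoS takes out primary and secondaries together) and the earlier one about sub-hour TTLs (cached answers evaporate minutes into an outage). The following is an added example, not code posted by any commenter and not Dyn's tooling; the nameserver names, addresses and ASNs are constructed. A real version would resolve the zone's NS RRset and map each address to its ASN before calling `assess`.

```python
"""Flag single-provider dependency and low TTLs in a zone's authoritative NS set."""
import ipaddress

# Constructed sample data: NS hostname -> (glue address, ASN the address lives in).
# "All at one provider" (the Dyn-style setup the comment above describes):
SINGLE_PROVIDER = {
    "ns1.provider-a.example.": ("192.0.2.10", 64500),
    "ns2.provider-a.example.": ("192.0.2.11", 64500),
    "ns3.provider-a.example.": ("192.0.2.12", 64500),
}
# Secondaries at a second, unrelated provider:
DIVERSE = {
    "ns1.provider-a.example.": ("192.0.2.10", 64500),
    "ns2.provider-a.example.": ("192.0.2.11", 64500),
    "ns1.provider-b.example.": ("198.51.100.5", 64511),
    "ns2.provider-b.example.": ("2001:db8:b::53", 64511),
}


def aggregate_of(ip):
    """Coarse 'same network' bucket: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def assess(ns_set, record_ttl, min_ttl=3600):
    """Return a list of findings; an empty list means no obvious single point of failure.

    ns_set: {hostname: (ip, asn)}; record_ttl: TTL in seconds of the zone's
    important records (A/AAAA of the public sites, or the SOA minimum).
    """
    findings = []
    if len(ns_set) < 2:
        findings.append("fewer than two authoritative servers")

    asns = {asn for _, asn in ns_set.values()}
    if len(asns) < 2:
        findings.append(f"all nameservers in a single ASN ({sorted(asns)[0]}): "
                        "one provider outage takes primary and secondaries down together")

    nets = {aggregate_of(ip) for ip, _ in ns_set.values()}
    if len(nets) < 2:
        findings.append("all nameservers in one address block (no network diversity)")

    if record_ttl < min_ttl:
        findings.append(f"TTL {record_ttl}s: resolvers drop cached answers within "
                        f"{record_ttl // 60} minutes of the servers becoming unreachable")
    return findings


if __name__ == "__main__":
    for label, ns, ttl in (("single-provider", SINGLE_PROVIDER, 300), ("diverse", DIVERSE, 86400)):
        print(label, "->", assess(ns, ttl) or ["ok"])
```

Note the ASN check is the one that matters for the scenario above: two NS names at two hostnames in the same anycast cloud look diverse on paper and are not.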
NAT makes it a _great deal_ more difficult. There is simply no point in most modern environments to installing hardware, whatsoever, without NAT.
I'm surprised no one mentioned this article from Schneier, published just a month ago: https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
It seems to me this attack fits the description, especially considering it isn't targeting a specific website, but a part of the infrastructure of the Internet.
Dyn should be blamed, after all, they advertise "Total business accountability".
Change is certain; progress is not obligatory.
Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
That's the wonderful thing about defaults. Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT.
You don't need users to configure things in a secure way. There's no configuration for NAT so there's no reason to assume that by going to IPv6 the internet would be any less secure.
I found the biggest surprise here is that those large-ish sites are outsourcing their DNS. Why on earth wouldn't they be running their own nameservers? He who holds the DNS holds the power.
Blame the admins for not taking their DNS seriously, and of course the people responsible for the attack.
Most implementations of NAT have major security flaws. It is complex, has no standard implementation, breaks a lot of crap, and is many times trivial to bypass. If you really think what you said is true, then you are horribly uninformed about the issues it actually creates. But now that I have mentioned its issues and you keep spouting your false information, then you're willfully ignorant or trolling.
"Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."
Your limited experience is not a suitable basis for drawing a valid conclusion.
"National Security is the chief cause of national insecurity." - Celine's First Law
I blame Russia. Seems to work for everyone else.
IPv6 doesn't mean no more firewalls - it just means no more NAT.
NAT provides some protection by its nature, but honestly, not much. Devices that use UPNP or whatever to open up external firewall ports so you can connect to them are going to be a problem with NAT or not.
Nice of Fortune, the folks who constantly whine about government interference with the so-called free market, the people who say all government regulation is bad and industry will regulate itself, to say this is all the government's fault for not passing laws and regulations to prevent this.
Stop being dumb, how are attackers going to find their victims if they have to scan the entire IPv6 address space?
Filed under "this is why we can't have nice things" --- How about: upgrading "home" routers to offer some form of packet inspection? Yes I know that sometimes the routers themselves are enlisted in the attack. However, it appears that many IoT devices are setup inside the home/business and are insecure. And homes are adding more IoT devices than they are adding routers - thereby increasing the available munition surface area. Usually it is 1-router and (n)-IoTs.
Maybe this is a trivial solution - but couldn't router software enforce a few simple restrictions on properly formed outbound packets?
Or wait - we don't need to upgrade the routers. Instead change their Gateway to send traffic to scanning device. Although one has to wonder if the likes of Comcast have IPS.
And since DNS seems to be in vogue - might DNS servers start asking themselves "why does server x.y.z need 1-bazillion replies to the same entry?"
However, these ideas only resolve the (current) symptom. The basics of the internet may need to be rethought - a super IPSEC? It wasn't that long ago that open mail routers posed a similar threat and opportunity for spammers (yes - the game has since moved to "legit" robo-inboxes). As the network grows attackers will continue to find ways to break it. A "single" person can take over the whole network. Things like blaster/code-red took over whole corporate networks from inside. Now these attacks are outside and treat all domain systems as one giant inside-system.
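The "why does server x.y.z need a bazillion replies to the same entry" idea above is what authoritative servers already implement as response rate limiting (BIND, NSD and Knot all ship an RRL module): count identical responses per client block per second and stop answering once a threshold is exceeded. The following is an added example, not a commenter's code or any server's actual RRL implementation, that applies a sliding-window version of the rule to constructed query-log lines; the `epoch client qname qtype` log format and the 192.0.2.x/198.51.100.x clients are made up.

```python
"""Response-rate-limit style detection over an authoritative server's query log."""
import ipaddress
from collections import defaultdict, deque

# Constructed log lines: "<epoch seconds> <client ip> <qname> <qtype>".
# 192.0.2.77 asks the same question eight times in under a second, which is
# the signature of a reflection flood using our server; the others are normal.
SAMPLE_LOG = (
    [f"{1477000000.0 + 0.1 * i:.1f} 192.0.2.77 a.example.com A" for i in range(8)]
    + ["1477000000.2 198.51.100.3 a.example.com A",
       "1477000000.4 198.51.100.3 www.example.com AAAA",
       "1477000002.5 192.0.2.77 a.example.com A"]   # 2.5 s later: window has cleared
)


def parse(line):
    ts, client, qname, qtype = line.split()
    return float(ts), client, qname.lower().rstrip("."), qtype.upper()


def bucket_key(client, qname, qtype):
    """RRL counts per client network, not per address, so a spoofed /24 is one bucket."""
    net = ipaddress.ip_network(f"{client}/24", strict=False)
    return (str(net), qname, qtype)


def rate_limit(lines, limit=5, window=1.0):
    """Return [(line, 'respond' | 'drop')].

    A bucket may receive at most `limit` identical responses in any `window`
    seconds. Real RRL usually 'slips' (sends a truncated answer forcing TCP)
    instead of dropping outright; dropping is used here for clarity.
    """
    history = defaultdict(deque)   # bucket -> timestamps of responses we sent
    decisions = []
    for line in lines:
        ts, client, qname, qtype = parse(line)
        sent = history[bucket_key(client, qname, qtype)]
        while sent and ts - sent[0] >= window:
            sent.popleft()            # expire responses older than the window
        if len(sent) >= limit:
            decisions.append((line, "drop"))
        else:
            sent.append(ts)
            decisions.append((line, "respond"))
    return decisions


def dropped(lines, **kwargs):
    return [line for line, d in rate_limit(lines, **kwargs) if d == "drop"]


if __name__ == "__main__":
    for line, decision in rate_limit(SAMPLE_LOG):
        print(f"{decision:8} {line}")
```

This limits how much amplification an attacker gets out of the server; it does nothing against the Dyn scenario itself, where the bots simply flooded the authoritative servers with traffic, which is why the commenter's other points about ISP-side filtering still matter.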
However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.
So does also any sensible router that I've seen that blocks inbound traffic by default.
(i.e.: router where you explicitly need to open Internet->PC access).
It doesn't matter if they are private IP (v4) addresses, that need NAT and port forwarding (i.e.: port 8080 from the router should be forwarded to port 80 on internal webserver 10.0.0.x),
or plain normal public IP (generally v6) addresses, that need simply to enable access to some ports on the public internet (request for port 80 on machine IPv6 2xxx:yyyy:zzzz:wwww:vvvv:uuuu should be allowed through by the router).
If the router blocks inbound access by default, and the user needs to explicitly enable some access in the settings, both NATed IPv4 and IPv6 with public addresses are protected equally.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
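The post above (and the earlier suggestion that consumer routers ship with inbound default-reject plus allow-established/related) is easiest to see with the filtering logic written out. What follows is an added example, not code from any commenter: a toy connection-tracking filter run through the same three-step scenario once for a NATed 10.0.0.x host and once for a globally addressed IPv6 host, plus the UPnP caveat raised elsewhere in the thread. All addresses are documentation ranges; the DNAT rewrite on the v4 side is assumed to have happened before the packet reaches the filter, and `StatefulFilter` is a made-up name.

```python
"""Toy stateful filter: default-deny inbound, allow established, explicit allow rules.

Shows that the protection a home router gives comes from this logic, which
applies identically whether the inside host has a private IPv4 address behind
NAT or a globally routable IPv6 address.
"""


class StatefulFilter:
    def __init__(self, inbound_allow=()):
        # (dst_ip, dst_port) pairs the user explicitly opened: a v4 port-forward
        # target after DNAT, or a v6 allow rule. Both look the same here.
        self.allow = set(inbound_allow)
        # Established flows, keyed from the inside host's point of view.
        self.conntrack = set()

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> internet: always forwarded, and remembered so the reply gets back in."""
        self.conntrack.add((proto, src, sport, dst, dport))
        return "forward"

    def inbound(self, proto, src, sport, dst, dport):
        """Internet -> inside: reply to an established flow, explicitly opened, or dropped."""
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "forward"   # ESTABLISHED
        if (dst, dport) in self.allow:
            return "forward"   # user-configured exception
        return "drop"          # default deny for unsolicited inbound

    def upnp_open(self, inside_ip, port):
        """What a UPnP IGD request from a (possibly compromised) device does to the policy."""
        self.allow.add((inside_ip, port))


def run_scenario(inside_ip, attacker_ip, web_client_ip, update_server_ip):
    """Same four events for any inside address; returns the filter's decisions."""
    fw = StatefulFilter(inbound_allow={(inside_ip, 80)})   # user exposed the web server
    decisions = []
    # 1. inside host fetches an update; the reply is ESTABLISHED traffic
    fw.outbound("tcp", inside_ip, 50000, update_server_ip, 443)
    decisions.append(fw.inbound("tcp", update_server_ip, 443, inside_ip, 50000))
    # 2. a visitor reaches the port the user deliberately opened
    decisions.append(fw.inbound("tcp", web_client_ip, 41000, inside_ip, 80))
    # 3. a scanner probes telnet on the device: unsolicited and not opened
    decisions.append(fw.inbound("tcp", attacker_ip, 33000, inside_ip, 23))
    # 4. the device itself asks the router (UPnP) to expose telnet; now the probe gets through
    fw.upnp_open(inside_ip, 23)
    decisions.append(fw.inbound("tcp", attacker_ip, 33001, inside_ip, 23))
    return decisions


def nat_v4():
    # Router's public side is 192.0.2.1 with 8080 -> 10.0.0.5:80 already rewritten by DNAT.
    return run_scenario("10.0.0.5", "198.51.100.77", "203.0.113.50", "203.0.113.1")


def public_v6():
    # Inside host is directly addressable; the filter, not the address, keeps telnet closed.
    return run_scenario("2001:db8::5", "2001:db8:ffff::bad", "2001:db8:cafe::1", "2001:db8:beef::443")


if __name__ == "__main__":
    print("NATed IPv4 :", nat_v4())
    print("public IPv6:", public_v6())
```

Steps 1 to 3 come out identical for both address families, which is the post's point; step 4 is the point made further up the thread, that UPnP (or anything else that edits the allow set) punches through regardless of NAT.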
Let's be honest here....most of the readers of Slashdot know more about how the net operates than the average net user. Ever try to explain the basics to an average user? Their eyes glaze over after the second sentence. The net is a complicated beast and I believe that the manufacturer who puts an IoT device out should enforce, by design, best security practices. Furthermore, the service providers are also responsible for this....if they know of deficiencies/problems they should fix them instead of focusing on lining their pockets.
It might be a good idea for every manufacturer's product to show compliance to some 'IoT safe' certification. The devices I've looked at over the years are so badly designed and implemented from a security perspective it was clear the only objective was to get something out to market. Until that changes, the net will be a mess for many years.
"Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."
Your limited experience is not a suitable basis for drawing a valid conclusion.
Ok, let's run with that for a second. Are you suggesting ISPs will send you a wireless router without NAT enabled by default? Because NAT by necessity requires a stateful firewall to be running.
Think about it, if China had not weaponized botnets and put IP in every product, we wouldn't be in this mess.
Now upgrade to IPv6sec and stop whining. And shut out IoT.
-- Tigger warning: This post may contain tiggers! --
No sense going any further until you learn more about networking. NAT does not imply a stateful firewall, they're two completely different things.
"National Security is the chief cause of national insecurity." - Celine's First Law
Keep in mind that job creators - and the GOP oligarchy in general - decry anytime someone wants to add "regulations" (aka cost) to an industry or product. It just gives more fuel to the off-shored fodder types.
As far as getting the globe to agree on "being nice", well as soon as human trafficking goes away, I'll believe it. Till then, the reality is nobody needs a camera in their toaster, fridge or Amazon echo.... Or if you think you want one, you need your head examined.
Till consumers decide privacy is a basic human right, is important and stop posting every silly pointless thought and picture on social media- this will only get worse.
Your mom has too many open ports.
Actually, IPv6 does not mean no more NAT. It just means that NAT ain't necessary, but that doesn't prevent it from being used if it's required for other requirements like load balancing, network isolation, and so on. In fact, in IPv6, there is an official recognized way to do NAT - NPT (Network Prefix Translation) That's a lot better than IPv4, where you have at least 3 different ways of doing NAT - none of them officially recognized by the IETF
While this is valid, a way to better secure the network would be to have a PAM setup in DHCPv6, where certain addresses change after a certain period. That way, not only would a spoofing agent have to scour a huge block - it would also have an artificially limited amount of time in which to do it. Reason I mention this is that whenever we get to a point where we determine that /64 is too much wasted area and need to reduce it to /32, we don't make the subnet more insecure by reducing the scan area by a factor of 4 billion.
Now, it is true that people make the argument that the 4 billion addresses in the global prefix gives gazillions of addresses to everybody. That is only true until one looks at lending structure to the addresses - be it making routing easier to (at the subnet address level) defining each character as representative of something, such as a physical location, a department or so on. Once that starts happening, one starts running out of addresses.
We the people want the next best thing...and we want it NOW!!! Take my money!!! GIVE IT NOW!!! -=ahem=- Obviously the blame lies with the perpetrators, but the avenues they exploited has existed since the inception of the internet. There has been no change to the underlying infrastructure to mitigate the problem. Band-aids have been applied, but the wounds are festering. We need a new paradigm if there is to be any improvement. There is an old saying, fool me once shame on you, fool me twice, shame on me. The internet is way beyond twice, and it keeps happening. The fault does not lie with the perpetrators, but with the internet in general. Sacrifices have to be made to have good solid security, sacrifices no one wants to make. So...instead of trying to find out who to blame, realize that as you are finding someone to blame, another attack is happening elsewhere, with someone else to blame. Until the whole paradigm of networking, the internet, security, and anonymity changes, there will be no solution, only band-aids.
(Oh, and until instant gratification and the "oh that's so cool, I want it" factor goes away.)
You're right. Now show me a NAT implementation that works without a stateful firewall enabled.
The two terms serve a different purpose yet you can't have NAT without effectively having the other and I stand by my original comment. Every consumer router currently being delivered does exactly the same thing as a stateful firewall out of the box ENABLED BY DEFAULT, with the minor addition of packet forwarding.
We run 17 physical 24 virtual servers on the public Internet. We host all kinds of high value attack targets (eCommerce, political, medical, insurance) all kinds of stuff people despise (and really nice stuff too).
We have been the subject of numerous DDOS and DOS attacks. We fended them all off with ease because we run the right fucking tools on our servers
So I don't understand why this is an issue at all for anybody...
Murphy was an optimist
We're done. You didn't bother learning even a minimum about networking.
"National Security is the chief cause of national insecurity." - Celine's First Law
Retards who think their fucking refrigerator needs to be internet connected, that's who.
Please note that performing a deep scan may result in any vulnerabilities being indexed by Shodan.
WTF?
Tell me about it. Come back when you know how NAT works.
NAT's inbound "security" is entirely accidental and any decent IPv6 device applies the same firewalling rules for inbound IPv6 as for IPv4
What you're describing is called a packet filter, not a router.
For 99.9% of the "average joe 6-pack" users, the packet filter is running inside [the Linux kernel on the firmware of] their home DSL/cable/FTTH router.
So yeah, most of the clueless users who would be benefiting from NAT will also be benefiting from the fact that the router sitting in their living room is doing packet filtering.
The "security" of NAT comes as a by-product of the fact that multiple devices NEED to be on a private RFC1918-style network (assuming we're talking typical consumer-grade NAT), and hence no single device does - by default - receive inbound traffic because they're not addressable in the first place.
And I'm telling you :
- you DO NOT need to be on an unaddressable private address (192.x.y.z or fxxx:::) to not receive any traffic.
The [packet filtering running inside the linux kernel in the firmware of the] router could be all the same blocking inbound traffic even if the target address happened to be addressable (e.g.: 2xxxx::: )
So please stop with this "NAT increases security".
It's the packet filtering that does.
And most sensible modern routers (that have a not too lousy firmware) do.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
And I'm telling you :
- you DO NOT need to be on an unaddressable private address (192.x.y.z or fxxx:::) to not receive any traffic.
No shit. Then again, how many "average joe 6-pack" users get assigned anything bigger than a /32 (i.e. a single address) for IPv4, or anything at all for IPv6?
Here around on our side of the pond ? :
Let me count
- Most of the ISPs here around in Europe that I know of (Switzerland, France, Germany) are providing IPv6: /60 or /56 prefix, so each (IPv6-enabled) device on the home network can get its very own 64-bit suffix based on the MAC address (and the router gets a few extra 4 or 8 bits of headroom for its internal management).
Usually they are 6RD (rapid deployment), i.e.: their network (fiber, xDSL, etc.) is still legacy IPv4,
but their router automatically establishes a 6to4 tunnel to the ISP's IPv6 access point,
Usually, most 6rd deployment offer
So anyone plugging "the box" they've received from their ISP is automatically on IPv6.
And automatically getting sensible IPv6 packet filtering on said box (to go back to the subject of this discussion)
(And hopefully also getting sensible default passwords for admin and Wifi in the form of long random base32 strings printed on the backside of the box)
- Lots of 3G/4G wireless providers are moving to IPv6 (well, obviously as 4G is a purely packet-switched network. IPv6 is more or less an unofficial requirement)
(Though usually, a smartphone will get a publicly addressable IPv4 and IPv6 on lots of networks. Not all though, some wireless providers are moving to NATed IPv4 and only publicly addressable for the IPv6 prefix)
(3G/4G to USB+Wifi routers do work similarly to the above-mentioned xDSL/FTTH routers. They advertise a publicly accessible IPv6 prefix and provide packet filtering).
- Most universities I've seen also provide both IPv4 and IPv6 (but usually provide publicly addressable IPs on both).
(Though not necessarily on the "eduroam" shared wireless network. They used to be on IPv4 on some universities, and as of lately, all universities I've been in seem to move their eduroam to a different special IPv4-only subnet).
(And though to go back to the current discussion, universities here around seldom do any filtering. As soon as you plug in your laptop, you start to see failed login attempts in your SSHD logs)
- If you want your very own special IPv6 prefix, you can get one from SixXS over a 6in4 or AYIYA tunnel.
(But then again that's not average joe).
And with only a single globally routable address, you do NEED to be on RFC1918 network.
Obviously this isn't the only way one can do NAT, but it's the only way joe sixpack's router does it.
Most users in a non backwater countries will get a 6rd publicly addressable IPv6 prefix, too.
By default, the box they've received from their ISP and they've plugged into the wall will filter the packets by default.
So please stop with this "NAT increases security".
And I'm telling you, the extra security provided to joe sixpack DOES come from the fact that he's being NATted, since he's still unreachable when any other packet filtering is disabled.
(emphasis mine)
Yup. We've reached a conclusion.
We both agree that for security, you need packet filtering.
You need a "magic box" standing between the wild wide interweb and the home network that does this filtering.
Usually this box is the xDSL/Cable/FTTH/whatever router that the user has received from the ISP.
NAT'ing, is one of the peculiar types of packet filtering that happens o
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]