Slashdot Mirror
Who Should We Blame For Friday's DDOS Attack? (fortune.com)
"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras. An anonymous reader quotes Fortune:
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
The people that did it.
From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."
This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.
Oh, great. With IPV6, instead of only devices which punch their way through a NAT gateway using UPnP, every IOT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
"National Security is the chief cause of national insecurity." - Celine's First Law
ISPs that don't implement rfc2827
Vendors that don't ship secure devices
The people that did it
Egress filtering would be nice too. If the source address of packets coming out of your network is not in your address space, don't let it out.
In the free world the media isn't government run; the government is media run.
Ah, the DMCA approach.
I can see it now.
Since we can't figure out how to stop ddos attacks, we create mechanism wherein our Internet equivalent of the RIAA sends ISPs notifications about who is part of a botnet.
The ISP, in turn, immediatly has to notify and throttle users who are part of the botnet. They have to do it otherwise they'll be airing and abetting internet pira...er, ddos attacks, and thus, are open to lawsuits. This creates the proper incentive to rubber stamp... I mean, streamline the process.
The user, of course, has a chance to contest this throttling in case that the user is not part of the botnet (IP addresses are so easy to spoof these days). So it is totally fair. All they have to do is send a counterclaim and if it is rejected (which it will), they have the option to take this to court.
Out of their own pocket of course. For something they didn't even do.
Its a totally fair system and it will not at all be abused.
Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:
1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.
2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.
3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.
4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
not only this but the inept users whose devices get pawned and used to attack other systems should be held legally responsible for the attacks.
Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...
Real lawyers write in C++
"I think the best way to handle this is to make people somehow accountable when they participate in a DDoS, whether they do it willingly or not."
Well, you self important prick, answer me this:
One manufacturer was quickly identified on Friday as contributing a major part of the Attack.
Name them. No, you don't get to scour the Web now, you should _know_ this.
Now, you as an enlightened Consumer goes out Monday to buy a new DVR. How can you tell if it has been compromised? At the least, you are going to have to take your toolbox with you, and start disassembling them on the floor of Fry's, (This is much more difficult if you favor Amazon...). You will need a cheat sheet to identify all of the compromised boards, and that doesn't yet exist.
Now you take your new DVR home, and an hour later, you notice your Wifi has slowed to a crawl. Multiply that by the 3 million or so Xiongmai Electronics cards already out there in scours of products from dozens of manufacturers, (Oops, I gave the name away...), how do you "...think twice about buying insecure shit." How can you, baby shit for brains, possibly know? I think that it is best if you no longer have _any_ Internet Access from now on, until you are better informed, and learn some humility.
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
It struck me that there is a "nuclear option" solution that would be highly illegal but highly effective. Every time one of these shitty IOT devices is found exploitable and the manufacturer doesn't bother to update , scan the whole damn net for that device and tell it to DDOS the manufacturer and not stop. The manufacturer would pretty quickly realise they have to get a patch out if they wish to remain a citizen of the internet. For added niceness make sure the user understands why their baby monitor is attempting to murder it's creator
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.