Who Should We Blame For Friday's DDOS Attack? (fortune.com)
"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser-known makers of routers and cameras. An anonymous reader quotes Fortune:
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
The people that did it.
"By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well." A lot of cheap Chinese IoT devices don't have any way to update the firmware. How are consumers supposed to secure those devices?
From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."
This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.
Blame DNS. Time for something completely different.
“He’s not deformed, he’s just drunk!”
I believe global warming increases the severity of these attacks. Look at the facts: it's getting warmer every year, and the intensity of these attacks is likewise increasing.
So here we go through the pros and cons of each. This is not to rule any of them out, as I don't think you can at this point, but to lay it all out there.
Hacktivists (Specifically New World Hackers):
Pro - claimed responsibility. Anonymous/offshoots responsible for lots of past DDoS activity.
Cons - Several security firms called BS on the evidence, and cited past history of false claims of responsibility to boost DDoS for hire business. Also the complexity and sophistication make this unlikely.
Cybercriminals:
Pro - probable originators of Mirai botnet, likely responsible for preceding DDoSes of Brian Krebs and OVH.
Con - No stated ransom demands (at least none reported) or other identifiable material benefit. Lacks a direct reason.
North Korea:
Pro - Past history of DDoS and malware attacks. Never claims responsibility. Suffers nothing if the internet goes down.
Cons - Attack only targeted the USA, not perennial NK targets of South Korea or Japan. If this was North Korea, why ignore those two?
Russia
Pro - contacts/influence in Russian cybercrime community. Possible interest in interference in US politics.
Con - No real rhyme or reason for doing so now. Widespread (as opposed to targeted) disruptions likely don't have any predictable impact to swaying the election.
China
Pro - Reports that many of the infected devices were Chinese in origin.
Con - China normally steals your business secrets rather than DDoS you. Chinese devices weren't the only ones, too - bad security is everywhere.
US intelligence (NSA et al)
Pro - False flag?
Con - NSA wants to listen in on your data, not shut you off from communicating. Unlikely that there is anyone who supports Wikileaks/Assange/Anonymous/etc that would change their minds over this.
This is by no means a comprehensive list, just off the top of my head.
I blame the evil engineers who just spread out IPv4 instead of working on IPv6 and perfecting the solutions around that.
Oh, great. With IPV6, instead of only devices which punch their way through a NAT gateway using UPnP, every IOT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
"National Security is the chief cause of national insecurity." - Celine's First Law
Assuming most consumer devices are installed at home behind some kind of NAT functionality, how did all these consumer devices get exposed to the public internet? This is the one thing about this entire hack I do not understand.
ISPs that don't implement rfc2827
Vendors that don't ship secure devices
The people that did it
Egress filtering would be nice too. If the source address of packets coming out of your network is not in your address space, don't let it out.
In the free world the media isn't government run; the government is media run.
Incorrect use of DNS... DNS was designed to be very fault tolerant, but when you publish records with 30-second TTLs, the authoritative server has to be accessed twice a minute, making millions of caching nameservers useless.
Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:
1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.
2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.
3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.
4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
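The ISP and router filtering in items 1 and 2 above (and the egress rule described a few posts up) comes down to one check. As an added example, not code from any poster, here is that RFC 2827 / BCP 38 source-address check applied to constructed packets, with documentation prefixes standing in for the customer's assigned address space:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    note: str = ""


def build_allowed(prefixes):
    """Parse the prefixes assigned to this network (its legitimate source space)."""
    return [ipaddress.ip_network(p) for p in prefixes]


def egress_allowed(pkt, allowed):
    """RFC 2827 rule: a packet leaving this network must carry a source address
    from the network's own space. Anything else is spoofed or misrouted."""
    src = ipaddress.ip_address(pkt.src)
    # ip_network.__contains__ returns False across address families, so a v6
    # source is simply not matched by a v4 prefix (no exception).
    return any(src in net for net in allowed)


def filter_egress(packets, prefixes):
    """Split packets into (passed, dropped) under the egress rule."""
    allowed = build_allowed(prefixes)
    passed, dropped = [], []
    for pkt in packets:
        (passed if egress_allowed(pkt, allowed) else dropped).append(pkt)
    return passed, dropped


# Constructed sample: this customer network owns 203.0.113.0/24 and 2001:db8:1::/48
# (documentation ranges), and the packets below are leaving it towards the ISP.
CUSTOMER_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.5", "udp", "legitimate v4"),
    Packet("198.51.100.77", "198.51.100.5", "udp", "spoofed: source is not ours"),
    Packet("2001:db8:1::42", "2001:db8:2::1", "tcp", "legitimate v6"),
    Packet("2001:db8:9::1", "2001:db8:2::1", "udp", "spoofed v6"),
    Packet("10.0.0.5", "198.51.100.5", "udp", "RFC 1918 address leaking out"),
    # An infected camera flooding a victim from its real address passes the
    # check: BCP 38 stops spoofing and reflection, not bots with real addresses.
    Packet("203.0.113.66", "192.0.2.1", "tcp", "bot using its real address"),
]


if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE, CUSTOMER_PREFIXES)
    for p in bad:
        print("DROP", p.src, "->", p.dst, "(" + p.note + ")")
    for p in ok:
        print("PASS", p.src, "->", p.dst, "(" + p.note + ")")
```

The last sample packet is the caveat raised further down the thread: a bot sending from its real address is not caught by this rule, so BCP 38 limits spoofed and reflected floods rather than Mirai-style direct ones.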
When a gun is stolen and used in a crime we seize it as evidence.
When a zombie PC or "IoT" piece of shit is DDoSing something, we should block its traffic and cut off the customer if necessary.
I find it unfair to blame lawmakers. The law is not a catch-all program that can be written once for any situation. This is why we regularly elect people to make it evolve.
And regulators tried to do what they could with the power they had been granted by lawmakers.
All the people who made it possible for them to do it. Meaning the vendors, and the low-information consumers.
Spread the blame around. There's plenty.
The Patriarchy!
Um. NAT doesn't prevent outgoing connections in any way. Any device on your network that's been hacked would more likely use an active outgoing connection than make an easily detected port forward in your firewall via UPnP. NAT isn't security.
Neither, apparently, would have had any impact on the Dyn DDoS or the Krebs DDoS. The Mirai botnet traffic comes from compromised devices using legitimate source IPs -- no one is spoofing anything.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
If the device is already hacked, you're absolutely right that NAT won't add any security. However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.
Not only this, but the inept users whose devices get pwned and used to attack other systems should be held legally responsible for the attacks.
Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...
Real lawyers write in C++
Add to this - the retailers who sell said insecure devices.
The main problem was the incompetence of those sites' sysadmins. A TTL under 3600, and all your authoritative nameservers not just with the same provider but on the same platform with the lowest of low, cheap, scum of DNS providers (DynDNS).
Someone tripping over a cable or typing in the wrong command could've caused this. And it's not like Dyn hasn't just unplugged their customers before.
Custom electronics and digital signage for your business: www.evcircuits.com
It struck me that there is a "nuclear option" solution that would be highly illegal but highly effective. Every time one of these shitty IOT devices is found exploitable and the manufacturer doesn't bother to update, scan the whole damn net for that device and tell it to DDOS the manufacturer and not stop. The manufacturer would pretty quickly realise they have to get a patch out if they wish to remain a citizen of the internet. For added niceness make sure the user understands why their baby monitor is attempting to murder its creator.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
We have nobody to blame except ourselves.
Furries make the internet go.
For allowing such a broken internet design to continue to exist.
For allowing ICANN, RIPE, ARIN and APNIC to continue to exist.
For not adopting IPv6 faster/earlier.
For not adopting DNSSEC faster/earlier.
For not adopting Blockchain based name services faster/earlier and leaving the power at the hands of incompetents.
Just like non-voting during critical government elections, we vote for those attacks to continue by our lack of action.
You want those attacks to stop? DO SOMETHING ABOUT IT.
All those moments will be lost in time, like tears in rain... time... to... die...
Huh?
Properly configured DNS secondaries hosted at different ISPs would have completely mitigated the problem for everyone but Dyn. Because Dyn hosts its own secondaries, hitting Dyn downed both primary and secondary servers.
ISPs need a peering pool arrangement for DNS secondaries, where secondaries are distributed over the entire pool.
This is how it was designed to work: multiply connected redundant secondaries.
The worst damage possible in that scenario is the inability to update DNS information hosted at Dyn itself, or to initiate zone transfers in or out of Dyn.
That reduces it from an attack on the DNS infrastructure to an attack on Dyn itself (which is much less important to everyone but Dyn).
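The TTL and secondary-nameserver arguments made in this post and in the earlier DNS posts can be checked with a toy model. As an added example, not code from any poster, this simulates a caching resolver during a one-hour outage of a single provider; provider names, query rate and timings are constructed:

```python
def simulate(ttl, nameservers, down_providers, outage, query_interval=10, horizon=7200):
    """Return (upstream_queries, failed_lookups) for one cached name.

    ttl:            seconds the resolver may reuse an answer
    nameservers:    provider hosting each authoritative server for the zone
    down_providers: providers unreachable while `outage` = (start, end) lasts
    A client asks the resolver once per `query_interval`; a lookup fails only
    when the cached answer has expired and no authoritative server answers.
    (Real resolvers may serve stale data, RFC 8767; this toy does not.)
    """
    start, end = outage
    cache_expires = -1          # nothing cached yet
    upstream = failed = 0
    for now in range(0, horizon, query_interval):
        if now < cache_expires:
            continue            # answered from cache, authoritative not involved
        attacked = start <= now < end
        reachable = [ns for ns in nameservers if not (attacked and ns in down_providers)]
        upstream += 1
        if reachable:
            cache_expires = now + ttl
        else:
            failed += 1
    return upstream, failed


def scenarios():
    """Three constructed setups, each under the same one-hour outage of 'dyn'."""
    outage = (600, 4200)
    return {
        # 30 s TTL, both authoritatives at the attacked provider: cache is
        # useless within a minute of the outage starting.
        "ttl30_single_provider": simulate(30, ["dyn", "dyn"], {"dyn"}, outage),
        # 1 h TTL, same hosting: clients ride out most of the hour on cache.
        "ttl3600_single_provider": simulate(3600, ["dyn", "dyn"], {"dyn"}, outage),
        # 30 s TTL but a secondary at another ISP: the short TTL costs
        # queries, never resolution.
        "ttl30_secondary_elsewhere": simulate(30, ["dyn", "other-isp"], {"dyn"}, outage),
    }


if __name__ == "__main__":
    for name, (upstream, failed) in scenarios().items():
        print(f"{name:28s} upstream={upstream:4d} failed={failed:4d}")
```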
NAT makes it a _great deal_ more difficult. There is simply no point in most modern environments to installing hardware, whatsoever, without NAT.
I'm surprised no one mentioned this article from Schneier, published just a month ago: https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
It seems to me this attack fits the description, especially considering it isn't targeting a specific website, but a part of the infrastructure of the Internet.
Dyn should be blamed, after all, they advertise "Total business accountability".
Change is certain; progress is not obligatory.
Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
That's the wonderful thing about defaults. Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT.
You don't need users to configure things in a secure way. There's no configuration for NAT so there's no reason to assume that by going to IPv6 the internet would be any less secure.
Might be better to just patch the damn thing if you have access to it, or at the very least change the settings so that it can't be hacked by anyone else.
I seem to recall an ISP doing this some years back. They realized that the shitty Netgear modem/routers they had bought all had insecure wifi passwords. The password was a hash of the wifi MAC address, the thing that gets broadcast constantly in the clear. Anyway, they sent out updates to all devices to reset the wifi password to something really random and emailed users. They probably had a lot of support calls anyway.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
"Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."
Your limited experience is not a suitable basis for drawing a valid conclusion.
I blame Russia. Seems to work for everyone else.
IPv6 doesn't mean no more firewalls - it just means no more NAT.
NAT provides some protection by its nature, but honestly, not much. Devices that use UPNP or whatever to open up external firewall ports so you can connect to them are going to be a problem with NAT or not.
Filed under "this is why we can't have nice things" --- How about: upgrading "home" routers to offer some form of packet inspection? Yes I know that sometimes the routers themselves are enlisted in the attack. However, it appears that many IoT devices are setup inside the home/business and are insecure. And homes are adding more IoT devices than they are adding routers - thereby increasing the available munition surface area. Usually it is 1-router and (n)-IoTs.
Maybe this is a trivial solution - but couldn't router software enforce a few simple restrictions on properly formed outbound packets?
Or wait - we don't need to upgrade the routers. Instead change their Gateway to send traffic to scanning device. Although one has to wonder if the likes of Comcast have IPS.
And since DNS seems to be in vogue - might DNS servers start asking themselves "why does server x.y.z need 1-bazillion replies to the same entry?"
However, these ideas only resolve the (current) symptom. The basics of the internet may need to be rethought - a super IPSEC? It wasn't that long ago that open mail routers posed a similar threat and opportunity for spammers (yes - the game has since moved to "legit" robo-inboxes). As the network grows attackers will continue to find ways to break it. A "single" person can take over the whole network. Things like blaster/code-red took over whole corporate networks from inside. Now these attacks are outside and treat all domain systems as one giant inside-system.
However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.
So does also any sensible router that I've seen that blocks inbound traffic by default.
(i.e.: router where you explicitly need to open Internet->PC access).
It doesn't matter if they are private IP (v4) addresses, that need NAT and port forwarding (i.e.: port 8080 from the router should be forwarded to port 80 on internal webserver 10.0.0.x),
or plain normal public IP (generally v6) addresses, that simply need access enabled to some ports on the public internet (a request for port 80 on machine IPv6 2xxx:yyyy:zzzz:wwww:vvvv:uuuu should be allowed through by the router).
If the router blocks inbound access by default, and the user needs to explicitly enable some access in the settings, both NATed IPv4 and IPv6 with public addresses are protected equally.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If Mirai could spoof source addresses then it could use DNS amplification attacks and the like to send even more traffic. Mirai is particularly impressive because of the amount of traffic it can source without doing that, but that doesn't mean that spoofing prevention had no effect on it.
"Every router I've seen shipped has a default password, and a stateful firewall ENABLED BY DEFAULT."
Your limited experience is not a suitable basis for drawing a valid conclusion.
Ok, let's run with that for a second. Are you suggesting ISPs will send you a wireless router without NAT enabled by default? Because NAT by necessity requires a stateful firewall to be running.
Think about it, if China had not weaponized botnets and put IP in every product, we wouldn't be in this mess.
Now upgrade to IPv6sec and stop whining. And shut out IoT.
-- Tigger warning: This post may contain tiggers! --
No sense going any further until you learn more about networking. NAT does not imply a stateful firewall, they're two completely different things.
Keep in mind that job creators - and the GOP oligarchy in general - decry anytime someone wants to add "regulations" (aka cost) to an industry or product. It just gives more fuel to the off-shored fodder types.
As far as getting the globe to agree on "being nice", well as soon as human trafficking goes away, I'll believe it. Till then, the reality is nobody needs a camera in their toaster, fridge or Amazon echo.... Or if you think you want one, you need your head examined.
Till consumers decide privacy is a basic human right, is important and stop posting every silly pointless thought and picture on social media- this will only get worse.
Your mom has too many open ports.
Actually, IPv6 does not mean no more NAT. It just means that NAT ain't necessary, but that doesn't prevent it from being used if it's required for other requirements like load balancing, network isolation, and so on. In fact, in IPv6, there is an official recognized way to do NAT - NPT (Network Prefix Translation) That's a lot better than IPv4, where you have at least 3 different ways of doing NAT - none of them officially recognized by the IETF
While this is valid, a way to better secure the network would be to have a PAM setup in DHCPv6, where certain addresses change after a certain period. That way, not only would a spoofing agent have to scour a huge block - it would also have an artificially limited amount of time in which to do it. Reason I mention this is that whenever we get to a point where we determine that /64 is too much wasted area and need to reduce it to /32, we don't make the subnet more insecure by reducing the scan area by a factor of 4 billion.
Now, it is true that people make the argument that the 4 billion addresses in the global prefix gives gazillions of addresses to everybody. That is only true until one looks at lending structure to the addresses - be it making routing easier to (at the subnet address level) defining each character as representative of something, such as a physical location, a department or so on. Once that starts happening, one starts running out of addresses.
You're right. Now show me a NAT implementation that works without a stateful firewall enabled.
The two terms serve a different purpose yet you can't have NAT without effectively having the other and I stand by my original comment. Every consumer router currently being delivered does exactly the same thing as a stateful firewall out of the box ENABLED BY DEFAULT, with the minor addition of packet forwarding.
We run 17 physical 24 virtual servers on the public Internet. We host all kinds of high value attack targets (eCommerce, political, medical, insurance) all kinds of stuff people despise (and really nice stuff too).
We have been the subject of numerous DDOS and DOS attacks. We fended them all off with ease because we run the right fucking tools on our servers
So I don't understand why this is an issue at all for anybody...
Murphy was an optimist
We're done. You didn't bother learning even a minimum about networking.
Tell me about it. Come back when you know how NAT works.
NAT's inbound "security" is entirely accidental and any decent IPv6 device applies the same firewalling rules for inbound IPv6 as for IPv4
What you're describing is called a packet filter, not a router.
For 99.9% of the "average joe 6-pack" users, the packet filter is running inside [the linux kernel on the firmware of] their home DSL/cable/FTTH router.
So yeah, most of the clueless users who would be benefiting from NAT will also be benefiting from the fact that the router sitting in their living room is doing packet filtering.
The "security" of NAT comes as a by-product of the fact that multiple devices NEED to be on a private RFC1918-style network (assuming we're talking typical consumer-grade NAT), and hence no single device does - by default - receive inbound traffic because they're not addressable in the first place.
And I'm telling you :
- you DO NOT need to be on an unaddressable private address (192.x.y.z or fxxx:::) to not receive any traffic.
The [packet filtering running inside the linux kernel in the firmware of the] router could be all the same blocking inbound traffic even if the target address happened to be addressable (e.g.: 2xxxx::: )
So please stop with this "NAT increases security".
It's the packet filtering that does.
And most sensible modern routers (that have a not-too-lousy firmware) do.
And I'm telling you :
- you DO NOT need to be on an unaddressable private address (192.x.y.z or fxxx:::) to not receive any traffic.
No shit. Then again, how many "average joe 6-pack" users get assigned anything bigger than a /32 (i.e. a single address) for IPv4, or anything at all for IPv6?
Here on our side of the pond? Let me count:
- Most of the ISPs here in Europe that I know of (Switzerland, France, Germany) are providing IPv6: a /60 or /56 prefix, so each (IPv6-enabled) device on the home network can get its very own 64-bit suffix based on the MAC address (and the router gets an extra 4 or 8 bits of headroom for its internal management).
Usually they are 6rd (rapid deployment), i.e.: their network (fiber, xDSL, etc.) is still legacy IPv4,
but their router automatically establishes a 6to4 tunnel to the ISP's IPv6 access point.
Usually, most 6rd deployment offer
So anyone plugging in "the box" they've received from their ISP is automatically on IPv6.
And automatically getting sensible IPv6 packet filtering on said box (to go back to the subject of this discussion)
(And hopefully also getting sensible default passwords for admin and Wifi in the form of long random base32 strings printed on the backside of the box)
- Lots of 3G/4G wireless providers are moving to IPv6 (well, obviously, as 4G is a purely packet-switched network, IPv6 is more or less an unofficial requirement)
(Though usually, a smartphone will get a publicly addressable IPv4 and IPv6 on lots of networks. Not all though, some wireless providers are moving to NATed IPv4 and only publicly addressable for the IPv6 prefix)
(3G/4G to USB+Wifi routers work similarly to the above-mentioned xDSL/FTTH routers. They advertise a publicly accessible IPv6 prefix and provide packet-filtering).
- Most universities I've seen also provide both IPv4 and IPv6 (but usually provide publicly addressable IPs on both).
(Though not necessarily on the "eduroam" shared wireless network. They used to be on IPv4 at some universities, and as of lately, all universities I've been in seem to move their eduroam onto a different special IPv4-only subnet).
(And though to go back to the current discussion, universities here seldom do any filtering. As soon as you plug in your laptop, you start to see failed login attempts in your SSHD logs)
- If you want your very own special IPv6 prefix, you can get one from SixXS over a 6in4 or AYIYA tunnel.
(But then again that's not average joe).
And with only a single globally routable address, you do NEED to be on RFC1918 network.
Obviously this isn't the only way one can do NAT, but it's the only way joe sixpack's router does it.
Most users in non-backwater countries will get a 6rd publicly addressable IPv6 prefix, too.
By default, the box they've received from their ISP and they've plugged into the wall will filter the packets by default.
So please stop with this "NAT increases security".
And I'm telling you, the extra security provided to joe sixpack DOES come from the fact that he's being NATted, since he's still unreachable when any other packet filtering is disabled.
(emphasis mine)
Yup. We've reached a conclusion.
We both agree that for security, you need packet filtering.
You need a "magic box" standing between the wild wide interweb and the home network that does this filtering.
Usually this box is the xDSL/Cable/FTTH/whatever router that the user has received from the ISP.
NAT'ing, is one of the peculiar types of packet filtering that happens o
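An added example, not code from any poster, of the "magic box" packet filter this sub-thread keeps coming back to: a toy connection-tracking filter applied to constructed packets. It shows the two claims argued above: unsolicited inbound traffic is dropped whether the inside host has a private IPv4 or a public IPv6 address, and an already-compromised device's outbound connection (and the replies to it) pass either way. Addresses are documentation ranges; "lan"/"wan" are the router's two interfaces.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    iface: str          # interface the packet arrived on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


class StatefulFilter:
    """Default-deny inbound, allow-and-track outbound, no address translation."""

    def __init__(self, allow_inbound=()):
        # Explicit inbound allows, e.g. a user-configured or UPnP-opened port forward.
        self.allow_inbound = set(allow_inbound)   # {(inside_addr, inside_port)}
        # Tracked flows keyed as (inside_addr, inside_port, outside_addr, outside_port).
        self.flows = set()

    def process(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet."""
        if pkt.iface == "lan":
            # Outbound is always allowed and remembered so replies can come back.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound from WAN: only replies to tracked flows or explicitly opened ports.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        return "DROP"


def run_scenarios():
    """Constructed scenarios; the camera is the IoT device on the home network."""
    results = {}
    fw = StatefulFilter()
    # 1. Unsolicited telnet probe at a camera on a private IPv4 address (the NAT case).
    results["probe_private_v4"] = fw.process(
        Pkt("wan", "198.51.100.9", 40000, "192.168.1.20", 23, syn=True))
    # 2. Same probe at a camera with a public IPv6 address: same filter, same result.
    results["probe_public_v6"] = fw.process(
        Pkt("wan", "2001:db8:ffff::9", 40000, "2001:db8:1::20", 23, syn=True))
    # 3. An already-compromised camera connects out; the outside host's reply is let in.
    results["compromised_outbound"] = fw.process(
        Pkt("lan", "2001:db8:1::20", 51000, "2001:db8:ffff::9", 443, syn=True))
    results["reply_to_outbound"] = fw.process(
        Pkt("wan", "2001:db8:ffff::9", 443, "2001:db8:1::20", 51000))
    # 4. A UPnP-style mapping for the camera's telnet port: the probe now gets through.
    fw_upnp = StatefulFilter(allow_inbound={("192.168.1.20", 23)})
    results["probe_after_upnp"] = fw_upnp.process(
        Pkt("wan", "198.51.100.9", 40001, "192.168.1.20", 23, syn=True))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

Scenario 4 is the point made earlier about UPnP: a device that opens its own port forward is exposed with or without NAT.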
A lot of this stuff is running pirated/old firmware which has nothing to do with the original author.
A lot of the time the company in the exporting country selling this stuff to the importer has no idea what the firmware is, isn't the manufacturer and may be several steps removed from the manufacturer (which is why firmware is such a bitch to deal with)
Liabilities have a hard time crossing national boundaries. The buck stops at the importer.
From a consumer point of view, liability stops with whoever sold it to them unless it was sold with specific disclaimers.
On the bright side: in the last week a couple of the largest DVR/camera makers have stepped up to the plate and taken responsibility - recalls and firmware updates are happening. The hard part is going to be to track and update every affected device out there even if they're phoning home (I have items around the net still tickling my boxes from projects that ceased working 16 years ago - and that's stuff that's supposedly operated by "responsible" network admins, let alone end users)