Slashdot Mirror


Mirai Botnet Attackers Are Trying To Knock Liberia Offline (zdnet.com)

Zack Whittaker, reporting for ZDNet: One of the largest distributed denial-of-service attacks happened this week and almost nobody noticed. Since the cyberattack on Dyn two weeks ago, the internet has been on edge, fearing another massive attack that would throw millions off the face of the web. The attack was said to be upwards of 1.1 Tbps -- more than double the attack a few weeks earlier on security reporter Brian Krebs' website, which was about 620 Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things devices. This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country Liberia, sending it almost entirely offline each time. Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen. One transit provider said the attacks were over 500 Gbps in size. Beaumont said that given the volume of traffic, it "appears to be the owned by the actor which attacked Dyn." An attack of that size is enough to flatten even a large network -- or as was seen this week, a small country. Update: 11/03 19:37 GMT: The title of the story (same as the ZDNet's story) was updated to mention the name of the country. The summary was updated to reflect the same, as well.

40 of 73 comments

  1. which damn country? by Anonymous Coward · · Score: 3, Informative

    Is that too hard to put in the post, which country?

    It's Liberia.

    1. Re:which damn country? by sciengin · · Score: 3, Funny

      Mod him up please.

      I almost considered to RTFM.
      Thanks to him I was saved.

    2. Re: which damn country? by tomxor · · Score: 1

      Actually North Korea have a separate internet that's more like a large LAN called "Kwangmyong" and they own a tiny block of 1024 global IPs. Almost no one inside North Korea has "internet" access.

    3. Re:which damn country? by PolygamousRanchKid · · Score: 1

      Is that too hard to put in the post, which country?

      It's Liberia.

      "Suffice to say 'Liberia' is one of the words the Knights of Ni! cannot hear!"

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!

    4. Re:which damn country? by The Grim Reefer · · Score: 1

      I almost considered to RTFM.

      It's in the title:

      Mirai Botnet Attackers Are Trying To Knock Liberia Offline

      I realize this is /., but I thought most people read the title and then started making accusations.

      It's also in TFS, though not in the first sentence.

      This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country Liberia...

      Which is better than the actual source. They don't have the country in the title, and you have to scroll past a picture and the first paragraph to see which country it is. It's also first mentioned in a picture of a Twitter post before it's actually in the article. Believe it or not, the /. posting is better than the actual source with regards to stating which country it was in.

      This wasn't my submission, but I'll make a mental note to be sure to include key words in the title, first, last, and every other sentence in the future.

    5. Re:which damn country? by The Grim Reefer · · Score: 1

      It's /., there's no way in hell I'm going to read an editor's note. Or even notice it for that matter. Besides, everyone knows /. doesn't have editors. ;-)

    6. Re:which damn country? by Sir Holo · · Score: 1

      Is that too hard to put in the post, which country?

      It's Liberia.

      And the article calls Liberia a "little-known country"?!? WTF?

      Liberia is hugely important in world history, having adopted a Constitutional Government in 1947, although it was inhabited before then. Who took part in this mass migration? A particular group of humans in the US who were emancipated from being chattels (property) used for uncompensated labor (slavery). . . to being people under US Law. A lot of them wanted to go back at least to their home continent, and many probably wanted to just get the hell out of the US.

      I hear it's lovely to visit, and is on my list. I don't need only white people around to feel safe, FFS. Just don't dress like an imperialist douche, be chill, and interact with the people. Also plan a couple of hikes.

    7. Re:which damn country? by Sir Holo · · Score: 1

      1847, NOT 1947.

      Yes, that was roughly 20 years before the US Constitutional Amendment banning chattel slavery, but there were indeed some "free men" at the time. It's the source of the surname "Freeman".

  2. Whelp hope America is prepared on Election Day... by Dust038 · · Score: 2

    Given the last response, anyone else have a bad feeling that on November 8th we're going to have a Blackout in America?

  3. I'm impressed... by bigdady92 · · Score: 1

    Seriously, I'm astoundingly impressed that this magnitude of data can bring an entire country's infrastructure to its knees. The power that this botnet has is unprecedented, this is a digital Godzilla (DigiZilla?) running rampant on the streets of Liberia with the only defense some antiquated machine guns.

    I'm not condoning this by any stretch of the means but I damn sure am amazed from a spectator's point of view. /hope they catch these guys //electrocute them with cattle prods ///then toss them in a shark tank ////PPV $99.99 make it happen

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/

  4. Re:"...the internet has been on edge..." by Thud457 · · Score: 1

    "bored teenagers set mailbox on fire" yeesh.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  5. Which country? by TimothyHollins · · Score: 1

    I was hoping it would be Denmark.

    I'd have enjoyed a sensible chuckle if South Park had been spot on yet again.

  6. Re:Typo by I4ko · · Score: 1

    Both are true. The devices are insecure by design, and are not secured in practice.

  7. Eurocentrism by FranklinWebber · · Score: 5, Informative

    It's not just the post: the linked article fails to name the country until the 7th paragraph.

    Re: "small, little-known African country":
    -- Liberia has more land area than Portugal or Hungary or Austria.
    -- Liberia is well-known to USers as a destination for freed slaves in the 19th century.

    Seems like the author of the article could use a broader perspective.

    1. Re:Eurocentrism by Talderas · · Score: 1

      There was a recent ebola outbreak in Liberia. "little-known" seems like a big stretch.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork

    2. Re:Eurocentrism by nukenerd · · Score: 2, Interesting

      Re: "small, little-known African country":
      -- Liberia has more land area than Portugal or Hungary or Austria.
      -- Liberia is well-known to USers as a destination for freed slaves in the 19th century ... Seems like the author of the article could use a broader perspective.

      You could do with some broader perspective too. Not everyone in the World is interested in a 19th century destination for freed US slaves, even if it interests some Americans as such. In the UK here I doubt that one person in 20 could point to it on a map or even know that it is in Africa. It did have a claim to fame once as having the largest fleet of merchant ships in the world (as a flag of convenience). Land area has nothing to do with it.

      Oh, before you accuse me of narrow-mindedness, I am a bit exceptional in that I once had a Liberian GF, who claimed descent from those slaves, and said there was a lot of tension today between such descendants (who tend to form the upper classes) and the "natives" of Liberia because obviously the slaves did not necessarily originate from Liberia. The ex-slaves were imposed on the natives by the USA in a fit of idealism; in fact it was a USA colony although that can only be whispered as the USA is supposed to be against colonialism. The capital Monrovia was named after the US president Monroe, and the flag is obviously inspired by the Stars and Stripes.

      My GF said that the whole place is a shit-hole, in a state of more-or-less permanent civil war, gang warfare and broken infrastructure. She never wanted to go back there again.

  8. Devices by mwfischer · · Score: 1

    What devices are in the Mirai botnet?

    1. Re:Devices by wbr1 · · Score: 1

      All the things!

      --
      Silence is a state of mime.

  9. Demonstrates some simple things by wierd_w · · Score: 1

    In my opinion, this demonstrates some simple things.

    If the IoT creators cannot be bothered to properly secure their devices out of the gate, then they need to give some nonvolatile storage of some kind that can hold the files in /etc, and perhaps /home.

    It does not need to be big. 2mb would be spacious.

    Just enough that the init system can be tailored, the root password can be changed, and the cryptokeys can be regenerated and retained.

    That way somebody can honest to god actually secure their device after purchase. You know, disable that open Telnet daemon, change the default root password, and use some hard to crack 4096bit keys for SSH that aren't all over the damn net.

    They could do this the way eg, OpenWRT does it, with a pivot root. It could be reset to the "Factory insecure state" by holding in the reset button that way, preventing users from breaking it on a misconfiguration. If it would cost too much to make the devices properly secure out of the box, then at least give them enough real internal storage that mounts properly on boot, that people that DO know what they are doing can fix their fuckups after purchase, and have it stick.

    1. Re:Demonstrates some simple things by wierd_w · · Score: 3, Insightful

      Here is how you do it:

      1) The device ships in "Insecure, please rape the shit out of me!" mode, with open Telnet, and a default root password.

      2) The software that comes with the IoT device looks for this insecured bundle of filth. It then generates a random 32byte password, stores it in its local config file for the device, sets it on the device, and tells the device to generate a new crypto key pair. It then connects over the secure connection, and remotely disables the telnet port. It does all this while the user looks at pretty pictures or something.

      3) Once the device is in "Secure mode", it no longer listens on any port for telnet traffic, and does everything over SSH with the generated keys, and the random password.

      All the user has to do is "insert the damn CD into the tray and set up the device, idiot." and off they go with a secured device.

      For those of us with the inclination, we can start with the unsecured mode, manually log in via telnet, and set it up the way WE want.

      Everyone happy.

    2. Re:Demonstrates some simple things by Pascoea · · Score: 1

      That way somebody can honest to god actually secure their device after purchase. You know, disable that open Telnet daemon, change the default root password, and use some hard to crack 4096bit keys for SSH that aren't all over the damn net.

      Sure, I bet my grandpa, who just wants a DVR to record his outdoor cameras, will be able to accomplish what you just outlined. I mean, I certainly understand that what you are describing needs to be accomplished, it has just been proven (time and time again) that the end user isn't going to do it.

      From my armchair perspective of what's going on, these devices aren't getting exploited by some hard-to-find backdoor, they are getting exploited by having the same damn password on every device that ships. THAT is an easy problem to solve, and it doesn't require the end user to have a CS degree.

    3. Re:Demonstrates some simple things by wierd_w · · Score: 1

      See my reply to the AC.

      Easy to fix. Always unique keys, always unique root passwords. Cheap and easy to implement.

      Unless inserting a CD and running SETUP is too hard for your grandpa, anyway.

    4. Re:Demonstrates some simple things by Pascoea · · Score: 2

      1) The device ships in "Insecure, please rape the shit out of me!" mode, with open Telnet, and a default root password.

      And will only stay on in "rape me" mode for 5 minutes at a time, if the config process hasn't been completed it shuts off until the user unplugs it and plugs it back in. And the default password shouldn't be "password" or "000000" it should be unique to the device, this day and age there is no reason you can't generate a random password during manufacturing and put a sticker on the side of it.

    5. Re:Demonstrates some simple things by Pascoea · · Score: 1

      You haven't met my grandpa...

    6. Re:Demonstrates some simple things by indi0144 · · Score: 1

      No, how about programmers put their shit together and send the thing properly secured and stop passing the buck to the rest of the world? Is not your problem, it's grampa problem, or marketing problem, or PHB problem, never a problem with the people that actually copy pasted the Linux on those things.

      I also love how in the whole discussion nobody mentions most of these things are running Linux and how Linus should be brought to the international court of justice which is the standard procedure when Microblows fuck up.

    7. Re:Demonstrates some simple things by wierd_w · · Score: 1

      These devices would be just as terrible running any other OS, since they basically tell the whole universe how to log into them with cookie cutter default credentials.

    8. Re:Demonstrates some simple things by wierd_w · · Score: 1

      Which is why the device should not work "as expected" until you set it up.

      Don't even enable the services it needs to have running unless both telnet is disabled, and sshd is running.

      Have step 1 of troubleshooting be "did you run the configuration software?".

      But I see you like moving the goal post. Good luck with that.

    9. Re:Demonstrates some simple things by indi0144 · · Score: 1

      I don't know, by default no updated install of windows or OS X can be telnetted/ftped from the outside with any sort of "default" password. Comparison is tricky because you can't really compare a kernel+webstack+controllers with a full blown desktop OS, you are right but it does not negate my point, programmers have to apply the most basic security checks, and any company that fails to employ proper professional should be taken out of business. Just like any government can close any factory that pollutes a river, they are polluting the tubes and the whole world is downstream.
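The setup flow proposed in this sub-thread (a factory-unique sticker password, a five-minute setup window per power-on, credential rotation by the setup software, and services held back until telnet is off and sshd is up), sketched as an added Python example that is not part of the original comments. The `Device` model and all function names are hypothetical, and SSH key regeneration is left out because it depends on the device's own tooling.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SETUP_WINDOW_SECONDS = 5 * 60  # setup mode lasts 5 minutes per power-on


def _hash(password: str, salt: bytes) -> bytes:
    # Only a salted hash of the credential is kept on the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:  # hypothetical model, not any real product's firmware
    serial: str
    salt: bytes
    pw_hash: bytes
    booted_at: float
    telnet_enabled: bool = True   # factory setup mode
    sshd_running: bool = False


def manufacture(serial: str, now: float):
    """Factory step: random per-device password, printed on the sticker."""
    sticker = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    return Device(serial, salt, _hash(sticker, salt), now), sticker


def setup_window_open(dev: Device, now: float) -> bool:
    return dev.telnet_enabled and 0 <= now - dev.booted_at < SETUP_WINDOW_SECONDS


def power_cycle(dev: Device, now: float) -> None:
    dev.booted_at = now  # unplugging and replugging reopens the window


def provision(dev: Device, sticker: str, now: float) -> str:
    """Setup-software step: rotate the credential, then close telnet."""
    if not setup_window_open(dev, now):
        raise TimeoutError("setup window closed; power-cycle the device")
    if not hmac.compare_digest(_hash(sticker, dev.salt), dev.pw_hash):
        raise PermissionError("sticker password rejected")
    new_password = secrets.token_hex(32)  # 32 random bytes, hex-encoded
    dev.salt = secrets.token_bytes(16)
    dev.pw_hash = _hash(new_password, dev.salt)
    dev.sshd_running = True
    dev.telnet_enabled = False
    return new_password  # the setup software keeps this in its local config


def services_allowed(dev: Device) -> bool:
    """Normal functions start only once telnet is off and sshd is up."""
    return dev.sshd_running and not dev.telnet_enabled
```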

  10. Small-Scale Testing? by sehlat · · Score: 5, Insightful

    Why do I have the feeling that this is a dry run, with bigger target(s) in mind?

  11. "little known" country? by Anonymous Coward · · Score: 1

    Liberia was supposed to be the America of Africa, until the locals DID NOT WANT. In fact its capital was named after one of our presidents.

    Not exactly "little known"

  12. static host files by h4ck7h3p14n37 · · Score: 2

    Why don't affected organizations simply publish a host file for people to use until DNS service has been restored?

    1. Re:static host files by TroII · · Score: 1

      This wasn't an attack on DNS, it was an attack on all transit into and out of Liberia.

  13. You all fail basic math by BarbaraHudson · · Score: 1

    The error is both in the summary and the original

    The attack was said to be upwards of 1.1Tbps -- more than double the attack a few weeks earlier on security reporter Brian Krebs' website, which was about 620Gbps in size,

    It's easy enough to do in your head - 1.1Tbps is less than half 620 Gbps. It would have had to be more than 1.24 Tbps, more than 10% larger than the claimed "upwards of 1.1Tbps", and there's no indication in the original story that it ever got anywhere near that high. Aside from satellite connections, the single fibre connection is the only way in or out. That is confirmed by the article stating that the attack was directed against one of the two companies cooperatively operating the fibre.

    One transit provider said the attacks were over 500Gbps in size.

    So from the story, it's an attack on one company, and Level 3 reported far less. In an email, Dale Drew, chief security officer at Level 3 Communications, confirmed it had "witnessed an attack against a telecommunications company in Liberia" from the Mirai botnet.

    Far less than 1.24 Tbps, and no facts cited to even make it more than 620 Gbps. There is no actual data in the article to justify the claimed size, irrespective of the bad math. So, Zack Whittaker at ZDNet needs to go back to school to learn basic math and to not include speculative figures that he made out of his head, without citing any facts to justify them, in his clickbait "reports."

    F'ing internet. This is a story worthy of Facebook, not slashdot ... at least not the old slashdot at the turn of the century.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    1. Re:You all fail basic math by Sir Holo · · Score: 1

      F'ing internet. This is a story worthy of Facebook, not slashdot ... at least not the old slashdot at the turn of the century.

      You mean the one that is effectively extinct?

    2. Re:You all fail basic math by BarbaraHudson · · Score: 1

      I only noticed that I reversed it after - no "edit" function. My bad :-)

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

    3. Re: You all fail basic math by BarbaraHudson · · Score: 1

      look at morgan fairchild for a while.

      Why? I'm not a lesbian ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  14. unfair description of Liberia by blogagog · · Score: 1

    You say Liberia is a little known country. But every Liberian I've asked today knows lots about it!

  15. Advertising... by Aero77 · · Score: 1

    Hey Look! We took an entire country offline.

    1. Re:Advertising... by sehlat · · Score: 1

      Hey Look! We took an entire country offline.

      Maybe. Liberia is small potatoes, though. The bigger the ultimate target, the bigger the street cred. I seriously doubt, however, that anybody would take down an entire country of any size just for bragging rights.

  16. Here's an acronym... by knorthern knight · · Score: 3, Insightful

    > Both are true. The devices are insecure by design, and are not secured in practice.

    Insecurely Designed Internet Of Things

    Acronym... IDIOT

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user