
Mirai Botnets - _jomo
http://blog.level3.com/security/grinch-stole-iot/
======
BlickSilly
IANA Security Expert, but simple advice from Krebs:

>Anyone looking for an easy way to tell whether any of your network ports may be
open and listening for incoming external connections could do worse than to
run Steve Gibson's “Shields Up” UPnP exposure test.

[https://krebsonsecurity.com/2016/10/who-makes-the-iot-things...](https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/#more-36566)

another thing to remember... ALL IoT devices have admin credentials, it's just
a matter of whether or not they can be connected to, whether the credentials
are compromised, and whether the device is susceptible to brute force.

------
robolange
The main take-aways are: 1) Use a firewall between your Internet connection
and your IoT devices, and 2) disable UPnP support on your firewall.

It's disturbing how many devices enable telnet and/or ssh by default, make it
difficult or impossible for a user to actually change the default password,
and subvert firewalls using P2P protocols. At the end of the day, to secure
your network you really do need to run nmap regularly against your subnet
checking for devices with open ports, and tcpdump between your gateway and
your devices, monitoring what connections they are actually making.

For ordinary users, the situation is truly hopeless. They are pwned by default
if they buy into IoT.
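As an added example (not written by any commenter in this thread), here is a small POSIX shell script that turns the two checks recommended above into something repeatable: one helper reads `nmap -oG -` grepable output and flags hosts with a remote-admin port (22, 23 or 2323) open, the other reads `tcpdump -n -l` output and, per LAN host, counts outbound SYNs to external addresses and how many of those go to telnet ports. The scan and capture text below is constructed sample data, not a real network; the `LAN_PREFIX` variable and the 192.168.0.0/16 default are my own assumptions. To use it for real, pipe live `nmap -oG -` and `tcpdump -n -l` output into the two functions instead.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample data is constructed.

# Constructed sample of `nmap -oG - -p 22,23,80,443,2323 192.168.1.0/24` output.
SAMPLE_SCAN='Host: 192.168.1.10 ()  Status: Up
Host: 192.168.1.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///    Ignored State: closed (3)
Host: 192.168.1.23 ()  Ports: 23/open/tcp//telnet///, 2323/open/tcp//3d-nfsd///    Ignored State: closed (3)
Host: 192.168.1.50 ()  Ports: 443/open/tcp//https///    Ignored State: closed (4)'

# Constructed sample of `tcpdump -n -l -i <lan-if> tcp` output, SYN packets only.
SAMPLE_PCAP='12:00:01.000001 IP 192.168.1.23.41000 > 203.0.113.5.23: Flags [S], seq 1, win 5840, length 0
12:00:01.000002 IP 192.168.1.23.41001 > 198.51.100.9.23: Flags [S], seq 1, win 5840, length 0
12:00:01.000003 IP 192.168.1.23.41002 > 203.0.113.77.2323: Flags [S], seq 1, win 5840, length 0
12:00:01.000004 IP 192.168.1.23.41003 > 192.168.1.1.53: Flags [S], seq 1, win 5840, length 0
12:00:01.000005 IP 192.168.1.10.52001 > 203.0.113.80.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 203.0.113.80.443 > 192.168.1.10.52001: Flags [S.], seq 9, ack 2, win 65535, length 0'

# flag_risky_hosts: read nmap grepable output on stdin and print "<host> <ports>"
# for every host that reports 22, 23 or 2323 as open.
flag_risky_hosts() {
  awk '
  /^Host:/ {
    host = $2
    if (split($0, parts, "Ports: ") < 2) next      # status-only line, no port list
    m = split(parts[2], ports, ", ")
    hits = ""
    for (i = 1; i <= m; i++) {
      split(ports[i], f, "/")                        # f[1] = port, f[2] = state
      if (f[2] == "open" && (f[1] == "22" || f[1] == "23" || f[1] == "2323"))
        hits = hits " " f[1]
    }
    if (hits != "") print host hits
  }'
}

# telnet_scanners: read tcpdump output on stdin and print, per LAN host,
# "<host> <SYNs to external hosts> <of which to port 23/2323>", sorted.
# A device fanning SYNs to port 23 on many external addresses is looking for
# more victims rather than doing whatever it was sold to do.
telnet_scanners() {
  awk -v lan="${LAN_PREFIX:-192.168.}" '
  $2 == "IP" && $7 == "[S]," {                       # outbound SYN lines only
    src = $3; dst = $5
    sub(/:$/, "", dst)
    n = split(dst, d, "."); dport = d[n]             # trailing dotted component is the port
    sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)
    if (index(src, lan) == 1 && index(dst, lan) != 1) {
      ext[src]++
      if (dport == "23" || dport == "2323") telnet[src]++
    }
  }
  END { for (s in ext) print s, ext[s], telnet[s] + 0 }' | sort
}

echo "== hosts with remote-admin ports open =="
printf '%s\n' "$SAMPLE_SCAN" | flag_risky_hosts
echo "== outbound SYNs per LAN host (host external telnet) =="
printf '%s\n' "$SAMPLE_PCAP" | telnet_scanners
```

On the sample data the first helper reports 192.168.1.10 (ssh) and 192.168.1.23 (telnet on 23 and 2323), and the second shows 192.168.1.23 sending all three of its external SYNs to telnet ports while 192.168.1.10 only made a single HTTPS connection. Running the capture side from the gateway, where every device's traffic passes, is what makes the second check meaningful; a P2P "cloud" feature that punches through the firewall shows up here as the device's own outbound connections.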

~~~
MereKatMoves
"For ordinary users, the situation is truly hopeless. They are pwned by
default if they buy into IoT."

when was it ever different? This is just a repeat of the "buy anti-virus"
phase of Windows, which wasn't sufficiently hammered home that it basically
failed. No doubt there will be some responsible IoT manufacturers that address
the vulnerabilities, but IMO, not many, and the market isn't exactly demanding
of 'secure amazon buttons' - in fact there will be devastation because the
manufacturers won't give a flying fuck about security as they stamp out
thousands of pieces a day with default passwords in their factories.

If ever there was a use case for ipv6 then I suggest this is it. Sadly we
aren't going to get there in time to stop a new wave of botnets. Who do I
blame for the failure to properly roll out ipv6?

gotta love some of those domain name lolz

imscaredaf.xyz swinginwithme.ru santasbigcandycane.cx

~~~
joe_the_user
The average user is worried about their laptop. The idea of their laptop being
hacked is worrisome because they keep personal information on it and it's a
somewhat personal possession. So anti-virus gets some play.

The average user doesn't care about their VCR. The average user won't set the
time on their VCR much less set a password. In fact, _I_ don't care about my
VCR or my light bulbs or whatever dumb thing someone decides should have the
capacity to be on the Internet (except I care enough not to knowingly buy such
things but in the future may unknowingly buy the stuff). If someone
manufactures Trojans to put in people's homes and it causes other people
problems, it shouldn't be my problem.

~~~
MereKatMoves
Average users have a VCR? How would it work if they don't set the time on it?

You bought (whatever) it (is) - so that becomes your problem. The average user
falls for the marketing of "your app controls your fried chicken" bullshit and
buys the IoT chicken fryer. So you won't buy that fryer. Good for you.

~~~
dublinben
The manufacturers of these devices are selling faulty products. If their
products are dangerously insecure, they should face repercussions.

~~~
zzleeper
The manufacturer might be in another country or bankrupt. You should go after
the user and then he might go after the manufacturer or his insurance if he
wants.

But on more realistic terms, my hope is that if this gets really bad, then a
consortium of huge internet firms can start blacklisting bad IPs. If
John-Random-Guy can't connect to google/facebook/akamai/etc then for sure he'll
at least unplug the device.

------
weej
For those interested, a couple weeks ago I did a source code review and
write-up: "Mirai (DDoS) Source Code Review"

[https://medium.com/@cjbarker/mirai-ddos-source-code-review-5...](https://medium.com/@cjbarker/mirai-ddos-source-code-review-57269c4a68f#.nm45chqa5)

------
M_Grey
The IoT is a disaster in slow-motion, and outside of highly technical circles,
it seems to be one that is totally invisible.

~~~
w8rbt
These devices, when taken as a whole, will be largely vulnerable and there
will be enough of them to carry out enormous DDoS attacks. Our toasters are
gonna take down the Internet.

~~~
andrewflnr
> there _are_ enough of them to carry out enormous DDoS attacks

Fixed that for you.

~~~
ryanlol
No there aren't. "Enormous" would be 15 million conficker nodes hitting
someone, not a shitty 500k node "IoT" net.

~~~
M_Grey
_15 million conficker nodes hitting someone_

I can't be the only person who moaned out loud at that notion, and who also
sees no way to stop it. People so often need to be burned to learn about fire,
but in this case owning an IoT item is unlikely to burn the owner.

I don't see a good solution to this, that is likely to actually happen, unless
as another person said, ISPs just start blacklisting people with compromised
IoT devices.

~~~
zzleeper
Why can't Google/Apple/FB et al get together and start blacklisting them? if
it gets bad enough, that might be the only chance (good luck getting a random
Moldovan ISP to blacklist their spammers)

~~~
ryanlol
Maybe because _almost everyone_ is infected with some sort of malware?

------
rasz_pl
>Level 3 Threat Research Labs will continue to identify and track developments
in these botnets

but not take any action against the actual source of the traffic, the ASes that
host bots with static IPs.

>We will also work with hosting providers and domain registrars to block
traffic to these C2s

but again not do anything to close the source of the problem. L3 admits they
have a list of ~500K static IPs with bots behind them, they aren't blocking nor
reporting those, why? because traffic is traffic and they are in the business of
selling pipes?

------
caycep
How bad are Ubiquiti devices, and the state of security and firmware updates
for them? I was thinking about switching to a Ubiquiti AmpliFi home router
from TP-Link partly out of concern for this, and was hoping that their
firmware and security updates would be a little more on-point. But one of
their routers is on this list...

------
alexvay
How many remember the Smurf Attack
[https://en.wikipedia.org/wiki/Smurf_attack](https://en.wikipedia.org/wiki/Smurf_attack)?

I remember claims that this type of attack was fixed forever. But physics
doesn't change... Easily.

