
DDoS attack halts heating in Finland amidst winter - pimeys
https://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter
======
mrweasel
Regardless of the reason, deliberate targetting, accidental "drive by DDoS" or
bad configuration, the question that remains is "Why is the heating dependent
on being online?"

It is completely reasonable if the heat system every so often "phones home",
so report on usage, but it shouldn't actually stop working, if the network
connection isn't available.

You can blame, DDoS, hackers, network outages, the Russians, I don't care, it
doesn't cover up the fact that your system has a stupid design.

~~~
EugeneOZ
1\. Why russians? We actually neighbors (40 minutes from my home to Finland),
we like them and we prefer to be friends with them.

2\. Everybody can be smart after the case :) I'm sure now the'll design
something more safe.

~~~
saucetenuto
> we like them and we prefer to be friends with them.

How true is this? Every Finnish person I've ever met has mistrusted and feared
Russia.

~~~
EugeneOZ
100%. Russia is multi-national country and we have some nations inside country
that we don't like (sorry, but it's true), so I can say we like Finns even
more than some russians :) They have awesome vodka (much, much better than any
russian vodka), they are smart and friendly, not arrogant - awesome people. I
highly doubt any russian leader, even Putler, will try to offend them.

~~~
zzzcpan
Russia is like the only enemy Finland has at this point, it doesn't matter
whether you, personally, like them or not.

~~~
EugeneOZ
Bullshit. Do not read Soviet newspapers until dinner. It's not "just me".
Looks like you get your information from news portals which nobody read in
Russia because they are owned by government.

~~~
geoka9
The Russian military has been skirting/violating the Finnish airspace lately.
It's in the (Western) news.

~~~
EugeneOZ
They are violating somebody's airspace every week, nobody cares. It's just
political games of the current moment, it's not whole nation's decisions. Or
you think we call referendum before each airspace trespassing?

~~~
geoka9
I guess when Russia tried to invade them back in 1939 there was no referendum
and it wasn't a whole nation's decision either. Heck, you could even deem the
Russian people friendly towards the Finns (they were trying to free their
Finnish comrades from the capitalist yoke!). I don't think it made the Finns
any happier though.

What I CAN see is the glee on the Russian discussion boards whenever an
incident like that is mentioned in the news. It's either that or outright
denial blaming the Finns (British, Estonians, etc.) for making these claims up
out of "russophobia".

~~~
EugeneOZ
You will not believe, but yes! Putin is fan of Stalin and they both use
internal and external propaganda. And it may sound wild or ridiculous for you,
but there is official agency where people get salary for writing comments on
forums, youtube, facebook and other well-known public services. There was even
article about it in some western newspaper. And reaction of people: 2 guys
threw molotov cocktails to the window of that agency - that's our real
relation to Putin.

~~~
lisivka
So, I assume, when our army will start to bomb Moscow to throw out Putin
regime, you will be happy?

You said you are OK with event, which can cause a war, and you dislike Putin.

------
ge0rg
That sounds like either clueless reporting or an attempt at blame shifting.

The heating system of a building is not a typical DDoS target, and it's
improbable that somebody living outside of that building had a take against
the inhabitants, knew of the right IP(s) for that building, and the effect a
DDoS would have.

It's more plausible that the control system was designed so badly that
exposing it to the Internet (and the accompanying background noise from port
scanners, be it botnets, spammers or IoT malware) caused it to break down.

Then, the operators saw the effect of the misconfiguration and proclaimed it
was a DDoS, because you don't get fired for breaking down under a DDoS, as
opposed to having miserable IT security in place. This is similar to getting
hacked by "the Russians" (or other state-level evildoers) where it is widely
accepted that you just can't prevent such incidents.

~~~
zmb_
It is bad reporting. The systems in question were used as a part of launching
a DDoS attack, they were not the target of the attack. The high load then
caused the systems to crash repeatedly.

~~~
ge0rg
Do you have a better source for that? In the article it rather reads like the
control system was at the receiving end:

 _The systems that were attacked tried to respond to the attack by rebooting
the main control circuit._

~~~
shandor
Officials reported (sorry, no link) that they had "heavy reasons" to think
that the attack was

1) done by actual criminals 2) pointed elsewhere, and the heating system was
just one of the many systems used to initiate the attack.

They weren't more specific as to who attacked and who was the actual intended
victim, but they were pretty sure the heatimg systems going down was just
collateral.

Welcome to the Internet of Shit.

------
cesarb
In my experience, embedded systems tend to behave poorly when faced with large
amounts of traffic (normal traffic to these systems is tiny). I have once been
locked out of work due to an errant workstation flooding the network with
broadcast DHCP packets, which overloaded the embedded system which validates
the key cards and unlocks the door (later permanently solved by moving the
embedded system to its own firewalled VLAN).

As an aside: lovely Netscape favicon on that site.

------
protomyth
Perhaps, regardless of the convenience factor, we shouldn't hook critical
infrastructure to the internet.

~~~
oelmekki
<Insert battlestar galactica reference> :) [1]

One thing is sure: we won't ever make 100% secure networks. For now,
ransomware are few and only on a big scale, but they could indeed become a big
problem with IoT. I'm not exactly sure why we need to connect those devices to
the internet: sounds like a local network should be enough. And if we want to
send usage data to some kind of aggregation service, devices still can issue
POST requests to our connected desktop, or be bluetooth connected to our
mobiles.

[1] for those who didn't watch it, the battlestar galactica is one of the only
human spaceships not destroyed by robots, thanks to the fact its captain
always refused to connect the ship on the network

------
ryanlol
This was almost certainly a case of outgoing DoS, not incoming DDoS. Terrible
reporting.

Remote management hardware got infected with Mirai or the like.

~~~
SixSigma
I'm calling: Local newspaper, written in English by Finnish speaking Finns who
are not computer specialists.

~~~
ryanlol
The Finnish original wasn't any better.

~~~
invid_regent
hello Finnish IoT ddos expert

------
0xmohit
[Appears that this was submitted several times on HN before being noticed.]

It appears that it's been fixed.
[https://twitter.com/Symbiatch/status/796407575776526341](https://twitter.com/Symbiatch/status/796407575776526341)

Also see
[https://twitter.com/internetofshit/status/796405149501706240](https://twitter.com/internetofshit/status/796405149501706240)

------
akerro
Will botnet build of smart kettles and smart ovens burn houses, neighbourhoods
and cities?

~~~
jpalomaki
If we had large amount of devices like heaters and boilers attached to remote
control system it would be probably possible to cause major problems to the
electrical network by just turning the devices on and off in synchronised
fashion.

And actually this is not so far fetched, since there are already discussions
about making these devices smart and remotely controllable so that the utility
company could balance the electricity need.

~~~
akerro
That's related: [http://www.telegraph.co.uk/news/2016/10/03/no-more-
electrici...](http://www.telegraph.co.uk/news/2016/10/03/no-more-electricity-
surges-as-the-nation-switches-on-the-kettle/)

~~~
adrianN
Yet another end-of-civilization scenario: Netflix crashes -> kettles get
turned on -> the grid crashes -> looting, revolution etc etc

------
Raed667
In school we have studied a scenario that is exactly like this: "The effects
of IoT security on utility and daily life functions"

From hacking boilers to stop water delivery, to locking people outside their
doors.

The next few years will be very fun for "infoSec" people.

~~~
Ftuuky
Something like this could happen too:
[https://twitter.com/ariellejjohnson/status/79470832530046566...](https://twitter.com/ariellejjohnson/status/794708325300465664)

------
philfrasty
There is a great book with this exact topic called „Blackout“ by Marc Elsberg.
Highly recommend!

Edit: Amazon link
[https://www.amazon.com/dp/B01FCQLSPC](https://www.amazon.com/dp/B01FCQLSPC)

~~~
schlowmo
[little spoiler warning]

I wouldn't call it "this exact topic", since the primary attack vector in the
story are smart meters, but still can second your recommendation. The book is
highly based on a study founded by the german government[0], analyzing the
outcome of a great scale blackout. The study is also worth reading,
unfortunately only a german version is available.

[0] [http://www.tab-beim-
bundestag.de/de/untersuchungen/u137.html](http://www.tab-beim-
bundestag.de/de/untersuchungen/u137.html)

------
mmaunder
It's not long now until we see the first death directly attributable to a
cyber attack.

------
adaisadais
And so it begins!

