KrebsOnSecurity hit by same IoT botnet that hit a record DDoS on Cloudflare(twitter.com)
twitter.com
KrebsOnSecurity hit by same IoT botnet that hit a record DDoS on Cloudflare
https://twitter.com/briankrebs/status/1436309299131789326
37 comments
IoT device manufacturers should be sued for negligence.
You mean the manufacturers based in china that have little in the way of assets, and might disappear before the issues become apparent?
AFAICS, this attack is running on Microtik routers. Mikrotik is a Latvian company. They are successfully competing with Cisco and Juniper in feature-set and performance at a fraction of a price.
The thing is, they provided a large, under-educated user base with powerful, complex and utterly sophisticated tools.
That the attacker targeted those and not less numerous and better guarded mainstream manufacturers only pays tribute to the success of Mikrotik.
The thing is, they provided a large, under-educated user base with powerful, complex and utterly sophisticated tools.
That the attacker targeted those and not less numerous and better guarded mainstream manufacturers only pays tribute to the success of Mikrotik.
> The thing is, they provided a large, under-educated user base with powerful, complex and utterly sophisticated tools.
Do you think the expensive manufacturers don’t do that? I’ve seen un-configured, un-updated, EoL Cisco equipment. Small businesses get sold it because it’s “the best”, but they don’t actually need anything nearly that complicated and don’t want to pay the ongoing costs so you end up with things like managed switches being used like you’d use a dumb switch that’s 1/10th of the price.
Do you think the expensive manufacturers don’t do that? I’ve seen un-configured, un-updated, EoL Cisco equipment. Small businesses get sold it because it’s “the best”, but they don’t actually need anything nearly that complicated and don’t want to pay the ongoing costs so you end up with things like managed switches being used like you’d use a dumb switch that’s 1/10th of the price.
>I’ve seen un-configured, un-updated, EoL Cisco equipment.
I was in a server room a couple of years ago that looked like a Cisco museum, with some of the kit dating back to the early 2000s. When I mentioned that running a business on gear that had been EoL'd for a decade+ wasn't quite up to security best practices my contact shrugged and said they wouldn't be updating any of it in any case since they'd long since lost all of their access passwords.
I was in a server room a couple of years ago that looked like a Cisco museum, with some of the kit dating back to the early 2000s. When I mentioned that running a business on gear that had been EoL'd for a decade+ wasn't quite up to security best practices my contact shrugged and said they wouldn't be updating any of it in any case since they'd long since lost all of their access passwords.
I trashed my Microtik router as soon as I started seeing my bandwidth jump and a lot of traffic from Isreal a few years ago. There was no mitigation of whatever was going on and clearly there were issues...turns out Microtik's RouterOS had multiple vulnerabilities. Ubiquiti on the other hand has been more than adequate for my needs and is even easier to setup than Microtik.
https://www.cvedetails.com/product/23641/Mikrotik-Routeros.h...
https://www.cvedetails.com/product/23641/Mikrotik-Routeros.h...
Ubiquity tarnished its image with the leak of client credentials from its Cloud offering.
No doubt that was concerning. That hack (not really a leak) sounds like it was due to an AWS issue and probably someone with intricate knowledge of their systems. Eventually they responded, but not until a whistleblower called them out first (thanks to their legal team holding them back from disclosing the event).
You forgot to include your affiliate link.
I am unaffiliated irregular customer They have great hardware, but I prefer rinning OpenWRT on their hardware.
Step 1: Require commercial IoT to meet software compliance
Step 2: Ban IoT that doesn't meet software compliance
Step 3: Pray that the compliance standard makes any sense and that the NSA don't require backdoors or suspect CRNG.
Step 2: Ban IoT that doesn't meet software compliance
Step 3: Pray that the compliance standard makes any sense and that the NSA don't require backdoors or suspect CRNG.
If it is Chinese companies, then presumably a lot of those devices are in China as well. Wondering whether they might be used to bring down the Great FireWall of China. At least any attempt might force the Chinese government to crack down on the manufacturers to improve device security.
Or, mandatory 3rd party liability insurance for anyone operating an internet connection. Insurance premium discounts for running only security-audited devices.
Users shouldn't be punished by the negligence of manufacturers. Sure the majority of HN will know to ensure they run secure products or something, but you can't expected nana to know that. She just wants to talk to some device to help her a little.
A good way to teach people to run secure products is to charge them more for running insecure products.
The general public can’t distinguish between secure and insecure products, but they can read a list of products that are covered by the $0.99/month insurance plan, and anything not on that list you need the $1.99/month plan.
DDoS victims can then make a claim against the insurance companies (who own the liability arising from each IP address; ISPs can de-NAT), a court can evaluate the evidence if necessary, and the insurance providers pay out.
N.B. It’s actually experts who would be penalized most by this scheme, because if you do something like run a customized FreeBSD box, it’s unlikely to appear on the audited-device list.
The general public can’t distinguish between secure and insecure products, but they can read a list of products that are covered by the $0.99/month insurance plan, and anything not on that list you need the $1.99/month plan.
DDoS victims can then make a claim against the insurance companies (who own the liability arising from each IP address; ISPs can de-NAT), a court can evaluate the evidence if necessary, and the insurance providers pay out.
N.B. It’s actually experts who would be penalized most by this scheme, because if you do something like run a customized FreeBSD box, it’s unlikely to appear on the audited-device list.
> N.B. It’s actually experts who would be penalized most by this scheme, because if you do something like run a customized FreeBSD box, it’s unlikely to appear on the audited-device list.
The "audit" can be as simple as the insurance company running automated pentests trying published exploits and passwords.
That would still achieve the desired goal (the majority of botnets spread via well-known vulnerabilities and/or bruteforced credentials, custom equipment where manual effort is needed on the attacker's part are a minority) while allowing enthusiasts to run custom hardware.
The "audit" can be as simple as the insurance company running automated pentests trying published exploits and passwords.
That would still achieve the desired goal (the majority of botnets spread via well-known vulnerabilities and/or bruteforced credentials, custom equipment where manual effort is needed on the attacker's part are a minority) while allowing enthusiasts to run custom hardware.
How can a home user protect themselves from this, when most manufactures only release a very, shockingly small number of firmware updates, and don't notify users of the updates?
The current state of affairs arises because insecurity is an externality that is not considered by consumers. As soon as security has a monetary value, consumers will start to demand it and manufacturers will start to meet that demand.
IMHO this would be an easier problem to address with a voluntary body that coordinates among ISPs or (cringe) a govt. agency.
I worked for a popular service that regularly received DDoS attacks from botnets. We had logs with the IPs of tens of thousands of vulnerable devices. If you scanned them you could see the vast majority were compromised routers, VPNs, or IoT devices. Most of them had open proxies installed and were easy to identify as compromised. For the larger ones we could reach out and get them shut down (usually). But we didn't have time to contact thousands of ISPs.
I would've been happy to forward those logs, even with verification of compromise, to an independent body that could follow up and get them shut down. Even if a small fraction of ISPs didn't comply it would still remove the majority of compromised devices. Most of the companies we contacted were more than happy to get rid of problematic hosts and acted quickly. They just didn't have the expertise to monitor for such things themselves.
It would all have to be voluntary, of course, but it could be done.
This is the type of thing that I think CERT was originally intended for, but for whatever reason doesn't seem to handle.
I worked for a popular service that regularly received DDoS attacks from botnets. We had logs with the IPs of tens of thousands of vulnerable devices. If you scanned them you could see the vast majority were compromised routers, VPNs, or IoT devices. Most of them had open proxies installed and were easy to identify as compromised. For the larger ones we could reach out and get them shut down (usually). But we didn't have time to contact thousands of ISPs.
I would've been happy to forward those logs, even with verification of compromise, to an independent body that could follow up and get them shut down. Even if a small fraction of ISPs didn't comply it would still remove the majority of compromised devices. Most of the companies we contacted were more than happy to get rid of problematic hosts and acted quickly. They just didn't have the expertise to monitor for such things themselves.
It would all have to be voluntary, of course, but it could be done.
This is the type of thing that I think CERT was originally intended for, but for whatever reason doesn't seem to handle.
Something like https://www.spamhaus.org/xbl/ ?
I wonder if there are other RBLs worth subscribing to and blocking.
As an end user with a compromised device, it might be frustrating though... but then they probably should know and do something about it.
I wonder if there are other RBLs worth subscribing to and blocking.
As an end user with a compromised device, it might be frustrating though... but then they probably should know and do something about it.
Can someone point to explanation on IoT botnets / what happened with Cloudflare / how they differ from regular DDoS
high-level IoT botnet explanation: Imagine you discovered a massive flaw in a robot vacuum/video doorbell/smart fridge/wi-fi connected blender/router/etc, where it would accept and execute any command you sent it.
Next you come up with some way to discover and exploit as many of these devices as you can. It could be by finding all IP addresses of exposed devices via something like Shodan, or exploiting and taking over a centralized server that all these devices communicate with, or some other novel way.
Anyways, once your in control of all these devices, you pick a target URL and send a command to all your devices to start CURLing a specific address over and over and over.
Boom, you have a IoT botnet for DDoS attacks.
Next you come up with some way to discover and exploit as many of these devices as you can. It could be by finding all IP addresses of exposed devices via something like Shodan, or exploiting and taking over a centralized server that all these devices communicate with, or some other novel way.
Anyways, once your in control of all these devices, you pick a target URL and send a command to all your devices to start CURLing a specific address over and over and over.
Boom, you have a IoT botnet for DDoS attacks.
Some details are here: https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddo...
Does Cloudflare provide any reporting or notification to AS' or ISPs (abuse@ emails or webhook subscriptions, for example) where rouge devices are connected for triage and handling with their customers?
TLDR: Botnets composed of compromised IoT devices with low processing power like routers (are routers really IoT devices?) and security cameras, mostly compromised by their use of default baked-in credentials, instead of conventional botnets made up of conventional Windows desktops.
I think it's safe to consider routers IoT devices, but I would suggest that basically any independent embedded device is an IoT device. Literally any "smart home" device can get silently taken over and become part of a DDOS network.
They typically need exposure to the internet though, right? Or are they taking over e.g. update-delivery servers for IoT stuff and delivering their software that way?
That is one way. Generally there are several vectors when it comes to exploits.
Like, is the git repo secure? Can we add code that allows a backdoor or reaches out to a command-and-control server? Or how are their packages secured? Can we upload a malicious one to their package repo? Is the distribution server secure? Are the devices exposed directly to a WAN? Can we sell knock-off devices or modify legit devices before we resell them? Can we design them from the beginning to be exploitable? Were the engineers lazy and implement zero security controls? etc, etc...
This is why defensive security is rather difficult. You have to get everything right, but attackers only have to be right one time. Then when you get consumers involved, it becomes significantly more complicated and difficult. Some of these devices can stay active for years, and the owners realize no difference as long as it still works as expected.
Like, is the git repo secure? Can we add code that allows a backdoor or reaches out to a command-and-control server? Or how are their packages secured? Can we upload a malicious one to their package repo? Is the distribution server secure? Are the devices exposed directly to a WAN? Can we sell knock-off devices or modify legit devices before we resell them? Can we design them from the beginning to be exploitable? Were the engineers lazy and implement zero security controls? etc, etc...
This is why defensive security is rather difficult. You have to get everything right, but attackers only have to be right one time. Then when you get consumers involved, it becomes significantly more complicated and difficult. Some of these devices can stay active for years, and the owners realize no difference as long as it still works as expected.
Are there any traffic pattern you can watch for on a router/firewall to detect these coming from your network?
Disabling outbound connections from things that have no business talking to the outside is a great coarse-grained approach.
I have a stereo component and a couple other things that I'll periodically allow to check for updates and then re-enable the blocks. If you have things like surveillance speakers that require a mothership to function, exceptions for those endpoints would of course be needed.
I have a stereo component and a couple other things that I'll periodically allow to check for updates and then re-enable the blocks. If you have things like surveillance speakers that require a mothership to function, exceptions for those endpoints would of course be needed.
Many IoT devices refuse to work if they're not allowed to "phone home".
Someone recently gifted me an RGB lightbulb which demanded to be added to my WiFi network to set it up. None of the functions would work without the lightbulb being connected to the internet, even after setup (except on/off). The bulb would only take commands from the remote server! Infuriating. They also used some TLS so it wasn't straight-forward to spoof the packet.
It's been collecting dust not being plugged in since then. I feel bad not using it, and didn't tell my friend who gifted it to me. But I'm not going to let that thing run in my network sending usage statistics to the company. Or worse, get exploited. The lightbulb runs a web server, for fucks sake. What a dilemma.
Someone recently gifted me an RGB lightbulb which demanded to be added to my WiFi network to set it up. None of the functions would work without the lightbulb being connected to the internet, even after setup (except on/off). The bulb would only take commands from the remote server! Infuriating. They also used some TLS so it wasn't straight-forward to spoof the packet.
It's been collecting dust not being plugged in since then. I feel bad not using it, and didn't tell my friend who gifted it to me. But I'm not going to let that thing run in my network sending usage statistics to the company. Or worse, get exploited. The lightbulb runs a web server, for fucks sake. What a dilemma.
The Netherlands has the National Scrubbing Center against DDoS attacks NaWas https://www.nbip.nl/en/nawas/faq/. It is a non-profit.
> The NaWas infrastructure is designed as an on-demand service. After detecting an attack, the traffic is routed via BGP to the NaWas hardware and then the mitigation process starts. All traffic is then rerouted and the own connections can thus manage with less capacity
> NaWas has a BGP session with the participants on the clean side (with IXPs) on a private VLAN. A member can redirect a specific prefix or / 24 by advertising that prefix on the NaWas BGP session. NaWas advertises the prefix on our upstreams (transits & peering). So the trigger for redirecting is done manually or automatically by the participants.
They handle on average 9 attacks per day. Italy is following suite and setting up a similar organization.
> The NaWas infrastructure is designed as an on-demand service. After detecting an attack, the traffic is routed via BGP to the NaWas hardware and then the mitigation process starts. All traffic is then rerouted and the own connections can thus manage with less capacity
> NaWas has a BGP session with the participants on the clean side (with IXPs) on a private VLAN. A member can redirect a specific prefix or / 24 by advertising that prefix on the NaWas BGP session. NaWas advertises the prefix on our upstreams (transits & peering). So the trigger for redirecting is done manually or automatically by the participants.
They handle on average 9 attacks per day. Italy is following suite and setting up a similar organization.
Brian gets all the love.
What’s politically being done against (IoT) botnets? Are members of such forced to take their devices offline?
Is there larger scale accessible research on these botnets and the devices they affect?
Is there larger scale accessible research on these botnets and the devices they affect?