
posted by martyb on Thursday September 29 2016, @08:19AM
from the all-together-now dept.

I found the following story, which explains the nature of the DDoS threat facing us all. In the past, the main culprits of DDoS attacks were compromised computers, which partially resulted in the multi-million dollar business of antivirus programs and similar software. Nowadays, the source is more likely to be a compromised CCTV camera, DVR, or some other device on the IoT.

Last week, the hosting provider OVH faced a 1 Tbps DDoS attack, likely the largest one ever seen.

The OVH founder and CTO Octave Klaba reported the 1 Tbps DDoS attack on Twitter, sharing an image that lists the multiple sources of the attack.

Klaba explained that his company's servers were hit by multiple simultaneous attacks exceeding 100 Gbps, adding up to a 1 Tbps DDoS attack. One of the attacks documented by OVH reached 93 MMps and 799 Gbps.

Now Klaba has added further information on the powerful DDoS attacks: the CTO of OVH claimed that the botnet used by the attackers is powered by more than 150,000 Internet of Things (IoT) devices, including cameras and DVRs.

"This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn." — Octave Klaba / Oles (@olesovhcom) 23 settembre 2016

The bad news for OVH is that the attacks are still ongoing and the size of the botnet is increasing.


  • (Score: 2) by Farkus888 on Thursday September 29 2016, @09:33AM

    by Farkus888 (5159) on Thursday September 29 2016, @09:33AM (#407800)

    Does anyone have a plan for not being a part of one of these botnets? Is it better than just doing the updates and monitoring outbound traffic at the router? Routing rules that keep traffic from crossing the router to or from those devices defeat the purpose of having them so that is out. Not having cool tech just for fun is also unreasonable and not a valid solution.

  • (Score: 3, Insightful) by ticho on Thursday September 29 2016, @09:59AM

    by ticho (89) on Thursday September 29 2016, @09:59AM (#407807) Homepage Journal

    No, routing rules (or firewall rules) that by default keep traffic away from those devices are a damn good idea. Unless you're running a public service on them, keep them isolated.

    Just add rules that only allow _legitimate_ traffic to and from these devices. Also important is to restrict any new outgoing connection from these devices to the internet. These devices should at most reach out to your LAN, e.g. for backup purposes.

    • (Score: 2) by jimshatt on Thursday September 29 2016, @10:12AM

      by jimshatt (978) on Thursday September 29 2016, @10:12AM (#407811) Journal
      Some of those devices do automatic updates, which require internet connectivity. But the firewall could be restricted to only allow communication between the device and the update server. Of course, automatic updates are an attack vector as well, but not updating could also be risky.
      • (Score: 4, Interesting) by zocalo on Thursday September 29 2016, @10:34AM

        by zocalo (302) on Thursday September 29 2016, @10:34AM (#407819)
        A lot of these devices also upload data to the cloud for various reasons, not least of which is monetizing your data for the vendor. Needless to say, most of the vendors don't pick the big players like Amazon, Google and Microsoft for the cloud services provider, no, they pick the cheapest one. Good luck figuring out an outbound firewall for a random IoT device that requires a connection to some random cloud provider - that may or may not be over HTTP(s) - which doesn't include some sweeping wildcards. Unless the device provides, or the user can determine, a more precise set of requirements then realistically the only firewalling that is going to happen is on the level of whether network A can or cannot talk to network B and maybe, if you are really lucky, which protocols it's going to use for doing so - better than nothing, but not by much.
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 2) by Farkus888 on Thursday September 29 2016, @10:20AM

      by Farkus888 (5159) on Thursday September 29 2016, @10:20AM (#407816)

      A large part of the reason for IOT devices is checking in and making changes while away from home. Smart routing rules are a possibility depending on how predictable your IOT devices are but walling them off from the internet in general defeats the purpose of buying them.

      Just as an example, a smart thermostat like the nest is essentially already a bot device talking to a set of command and control servers to get its orders during normal operation. Does it connect out to the servers or do they initiate the connection? How many different IPs will it contact talking to those servers?

      Short of spending hours with a packet sniffer you are unlikely to ever be able to answer any of the questions that need answered to make a usable set of firewall and routing rules. In the case of something like the nest thermostat a set of rules that allows it to still work is likely to be so permissive as to be nearly pointless.

      • (Score: 1) by baldrick on Thursday September 29 2016, @03:21PM

        by baldrick (352) on Thursday September 29 2016, @03:21PM (#407952)

        when I used to set up IP cams they were behind a router with an OpenVPN server running on it

        --
        ... I obey the Laws of Physics ...
      • (Score: 2) by ticho on Thursday September 29 2016, @07:04PM

        by ticho (89) on Thursday September 29 2016, @07:04PM (#408068) Homepage Journal

        Nobody is forcing you to buy "Things" that are impossible to use securely. Also, you can either keep finding excuses why it's difficult to secure them, and why it's not worth it to even try, or you can try finding a way how to do it.

        • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @08:44PM

          by Anonymous Coward on Thursday September 29 2016, @08:44PM (#408113)

          Hear, hear. I think if I ever wanted to go IoT and give every lightbulb in the house an IPv6, I'd have to roll my own. Been looking at electronic/computing maker stuff lately thanks to a few links dropped elsewhere on this site and damn. Might be a bit bulky, but hell, it'd be secure and functional no matter what $big_valley_company's cloud is doing today.

  • (Score: 5, Interesting) by zocalo on Thursday September 29 2016, @10:12AM

    by zocalo (302) on Thursday September 29 2016, @10:12AM (#407812)
    I have a few devices that might be considered "IoT" - e.g. IP enabled and not a traditional computer or peripheral. My approach has been to put them on their own SSID/VLAN with a default deny policy on all outbound traffic, then whitelist what is required. Inbound access to this network is only permitted from specific hosts on my main LAN, and the specific ports required - access from the Internet is done via a VPN. Patching, when it can't be done by connecting a laptop with the necessary file on it to the IoT LAN, is done by adding a specific exception to the firewall and removing it again afterward.

    That's all far too complex for a non-technical user to even begin to grasp; there's no realistic way you can expect a non-technical user to even know where to begin on determining what external hosts a device might need access to, or how to go about setting up a VPN - assuming their provider and router would even let them do so. Clearly that's not a viable solution for the mass market, nor is it a viable solution for the technical market on a long term basis. I think we also need to assume that vendors are going to keep on pushing out insecure devices and then ignoring any security issues that might be discovered in them, so assuming that an IoT device is insecure by default needs to be the policy. The question then becomes where and how to apply that policy.

    If we assume "insecure by default", then my current thoughts on that are that the CPE router is probably the best bet despite it obviously being a less than ideal approach, and in that area the tools we currently have are distinctly lacking. Apparently the DDoS on Brian Krebs and OVH did not bother spoofing the source IPs; they just redirected a large volume of video data from cameras and DVRs at the targets, which negates the effect of BCP38 in this instance, but packet spoofing is still a major problem and vendors making BCP38 a simple and automatically configured setting based on its internal routing table would kill this at a stroke. Providing a dedicated "IoT" VLAN port and SSID, with a sane set of default firewall rules in there, would be another good step - the vendor isn't going to know what specific IPs might be required, but they can certainly do some broad brush strokes, then allow the user to tune them if they are able. I'm thinking something like a wizard on the router that you need to run after it detects a new device might help here; basic things like setting a device type (CCTV, DVR, kitchen appliance, PC etc.) to give the router some idea of what traffic types are likely and which network it belongs on, whether you need access *from* the internet, access *to* the Internet, whether it needs to talk to/from IoT and non-IoT networks, and so on might help a lot here.

    "How would you fix the IoT problem?" might be a good idea for an "Ask Soylent", come to think of it...
    --
    UNIX? They're not even circumcised! Savages!
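    zocalo's setup above (own VLAN, default-deny outbound, a whitelist of what each device needs, inbound only from specific LAN hosts) plus the BCP38 point about the CPE router can be written down as a generated nftables ruleset, which is roughly what the "wizard on the router" idea would emit. The following is an added example written for this page; it is not zocalo's configuration, nor any router vendor's code. The interface names iot0/lan0/wan0, the 192.168.50.0/24 IoT subnet, the device addresses and the 203.0.113.5 update host are all hypothetical, and the ruleset is IPv4 only.

```python
"""nftables ruleset generator for an isolated IoT VLAN.

Added example for this page, not zocalo's configuration and not any router
vendor's wizard. Interface names, subnets, device addresses and the update
host are hypothetical. IPv4 only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    ip: str
    # (host, proto, port) the device may reach on the Internet, e.g. its update server
    wan_allow: list = field(default_factory=list)
    # TCP ports that trusted LAN hosts may open on the device, e.g. 554 for RTSP
    lan_ports: list = field(default_factory=list)


# Hypothetical inventory: one cloud-connected camera, one LAN-only DVR.
DEVICES = [
    Device("porch-cam", "192.168.50.10", wan_allow=[("203.0.113.5", "tcp", 443)], lan_ports=[554]),
    Device("dvr", "192.168.50.20", lan_ports=[80, 554]),
]


def build_ruleset(devices, iot_net="192.168.50.0/24", iot_if="iot0", lan_if="lan0",
                  wan_if="wan0", admin_nets=("192.168.1.0/24",)):
    """Return nft(8) text: a forward chain with policy drop, then explicit allows."""
    net = ipaddress.ip_network(iot_net)
    local = [net] + [ipaddress.ip_network(a) for a in admin_nets]
    lines = [
        "table inet iot {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",  # replies to connections allowed below
        "    ct state invalid drop",
        # BCP38 at the CPE: anything leaving the IoT VLAN must carry an IoT VLAN source
        f'    iifname "{iot_if}" ip saddr != {net} drop comment "bcp38: spoofed source"',
    ]
    for dev in devices:
        ip = ipaddress.ip_address(dev.ip)
        if ip not in net:
            raise ValueError(f"{dev.name}: {dev.ip} is not inside {net}")
        for host, proto, port in dev.wan_allow:
            if any(ipaddress.ip_address(host) in n for n in local):
                raise ValueError(f"{dev.name}: WAN allow entry {host} is a local address")
            lines.append(
                f'    iifname "{iot_if}" oifname "{wan_if}" ip saddr {ip} ip daddr {host} '
                f'{proto} dport {port} accept comment "{dev.name}: outbound"'
            )
        for port in dev.lan_ports:
            for admin in admin_nets:
                lines.append(
                    f'    iifname "{lan_if}" oifname "{iot_if}" ip saddr {admin} ip daddr {ip} '
                    f'tcp dport {port} accept comment "{dev.name}: from LAN"'
                )
    lines += [
        # Anything else the IoT VLAN tries to initiate (to WAN or to LAN) is logged and dropped
        f'    iifname "{iot_if}" log prefix "iot-drop: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset(DEVICES), end="")
```

    Feed the output to `nft -f -`. The `established,related` rule is what lets the camera's replies back through once it has opened an allowed connection, so the device never needs a general outbound allow; the temporary "patching exception" zocalo describes is just a `wan_allow` entry added for the update, the ruleset regenerated, and the entry removed afterward. The router's own input chain (DHCP and DNS for the VLAN) is out of scope here.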
    • (Score: 2) by Farkus888 on Thursday September 29 2016, @10:36AM

      by Farkus888 (5159) on Thursday September 29 2016, @10:36AM (#407821)

      Network is right in my job title and I don't want to do any of that for my home network. Right now I periodically check outbound traffic when the network is idle, thankfully they aren't doing amplification much any more. An IDS could automate that and notify me but then I have to configure and manage an IDS. Realistically since I use a home grade router that means adding a computer physically in line and potentially adding lag to my games.

      • (Score: -1, Flamebait) by Anonymous Coward on Thursday September 29 2016, @10:45AM

        by Anonymous Coward on Thursday September 29 2016, @10:45AM (#407822)

        potentially adding lag to my games.

        Good news, gamer! Masturbation Simulator isn't affected by latency because it only uses the network to upload your high scores.

      • (Score: 3, Interesting) by zocalo on Thursday September 29 2016, @12:58PM

        by zocalo (302) on Thursday September 29 2016, @12:58PM (#407870)
        I don't *want* to do it either, but I think the sad state of privacy and security affairs makes it necessary to try, and it wasn't too hard in my case as I have a decent router & AP setup that does all the necessary bits - VPN termination, multiple VLANs & SSIDs, firewalling and wireless device isolation - out of the box via a fairly intuitive GUI; setting up the networks took about 5 minutes, and probably about the same again for the firewall rules. Also, while the devices are trying to talk to the Internet (AFAICT it's all legit stuff like checking for updates and so on), they actually don't *need* to, which also simplifies things considerably. I think it's like the 80:20 rule again; aiming for 100% security in a home router based solution is going to result in a confusing mess that won't hit the target anyway, but if you can trivialise and/or default the configuration of the 20% of features that solve 80% of the problems, then you've already made a huge difference.
        --
        UNIX? They're not even circumcised! Savages!
      • (Score: 3, Informative) by Scruffy Beard 2 on Thursday September 29 2016, @06:21PM

        by Scruffy Beard 2 (6030) on Thursday September 29 2016, @06:21PM (#408052)

        If you are putting a computer in the line anyway, use it as the router: it will probably be faster than whatever CPU your router uses.

        Of course, there is still technically some more latency if you disable DHCP and use the router as a switch. However, I suspect the extra routing speed of your computer will make up for it.

    • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @11:15AM

      by Anonymous Coward on Thursday September 29 2016, @11:15AM (#407831)

      for your question at the end: Nuke it from orbit, it's the only way to be sure.

      • (Score: 0) by Anonymous Coward on Friday September 30 2016, @04:58AM

        by Anonymous Coward on Friday September 30 2016, @04:58AM (#408251)

        A bucket of brine will do.

    • (Score: 2) by LoRdTAW on Thursday September 29 2016, @02:59PM

      by LoRdTAW (3755) on Thursday September 29 2016, @02:59PM (#407939) Journal

      Interesting setup. What router hardware and software are you using?

      "How would you fix the IoT problem?" might be a good idea for an "Ask Soylent", come to think of it...

      I agree. I'd love to see that happen.

  • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @10:15AM

    by Anonymous Coward on Thursday September 29 2016, @10:15AM (#407814)

    Yes, the plan is to have 128kbps of bandwidth. Anything unauthorized is immediately noticeable because it eats all the available bandwidth. Then you hunt it down and kill it.

    • (Score: 3, Insightful) by rob_on_earth on Thursday September 29 2016, @12:15PM

      by rob_on_earth (5485) on Thursday September 29 2016, @12:15PM (#407851) Homepage

      "Anything unauthorized is immediately noticeable because it eats all the available bandwidth."

      and find it's an iOS or XBOX one update or maybe a new free version of windows, or all three which are targeting multiple devices.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday September 29 2016, @01:16PM

    by Anonymous Coward on Thursday September 29 2016, @01:16PM (#407878)

    you want mitigation? isolate the camera to a separate VLAN that is not accessible from outside. Make a box with two network cards, put one input from the super secure VLAN in the box, and a normal uplink from your insecure VLAN. Connect to the box remotely, look at whatever, disconnect.

    For extra security, do not use remote management on the box, just have it in the _basement_, locked behind three sets of doors?
    I'd like to talk to the leet haxxor who can penetrate such a setup without copying the physical keys, kek.

    If you absolutely insist on putting the damn device on a network with people on it... Route all the addresses it talks to to 0.0.0.0? MITM, SSLstrip and/or proxy the fuck out of connections that originate from the device's port? Rewrite packets originating from the device and going outside to overwrite the payload with "FUCKYOUASSHOLES"? Patch the image of the firmware in memory to remove all IP addresses it talks to? If the image isn't validated by the device, or validated trivially by checking header length... Disassemble the image, replace the parts that initiate outbound connections by NOPs somehow, reassemble the image, flash it to the device? Replace the SSL certificates the device uses by the same method or by patching it in RAM directly?

  • (Score: 1, Interesting) by Anonymous Coward on Thursday September 29 2016, @02:26PM

    by Anonymous Coward on Thursday September 29 2016, @02:26PM (#407917)

    > Does anyone have a plan for not being a part of one of these botnets?

    In my spare time I've been working on a product that is sort of a "firewall as a service" - all of the devices that are not speed or latency critical get their traffic sent to a central "router in the cloud." At that point we do all kinds of traffic analysis to keep them from misbehaving. For example, no outbound traffic except with their own known servers, no inbound traffic on any suspicious ports, etc. It also has the side benefit of being a big traffic mix-master, so anyone trying to cross-reference the traffic from multiple devices to profile the users in the home gets a ton of noise in the data because it's mixed in with thousands of other users.

  • (Score: 2) by bob_super on Thursday September 29 2016, @04:48PM

    by bob_super (1357) on Thursday September 29 2016, @04:48PM (#408005)

    Easy: Change the password!

    Really. The botnet guys don't bother to run advanced cracking techniques. Using the default passwords for various devices, which are often blank, you can build an army of little bots.
    If you don't have the default passwords, or are behind a basic firewall, then your bandwidth is not worth the time.

    Remember: You don't have to outrun the bear...

    • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @10:03PM

      by Anonymous Coward on Thursday September 29 2016, @10:03PM (#408132)

      > Remember: You don't have to outrun the bear...

      It doesn't work like that online.

      All it takes is to find one exploit and then that exploit can be automated to attack hundreds of millions of devices. Changing the default password just stops the laziest attackers. But a default password is functionally no different than any other vulnerability. Once the exploit is identified the specific details don't matter.

  • (Score: 4, Interesting) by mcgrew on Thursday September 29 2016, @04:49PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Thursday September 29 2016, @04:49PM (#408007) Homepage Journal

    Yes, don't put your car, fridge, furnace, stove on the internet. IoT is a stupid idea for most things. Security cameras? Yeah, they need the internet. Perhaps there should be a hefty fine for producing internet things with poor or nonexistent security?

    --
    mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 1, Touché) by Anonymous Coward on Thursday September 29 2016, @05:11PM

    by Anonymous Coward on Thursday September 29 2016, @05:11PM (#408020)

    Nope, I'll count on getting more bandwidth, greater redundancy, and less personal responsibility for what happens in my local network. That'll take care of it.
    Well, that's been the Internet's collective answer on how to deal with it so far, isn't it?

  • (Score: 2) by dmc on Friday September 30 2016, @06:33AM

    by dmc (188) on Friday September 30 2016, @06:33AM (#408269)

    Is it reasonable to be notified by your ISP (who was notified by a victim) that you have a malfunctioning device, and that if you want to use it on their network you are going to have to get it fixed? Sort of like if the bottom of your bowling shoes were so scratched up that they were damaging the floor of the bowling alley. I'm pretty sure it's unreasonable to expect the bowling alley to allow you to damage their business so you can have the fun of knocking over some of their pins.

    • (Score: 2) by Farkus888 on Friday September 30 2016, @07:11AM

      by Farkus888 (5159) on Friday September 30 2016, @07:11AM (#408273)

      Port scan a big range of IPs and Comcast will notify you, or at least they used to. I don't let noobs have as long a leash with nmap any more.

      This looks like there was a lot of SYN flooding in this attack, unless I am misreading the broken English. There are toys to close those connections if you are the victim but they aren't home user ready. I don't know of anything that can easily be configured to watch into your own network for those kind of shenanigans.
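      Farkus888 periodically eyeballs outbound traffic when the network is idle and knows of nothing that watches the home LAN for this kind of thing. One automated version of that check, as an added example that is not code from the thread or from any product: per-source, per-second counters, flagged when an IoT device either exceeds a packet rate that a video stream never reaches, or pushes a lot of data at a destination it was never expected to talk to. The second rule matters because, as zocalo notes, the OVH flood was partly real video data (tcp/ack+psh) rather than tiny packets. The input format ("ts src dst proto flags pkts bytes", one line per second per flow) is a simplified summary one would derive from a router's flow or conntrack accounting; the flow lines, the expected-destination map and the thresholds below are all constructed for illustration. The three patterns from Klaba's tweet (tcp/ack, tcp/ack+psh, tcp/syn) appear as flags A, AP and S.

```python
"""Flag an IoT device on the LAN that has started flooding.

Added example for this page, not code from the thread. The flow summary,
the expected-destination map and the thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# A camera streaming 30 Mbps of ~1400-byte packets is roughly 2,700 pps; a
# 30 Mbps SYN/ACK flood of 60-byte packets is above 60,000 pps.
PPS_THRESHOLD = 10_000
# More than ~8 Mbps in one second to a host the device should never talk to.
BYTES_UNKNOWN_DST = 1_000_000

# Where each IoT device is expected to send traffic (hypothetical addresses).
EXPECTED_DST = {
    "192.168.50.10": {"203.0.113.5"},    # cloud camera: its vendor's upload host
    "192.168.50.11": {"203.0.113.5"},    # second camera, same vendor
    "192.168.50.12": {"192.168.1.20"},   # LAN-only camera: records to the NVR
}

# Constructed per-second flow summary: ts src dst proto flags pkts bytes
SAMPLE_FLOWS = """\
1475136000 192.168.50.10 203.0.113.5 tcp AP 12 9600
1475136000 192.168.50.11 198.51.100.7 tcp S 40000 2400000
1475136000 192.168.50.11 198.51.100.7 tcp A 30000 1800000
1475136000 192.168.50.12 192.168.1.20 tcp AP 2000 2400000
1475136001 192.168.50.11 198.51.100.7 tcp S 45000 2700000
1475136001 192.168.50.10 203.0.113.5 tcp AP 15 12000
1475136002 192.168.50.11 198.51.100.7 tcp A 38000 2280000
1475136002 192.168.50.12 198.51.100.9 tcp AP 1200 1680000
1475136002 192.168.1.40 198.51.100.7 tcp AP 500 40000
"""


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    dst: str
    pkts: int
    reason: str


def parse_flows(text):
    """Yield (ts, src, dst, proto, flags, pkts, bytes); blank and # lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, flags, pkts, nbytes = line.split()
        yield int(ts), src, dst, proto, flags, int(pkts), int(nbytes)


def detect(text, expected=EXPECTED_DST, pps_threshold=PPS_THRESHOLD,
           unknown_bytes=BYTES_UNKNOWN_DST):
    """Return Alerts, one per (second, source) over the rate limit plus one per
    unexpected destination that received a large volume in that second."""
    # (ts, src) -> dst -> [packets, bytes, set of proto/flags seen]
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0, set()]))
    for ts, src, dst, proto, flags, pkts, nbytes in parse_flows(text):
        if src not in expected:          # only the IoT segment is under watch
            continue
        entry = buckets[(ts, src)][dst]
        entry[0] += pkts
        entry[1] += nbytes
        entry[2].add(f"{proto}/{flags}")

    alerts = []
    for (ts, src), dsts in sorted(buckets.items()):
        total = sum(e[0] for e in dsts.values())
        top_dst, top = max(dsts.items(), key=lambda kv: kv[1][0])
        if total >= pps_threshold:
            avg = top[1] // max(top[0], 1)
            alerts.append(Alert(ts, src, top_dst, total,
                                f"{total} pps, {', '.join(sorted(top[2]))} ({avg} B/pkt)"))
            continue
        for dst, (pkts, nbytes, _flags) in dsts.items():
            if dst not in expected[src] and nbytes >= unknown_bytes:
                alerts.append(Alert(ts, src, dst, pkts,
                                    f"{nbytes} bytes to unexpected destination"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

      On the sample, 192.168.50.11 trips the rate rule three seconds running (small SYN and ACK packets at one target, 60 bytes each), while 192.168.50.12 is caught only by the destination rule: its packet rate is normal for video, but 1.6 MB in a second to a host outside its allow list is not. The host on 192.168.1.40 is ignored because it is not an IoT device. A real deployment would feed it from the router's flow export rather than a string, and would alert on the device rather than on the second.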