DDoS Attacks against Dyn

Yesterday's DDoS attacks against Dyn are being reported everywhere.

I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know much of anything about the attacks.

If I had to guess, though, I don't think it's China. I think it's more likely related to the DDoS attacks against Brian Krebs than the probing attacks against the Internet infrastructure, despite how prescient that essay seems right now. And, no, I don't think China is going to launch a preemptive attack on the Internet.

Posted on October 22, 2016 at 8:47 AM • 67 Comments

Comments

Mike Malicious • October 22, 2016 9:03 AM

I'm wondering why the attacks are against a DNS service provider, not some other target.

Is it possible (even theoretically) to launch a Man in the Middle attack against SSL (or other secure protocol) by temporarily disabling DNS in order to inject false DNS info?

GB • October 22, 2016 9:41 AM

"I'm wondering why the attacks are against a DNS service provider, not some other target."

The research arm of Dyn (formerly known as Renesys) had been involved in investigating the attack against Brian Krebs's website, and one of their team had recently given a talk at NANOG about the attack. So it would not be inconceivable that the attack against Dyn was in retaliation to that.

LtDan • October 22, 2016 9:48 AM

I have concerns that this attack is being initiated by the US intelligence services in order to blame on Russia and to distract from the Wikileaks data being dumped. The rhetoric and geopolitical situation currently is simply insane on the side of the United States.

The US has even painted F18s like Russian fighters (which look almost identical in shape, and now in color) presumably so they can bomb civilian targets and blame it on Russia. Do a web search if you don't believe me. It's like a group of people in Washington are trying as hard as they might to start WWIII. They have no ethics and will do whatever necessary in search of their ends including faking a cyber attack.

James Dale • October 22, 2016 10:01 AM

Most likely, after Europe with Russia created a crater 15x40 meters on the surface of Mars with their "probe", Martians are only trying to communicate with us. Blame the ESA in the first place!

Jacob • October 22, 2016 10:21 AM

There is no reason that IoT should use the same ports as standard web applications.

If the professional internet bodies, with the support of national standards bodies, would mandate specific ports for such devices, e.g. 81 for web access, 24 for FTP, 54 for DNS requests, and these would be firmware locked, it would be easier to contain future attacks.

The DNS servers should be set up on that proposed port and must be set up and run by any vendor that sells more than x IoT pieces per year.

If national/int'l organizations (like the FCC and IEC) can do that for RFI, other bodies (IETF?) can do the same with the internet.

I would go a step further, and divide the IoT devices to groups - life support, commercial/industrial control/monitoring, personal monitoring, entertainment etc, where each group would have its own ports group - locked by firmware.

LtDan • October 22, 2016 11:04 AM

@Steve. I assume you're categorizing my comment as "tin foil hat". If you were at all paying attention, you wouldn't find such ideas so ridiculous. The government has basically said as much around many other areas in leaked or FOIA documents. Drop your bias and look at the data and you may change your tune.

The fact is, the US government is just as much or greater cyber and physical threat to people of the world and its own citizens than Russia or China. They regularly have done despicable things and blamed it on some other country. There's been plenty of "conspiracy theories" in Syria that are now officially conspiracy fact with plenty of data to back it up. Virtually all wars of the last 50 years have been started based on verified lies i.e. Gulf of Tonkin.

Most Americans have become so incredibly stupid they cannot distinguish reality from the fiction peddled by their criminal leaders.

Net: Consider the US government as a serious cyber threat to your organizations. Do not make the mistake of giving them access to critical infrastructure. They have no qualms about murdering a bunch of people in furtherance of their agenda.

joachim • October 22, 2016 11:13 AM

@LtDan the takeaway from your comment is that: "We'd be safer by abandoning all HW/SW that has been created by a US corp (or simply its involvement)?"
... Sounds pretty tin-foily to me.

Anorlunda • October 22, 2016 11:42 AM

I don't understand how the victims mitigate DDOS attacks.

They could put all the IP addresses of those bots in a black list. But wouldn't that leave the bots free to transmit for eternity, soaking up Internet bandwidth?

Also, any solution that involves changing regulations and standards must address the millions of existing bots already out there. Who has the authority to physically confiscate them?

LtDan • October 22, 2016 12:09 PM

@joachim,

I am not saying don't use US corp products. I'm saying be very cautious and don't trust vendor x for all security. Use defense in depth principles overlapping security products, monitor everything heavily for anomalous behavior. And for goodness sake, don't allow government people access into your systems in cases of critical infrastructure or an attractive target of any kind.

Based on my read of the Snowden documents, many exploits for various pieces of hardware could be detected by another vendor (Cisco vs. Palo Alto, etc.). My point is, trust nobody. Their incentives (vendors, governments, competitors) are rarely aligned with yours.

Snarki, child of Loki • October 22, 2016 12:10 PM

Anorlunda: "any solution that involves changing regulations and standards must address the millions of existing bots already out there. Who has the authority to physically confiscate them?"

Oh, you don't need to confiscate them. Just send them a "Ping of Death".

Post your IP and I'll show you.

Jason • October 22, 2016 1:10 PM

@LtDan

I find it's generally more accurate to blame disaster and destruction on incompetence and ignorance than deliberately planned malice. Human frailties and failures are more than enough to explain our world's problems, without needing to descend into Machiavellian Illuminati controlling everything.

People all too often hear and see what they want. That's true of most *everyone*. Conspiracy theorists on the internet see planes for "Aggressor" squadrons painted in the colors of the units they're (openly) pretending to be and assume the worst. (Never minding that it's SOP, and we *are* trading threats and waving sabers with the Russians.)

Likewise, confused events generate spurious reports of conflict at sea. And then politicians who think war is a good idea (for reasons that may be selfish or selfless) use it as a casus belli.

And no one ever wants to lose face, change their minds to their own disadvantage, or admit they were wrong. And things snowball until you get an avalanche.

John • October 22, 2016 1:25 PM

Perhaps the DNS infra needs to be a bit more distributed.
Wouldn't it be great if ISPs could have their own DNS resolving-servers secondary major DNS providers?
Sales-wise it would be beneficial as they could claim that they were able to protect their users from this kind of service denial.
One of these days I'll get to set up my own resolver, so that if it fails to resolve an IP address, it'll go back to the last one it did manage to get, even if its cache time is exceeded.
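The fallback John describes here, a resolver that keeps handing out the last answer it obtained when the upstream can no longer be reached, is the behaviour RFC 8767 later standardised as "serve-stale". What follows is an added example, not code from this post or from any resolver project: a small Python cache whose upstream resolver, clock, name and address are all constructed stand-ins, with the stale window bounded so the device eventually stops serving a dead answer.

```python
"""Serve-stale resolver cache: when the upstream (e.g. a DNS provider under
DDoS) stops answering, keep returning the last good answer even though its
TTL has expired, up to a bounded maximum staleness.

Added example with a simulated upstream and clock; the name and address are
constructed (203.0.113.0/24 is a documentation range)."""
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Upstream resolver timed out or is unreachable."""


@dataclass
class CacheEntry:
    answer: list            # resource records, here just address strings
    ttl: int                # seconds the answer is fresh
    stored_at: float        # clock value when it was fetched

    def fresh(self, now: float) -> bool:
        return now < self.stored_at + self.ttl


class ServeStaleResolver:
    # Hard cap on how long an expired answer may still be served; RFC 8767
    # recommends a limit on the order of days. One day is assumed here.
    MAX_STALE = 24 * 3600

    def __init__(self, upstream, clock=time.time):
        self.upstream = upstream    # callable: name -> (answer, ttl)
        self.clock = clock
        self.cache = {}             # name -> CacheEntry
        self.stale_served = 0       # worth graphing: a spike means upstream trouble

    def resolve(self, name: str):
        """Return (answer, source) where source is 'cache', 'upstream' or 'stale'."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry.fresh(now):
            return entry.answer, "cache"
        try:
            answer, ttl = self.upstream(name)
        except UpstreamUnavailable:
            # An expired entry beats no entry, but only for a bounded time.
            if entry is not None and now < entry.stored_at + entry.ttl + self.MAX_STALE:
                self.stale_served += 1
                return entry.answer, "stale"
            raise
        self.cache[name] = CacheEntry(answer, ttl, now)
        return answer, "upstream"


class SimulatedUpstream:
    """Stand-in for the upstream resolver; flip `down` to simulate an outage."""

    def __init__(self, records: dict):
        self.records = records
        self.down = False

    def __call__(self, name: str):
        if self.down:
            raise UpstreamUnavailable(name)
        return self.records[name]


class FakeClock:
    """Controllable clock so the scenario below is deterministic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through: fresh fetch, cache hit, outage with stale answer, stale cap."""
    clock = FakeClock()
    upstream = SimulatedUpstream({"shop.example": (["203.0.113.10"], 300)})
    resolver = ServeStaleResolver(upstream, clock)
    out = {}
    out["first"] = resolver.resolve("shop.example")            # goes upstream
    clock.advance(100)
    out["second"] = resolver.resolve("shop.example")           # TTL 300 not yet over
    upstream.down = True                                       # provider goes dark
    clock.advance(300)                                         # now past the TTL
    out["during_outage"] = resolver.resolve("shop.example")    # stale, but usable
    clock.advance(ServeStaleResolver.MAX_STALE)                # beyond the stale cap
    try:
        out["too_old"] = resolver.resolve("shop.example")
    except UpstreamUnavailable:
        out["too_old"] = None                                  # finally give up
    out["stale_served"] = resolver.stale_served
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `stale_served` counter is the operational signal: a resolver that suddenly starts answering from stale data is telling you that whichever upstream it depends on is in trouble, which is worth alerting on long before users notice.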


Stix N. Stonnes • October 22, 2016 3:07 PM

I did a cursory search to find a roll-your-own way to detect and defeat the Mirai trojan.

Instead I found 3 or 4 places to download the malware itself for personal use, easily. Of course there were several sites promoting their own non-specific versions of malware repair apps which may or may not be legitimate or might be malware themselves.

I did find out that device default passwords are a huge issue regarding this particular exploit. Seems folks aren't interested in changing the default sign-in of, say, admin/12345.

So, for those interested, the best thing to do is change the password on the baby cam or whatever.

But, so many devices are out there now in IoT realm, tv, dvd, ip cams, etc.

Basically most people, governments and corporations aren't interested or motivated to defeat this kind of exploit, even if it only means taking 30 seconds to change a password, or in the case of government and corporations getting out the word to the world to:

CHANGE the DEFAULT password on EVERYTHING.

albert • October 22, 2016 3:31 PM

@LtDan,

You're wasting your time on these guys. These are standard propaganda techniques.

hawk: That Wikileaks stuff is all fake. Brilliant job 'creating' Hil'rys emails.

Steve: that 'tin-foil hat' comment doesn't follow from anything you said. It's just trolling.

joachim: His 'take away' doesn't follow from anything you said. If that's the extent of his reading comprehension, then he's beyond hope.

Jason: Very naive. Militaries -do- make mistakes in battle, but the -engagements- are preplanned and deliberate. So are the policies.

By any objective standard, the US State Dept is run by psychopaths.

. .. . .. --- ....

Eric • October 22, 2016 3:42 PM

The core issue that I see is that nobody "owns" this. Meaning that consumers don't really care that their baby monitor is doing this - they have no idea and all they know is that the price was low.

The ISPs generally don't care. And by that I mean that some do, but many don't. They see their job as just delivering packets. Inspecting the packets is something that many are reluctant to do, and even if they were willing it requires resources.

The higher level people on the internet are bearing the brunt of it. In some ways the argument in the past just was that all that is needed are fatter pipes, but those fatter pipes are expensive, and I can't see investing in fatter pipes just to work around DDOS.

I watched the talk from NANOG, and it was kind of interesting. It had a lot to do with BGP hijacking, and one provider did this - they claim as a defensive measure since they were under attack. Virtually everyone in the audience felt that this was a bad idea, and in an ideal world, it probably is. But we are in a situation where nobody is in a position to fix this, and I suspect that we will see more and more BGP hijacks in the future. And yet with the widely distributed nature of the attacks these days, it isn't clear how much this would help even if you did this.

I suppose in theory if you could identify the C&C servers, you might be able to interrupt the attack, but given how trivial the IoT devices are to hack, the amount of effort required to set up a new C&C server and re-hack the IoT devices is going to be small.

Spibbitz • October 22, 2016 4:39 PM

LtDan - Sooner or later you'll make Captain. Meanwhile, keep listening for the whap whap whap from the approaching black helicopters. Remember, if you know all about what they're doing, they're gonna come for you. Best leave long videos proving their nefarious intents .....

Tatütata • October 22, 2016 4:44 PM

I have a question: If a victim device is pwned, does it typically remain permanently pwned by the hacker, or does it remain free for the next attacker and/or the next power up?

Since the tools are out in the wild, how about setting up the IoT bots to detect and attack each other, putting them and their endpoints out of commission? That might get their owners' attention. If technically feasible, the webcam bots could imprint a message like "Hacked!" across the image.

Impossibly Stupid • October 22, 2016 4:56 PM

@Anorlunda

> I don't understand how the victims mitigate DDOS attacks.

They don't really, but they should have to. The blame is on the attacker, and so that means it's up to the ISP that is giving them access to take actions that cut them off from the greater Internet. Any ISP that refuses to keep their network under control shouldn't be peered.

> They could put all the IP addresses of those bots in a black list. But wouldn't that leave the bots free to transmit for eternity, soaking up Internet bandwidth?

The economics of connectivity will take care of the problem. Nothing about it should be "free".

> Also, any solution that involves changing regulations and standards must address the millions of existing bots already out there. Who has the authority to physically confiscate them?

At some point, I fully expect there to be a recall of IoT products due to their insecurity alone. It ultimately is in the hands of the people who bought and use them to "confiscate" them in the end. If your ISP says they'll no longer have you as a customer unless you get rid of a compromised web cam (or whatever), you'd be a fool to keep buying and using junk like that.

Max • October 22, 2016 5:18 PM

@hawk, Steve, joachim, Jason, Spibbitz, et al.

Sadly, long gone are the days when simply labeling one a "conspiracy theorist" and/or "tin-foil hatter" discredited their argument. Besides it being the trademark of the lazy propagandist, far too many "official" lies/liars have been exposed. And far too many inconvenient truth tellers who exposed those lies have been unjustly punished for attempting to defend the public good.

Making matters worse is how absolutely lazy, arrogant, and filter-bubbled state propaganda has become. Presently, they seem to just be throwing whatever story they think up in the moment against the wall to see if it sticks. Their narrative has become so far removed from readily observable reality that the general public has begun to take notice. It's as if they have no idea that with each of their lies exposed, they lose that much more credibility (do they even have any left?). It's like they've forgotten the value of plausible deniability and maintaining the perception of moral high ground. Their behavior is as irresponsible as it is incompetent.

Regardless of the accuracy of this particular speculation, LtDan is - at least - well within reason to be highly skeptical of any "official" narrative. So if you simply enjoy belittling crazy sounding/improbable/counter-intuitive/nonsense statements, just go turn on CNN or listen the next White House press conference; you'll have a field day.

ColMustered • October 22, 2016 5:53 PM

The best argument against Lt.Dan's hypothesis is that the Wikileaks disclosures themselves have been credibly attributed to US officials with access to NSA's take.

http://www.zerohedge.com/news/2016-10-22/nsa-whistleblower-us-intelligence-worker-likely-behind-dnc-leaks-not-russia

LtDan is wise to consider every sort of CIA perfidy when interpreting events. But Binney is extremely plugged in, even after years of state persecution. Binney's story has a separate corroborating source:

https://www.craigmurray.org.uk/archives/2016/10/blanket-corporate-media-corruption/

Sancho_P • October 22, 2016 6:12 PM

@Tatütata

Until the device is somewhat patched, it remains open (admin/1234).
I guess one could send a "final denial of function" to these devices, but who would do that to such a useful weapon?
Let alone the legal consequences.

But yes, it would hurt the customer, the simple user, and boost business + electronic waste.
That’s what our gov prefers.
Good they don’t read here.

No, it’s not my neighbor’s fault who a baby-phone.

ISPs get paid for their service, have T&Cs but do not enforce them.
There's the money.
And ISPs cause the damage / traffic by not enforcing the T&Cs.
There is the liability.

Ah, surely • October 22, 2016 7:46 PM

I do wonder what percentage of the noisier commenters on here are Russian shills. Getting difficult to follow a sensible conversation, which is of course the point.

DieGoogleDie • October 22, 2016 8:00 PM

A simple, interim solution for popular websites: replicate their services on the Tor .onion network.

Onion sites are now capable of heavy traffic and Facebook has already gone down this road.

This has multiple benefits:

1. Allows 100% service up-time unless the .onion and standard websites are attacked simultaneously, with the network resources being completely exhausted.
2. Encourages uptake of a far more secure network (.onion) that does not rely on CA rackets.
3. Encourages end-end encrypted traffic with 6 hops in total - frustrating the LE crims.
4. Doesn't rely on DNS look-ups - instead a rendezvous point is initialized between the client and the hidden service.
5. Lessens the impact of state-financed propaganda trolling by those frequenting schneir.com and elsewhere, who unjustly demonize the Tor network.
6. Promotes security and anonymity in daily browsing activities for a far larger number of regular users. This includes those who want the 'services' of the corporate tyrants like Twitter, Google and co.
7. Encourages scaling-up of the Tor network, greater diversity in exit nodes over time, and greater volume of 'masking traffic' for those who desperately need anonymity.

The Tor network is in fact a far more suitable model for a future global Internet to replace the crap we are faced with today. However, since it will put a dent in the surveillance capitalist model based on complete data profiles of the populace (see recent Google, Yahoo et al. 'privacy' changes), the rate of uptake will be glacial.

wtaf • October 22, 2016 8:18 PM

I came on here to make snide commentary related to the inevitable "blame it on the US" line that seems so prevalent on this forum.

I'm almost disappointed how much it's not a joke. This page literally exists to demonize the US. wtaf, over

Thomas • October 23, 2016 12:36 AM

@Jacob
> There is no reason that IoT should use the same ports as standard web applications.

It would also be easier to catch bankrobbers if getaway cars were speed-limited to 40kph.
The trick is to get the bad-guys to follow the rules.

@John
> Perhaps the DNS infra needs to be a bit more distributed,
> Wouldn't it be great if ISPs could have their own DNS resolving-servers secondary major DNS providers?

ISPs do, but they tend to do nasty stuff like DNS hijacking for marketing, so people bypass them.
Also, even if the ISP has a local DNS that DNS still has to get its information from somewhere. If that 'somewhere' is under DDOS attack then you're SOL.

@DieGoogleDie
> A simple, interim solution for popular websites: replicate their services on the Tor .onion network.

Tor is a kind of infrastructure DDOS attack as it multiplies the BW requirements by 'unnecessarily' routing traffic through 'redundant' nodes.
Not sure how a .onion server is going to stand up to a DDOS any better just because the traffic is arriving via a few cut-outs.

@Spibbitz
> ...Meanwhile, keep listening for the whap whap whap from the approaching black helicopters.

This kind of stuff really isn't helpful.
Your so-called "black helicopters" are
- Schrödinger-spectral rather than black
- silenced
- levitating using area 51-tech
so your misleading advice only makes it easier for the lizard overlords to control us.

Clive Robinson • October 23, 2016 2:21 AM

@ DieGoogleDie,

> 5. Lessens the impact of state-financed propaganda trolling by those frequenting schneir.com and elsewhere, who unjustly demonize the Tor network.

I could safely argue that promoting a 'known to be broken' system like Tor is "trolling" "schneir.com", and that your argument point does "unjustly demonize" those trying to point out the dangers of using Tor.

I've listed in the past some of the things Tor needs to do to limit the effects of its current deficiencies in the face of traffic analysis and other more insidious attacks. But those responsible for Tor have decided that things like 'low latency' to 'grow usage' at the expense of security is the way to go.

The sad fact is the deficiencies of the Tor model were known long prior to the birth of the Internet. If you took a little time to understand Military Radio Trunk Networks you would have a much greater understanding of the problems.

A number of people on this blog are aware of the issues and have been so before Tor even surfaced, please do not denigrate what they have to say because they are saying it to try to get people to understand the limitations of the current Tor network, and thus be better able to protect themselves.

When it was only the IC capable of exploiting the Tor weaknesses it was perhaps acceptable. Now however it is also Law Enforcement such as the FBI funding 'Tor breaking' techniques, this is getting to the point where ordinary individuals are being attacked for not following others' 'moral views'. If you look at what the New York prosecutors have been up to, such as sending a SWAT team to a software developer's house to make it clear he was to put backdoors into his software and then operate it illegally for the NY LEO to find and prosecute people making bets on sporting events, you have to ask why? And where is it going to? And what would they do with methods to exploit the Tor vulnerabilities?

Tatütata • October 23, 2016 11:06 AM

> The sad fact is the deficiencies of the Tor model were known long prior to the birth of the Internet. If you took a little time to understand Military Radio Trunk Networks you would have a much greater understanding of the problems.

Clive, can you be more specific as to what you are referring to? Could it be the "flood routing" concept used in tactical systems (MSE, TRI-TAC & co.)?

albert • October 23, 2016 11:16 AM

@Thomas,

Your example is irrelevant. The 'bad guys' are the hackers, but the -manufacturers- have the ball, and some don't know it, and most couldn't care less.

The bank was robbed because they leave the vault doors open at night.

@Jacob's idea is a good one, -provided- the ports are -hard coded- into the system.

Ask yourself: "what's the real problem here?" The answer is remote reprogrammability. Ever since Micro$oft standardized buggy releases (let the customer alpha test, and absolve yourself of any culpability), manufacturers have refused to market products with properly tested and verified code, because 'we can always fix it later'. If you're talking about an OS, that's a big issue, but IoT products are dipshit simple. There's just no excuse for bad code and no need for updatable code. If they can't market good products with ROMed code, then the market will quickly eliminate them. What percentage of attacks would be impossible in such a system?

The situation will only get worse, I guarantee.

. .. . .. --- ....

Emfurn • October 23, 2016 1:34 PM

The DDOS attack was pretty bad for us. Our online store was non-functional for hours and we lost thousands of dollars in revenue.

Clive Robinson • October 23, 2016 1:42 PM

@ Tatütata,

> Clive, can you be more specific as to what you are referring to?

There are a number of aspects to "anti traffic analysis" that came out of WWII and were developed as a reflection to the work of Gordon Welchman and known as SIXTA (hut SIX Traffic Analysis). If you can get hold of a "first edition" of his book "The Hut Six Story" you will find a discussion on this aspect of SigInt. It was unfortunate that he published when he did due to a real hornet raised in UK PM Margaret Thatcher's head, due to various publications about MI5's Roger Hollis being a Russian spy and the shoddy MI6 investigation that cleared him. Thus apart from becoming persecuted by the NSA, Gordon's book did not get the level of publicity required to make it a success, which is why there are very few first editions around (subsequent editions had the SigInt section removed).

The main points to note on TA are,

0, All stations are full nodes of the network and have links to multiple nodes (no leaf nodes).

1, All links between nodes encrypted under different keys (Link Layer Encryption).

2, All nodes act in "store and forward" mode whereby there is no correlation between traffic on different links to/from the node.

3, All items of traffic encrypted under their own end to end key.

4, All link "channel bandwidth" is fixed.

5, All link "channel bandwidth" is fully occupied at all times (use of traffic padding).

And a number of other points which do not apply to non RF broadcast systems.

Importantly though is the realisation that latency in the system is not just a given of "store and forward" but desirable from an anti-TA perspective. In the military world traffic is usually given fairly generous latency periods including "Flash Traffic" (measured in minutes not milliseconds).
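As an added illustration of points 2, 4 and 5 above (store-and-forward, fixed channel bandwidth, padding to keep it fully occupied), and of the latency remark that follows them, here is a toy link in Python. It is not code from the comment or from any real trunk network: cell size, rate and the messages are constructed values, and the traffic analyst's view is reduced to cell counts and sizes, which stands in for link encryption (points 1 and 3) hiding the cell contents.

```python
"""Toy constant-rate padded link. Each tick the node sends exactly RATE cells
of CELL bytes: real cells from its store-and-forward buffer first, dummy
cells when the buffer is empty. A traffic analyst watching the wire therefore
sees the same trace whether the node is busy or idle; without padding the
trace reveals exactly when traffic flowed.

Added example; cell size, rate and messages are constructed values. The
one-byte type tag is visible only to the simulation's receiver; on a real
link it would sit under link-layer encryption."""
import os
from collections import deque

CELL = 16          # payload bytes per cell (assumed)
RATE = 4           # cells per tick on every link, fixed (assumed)
REAL, PAD = b"\x01", b"\x00"


def fragment(message: bytes) -> list:
    """Cut a message into fixed-size cells, zero-filling the last one."""
    return [REAL + message[i:i + CELL].ljust(CELL, b"\x00")
            for i in range(0, len(message), CELL)]


class Link:
    def __init__(self, padding: bool = True):
        self.padding = padding
        self.buffer = deque()      # store-and-forward queue (point 2)
        self.wire = []             # per-tick list of cells as sent

    def submit(self, message: bytes) -> None:
        self.buffer.extend(fragment(message))

    def tick(self) -> list:
        """Emit one tick's worth of cells: always RATE of them when padding is on."""
        cells = []
        for _ in range(RATE):
            if self.buffer:
                cells.append(self.buffer.popleft())
            elif self.padding:
                cells.append(PAD + os.urandom(CELL))   # random filler, same size
        self.wire.append(cells)
        return cells


def analyst_view(link: Link) -> list:
    """What traffic analysis gets: how many cells per tick, and their sizes."""
    return [(len(cells), sorted(len(c) for c in cells)) for cells in link.wire]


def run(schedule: dict, ticks: int, padding: bool = True):
    """schedule maps tick -> messages submitted at that tick. Returns the link
    and the real payloads the far end received, in order."""
    link = Link(padding)
    received = []
    for t in range(ticks):
        for m in schedule.get(t, []):
            link.submit(m)
        for cell in link.tick():
            if cell[:1] == REAL:
                received.append(cell[1:].rstrip(b"\x00"))
    return link, received


BUSY = {0: [b"FLASH: convoy departs 0600", b"ack"], 2: [b"Q" * 100]}  # constructed


def indistinguishable(padding: bool) -> bool:
    """True if the analyst cannot tell the busy schedule from an idle node."""
    busy, _ = run(BUSY, 8, padding)
    idle, _ = run({}, 8, padding)
    return analyst_view(busy) == analyst_view(idle)


def delivery_delay() -> int:
    """Ticks of queueing the 100-byte message (submitted at tick 2) waits for:
    latency is the price of a fixed channel rate."""
    link, _ = run(BUSY, 8)
    last = max(i for i, cells in enumerate(link.wire)
               if any(c[:1] == REAL for c in cells))
    return last - 2


if __name__ == "__main__":
    print("padded link hides activity:", indistinguishable(True))
    print("unpadded link hides activity:", indistinguishable(False))
    print("queueing delay of the 100-byte message (ticks):", delivery_delay())
```

With `padding=False` the idle node emits nothing and the busy one emits cells in exactly the ticks it had traffic, so the two traces differ; with padding on, both traces are eight ticks of four 17-byte cells and the analyst learns nothing from volume or timing, at the cost of the queueing delay the last function measures.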

Some Guy • October 23, 2016 3:51 PM

A relatively simple solution, if it would work and I don't know if it would, is to block the common inbound telnet, ssh and similar ports to the consumer at the ISP level. If consumers want the inbound ports, charge a nominal but profitable fee to offer them with an acceptable use agreement. The vast majority of the customers don't need the service. Misuse ties up the ISPs bandwidth. So good for them. I suspect this does nothing to the already pwned equipment, but stops future growth.

Realm Of Vincent • October 23, 2016 4:46 PM

Yes, there are some things IoT users can do to protect themselves, but laying the blame solely on consumers is like blaming drivers for accidents due to manufacturing defects in their car brakes. Analysis here.

Hopium • October 23, 2016 5:37 PM

I thought the attack was because of the pressure from Kerry on Ecuador to boot Assange?

Curious • October 24, 2016 3:29 AM

Hm.

Maybe the following legal move could paradoxically help solve DDos'ing issues in the future:

By making ddosing not illegal.

(Presumably forcing the industry to come up with some solution for preventing ddosing to ever happen again.)

Heh, just a thought though.

randomfakeaccount#23 • October 24, 2016 4:39 AM

" The tin-foil hat comments are hilarious. "

" the conspiracy comments are hilarious"

Whenever I see responses like this, it becomes obvious state/corporate-sponsored actors are here to deflect the narrative away from dangerous territory. It's hijacking 101. I hope the 10 cents you get per post is worth it.

ATS • October 24, 2016 6:24 AM

@albert

The problem is that many of those IoT devices being used? They are consumer switches/routers/gateways. Can't exactly disable ports on those. And most of them are easy to hack because either people don't change their passwords or they have multiple exploits and are never patched.

Will • October 24, 2016 9:20 AM

@Impossibly Stupid

Considering nation states are a not-implausible threat actor, "cutting them off" is not a realistic nor responsible solution.

I'd like to explore ways of limiting the potential bandwidth utilization of IoT devices on a physical level. Sadly I'm not educated enough to know what is or is not practical in this regard. I'd like to think it doable for wired connections, but I don't know enough about wireless to know what could be practical in this regard.

Krammenvherf • October 24, 2016 10:24 AM

randomfakeaccount

No need to go that far.

Watch the news section on any website predominantly visited by the general population. Any security-related entry. Comments like that are what fill the head of your average Joe when it comes to security. No difference if it's indeed conspiratorial or not.

albert • October 24, 2016 10:55 AM

@ATS,

Point taken.

However...

Isn't remote programmability really the issue?
In the pre-Internet (Mesozoic) era one had to move a jumper in order to reprogram the BIOS (and that was being done locally:).

Does it make sense to allow remote programmability now? It's bad enough to access someone's computer (or router) to simply read data, but why allow them to inject malware as well? A router doesn't have to run application programs like a computer.

. .. . .. --- ....

Marcel • October 24, 2016 11:32 AM

@Some Guy:
It's even simpler than that. Normally every modem/router nowadays does NAT and as a side-effect blocks all incoming traffic already. Security-wise this is a good thing. But if you buy a Wifi-enabled security cam or PVR which you like to control with your smartphone from anywhere, you will have to configure your router to enable access to your device. This is complicated for non tech savvy people. They will call their ISPs, to tell them their internet is not working.

This is why they invented UPnP. This allowed devices you connect in your house, to ask your router to open a port, so they can be accessed from outside. This is in widespread use and requires no user interaction. So the customer is happy because everything works out of the box. The ISP is happy too, because he does not get all those support calls.

But with this, the foundation of the largest botnet ever is laid.

Simple solution: disable UPnP by default (or just remove it). Have people put in some extra effort if they want to open a port. Sooner or later that port will get abused.

pattigurl • October 24, 2016 1:03 PM

Marcel, you are correct. I've mitigated DDoS attacks from compromised hosts before but the rapid increase in IoT devices with open ports where users don't change default login credentials is really troubling. And that's just IPv4! :-/

AlanS • October 24, 2016 2:20 PM

The lesson from this is that the "Security Lessons from a Power Saw" are dependent on figuring out the sociology/economics/politics of getting companies to take product security seriously. The IoT is the poster-child for: "we can't be bothered with even minimal security even when we know this will create a Tsunami of Shit at some later point". Recently I was at a dinner and ended up sitting next to someone who works for a well-known company that sells "home automation" products. When I mentioned DDoS and the apparent lack of motivation for IoT companies to invest in security, he agreed and said it was all about "time to market".

ATS • October 25, 2016 1:11 AM

@albert

Nope, reprogramming isn't an issue. Most of the bot code out there for IoT doesn't even bother updating the firmware. These devices are generally always-on devices. So all you need for an infection is a live exploit, never have to touch the flash firmware. And by their nature, routers tend to be live systems running out of and using RAM. They also tend to run COTS OSes like stripped Linux due to cost issues.

Routers tend to run programs like firewalls et al. In fact, the primary problem with most home gateways/routers is that they aren't ever updated, either because the manufacturer doesn't do updates or the customers just never install them. Making it so that they cannot be updated won't solve the problem at all, these things are running real OSes because they basically need to and no software is ever going to ship bug/exploit free.

In almost all cases, the issue for IoT devices is that they are treated as throwaway devices never receiving any post-sale support. In a sane world, the following would be true:

1) IoT devices require a password change to function.
2) IoT devices default to an automated update scheme using secure cryptographic hashes.
3) IoT device makers support security updates for a minimum of 5 years.

Those are the bare minimum requirements for IoT devices to remain viable going forward. Any solution that starts with IoT devices being non-updatable is just a non-starter. You wouldn't buy a corporate or personal firewall that couldn't be updated because you KNOW there will be bugs and exploits. You wouldn't use a computer that cannot be updated because you KNOW there will be bugs and exploits. Hell, for mainstream CPUs where roughly 1/2 the development budget is spent on validation and verification and it is taken very seriously, bugs still exist and bugs are still found years after they are shipped.

Also, people blaming UPnP are barking up the wrong tree. UPnP is a reality. It is not going away. The problem isn't UPnP. It is default passwords and unsupported software/hardware. Those two things make up 100% of the attack vectors. Sure without UPnP, the devices wouldn't exist in the first place, so something not called UPnP but doing the same thing would exist instead.
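Points 1 and 2 of ATS's list, refusing to operate on the factory credential and accepting only authenticated, newer firmware whose hash matches, are concrete enough to sketch in code. The block below is an added example, not any vendor's firmware: the default password, the starting version and the image bytes are constructed, and because it sticks to the Python standard library the manifest is authenticated with HMAC-SHA256 under a placeholder key; a real device verifies an asymmetric signature against a vendor public key baked into its firmware, so that a compromised device cannot mint manifests.

```python
"""Device-side sketch of two baseline IoT controls:
  (1) no normal operation until the factory credential has been replaced;
  (2) a firmware update is applied only when its manifest authenticates,
      its version is newer than the running one (anti-rollback) and the
      image's SHA-256 digest matches the manifest.

Added example, not any vendor's code. The manifest is authenticated with
HMAC-SHA256 under a placeholder key so the block runs on the standard
library alone; a real device checks an asymmetric signature instead."""
import hashlib
import hmac
import json
import secrets

FACTORY_PASSWORD = "12345"                          # constructed default credential
MANIFEST_KEY = b"vendor-manifest-key-PLACEHOLDER"   # placeholder, see note above
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000


class Device:
    def __init__(self, running_version: int = 3):
        self.fw_version = running_version   # constructed starting point
        self._salt = None
        self._pw_hash = None

    # --- control (1): first-boot credential change ----------------------
    def operational(self) -> bool:
        """Network services stay disabled until a user password exists."""
        return self._pw_hash is not None

    def set_password(self, candidate: str) -> bool:
        """Reject the factory value and anything too short; otherwise store a
        salted PBKDF2 hash rather than the password itself."""
        if candidate == FACTORY_PASSWORD or len(candidate) < MIN_PASSWORD_LEN:
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self._salt, PBKDF2_ROUNDS)
        return True

    def check_password(self, candidate: str) -> bool:
        if not self.operational():
            return False
        guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(guess, self._pw_hash)

    # --- control (2): authenticated, monotonic updates ------------------
    def apply_update(self, manifest: dict, image: bytes) -> str:
        body = manifest.get("body", {})
        if not hmac.compare_digest(_tag(body), manifest.get("tag", "")):
            return "rejected: manifest not authentic"     # checked before anything else
        if body.get("version", 0) <= self.fw_version:
            return "rejected: rollback or replay"         # never go backwards
        if hashlib.sha256(image).hexdigest() != body.get("sha256"):
            return "rejected: image digest mismatch"      # image does not match manifest
        self.fw_version = body["version"]                 # a real device flashes and reboots here
        return "applied"


def _tag(body: dict) -> str:
    """Authenticate the manifest body; canonical JSON keeps the tag stable."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, canonical, "sha256").hexdigest()


def make_manifest(image: bytes, version: int) -> dict:
    """Vendor side: bind version and digest together under the manifest key."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "tag": _tag(body)}


def demo() -> dict:
    """Exercise both controls against good, replayed, tampered and forged input."""
    dev = Device(running_version=3)
    out = {}
    out["before_setup"] = dev.operational()
    out["factory_pw_rejected"] = not dev.set_password(FACTORY_PASSWORD)
    out["short_pw_rejected"] = not dev.set_password("shortpw")
    out["pw_set"] = dev.set_password("correct horse battery staple")
    out["login"] = dev.check_password("correct horse battery staple")
    out["bad_login"] = dev.check_password(FACTORY_PASSWORD)

    image_v4 = b"firmware-image-v4-" + b"\x00" * 64        # constructed image bytes
    good = make_manifest(image_v4, 4)
    out["v4"] = dev.apply_update(good, image_v4)
    out["replay_v4"] = dev.apply_update(good, image_v4)     # same manifest again
    image_v5 = b"firmware-image-v5-" + b"\x00" * 64
    tampered = image_v5[:-1] + b"\x01"                      # one byte altered in transit
    out["tampered_v5"] = dev.apply_update(make_manifest(image_v5, 5), tampered)
    forged = {"body": {"version": 9, "sha256": hashlib.sha256(tampered).hexdigest()},
              "tag": "0" * 64}                              # no manifest key, bogus tag
    out["forged"] = dev.apply_update(forged, tampered)
    out["version"] = dev.fw_version
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the three checks in `apply_update` matters: the manifest is authenticated first so that the version and digest fields are trusted before they are used, the version check comes next so a replayed old-but-genuine update cannot downgrade the device, and only then is the (possibly large) image hashed.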

TJOctober 25, 2016 3:50 AM

@Sancho_P: You mean like printer cartridges that are 30% the cost of a new printer retail, CPUs and GPUs that have 5-15 years of usefulness (GPUs typically less recently), the nightmare that is NAND and NOR wear leveling that nobody brings up when the subject of SSDs and thumb drives comes up, and such?

DDoS? Improve DNS infrastructure and fix reflection and someone will still use malware propagation to gain enough to overwhelm. Especially given how everything has fine-grained metering in the name of capitalism and profit is king in the modern world. Never mind ISP fiber links, DHCP, and downstream congestion.

Dan HOctober 25, 2016 7:48 AM

@LtDan You're insanely naive.

China tolerates no political opposition and deals brutally with dissent. People are still persecuted. It is an atheist government that does not allow members to practice a faith.

Recently Russia has signed legislation that revokes evangelizing outside of the Church. Movements that have opposed the Putin government have been crushed. The Duma passed a law allowing police to open fire on crowds. The number of political prisoners has increased.

34-49 million were killed by Stalin.

Mao Zedong killed 45 million in 4 years.

The US isn't perfect, but there isn't any systemic government practice to eliminate opposition or persecute people for their beliefs.

People can take issue with the US military, but without her might the world would be a much more dangerous place. During the ouster of Libyan leader Qadaffi (mistake), the other NATO countries involved could not function without US assistance of command and control. Europe was at a stalemate in their war until the US entered in 1917. Europe again was in the throes of war until the US entered in 1941; without which Russia would have dominated most of Europe because Germany could not have defeated Russia and England on her own could not have defeated Germany, nor could Britain have stopped a Russian westward push. Korea was a United Nations operation with a multitude of nations involved, but essentially a US led campaign. Vietnam was a cold war proxy fight, and the US could have crushed North Vietnam but the goal was not to topple the Hanoi government, but to keep South Vietnam free, which was accomplished until the US left. South Vietnam didn't have the command and control to fight the North on their own.

Take your childish rhetoric elsewhere and grow up and face reality.

albertOctober 25, 2016 10:15 AM

@LtDan,

You see a textbook example of propaganda techniques in @Dan H comment:

1. He prattles on about Russia and China having brutal governments, which is totally irrelevant. Sovereign nations may have any kind of government. It's not for anyone to judge what happens within their borders.

2. He bores us with a lot of ancient history, which is largely irrelevant today.

3. He ignores the brutality visited upon other sovereign nations by the US, and also within its own borders.

I could go on, but it's obvious that these people are totally brainwashed by the MSM, and that's not unusual within most of the countries in the world.

Everyone will have to choose sides when the revolution comes.

. .. . .. --- ....

Dan HOctober 25, 2016 10:47 AM

@albert, another closed-minded dolt unable to see the world for what it is, but knows the US is evil. And how can you sit there and say that another nation has a government they want? You believe Cambodians want Pol Pot and the Khmer Rouge?

Oppression in China and Russia today is ancient history?

Your drivel bores me and your limited capacity for thought amuses me.

Jim LippardOctober 25, 2016 11:22 AM

Tens of millions of IP addresses does not mean tens of millions of devices. Level 3's reporting on Mirai estimated it at about half a million devices a few weeks ago, and it may be as high as a million bots now, but it's not ten million.

Flashpoint has stated in public media that this attack was perpetrated by neither nation-state attackers nor hacktivists. I suspect Krebs has already identified the names of individuals involved in or associated with this attack, in his past reporting on Mirai, NameCentral, vDOS, Datawagon, BackConnect, etc. Ben Chia, you should take a look at those posts, and Dyn researcher Doug Madory's talk in Dallas at NANOG 68, which occurred prior to the attack.

albertOctober 25, 2016 2:09 PM

@Lt Dan,

Note @Dan H response to me:

1. Name-calling and personal attack.

2. Attributing a different meaning to a statement I made.

3. Asking a question totally irrelevant to that statement.

4. Assuming hyperbole as fact.

Clever debunkers usually use the ad hominem approach as a last resort.

Not so in this case.

. .. . .. --- ....

Clive RobinsonOctober 25, 2016 4:27 PM

@ albert,

Clever debunkers usually use the ad hominem approach as a last resort.

I guess some "trainees" think they are better than the trainer... Pilots have a saying about "old and bold", in that you may see bold pilots, and you may see old pilots, but you seldom see old and bold pilots...

Some trainees have to learn not to jump over the gun, lest as they stand there with the gun barrel now at their backs, somebody pulls the lanyard...

TedOctober 26, 2016 10:38 AM

First major IoT attack and legal considerations.

According to Jeff John Roberts (law & cyber reporter at Fortune, @jeffjohnroberts), persons and entities who may have legal recourse under current laws for the recent IoT DDoS attack potentially include the US government, device owners, and Dyn.

The question he asks is, should device makers be held legally responsible considering that there have been reports of compromised internet-enabled devices for years?

Having spoken with a former cyber-crime prosecutor, Jeff writes that government agencies including the Federal Trade Commission (FTC) and state attorneys general may be in a position to sue the companies selling these devices for dangerous products and deceptive marketing.

A harder question to answer is if consumers have a case for a lawsuit. Class action lawyers may be watching closely. A Supreme Court case that was decided in May 2016 (Spokeo, Inc. v. Robins) ruled that consumers must prove concrete harm to collect damages.

Jeff says that the internet services company Dyn has not yet responded to a voice message from Fortune asking about potential future actions.

albertOctober 26, 2016 3:53 PM

@ATS,

Yes, most routers fall into the computer OS category. It is indeed almost impossible for manufacturers to ignore COTS OSs like Linux with built-in everything-you-need-for-a-wireless-IoT-product.

It's especially ironic that a majority of IoT hacks (especially DDoS) are due to default/simple passwords. Folks would holler like a stuck pig if they were forced to use strong passwords and user names*. Then they bitch when their bank gets DDoSed. Wouldn't it be funny if their baby-cam was one of the DoS-bots?

I have to manage a dozen or so wireless devices, including 3-5 that change at different monthly intervals; I have learned to hate wifi.

As long as manufacturers control their products, there's little that can be done.

---------
* I'd prefer to see devices that -force- a user to select a strong password and user name. Hardcoding leaves a single point of failure (the manufacturer).

. .. . .. --- ....
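The three requirements ATS lists above (forced credential change, hash-verified automatic updates, long-term support) and albert's footnote about forcing a strong password, as an added example that is not code from either commenter or from any vendor: a device model that refuses to serve until its factory credential is replaced, and an updater that installs only images whose SHA-256 digest matches a version manifest and whose version is newer than the running one. The manifest format, the factory password and the sample images are constructed assumptions.

```python
"""Constructed sketch of an IoT device enforcing a non-default credential
and a hash-verified, rollback-protected update. Not any vendor's code."""
import hashlib
import hmac
import json

FACTORY_PASSWORD = "admin"  # constructed default of the kind bots guess


class Device:
    def __init__(self, version: int):
        self.version = version
        self.password = FACTORY_PASSWORD
        self.credentials_changed = False

    def set_password(self, new_password: str) -> bool:
        """Accept only a password that is neither the factory value nor short."""
        if new_password == FACTORY_PASSWORD or len(new_password) < 12:
            return False
        self.password = new_password
        self.credentials_changed = True
        return True

    def can_serve(self) -> bool:
        """Network services stay off until the default credential is gone."""
        return self.credentials_changed

    def apply_update(self, manifest_json: str, image: bytes) -> str:
        """Install an image only if its version strictly increases and its
        SHA-256 digest matches the manifest; returns a status string.
        A real scheme also signs the manifest so it cannot be forged."""
        manifest = json.loads(manifest_json)
        if manifest["version"] <= self.version:
            return "rejected: rollback"
        digest = hashlib.sha256(image).hexdigest()
        # compare_digest avoids leaking the mismatch position via timing
        if not hmac.compare_digest(digest, manifest["sha256"]):
            return "rejected: digest mismatch"
        self.version = manifest["version"]
        return "installed"


def make_manifest(version: int, image: bytes) -> str:
    """What a vendor build pipeline would emit (constructed format)."""
    digest = hashlib.sha256(image).hexdigest()
    return json.dumps({"version": version, "sha256": digest})
```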

Clive RobinsonOctober 26, 2016 9:28 PM

@ Albert, All,

As long as manufacturers control their products, there's little that can be done.

Part of the reason for the mayhem that is WiFi-IoT is "the law of unintended consequences" of the DMCA.

A law, written by corporate lawyers for corporate interests, now causing as a consequence corporate harm...

It would be funny if it were not so predictable.

I fully expect to see more "back-pedalling" from the FCC [1] when the message from these attacks starts to sink in.

Especially if some people do try to sue the device manufacturers. The manufacturers' lawyers are almost certain to try to "pass the buck" back to the USG by dropping it in the FCC's lap, by blaming their poorly worded requirements, which the FCC has already started back-pedalling on...

[1] For those that have not heard, the FCC's "Fear of SDR" caused them to issue an edict about not allowing gear with WiFi in it to be modifiable by the end user, so in effect requiring manufacturers to prevent customers putting open source wireless router software etc. on their devices. The FCC have already back-pedalled on this, saying they only meant the software for controlling the radio devices. However, for most low-end / consumer routers / IoT devices etc. there is but one SoC in the device, so it's the whole software that gets locked. This might have the fallout of doing what was mandated for mobile radio in the GSM system with the likes of smart phones, where the radio is treated like a modem and isolated from the OS and apps of the smart computer.

Sheel Be'RightmateOctober 28, 2016 12:07 AM

Most criminals use the Internet for crime. Most radicals don't know how anything works and couldn't get it together if they did. Most politicians are too driven by self interest.

Some kid is probably getting paid for DDoS or some other kid is bored and waiting for mum to give him a kick up the.

Ask yourself, why would any government go busted something that is used to keep an eye on everyone else's business? Where else would they post pictures of dopey grins and various forms of chest puffing?

If the police use 12345 for 10 years, not too many other businesses are going to bother giving much thought to security, and many obviously don't. Their eyes don't glaze over because they are zombies; what's surprising is it doesn't happen more often.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.