Lessons From the Dyn DDoS Attack

A week ago Friday, someone took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. The attacker sends a massive amount of traffic, causing the victim's system to slow to a crawl and eventually crash. There are more or less clever variants, but basically, it's a datapipe-size battle between attacker and victim. If the defender has a larger capacity to receive and process data, he or she will win. If the attacker can throw more data than the victim can process, he or she will win.

The attacker can build a giant data cannon, but that's expensive. It is much smarter to recruit millions of innocent computers on the internet. This is the "distributed" part of the DDoS attack, and pretty much how it's worked for decades. Cybercriminals infect innocent computers around the internet and recruit them into a botnet. They then target that botnet against a single victim.

You can imagine how it might work in the real world. If I can trick tens of thousands of others to order pizzas to be delivered to your house at the same time, I can clog up your street and prevent any legitimate traffic from getting through. If I can trick many millions, I might be able to crush your house from the weight. That's a DDoS attack: it's simple brute force.

As you'd expect, DDoSers have various motives. The attacks started out as a way to show off, then quickly transitioned to a method of intimidation, or a way of just getting back at someone you didn't like. More recently, they've become vehicles of protest. In 2013, the hacker group Anonymous petitioned the White House to recognize DDoS attacks as a legitimate form of protest. Criminals have used these attacks as a means of extortion, although one group found that just the fear of attack was enough. Military agencies are also thinking about DDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against Estonia was blamed on Russia and widely called an act of cyberwar.

The DDoS attack against Dyn two weeks ago was nothing new, but it illustrated several important trends in computer security.

These attack techniques are broadly available. Fully capable DDoS attack tools are available for free download. Criminal groups offer DDoS services for hire. The particular attack technique used against Dyn was first used a month earlier. It's called Mirai, and since the source code was released four weeks ago, over a dozen botnets have incorporated the code.

The Dyn attacks were probably not originated by a government. The perpetrators were most likely hackers mad at Dyn for helping Brian Krebs identify, and the FBI arrest, two Israeli hackers who were running a DDoS-for-hire ring. Recently I have written about probing DDoS attacks against internet infrastructure companies that appear to be perpetrated by a nation-state. But, honestly, we don't know for sure.

This is important. Software spreads capabilities. The smartest attacker needs to figure out the attack and write the software. After that, anyone can use it. There's not even much of a difference between government and criminal attacks. In December 2014, there was a legitimate debate in the security community as to whether the massive attack against Sony had been perpetrated by a nation-state with a $20 billion military budget or a couple of guys in a basement somewhere. The internet is the only place where we can't tell the difference. Everyone uses the same tools, the same techniques and the same tactics.

These attacks are getting larger. The Dyn DDoS attack set a record at 1.2 Tbps. The previous record holder was the attack against cybersecurity journalist Brian Krebs a month prior at 620 Gbps. This is much larger than required to knock the typical website offline. A year ago, it was unheard of. Now it occurs regularly.

The botnets attacking Dyn and Brian Krebs consisted largely of unsecure Internet of Things (IoT) devices: webcams, digital video recorders, routers and so on. This isn't new, either. We've already seen internet-enabled refrigerators and TVs used in DDoS botnets. But again, the scale is bigger now. In 2014, the news was hundreds of thousands of IoT devices; the Dyn attack used millions. Analysts expect the IoT to increase the number of things on the internet by a factor of 10 or more. Expect these attacks to similarly increase.

The problem is that these IoT devices are unsecure and likely to remain that way. The economics of internet security don't trickle down to the IoT. Commenting on the Krebs attack last month, I wrote:

The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

To be fair, one company that made some of the unsecure things used in these attacks recalled its unsecure webcams. But this is more of a publicity stunt than anything else. I would be surprised if the company got many devices back. We already know that the reputational damage from having your unsecure software made public isn't large and doesn't last. At this point, the market still largely rewards sacrificing security in favor of price and time-to-market.

DDoS prevention works best deep in the network, where the pipes are the largest and the capability to identify and block the attacks is the most evident. But the backbone providers have no incentive to do this. They don't feel the pain when the attacks occur and they have no way of billing for the service when they provide it. So they let the attacks through and force the victims to defend themselves. In many ways, this is similar to the spam problem. It, too, is best dealt with in the backbone, but similar economics dump the problem onto the endpoints.

We're unlikely to get any regulation forcing backbone companies to clean up either DDoS attacks or spam, just as we are unlikely to get any regulations forcing IoT manufacturers to make their systems secure. This is me again:

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

That leaves the victims to pay. This is where we are in much of computer security. Because the hardware, software and networks we use are so unsecure, we have to pay an entire industry to provide after-the-fact security.

There are solutions you can buy. Many companies offer DDoS protection, although they're generally calibrated to the older, smaller attacks. We can safely assume that they'll up their offerings, although the cost might be prohibitive for many users. Understand your risks. Buy mitigation if you need it, but understand its limitations. Know the attacks are possible and will succeed if large enough. And the attacks are getting larger all the time. Prepare for that.

This essay previously appeared on the SecurityIntelligence website.

Posted on November 8, 2016 at 6:25 AM • 37 Comments

Comments

Dr. I. Needtob Athe • November 8, 2016 7:06 AM

If an IoT device can be commandeered into a botnet then it can also be bricked. A law that bricked devices must be replaced for free, coupled with a project to brick all vulnerable devices on the internet, might be the answer.

...or not.

Kyle H • November 8, 2016 7:06 AM

Pornhub.com wasn't severely impacted by the DDoS of Dyn's servers because they took an extra precaution that very few other companies have implemented: they actually had multiple DNS providers, implementing true multi-network DNS redundancy.

Every single point of failure is a single point of failure. Every contractor is a point of attack. If you can afford it (and you should do everything you can to afford it), you should try to put redundancy everywhere it makes sense to be redundant but you've currently only got a single provider. This might not work for email servers, for example. But it definitely does work for DNS providers.

Mike • November 8, 2016 7:38 AM

The market can be made to care about security of IoT if the advice of commenter "Dr. I. Needtob Athe" is followed. Both the buyer and the seller will care if these unsecured devices are suddenly bricked and rendered useless via the same channel being used to control the devices for DDoS attacks. Ethical gray area, but if a negative to some IoT devices results in large positives for the entire internet, I can see a good argument to be made in favor.

Chip • November 8, 2016 7:39 AM

I'm still really skeptical of that 1.2Tbps number. Dyn's own blog posts say that number is unsubstantiated. I doubt they have the edge capacity to directly observe that much traffic, so the information would have to come from their upstreams.

The 100,000 endpoints number is suspect as well. Dyn's initial blog post said tens of millions of unique sources, which I think was just pure hyperbole, and communications sent to customers put the number at a much more reasonable 40,000.

In general, I think this attack has highlighted the inherent issues with centralizing a key part of the Internet's infrastructure in single companies. If your website is popular, it's probably worth diversifying your DNS delegation across a few providers, and it looks like a lot of high profile Dyn customers are doing just that following this attack, mostly adding Amazon's Route 53 to their delegations.

Couldn'tPossiblyComment • November 8, 2016 7:50 AM

I feel the article missed the alleged worrisome trend of some people offering both the cause and solution to DDoS, in that since attribution is hard (unless you're the DNC in which case it's obviously Russia - sorry, can't help myself), how do you know that your attacker isn't the salesperson trying to sell you more DDoS defense, or just a competing product?

That piece of cynicism aside, the article calls out all the right worrying things... The advice in several comments about eliminating single points of failure is an interesting bandaid.

TheDoctor • November 8, 2016 8:19 AM

Make the USERS of the IoT crap liable.

They are easy to identify, in the end they provide network access for the device.

To be fair, give them means to lash back at the manufacturer, maybe in the form that the manufacturer has to prove the basic security of the device, or else he pays the fine.

Tanterei • November 8, 2016 10:02 AM

@ Mike
Whatever this might be ethically, legally this is definitely vigilante justice and would land, at least at the moment, anybody who tries it (and does not cover his trail well enough) in jail for unauthorized computer access or whatever the appropriate law is called in the US (and elsewhere).

Also, if I am not mistaken, it was Mirai or its derivatives which patched the devices in such a way that they were not hijack-able by other malware so that might complicate things.

Hoping for a governmental solution is naive. The IT-literacy of the government is imho too low to act effectively on this issue.

A possible solution would be for ISPs to block AND warn those users, whose connections are participating in the attacks.

Ross Snider • November 8, 2016 11:00 AM

"The problem is that these IoT devices are unsecure and likely to remain that way."

No, that's not the problem. Though there seems to be the echo chamber in some parts of the security community thinking that is the problem at the moment.

There was DDoS before IoT. There is DDoS during IoT. There will be DDoS after IoT.

IoT isn't the problem. The brittleness of the name resolution service and the dependency that huge parts of the internet have on single points of failure is the problem.

The entire original point of the original ARPANET was to remove single points of failure. Now we're experiencing one and the desire to control people's IoT devices has gotten in the way of the desire for a flexible and resilient internet infrastructure.

fjarlq • November 8, 2016 11:16 AM

Sounds like it's high time for consumer router software to be strengthened so that, by default, when some new device tries to connect to a router, a batch of tests are performed to ensure the device is at least basically secure. That way if a user wants to use their new gadget on the public net, they'll have to first set the admin password on it. (This rule should include the router itself, too.)

But, such router fanciness won't be arriving soon. In the meantime, I wonder if the problem will become so serious that a group like the US Cyber Command, or some gray hat hacker cabal, will develop their own proactive cure of sorts, regardless of the laws they'd be violating. It's a race for control of the dumb new Things, and some criminals have already seized "tens of millions" of them.

Daniel Joubert • November 8, 2016 12:14 PM

I personally like the idea of hunting down all the unsecure devices and turning them into bricks. At least the suppliers will be forced to ensure that their devices are secure.

halp • November 8, 2016 1:02 PM

Someone help me with this "internet of things" explanation.

You would have me believe these devices are opening ports on a firewall?

Otherwise, how does one get across a common NAT-type firewall to find one or more of these "internet of things" devices?

Uncle Joe Stalin • November 8, 2016 1:18 PM

Didn't see no Rooskie hackers at the polling place.
Didn't see no riggers neither.

But I did see "fractional voting" articles for GEMS vote counters at Black Box Voting.

noname • November 8, 2016 1:30 PM

This essay previously appeared on the SecurityIntelligence website.

That's a problem. It should have appeared in the Economist (magazine).

I've known an awful lot of people over the years who place a lot of value on five 9s uptime. Folks who lose millions of dollars every minute their computers are down. Naturally there's a lot of barriers between such core critical systems and the internet. But IoT may provide a way around those firewalls.

When you can affect a company's stock price via DDOS. Market manipulation for profit. I wonder how long before it happens.

It's not the problem from last week you need to worry about. It's what they're going to do tomorrow.

Home Servers Matter • November 8, 2016 1:53 PM

IMnsHO the issue is the spooky unconvergence of Network Neutrality, Hillary's Email Scandal, and widespread ISP persecution of home (email,game,web,etc) servers. It seems obvious from a logic perspective that Network Neutrality should protect home server traffic as much as any other. But it clearly doesn't. If it did, thousands of geeks at home would be leveraging FOSS to make systems that were so secure that these crap insecure devices wouldn't survive in the free market.

$0.02...

Matt • November 8, 2016 1:53 PM

I agree that the problem comes from the manufacturers, and the lack of security built-in to their IoT devices. The reason they don't care, is because like many other software companies, they're not very good at testing. In particular, I would say that they don't do much (if any) black box security testing against their own devices. Why not? Most likely, because they don't see themselves as software vendors; they're selling hardware, the software to them is ancillary. I would argue, it's the other way around - they should view themselves as software companies first, and hardware second. This shift in mindset might start putting them on the road to writing more secure software, since that's what they're selling - the hardware is just the box the software comes in.

Jesse Thompson • November 8, 2016 2:24 PM

@halp

thomas is right, the most common way is that the device communicates with the router via the rather insecure UPnP protocol to ask for a port to be opened up.

OTOH, since these are cameras we are talking about, causing UPnP to vanish tomorrow would just prompt the manufacturers and end-users to go back to the dinosaur old days of opening the ports manually. Remember, the customer remotely accessing the camera is the entire point of this exercise.

Also, router be damned, but many models of camera just NAT-bust by VPN'ing past the router and connecting directly to the manufacturer's servers, where those wait for commands from the ostensible client.

------

@brick all the things

Man this is a conundrum. Basically, the skills to get away with this gadfly approach line up perfectly with the motivation NOT to do it — because it undermines the very tools that the cyber-ninja skillset values.

For example, the most popular way you would even attack all of the devices to brick them would be through a botnet. However insecure devices are the literal *food* of a botnet. O_O

Just Passin' Thru • November 8, 2016 2:51 PM

During development, being able to telnet or ssh into a device is important, and having a password then is not important.

When a product ships, if there is often no "maintenance" or upgrades, then the communication should be removed.

But that would be a pretty big risk to the engineers. What if the product has problems in the field that they did not encounter in the lab? They would want to log in to affected devices to diagnose the problem. So, what do they do? They put in a fixed password that works for all their products.

It seems to me that one way to get around this is to hash the MAC address with your own hash and salt to generate the password. During development, you are on the same subnet as the device, so you can easily find its MAC address -- so you can easily write a front-end tool to telnet or ssh to let you in without typing in a painfully unique password.

The same could be done to generate the "user name".

So, how to stop someone from installing s/w on your subnet supplied by your ISP to try to find these devices? Install a lockout to ignore requests that come too frequently.

This is cheap to implement in embedded devices.

If the embedded industry would develop a standard, that also specifies that the password need be at least, say 12 chars long, this DDOS from embedded devices could be a thing of the past. And if the industry adopts it, it would keep government dictates and supervision at bay. And it could be a marketing tool, too, like advertising a product as "industry approved as internet safe".

Maybe the govt needs to rattle its saber to kick things off.
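Working through the scheme proposed in the comment above, as an added example that is not part of the original post or its comments: the factory password is a keyed hash (HMAC-SHA256 here) of the device's MAC address, and a sliding-window throttle drops login attempts that arrive too frequently. The vendor secret, the MAC addresses and the 16-character password length are constructed choices for the illustration.

```python
"""Per-device factory credentials derived from the MAC address, plus a lockout.

Added example, not from the original post or its comments, working through the
scheme proposed in the comment above: the password is a keyed hash of the
device's MAC, so every unit ships with a different password while the vendor's
support tooling on the local subnet can still recompute it. The secret, the
MAC addresses and the 16-character password length are constructed choices.
"""
import base64
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Constructed stand-in for the vendor's key. Every device's password depends on
# this single value, so whoever holds it can derive any unit's password from its
# MAC alone; it needs the same protection as a code-signing key.
MANUFACTURER_SECRET = b"constructed-example-secret-not-for-production"

MIN_PASSWORD_CHARS = 12  # the floor the comment proposes for an industry standard


def normalize_mac(mac: str) -> bytes:
    """Canonical form so 'AA-BB-..' and 'aa:bb:..' derive the same credential."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).encode()


def derive_credentials(mac: str, secret: bytes = MANUFACTURER_SECRET,
                       password_chars: int = 16) -> Tuple[str, str]:
    """Return (username, password) for one device.

    HMAC-SHA256 plays the role of the comment's 'your own hash and salt': the key
    is the vendor secret, the message is the MAC prefixed with a purpose label so
    the username and password digests can never coincide.
    """
    if password_chars < MIN_PASSWORD_CHARS:
        raise ValueError("password shorter than the agreed minimum")
    norm = normalize_mac(mac)
    user_digest = hmac.new(secret, b"user:" + norm, hashlib.sha256).digest()
    pw_digest = hmac.new(secret, b"password:" + norm, hashlib.sha256).digest()
    username = "dev-" + base64.b32encode(user_digest).decode().lower()[:8]
    # URL-safe base64 carries 6 bits per character, so 16 characters is 96 bits.
    password = base64.urlsafe_b64encode(pw_digest).decode().rstrip("=")[:password_chars]
    return username, password


class LoginThrottle:
    """Ignore login attempts from a peer that arrive too frequently.

    Sliding window per source address: once `max_attempts` fall inside
    `window_seconds`, further attempts are dropped until old ones age out. The
    clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, source: str) -> bool:
        now = self.clock()
        q = self._attempts[source]
        while q and now - q[0] > self.window:
            q.popleft()             # forget attempts that left the window
        if len(q) >= self.max_attempts:
            return False            # too frequent: ignore the request
        q.append(now)
        return True


def authenticate(mac: str, username: str, password: str, source: str,
                 throttle: LoginThrottle) -> bool:
    """Device-side check of one telnet/ssh login attempt."""
    if not throttle.allow(source):
        return False
    expected_user, expected_pw = derive_credentials(mac)
    # compare_digest keeps timing independent of where a mismatch occurs.
    return (hmac.compare_digest(expected_user.encode(), username.encode())
            and hmac.compare_digest(expected_pw.encode(), password.encode()))
```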

Just Passin' Thru • November 8, 2016 2:56 PM

One other thing, maybe turning all offending devices into bricks is a good idea -- it would mean that "industry approved as internet safe" would have real meaning to consumers.

Clive Robinson • November 8, 2016 3:23 PM

@ Dr. I. Needtob Athe,

If an IoT device can be commandeered into a botnet then it can also be bricked.

It's quite likely with Flash ROM that is used these days in low cost consumer items.

However noting that something is possible is not the same as exploiting it. Thus tempting as it would be to do

a project to brick all vulnerable devices on the internet, might be the answer.

Is probably not a good idea. Because an increasing number of IoT devices control other things which would cause secondary losses.

For instance an IoT freezer if bricked would probably not just destroy the freezer but also its contents. With some people the contents of their freezer may be worth considerably more than the freezer[1]. Likewise bricking an environmental control IoT could actually kill people... Which would not go unnoticed by the local police force.

[1] The classic example of this was an expensive art work. It was a self portrait sculpture the artist had done in their own frozen blood. The person who had paid big money for the sculpture had workmen in who cut the power to the freezer the artwork was kept frozen in, and it melted...

Bug • November 8, 2016 3:25 PM

This is just a random thought, but I wonder if one of the more straightforward and easy-to-implement ways of making IoT-devices less harmful would be to (legally) require them to set a hard limit on the bandwidth they can use. Of course, if it's just a flag set in software somewhere it's easily overridden once the device gets hacked, but if done well it's a minimal change that would drastically change the effectiveness of this kind of attack.

I know, the assumption that all the billion different devices will be changed is probably a pipe-dream, and it opens up the possibility of similar limits being put on actual PCs, but we're going to need *some* way to fix this mess. "Improve security" is too vague to get anything done, unless followed by either specific instructions like above, or companies being legally/financially liable in case shit hits the fan.

BG • November 8, 2016 4:10 PM

IoT should be spelled iOUT - Internet of Unsecured Things.

UPnP should not be on by default, on the routers and on the iOUT devices.

gordo • November 8, 2016 5:55 PM

"We're unlikely to get ... any regulations" - @ Bruce Schneier

Yes, hopefully unlikely, as with the first item below.

Changes to Rule 41, however, un-vetted and un-amended, i.e., un-addressed, by Congress, are fast upon us.

Forum shopping and government-sanctioned anti-malware, i.e., lawful hacking or LEOware at potentially massive scales, are both examples of unsafe approaches. A worst-case interpretation: Brick the bot and see what else they've got.

I'm generally not a proponent of "Shoot first, ask questions later" approaches. We've seen how badly such approaches have failed, in other contexts.

---

Heads Up Internet: Time to Kill Another Dangerous CFAA Bill
EFF | BY JAMIE WILLIAMS | MAY 26, 2016

Their latest proposal is ostensibly directed at stopping botnets. It's even named the “Botnet Prevention Act of 2016.” But the bill includes various provisions that go far beyond protecting against attacks by zombie computers: ...

https://www.eff.org/deeplinks/2016/05/heads-internet-time-kill-another-dangerous-cfaa-bill

---

...and on that not un-related Rule 41 change:

Grassley Seeks Details on FBI Spyware Programs
News Release | Jun 12, 2015

WASHINGTON – Senator Chuck Grassley, Chairman of the Senate Judiciary Committee, is pressing the Federal Bureau of Investigation (FBI) for more information on its spyware program.


The request comes amid the Justice Department’s push to amend Rule 41 of the Federal Rules of Criminal Procedure in order to allow judges to grant warrants for remote searches of computers located outside their district or when the location of the computer is unknown. Currently, federal prosecutors generally must seek a warrant in the judicial district in which the target of the search is located.

In a letter to FBI Director James Comey, Grassley wrote, “It is essential that law enforcement has the necessary technological tools and legal framework to keep the public safe,” however, “Publicly available information on the FBI’s use of spyware is often inconsistent.”

http://www.grassley.senate.gov/news/news-releases/grassley-seeks-details-fbi-spyware-programs

---

RULE 41 CHANGES ENSURE A JUDGE MAY CONSIDER WARRANTS FOR CERTAIN REMOTE SEARCHES
June 20, 2016
Blog post courtesy of Assistant Attorney General Leslie R. Caldwell of the Criminal Division

Congress is currently considering proposed amendments to Rule 41, which are scheduled to take effect on Dec. 1, 2016.


This marks the end of a three-year deliberation process, which included extensive written comments and public testimony. ... .

https://www.justice.gov/opa/blog/rule-41-changes-ensure-judge-may-consider-warrants-certain-remote-searches

---

Sens. Leahy and Lee asked Judiciary Chairman Chuck Grassley for hearing on Rule 41 expansion of FBI hacking in June
@dnvolz 9 Sep 2016

[letter copy, June 30, 2016]
https://mobile.twitter.com/dnvolz/status/774300677430452224

Leahy seeks hearing on mass hacking of Americans' computers by feds
USA TODAY | Erin Kelly and Nicole Gaudiano | October 24, 2016

Sens. Patrick Leahy, D-Vt., and Mike Lee, R-Utah, have written a letter urging Judiciary Committee Chairman Chuck Grassley, to hold a hearing. So far, Grassley has not scheduled one.

http://www.burlingtonfreepress.com/story/news/2016/10/24/leahy-seeks-hearing-mass-hacking-americans-computers-feds/92689016/

---

U.S. lawmakers raise privacy concerns over new hacking rules
Reuters | By Dustin Volz | Thu Oct 27, 2016

In their letter, the lawmakers asked how the government would prevent under the expanded rule so-called "forum shopping," where prosecutors seek warrants in districts considered more favorable to law enforcement.


They also asked how the Justice Department intends to notify users when electronic devices have been searched and whether law enforcement has the authority to disable malicious software on a protected device, including those belonging to innocent Americans, among other questions.

http://www.reuters.com/article/us-usa-cyber-congress-idUSKCN12R2QN

---

Congress Needs More Information Before the Government’s New Hacking Powers Kick in
EFF | BY KATE TUMMARELLO | OCTOBER 28, 2016

The federal government is set to get massively expanded hacking powers later this year. Thankfully, members of Congress are starting to ask questions.


In a letter this week to U.S. Attorney General Loretta Lynch, 23 members of Congress—including Sens. Ron Wyden and Patrick Leahy and Rep. John Conyers—pressed for more information and said they “are concerned about the full scope of the new authority” under pending changes to federal investigation rules.

https://www.eff.org/deeplinks/2016/10/congress-needs-more-information-governments-new-hacking-powers-kick

---

Will Congress ever vote on the “The Stop Mass Hacking Act”?
Naked Security | by Bill Camarda | 15 SEP 2016

In May, tech-savvy Democrat Ron Wyden and libertarian Republican Rand Paul proposed The Stop Mass Hacking Act (S. 2952, H.R. 5321). It’s basically one sentence: “To prevent the proposed amendments to rule 41 of the Federal Rules of Criminal Procedure from taking effect.”

https://nakedsecurity.sophos.com/2016/09/15/will-congress-ever-vote-on-the-the-stop-mass-hacking-act/

---

Sens. Wyden, Paul, Baldwin, Daines, Tester: Stopping Mass Hacking (SMH) Act

Even if, as DOJ asserts, these Rule changes are merely a “venue change,” they are a venue change with very significant policy implications.

https://www.wyden.senate.gov/download/?id=599A82D4-F984-46B1-9BFF-F8487BBF279C&download=1

---

Prepare for that?

Uncle Joe Stalin • November 8, 2016 5:58 PM

Polls just about closed and the massive vote rigging predicted by Trump has occurred and the incredible mass Rooskie election hack happened.

Oh the humanity!

Can the USA survive this terrible cyber first strike?

I got 3 words for the Bruce "election Russian hack propaganda": Wen Ho Lee

Clive Robinson • November 8, 2016 6:27 PM

@ Uncle Joe Stalin,

Polls just about closed and the massive vote rigging predicted...

Tomorrow, the US Public will awake and realize that there has been a mistake, a terrible mistake, they will have voted in a president who will make their wildest nightmares look tame...

That's the only consistent thing about the whole event, the two most unelectable candidates ended up the front runners and the US citizens will have chosen one of them by what the US call "a democratic process", that is anything but... And the rest of the world looks on and shakes their heads.

My Info • November 8, 2016 6:42 PM

For the record I am strongly in favor of IPv6. We have simply outgrown IPv4.

Having said that, I am not in favor of the Internet of All Things IPv6-Addressable. Those are almost all highly proprietary MPAA-protected devices built on a cheap budget, to wit: "There are no user serviceable parts inside this unit."

#1.) They are insecure and unsecurable.

#2.) They tend to have microphones and cameras.

As a consequence of these two properties, they make George Orwell's wildest dreams come true.

ab praeceptis • November 8, 2016 7:22 PM

Aargh. Yet another IPv6 fan.

Funny that they skipped IPv5 (not really, I know, but I like the metaphor), i.e. 64 bit addresses.

Would be easier and cheaper to remember and handle and use. You think "cheap" is not necessary as we're talking a mere 8 bytes difference? a) see my next point, and b) you know, handling some billion packets per day in a router, those bytes sum up ...

Hello? Anyone there? Didn't it strike them that choosing an address size way beyond current word widths was maybe not the smartest thing to do?
But, hey man, soon we'll have 128 bit CPUs all over the place, you say? Nope. You see there is a reason for washing machines and zillions of plastic modem/router boxen not having jumped up to 64 bit processors. It's very similar to the reason for us not having had 64 (and even 32) bit processors for a long time. It's complicated, it's expensive, it eats more electricity which is a bad thing for solar or battery powered devices.

"IPv5", i.e. 64 bit addresses would have provided about 2 billion IPs to each and every human on this planet. In case they wanted to *really long term* plan it would still provide a today's /8 to each and every human in case world population grew to far beyond 100 billion (a very theoretical assumption).

And, best of all, pretty much every desktop or tablet processor could handle such an address in its ALU (and, of course, its registers).

Assuming a more reasonable and realistic address ordering/distribution scheme of say a "mere" 65k IPs per customer/household (where them thin plastic boxen live) a 16 bit CPU would be fine for almost everything needed ("my net or outside?" plus "inside traffic, I deal with that" would be largely enough).

And, alas, what a coincidence that 64-bit processors find raging take-up while IPv6 is a pain to sell.

Sidenote: There are other, sometimes quite trivial, reasons for desirable processor word width, too. Things like "What's about the biggest number we might ever have to deal with?". One classical measure is national budgets or GDPs. 32 bit is a little tight but 64 bit is plenty. This is for "everyday stuff and numbers". For other areas, say crypto or astrophysics, the difference is quite irrelevant as the numbers needed there tend to go far beyond even 128 or 256 bits, so the 32 or 64 bits question is rather moot there. But for Joe and Jane and acme inc. 64 bits happens to be the "sweetspot with a generous reserve built in" and hence that's what they want and buy.

loren • November 8, 2016 7:36 PM

I saw various mentions that caching wasn't possible because of the randomly generated names. But couldn't it be done if the authoritative and recursing servers supported DNSSEC? After enough queries, the recursors should have enough NSEC records to send NXDOMAIN--even to non-DNSSEC clients--without talking to anyone.
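The mechanism the comment above describes, worked through as an added example that is not part of the original post or its comments: a resolver holding a zone's signed NSEC chain can prove by itself that a random name does not exist (the approach later standardised as RFC 8198), including the wildcard check that decides whether the proof is complete. The zone, its NSEC chain and all query names are constructed.

```python
"""Answering NXDOMAIN from cached NSEC records (RFC 8198 style).

Added example, not from the original post or its comments. A validating
resolver that has cached a zone's signed NSEC chain can prove by itself that a
made-up name does not exist, so a flood of random subdomains is answered from
cache instead of reaching the authoritative server. The zone, its NSEC chain
and every query name below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class NSEC:
    owner: str      # owner name of the NSEC record (proven to exist)
    next_name: str  # next owner in canonical order; the apex on the last record


ZONE = "example.com."

# Constructed chain for a zone whose only names are the apex, api and www.
CACHED_NSEC: List[NSEC] = [
    NSEC("example.com.", "api.example.com."),
    NSEC("api.example.com.", "www.example.com."),
    NSEC("www.example.com.", "example.com."),  # last record wraps to the apex
]


def canonical_labels(name: str) -> List[bytes]:
    """Labels lowercased and ordered root-first, as RFC 4034 s6.1 compares them."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    labels.reverse()
    return labels


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 under DNSSEC canonical ordering: label by label from the root,
    bytewise, with a name that is a prefix of another sorting first."""
    la, lb = canonical_labels(a), canonical_labels(b)
    return (la > lb) - (la < lb)


def in_zone(name: str, zone: str) -> bool:
    n, z = canonical_labels(name), canonical_labels(zone)
    return n[:len(z)] == z


def covers(rec: NSEC, qname: str, zone: str) -> bool:
    """True if qname lies strictly inside the gap (rec.owner, rec.next_name)."""
    if canonical_cmp(rec.owner, qname) >= 0:
        return False
    if canonical_cmp(rec.next_name, zone) == 0:
        return True                 # last NSEC: covers everything after owner
    return canonical_cmp(qname, rec.next_name) < 0


def closest_encloser(qname: str, rec: NSEC) -> str:
    """Longest ancestor qname shares with the covering record's owner or next
    name: the deepest name that record proves to exist above qname."""
    q = canonical_labels(qname)
    best: List[bytes] = []
    for existing in (rec.owner, rec.next_name):
        common: List[bytes] = []
        for x, y in zip(q, canonical_labels(existing)):
            if x != y:
                break
            common.append(x)
        if len(common) > len(best):
            best = common
    return ".".join(lbl.decode() for lbl in reversed(best)) + "."


def find_covering(qname: str, cache: Sequence[NSEC], zone: str) -> Optional[NSEC]:
    return next((r for r in cache if covers(r, qname, zone)), None)


def can_synthesize_nxdomain(qname: str, cache: Sequence[NSEC] = CACHED_NSEC,
                            zone: str = ZONE) -> bool:
    """True when the cache alone proves qname does not exist, so NXDOMAIN can be
    returned without an upstream query; False means fall back to a real query."""
    if not in_zone(qname, zone):
        return False                # nothing cached speaks for this name
    if any(canonical_cmp(r.owner, qname) == 0 for r in cache):
        return False                # the name exists: positive answer instead
    rec = find_covering(qname, cache, zone)
    if rec is None:
        return False                # this gap is not in the cache yet
    # A wildcard at the closest encloser would make qname resolve after all,
    # so the cache must also prove that the wildcard does not exist.
    wildcard = "*." + closest_encloser(qname, rec)
    if any(canonical_cmp(r.owner, wildcard) == 0 for r in cache):
        return False                # wildcard exists: answer may come from it
    return find_covering(wildcard, cache, zone) is not None
```

Once the three cached records above are in hand, every random label under example.com. is refused locally; the same logic returns False for a zone that does carry a wildcard, which is where a resolver must keep asking upstream.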

John Smith • November 8, 2016 7:48 PM

I like the old concept of "outlaw".

Internet users, as a class, file suit to have an offending device
declared as outlawed, literally outside the law.

If the suit is successful, the outlawed device and the internet service
it uses are no longer protected by any law or regulation. They are now
"fair game".

Vigilantes are free to attack the device in any manner, up to and including
its destruction, and cannot be punished for it.

Before you buy an IoT device, you check the outlawed list.

Let the epic lulz begin!

My Info • November 8, 2016 7:55 PM

@ab praeceptis

Uh huh... the version number "6" skipped over "5," the fact that the addresses are in "hex," and the whole six-pointed pentagram aspect of it...

There are things not to like.

Sancho_P • November 9, 2016 6:18 PM

@Dr. I. Needtob Athe, Mike, …

“brick the devices, make seller replace them …”

Nope, bad idea.

First, you’d brick quite a lot of businesses and public service, huge damage.
Second, you’d pile up a mountain of electronic waste.
Third, the seller would shut down and restart selling shit using a different name.
Fourth, the innocent user would again waste money for crap.
Fifth, it’s useless because we don’t know how to produce secure crapware.
(Hint: This means nowadays there is no such thing as a secure consumer router)

-> The ISPs have to stop the attack.
No private, dynamic IP address can be used to hammer requests to the same target at that speed for that period of time. Something like a proxy would already help.

If an ISP doesn’t enforce its T&C it must be held responsible for the damage.
It's their liability.
No new regulations, just enforce them.

Ryan C • November 10, 2016 4:49 PM

Botnets this large can actually take down Google.

"(Hint: This means nowadays there is no such thing as a secure consumer router)"
In a sane world all routers would use OpenWRT.
