Brian Krebs site hit with 665 Gbps DDoS attack is back. Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net? Let Brian Krebs answer to that with his The Democratization of Censorship article. Here is my short overview of that article showing some of the main points:
John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” The recent events have shown that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. This is called “The Democratization of Censorship.”
Krebs used a DDoS protection provider. That company made a business decision after facing long world’s biggest DDoS attack to terminate the pro bono customer agreement. Now the site is up usingnder Project Shield, a free program run by Google to help protect journalists from online censorship. DDoS attacks are uniquely effective weapons for stomping on free speech because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user or independent journalists. The companies that have capacity to handle attacks like this cost between $150,000 and $200,000 per year.
What exactly was it that generated the record-smashing DDoS of 620 Gbps attack? There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices. The reality is that there are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time. The problem of DDoS conscripts goes well beyond the millions of IoT devices that are shipped insecure by default. Many ISPs do nothing to prevent devices being used for attack – best practice BCP38 is designed to filter such spoofed traffic. is rarely followed. To handle those problems, we probably need an industry security association, with published standards that all members adhere.
There was another attack at almost the same time. OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack. That attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs. For more details on this attack read OVH hosting hit by 1Tbps DDoS attack, the largest one ever seen article.
This DDoS attack is a growing threat to free speech and ecommerce. It’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. This kind of attack has also potential to endanger human lives, shut down critical national infrastructure systems, or disrupt national elections. There is big election soon in USA, and let’s see how well they have prepared.
The article also mentions Bruce Schneier’s unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.
If you want to worry more, remember that last month a large number of hacking tools used by NSA were leaked to Internet. NSA hushed up zero-day spyware tool losses for three years article says that sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers has found that the agency knew about the loss for three years but didn’t want anyone to know. Also just few days ago largest hack ever was revealed: Yahoo says 500 million accounts stolen.
Should you start to worry?
44 Comments
Tomi Engdahl says:
Someone is Testing Methods for Taking Down the Entire Internet
http://fortune.com/2016/09/25/internet-infastructure-attack/
And it’s probably China.
Earlier this month, security expert Bruce Shneier revealed that companies responsible for the basic infrastructure of the Internet are experiencing an escalating series of coordinated attacks that appear designed to test the defenses of its most critical elements. He says that, based on the scale of the attacks, the most likely culprit is a large state cyberwarfare unit, with China at the top of the list of suspects.
The ultimate goal of the efforts could include a “global blackout of all websites and e-mail addresses in the most common top-level domains.”
Schneier, CTO of IBM’s Resilient and a fellow at Harvard’s Berkman Center, said that most of the attacks were standard, though huge, DDoS attacks —blasts of data designed to overwhelm servers. What distinguished them was their methodically escalating nature. The attacks, described by sources speaking to Schneier anonymously, are coming in slowly mounting waves, forcing companies to “demonstrate their defense capabilities for the attacker.”
There were also non-DDoS attacks, including attempts to tamper with Internet addresses and routing.
His inside findings align with a public report from domain registrar Verisign, which says that DDoS attacks have “continued to become more frequent, persistent, and complex.”
both China and Russia have made significant strides in building systems that would resist any such mass takedown
Tomi Engdahl says:
Extra-Large Denial of Service Attack Uses DVRs, Webcams
http://hackaday.com/2016/09/26/extra-large-denial-of-service-attack-uses-dvrs-webcams/
Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums.
We can argue all day about whether a digital video recorder (DVR) or an IP webcam is an “IoT” device and whether this DDOS attack is the biggest to date or merely among them, but the class of devices exploited certainly are not traditional computers, and this is a big hit. Most of these devices run firmware out of flash, and it’s up to the end user (who is not a sysadmin) to keep it up to date or face the wrath of hackers. And it’s certainly the case that as more Internet-facing devices get deployed, the hacker’s attack surface will grow.
Why did the DDOS network use these particular devices? We’re speculating, but we’d guess it’s a combination of difficult-to-update firmware and user “convenience” features like uPnP.
We alternate between Jekyll and Hyde on the IoT. On one hand, we love having everything in our own home hooked up to our local WiFi network and running on Python scripts. On the other hand, connecting each and every device up to the broader Internet and keeping it secure would be a system administration headache. Average users want the convenience of the latter without having to pay the setup and know-how costs of the former. Right now, they’re left out in the cold. And their toasters are taking down ISPs.
Tomi Engdahl says:
150,000 IoT Devices Abused for Massive DDoS Attacks on OVH
http://www.securityweek.com/150000-iot-devices-abused-massive-ddos-attacks-ovh
The hosting provider OVH continues to be targeted by massive distributed denial-of-service (DDoS) attacks powered by a large botnet capable of generating significant attack traffic.
The first major attack was reported last week by investigative journalist Brian Krebs, whose website had been hit by a 620 Gbps attack.
OVH, one of the world’s largest hosting providers, later reported that its systems had been hit by simultaneous attacks that peaked at nearly 1 terabit per second (Tbps).
According to Octave Klaba, the founder and CTO of OVH, the attacks are powered by more than 150,000 Internet of Things (IoT) devices, including cameras and DVRs, capable of launching attacks that exceed 1.5 Tbps.
Tomi Engdahl says:
Early analysis suggests the largest DDoS attack in history, targeted at security reporter Brian Krebs, may have leveraged flaws within IoT devices, says Synopsys’ Robert Vamosi.
Source: http://semiengineering.com/blog-review-sept-28/
Tomi Engdahl says:
Security Journalist Silenced By IoT-based DDoS Attack
https://blogs.synopsys.com/codereview/2016/09/26/security-journalist-silenced-by-iot-based-ddos-attack/
Last week security reporter Brian Krebs suffered the largest DDoS attack in history, and lost his internet protection company and, briefly, no one had access to his site.
As of Monday morning, KrebsOnSecurity.com is back up, this time using the DDoS protection service provided by Google. Krebs said his previous protection company, Akami, with its Prolaxic technology, informed him last Wednesday he had two hours to transition his site to another protection network. The attack occurred at 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second and it was starting to cost them a fair amount of money to mitigate.
Early analysis suggests that the individuals responsible may have leveraged flaws within devices used for the Internet of Things (IoT) to mount such a robust and sustained attack on his website.
Krebs started his independent blog after being laid off from the Washington Post.
Project Shield is a free program run by Google to help protect journalists from online censorship, says Krebs.
https://jigsaw.google.com/projects/#project-shield
Tomi Engdahl says:
Record-breaking DDoS reportedly delivered by >145k hacked cameras
Once unthinkable, 1 terabit attacks may soon be the new normal.
http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there’s word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger.
The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. The first one reached 1.1 Tbps while a follow-on was 901 Gbps. Then, last Friday, he reported more attacks that were in the same almost incomprehensible range. He said the distributed denial-of-service (DDoS) attacks were delivered through a collection of hacked Internet-connected cameras and digital video recorders. With each one having the ability to bombard targets with 1 Mbps to 30 Mbps, he estimated the botnet had a capacity of 1.5 Tbps.
On Wednesday, he said more than 15,000 new devices had participated in attacks over the past 48 hours.
DDoS mitigation experts haven’t confirmed the numbers, and Klaba didn’t respond to a request for an interview. Still, his account is believable and largely squares with what’s being reported by Akamai, the company that until recently fought the record-breaking attacks directed at KrebsOnSecurity. Indeed, Klaba said evidence suggests his network and KrebsOnSecurity may be targeted by the same botnet. But even if they’re different botnets, the events over the past week are likely to set a new precedent for DDoS attacks.
“Now that we’ve seen a 600 gig botnet, we have to plan that within one to two years, those are going to become common,”
Prior to last week, the biggest DDoS attack Akamai had mitigated was one in June that peaked at 363 Gbps.
Tomi Engdahl says:
Earlier this year:
Large CCTV Botnet Leveraged in DDoS Attacks
https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
Tomi Engdahl says:
Distributed Censorship or Extortion? The IoT vs Brian Krebs
http://hackaday.com/2016/09/29/distributed-censorship-or-extortion-the-iot-vs-brian-krebs/
Now it’s official. The particular website that was hit by a record-breaking distributed denial of service (DDOS) attack that we covered a few days ago was that of white-hat security journalist [Brian Krebs]: Krebs on Security.
During the DDOS attack, his site got 600 Gigabits per second of traffic. It didn’t involve amplification or reflection attacks, but rather a distributed network of zombie domestic appliances: routers, IP webcams, and digital video recorders (DVRs). All they did was create HTTP requests for his site, but there were well in excess of 100,000 of these bots.
In the end, [Krebs’] ISP, Akamai, had to drop him. He was getting pro bono service from them to start with, and while they’ve defended him against DDOS attacks in the past, it was costing them too much to continue in this case.
The Democratization of Censorship
[Krebs’] takeaway from the whole event is summarized in his blog post (now that he’s back online): “The Democratization of Censorship“. It’s worth a read
His basic point, however, is that it used to take a nation-state to censor information on the Web — strongman regimes or agencies with spooky contacts in big ISPs. But if any script-kiddie can leverage IoT devices with hardcoded passwords to pull selected websites off the Net, the game has fundamentally changed.
You’d have to be a fairly dedicated anarchist to say that this is a good development. After all, we haven’t traded government censorship and surveillance for private censorship. There’s just another actor on the stage, and what’s worse, that other actor is criminal.
[Krebs] also makes the case that sufficiently motivated groups can now effectively silence journalists, and makes the case for thinking about how we can protect free speech on the Internet. For his part, [Krebs] is now hosted as part of a Google project (Project Shield) that aims to mitigate such attacks
The timing makes it look like it was the “vDOS” folks who were selling DDOS services, and two of whom are now in jail.
In the last few years, ransomware has become so widespread that people outside the security community have even heard of it. But DDOS ransom attacks are the true growth industry. And these extortionists even have cute nicknames now: “booters” or “stressers”.
[Krebs] estimates that getting DNS services that will protect him in the event of a similar attack would cost him $100,000 to $300,000 per year. Clearly, he’s not able to fork out that much for legit protection, but the cost of protection against this sort of attack should provide an upper bound on how much ransom these criminals can ask for.
The point is that one could make a good living running a botnet of DVRs, threatening to knock websites off the Internet for a day or two. We see this as a much more likely threat than [Krebs’] fear of censorship. DDOS extortion is illegal and wrong, but where there’s money, there’s going to be a criminal to fit the crime.
Why? Why Not?
Given that botnets of DVRs can be converted into cash, [Krebs] was asked why he thought anyone would do this. Before the attack, whoever was running the IoT botnet had 100,000+ computers under their control, all of which were entirely under the radar. But now the IP addresses of all of these machines are known, and someone might get around to patching the devices someday. Who would burn a gigantic botnet just to make [Brian] mad?
[Krebs’] answer is terrifying, but probably spot-on. It doesn’t matter who launched the attack. There are tens of millions of insecure IoT devices out there. Using up 100,000 here or there is a drop in the ocean.
We also cynically think that hitting [Brian Krebs] is good advertising for the groups who are selling DDOS extortion — if there was a single sysadmin who hadn’t heard of the concept, they will have now.
In June 2016, Sucuri wrote about defending against a “large” botnet of only 25,000 CCTV appliances. In August, Level 3 wrote about vulnerabilities in over one million units of one brand of DVR. What counts as a “large” botnet has quadrupled over a few months, and the amount of traffic that one can generate has kept pace. And all of this is just the tip of the iceberg.
Tiny Headless Servers Everywhere
The problem is one that we’ve written about before, more or less obliquely. IoT devices contain headless computers that are connected to the Internet and talking to the outside world without human oversight. They’re what the layman thinks of as servers: a “box” somewhere with no GUI, accessed remotely, and dishing out data 24/7. The important difference between an IoT device and a traditional server is that the bigger server has an administrator who can apply patches and software tools that help him or her keep an eye on things.
With IoT devices, the ability to update, upgrade, audit, and administer is still in its infancy. The root passwords to some of the DVR devices used in this attack have been known since 2013, and scriptable attacks against the devices are included as a Metasploit module. A competent sysadmin would have patched that by now. (And a competent manufacturer never would have let that out the door.)
Instead the devices are administered by (millions of) people who don’t even really know that there’s a tiny little computer inside.
How to Fix It?
The security problem of IoT appliances is real
Exploiting botnets of IoT devices has become a viable criminal option. Unpatched IoT appliances are the (pre-service-pack-two) Windows XP machines of the moment: they’re a public menace because they enable criminal activity. And it’s going to take both industry involvement and user education to get us out of this mess.
One solution is remote-push firmware upgrades. Of course, this is its own avenue for malware distribution, but it might be less dangerous than leaving hard-coded administrator passwords in place, or running outdated software with known exploitable bugs. There are a number of known bad ways to implement this: a single key for all devices “hidden” in the EEPROM, for instance. What are the good ways?
People don’t like change, though
And companies go out of business or simply decide to pull support for their products. Other firms just don’t care.
In short, the consumer IoT botnet problem is a thorny one, and it’s not one that we’ve heard the last of. What do we do?
Tomi Engdahl says:
Krebs Warns Source Code Leaked From Massive IoT Botnet Attack
https://it.slashdot.org/story/16/10/02/2039229/krebs-warns-source-code-leaked-from-massive-iot-botnet-attack
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot…
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts “there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.”
Source Code for IoT Botnet ‘Mirai’ Released
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.
Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.
According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.
“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.
Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.
Tomi Engdahl says:
The 665 Gbps attack on “Krebs On Security”
http://www.spoofit.org/
During the month of September 2016, we have been monitoring the activities of the Ghost Squad Hacker (GSH), a hacker group that until then actively participated in different Anonymous operations as #OpIcarus targeting banks or #OpIsrael. In a YouTube video, s1ege spokesman of GSH stated that attacking the banks and the media in #OpIcarus and #OpSilence was a legitimate form of fighting for justice against the elites.
Our first reading of the events was that the attack against “Krebs on Security” did not fit into the modus operandi of these groups and rather tried to retaliate against a journalist that was openly disclosing how the “stress testing scene” works.
Tomi Engdahl says:
Are Stress testing services legitimate?
http://www.spoofit.org/legitimate-stress-testing-services/
The business logic behind stress testing services is that site owners should have the right to test and benchmark the security and performance of their websites. Stress testing owners offer a service that “in theory” is supposed to be used for legitimate purposes.
Here is a collection of reasons why we believe that stress testing services fail to show that their business is legitimate.
Site ownership: Stress testing services do not provide any common means to verify that the attacker really owns the website. There are dozens of known well mechanisms where site ownership can be proofed to a third party. Typical means are e-mail verification, placing certain content inside of the website or adding special DNS records. Stress testing services fail to provide adequate means to ensure that the traffic is sent with the consent of the site owner.
Traffic Generation: Many of the attack vectors available in the stress testing sites require reflection techniques to achieve traffic amplification. This amplification is always built abusing third party infrastructure (DNS, NTP, Game Servers,…). To our knowledge, we are not aware of any stress testing service that can deliver more than 10 Gbps without amplification or using compromised services.
Traceability: Stress testing services ensure that the attacker is untraceable, something that is not consistent with the logic that the site owner is testing his own services.
High Collateral Damage: Stress testing services have a high impact in third party infrastructure and neighbors of the victims.
Tomi Engdahl says:
Splunk CTO Urges Collaboration Against Cyberattacks – And ‘Shapeshifting’ Networks
https://developers.slashdot.org/story/16/10/02/2337218/splunk-cto-urges-collaboration-against-cyberattacks—and-shapeshifting-networks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense,” says the CTO of Splunk — because the labor is cheap, the tools are free, and the resources are stolen. “He says what’s needed to bring down the cost of defense is collaboration between the public sector, academia and private industry…the space race for this generation,” reports Slashdot reader davidmwilliams.
Cyber defence collaboration to be the space race of our generation
http://www.itwire.com/enterprise-solutions/75026-cyber-defence-collaboration-to-be-the-space-race-of-our-generation.html
1. Cybernomics
Number one on Snehan’s list is what he labels “cybernomics.”
“The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defence,” he said. This is because attack tools are freely distributed, the computing resources are stolen, and because the labour costs in state-sponsored attacks are typically low.
“This creates an unsustainable trajectory from a cyber-defence checkpoint. We have to fundamentally change the economics of cyber defence to a thousandth.”
This cannot be performed in isolation. “It will take tremendous collaboration across the public sector, academia and private business,” Snehal stated.
“This will be a collaboration not seen since the space race. I believe this will be the space race of our generation.
“This will be achieved through six levers,”
2. Data storytelling
Snehal describes “data storytelling” as the last mile of analytics. “It will become absolutely critical,” he states.
“Storytelling is getting these complex insights and analytics so as many people can consume the information as possible – it’s truly telling stories of the data. That’s the ‘last mile’ of analytics,”
3. IoT as a business data source
The Internet of Things – or IoT – is well-established with industrial systems and SCADA systems. Yet, Snehal sees it as a vital data source for business analytics in time and will drive much higher business outcomes.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Source code behind IoT device botnet Mirai, responsible for DDoS of KrebsOnSecurity, publicly released by Hackforums user — The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) …
Source Code for IoT Botnet ‘Mirai’ Released
http://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.
Tomi Engdahl says:
SANS issues call to arms to battle IoT botnets
Do try this at home – but carefully
http://www.theregister.co.uk/2016/10/04/sans_issues_call_to_arms_to_battle_iot_botnets/
The SANS Institute is hoping sysadmins can help it to do what vendors won’t: improve Internet of Things security.
The call comes in the wake of not one but two IoShitT-based botnet attacks – the 600 Gbps-plus slam that sent security publication Krebs on Security from Akamai to Google Shield, and the same botnet escalating to nearly 1 Tbps in an attack on French hosting provider OVH. SANS wants suitably skilled sysadmins to lay out the honey.
Ulrich’s own DVR honeypot, when he connected it to the Internet, was hit with so many telnet attempts that it had to be rebooted regularly.
The Short Life of a Vulnerable DVR Connected to the Internet
https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543/
Tomi Engdahl says:
Weak Credentials Fuel IoT Botnets
http://www.securityweek.com/weak-credentials-fuel-iot-botnets
Botnets powered by Internet of Things (IoT) devices have recently made headlines after powering massive distributed denial of service (DDoS) attacks. The underlying issues with IoT devices, however, are by no means new. IoT botnets are possible mainly because enslaved devices often have security flaws, many of which have been discussed numerous times before.
The rise of DDoS botnets leveraging IoT devices for their dirty work once again brought to the spotlight how easily such products can be hacked to install backdoors. A slew of IoT devices reuse cryptographic keys and/or use easy-to-guess, hardcoded default login credentials, making them susceptible to brute-force and other types of attacks, especially since many users don’t or can’t change those credentials.
Mirai, a Linux backdoor initially detailed in early September, was observed relying on this weakness to find and ensnare IoT devices into a botnet. The botnet’s source code has been released online several days ago and is said to have been used to launch DDoS attacks against Brian Krebs’ website and hosting provider OVH, and to be powered by more than 150,000 IoT devices, including cameras and digital video recorders (DVRs).
To find and ensnare devices into the botnet, the malware scans the Telnet service on DVRs and WebIP Cameras on Busybox, as well as on other Linux-based IoT boxes with Busybox, and on unattended Linux servers, then attempts to login using hardcoded usernames and passwords to brute-force discovered devices. BASHLITE, a botnet that supposedly abuses over 1 million IoT devices, uses the same attack method.
“The IP address is hit by telnet attempts pretty much every minute.”
Ullrich was attempting to test how bad it would be to expose a DVR to an Internet connection, and he didn’t have to wait long to discover. The attacks tried a variety of passwords, but only one of them was set up on the honeypot, so only some attacks were successful.
The issue, however, is that this DVR isn’t the only insecure device exposed to the Internet, but that there are a great deal of other devices that also lack proper security right from the start. Mirai’s source code contains 68 username and password pairs, and “many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorder (DVRs),” Brian Krebs reveals.
Tomi Engdahl says:
IoT Botnet Targets Olympics in 540Gbps DDoS Attacks
http://www.securityweek.com/iot-botnet-targets-olympics-540gbps-ddos-attacks
The 2016 Rio Olympics weren’t all about the games, but also about overcoming some of the largest distributed denial of service (DDoS) attacks, Arbor Networks researchers reveal.
This year’s Olympic games, which took place in Brazil, were targeted by sustained, sophisticated, large-scale DDoS attacks reaching up to 540 Gigabits per second (Gbps) fueled by an Internet of Things (IoT) botnet, coupled with a few other botnets. The attacks, researchers say, were directed towards public-facing properties and organizations affiliated with the Olympics.
According to Arbor Networks, many DDoS attacks were going on for months before the Olympics kicked off, some in the tens of Gbps or the hundreds of Gbps ranges. However, the DDoS activity intensified as soon as the actual games started, and “the longest-duration sustained 500gb/sec-plus DDoS attack campaign” was observed.
“By any metric, the Rio Olympics have set the bar for rapid, professional, effective DDoS attack mitigation under the most intense scrutiny of any major international event to date,” the Arbor Networks researchers say.
A single IoT botnet was responsible for most of the pre-Olympics attacks, while help received from other botnets allowed it to fuel the record-breaking DDoS campaign. The botnet, Arbor Networks reveals, is none other than LizardStresser, which was already known to abuse IoT devices to launch DDoS attacks upwards of 400Gbps.
Tomi Engdahl says:
Who Makes the IoT Things Under Attack?
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware.
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords.
most of the devices are network-based cameras, with a handful of Internet routers, DVRs and even printers sprinkled in.
Mainly, I turned to Google to determine which hardware makers used which credential pairs, but in some cases this wasn’t obvious or easy.
“Even when users are interested in and looking for this information, the vendor doesn’t always make it easy,” Dormann said.
Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device.
Indeed, according to this post from video surveillance forum IPVM, several IoT device makers — including Hikvision, Samsung, and Panasonic — have begun to require unique passwords by default
“As long as the password can’t be reversed — for example, an algorithm based off of a discoverable tidbit of information — that would be a reasonable level of security.”
Some readers have asked how these various IoT devices could be exposed if users have configured them to operate behind wired or wireless routers. After all, these readers note, most consumer routers assign each device inside the user’s home network so-called Network Address Translation (NAT) addresses that cannot be directly reached from the Internet.
many IoT devices will use a technology called Universal Plug and Play (UPnP) that will automatically open specific virtual portholes or “ports,” essentially poking a hole in the router’s shield for that device that allows it to be communicated with from the wider Internet.
Regardless of whether your device is listed above, if you own a wired or wireless router, IP camera or other device that has a Web interface and you haven’t yet changed the factory default credentials, your system may already be part of an IoT botnet. Unfortunately, there is no simple way to tell one way or the other whether it has been compromised.
Mirai is loaded into memory, which means it gets wiped once the infected device is disconnected from its power source.
If possible, reset the device to the factory-default settings. This should ensure that if any malware has been uploaded to the device that it will be wiped permanently.
navigate to the administration panel, enter the default credentials, and then change the default password to something stronger and more memorable.
Unfortunately, many of these devices also require periodic software or “firmware” updates to fix previously unknown security vulnerabilities that the vendor discovers or that are reported to the hardware maker post-production. However, relatively few hardware makers do a good job of making this process simple and easy for users, let alone alerting customers to the availability of firmware updates.
“When it comes to software updates, automatic updates are good,” Dormann said. “Simple updates that notify the user and require intervention are okay. Updates that require the user to dig around to find and install manually are next to worthless. Devices that don’t have updates at all are completely worthless. And that can be applied to traditional computing as well. It’s just that with IoT, you likely have even-less-technical users at the helm.”
BUT WAIT, THERE’S MORE
Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat.
often times IP camera users can change whatever settings they want in the device’s Web interface, but that’s no guarantee the changes will affect how the device can be accessed via Telnet or SSH.
“The problem is there’s no hard and fast rule,” Karas said.
Tomi Engdahl says:
Case in point: In February 2016 I published This is Why People Fear the Internet of Things, which examined a whole slew of IP cameras sold by Chinese Web camera giant Foscam that — by default — included a feature which would quietly phone home to a vast peer-to-peer (P2P) network run by the company. As I explained in that piece, while the Web interface for those P2P cameras included a setting allowing users to disable the P2P traffic, disabling that option didn’t actually do anything to stop the device from seeking out other Foscam P2P cameras online.
https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/
Tomi Engdahl says:
Linux/Mirai ELF, when malware is recycled could be still dangerous
http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html
Then it seems that the infection is really going widespread and the Botnet seems to be really very large.
At the moment for all the sysadmins who want to protect their systems there is a list of mitigations actions:
If you have an IoT device, please make sure you have no telnet service open and running.
Blocking the used TCP/48101 port if you don’t use it, it’s good to prevent infection & further damage,
Monitor the telnet connections because the Botnet protocol used for infection is the Telnet service,
Reverse the process looking for the strings reported in the MalwareMustDie detections tool tips.
But, what we know about this Linux/Mirai ELF malware exactly, and why it is not so common among the malware analysts?
“The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”
Tomi Engdahl says:
Mirai DDoS Trojan Is the Next Big Threat for IoT Devices and Linux Servers
http://www.securitynewspaper.com/2016/09/05/mirai-ddos-trojan-next-big-threat-iot-devices-linux-servers/
Tomi Engdahl says:
Mirai Linux Backdoor Targets IoT Devices
http://www.securityweek.com/mirai-linux-backdoor-targets-iot-devices
A newly observed Linux Trojan backdoor is actively targeting Internet of Things (IoT) devices and enjoying very low detection rate, even on systems using the x86 architecture, researchers say.
Dubbed Linux/Mirai, the backdoor infects devices via the Linux system’s SSH or Telnet accounts, because some of them use default passwords. After gaining shell access to the exposed device, the attacker would download and execute the malware, sometimes without parameters.
The backdoor uses the PF_INET socket and is opening UDP/53 port to access Google DNS server at 8.8.8.8 to establish a connection
While analyzing the threat, researchers observed that it delays the launch of its nefarious operations to avoid early detection. Immediately after infection, the malware just waits, while making sure that the opened backdoor port is up and used.
The Trojan uses hardcoded usernames and passwords to brute-force discovered devices and, once it has gained shell access, it sends a “shell one-liner command to install malware.”
Tomi Engdahl says:
Mirai “internet of things” malware from Krebs DDoS attack goes open source
https://nakedsecurity.sophos.com/2016/10/05/mirai-internet-of-things-malware-from-krebs-ddos-attack-goes-open-source/
Mirai, as the malware is known, is badly programmed and unfinished, but that doesn’t matter.
It works, and it’s effective primarily because of bad programming in the very IoT devices it uses to do its dirty work.
he Mirai bot, called simply bot in the source code, is written in C, and has three main components:
A call-home system that connects to a command-and-control server (which could be another insecure IoT device) to download details of whom to attack, and how.
A set of attack routines that can generate a range of legitimate-looking but purposeless streams of network traffic to eat away at the victim’s network capacity.
A network scanner that searches randomly across the internet and tries to login in various ways to build and report a list of insecure IoT devices for the next wave of attacks.
The Mirai source code package also includes a command-and-control tool, called cnc, written in Go.
Cross-platform support is one of Go’s strong points: the compiler directly supports seven different computer architecures, including the 32-bit and 64-bit Intel chips in most modern laptops and servers, and the AMD and MIPS chips common in price-sensitive home IoT devices.
In other words, both the attack bot and the control server can be built to run on regular computers as well as many commonly-used hardware devices.
How to steal 600 Gbit/sec
As we suggested above, between 60,000 and 600,000 home networks connecting simultaneously is, indeed, enough for a monster-sized attack of 600 gigabits per second.
We’re disappointed, but not at all surprised, to hear that malware like Mirai has things so easy.
What to do?
If you’re a device vendor, this list is for you:
Don’t use hardwired passwords.
Don’t set default passwords.
Don’t allow unauthenticated or unencrypted protocols for inbound connections.
Don’t open administrative connections on the outside interface by default.
Source Code for IoT Botnet ‘Mirai’ Released
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.
Tomi Engdahl says:
Source Code Released for Mirai DDoS Malware
https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/
against security journalist Brian Krebs’ website that peaked at better than 620 Gbps.
See more at: Source Code Released for Mirai DDoS Malware https://wp.me/p3AjUX-vuf
Mirai is now the second such malware family herding these IoT cats into botnets. At the end of August, Level 3 Communications disclosed research on the Bashlite malware, which the company said is responsible for compromising more than one million web-connected cameras and DVRs. Bashlite accelerated its activity quickly in July
Arbor Networks said it monitored 540 Gbps DDoS attacks targeting websites and organizations associated with the Rio Summer Olympic Games. The attackers fluctuated for months before the games, and ramped up during the 16 days of competition.
The DDoS attack against the Olympics-related websites, Arbor said, were UDP packet floods against port 179, designed to mimic attacks against BGP TCP ports. Arbor also uncovered the LizardStresser IoT botnet in June, which was using more than 1,000 webcams to launch 400 Gbps DDoS attacks against banks in Brazil, government agencies and gaming companies in the U.S.
“These types of attacks have already superseded [traditional DDos attacks],” Dobbins said. “IoT botnets are not an upcoming threat. I’m not concerned about the future; I’m concerned about the past. If I could wave a magic wand, I would make it so there are no unsecured embedded devices out there. We still have a huge problem; we still have tens of millions of these devices out there.”
See more at: Source Code Released for Mirai DDoS Malware https://wp.me/p3AjUX-vuf
Tomi Engdahl says:
Check also:
http://www.epanorama.net/newepa/2016/10/03/meet-linux-mirai-trojan-a-ddos-nightmare/
Tomi Engdahl says:
How To Become Part Of An IoT Botnet
http://hackaday.com/2016/10/06/how-to-become-part-of-an-iot-botnet/
We should all be familiar with the so-called Internet Of Things, a proliferation of Internet-connected embedded electronics. The opportunities offered to hardware hackers by these technologies have been immense, but we should also be aware of some of the security issues surrounding them.
Recently, the website of the well-known security researcher [Brian Krebs] suffered a DDoS attack. What made this attack different from previous ones wasn’t its severity, but that it had been directed not from botnets of malware-laced Windows PCs but from compromised IoT devices.
One might ask how it could be possible to take control of such low-end embedded hardware, seeing as it would normally be safely behind a firewall, preloaded with its own firmware, and without a clueless human at its terminal to open malware-laden email attachments. The answer is quite shocking but not entirely surprising, and lies in some astonishingly poor security on the part of the devices themselves. An exposé of one such mechanism comes courtesy of [Brian Butterly], who took an unremarkable IP webcam and documented its security flaws.
How to Become Part of an IoT Botnet
https://www.insinuator.net/2016/10/how-to-become-part-of-an-iot-botnet/
I suppose there are many people out there who want to achieve a greater good, fight evil corp and “show those guys”. So why not set a statement and become part of a botnet? #Irony!!! Of course I suppose (hope) that none of you actually want to be part of something like an IoT botnet, but joining could in theory be dead easy. So quite a while back I bought a dead cheap WiFi camera for use at home. It was kind of just as insecure as I had expected, so it got it’s own VLAN and stuff and here is why….
My Camera(s)
For this blog post neither model nor manufacturer are relevant. Not because I do not want to disclose any information, but because I have seen the same firmware on a lot of different webcams with different brandings. It is also the exact same firmware for both cameras with motors (pointing the camera) and ones without.
When running UPnP I’ve so far seen two different results: (1) Only the web interface is exposed, (2) telnet is also exposed. One of my cameras had this feature enable by default, so the moment you attach it to your network it will rip a hole into your defense lines.
Also when activating UPnP the camera does not enforce the activation of authentication, so if its exposed to the Internet it will be owned.
When going through the settings menu you can change IP settings, usernames and passwords (max 8 characters or it will kind of break), set alarms but there is no sign of Telnet settings.
I’m not planning on starting a discussion on Telnet now but it’s insecure and simply not made to be exposed to the public Internet. Especially if the user himself has no way of actually configuring telnet and does not even know the password. Luckily, using some secret sophisticated Hacker magic and some advanced tools I was able to crack a valid account on the device: root:123456 .
As the camera’s platform is generally open it would be trivial to put together a small binary for running on the webcam and, well, making it your slave.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Dahua’s IoT devices, largely responsible for Krebs DDoS attack, have default passwords hardcoded in firmware; EU is working on IoT device security regulations
Europe to Push New Security Rules Amid IoT Mess
http://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-iot-mess/
The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.
According to a report at Euractive.com, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,”
In last week’s piece, “Who Makes the IoT Things Under Attack?,” I looked at which companies are responsible for IoT products being sought out by Mirai — malware that scans the Internet for devices running default usernames and passwords and then forces vulnerable devices to participate in extremely powerful attacks designed to knock Web sites offline.
One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.
“The issue with these particular devices is that a user cannot feasibly change this password,” said Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.
Flashpoint says the majority of media coverage surrounding the Mirai attacks on KrebsOnSecurity and other targets has outed products made by Chinese hi-tech vendor Dahua as a primary source of compromised devices. Indeed, Dahua’s products were heavily represented in the analysis I published last week.
For its part, Dahua appears to be downplaying the problem.
Dahua said the company’s investigation determined the devices that became part of the DDoS attack had one or more of these characteristics:
-The devices were using firmware dating prior to January 2015.
-The devices were using the default user name and password.
-The devices were exposed to the internet without the protection of an effective network firewall.
Dahua also said that to the best of the company’s knowledge, DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.
Flashpoint’s Wikholm said his analysis of the Mirai infected nodes found differently, that in the United States Dahua makes up about 65% of the attacking sources (~3,000 Internet addresses in the US out of approximately 400,000 addresses total).
Dahau’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.
Dahua and other IoT makers who have gotten a free pass on security for years are about to discover that building virtually no security into their products is going to have consequences. It’s a fair bet that the European Commission’s promised IoT regulations will cost a handful of IoT hardware vendors plenty.
Also, in the past week I’ve heard from two different attorneys who are weighing whether to launch class-action lawsuits against IoT vendors who have been paying lip service to security over the years and have now created a massive security headache for the rest of the Internet.
Commission plans cybersecurity rules for internet-connected machines
https://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/
Tomi Engdahl says:
A SSHowDowN in security: IoT devices enslaved through 12 year old flaw
http://www.zdnet.com/article/a-sshowdown-in-security-iot-devices-attack-devices-through-12-year-old-flaw/
A vulnerability which has existed for over a decade in OpenSSH has led to today’s IoT devices being used in targeted attacks.
A vulnerability which has existed for over a decade in OpenSSH has led to today’s IoT devices being used in targeted attacks.
In what researchers call the “Internet of Unpatchable Things,” a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.
The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.
There is another edge to this sword — by connecting such vulnerable devices to the web, attackers can harness these products to create armies of traffic-generating systems which can be used to overload legitimate services.
On Wednesday, cloud service provider Akamai Technologies released a report into rising IoT-based attacks which documented the discovery of cyberattackers utilizing a 12-year-old vulnerability in OpenSSH to remotely generate vast amounts of traffic in a recent spate of SSHowDowN Proxy attacks.
The security flaw being exploited to create IoT slave networks, CVE 2004-1653, relates to OpenSSH default configurations which enables TCP forwarding and port bounces when a proxy is in use.
While the vulnerability itself is nothing new, the research team found that the continual failure of IoT device vendors to secure IoT and implementing default and hard-coded credentials is throwing the door wide open for attackers to exploit them.
Akamai says that SSHowDowN Proxy large-scale attacks are being made possible through millions of vulnerable devices, including CCTV, satellite antenna equipment, routers, and external storage products.
Lax credential security has paved the way for attackers to access web admin consoles of vulnerable devices, create SSH tunnels and launch attacks only against internal networks which host IoT devices, but also “any kind of Internet target and against any kind of Internet-facing service such as HTTP, SMTP and network scanning,” according to the team.
“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,”
“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it,” Kobrin added. “We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”
change any factory and default credentials as soon as you activate your products, and for the more technically-minded, establishing inbound firewall rules which prevent SSH access from external forces will also improve security.
CVE-2004-1653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653
Tomi Engdahl says:
Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure
https://threatpost.com/bruce-schneier-on-probing-attacks-testing-core-internet-infrastructure/120608/
Bruce Schneier talks to Mike Mimoso about information he was given regarding an increase in DDoS and probing attacks targeting companies running core internet infrastructure in an attempt to test their defenses.
For some additional context about this conversation, read an article by Schneier on these incidents, and check out a recent VeriSign report quantifying the volume of these DDoS attacks.
Tomi Engdahl says:
Hajime, Yet Another IoT Botnet
http://hackaday.com/2016/10/20/hajime-yet-another-iot-botnet/
Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.
Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.
Looking closely at the data, there was evidence of a second botnet that was significantly more sophisticated. Right now, they’re calling this worm Hajime.
The Hajime worm affects Internet of Things devices running BusyBox,
The Hajime worm propagates itself through port 23 – Telnet – via usernames and password combinations hardcoded into a list of credentials.
Right now, the extent of the Hajime worm is small. It appears the author is still in the propagation phase of his botnet.
Millions of Internet of Things devices have been sold with Telnet open and hardcoded credentials. The fact that devices like this exist makes IoT botnets inevitable.
Hajime: Analysis of a decentralized internet worm for IoT devices
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
Tomi Engdahl says:
DDoS attacks: For the hell of it or targeted – how do you see them off?
Cloud-based DDoS defences introduce delays
http://www.theregister.co.uk/2016/09/22/ddos_attack_defence/
Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative.
DDoS attacks can be massive, in some cases reaching hundreds of Gbits/sec, but those mammoths are relatively rare. For the most part, attackers will flood companies with around 1 Gbit/sec of traffic or less. They’re also relatively short affairs, with most attacks lasting 30 minutes or less. This enables attackers to slow down computing resources or take them offline altogether while flying under the radar, making it especially difficult for companies to detect and stop them.
This shows up in industry statistics. In May 2015 the Ponemon Institute published a report on cyberthreats in the financial industry that found it took an average of 27 days for financial institutions to detect a denial of service attack. Then, it took 13 days to mitigate it.
These attacks are often highly costly. Another Ponemon report showed an average cost of $1.5m in DDoS costs, almost a third of which was down to the cessation of customer-facing services. Yet a DDoS attack costs about $38 per hour (PDF) to mount on average. Time to get some protection, then.
Inline vs out-of-band
The industry initially evolved with out-of-band DDoS protection. In this model, the appliance sits on the network independently of the router that is passing through traffic from the Internet. The router will send samples of metadata describing that traffic to the appliance, which then raises the alert if it detects suspicious packets that point to an emerging DDoS attack.
Conversely, in-band DDoS protection puts itself in front of the firehose, sitting directly in the stream of traffic, analysing it, processing it, and determining whether to drop the attack traffic or pass the good user traffic along.
“Out-of-band analysis allows for more complex analysis of traffic without impacting traffic flow, however there is a delay between the detection of an attack and the application of rules to defend against it,”
For this reason, out-of-band solutions tend to react more slowly to DDoS patterns. They also aren’t in a position to do anything about it themselves, but must alert another system to take action.
Dave Larson, COO and CTO at Corero Network Security, explains: “Deploying an in-line, automatic DDoS mitigation solution allows security teams to stay one step ahead of attackers. By the time traffic is swung over to an out-of-band DDoS mitigation service, usually after at least 30 minutes of downtime, the damage has already been done. To keep up with the growing problem of increasingly sophisticated and damaging DDoS attacks, effective solutions need to automatically remove the threats as they occur and provide real-time visibility into the network.”
Redirection is a key feature in out-of-band systems
Traffic must be redirected from the router to the DDoS appliance so that it can conduct a deep-dive packet analysis. If you’re a big company and you have two ISPs instead of one for load balancing purposes, that redirection entails one service provider letting the other one inject routes into its core, he warned, calling it a “big no-no”.
“It can cause instability to let one of your competitors screw with your routing tables,”
Inline mitigation has developed as a worthy alternative, but this too can be implemented in different ways, points out Dornbrook. “There are other guys that do DDoS protection where they have a content distribution network and some kind of filtering capability and they filter the traffic and pass it on to you and they do it inline,” he said. “Those services definitely have a role to play but they’re better for smaller customers.”
In its paper on withstanding DDoS attacks, the SANS Institute points out that cloud-based services may not protect companies as readily from “low and slow” DDoS attacks, in which incoming packets are consume server resources as a way to starve out legitimate traffic without heavily flooding the network.
If you’re planning an inline solution, you’ll want to be sure that you can scale it to suit your traffic needs. Performance is critical as any inline solution with performance limitations could itself be exploited and become a traffic bottleneck.
Tomi Engdahl says:
Battling the Botnet Armies
http://www.securityweek.com/battling-botnet-armies
Botnet armies have become bigger, more active and more heavily armed than ever before. In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 2015.
Many botnets are used to launch distributed denial of service (DDoS) attacks, which are also becoming substantially stronger and more frequent.
This issue is being exacerbated by the wrangling of IoT devices into the hordes of infected devices being leveraged for these botnets.
As the botnet armies step up their attacks, how can organizations better defend their networks?
Who’s targeting you?
Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks. The first relates to websites’ and networks’ abilities to deal with the unexpected spikes in inbound traffic to your network, resulting from DDoS attacks. Load balancing strategies based on real-world network testing can help to smooth the peaks and troughs in traffic by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even an effective load-balancing strategy can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt—and as we saw earlier, attacks are increasing in strength.
The second strategy relates to the actual security tools, such as firewalls, which focus on identifying and blocking malicious traffic. This is extremely effective, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high-capacity firewalls. Throw enough non-relevant traffic at them and the flood will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well.
Intelligent IP filtering
However, there is a third strategy: preventing malicious traffic generated by botnets from reaching your firewall in the first place, by intelligently pre-filtering it.
This can be done using a specialized gateway that continually monitors and proactively filters out IP addresses under botnet control. The gateway is fed with real-time, constantly updated threat and application intelligence feeds on known bad IP addresses—that is, addresses that are known to be infected with bots or are known to harbor malware.
This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests or are known to harbor threats.
There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify bot infections already on your network that could be stealthily sending sensitive data to criminals. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically, cutting off the data leak permanently.
Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks from botnets and stopping data leaks by existing internal bot infections.
Tomi Engdahl says:
This Is Probably Why Half the Internet Shut Down Today [Updating]
http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835
Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.
Dyn posted this update on its website: “Starting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”
At the time of publication Dyn said that it was still dealing with the problem.
Tomi Engdahl says:
DDoS Attack on DNS; Major sites including GitHub, Twitter Suffering Outage
https://www.hackread.com/ddos-attack-dns-sites-suffer-outage/
Major websites have gone down worldwide — The reason is still unclear but a major DNS provider is suffering a massive DDoS attack and experts are connecting the dots.
Twitter, Reddit, Spotify, Esty, Box, Wix Customer Sites Squarespace Customer Sites and bunch of other websites were offline earlier today. That’s because someone conducted a massive distributed denial of service (DDoS) attack on the Dyn, a world renowned Domain Name Servers (DNS) service provider.
Imagine a scenario where a DNS provider that is used by Reddit, Twitter or Facebook is under DDoS attack, there is no way a user can visit any of these sites and it looks like that’s what’s going on right now.
Tomi Engdahl says:
William Turton / Gizmodo:
DNS provider Dyn says it’s investigating another attack after reports of widespread outages across many popular sites, including Twitter, Spotify, and Reddit — Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning.
This Is Probably Why Half the Internet Shut Down Today [Update: It’s Happening Again]
http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Researchers: Friday’s internet outage, caused by DDoS attack on DynDNS, was powered in part by a Mirai-based botnet of DVRs and cameras with XiongMai components — A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
http://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company
Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.
“At least one Mirai [control server] issued an attack command to hit Dyn,”
As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.
“The issue with these particular devices is that a user cannot feasibly change this password,”
The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.
Until then, these insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet. In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.
Tomi Engdahl says:
Michael Kan / Computerworld:
Xiongmai admits its products were part of Mirai botnet, says it patched the flaws in September 2015 but older devices still vulnerable — Botnets created from the Mirai malware were involved in the cyberattack — A Chinese electronics component manufacturer says its products inadvertently played …
Chinese firm admits its hacked products were behind Friday’s DDOS attack
Botnets created from the Mirai malware were involved in the cyberattack
http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true
A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.
Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.
According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of service attacks, including Friday’s outage.
“Mirai is a huge disaster for the Internet of Things,” Xiongmai said in an email to IDG News Service. “(We) have to admit that our products also suffered from hacker’s break-in and illegal use.”
Mirai works by enslaving IoT devices to form a massive connected network. The devices are then used to deluge websites with requests, overloading the sites and effectively taking them offline.
Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.
Tomi Engdahl says:
Funny comment from http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html?nsdr=true by Jerry:
I can just see some review board at DHS
‘Wait, you mean to tell me a TOASTER RUNNING JAVA DID THIS ? ‘
‘No sir, it wasn’t JUST the toasters this time, it was the Refrigerators AND the Washing Machines.’
‘Those Maytag’s – they can really network together’.
Ugh if this was oversight by China.
Ugh if not.
Tomi Engdahl says:
Who Should We Blame For Friday’s DDOS Attack?
https://it.slashdot.org/story/16/10/23/2135246/who-should-we-blame-for-fridays-ddos-attack
“Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list, tweeted Trend Micro’s Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras.
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.
If you’re worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices.
Tomi Engdahl says:
Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks?
https://ask.slashdot.org/story/16/10/24/0418205/slashdot-asks-how-can-we-prevent-packet-flooding-ddos-attacks
Just last month Brian Krebs wrote “What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale,” warning that countless ISPs still weren’t implementing the BCP38 security standard, which was released “more than a dozen years ago” to filter spoofed traffic. That’s one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen:
PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding…
“We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure.” I
Is the best solution technical or legislative — and does it involve hardware or software?
Comments:
Why not both?
Why is it so hard to grasp the concept that both a problem and a solution can be more than ONE THING?
Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebbs and Dyn, the two biggest DDoS attacks ever, didn’t use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don’t spoof the source address, you get a huge firehose of responses coming at you and it’s you that gets DDoSed, not the target.
In this case, the attackers didn’t bother spoofing source addresses, because they didn’t use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure – easier said than done.
As most of this traffic was “genuine”, i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it’s hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.
The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.
Quite literally “please block anything from these IP’s or traffic that matches this pattern”.
But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.
Tomi Engdahl says:
Hajime, Yet Another IoT Botnet
http://hackaday.com/2016/10/20/hajime-yet-another-iot-botnet/
Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.
Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.
Hajime: Analysis of a decentralized internet worm for IoT devices
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
Tomi Engdahl says:
Mirai Botnets Used for DDoS Attacks on Dyn
http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn
Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.
The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.
A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.
Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”
Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.
Dyn Statement on 10/21/2016 DDoS Attack
http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.
I also don’t want to get too far into this post without:
1. Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.
2. Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.
3. Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.
Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet
After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET.
News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.
Tomi Engdahl says:
Hacker group claims responsibility for cyberattacks
http://www.silive.com/news/index.ssf/2016/10/hacker_group_claims_responsibi.html
Withering cyberattacks on server farms of a key internet firm repeatedly disrupted access to major websites — including SILive.com — and online services including Twitter, Netflix and PayPal across the United States on Friday.
The White House called the disruption malicious and a hacker group claimed responsibility, though its assertion couldn’t be verified.
Manchester, New Hampshire-based Dyn Inc. said its data centers were hit by three waves of distributed denial-of-service attacks, which overwhelm targeted machines with junk data traffic.
“What they are actually doing is moving around the world with each attack.”
The data flood came from tens of millions of different Internet-connected machines — including increasingly popular but highly insecure household devices such as web-connected cameras.
Dyn provides services to some 6 percent of America’s Fortune 500 companies
Members of a shadowy collective that calls itself New World Hackers claimed responsibility for the attack via Twitter. They said they organized networks of connected “zombie” computers called botnets that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers.
“We didn’t do this to attract federal agents, only test power,”
The collective, @NewWorldHacking on Twitter, has in the past claimed responsibility for similar attacks against sites including ESPN.com in September and the BBC on Dec. 31. The attack on the BBC marshaled half the computing power of Friday’s onslaught.
The collective has also claimed responsibility for cyberattacks against Islamic State.
the incident was an example of how attacks on key junctures in the network can yield massive disruption.
Tomi Engdahl says:
Webcams used to attack Reddit and Twitter recalled
http://www.bbc.com/news/technology-37750798
Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.
Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.
They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.
Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.
The web attack enrolled thousands of devices that make up the internet of things – smart devices used to oversee homes and which can be controlled remotely.
In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices’ default passwords.
Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.
“Security issues are a problem facing all mankind,” it said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack.
Could this happen again?
Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.
Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.
Why should I care if my webcam is hijacked?
For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.
And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It’s worth taking steps to shut out the intruders.
Can the IoT-based attacks be stopped?
Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed.
There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating.
Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.
Why are these devices so poorly protected?
Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use – again that might hit sales.
Who was behind the massive web attacks?
Right now, we don’t know. Some hacker groups have claimed responsibility but none of their claims are credible.
Tomi Engdahl says:
Sh… IoT just got real: Mirai botnet attacks targeting multiple ISPs
Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/
The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.
Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.
It’s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.
Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: “The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.
“So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they’re experiencing a problem.”
Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.
“The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.”