[192208] in North American Network Operators' Group
Re: Death of the Internet, Film at 11
daemon@ATHENA.MIT.EDU (Mel Beckman)
Sat Oct 22 17:22:02 2016
X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>
Date: Sat, 22 Oct 2016 21:21:53 +0000
In-Reply-To: <580BD066.8050407@vaxination.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> Vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.
UPnP exposes many IoT devices to the Internet, plus they're always exposed on the LAN, where many viruses find them and use backdoors to conscript them. Several bad actors are currently selling access to their IoT minions for DDoS purposes.
This is not new. What's new is that minion control seems to have been aggregated into a small number of malicious twerps.
-mel beckman
> On Oct 22, 2016, at 1:48 PM, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
>
> Generic question:
>
> The media seems to have concluded it was an "internet of things" that
> caused this DDoS.
>
> I have not seen any evidence of this. Has this been published by an
> authoritative source or is it just assumed?
>
> Has the type of device involved been identified?
>
> I am curious how some hacker in a basement with his TRS80 or Commodore
> Pet would be able to reach "billions" of these devices to reprogram them.
> Vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.
>
> I am guessing/hoping such devices have been identified and some
> homeowners contacted and asked to volunteer their device for forensic
> analysis of where the attack came from?
>
> Is it more plausible that those devices were "hacked" in the OEM
> firmware and sold with the "virus" built-in? That would explain the
> widespread attack.
>
> Also, in cases such as this one, while the target has managed to
> mitigate the attack, how long would such an attack typically continue
> and require blocking?
>
> Since the attack seemed focused on eastern USA DNS servers, would it be
> fair to assume that the attacks came mostly from the same region (aka:
> devices installed in eastern USA)? (since anycast would point them to
> that).
>
> Or did the attack use actual IP addresses instead of the unicast ones
> to specifically target servers?
>
> BTW, normally, if you change the "web" password on a "device", it would
> also change telnet/SSH/ftp passwords.