[192216] in North American Network Operators' Group


Re: Death of the Internet, Film at 11

daemon@ATHENA.MIT.EDU (Ray Van Dolson)
Sat Oct 22 18:35:57 2016

X-Original-To: nanog@nanog.org
Date: Sat, 22 Oct 2016 15:35:50 -0700
From: Ray Van Dolson <rvandolson@esri.com>
To: Mike Hammett <nanog@ics-il.net>
In-Reply-To: <826459920.4830.1477172878616.JavaMail.mhammett@ThunderFuck>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

https://urldefense.proofpoint.com/v2/url?u=http-3A__hub.dyn.com_dyn-2Dblog_dyn-2Dstatement-2Don-2D10-2D21-2D2016-2Dddos-2Dattack&d=DQIBAg&c=n6-cguzQvX_tUIrZOS_4Og&r=r4NBNYp4yEcJxC11Po5I-w&m=iGvkbfzRJPqKO1A6YGa-c1m0RBLNkRk03hCjvVGTH3k&s=bScBNFncB3kt_cG0L3iys0mfXBmwwUR7A8rIDmi94D4&e=

On Sat, Oct 22, 2016 at 04:48:01PM -0500, Mike Hammett wrote:
> Until Dyn says or someone says Dyn said, everything is assumed.
>
> ----- Original Message -----
>
> From: "Peter Baldridge" <petebaldridge@gmail.com>
> To: "Jean-Francois Mezei" <jfmezei_nanog@vaxination.ca>
> Cc: nanog@nanog.org
> Sent: Saturday, October 22, 2016 4:45:13 PM
> Subject: Re: Death of the Internet, Film at 11
>
> On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei
> <jfmezei_nanog@vaxination.ca> wrote:
> > Generic question:
> >
> > The media seems to have concluded it was an "internet of things" that
> > caused this DDoS.
> >
> > I have not seen any evidence of this. Has this been published by an
> > authoritative source or is it just assumed?
>
> Flashpoint[0], krebs[1], arstechnica[2]. I'm not sure what credible
> looks like unless they release a packet but this is probably
> consensus.
>
> > Has the type of device involved been identified?
>
> routers and cameras with shitty firmware [3]
>
> > Is it more plausible that those devices were "hacked" in the OEM
> > firmware and sold with the "virus" built-in ? That would explain the
> > widespread attack.
>
> The source code has been released. krebs [4], code [5]
>
> > Also, in cases such as this one, while the target has managed to
> > mitigate the attack, how long would such an attack typically continue
> > and require blocking ?
>
> This is an actual question that hasn't been answered.
>
> > Since the attack seemed focused on eastern USA DNS servers, would it be
> > fair to assume that the attacks came mostly from the same region (aka:
> > devices installed in eastern USA) ? (since anycast would point them to
> > that).
>
> Aren't heat maps just population graphs?
>
> > BTW, normally, if you change the "web" password on a "device", it would
> > also change telnet/SSH/ftp passwords.
>
> Seems like no one is doing either.
