nanog mailing list archives

Re: Death of the Internet, Film at 11


From: Mel Beckman <mel () beckman org>
Date: Sat, 22 Oct 2016 21:21:53 +0000

Vast majority of homes are behind NAT, which means that an incoming
packet has very little chance of reaching the IoT gizmo.


UPnP exposes many IoT devices to the Internet, plus they're always exposed on the LAN, where many viruses find them and
use backdoors to conscript them. Several bad actors are currently selling access to their IoT minions for DDoS
purposes.

This is not new. What's new is that minion control seems to have been aggregated into a small number of malicious 
twerps. 

 -mel beckman

On Oct 22, 2016, at 1:48 PM, Jean-Francois Mezei <jfmezei_nanog () vaxination ca> wrote:

Generic question:

The media seems to have concluded it was an "internet of things" that
caused this DDoS.

I have not seen any evidence of this. Has this been published by an
authoritative source or is it just assumed?

Has the type of device involved been identified?

I am curious on how some hacker in basement with his TRS80 or Commodore
Pet would be able to reach "billions" of these devices to reprogram them.
Vast majority of homes are behind NAT, which means that an incoming
packet has very little chance of reaching the IoT gizmo.

I am guessing/hoping such devices have been identified and some
homeowners contacted and asked to volunteer their device for forensic
analysis of where the attack came from?

Is it more plausible that those devices were "hacked" in the OEM
firmware and sold with the "virus" built-in ? That would explain the
widespread attack.

Also, in cases such as this one, while the target has managed to
mitigate the attack, how long would such an attack typically continue
and require blocking ?

Since the attack seemed focused on eastern USA DNS servers, would it be
fair to assume that the attacks came mostly from the same region (aka:
devices installed in eastern USA) ? (since anycast would point them to
that).

Or did the attack use actual IP addresses instead of the unicast ones
to specifically target servers?



BTW, normally, if you change the "web" password on a "device", it would
also change telnet/SSH/ftp passwords.

