Death of the Internet, Film at 11

Mel Beckman mel at beckman.org
Sat Oct 22 21:21:53 UTC 2016 

> Vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.


UPNP exposes many IoT devices to the Internet, plus they're always exposed on the LAN, where many viruses find them and use backdoors to conscript them. Several bad actors are currently selling access to their IoT minions for ddos purposes. 

This is not new. What's new is that minion control seems to have been aggregated into a small number of malicious twerps. 

 -mel beckman

> On Oct 22, 2016, at 1:48 PM, Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> wrote:
> 
> Generic question:
> 
> The media seems to have concluded it was an "internet of things" that
> caused this DDoS.
> 
> I have not seen any evidence of this. Has this been published by an
> authoritative source or is it just assumed?
> 
> Has the type of device involved been identified?
> 
> I am curious on how some hacker in basement with his TRS80 or Commodore
> Pet would be able to reach "bilions" of these devices to reprogram them.
> Vast majority of homes are behind NAT, which means that an incoming
> packet has very little chance of reaching the IoT gizmo.
> 
> I amn guessing/hoping such devices have been identified and some
> homweoners contacted ans asked to volunteer their device for forensic
> analysis of where the attack came from ?
> 
> Is it more plausible that those devices were "hacked" in the OEM
> firmware and sold with the "virus" built-in ? That would explain the
> widespread attack.
> 
> Also, in cases such as this one, while the target has managed to
> mitigate the attack, how long would such an attack typically continue
> and require blocking ?
> 
> Since the attack seemed focused on eastern USA DNS servers, would it be
> fair to assume that the attacks came mostly from the same region (aka:
> devices installed in eastern USA) ? (since anycast would point them to
> that).
> 
> OPr did the attack use actual IP addresses instead of the unicast ones
> to specifically target servers ?
> 
> 
> 
> BTW, normally, if you change the "web" password on a "device", it would
> also change telnet/SSH/ftp passwords.

More information about the NANOG mailing list