Death of the Internet, Film at 11

Mike Hammett nanog at ics-il.net
Sat Oct 22 12:34:55 UTC 2016


"taken all necessary steps to insure that none of the numerous specific types of CCVT thingies that Krebs and others identified" 

Serious question... how? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Ronald F. Guilmette" <rfg at tristatelogic.com> 
To: nanog at nanog.org 
Sent: Saturday, October 22, 2016 12:53:42 AM 
Subject: Re: Death of the Internet, Film at 11 


Laszlo Hanyecz wrote: 

>What does BCP38 have to do with this? 

Your're right. That's not specifically related to *this* attack. Nobody 
needs to spoof anything when you've got a zillion fire hoses just lying 
around where any 13 year old can command them from the TRS 80 in his mom's 
basement. (I've seen different estimates today. One said there's about 
a half million of these things, but I think I saw where Dyn itself put 
the number of unique IPs in the attack at something like ten million.) 

I just threw out BCP 38 as an example of something *very* minimal that 
the collective Internet, if it had any brains, would have made de rigueur 
for everyone ten+ years ago. BCP 38 is something that I personally view 
as a "no brainer", that is already widely accepted as being necessary, 
and yet is a critical security step that some (many?) are still resisting. 
So, it's like "Well, if the Internet-at-large can't even do *this* simple 
and relatively non-controversial thing, then we haven't got a prayer in 
hell of ever seeing a world-wide determined push to find and neutralize 
all of these bloody damn stupid CCTV things. And when the day comes when 
somebody figures out how to remotely pop a default config Windoze XP 
box... boy oh boy, will *that* be a fun day... NOT! Because we're not 
ready. Nobody's ready. Except maybe DoD, and I'm not even taking bets 
on that one." 

I didn't intend to focus on BCP 38. Everybody knows that's only one 
thing, designed to deal with just one part of the overall problem. The 
overall problem, in my view, is the whole mindset which says "Oh, we 
just connect the wires. Everything else is somebody else's problem." 

Ok, so this mailing list is a list of network operators. Swell. Every 
network operator who can do so, please raise your hand if you have 
*recently* scanned you own network and if you can -honestly- attest 
that you have taken all necessary steps to insure that none of the 
numerous specific types of CCVT thingies that Krebs and others identified 
weeks or months ago as being fundamentally insecure can emit a single 
packet out onto the public Internet. 

And, cue the crickets... 

Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and 
today's events make it perfectly clear to even the most blithering of 
blithering idiots that network operators, en mass, have to start scanning 
their own networks for insecurities. And you'd all better get on that, 
not next fiscal year or even next quarter, but right effing now, because 
the next major event is right around the corner. And remember, *you* 
may not be scanning your networks for easily pop'able boxes, but as we 
should all be crystal clear on by now, that *does not* mean that nobody 
else is doing so. 


Regards, 
rfg 


P.S. The old saying is that idle hands are the devil's playground. In 
the context of the various post-invasion insurgancies, etc., in Iraq, is 
is often mentioned that it was a somewhat less than a brilliant move for 
the U.S. to have disbanded the Iraq army, thereby leaving large numbers 
of trained young men on the streets with no jobs and nothing to do. 

To all of the network operators who think that (or argue that) it will 
be too expensive to hire professionals to come in an do the work to 
scan your networks for known vulnerabilities, I have a simple suggestion. 
Go down to your local high school, find the schmuck who teaches the 
kids about computers, and ask him for the name of his most clever student. 
Then hire that student and put him to work, scanning your network. 

As in Iraq, it will be *much* better to have capable young men inside the 
tent, pissing out, rather than the other way around. 



More information about the NANOG mailing list