Death of the Internet, Film at 11
John Weekes
jw at nuclearfallout.net
Sun Oct 23 05:17:40 UTC 2016
>
> Ok, so this mailing list is a list of network operators. Swell. Every
> network operator who can do so, please raise your hand if you have
> *recently* scanned your own network and if you can -honestly- attest
> that you have taken all necessary steps to ensure that none of the
> numerous specific types of CCTV thingies that Krebs and others identified
> weeks or months ago as being fundamentally insecure can emit a single
> packet out onto the public Internet.

Most of the time, scanning of your customers isn't strictly necessary,
though it certainly won't hurt.

That's because attackers will scan your network /for/ you, compromise
the hosts, and use them to attack. When they inevitably attack one of my
customers, I'll send you an abuse email. Some other networks do the
same. So if you want to help, the real keys are to make sure that you
disallow spoofing, that the RIR has up-to-date contact information for
your organization, and that you handle abuse notifications effectively.

Large IoT botnets have been used extensively this year, launching
frequent 100+ Gbps attacks (they were also used in prior years, but it
wasn't to the degree that we've seen since January 2016). I've recorded
about 2.4 million IP addresses involved in the last two months (a number
that is higher than the number of actual devices, since most seem to
have dynamic IP addresses). The ISPs behind those IP addresses have
received notifications via email, so if you haven't heard anything,
you're probably in good shape, assuming the RIR has the right abuse
address on file for you.

The bulk of the compromised devices are non-NA. In a relatively small 40
Gbps IoT attack a couple of days ago, we saw about 20k devices, for
instance, and most were from a mix of China, Brazil, Russia, Korea, and
Venezuela.

-John