Death of the Internet, Film at 11

John Weekes jw at
Sun Oct 23 05:17:40 UTC 2016

> Ok, so this mailing list is a list of network operators.  Swell.  Every
> network operator who can do so, please raise your hand if you have
> *recently* scanned you own network and if you can -honestly- attest
> that you have taken all necessary steps to insure that none of the
> numerous specific types of CCVT thingies that Krebs and others identified
> weeks or months ago as being fundamentally insecure can emit a single
> packet out onto the public Internet.

Most of the time, scanning of your customers isn't strictly necessary, 
though it certainly won't hurt.

That's because attackers will scan your network /for /you, compromise 
the hosts, and use them to attack. When they inevitably attack one of my 
customers, I'll send you an abuse email. Some other networks do the 
same. So if you want to help, the real keys are to make sure that you 
disallow spoofing, that the RIR has up-to-date contact information for 
your organization, and that you handle abuse notifications effectively.

Large IoT botnets have been used extensively this year, launching 
frequent 100+ Gbps attacks (they were also used in prior years, but it 
wasn't to the degree that we've seen since January 2016). I've recorded 
about 2.4 million IP addresses involved in the last two months (a number 
that is higher than the number of actual devices, since most seem to 
have dynamic IP addresses). The ISPs behind those IP addresses have 
received notifications via email, so if you haven't heard anything, 
you're probably in good shape, assuming the RIR has the right abuse 
address on file for you.

The bulk of the compromised devices are non-NA. In a relatively small 40 
Gbps IoT attack a couple of days ago, we saw about 20k devices, for 
instance, and most were from a mix of China, Brazil, Russia, Korea, and 


More information about the NANOG mailing list