Spitballing IoT Security

John Weekes jw at nuclearfallout.net
Sun Oct 30 06:16:26 UTC 2016

On 10/29/2016 9:43 PM, Eric S. Raymond wrote:
> I in turn have to call BS on this.  If it were really that easy, we'd
> be inundated by Mirais -- we'd have several attacks a *day*.

Some of us are seeing many significant attacks a day.

That's because botnets are frequently used to hit game servers and game 
players. In fact, the Mirai-targeted devices were not newly-seen; 
easily-exploited devices like older DVRs have been observed for years in 
attacks on game servers. The main difference in the recent botnet 
attacks (mostly, 2016) is that they have been larger and more frequent, 
likely because of incremental improvements to scanners (including in 
time-to-exploitation, which is important to building the botnet because 
these devices are so frequently rebooted) and payloads (to better block 
further exploitation by competitors). If you run a honeypot and take a 
look at what happens to one of these devices over time, you'll see an 
interesting tug-of-war between many different actors that are 
compromising them and running their own binaries.

Reflection attacks are still common, as well, of course. Previously, 
those were the ones that created the largest flows. But, the 
higher-amplification-factor reflection attacks can be mostly mitigated 
upstream with basic ACLs (as long as the upstream is willing to help, 
and has the internal capacity to do it; many NSPs do not). It is not 
uncommon to see a botnet attack at the same time as a reflection attack.
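
The point about ACLs above, as an added example that is not part of the original post: a stateless upstream filter on UDP source port removes the reflected traffic but passes direct botnet traffic that arrives at the same time. The port table, the resolver allowlist, the addresses and the flow records are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: UDP source ports of common high-amplification reflection protocols.
REFLECTION_SRC_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}
# Assumption: resolvers the protected server really uses; their replies must pass.
TRUSTED_RESOLVERS = {"192.0.2.53"}

# Constructed flow summaries toward one game server on port 27015:
# (src_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    ("198.51.100.10", "udp", 123, 27015, 4_000_000),   # reflected NTP
    ("198.51.100.11", "udp", 123, 27015, 3_500_000),   # reflected NTP
    ("198.51.100.20", "udp", 1900, 27015, 2_000_000),  # reflected SSDP
    ("203.0.113.5", "udp", 53, 27015, 900_000),        # reflected DNS
    ("192.0.2.53", "udp", 53, 40000, 1_200),           # legitimate resolver reply
    ("203.0.113.77", "udp", 41234, 27015, 600_000),    # bot, direct UDP flood
    ("203.0.113.78", "tcp", 50211, 27015, 300_000),    # bot, direct TCP flood
    ("203.0.113.79", "udp", 27005, 27015, 20_000),     # real player
]

def acl_drops(flow):
    """Return the protocol name if a stateless source-port ACL drops the flow, else None."""
    src_ip, proto, src_port, _dst_port, _size = flow
    if proto != "udp" or src_port not in REFLECTION_SRC_PORTS:
        return None
    if src_port == 53 and src_ip in TRUSTED_RESOLVERS:
        return None
    return REFLECTION_SRC_PORTS[src_port]

def apply_acl(flows):
    """Split byte counts into (dropped per reflection protocol, bytes still delivered)."""
    dropped, passed = defaultdict(int), 0
    for flow in flows:
        name = acl_drops(flow)
        if name:
            dropped[name] += flow[4]
        else:
            passed += flow[4]
    return dict(dropped), passed

if __name__ == "__main__":
    dropped, passed = apply_acl(FLOWS)
    total = passed + sum(dropped.values())
    print(f"ACL removes {sum(dropped.values())} of {total} bytes: {dropped}")
    print(f"still delivered (bots and players alike): {passed} bytes")
```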

