IP addresses being attacked in Krebs DDoS?

Patrick W. Gilmore patrick at ianai.net
Sun Sep 25 21:50:38 UTC 2016


On Sep 25, 2016, at 4:01 PM, Brett Glass <nanog at brettglass.com> wrote:

> As an ISP who is pro-active when it comes to security, I'd like to know what IP address(es) are being hit by the Krebs on Security DDoS attack. If we know, we can warn customers that they are harboring infected PCs and/or IoT devices. (And if all ISPs did this, it would be possible to curtail such attacks and plug the security holes that make them possible.)

[Pardon the slightly less than specific details below. Must be careful about disclosing names or information which is not public yet.]

What Brett is asking seems reasonable, even useful. Unfortunately, it is not as simple as posting a list of addresses on a website.

Many devices are compromised because of default user/pass settings. Publishing a list of IP addresses which are so trivially compromised is handing the miscreants a gift.

We have done things like this with open DNS resolvers and open NTP servers. (THANK YOU JARED!!!) However, we had a hope of the administrators fixing the problem, and they were at least somewhat easier to find.

This list is different. Harder to find, harder to fix. Grandma is unlikely to think about logging into her webcam and changing the admin password - to say nothing of reading NANOG in the first place. Hell, even if she did, how exactly do you remove malware from a SmartTV?

Obviously we do not consider Brett a bad actor. It is likely we can work something out with ISPs like Brett and give them the addresses on their network which need remediation. But this is not a five-minute job. Plus most of the people working on this do so in their spare time. So please be patient as the lists are gathered, sorted, and offered in a reasonable manner.

If you are a member of the various secops lists, more info will be forthcoming. If not, I’m sure someone will make information available in wider channels. 

To be clear, I am not doing this work personally, so do not email me. The people who are doing this work deserve a hearty and huge thanks from the community. If you know one of them, buy them a drink or dinner, or at least give them a hug. :) I know I will be doing so in Dallas if they let me.

-- 
TTFN,
patrick




