Largest DDoS Attack Ever Pulled Off By Bored Teens?

HardOCP News

That huge DDoS attack on Dyn last month was pulled off by bored teens? Imagine how bored they will be in jail. Ugh, kids these days.

“Kids,” said Mikko Hypponen, chief research officer with security firm F-Secure. “Kids who have the capability and don’t know what to do with it.” “The source code that was released could have been written by a high school student, a smart high school student, but a high school student nonetheless,” security expert Rob Graham said after examining the malware used in the attacks. “It wasn’t particularly sophisticated.”
 
Yet it still proves that until companies/govt take stuff seriously... crappy stuff keeps getting put out that is not secure. Go buy a USB-C cable from Amazon and pray it doesn't burn your house down or fry your new phone. Then go buy a baby camera from Amazon and pray that the POS is not already hacked.

Low quality cheap products only make the problem worse. Old school out of date crap doesn't help either.
 
Guys, it's not like it's hard. While kids may act like idiots most of the time that doesn't make them stupid.
 
What's worse: an unsophisticated hack? Or the fact that we build so many devices that are susceptible to unsophisticated hacks? It's like college football coaches complaining when they get beat by trick plays.
 
There is probably some wanna be 40 year old hacker living in a basement somewhere extremely pissed off.

"I can do better than a teenager! Those guys *huff huff wheeze* don't know what they are talking about!"
 
Yet it still proves that until companies/govt take stuff seriously... crappy stuff keeps getting put out that is not secure. Go buy a USB-C cable from Amazon and pray it doesn't burn your house down or fry your new phone. Then go buy a baby camera from Amazon and pray that the POS is not already hacked.

Low quality cheap products only make the problem worse. Old school out of date crap doesn't help either.
Why does a thermostat or printer have access to the Internet? This is poor security protocol. Proper security is to drop traffic by default, whitelist what you need. You never truly know what your devices will try to do. As an example, I installed security cameras outside my home and linked them to a Linux-based PVR for the interface/recording. I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic (below) uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws, plus 2 hardcoded IPs. I never asked or gave consent for this to happen, nor was this behavior listed in the manual. The same thing would go with a printer: I don't want it to have access to the Internet. The only thing I want it to do is to print pages I send to it.

master@EdgeRouter:~$ sudo tcpdump -i eth0 host 192.168.1.248
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)
22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)
22:13:46.996373 IP 192.168.1.248.33102 > 239.255.255.250.1900: UDP, length 421
22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4
22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4
22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4

It might seem extreme to some but as far as I'm concerned the only sane thing to do is treat *every* device as hostile until you know otherwise, drop all packets with a hardware firewall by default, and only approve the traffic you want to go out.
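As an added example (not from the post above or from HardOCP), here is a small Python script that triages a capture like the one in the post: it parses tcpdump's one-line summary format, pairs each DNS query with its answer, and lists every destination outside the LAN (RFC1918, link-local, loopback and multicast excluded) that the device tried to reach, which is the list to review before whitelisting anything. The sample lines are the ones quoted in the post and the device address 192.168.1.248 is taken from it; nothing else is assumed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# tcpdump one-line summary format as printed in the post: "HH:MM:SS.us IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"^(?P<id>\d+)\+ A\? (?P<name>\S+?)\.? \(\d+\)$")
DNS_ANSWER_RE = re.compile(r"^(?P<id>\d+) \d+/\d+/\d+ A (?P<ip>[\d.]+) \(\d+\)$")

# Sample capture: the lines quoted in the post (the camera is 192.168.1.248).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
22:13:46.947684 IP 192.168.1.248.58611 > 192.168.1.1.domain: 895+ A? www.nwsvr1.com. (32)
22:13:46.948215 IP 192.168.1.1.domain > 192.168.1.248.58611: 895 1/0/0 A 54.247.103.91 (48)
22:13:46.996373 IP 192.168.1.248.33102 > 239.255.255.250.1900: UDP, length 421
22:13:48.191871 IP 192.168.1.248.14620 > ec2-54-245-98-57.us-west-2.compute.amazonaws.com.32100: UDP, length 4
22:13:48.192026 IP 192.168.1.248.14620 > 123.56.159.92.32100: UDP, length 4
22:13:48.192104 IP 192.168.1.248.14620 > ec2-54-217-201-148.eu-west-1.compute.amazonaws.com.32100: UDP, length 4
""".splitlines()


def is_lan_or_multicast(host):
    """True for RFC1918, link-local, loopback and multicast addresses (the
    SSDP group 239.255.255.250 is multicast). Hostnames, which tcpdump
    prints when its reverse lookup succeeded, count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_multicast or ip.is_link_local or ip.is_loopback


def triage(lines, device_ip):
    """Return (external, dns): external maps (dst, port) -> packets the device
    sent outside the LAN; dns maps each name it queried -> the A records returned."""
    external, pending, dns = Counter(), {}, defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines, truncated lines
        src, dst, dport, rest = m.group("src", "dst", "dport", "rest")
        if src == device_ip and dport == "domain":  # DNS query from the device
            q = DNS_QUERY_RE.match(rest)
            if q:
                pending[q.group("id")] = q.group("name")
        elif dst == device_ip:  # DNS answer back to the device
            a = DNS_ANSWER_RE.match(rest)
            if a and a.group("id") in pending:
                dns[pending[a.group("id")]].append(a.group("ip"))
        if src == device_ip and not is_lan_or_multicast(dst):
            external[(dst, dport)] += 1
    return dict(external), dict(dns)
```

Calling `triage(SAMPLE, "192.168.1.248")` reports the three UDP/32100 destinations (two AWS hosts and one bare address) as egress and shows that www.nwsvr1.com resolved to 54.247.103.91, while the SSDP multicast and the DNS exchange with the gateway stay classified as local.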
 
It might seem extreme to some but as far as I'm concerned the only sane thing to do is treat *every* device as hostile until you know otherwise, drop all packets with a hardware firewall by default, and only approve the traffic you want to go out.


That's great for those in the know and those who have routers that can do this, but 99% of the households out there don't know and don't have routers that can do this, nor do they care.
 
I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws, plus 2 hardcoded IPs. I never asked or gave consent for this to happen, nor was this behavior listed in the manual.

A large number of them have frame-relay for smartphones to access when a tunnel cannot be established. Samsung's series of cameras do this but the manual is so poorly written you may not notice. If they're using a knockoff of the Techwin firmware this is probably the cause.
 
As an example, I installed security cameras outside my home and linked them to a Linux-based PVR for the interface/recording. I noticed that my firewall was dropping tons of data from the IPs assigned to the cameras. A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws, plus 2 hardcoded IPs.

Do you or anyone else know of a camera that does not "phone home", or have SSH/telnet enabled, default passwords you can't change, wifi, etc.? In other words, is there a camera that is secure by default? I'm looking to replace an old Foscam. I know it can be blocked at the firewall, but I would prefer a camera from a manufacturer that gives a shit. I don't mind paying more. I was looking at the Arlo Q, but I haven't been able to confirm if it's secure or not. I don't like the fact that it comes with cloud storage. I don't need or want recordings stored outside of my network, and I'm afraid that even if you disable it, it will still try to send recordings out. I get why some people might want that, but not me. I don't even need record capability. It's primarily so my GF can check in on our cats from her phone on demand. The camera is unplugged when we get home.
 
A quick dump of the traffic uncovered all cameras trying to connect out to a pair of IPs hosted on amazonaws, plus 2 hardcoded IPs.
Isn't that Amazon's storage service? Do these cameras offer offsite upload as a feature? I know I would have offsite storage in case a thief breaks in, so they can't simply steal/trash the DVR and drives.
 
Isn't that Amazon's storage service? Do these cameras offer offsite upload as a feature? I know I would have offsite storage in case a thief breaks in, so they can't simply steal/trash the DVR and drives.

Some DVRs have the capability to upload images/video. Some have alerts that can send an SMS message with a screenshot to your phone so you can decide whether to act on it or ignore it. That's more so a feature of the DVR and not the camera itself, though.
 
Do you or anyone else know of a camera that does not "phone home", or have SSH/telnet enabled, default passwords you can't change, wifi, etc.? In other words, is there a camera that is secure by default? I'm looking to replace an old Foscam. I know it can be blocked at the firewall, but I would prefer a camera from a manufacturer that gives a shit. I don't mind paying more. I was looking at the Arlo Q, but I haven't been able to confirm if it's secure or not. I don't like the fact that it comes with cloud storage. I don't need or want recordings stored outside of my network, and I'm afraid that even if you disable it, it will still try to send recordings out. I get why some people might want that, but not me. I don't even need record capability. It's primarily so my GF can check in on our cats from her phone on demand. The camera is unplugged when we get home.

A good read: https://forums.whirlpool.net.au/archive/2270750

Apparently contacting out on port 32100 is common for IP cams. They are trying to set up the ability to view your camera from the manufacturer's web service. Still, I don't want my cameras doing that and they will remain blocked. This behavior should be disclosed in the documentation and there also should be an option to disable it (and it should be disabled by default IMO).
 
Why does a thermostat or printer have access to the Internet?

I don't know about the printer having access to the Internet. As for a thermostat or a garage door opener.... why not start heating the home while on the drive home from work or to check if you turned down the thermostat on the way to work? And lord knows how many times I've turned around to check if I really closed the garage door?
 
I don't know about the printer having access to the Internet. As for a thermostat or a garage door opener.... why not start heating the home while on the drive home from work or to check if you turned down the thermostat on the way to work? And lord knows how many times I've turned around to check if I really closed the garage door?
Buy a programmable thermostat with a scheduler? Don't be in such a hurry? Maybe wake up 15 minutes earlier?
 
They need to make companies liable for the hacks and damage done; once you start making these companies liable for millions in damages due to DDoS attacks, they will learn to tighten things up.
 
They need to make companies liable for the hacks and damage done; once you start making these companies liable for millions in damages due to DDoS attacks, they will learn to tighten things up.

The issue is that IPv4, especially IPv6 and the entire infrastructure is broken. It's a wild, wild west where you have trillions of $ in value placed.
 
One hack that made me smile was the one quite a while back where one person used other people's NAS devices for crypto mining.
Pretty smart thinking, and it shows just how flexible this is with such hacks and products beyond traditional PC/laptop devices.
It has been done with various other devices as well; more smart use IMO than zombie DDoS attacks.

Cheers
 
The issue is that IPv4, especially IPv6 and the entire infrastructure is broken. It's a wild, wild west where you have trillions of $ in value placed.


Absolutely, but IPv6 won't fix this. Initially, they will find ways to get around all that IPv6 is supposed to fix. This problem is software with 0 QA done and the only consideration being "let people plug it in and it works, who cares if it is secure".
 
Proper security is to drop traffic by default, whitelist what you need. You never truly know what your devices will try to do.
I usually just leave the default gateway unconfigured.....
 
Absolutely, but IPv6 won't fix this. Initially, they will find ways to get around all that IPv6 is supposed to fix. This problem is software with 0 QA done and the only consideration being "let people plug it in and it works, who cares if it is secure".

IPv6 is actually worse than IPv4 from a security view. And one of the reasons is that IPv6 was designed for privacy and before the "great security focus". IPv6 is from 1998.
 
Wow, I didn't realize IPv6 went back THAT far!

I could see it being less secure because every device is to have an IP, making it "open" to the internet so to speak, not really hiding behind anything.
 