Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] The Mirai botnet



On Mon, 31 Oct 2016 21:45:53 -0700
"Rich Braun" <richb at pioneer.ci.net> wrote:

> I haven't seen a discussion here yet about the DDOS attacks of 20-Sep
> and 21-Oct; it affected me at my work because we're a Dyn customer
> (and hadn't ever gotten around to setting up secondary servers; we're
> finally starting to talk about putting SPOF-elimination on our
> roadmap, but you can imagine how non-glamorous those things are to
> the higher-ups so who knows how much time we'll have budgeted).
> 
> What's got me curious about all the mainstream-media hype about the
> Mirai botnet is--where are those 300,000 devices installed, what
> brands of products are they, were they compromised remotely or did
> they get infected before they left the (physical) factory, and what
> can we/the router vendors/the Linux community do to prevent such
> attacks from being successful in the future?
> 
> As an example, at home I have two of those Linux-based Chinese webcams
> installed at my house, brand name Dahua, never changed the default
> password. My network is connected to the Internet with a ho-hum
> Netgear router.
> 
> Default UPnP config of the NetGear: enabled
> Default UPnP config of the Dahua units: disabled
> 
> I never would've given UPnP much thought if it weren't for this
> week's breach; I would've expected that router vendors would leave
> TCP/IP ports **closed** unless I explicitly opened them.  Now that I
> see what UPnP does, it's horrendous. It seems that NetGear, DLink and
> Linksys ship routers with UPnP enabled, and ports wide open to the
> Internet, just so they don't have to deal with customer-service
> headaches caused by people having trouble enabling IoT devices on
> their LAN.
> 
> This seems like a wake-up call: if usability of IoT devices for cloud
> services is that important, they'll need to be designed with a
> different protocol than UPnP--that's my initial $0.02 as I try to
> catch up on this particular DDOS event. In the meantime, it looks
> like the router vendors will need to send out software updates, and
> whatever IoT device vendors are exploited will have to issue a recall
> notice.
> 
> This looks like a world-class mess. What do y'all think? How do we
> shut down Mirai and block future botnets from exploiting IoT? (And
> have you checked your own devices' UPnP settings? Is there really any
> good reason to ever use UPnP--I certainly don't need it...)
> 
> -rich

Thanks very much for this post, Rich!

I know absolutely nothing about this kind of stuff, so after seeing
this post I checked my wifi and my pfSense firewall/router/nat. On the
wifi, I can't tell whether I had UPnP turned on or off: When I clicked
on it nothing happened. I'm going to assume for now it's not relevant
because I had my wifi machine set to be an access point.

My pfSense firewall/router/nat had UPnP turned off, so I left it that
way.

The other thing that worries me is I have no idea what devices around
the house are wifi enabled, except my Brother printer, and maybe some
of my wife's cameras/video-recorders. And I don't know how to disable
wifi on my Brother printer, nor do I know how to reset its password (I
didn't know it had one until now). Tomorrow I'll try to access those
things from its front panel.

This is good information. Thanks!
 
SteveT

Steve Litt 
September 2016 featured book: Twenty Eight Tales of Troubleshooting
http://www.troubleshooters.com/28
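Rich's question about whether anyone has checked their own UPnP settings can be answered from the LAN without the router's web UI: the IGD WANIPConnection service lets any local client read back the whole port-mapping table, which is exactly what a camera or other IoT device would have added. The script below is an added example, not code from either poster; it assumes you already have the router's WANIPConnection control URL (listed in the device description XML the router advertises over SSDP) and only reads mappings, never changes them.

```python
"""Audit which ports a UPnP (IGD) router has opened. Added example; it assumes the
router's WANIPConnection control URL is known (from its device description XML)."""
import itertools
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")

def build_request(index):
    """SOAP body for GetGenericPortMappingEntry; the mapping table is walked by index."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_entry(xml_text):
    """One mapping as a dict, or None on a SOAP fault (UPnP error 713
    SpecifiedArrayIndexInvalid is how the router signals the end of the table)."""
    root = ET.fromstring(xml_text)
    if any(el.tag.endswith("Fault") for el in root.iter()):
        return None
    entry = {f: (root.findtext(".//" + f) or "").strip() for f in FIELDS}
    for key in ("NewExternalPort", "NewInternalPort"):
        entry[key] = int(entry[key])
    return entry

def soap_fetch(control_url, index):
    """POST one query to the router; faults come back as HTTP 500 with a SOAP body."""
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    req = urllib.request.Request(control_url, build_request(index).encode(), hdrs)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()

def list_mappings(fetch, limit=1024):
    """Walk indices 0..limit-1 with fetch(index) until the router faults."""
    entries = (parse_entry(fetch(i)) for i in range(limit))
    return list(itertools.takewhile(lambda e: e is not None, entries))

def internet_exposed(mappings):
    """Enabled mappings with an empty NewRemoteHost: reachable from any Internet host."""
    return [m for m in mappings if m["NewEnabled"] == "1" and not m["NewRemoteHost"]]
```

Run it as `internet_exposed(list_mappings(lambda i: soap_fetch(CONTROL_URL, i)))`; any entry it returns is a LAN host that the router is forwarding Internet traffic to, whether or not you ever opened that port yourself.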





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org