BLU Discuss list archive
[Discuss] The Mirai botnet
- Subject: [Discuss] The Mirai botnet
- From: richb at pioneer.ci.net (Rich Braun)
- Date: Mon, 31 Oct 2016 21:45:53 -0700
I haven't seen a discussion here yet about the DDOS attacks of 20-Sep and 21-Oct; it affected me at my work because we're a Dyn customer (and hadn't ever gotten around to setting up secondary servers; we're finally starting to talk about putting SPOF-elimination on our roadmap, but you can imagine how non-glamorous those things are to the higher-ups, so who knows how much time we'll have budgeted).

What's got me curious about all the mainstream-media hype about the Mirai botnet is: where are those 300,000 devices installed, what brands of products are they, were they compromised remotely or did they get infected before they left the (physical) factory, and what can we/the router vendors/the Linux community do to prevent such attacks from being successful in the future?

As an example, at home I have two of those Linux-based Chinese webcams installed at my house, brand name Dahua, never changed the default password. My network is connected to the Internet with a ho-hum Netgear router.

Default UPnP config of the Netgear: enabled
Default UPnP config of the Dahua units: disabled

I never would've given UPnP much thought if it weren't for this week's breach; I would've expected that router vendors would leave TCP/IP ports **closed** unless I explicitly opened them. Now that I see what UPnP does, it's horrendous. It seems that Netgear, D-Link and Linksys ship routers with UPnP enabled, and ports wide open to the Internet, just so they don't have to deal with customer-service headaches caused by people having trouble enabling IoT devices on their LAN.

This seems like a wake-up call: if usability of IoT devices for cloud services is that important, they'll need to be designed with a different protocol than UPnP--that's my initial $0.02 as I try to catch up on this particular DDOS event. In the meantime, it looks like the router vendors will need to send out software updates, and whatever IoT device vendors are exploited will have to issue a recall notice.
This looks like a world-class mess. What do y'all think? How do we shut down Mirai and block future botnets from exploiting IoT? (And have you checked your own devices' UPnP settings? Is there really any good reason to ever use UPnP--I certainly don't need it...) -rich
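The post asks whether readers have checked their own routers' UPnP settings. The script below is an added example, not part of Rich's message or any vendor's tooling: it does what a LAN-side audit of UPnP looks like in practice, sending an SSDP M-SEARCH for an Internet Gateway Device, fetching the device description it advertises, finding the WANIPConnection (or WANPPPConnection) control URL, and walking GetGenericPortMappingEntry to list every port the router has been asked to open. The SSDP, description and SOAP samples at the bottom are constructed so the parsers run without a router; the IP addresses, the `/ctl/IPConn` path and the `IPCAM` mapping in them are assumptions.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
DEV_NS = {"d": "urn:schemas-upnp-org:device-1-0"}


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH request; a UPnP-enabled router answers with its description URL."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(data):
    """Headers of an SSDP '200 OK' reply as a lower-cased dict, or None if it is not one."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    hdrs = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            hdrs[k.strip().lower()] = v.strip()
    return hdrs


def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect (responder_ip, LOCATION) pairs until the socket times out."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if hdrs and "location" in hdrs:
                found.append((addr[0], hdrs["location"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def find_control_url(desc_xml, base_url):
    """(serviceType, absolute controlURL) of the WAN*Connection service, or None if absent."""
    root = ET.fromstring(desc_xml)
    for svc in root.iter("{urn:schemas-upnp-org:device-1-0}service"):
        stype = svc.findtext("d:serviceType", default="", namespaces=DEV_NS)
        if stype in WAN_SERVICES:
            ctrl = svc.findtext("d:controlURL", default="", namespaces=DEV_NS)
            return stype, urllib.parse.urljoin(base_url, ctrl)
    return None


def parse_mapping(soap_xml):
    """Collect the New* fields of a GetGenericPortMappingEntry response, keyed without the prefix."""
    vals = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]  # strip any namespace
        if tag.startswith("New"):
            vals[tag[3:]] = (el.text or "").strip()
    return vals


def get_mapping(control_url, service_type, index):
    """One SOAP call; None once the router reports the index is past the end of its table."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    req = urllib.request.Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_mapping(resp.read())
    except urllib.error.HTTPError:
        return None  # UPnP error 713 SpecifiedArrayIndexInvalid arrives as an HTTP 500


def list_mappings(control_url, service_type, limit=256):
    out = []
    for i in range(limit):
        m = get_mapping(control_url, service_type, i)
        if m is None:
            break
        out.append(m)
    return out


# Constructed sample messages (assumed addresses and paths) so the parsers run without a router.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
               b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
               b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SAMPLE_DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>'
               '<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>'
               '<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></root>')
SAMPLE_SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
               '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
               '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
               '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
               '<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>'
               '<NewPortMappingDescription>IPCAM</NewPortMappingDescription>'
               '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

if __name__ == "__main__":
    for ip, location in discover():
        svc = find_control_url(urllib.request.urlopen(location, timeout=5).read(), location)
        for m in (list_mappings(svc[1], svc[0]) if svc else []):
            print(f"{ip}: {m.get('Protocol')} {m.get('RemoteHost') or '*'}:{m.get('ExternalPort')} -> "
                  f"{m.get('InternalClient')}:{m.get('InternalPort')} ({m.get('PortMappingDescription')})")
```

Run it from a host on the LAN; an empty table after discovery succeeded means nothing has been forwarded, while a router that does not answer the M-SEARCH at all is the state you want. Note that the audit only sees mappings created through the IGD service, not ports the router itself exposes on its WAN side, so it complements rather than replaces an external port scan of your public address.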
- Follow-Ups:
- [Discuss] Ban UPnP? Re: The Mirai botnet
- From: richb at pioneer.ci.net (Rich Braun)
- [Discuss] The Mirai botnet
- From: guy1gold at gmail.com (Guy Gold)
- [Discuss] The Mirai botnet
- From: slitt at troubleshooters.com (Steve Litt)
- [Discuss] Ban UPnP? Re: The Mirai botnet