siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

10 recommendations

Big Chunk of Internet Goes Down After DDoS Attack Hits Major DNS Provider

- Big Chunk of the Internet Goes Down After DDoS Attack Hits Major DNS Provider -
quote:
A DDoS attack on Dyn, a major upstream DNS provider, has shut down a large chunk of the Internet for about two hours, rendering millions of sites inaccessible.

On the list of websites users reported as down, we list a few such as Twitter, Reddit, Yelp, Imgur, PayPal, Shopify, Soundcloud, Spotify, GitHub, Heroku, Etsy, Box, Weebly, Wix, Squarespace, CPAN, NPM, Basecamp, Twilio, Zoho, HBO, CNN, Starbucks, Yammer, and others.
»news.softpedia.com/news/ ··· 24.shtml

»www.techmeme.com/161021/ ··· 161021p3

DonoftheDead
Old diver
Premium Member
join:2004-07-12
Clinton, WA

Going to Digital Attack Map (»www.digitalattackmap.com ··· view=map) shows we're still getting mass hits from all over the world. Tried Norse Attack Map but it's offline. Don't know if it's related to this but some other sites I tried were offline too. Some others were slow to connect but that could be on my end too I suppose. I wish our 3-letter agencies put more effort into dealing with this crap and less on spying on us.
DarkSithPro (banned)
join:2005-02-12
Tempe, AZ

3 recommendations

All it would take is for the state department to go on live TV and blame Russia, then that would give the administration a green light to do whatever it is they need to do.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

to DonoftheDead
The folks at DYN, the provider hit with the ongoing DDoS, paint a picture for us.
quote:
Event cause:
On Friday October 21, 2016 at approximately 11:10 UTC, Dyn came under attack by a large Distributed Denial of Service (DDoS) attack against our Managed DNS infrastructure in the US-East region. Customers affected may have seen regional resolution failures in US-East and intermittent spikes in latency globally. Dyn’s engineers were able to successfully mitigate the attack at approximately 13:20 UTC, and shortly after, the attack subsided.

At roughly 15:50 UTC a second DDoS attack began against the Managed DNS platform. This attack was distributed in a more global fashion. Affected customers may have seen intermittent resolution issues as well as increased global latency. At approximately 17:00 UTC, our engineers were again able to mitigate the attack and service was restored. [...]
»www.dynstatus.com/

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

to siljaline
A power outage, and the SCE.com web site was under maintenance for many hours today. Related?

ashrc4
Premium Member
join:2009-02-06
australia

2 recommendations

to DarkSithPro
I think web 3.0 is already past the drawing board. And yes, DDoSing is a huge problem, but not just by state sponsoring.
Frodo
join:2006-05-05

2 recommendations

said by ashrc4:

not just by state sponsoring

It could be a kid in his bedroom. The Register posted a story on the software, with a link to the source code, which I downloaded myself.

The modem firewall entries are mostly port 23 (telnet) intrusion attempts. I'm probably averaging an attempt every two minutes.

This IoT has to get straightened out, in a hurry. I'm thinking the short-term fix might just be for ISPs to shut off inbound telnet to residential customers.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 recommendations

said by Frodo:

said by ashrc4:

not just by state sponsoring

It could be a kid in his bedroom. The Register posted a story on the software, with a link to the source code, which I downloaded myself.

The modem firewall entries are mostly port 23 (telnet) intrusion attempts. I'm probably averaging an attempt every two minutes.

This IoT has to get straightened out, in a hurry. I'm thinking the short-term fix might just be for ISPs to shut off inbound telnet to residential customers.

RE Kid in bedroom: Rather than just a bored kid, it could also be a revenge/blackmail attack on Dyn (by either script kiddies or organized crime -- both of which might have reasons for hitting Dyn).

RE port 23: I am seeing a very large increase in port 23 intrusion attempts on all three of my currently in use public IP addresses that I use to locally host public services.

RE IoT: Don't hold your breath for an IoT security fix any time soon (or at all for equipment already in the field). Same goes for ISPs blocking inbound port 23 access (some ISPs use telnet for remote access to CPE devices).

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

I've been seeing port 23 spam for months.
Also, the Norse attack map is down:
»map.norsecorp.com
Frodo
join:2006-05-05

2 recommendations

said by Cartel:

I've been seeing port 23 spam for months.

On my connection, it used to be evenly split between ports 22, 23 and 3389. But now, it is almost exclusively 23. Telnet is the low-hanging fruit.
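Frodo and NetFixer above are eyeballing their firewall logs for port 23 hits. The following is an added example, not code from any poster, that does the same tally over a few constructed netfilter-style log lines: hits per destination port, each port's share of all attempts, distinct sources per port, and telnet hits per hour. The log format is assumed (adjust the regex for your own device), and counting 2323 alongside 23 is an assumption noted in the code.

```python
"""Tally inbound connection attempts per port from firewall log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in netfilter LOG-target style (not real traffic).
# Adjust LINE_RE if your modem or firewall logs in a different format.
SAMPLE_LOG = """\
Oct 21 11:12:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43211 DPT=23 SYN
Oct 21 11:13:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=23 SYN
Oct 21 11:15:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
Oct 21 11:16:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43212 DPT=2323 SYN
Oct 21 12:01:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.8 DST=203.0.113.5 PROTO=TCP SPT=60000 DPT=3389 SYN
Oct 21 12:02:55 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP SPT=43900 DPT=23 SYN
Oct 21 12:03:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43213 DPT=23 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) "
                     r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")
# 2323 is counted as telnet too: the public Mirai scanner also probes it
# (that detail comes from the malware's source code, not from this thread).
TELNET_PORTS = {23, 2323}

def parse_log(text, year=2016):
    """Yield (timestamp, src, proto, dport) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel message: skip it instead of crashing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["proto"], int(m["dport"])

def summarise(text):
    """Per-port counts, each port's share of attempts, distinct sources, telnet hits per hour."""
    per_port, telnet_per_hour = Counter(), Counter()
    sources = defaultdict(set)
    for ts, src, _proto, dport in parse_log(text):
        per_port[dport] += 1
        sources[dport].add(src)
        if dport in TELNET_PORTS:
            telnet_per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    total = sum(per_port.values()) or 1  # avoid dividing by zero on an empty log
    return {
        "per_port": dict(per_port),
        "share": {p: round(n / total, 2) for p, n in per_port.items()},
        "distinct_sources": {p: len(s) for p, s in sources.items()},
        "telnet_per_hour": dict(telnet_per_hour),
    }

if __name__ == "__main__": print(summarise(SAMPLE_LOG))
```

On the sample data, port 23 carries more than half of the attempts and three distinct sources hit it, the same lopsided picture the posters describe.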

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

1 recommendation

1000 - 1300 hits a day on port 23 here.
Also discussed here: »The Short Life of a Vulnerable DVR Connected to the Internet

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

1 recommendation

to siljaline
According to Julian Assange, it was supporters of WikiLeaks who carried out the DDoS on DynDNS, possibly in retaliation for his internet connection being cut by the Ecuadoran government.

He tweeted: "Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the U.S. Internet. You proved your point."

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

2 recommendations

to siljaline
Looks like part 2 is hitting right now... sites are dropping like flies.

also:

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

»krebsonsecurity.com/2016 ··· -outage/

Ryan
Premium Member
join:2001-03-03
Boston, MA

to siljaline
Yesterday sucked for us. Dyn is typically extremely good at defending against DDoS attacks, and they get attacked quite frequently, but this time, well, I don't think there was any stopping this. Unfortunately one of our new SaaS applications went absolutely bonkers due to our code not handling the outage properly. Restarting it led to another issue that had me stuck in the office troubleshooting until about 4 AM EST.
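Ryan's outage problem above is a common one: application code that treats a failed name lookup as fatal. As an added example (not Ryan's code or Dyn's), here is a small serve-stale resolver cache in the spirit of RFC 8767: while the upstream DNS provider is unreachable, the application keeps using its last good answer for a bounded time, and only fails once that grace period is exhausted. The hostname and address are constructed, and the resolver and clock are injectable so the walk-through runs offline.

```python
"""Serve-stale DNS cache so an upstream DNS outage degrades gracefully."""
import socket
import time

class StaleCacheResolver:
    """Cache good lookups; on failure, serve the stale answer for a bounded time."""
    def __init__(self, ttl=300, max_stale=6 * 3600, resolve=None, clock=time.time):
        self.ttl = ttl              # seconds a fresh answer is trusted
        self.max_stale = max_stale  # seconds a stale answer may be served in an outage
        # default: IPv4 answers via the system resolver (IPv6 omitted for brevity)
        self._resolve = resolve or (lambda h: sorted(set(socket.gethostbyname_ex(h)[2])))
        self._clock = clock
        self._cache = {}            # host -> (addresses, fetched_at)

    def lookup(self, host):
        """Return (addresses, is_stale); raise gaierror only with no usable answer."""
        now = self._clock()
        cached = self._cache.get(host)
        if cached and now - cached[1] < self.ttl:
            return cached[0], False
        try:
            addresses = self._resolve(host)
        except socket.gaierror:
            if cached and now - cached[1] < self.max_stale:
                return cached[0], True  # upstream DNS down: serve last good answer
            raise
        self._cache[host] = (addresses, now)
        return addresses, False

def simulate_outage():
    """Fake resolver and clock: one good lookup, then DNS goes dark. Returns (fresh, stale, exhausted)."""
    state = {"t": 1000.0, "up": True}

    def fake_resolve(host):
        if not state["up"]:
            raise socket.gaierror("temporary failure in name resolution")
        return ["203.0.113.10"]  # constructed address for api.example.test

    r = StaleCacheResolver(ttl=300, max_stale=3600, resolve=fake_resolve, clock=lambda: state["t"])
    fresh = r.lookup("api.example.test")  # live answer, now cached
    state["up"] = False
    state["t"] += 400                     # TTL expired and DNS unreachable
    stale = r.lookup("api.example.test")  # served from cache, flagged stale
    state["t"] += 4000                    # beyond max_stale
    try:
        r.lookup("api.example.test")
        exhausted = False
    except socket.gaierror:
        exhausted = True
    return fresh, stale, exhausted
```

Callers can log or alert on the stale flag so an outage at the provider is visible without taking the service down with it.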

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

to siljaline
»map.norsecorp.com/#/?pro ··· t-server

Itguy2016
join:2015-09-01
Longwood, FL

2 recommendations

to siljaline
False flag? Obama testing his 'kill switch' in case the person he doesn't want replacing him wins and he has to declare the election void?

Just a thought.
Itguy2016

2 recommendations

to VikingBob
said by VikingBob:

1000 - 1300 hits a day on port 23 here.
Also discussed here: »The Short Life of a Vulnerable DVR Connected to the Internet

This isn't actually possible to be done to me. My UTM has a shield that blocks more than 50 sessions a second on any device unless that device is whitelisted. Also, any IoT device I have deployed has no direct outbound WAN access through THAT device. For example, my cameras are blocked from all WAN traversal (including NTP); rather, they can only talk to my camera server, which also doesn't directly communicate with the outside unless polled by my specific application to access the cameras through the server on a specific port. Also, no device has default logins/passwords; each has very long, complex passwords, rendering access to them from remote absolutely impossible and 'near impossible' even from the internal network unless through a specific device on a specific port.

The problem here is people buy internet connected crap and plug it in and think the world is great. Companies that allow this and don't enforce proper security are just as liable.

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

to Itguy2016
Not much of a 'kill switch'. I can think of better ways of 'killing' the Internet. No, I won't elaborate.
Itguy2016
join:2015-09-01
Longwood, FL

There are already contingencies in place if someone tried to kill-switch it. EOC comes to mind, and unless they intend to take out cell data streams, they aren't going to fully shut it off. DNS isn't a big deal; local DNS caching and binding works fine for that in emergencies.

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

If it all goes down, I still remember which print sources have the answers... and my HF communications will still be up.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

3 recommendations

"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."
»securityledger.com/2016/ ··· shpoint/

The folks @Bullguard have posted an IoT scanner which enables you to determine if your IoT and/or front-facing connected devices are leaking to the Internet.

»iotscanner.bullguard.com/

ashrc4
Premium Member
join:2009-02-06
australia

2 recommendations

said by siljaline:

Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs

and even baby monitors according to news reports.
lawsoncl
join:2008-10-28
Spirit Lake, ID

2 recommendations

to siljaline
said by siljaline:

The Folks @Bullguard have posted an IoT scanner which enables you to determine if your IoT and or front facing connected devices are leaking to the Internet.

This looks up your IP to see if it showed up on the Shodan scanner recently. Apparently the previous user of my IP had a Verizon modem with port 4567 open. Mine definitely does not.

As much as I dislike Steve Gibson's technobabble, his shields up utility is useful to check what ports you have open.

DonoftheDead
Old diver
Premium Member
join:2004-07-12
Clinton, WA

5 recommendations

to siljaline
What gripes my butt is this was foreseen quite a while ago and the ones that were supposed to protect us were nowhere to be seen, as usual. They're good at the forensics after the fact but perfectly lousy at prevention. They had to know this was going to happen sooner or later and didn't do squat about it. Just let the IoT OEMs peddle their insecure crap. Business as usual. The 3-letter agencies have all our data to "protect" us but I'm not seeing any "protection". What a lame joke they are. Thanx for that link, siljaline. Looks like I'm OK. Norse is back up, here anyway, and the Digital Attack Map shows that the US is still getting hit (apparently not as bad tho') but now Brazil is getting slammed for whatever reason. Telnet seems to be the favorite port of entry, but it pretty much always has been.

Anon049e2
@fdcservers.net

Was it related to the most recent Linux kernel local hack, such that all those servers were down and owned?

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

1 recommendation

to Itguy2016
said by Itguy2016:

This isn't actually possible to be done to me.

You are the exception, not the rule. The vast majority out there just plug the thing in and want it to work.
Frodo
join:2006-05-05

3 recommendations

to Anon049e2
said by Anon049e2:

Was it related to the most recent Linux kernel local hack?

I put a link to the code. As far as I can tell, these IoTs use UPnP to set up connections in the router. The code contains scanner.c, which hosts the ID/password combinations. That is the essence of the vulnerability: these IoTs are connected to the internet with hard-coded default IDs and passwords.

So, it is a pretty simple matter for a researcher to figure out what devices match these combinations.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

5 recommendations

- Chinese firm admits its hacked products were behind Friday's massive DDOS attack -
quote:
A Chinese electronics component manufacturer says its products inadvertently played a role in a massive cyberattack that disrupted major internet sites in the U.S. on Friday.

Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.

According to security researchers, malware known as Mirai has been taking advantage of these vulnerabilities by infecting the devices and using them to launch huge distributed denial-of service attacks, including Friday’s outage. [...]
»www.networkworld.com/art ··· ack.html

»twitter.com/artem_i_bara ··· 95380480

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

2 recommendations

to siljaline
There is some speculation about the source of the attack on DYN - many on the Dark Web seem to think it was North Korea, specifically the country's cyberwarfare agency known as Bureau 121.
RonSMeyer
join:2000-05-12
Saint Louis, MO

1 recommendation

to siljaline
Alright. I keep hearing webcams and DVRs. So I have 5 IP cameras functioning as security cameras. I changed the default passwords as soon as I got them several years ago. I hate to think I may have been an unwitting participant in this attack. So, trying to be responsible, how in the heck do you tell if your IP cameras have been hacked?

Then there's the DVR. I assume they are not talking about DVRs that you rent from the cable company? Or are they? They never say. So what are they talking about? And again, how would you tell?