ISP Operators AISURU/Kimwolf botnet
I would appreciate it if any ISP operators could help some of the smaller ISPs like us in stopping the traffic from these new malware-infected customers that have devices in the Aisuru/Kimwolf botnet. These are residential proxies for the most part, but hard to stop. Any help would be greatly appreciated.
How?

On Fri, Jan 16, 2026 at 8:34 AM Corey Smith via NANOG <nanog@lists.nanog.org> wrote:
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SAWGTYD5...
As a smaller ISP, I think the biggest thing that would help us would be a 'mainstream' media outlet covering some of it so we have something to show customers who call in about their internet being bad, us telling them it is their android streaming box that is taking up their entire connection moving TBs of data a day, and them responding with "but I bought it from Walmart/Amazon" or "you are just trying to get me to sign up for your cable" and refusing to do anything about it because 'free TV'. Cybersecurity blogs are not on our typical customers' reading list.

On Fri, Jan 16, 2026 at 9:03 AM Josh Luthman via NANOG <nanog@lists.nanog.org> wrote:
Benjamin,

It sounds like you recognize that this botnet exploits compromised devices on your customers’ networks, which are generating massive volumes of outbound DDoS traffic from your network. It’s thus your responsibility to address egress hygiene as a core operational standard and monitor and suppress malicious traffic leaving your network. One way to do this is via DDoS filtering services like Lumen’s Lotus Defender. These have been effective at disrupting the botnet's infrastructure by filtering the low-volume inbound control channel. Yes, such services are not free, but the problem on your network is due to your customers, not anybody else’s. It is your customers’ android IoT devices that are compromised. You could ask your complaining customers to shut off their android devices and see if their Internet improves, thus demonstrating the problem is with their IoT gear.

As for mainstream media coverage, “big” ISPs can’t make them publish anything. But you can point your customers to this well-written piece by Krebs On Security that clearly identifies consumers as the problem before it goes into the technical details:

Who Benefited from the Aisuru and Kimwolf Botnets? (krebsonsecurity.com)
<https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/>

-mel beckman

On Jan 16, 2026, at 7:16 AM, Benjamin Hatton via NANOG <nanog@lists.nanog.org> wrote:
Am 16.01.2026 um 16:12:43 Uhr schrieb Mel Beckman via NANOG:
One way to do this is via DDoS filtering services like Lumen’s Lotus Defender. These have been effective at disrupting the botnet's infrastructure by filtering the low-volume inbound control channel. Yes, such services are not free, but the problem on your network is due to your customers, not anybody else’s. It is your customers’ android IoT devices that are compromised.
How does this work if the devices use TOR to contact their command and control server?

--
Gruß
Marco

Send unsolicited bulk mail to 1768576363muell@cartoonies.org
You would have to ask Lumen. But they likely have pattern recognition techniques that work, or people wouldn’t be widely reporting successful relief. It’s not just Lumen. There are several DDoS filtering services available. So it boils down to a cost of doing business as an ISP. -mel beckman
On Jan 16, 2026, at 8:18 AM, Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
How does this work if the devices use TOR to contact their command and control server?
The most detailed analysis I have seen makes no mention of C2 comms via TOR. If you have a reference that it does, can you share?

On Fri, Jan 16, 2026 at 11:18 AM Marco Moock via NANOG <nanog@lists.nanog.org> wrote:
On Jan 16, 2026, at 22:16, Benjamin Hatton via NANOG <nanog@lists.nanog.org> wrote:

As a smaller ISP, I think the biggest thing that would help us would be a 'mainstream' media outlet covering some of it so we have something to show customers who call in about their internet being bad, us telling them it is their android streaming box that is taking up their entire connection moving TBs of data a day, and them responding with "but I bought it from Walmart/Amazon" or "you are just trying to get me to sign up for your cable" and refusing to do anything about it because 'free TV'.

The Kimwolf Botnet is Stalking Your Local Network (krebsonsecurity.com)
<https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/>
Roland, The Krebs article you cite is even better than the one I linked, because it shows pictures of the many consumer devices that can be infiltrated. People are likely to immediately recognize any they own, which will drive home the point that this is their problem. -mel
On Jan 16, 2026, at 5:43 PM, Dobbins, Roland via NANOG <nanog@lists.nanog.org> wrote:
“immediately recognize any they own, which will drive home the point that this is their problem”

That’s some grade A victim blaming bs there.

“The rubbish CPE that we forced you to have is now owned and it’s upsetting our eyeballs only peering arrangements so you need to sort it out”

ISPs are only not accountable legally for the content of the packets they transport. That doesn’t mean they are not responsible for the terrible routers they give out.

Your customers in the main don’t care as they are used to flaky internet service. It’s the problem of the ISP as it only really impacts on them in an aggregated form so as that’s where the pain is, that’s who is “it” for solving it.

-don’t hand out cheap pos un-updatable CPE or do (shareholder value/ enshittification) and accept the consequences with good grace.
On 17 Jan 2026, at 02:10, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
immediately recognize any they own, which will drive home the point that this is their problem
Mike, I agree with you where ISPs choose insecure CPE and force their customers to use it. But in the case of AISURU, It’s not the CPE causing the problem, it’s the customer’s buggy android-based IoT. -mel
On Jan 17, 2026, at 4:16 AM, Mike Simpson <mikie.simpson@gmail.com> wrote:
Again tho. What does it matter to the customer. It’s not impacting on their bottom line. They are used to fairly rubbish service for a huge multitude of reasons so their bandwidth being a bit slashdotted doesn’t matter to them. That’s why it’s a DDoS.

The only reason they got infected wasn’t their fault. It’s the fault of every company that believes that a EULA is the end of their liability.

If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams.

This is something that should have been sorted out after Nimda but that wouldn’t have boosted shareholder value apparently.

Your users aren’t aware that it’s not safe to plug stuff into the network you provide in the same way that they would expect a firewall not to get them owned or that a VPN device would be safe to use.

-this is our fault, our failing, and we need to stop our knee jerk victim shaming and do better.
On 17 Jan 2026, at 12:49, Mel Beckman <mel@beckman.org> wrote:
On Sat, 17 Jan 2026, Mike Simpson via NANOG wrote:
Again tho. What does it matter to the customer. It’s not impacting on their bottom line. They are used to fairly rubbish service for a huge multitude of reasons so their bandwidth being a bit slashdotted doesn’t matter to them. That’s why it’s a ddos.
It matters to the customer when the various infected devices on their network start causing problems they (or their neighbors) notice. DDoS is far from the only thing compromised things are used for. There's spam sending bots, brute force auth attempt bots, etc.

I thought I'd dealt with the spam bots a year or two ago with port 25 filters. Looking at the ACL counters, I can see those bots are still constantly trying. But now there appear to be spam bots using authenticated/encrypted SMTP Submission. Likely, this is related to the bots doing brute force authentication bypass attempts on large provider IMAP servers (getting our IPs internally blacklisted by those providers, resulting in customer support calls "XYZ is saying my IP is temporarily blacklisted when I try checking my mail.").

The more gear in a customer's home network that's compromised, the more vectors there are for getting into their computers, phones, etc., and then there's the chance of RATs being installed, data theft, etc. It's far from just an issue of our outbound traffic capacity possibly being "stolen" and misused. That's probably the least of my concerns. For me, IP reputation is probably the top one, though customer safety is right up there next to it.

Getting the customer gear cleaned up, seems to me, to be a non-starter. Attempting this could easily be a full time job...and I have done the exercise of picking a customer known to be infected[1], getting into their CPE, identifying the internal IP/MAC of the infected "thing" [it wasn't the CPE], but that's as far as I could get. The MAC resolved to some company in China I'd never heard of, so it provided no clue to me as to what the device is. Imagine trying to talk a customer through identifying some random device on their home network by IP/MAC. I could break its Internet connectivity with a filter on their CPE, but even if we find it by then looking for the thing that's fallen off the network, then what? If it's a streaming TV device, thermostat, or other IoT device, how are they supposed to clean off the malware, and what's going to stop it from getting re-infected? In the case of insecure gear that can be compromised by any other device on the local network, do we tell them "you just can't have that on your network...throw it away, or demand a refund from whoever you bought it from."?

[1] We're currently in a trial of Spamhaus's "BGP Firewall" that provides a feed of known botnet C&C IPs (for null routing to break their communication with & control of bots on our network). Rather than just null routing that traffic, we're sending it to a system where we can capture the packets...so I've identified at least a subset of our infected customers. The Spamhaus data is clearly helpful, but doesn't seem to be a complete cure for the issue...so I'm curious if there are other similar services that could be combined to get more/better coverage?

----------------------------------------------------------------------
 Jon Lewis, MCP :)               |  I route
 Blue Stream Fiber, Sr. Neteng   |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
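One way to turn a C&C indicator feed plus flow records into a list of infected subscribers, along the lines of the Spamhaus feed and capture-box trial Jon describes above. This is an added example, not code from the thread, from Spamhaus or from Blue Stream Fiber; the feed entries, the 100.64.0.0/16 subscriber range, the flow records, the capture next-hop and the function names are all constructed stand-ins.

```python
"""Match subscriber flow records against a botnet C&C indicator feed.
Added example; feed entries, subscriber prefix and flows are constructed
stand-ins (test address ranges), not real Spamhaus data or customers."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for a C&C feed. A real feed such as the Spamhaus BGP
# Firewall mentioned in the thread arrives as BGP prefixes; here it is a list.
C2_FEED = ["203.0.113.10/32", "203.0.113.128/25", "198.51.100.0/24"]
# The ISP's own customer address space (constructed).
SUBSCRIBER_PREFIXES = ["100.64.0.0/16"]
# Mail ports the thread singles out: SMTP, submission, IMAPS.
MAIL_PORTS = {25, 587, 993}

# Constructed NetFlow-style records: timestamp src dst proto dport bytes.
FLOWS = """\
2026-01-17T10:00:01 100.64.3.7 203.0.113.10 tcp 443 1200
2026-01-17T10:00:05 100.64.3.7 203.0.113.200 tcp 8080 600
2026-01-17T10:01:10 100.64.9.2 198.51.100.44 tcp 6667 300
2026-01-17T10:02:00 100.64.9.2 192.0.2.5 tcp 443 50000
2026-01-17T10:02:30 100.64.3.7 203.0.113.10 tcp 443 900
2026-01-17T10:03:00 100.64.12.1 192.0.2.9 tcp 443 700
2026-01-17T10:03:30 100.64.9.2 192.0.2.70 tcp 587 400
2026-01-17T10:04:00 192.0.2.99 203.0.113.10 tcp 443 800
"""

@dataclass
class Hit:
    """Per-subscriber summary of contact with feed-listed C&C addresses."""
    first_seen: datetime
    last_seen: datetime
    flows: int = 0
    bytes_total: int = 0
    c2_addrs: set[str] = field(default_factory=set)

def to_networks(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def parse_flow(line):
    ts, src, dst, proto, dport, nbytes = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), proto, int(dport), int(nbytes))

def find_infected(flow_text, c2_prefixes, subscriber_prefixes):
    """Return {subscriber_ip: Hit} for subscribers whose flows reached a feed
    destination. Non-subscriber sources (transit, spoofed) are ignored."""
    feed = to_networks(c2_prefixes)
    subs = to_networks(subscriber_prefixes)
    hits: dict[str, Hit] = {}
    for line in filter(None, flow_text.splitlines()):
        ts, src, dst, _proto, _dport, nbytes = parse_flow(line)
        if not in_any(src, subs) or not in_any(dst, feed):
            continue
        hit = hits.setdefault(str(src), Hit(first_seen=ts, last_seen=ts))
        hit.first_seen = min(hit.first_seen, ts)
        hit.last_seen = max(hit.last_seen, ts)
        hit.flows += 1
        hit.bytes_total += nbytes
        hit.c2_addrs.add(str(dst))
    return hits

def mail_port_activity(flow_text, subscriber_prefixes):
    """Secondary signal: outbound flows per subscriber to mail ports, the
    pattern behind the port 25 ACL counters and IMAP brute-force complaints."""
    subs = to_networks(subscriber_prefixes)
    counts: dict[str, dict[int, int]] = {}
    for line in filter(None, flow_text.splitlines()):
        _ts, src, _dst, _proto, dport, _nbytes = parse_flow(line)
        if dport in MAIL_PORTS and in_any(src, subs):
            per_port = counts.setdefault(str(src), {})
            per_port[dport] = per_port.get(dport, 0) + 1
    return counts

def capture_routes(c2_prefixes, capture_next_hop):
    """Cisco-style static routes steering feed prefixes to a capture host
    instead of null0, so infected sources can be identified from the packets."""
    return [f"ip route {net.network_address} {net.netmask} {capture_next_hop}"
            for net in to_networks(c2_prefixes)]

if __name__ == "__main__":
    hits = find_infected(FLOWS, C2_FEED, SUBSCRIBER_PREFIXES)
    for src, hit in sorted(hits.items()):
        print(f"{src}: {hit.flows} flows, {hit.bytes_total} bytes, "
              f"{sorted(hit.c2_addrs)}, {hit.first_seen}..{hit.last_seen}")
    print(mail_port_activity(FLOWS, SUBSCRIBER_PREFIXES))
    print("\n".join(capture_routes(C2_FEED, "192.0.2.1")))
```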
Oh, please. This isn’t victim shaming. Is a taxi driver responsible for the food poisoning you got at a restaurant? Would he be “victim shaming” if he said you should go to the hospital and get treatment? Is he obligated to refuse to take you to a restaurant that he thinks has dodgy sanitation? Does he even need a EULA to order you out of his cab to puke? No. Like an ISP, he’s a common carrier. Legally and ethically. ISPs don’t sell IoT and have no control over what customers buy. ISPs, especially smaller ones, don’t deliver “fairly rubbish” service. But even if they did, that doesn’t make them responsible for customer IoT gear. Sorry, but your logic makes no sense. -mel
On Jan 17, 2026, at 6:23 AM, Mike Simpson <mikie.simpson@gmail.com> wrote:
If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams.
ISPs aren't 'serving customers malware'. Come on. There is a shared responsibility here. ISPs need to take reasonable precautions to block bad, while also ensuring that users can use the access they provide in the ways they choose to do so. End users need to have a basic level of understanding that the 'naked' internet is a nasty place, and many network enabled devices are poorly designed, so having some level of network security is important.

On Sat, Jan 17, 2026 at 9:23 AM Mike Simpson via NANOG <nanog@lists.nanog.org> wrote:
Why use Tor when you can ride the carrier's wave? This report is an example:
https://github.com/0verdu/Stepped-On_Silicon/blob/main/infrastructure/tmobil...

Tor isn’t even in the picture. The setup bypasses the MVNO layer entirely and hits the MNO core to tunnel into private AWS space (172.31.35.241). When the C2 is integrated into the IMS core and uses a system-level NEVPN, it’s invisible to the user.

-------- Original Message --------
On Friday, 01/16/26 at 11:35 Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
Hello,

I love seeing these old school descriptions of overflows and device compromise. Reminds me when I was doing SOC work for another company. Thank you and know some of us older guys and gals enjoy this immensely.

Sincerely,
Richard Golodner
Info@infratection.com

-------- Original message --------
From: Intergalactic Auditor via NANOG <nanog@lists.nanog.org>
Date: 1/17/26 10:45 (GMT-06:00)
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Marco Moock <mm@dorfdsl.de>, Intergalactic Auditor <fr0mTheCloud@proton.me>
Subject: Re: ISP Operators AISURU/Kimwolf botnet
Thanks Richard. When your daily driver turns into a beacon for bad guys, your world becomes the SOC.

-------- Original Message --------
On Saturday, 01/17/26 at 12:26 rgolodner via NANOG <nanog@lists.nanog.org> wrote:
The problem I see is that an article like this is intended for an IT/security professional audience. These TV piracy boxes are often used by uneducated folks that would not read such an article. They just want their sports and $cableNewsChannel, and if you tell them it’s illegal or full of malware, they will just tell you you’re wrong, keep using it, and let it cause their 1Gbps circuit to get saturated by botnet traffic, all in the name of “free television”. I have joined a few social media groups about these devices out of sheer curiosity, and have seen a number of threads from folks that ask why an ISP's security offering (typically Comcast’s “XFi Security” or AT&T’s “Active Armor”) would be complaining about traffic coming from the device… the common trend is to tell people to disable the security services, as “Infinity [SIC] is just trying to force you to buy their cable”. Hooray for Stockholm syndrome.
On Jan 16, 2026, at 20:10, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
Roland,
The Krebs article you cite is even better than the one I linked, because it shows pictures of the many consumer devices that can be infiltrated. People are likely to immediately recognize any they own, which will drive home the point that this is their problem.
-mel
On Jan 16, 2026, at 5:43 PM, Dobbins, Roland via NANOG <nanog@lists.nanog.org> wrote:
On Jan 16, 2026, at 22:16, Benjamin Hatton via NANOG <nanog@lists.nanog.org> wrote:
As a smaller ISP, I think the biggest thing that would help us would be a 'mainstream' media outlet covering some of it so we have something to show customers who call in about their internet being bad, us telling them it is their android streaming box that is taking up their entire connection moving TBs of data a day, and them responding with "but I bought it from Walmart/Amazon" or "you are just trying to get me to sign up for your cable" and refusing to do anything about it because 'free TV'.
The Kimwolf Botnet is Stalking Your Local Network (krebsonsecurity.com): https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
You should write the article and submit it to the New York Times technology group. I believe David Pogue still works there, and he is a tech guy, so maybe he would be a good vehicle to get it published. I used to work with David at Macworld magazine. But it’s not the job for an ISP, or even something an ISP could get the major media to publish.

-mel via cell
On Jan 17, 2026, at 4:50 PM, Tim Burke <tim@mid.net> wrote:
Write it and submit it to the NYT and that crowd would just call it mass media lies. Whatever happened to all the walled gardens Comcast and others were working on? If you see this traffic just cut the connection based on the customer bumming free tv with a knockoff Chinese device, if not for the malware.

--srs

________________________________
From: Mel Beckman via NANOG <nanog@lists.nanog.org>
Sent: Sunday, January 18, 2026 9:41:54 AM
To: Tim Burke <tim@mid.net>
Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>; Corey Smith <cosmith80001@gmail.com>; Roland Dobbins <Roland.Dobbins@netscout.com>; Mel Beckman <mel@beckman.org>
Subject: Re: ISP Operators AISURU/Kimwolf botnet
Suresh,

Aye, there’s the rub. It’s very difficult to classify DDoS traffic at the ASN level unless you can see it across ASNs on the Internet backbone, and then correlate it using sophisticated pattern recognition. This is what services such as Black Lotus, CloudFlare, and Fastlick do. Especially for small ISPs, this is impossible to do in-house, at least today anyway. Hackers quickly learn how all these DDoS recognition services work, so it’s a constant battle of whack-a-mole trying to stay ahead of them and their information hiding techniques.

There are CPE devices — NG enterprise firewalls — that can detect and block some large output streams. But customers aren’t willing to pay a $2000 setup fee and turn over the shelf space and endure the noise footprint for these products.

But you’re right about one thing: ISPs, where they can identify abusive outbound traffic, can turn off those customers and leave it to them to clean up their home networks.

-mel

On Jan 17, 2026, at 5:50 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
On Fri, Jan 16, 2026 at 5:31 AM Corey Smith via NANOG <nanog@lists.nanog.org> wrote:
I would appreciate if any ISP Operators could help some of the smaller ISP like us in stopping the traffic from these new Malware infected customers that have devices with Aisiura/Kimwolf botnet,
I don't know anything about the AISURU/Kimwolf botnet, but back in the day I'd point my default route at an IDS where I could monitor and log port scans sent from customers to unrouted IP address space. This worked because it was adjacent to a router with a full BGP table. This told me which customers had malware, and when contacted it let me say, "We recorded at least X hundred thousand unlawful network packets from your computers between date and date. If you're willing to turn things off one by one, we can help you identify which of your devices is at fault, but if you're unable to repair it yourself you'll have to seek assistance from a repair shop."

And if it's equipment I sent the customers, I'd figure that out pretty quickly because it would have hit most of the customers I sent that equipment to.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
Bill,

I, too, lived in those days, and had similar NetFlow surveillance. Alas, those days are over. You probably already know this, but in case others don’t, the problem with the AISURU is that home users’ infected devices don’t do scanning, so you can’t detect them. They simply send DDoS packets — which just look like normal traffic — against pre-defined targets communicated over the botnet C2 network. The botnet uses DNS-over-TLS (DoT) to hide C2 communication, preventing traditional network monitoring tools from seeing what the bots are doing. So the infected user’s outbound traffic is indistinguishable from, for example, ordinary web surfing.

The DDoS filtering services are correlating attack traffic from the backbone to identify the target IPs, which they can then filter at the target’s border router. For a hefty fee, of course, using BGP redirect. But there’s nothing anybody can do on the source end without the customers’ intervention. That’s this problem in a nutshell.

But there are many other DDoS attack modes, such as DNS amplification, UDP flood, SYN flood, etc. The sad truth is, if a DDoS hacker wants to put you out of business, you can’t really stop them without spending a ton of money. And it costs them nothing. That’s why fixing the vulnerable IoT devices is such a high priority.

-mel via cell

On Jan 17, 2026, at 9:10 PM, William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Sat, Jan 17, 2026 at 10:13 PM Mel Beckman <mel@beckman.org> wrote:
Alas, those days are over. You probably already know this, but in case others don’t, the problem with the AISURU is that home user’s infected devices don’t do scanning, so you can’t detect them. They simply send DDoS packets — which just look like normal traffic —against pre-defined targets communicated over the botnet C2 network.
Hi Mel,

From what I gather, modern botnets provide the attacker with a swiss army knife of capabilities including the one you mention. If your purpose is to detect them rather than automate filtering, you don't have to catch them doing everything, you only have to catch them doing one thing.

Look at it this way: the attacker has to hide _everything_ he does from you. You only have to catch _one_ thing he does to detect that intrusion. It's the reverse of the normal pattern where the attacker can infiltrate a system by succeeding once while the defender has to succeed every time to keep him out.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
I’m glad this thread is getting back to exploring options and solutions…

One recommendation every ISP needs to consider is subscribing to the Shadowserver Foundation’s daily reports. That reporting gives you data on your customer infection rate from the wide range of sources fed into Shadowserver. When you ask to subscribe, ask for multiple reports - where you get the ASN report, then an IP report on your core network infrastructure, and a separate IP report on your customer IP blocks. That makes it easier to work with the risk profile from your infected customers.

Finally, one of the ways you can feed data into Shadowserver is through their DDoS Reputation API. Organizations who are attacked can use the API to query the source IPs of the attack and find out details Shadowserver has on the IPs. That DDoS instance is then added to the telemetry. That is then delivered to the ISPs who subscribe to Shadowserver to let them know their infected customers are being used for attacks.

So if you have an Anti-DDoS provider, ask them if they are using the Shadowserver DDoS Reputation API. That helps the “small ISPs” get details on which infected customers are being used by the miscreants.
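An added example, not code from the thread or from any poster, that puts Bill's unrouted-destination check and the Shadowserver-feed suggestion above together: it maps both kinds of evidence onto subscriber assignments so the ISP knows which customer to call. The BGP table, subscriber blocks, flow lines and feed rows are all constructed, and the feed's CSV columns are an assumed simplified shape, not Shadowserver's real report schema.

```python
"""Added example (not the thread's or any poster's code): correlate two kinds of
infection evidence to subscriber assignments, so the ISP knows whom to contact.
 1. Bill Herrin's check: flows from customer space to destinations no announced
    prefix covers (the IDS sitting on the default route sees exactly those).
 2. Barry's suggestion: an external feed of infected IPs such as Shadowserver's
    daily reports. The CSV columns used here are a simplified, constructed shape,
    NOT Shadowserver's real report schema.
All prefixes, assignments, flow lines and feed rows are constructed sample data.
"""
import csv
import ipaddress
from collections import defaultdict

# Constructed stand-in for a full BGP table: only these prefixes have a route.
ANNOUNCED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",   # our customer block (TEST-NET-3)
    "198.51.100.0/24",  # remote network, treated as routed (TEST-NET-2)
    "192.0.2.0/24",     # remote network, treated as routed (TEST-NET-1)
)]

# Constructed subscriber assignments: customer id -> assigned block.
CUSTOMER_ASSIGNMENTS = {
    "cust-1001": ipaddress.ip_network("203.0.113.0/30"),
    "cust-1002": ipaddress.ip_network("203.0.113.4/30"),
    "cust-1003": ipaddress.ip_network("203.0.113.8/30"),
    "cust-1004": ipaddress.ip_network("203.0.113.12/30"),
}

# Constructed flow records logged by the IDS: timestamp src_ip dst_ip dst_port.
FLOW_LOG = """\
2026-01-17T03:00:01Z 203.0.113.2  198.51.100.7 443
2026-01-17T03:00:02Z 203.0.113.2  100.64.9.1   23
2026-01-17T03:00:02Z 203.0.113.2  100.64.9.2   23
2026-01-17T03:00:03Z 203.0.113.2  100.64.9.3   23
2026-01-17T03:00:05Z 203.0.113.6  192.0.2.10   80
2026-01-17T03:00:07Z 203.0.113.10 100.64.200.1 8080
2026-01-17T03:00:09Z 203.0.113.14 100.64.1.1   23
"""

# Constructed infection feed (simplified CSV, not Shadowserver's real columns).
INFECTION_FEED = """\
timestamp,ip,tag,source
2026-01-17T02:10:00Z,203.0.113.6,ddos-participant,ddos-reputation
2026-01-17T02:11:00Z,203.0.113.10,ddos-participant,ddos-reputation
2026-01-17T02:12:00Z,198.51.100.50,ddos-participant,ddos-reputation
"""

def is_routed(dst, table=ANNOUNCED_PREFIXES):
    """True if some announced prefix covers dst; the IDS only sees the rest."""
    dst = ipaddress.ip_address(dst)
    return any(dst in prefix for prefix in table)

def customer_for(ip, assignments=CUSTOMER_ASSIGNMENTS):
    """Customer id whose block holds ip, or None if the address is not ours."""
    ip = ipaddress.ip_address(ip)
    for customer, block in assignments.items():
        if ip in block:
            return customer
    return None

def unrouted_hits(flow_log):
    """Count packets per customer whose destination has no route at all."""
    counts = defaultdict(int)
    for line in flow_log.splitlines():
        _ts, src, dst, _port = line.split()
        if is_routed(dst):
            continue                      # ordinary traffic, ignore
        customer = customer_for(src)
        if customer:                      # foreign/spoofed sources are dropped
            counts[customer] += 1
    return dict(counts)

def feed_hits(feed_csv):
    """Map feed rows onto our customers; IPs outside our blocks are dropped."""
    hits = defaultdict(list)
    for row in csv.DictReader(feed_csv.splitlines()):
        customer = customer_for(row["ip"])
        if customer:
            hits[customer].append(f"{row['timestamp']} {row['tag']} via {row['source']}")
    return dict(hits)

def build_report(flow_log, feed_csv, scan_threshold=3):
    """Per-customer evidence plus a decision: 'contact' the customer or 'watch'."""
    scans, feed = unrouted_hits(flow_log), feed_hits(feed_csv)
    report = {}
    for customer in sorted(set(scans) | set(feed)):
        reasons = []
        if scans.get(customer, 0) >= scan_threshold:   # a lone stray packet is noise
            reasons.append(f"{scans[customer]} packets to unrouted space")
        reasons += [f"listed in feed: {entry}" for entry in feed.get(customer, [])]
        report[customer] = {"unrouted_packets": scans.get(customer, 0),
                            "feed_entries": len(feed.get(customer, [])),
                            "reasons": reasons,
                            "action": "contact" if reasons else "watch"}
    return report
```

As Mel points out earlier in the thread, the unrouted-destination path only surfaces bots that scan; the feed path is what catches bots that only emit attack traffic.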
Yeah that’s why my focus was on ISPs detecting this outbound - if only through feeds like Shadowserver - and cutting off infected customers.

--srs

________________________________
From: Mel Beckman <mel@beckman.org>
Sent: Sunday, January 18, 2026 10:44:34 AM
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>; Tim Burke <tim@mid.net>; Corey Smith <cosmith80001@gmail.com>; Roland Dobbins <Roland.Dobbins@netscout.com>
Subject: Re: ISP Operators AISURU/Kimwolf botnet
But that’s the problem: you can’t detect even one thing because the attack traffic looks like normal traffic 💯. It is, in fact, normal traffic in the sense that it’s exercising the service, such as HTTP, on the victim’s network. What makes it a distributed DoS attack is that many attackers present a huge load to this victim server while not showing any particularly intensive stream on the consumer attacking network. The consumer attacking network is then directed to attack many distant victims, but that just looks like more normal traffic to a lot of different web hosts.

In extreme cases, the attacker may max out the upstream capacity of the consumer proxy network. But once again, that’s not terribly surprising because some consumers just hit their limit based on gaming or whatever it is they’re doing. It’s not an AUP violation to use all the bandwidth you’re paying for.

-mel via cell

On Jan 17, 2026, at 11:22 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Yeah so that’s why third party malware feeds feeding into SP walled gardens are about the only way you can reasonably mitigate this. Can’t be done at the destination, as you say. --srs ________________________________ From: Mel Beckman <mel@beckman.org> Sent: Sunday, January 18, 2026 3:45:19 PM To: Suresh Ramasubramanian <ops.lists@gmail.com> Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>; Tim Burke <tim@mid.net>; Corey Smith <cosmith80001@gmail.com>; Roland Dobbins <Roland.Dobbins@netscout.com> Subject: Re: ISP Operators AISURU/Kimwolf botnet But that’s the problem: you can’t detect even one thing because the attack traffic looks like normal traffic 💯 . It is, in fact, normal traffic in the sense that it’s exercising the service, such as HTTP, on the victims network. What makes it a distributed DoS attack is that many attackers present a huge load to this victim server while not showing any particularly intensive stream on the consumer attacking network. The consumer attacking network is then directed to attack many distant victims, but that just looks like more normal traffic to a lot of different web hosts. In extreme cases, the attacker may max out the upstream capacity of the consumer proxy network. But once again, that’s not terribly surprising because some consumers just hit their limit based on gaming or whatever it is, they’re doing. It’s not an AUP violation to use all the band with you’re paying for. -mel via cell On Jan 17, 2026, at 11:22 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote: Yeah that’s why my focus was on isps detecting this outbound - if only through feeds like shadow server - and cutting off infected customers. 
--srs

From: Mel Beckman <mel@beckman.org>
Sent: Sunday, January 18, 2026 10:44:34 AM
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>; Tim Burke <tim@mid.net>; Corey Smith <cosmith80001@gmail.com>; Roland Dobbins <Roland.Dobbins@netscout.com>
Subject: Re: ISP Operators AISURU/Kimwolf botnet

Suresh,

Aye, there’s the rub. It’s very difficult to classify DDoS traffic at the ASN level unless you can see it across ASNs on the Internet backbone and then correlate it using sophisticated pattern recognition. This is what services such as Black Lotus, CloudFlare, and Fastlick do. Especially for small ISPs, this is impossible to do in-house, at least today anyway. Hackers quickly learn how all these DDoS recognition services work, so it’s a constant battle of whack-a-mole trying to stay ahead of them and their information hiding techniques.

There are CPE devices — NG enterprise firewalls — that can detect and block some large output streams. But customers aren’t willing to pay a $2000 setup fee and turn over the shelf space and endure the noise footprint for these products.

But you’re right about one thing: ISPs, where they can identify abusive outbound traffic, can turn off those customers and leave it to them to clean up their home networks.

-mel

On Jan 17, 2026, at 5:50 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

Write it and submit it to the NYT and that crowd would just call it mass media lies.

Whatever happened to all the walled gardens Comcast and others were working on? If you see this traffic just cut the connection based on the customer bumming free TV with a knockoff Chinese device, if not for the malware.
--srs

From: Mel Beckman via NANOG <nanog@lists.nanog.org>
Sent: Sunday, January 18, 2026 9:41:54 AM
To: Tim Burke <tim@mid.net>
Cc: nanog@lists.nanog.org <nanog@lists.nanog.org>; Corey Smith <cosmith80001@gmail.com>; Roland Dobbins <Roland.Dobbins@netscout.com>; Mel Beckman <mel@beckman.org>
Subject: Re: ISP Operators AISURU/Kimwolf botnet

You should write the article and submit it to the New York Times technology group. I believe David Pogue still works there, and he is a tech guy, so maybe he would be a good vehicle to get it published. I used to work with David at Macworld magazine. But it’s not the job for an ISP, or even something an ISP could get the major media to publish.

-mel via cell
On Jan 17, 2026, at 4:50 PM, Tim Burke <tim@mid.net> wrote:
The problem I see is that an article like this is intended for an IT/security professional audience.
These TV piracy boxes are often used by uneducated folks that would not read such an article. They just want their sports and $cableNewsChannel, and if you tell them it’s illegal or full of malware, they will just tell you you’re wrong, keep using it, and let it cause their 1Gbps circuit to get saturated by botnet traffic, all in the name of “free television”.
I have joined a few social media groups about these devices out of sheer curiosity, and have seen a number of threads from folks that ask why an ISPs security offering (typically Comcast’s “XFi Security” or AT&T’s “Active Armor”) would be complaining about traffic coming from the device… the common trend is to tell people to disable the security services, as “Infinity [SIC] is just trying to force you to buy their cable”.
Hooray for Stockholm syndrome.
On Jan 16, 2026, at 20:10, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
Roland,
The Krebs article you cite is even better than the one I linked, because it shows pictures of the many consumer devices that can be infiltrated. People are likely to immediately recognize any they own, which will drive home the point that this is their problem.
-mel
On Jan 16, 2026, at 5:43 PM, Dobbins, Roland via NANOG <nanog@lists.nanog.org> wrote:
On Jan 16, 2026, at 22:16, Benjamin Hatton via NANOG <nanog@lists.nanog.org> wrote:
As a smaller ISP, I think the biggest thing that would help us would be a 'mainstream' media outlet covering some of it so we have something to show customers who call in about their internet being bad, us telling them it is their android streaming box that is taking up their entire connection moving TBs of data a day, and them responding with "but I bought it from Walmart/Amazon" or "you are just trying to get me to sign up for your cable" and refusing to do anything about it because 'free TV'.
The Kimwolf Botnet is Stalking Your Local Network (krebsonsecurity.com): https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
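The mitigation the thread converges on (Suresh's "third party malware feeds feeding into SP walled gardens", Mel's "ISPs, where they can identify abusive outbound traffic, can turn off those customers") is a correlation job: take a feed of IPs that a sinkhole or honeypot operator saw acting as bots, intersect it with the ISP's own customer allocations, and turn the hits into walled-garden actions. The Python below is an added example written for this page, not code from any list participant, Shadowserver, or any vendor. The CSV columns, the customer prefix table, and the tag names are constructed for illustration; a real feed has a different and larger schema, and the allocation data would come from RADIUS, DHCP or IPAM rather than a literal.

```python
"""Correlate a third-party botnet feed with an ISP's customer allocations.

Added example; not from the NANOG thread or any feed provider. The feed
layout below is an ASSUMED, simplified CSV in the spirit of a sinkhole
"drone" report; real reports carry more columns and different names.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample feed, as an ISP abuse contact might receive it.
# Column names are assumptions for this example. It deliberately includes
# a malformed IP, an IP outside our space, and a non-botnet tag.
FEED_CSV = """timestamp,ip,port,asn,tag,dst_ip,dst_port
2026-01-17 03:12:44,203.0.113.17,51234,64500,kimwolf,198.51.100.9,443
2026-01-17 03:15:02,203.0.113.17,51260,64500,kimwolf,198.51.100.9,443
2026-01-17 04:01:10,203.0.113.200,40021,64500,aisuru,192.0.2.44,80
2026-01-17 04:05:33,192.0.2.77,22222,64501,kimwolf,198.51.100.9,443
2026-01-17 04:09:00,not-an-ip,1,64500,kimwolf,198.51.100.9,443
2026-01-17 05:00:00,203.0.113.130,60000,64500,unrelated-tag,192.0.2.44,80
"""

# Constructed allocation table: prefix -> customer id. In practice this is
# pulled from RADIUS/DHCP/IPAM at the timestamp of the report, because
# dynamic pools reassign addresses and a stale mapping blames the wrong
# household.
CUSTOMER_PREFIXES = {
    "203.0.113.0/26": "cust-1001",
    "203.0.113.128/25": "cust-1042",
    "203.0.113.192/26": "cust-1077",
}

# Tags (assumed names) that justify a walled-garden action.
BOTNET_TAGS = {"kimwolf", "aisuru"}


def parse_feed(text):
    """Yield (ip_address, tag) per row; skip rows with unparsable IPs
    instead of aborting the whole batch on one bad line."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue
        yield ip, row["tag"].strip().lower()


def build_lookup(prefix_map):
    """Parse the prefix table once; strict=True rejects host bits set."""
    return [(ipaddress.ip_network(p, strict=True), cid)
            for p, cid in prefix_map.items()]


def find_customer(ip, nets):
    """Longest-prefix match of ip against our allocations, or None if the
    address is not ours (feeds are global; most rows will not be)."""
    best = None
    for net, cid in nets:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cid)
    return best[1] if best else None


def correlate(feed_text, prefix_map, tags=BOTNET_TAGS):
    """Return {customer_id: {"ips": set, "tags": set, "reports": int}}
    for feed rows that carry a botnet tag and fall inside our space."""
    nets = build_lookup(prefix_map)
    hits = defaultdict(lambda: {"ips": set(), "tags": set(), "reports": 0})
    for ip, tag in parse_feed(feed_text):
        if tag not in tags:
            continue
        cid = find_customer(ip, nets)
        if cid is None:
            continue
        h = hits[cid]
        h["ips"].add(str(ip))
        h["tags"].add(tag)
        h["reports"] += 1
    return dict(hits)


def walled_garden_actions(hits, min_reports=1):
    """Reduce hits to (customer_id, ips, tags) tuples worth acting on.
    min_reports lets an operator require repeat sightings before
    quarantining a subscriber on a single third-party observation."""
    return sorted(
        (cid, sorted(h["ips"]), sorted(h["tags"]))
        for cid, h in hits.items()
        if h["reports"] >= min_reports
    )


if __name__ == "__main__":
    for cid, ips, tags in walled_garden_actions(
            correlate(FEED_CSV, CUSTOMER_PREFIXES)):
        print(f"{cid}: quarantine {ips} ({', '.join(tags)})")
```

The two knobs that matter operationally are the timestamp-aware allocation lookup (a dynamic pool reassigns addresses, so the mapping has to be taken at the report time, which this example only notes in a comment) and `min_reports`, which decides how many independent sightings you want before a subscriber lands in the garden; one sighting from one feed is weak evidence, two feeds or repeat sightings over a day are much stronger.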
Participants (15):
- Barry Greene
- Benjamin Hatton
- Corey Smith
- Dobbins, Roland
- Intergalactic Auditor
- Jon Lewis
- Josh Luthman
- Marco Moock
- Mel Beckman
- Mike Simpson
- rgolodner
- Suresh Ramasubramanian
- Tim Burke
- Tom Beecher
- William Herrin