Death of the Internet, Film at 11
VICTOR LASZLO: If we stop fighting our enemies, the world will die.
RICK BLAINE: Well, what of it? It will be out of its misery.
-- From the movie "Casablanca" (1942)

Sorry, but some days I just can't help thinking to myself "Oh well, as much fun as it has been, this whole lab experiment called The Internet was never really going to last or stand the test of time anyway."

The problem isn't the technology. It's the politics. It's fragility by design.

Oh! And by the way, one news source that I was just reading a few minutes ago stated that all of the carnage at Dyn today was caused by something on the order of just 1/10th of the known CCTV bots out there. And I'm thinking, like, "Gee! I guess that we ought to count ourselves as lucky that whoever was running this thing, for whatever reason, just didn't much feel like firing up the whole entire bloody thing today. Otherwise, you know, we might have REALLY had a problem." :-)

Regards,
rfg

P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps (like BCP 38), congratulations. Via your inaction and self-centered intransigence you have today moved us all one step closer to the day when the relevant decisions will be taken out of your hands. You are succeeding brilliantly at creating the exact thing that you most abhor, i.e. government control. Clemenceau said that war is too important to be left to the generals. Well, guess what? The Internet is too important to be left to the [[fill in the blank]].

It has already begun...

https://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-i...

This is just the first timid step. A few more days like today and more, much more, will follow.
On 2016-10-22 00:39, Ronald F. Guilmette wrote:
P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps (like BCP 38), congratulations.
What does BCP38 have to do with this? All that does is block one specific type of attack (and cause a lot of collateral damage). The IoT devices do not need to spoof addresses - they can just generate attack traffic directly. This is even better, because you can't cut those eyeball addresses off - those are the same addresses your target audience is using. If you cut off the eyeball networks there's not much point to running an internet business website anymore. -Laszlo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/21/2016 5:52 PM, Laszlo Hanyecz wrote:
On 2016-10-22 00:39, Ronald F. Guilmette wrote:
P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps (like BCP 38), congratulations.
What does BCP38 have to do with this? All that does is block one specific type of attack (and cause a lot of collateral damage). The IoT devices do not need to spoof addresses - they can just generate attack traffic directly. This is even better, because you can't cut those eyeball addresses off - those are the same addresses your target audience is using. If you cut off the eyeball networks there's not much point to running an internet business website anymore.
Don't let the perfect be the enemy of the good.

- - ferg (BCP38 instigator)

- --
Paul Ferguson
ICEBRG.io, Seattle USA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlgKunAACgkQKJasdVTchbJJCQD+N6cosKffmfTqERBJ8q3pX+20
jY/FQvzUuKoy+iY3C4wA/2qKV01Z0e16BQ0/030euhCCmTUW0jut+Hp8xyWrVKkN
=+oT7
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/21/2016 8:08 PM, Randy Bush wrote:
What does BCP38 have to do with this?
nothing technical, as these iot attacks are not spoofed.
think of it as a religion.
I'm going to save this e-mail forever!

Cheers,

- - ferg

- --
Paul Ferguson
ICEBRG.io, Seattle USA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlgK2ukACgkQKJasdVTchbJDywD/frHeNpPnlwT1ddgh4kZyi5MJ
YkH5lbx41an0WNpg3NAA/043VNnfKK5JQ7+dCsXyx8LEno8aIoIPvIvPGsWyjY50
=HMfV
-----END PGP SIGNATURE-----
What does BCP38 have to do with this? nothing technical, as these iot attacks are not spoofed. think of it as a religion. I'm going to save this e-mail forever!
no extra charge

we deploy it more than most. we talk about it less than most. and every time something untoward happens on the internet, we do not tell everyone that they should deploy bcp38, filtering, origin validation, dnssec, ipv6, ...

talk is cheap.
* Randy Bush:
What does BCP38 have to do with this?
nothing technical, as these iot attacks are not spoofed.
How do you know? Has anyone disclosed specifics?

I can understand that keeping details under wraps is sometimes required for operational security, but if the attacks are clearly succeeding, I would have expected those who posted “do something, now!” messages to provide at least some pointer to technical details of what was going on.

Not that the underlying threat will go away until we find a way to clean up almost all of the compromised devices (and without breaking the Internet along the way, forever).
A number of people are asking for advice on how to detect this bug. Here are some thoughts. I'm a mathematician, and not a network operator, so would love feedback.

The source code of Mirai is here, and I've had some fun taking it apart over the last week: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massi...

Notable findings:

* Primary infection vector is via telnet scanning. Port 23 is literally hardcoded in. 10% of the time, it scans for port 2323. Found that odd, but I suppose one of the devices it's targeting uses that port.

* The malware disables any services running on ports 22, 23, and 80, primarily to prevent other infection opportunities. This surprises me, for I figured that killing port 80 might attract attention from the device owner, but evidently the risk of reinfection is too high to not do it. See line 88: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/killer.c

* The malware uses a large set of signatures to kill other bots running in memory, like QBot. I find this interesting. A script kiddie won't, but a more sophisticated adversary could add Mirai itself to this list of signatures to outcompete the released variant of the code. You can see the library of signatures here: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/table.c

Digging around, I found that several samples of Mirai related malware have been uploaded and processed by the Indian honeynet's Linux sandbox. Here's a sample: https://detux.org/report.php?sha256=0b28b39f25c748b69369c18f72e937950826f189...
From the host connectivity log, you can see all of the port 23 scanning activity. The scanning is completely random, and not sequential, hopping all over the place. From a detection standpoint, that is where I would start, but this assumes that the hosts on your network are actively scanning and not lying dormant.
This file, starting on line 124, has all of the hard-coded passwords that the malware uses to login to telnet sessions: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.... - Googling around, you can find the make and model number that each of those user/password combinations is associated with. Brian compiled a list actually: https://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.csv

My question for you guys, since I'm a theoretician and not a seasoned operator: how feasible or legal is it to find telnet scanning activity or any of these passwords in high-bandwidth netflows? If it's feasible, then this at least gets you the active scanning population of hosts, along with the IPs of all of their victims.

Aside from the active scanning population, finding dormant hosts might only be feasible if we know the list of C&Cs used, which can vary widely. For Mirai in particular, the actual bot itself is delivered via tftp or wget from another dropper host. Take a look at this other sample for this kind of behavior. It connects to a webserver in the Netherlands and pulls down the payload binary: https://detux.org/report.php?sha256=996167e00f2aef787c432ca4ce4613edf39c5f83...

I think it's unlikely that skilled users of this malware would keep using the default 'mirai.arm7' payload, but evidently some are in the wild! Finding these http drops might help you find recent successful infections. More importantly however, the payload delivered itself will have information about the C&C, and if we as a community gather and analyze that, we can find more easily the total set of dormant devices waiting to attack. Ultimately if you know the C&C being used, you can much more easily find the bots.

I'm going to pull apart the server code next. About time I learn GO...

Lastly, studying this malware long enough, some techniques jump to mind which could hypothetically infect and patch a large number of vulnerable hosts. I'm sure someone brave enough might do this. Totally worked out for Robert Morris.

On Sun, Oct 23, 2016 at 3:16 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Randy Bush:
What does BCP38 have to do with this?
nothing technical, as these iot attacks are not spoofed.
How do you know? Has anyone disclosed specifics?
I can understand that keeping details under wraps is sometimes required for operational security, but if the attacks are clearly succeeding, I would have expected those who posted “do something, now!” messages at least some pointer to technical details of what was going on.
Not that the underlying threat will go away until we find a way to clean up almost all of the compromised devices (and without breaking the Internet along the way, forever).
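The detection starting point Clinton describes (a source fanning out single-probe telnet connections to destinations scattered at random across the address space) can be checked from flow headers alone, which also answers the "can I see passwords in netflow" question in the negative: nothing below works on payload. The following is an added example written for this thread, not code from the thread, from Mirai, or from any flow collector. It assumes a flat CSV export of flow records with the columns shown in the constructed sample (timestamps, addresses and counts are all made up; the scanner destinations are drawn from 10.0.0.0/8 purely so the sample has many /16s to spread over), and a `sampling_rate` parameter to scale observed counts when the exporter samples flows 1:N.

```python
"""Flag likely Mirai-style telnet scanners from NetFlow-like records (headers only).

Added example for this thread; not code from the thread or from the Mirai source.
Assumes a CSV export with the columns in SAMPLE_FLOWS (constructed data).
"""
import csv
import io
import ipaddress
import random
import statistics
from collections import defaultdict

# Mirai hardcodes TCP/23 and, about 10% of the time, TCP/2323 (per the thread).
TELNET_PORTS = {23, 2323}


def _constructed_sample():
    """Build a constructed CSV: one random telnet scanner, one admin host, one web client."""
    rng = random.Random(20161021)  # fixed seed so the sample is reproducible
    lines = ["start_time,src_ip,dst_ip,dst_port,proto,packets,bytes"]
    t = 1477000000
    # Scanner: 30 single-SYN probes to destinations scattered across 10.0.0.0/8.
    dsts = set()
    while len(dsts) < 30:
        dsts.add("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255)))
    for i, dst in enumerate(sorted(dsts)):
        port = 2323 if rng.random() < 0.1 else 23
        lines.append("%d,203.0.113.7,%s,%d,6,1,60" % (t + i, dst, port))
    # Admin host: long telnet sessions to two devices on one management subnet.
    for i, dst in enumerate(["10.1.1.10", "10.1.1.11"]):
        lines.append("%d,198.51.100.5,%s,23,6,140,9800" % (t + i, dst))
    # Web client: many HTTP destinations, which must not be flagged (wrong port).
    for i in range(25):
        lines.append("%d,192.0.2.40,10.%d.0.%d,80,6,12,2400" % (t + i, i, 10 + i))
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _constructed_sample()


def parse_flows(text):
    """Parse the CSV export into dicts with numeric fields converted."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start_time": int(row["start_time"]),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": int(row["proto"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def telnet_fanout(flows, sampling_rate=1):
    """Per source: distinct telnet destinations, distinct /16s hit, mean packets per flow.

    sampling_rate is the exporter's 1:N flow sampling ratio; observed destination
    counts are scaled up to an estimate, since sampled data undercounts short flows.
    """
    dsts = defaultdict(set)
    pkts = defaultdict(list)
    for f in flows:
        if f["proto"] == 6 and f["dst_port"] in TELNET_PORTS:
            dsts[f["src_ip"]].add(f["dst_ip"])
            pkts[f["src_ip"]].append(f["packets"])
    stats = {}
    for src, dset in dsts.items():
        # Random scanning lands in many /16s; administration stays within a few.
        slash16 = {str(ipaddress.ip_network(d + "/16", strict=False)) for d in dset}
        stats[src] = {
            "distinct_dsts": len(dset),
            "estimated_dsts": len(dset) * sampling_rate,
            "distinct_slash16": len(slash16),
            "mean_packets": statistics.fmean(pkts[src]),
        }
    return stats


def flag_scanners(flows, sampling_rate=1, min_dsts=20, min_slash16=5, max_mean_packets=3.0):
    """Return sources whose telnet fan-out looks like scanning rather than administration:
    many destinations, spread over many /16s, and short (SYN-only) flows."""
    flagged = []
    for src, s in telnet_fanout(flows, sampling_rate).items():
        if (s["estimated_dsts"] >= min_dsts
                and s["distinct_slash16"] >= min_slash16
                and s["mean_packets"] <= max_mean_packets):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, s in telnet_fanout(flows).items():
        print(src, s)
    print("flagged:", flag_scanners(flows))
```

The three conditions together are what separates a scanner from an operator's jump host: the admin source in the sample talks telnet too, but to two devices in one /16 with long sessions, so it never trips. The thresholds are placeholders to tune per network; with 1:1000 sampling a 30-destination scanner is mostly invisible, which is why `sampling_rate` scales the count rather than the threshold.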
Clinton, This is excellent information. While it's not possible to see passwords in netflows (only headers are included, not packet contents), it's a sure thing that attacked victims could extract a list of infected machines from the IP address scan and then run verification scans against just those devices. Any confirmed infected devices could then be published on a blacklist, a la spam blockers. Providers then could either blackhole (at the source) or filter those addresses. -mel
On Oct 23, 2016, at 5:20 AM, clinton mielke <clinton.mielke@gmail.com> wrote:
A number of people are asking for advice on how to detect this bug. Here are some thoughts. I'm a mathematician, and not a network operator, so would love feedback.
The source code of Mirai is here, and I've had some fun taking it apart over the last week: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massi...
Notable findings:
* Primary infection vector is via telnet scanning. Port 23 is literally hardcoded in. 10% of the time, it scans for port 2323. Found that odd, but I suppose one of the devices it's targeting uses that port.
* The malware disables any services running on ports 22, 23, and 80, primarily to prevent other infection opportunities. This surprises me, for I figured that killing port 80 might attract attention from the device owner, but evidently the risk of reinfection is too high to not do it. See line 88: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/killer.c
* The malware uses a large set of signatures to kill other bots running in memory, like QBot. I find this interesting. A script kiddie won't, but a more sophisticated adversary could add Mirai itself to this list of signatures to outcompete the released variant of the code. You can see the library of signatures here: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/table.c
Digging around, I found that several samples of Mirai related malware have been uploaded and processed by the Indian honeynet's Linux sandbox. Here's a sample: https://detux.org/report.php?sha256=0b28b39f25c748b69369c18f72e937950826f189...
From the host connectivity log, you can see all of the port 23 scanning activity. The scanning is completely random, and not sequential, hopping all over the place. From a detection standpoint, that is where I would start, but this assumes that the hosts on your network are actively scanning and not lying dormant.
This file, starting on line 124, has all of the hard-coded passwords that the malware uses to login to telnet sessions: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.... - Googling around, you can find the make and model number that each of those user/password combinations is associated with. Brian compiled a list actually: https://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.csv
My question for you guys, since I'm a theoretician and not a seasoned operator: how feasible or legal is it to find telnet scanning activity or any of these passwords in high-bandwidth netflows? If it's feasible, then this at least gets you the active scanning population of hosts, along with the IPs of all of their victims.
Aside from the active scanning population, finding dormant hosts might only be feasible if we know the list of C&Cs used, which can vary widely. For Mirai in particular, the actual bot itself is delivered via tftp or wget from another dropper host. Take a look at this other sample for this kind of behavior. It connects to a webserver in the Netherlands and pulls down the payload binary: https://detux.org/report.php?sha256=996167e00f2aef787c432ca4ce4613edf39c5f83...
I think it's unlikely that skilled users of this malware would keep using the default 'mirai.arm7' payload, but evidently some are in the wild! Finding these http drops might help you find recent successful infections. More importantly however, the payload delivered itself will have information about the C&C, and if we as a community gather and analyze that, we can find more easily the total set of dormant devices waiting to attack. Ultimately if you know the C&C being used, you can much more easily find the bots.
I'm going to pull apart the server code next. About time I learn GO...
Lastly, studying this malware long enough, some techniques jump to mind which could hypothetically infect and patch a large number of vulnerable hosts. I'm sure someone brave enough might do this. Totally worked out for Robert Morris.
On Sun, Oct 23, 2016 at 3:16 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Randy Bush:
What does BCP38 have to do with this?
nothing technical, as these iot attacks are not spoofed.
How do you know? Has anyone disclosed specifics?
I can understand that keeping details under wraps is sometimes required for operational security, but if the attacks are clearly succeeding, I would have expected those who posted “do something, now!” messages at least some pointer to technical details of what was going on.
Not that the underlying threat will go away until we find a way to clean up almost all of the compromised devices (and without breaking the Internet along the way, forever).
Clinton,

On 10/23/2016 8:12 AM, clinton mielke wrote:
My question for you guys, since I'm a theoretician and not a seasoned operator: how feasible or legal is it to find telnet scanning activity or any of these passwords in high-bandwidth netflows? If it's feasible, then this at least gets you the active scanning population of hosts, along with the IPs of all of their victims.
If there is enough concentration of common flows from a certain set of IPs, it's quite possible to detect the scanning activity using sampled flow data if one were collecting such data. I say sampled as 1-for-1 flow data collection is not common. You would not see packet content just using flow data.

regards,
Victor K
In message <874m43qsk2.fsf@mid.deneb.enyo.de>, Florian Weimer <fw@deneb.enyo.de> wrote:
Not that the underlying threat will go away until we find a way to clean up almost all of the compromised devices (and without breaking the Internet along the way, forever).
The Internet *is* already broken. After the attack on Krebs, the terabit+ attack on OVH, and the events of Friday, if there are still some people who fail to grasp this fundamental point, then it can only be because some folks have become really adept at living in denial. Regards, rfg
Block one type of attack enough times and you've accomplished something. Because script kiddies are taking advantage of published exploits doesn't mean we stop setting passwords on things. You have to protect from them all.

No, no collateral damage. We discussed this a couple weeks ago and there was no credible evidence of collateral damage.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Laszlo Hanyecz" <laszlo@heliacal.net>
To: nanog@nanog.org
Sent: Friday, October 21, 2016 7:52:42 PM
Subject: Re: Death of the Internet, Film at 11

On 2016-10-22 00:39, Ronald F. Guilmette wrote:
P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps (like BCP 38), congratulations.
What does BCP38 have to do with this? All that does is block one specific type of attack (and cause a lot of collateral damage). The IoT devices do not need to spoof addresses - they can just generate attack traffic directly. This is even better, because you can't cut those eyeball addresses off - those are the same addresses your target audience is using. If you cut off the eyeball networks there's not much point to running an internet business website anymore. -Laszlo
On Oct 21, 2016, at 17:39, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps
What does Ayn Rand have to do with it? She would hardly countenance incompetence.
Then, again, Ayn Rand's idea of "sex" was to get slapped around first.. I am not sure I would acquire my "life philosophy" from her.... and, as *proudly* *independent* as she was, in the end, she relied upon American Social Security to get by.... talk is cheap.

On 10/21/2016 09:02 PM, James Downs wrote:
On Oct 21, 2016, at 17:39, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps

What does Ayn Rand have to do with it? She would hardly countenance incompetence.
participants (11): clinton mielke, Florian Weimer, James Downs, Laszlo Hanyecz, Mel Beckman, Mike Hammett, Paul Ferguson, Randy Bush, Richard Irving, Ronald F. Guilmette, Victor Kuarsingh