The clumsy, amateurish IoT botnet has now infected devices in virtually all of the world's countries


#1

Originally published at: http://boingboing.net/2016/10/11/the-clumsy-amateurish-iot-bot.html


#2

ISPs should have some liability when their network is part of a DDOS attack. Inspecting packet headers to verify that the from address is actually on their network isn’t a huge burden.


#3

How do I test my things?


#4

Is there a way to detect the traffic on a SOHO network?
My router has an implementation of dd-wrt, so I assume that I should be able to get relevant info.


#5

Well, I guess SkyNet beta is operational. Crap.


#6

While they’re at it, we could just have them check for child pornography. Because everybody agrees that’s bad. And terrorist recruitment messages, because those couldn’t possibly benefit anybody. And why not check for suspicious encrypted messages? And…

I prefer the ISPs be regulated like utilities, myself, and bear no responsibility for their traffic.


#7

Good looking out, Greenland!


#9

I don’t buy the slippery slope argument. I do agree that they should be regulated like utilities though. The grid operators, for example, have very stringent standards for equipment that hooks up to the grid. That’s basically the level of control I’m talking about. You shouldn’t be allowed on the grid or the network if your gear behaves so poorly it takes out your neighbors.

Edit: This is what I’m talking about. It’s an IETF standard for how the networks that make up the internet should behave.


#10

That paper is much too technical for me, but it looks like it would work. Making it a standard is not a bad idea, but mandating it by law is. Has anybody on Capitol Hill ever written good technical policy? The very first lobbyist in line would be the RIAA asking the router to also block copyrighted material.

This is one of the things I think the market might actually handle best. Even if nobody knows what X dot 1492 dot Y means, they can read the advertisement that says “our router protects you from attacks. Theirs doesn’t.”


#11

The other part is shitty device vendors should be named and shamed. Where’s the list of IoT devices that are being hijacked?


#12

Long-winded oversimplification man to your rescue!

Both ingress and egress filtering are Internet standards.

If someone is an Internet Service Provider, and they are selling what they claim is Internet, but they are not implementing ingress and egress filtering, then they are committing misrepresentation or fraud. Because what they are selling is not Internet, by definition.

For comparison, suppose I set up a truck stop and sell fuel from pumps marked “diesel fuel”. As long as that fuel actually conforms to the legal limits for sulphur content and the ASTM standard for diesel fuel, I am OK. But what if I am actually pumping gasoline out of those pumps? Well, after a few truck engines catch fire or explode, I will go to jail because I lied about what I was selling. The standards are what determine the fact that I lied.

Anyway, what ingress filtering does is it says “I will not let anything in the door that is not intended for one of my subscribers”. So, if something says it’s for China, I won’t allow it to enter New York City, because that’s obviously misrouted and should fail according to the standards.

Egress filtering is even more important; it says “I will not let anything out the door that does not have a source address of one of my subscribers”. So, if something says it comes from Egypt, I will not let my customer send it out of my network, since it’s obviously got a forged return address and thus only useful for harmful activities.

So this should be simple and straightforward - if you are claiming to sell Internet, but you aren’t following the standards, you are already committing a crime, there’s no need for any new laws.

There are two problems.

One, many ISPs are telcos. American telcos are basically not subject to the rule of law (thanks, Obama). So it’s a bit of a sticky wicket there.

Two, judges are picked politically, not on technical merit, and juries are often picked to represent the least common denominator of the American public. That really strongly decreases the chances of anyone in a courthouse having the technical and literary background necessary to cut through the lies of large wealthy corporations. It doesn’t help that the standards documents are called “Requests for Comments” (no, really, they are).

Note: Verizon, AOL, and many others violate the standards routinely. Don’t expect them to go to jail any time soon.

In the case of ingress and egress filtering it’s not about traffic content. It’s very much like utility regulation - a US utility is required to send you electricity between 112 and 125 volts, at exactly sixty cycles per second. If they don’t, they have violated the standards, and your dishwasher will burn up or your electric heater will explode. Just so with Internet standards - they are not about content, they are about what is and isn’t a reasonable behavior for a participant in a workable system.

The Internet is not made of wires and computers. You can send data packets by carrier pigeon and it is still Internet. The Internet is made of rules. If you don’t follow the rules, it’s not Internet, just as gasoline is not diesel fuel.


#13

Well if you eggheads say they can inspect headers without looking at my porn, I’ll take your word for it - thanks!


#14


#15

If you meant BGP you should have said so, if not what did you mean?


#16

Straight up network edge packet filtering. All leaf networks should have ingress filtering, and even trunks should have some minimal egress filtering based on physical topography and permissible addresses for routing. Minimally as per RFC2827 (BCP 38), RFC1918 (BCP 5), and RFC6890 (BCP 153).

Paul Vixie elucidates (see 2nd section, Source Address Validation).

There’s a program called sing (Send ICMP Nasty Garbage) that a clever, knowledgeable person could use to punish ISPs with bad ingress and egress filtering (which is probably most of them) but I do not recommend or endorse vigilante actions so I’ll leave it at that.
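As an added illustration of the ingress and egress checks described in #12 and the BCP 38 / RFC 1918 / RFC 6890 filtering #16 refers to (example code added here, not from the thread or any project): the two decisions a network edge makes on each packet, using only the address headers. The customer prefixes, bogon list and sample packets are constructed for the example from RFC 5737 documentation ranges and a subset of the special-purpose ranges.

```python
import ipaddress

# Constructed example: the prefixes this ISP has assigned to its subscribers.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed subset of RFC 1918 / RFC 6890 special-purpose ranges that should
# never appear as a source address on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def egress_decision(src):
    """Packet leaving toward the upstream: the source must be one of ours (BCP 38)."""
    s = ipaddress.ip_address(src)
    if in_any(s, BOGON_PREFIXES):
        return "drop: bogon source"
    if not in_any(s, CUSTOMER_PREFIXES):
        return "drop: source is not one of our subscribers (forged return address)"
    return "permit"

def ingress_decision(src, dst):
    """Packet arriving from the upstream: destination must be ours, source must not be."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not in_any(d, CUSTOMER_PREFIXES):
        return "drop: destination is not one of our subscribers (misrouted)"
    if in_any(s, CUSTOMER_PREFIXES):
        return "drop: our own address arriving from outside (spoofed)"
    if in_any(s, BOGON_PREFIXES):
        return "drop: bogon source"
    return "permit"

# Constructed packets as (direction, src, dst); 192.0.2.0/24 stands for "the rest of the Internet".
SAMPLE_PACKETS = [
    ("egress", "203.0.113.10", "192.0.2.7"),    # legitimate subscriber traffic
    ("egress", "192.0.2.99", "192.0.2.7"),      # forged source, the "Egypt" case in #12
    ("egress", "10.1.2.3", "192.0.2.7"),        # private source leaking out
    ("ingress", "192.0.2.7", "203.0.113.10"),   # legitimate inbound traffic
    ("ingress", "192.0.2.7", "192.0.2.200"),    # not for us, the "China" case in #12
    ("ingress", "203.0.113.10", "203.0.113.11"),  # our own address from outside
]

def filter_packets(packets):
    """Return (direction, src, dst, decision) for every packet."""
    return [(dir_, s, d, egress_decision(s) if dir_ == "egress" else ingress_decision(s, d))
            for dir_, s, d in packets]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(*row)
```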


#17

Torrents too! Those pirates need to be stopped!


#18

I’m not sure you can fruitfully compare people moving bytes that might have been illicitly obtained (torrents) with people actually maliciously attacking computers and services (DDOS).

For one thing, you’d need deep packet inspection to determine if a torrent was illicit. It’d be equivalent to opening someone’s mail to see if there were real lottery tickets or fake lottery tickets inside. What @chesterfield is talking about is very different; to determine if someone’s faked their return address does not require opening the envelope, and it’s also pretty clear cut evidence of fraudulent intent.


#19

Duh! It’s made of tubes (and cat videos). Everybody knows this.


#20

Plenty of ISPs would happily just decide that torrent == piracy and leave it at that.


#21

That certainly seems to be the case. And it’s actually worse than that; I pretty much encrypt everything all the time (both as a habit, and because I often work with legally privileged data) so nearly all the traffic in and out of my home network is running over SSH or HTTPS. When I was still a Comcast customer, they were running Sandvine, and they used to inject reset packets into my streams at regular intervals, even though I never use more than a fraction of the bandwidth I’m paying for. Basically if I used SSH overnight for any reason (like monitoring a task at work) they figured encrypted=criminal and broke the link. And then pretended they hadn’t.

(Sandvine is deep packet inspection, exactly the sort of thing @Boundegar was objecting to, as opposed to simply following the rules of the Internet, as @Chesterfield was recommending. The ISPs seem to want to do the former - they want to use relatively complex and expensive technology to look at your porn or whatever else you are doing - but they don’t want to expend any effort on protecting their customers from criminals by following the simple technical rules. The Sandvine system could not see inside my SSH connections, so they broke them instead.)

If you’re wondering why ISPs block port 25, preventing the use of private mailservers, it’s the same thing. They want to be able to look at your mail, and they spend their effort on that rather than on preventing email spam from traversing their networks.