Author Topic: Major DDOS attacks today  (Read 10292 times)

Offline zapta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6190
  • Country: us
Major DDOS attacks today
« on: October 21, 2016, 10:32:41 pm »
Major DDOS attacks today, including on major sites.

Couldn't access github earlier but it's up again.

http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/

I wonder if the timing is related to current events such as blocking Assange's internet access or the tension with Russia.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 6912
  • Country: ca
Re: Major DDOS attacks today
« Reply #1 on: October 21, 2016, 11:36:38 pm »
Some kids playing with crappy IoTs.

We had Edward Snowden speaking at a major Security conference here in Toronto a couple of days back (via a link), nobody gave a shit to try blocking him.
Facebook-free life and Rigol-free shack.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16621
  • Country: us
  • DavidH
Re: Major DDOS attacks today
« Reply #2 on: October 22, 2016, 01:42:45 am »
We had Edward Snowden speaking at a major Security conference here in Toronto a couple of days back (via a link), nobody gave a shit to try blocking him.

Snowden has not been peeing into Hillary's Cheerios.

Maybe DynDNS did not pay their DDOS protection money or one of their customers is the target.
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Major DDOS attacks today
« Reply #3 on: October 22, 2016, 02:03:45 am »
Wikileaks issued a statement for their guys to stop messing with the internet in the USA.  Assange said "you made your point!"


Brian
 

Offline zapta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6190
  • Country: us
Re: Major DDOS attacks today
« Reply #4 on: October 22, 2016, 05:31:47 am »
Wikileaks issued a statement for their guys to stop messing with the internet in the USA.  Assange said "you made your point!"


Brian
Did Assange imply that he sees this DDOS related to his internet embargo?

As for Snowden, he is not disclosing anything new these days.
 

Offline AntiProtonBoy

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: Major DDOS attacks today
« Reply #5 on: October 22, 2016, 05:41:25 am »
Some kids playing with crappy IoTs.

I reckon it's more than that. In the past month Bruce Schneier has been talking about the possibility of someone (i.e. large foreign entities, such as governments) probing the defences of various networking infrastructure. The latest attack might have been part of that test.

https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
 

Offline vodka

  • Frequent Contributor
  • **
  • Posts: 518
  • Country: es
Re: Major DDOS attacks today
« Reply #6 on: October 22, 2016, 05:56:19 am »
I think that is a preemptive attack by Putin, because it is very curious that the Russians were waiting for days for a DDOS attack from the CIA.
And the result is that the USA is attacked by the same method that it wanted to use to attack Russia :-DD.
 

Offline denverpilot

  • Regular Contributor
  • *
  • Posts: 74
Major DDOS attacks today
« Reply #7 on: October 22, 2016, 05:57:45 am »
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Building lots and lots of small Internet of Things devices with poor security practices in them, now has significant consequences.

They'll become someone's bot farm.
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Major DDOS attacks today
« Reply #8 on: October 22, 2016, 06:24:31 am »
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Building lots and lots of small Internet of Things devices with poor security practices in them, now has significant consequences.

They'll become someone's bot farm.

So, when the whole thing falls to the ground it will be the toasters and refrigerators that are behind it.


Brian
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12298
  • Country: au
Re: Major DDOS attacks today
« Reply #9 on: October 22, 2016, 07:08:58 am »

So, when the whole thing falls to the ground it will be the toasters and refrigerators that are behind it.


The true face of Skynet is revealed.
 
The following users thanked this post: t2kv

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Major DDOS attacks today
« Reply #10 on: October 22, 2016, 08:02:46 am »

So, when the whole thing falls to the ground it will be the toasters and refrigerators that are behind it.


The true face of Skynet is revealed.


If you listen to Elon Musk he's pretty worried about Skynet actually happening...


Brian
 

Offline AntiProtonBoy

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: au
  • I think I passed the Voight-Kampff test.
Re: Major DDOS attacks today
« Reply #11 on: October 22, 2016, 08:23:42 am »
I think Elon should just stick with making cars.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3025
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Major DDOS attacks today
« Reply #12 on: October 22, 2016, 09:06:10 am »
The number of bots out there trying to compromise your stuff is crazy,  a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

Some nice almost sequential IP's too...

 [ssh] Ban 119.249.54.66
 [ssh] Ban 119.249.54.68
 [ssh] Ban 119.249.54.75
 [ssh] Ban 119.249.54.88
 [ssh] Ban 121.18.238.104
 [ssh] Ban 121.18.238.109
 [ssh] Ban 121.18.238.114
 [ssh] Ban 121.18.238.98
 [ssh] Ban 123.31.34.217
 [ssh] Ban 123.31.41.212
 [ssh] Ban 163.172.16.102
 [ssh] Ban 211.64.120.91
 [ssh] Ban 212.129.2.234
 [ssh] Ban 221.194.44.143
 [ssh] Ban 221.194.47.208
 [ssh] Ban 221.194.47.224
 [ssh] Ban 221.194.47.229
 [ssh] Ban 221.194.47.249
 [ssh] Ban 222.186.21.35
 [ssh] Ban 58.30.52.46
 [ssh] Ban 89.163.224.128
 
The following users thanked this post: rx8pilot

Offline dansan

  • Contributor
  • Posts: 11
  • Country: us
Re: Major DDOS attacks today
« Reply #13 on: October 23, 2016, 11:24:17 pm »
The negligence of these vendors is insane.  They are shipping millions of devices that are insecure by default and can be trivially compromised.  To make matters worse, the nature of the devices can make detection and removal difficult or impossible.  People hate intrusive government regulation, but market failures like this practically invite it.
 

Offline batteksystem

  • Regular Contributor
  • *
  • Posts: 167
  • Country: hk
    • My ebay store
Re: Major DDOS attacks today
« Reply #14 on: October 23, 2016, 11:53:57 pm »
The negligence of these vendors is insane.  They are shipping millions of devices that are insecure by default and can be trivially compromised.  To make matters worse, the nature of the devices can make detection and removal difficult or impossible.  People hate intrusive government regulation, but market failures like this practically invite it.

Unless you can convince consumers that their priority is security, but not "how can I login to this damn thing, ah admin admin"

Offline TheNewLab

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: us
Re: Major DDOS attacks today
« Reply #15 on: October 24, 2016, 06:58:49 am »
Right, convince consumers to make security their priority (sarcasm here).

More seriously, we are enamored with all these devices and their connectivity. Interacting with people anywhere in the world is exhilarating, fascinating, more connected, yet more disconnected.
We need a greater awareness of the need for Internet security (security and need for some privacy in general).
It is like the boiling frog analogy: "Bring the heat up slowly, and the frog stays in and boils." It is vague and existential to most Americans... that is, until they have been hacked and have their identities stolen. Then they take it very seriously. At a server and domain level, 90% of people only vaguely understand what those words mean.

We are still dependent on the programmers, hardware designers, Internet managers, and organizations dedicated only to keeping us current of where security needs to improve and where we have failed.

I now have an app on my smart phone that aggregates articles and updates on Internet security. Glad I have it. It follows up on old stories, Our mainstream news doesn't do that. I am learning that hacks, DDOS, man-in-the-middle. New devices and that new hardware products are getting hacked, or exploits found, BEFORE they hit market.  This is both good and bad.

About Julian Assange being cut off. His Ambassadorial hosts are getting hard threats regarding major national economic destabilization for their country.

My view? We just need to keep speaking up about these matters, those of us who know. And just keep nagging those who don't to learn and understand the state of Internet security.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16621
  • Country: us
  • DavidH
Re: Major DDOS attacks today
« Reply #16 on: October 24, 2016, 07:18:06 am »
It is too bad the NSA and other government agencies worked to sabotage various internet security protocols and especially IPSEC.  Ubiquitous encryption would have helped in a general way.
 

Offline Neilm

  • Super Contributor
  • ***
  • Posts: 1546
  • Country: gb
Re: Major DDOS attacks today
« Reply #17 on: October 24, 2016, 06:15:07 pm »
I notice that the webcams used have now been recalled in the US
Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe. - Albert Einstein
 

Offline rx8pilot

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: us
  • If you want more money, be more valuable.
Re: Major DDOS attacks today
« Reply #18 on: October 24, 2016, 06:26:40 pm »
I have isolated all my IOT stuff - DVRs, doorbell, etc on a separate network which helps protect my internal systems. That, however, does not help keep them out of a DDOS attack pool. In theory, I could set up static routes, port filtering, or whatever may help prevent that, but even if I was successful in making my iot devices useless to hackers - I would be in a microscopic minority.

What the heck is the solution? If all the devices were heavily secured, they would cost more and the iot sector would cry foul when the sales dry up. We cannot expect the general public to understand or care. Every manufacturer that makes boring stuff is adding a stupid WiFi 'feature' to let you know the temperature of your toast and allow you to monitor the status of your toaster from anywhere in the world.

Like most things, it will take a major disaster before anyone cares.
Factory400 - the worlds smallest factory. https://www.youtube.com/c/Factory400
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #19 on: October 24, 2016, 06:40:28 pm »
Yep, all IoT devices should be placed into a separated network and controlled/protected via a firewall. Anything else would be plain stupid.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #20 on: October 24, 2016, 06:41:29 pm »
They'll become someone's bot farm.

They already are. :scared:
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #21 on: October 24, 2016, 06:45:15 pm »
It is too bad the NSA and other government agencies worked to sabotage various internet security protocols and especially IPSEC.  Ubiquitous encryption would have helped in a general way.

How would that protect us from insecure default settings, firmwares with tons of security issues, firmwares with outdated versions of network services with known security issues, lack of security fixes by vendors and users not updating firmwares?
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #22 on: October 24, 2016, 06:47:40 pm »
The number of bots out there trying to compromise your stuff is crazy,  a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

I'm currently seeing ~30000 telnet or ssh attempts a day, mostly unique IPs. A few weeks back 2000-3000 a day was typical.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #23 on: October 24, 2016, 06:55:39 pm »
[ssh] Ban 119.249.54.66
 [ssh] Ban 119.249.54.68
 [ssh] Ban 119.249.54.75
 [ssh] Ban 119.249.54.88
 [ssh] Ban 121.18.238.104
 [ssh] Ban 121.18.238.109
 [ssh] Ban 121.18.238.114
 [ssh] Ban 121.18.238.98
 [ssh] Ban 123.31.34.217
 [ssh] Ban 123.31.41.212

You can simplify things by taking the allocations:
119.248.0.0/14
121.16.0.0/13
123.30.0.0/15
...

BTW, I haven't seen any attempt via IPv6 yet.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #24 on: October 24, 2016, 06:58:30 pm »
The number of bots out there trying to compromise your stuff is crazy,  a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

I'm currently seeing ~30000 telnet or ssh attempts a day, mostly unique IPs. A few weeks back 2000-3000 a day was typical.

Another approach is to rate-limit the connection attempts. Could be done per IP or network.
 

Offline rx8pilot

  • Super Contributor
  • ***
  • Posts: 3634
  • Country: us
  • If you want more money, be more valuable.
Re: Major DDOS attacks today
« Reply #25 on: October 24, 2016, 07:05:08 pm »
Do you use Wireshark to monitor the inbound connection attempts?

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

Can you do this with a consumer router? Do you need a more robust solution?
Factory400 - the worlds smallest factory. https://www.youtube.com/c/Factory400
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #26 on: October 24, 2016, 07:27:37 pm »
Do you use Wireshark to monitor the inbound connection attempts?

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

Can you do this with a consumer router? Do you need a more robust solution?

Yes, if your router is supported by OpenWrt. It's a feature of the Linux netfilter ;) Although most consumer routers run Linux, vendors don't enable those features.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #27 on: October 24, 2016, 07:40:25 pm »
The number of bots out there trying to compromise your stuff is crazy,  a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

I'm currently seeing ~30000 telnet or ssh attempts a day, mostly unique IPs. A few weeks back 2000-3000 a day was typical.

Another approach is to rate-limit the connection attempts. Could be done per IP or network.

The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

In my case I'm just dropping any inbound telnet or ssh attempts at both firewalls (I have one inside another so that exploits, bugs and misconfigurations that get through one hopefully don't get through the other. The two are completely different hardware, OS, codebase etc.).
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #28 on: October 24, 2016, 07:49:19 pm »
The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

From what I see, there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

EDIT: >50% of the source addresses are assigned to China. They got the Big Firewall, but most of the bots :)
« Last Edit: October 25, 2016, 10:31:02 am by madires »
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 869
  • Country: us
Re: Major DDOS attacks today
« Reply #29 on: October 24, 2016, 11:04:29 pm »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network?  If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?


Brian
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #30 on: October 25, 2016, 10:26:13 am »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network?  If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?

For the vast majority of consumer level kit, no.

I have a, now relatively ancient, professional Cisco router that is also configured as a firewall. This is configured to log, via syslog, over the network to a server that runs 24/7. That server has two network cards and is also configured as a firewall (linux, ipfilter) which also does its own logging. Furthermore the server regularly polls the router, via SNMP, to get more statistical information from the router that's also stored and graphed on the server. It's all a bit of a pain in the butt to configure but that kind of thing used to be my day job.

Some consumer level kit is better than others and, with the right software, will provide quite useful monitoring; but most consumer level kit is, from this perspective, quite useless.

Whatever you're using, if you want monitoring and logging at the level that would record individual IPs for firewall logs you're going to need something turned on 24/7 to store the logs. Kind of obviously, if you're doing this for security monitoring you want the device recording the logs to not be the same device recording the logs, so that if the latter fails or is compromised you still have the records stored on a working, uncompromised device.

Advice on how to do this is going to be, at least in part, dependent on the specific kit you're using and is often best found on forums dedicated to that kit. For consumer kit, your best bet is using user supported replacement firmware for the platform - things like OpenWRT.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #31 on: October 25, 2016, 10:46:38 am »
The problem with the current spate is that it's coming from everywhere and anywhere. You won't see the same IP or even subnet more than once or twice in one day - it's already effectively rate limited at source.

From what I see there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

That certainly was the case but what I'm seeing recently looks much more like each compromised host is trying widely separated target IPs for each successive attempt.

So, I see an attempt from one source IP and then I don't see it again for hours or days. I haven't done any detailed analysis (and I'm not going to) but what it looks like to me seems to be confirmed by what I can see recorded at places like DShield.

Previously I'd see probes from a few tens, perhaps a few hundred, different source addresses a day, currently I'm seeing probes from tens of thousands of different source addresses a day. Yesterday's logs show 36,582 telnet attempts from 23,431 different IP source addresses hitting 41 destination addresses - if those were scans as opposed to random probes I'd expect to see, on average, 41 attempts per source address but what I'm seeing is an average 1.56 attempts per source address.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
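
Added example (not code from any poster in the thread): the comparison made in the post above, distinct destinations per source to tell sweeping scanners from scattered probes, together with a simplified model of the per-IP or per-network rate limit suggested earlier in the thread. The log format, the addresses (RFC 5737 documentation ranges), the thresholds and all function names are assumptions constructed for illustration; the limiter is a plain sliding window, not netfilter's exact semantics.

```python
import ipaddress
import re
from collections import Counter, defaultdict, deque

# Simplified, constructed log format: "<epoch> kernel: ... SRC= DST= ... DPT=".
LOG_RE = re.compile(r"^(\d+) .*?\bSRC=(\S+) DST=(\S+) .*?\bDPT=(\d+)")


def sample_line(ts, src, dst, dpt=23):
    return f"{ts} kernel: IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt}"


# Constructed sample; every address is from an RFC 5737 documentation range.
DESTS = [f"198.51.100.{i}" for i in range(1, 5)]  # 4 monitored addresses
SAMPLE = (
    # one sweeping host: all 4 addresses, 3 tries each, 2 s apart
    [sample_line(1000 + 2 * n, "192.0.2.50", DESTS[n % 4]) for n in range(12)]
    # ten scattered hosts: one probe each, 5 minutes apart
    + [sample_line(2000 + 300 * n, f"203.0.113.{10 + n}", DESTS[n % 4]) for n in range(10)]
    # two of them return about two hours later for a second address
    + [sample_line(9000, "203.0.113.10", DESTS[1]), sample_line(9500, "203.0.113.11", DESTS[2])]
    # different port, ignored by parse()
    + [sample_line(1500, "203.0.113.99", DESTS[0], dpt=443)]
)


def parse(lines, port=23):
    """Return time-ordered [(epoch, src, dst)] for attempts to `port` (23 = telnet)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m.group(4)) == port:
            events.append((int(m.group(1)),
                           ipaddress.ip_address(m.group(2)),
                           ipaddress.ip_address(m.group(3))))
    return sorted(events, key=lambda e: e[0])


def profile(events, monitored, coverage=0.75):
    """Split sources into sweepers (hit most monitored addresses) and scattered probers."""
    attempts, dests = Counter(), defaultdict(set)
    for _, src, dst in events:
        attempts[src] += 1
        dests[src].add(dst)
    sweepers = {s for s in attempts if len(dests[s]) >= coverage * monitored}
    scattered = set(attempts) - sweepers
    scattered_attempts = sum(attempts[s] for s in scattered)
    return {
        "attempts": sum(attempts.values()),
        "sources": len(attempts),
        # The figure the post quotes: total attempts / distinct sources.
        "per_source": round(sum(attempts.values()) / (len(attempts) or 1), 2),
        "sweepers": sweepers,
        "scattered_per_source": round(scattered_attempts / (len(scattered) or 1), 2),
    }


def rate_limit_drops(events, limit, window, prefix=32):
    """Attempts dropped by 'at most `limit` per `window` seconds', keyed on source /prefix.

    Returns a Counter of dropped attempts per source address. prefix=32 limits
    per IP, a shorter prefix limits per network (IPv4 only in this model).
    """
    recent = defaultdict(deque)   # key network -> timestamps of accepted attempts
    dropped = Counter()
    for ts, src, _ in events:     # events are already time-ordered
        key = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        q = recent[key]
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            dropped[src] += 1
        else:
            q.append(ts)
    return dropped


if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(profile(ev, monitored=len(DESTS)))
    print("per-IP, 3 per 60 s:", sum(rate_limit_drops(ev, 3, 60).values()), "dropped")
    print("per-/24, 3 per hour:",
          sum(rate_limit_drops(ev, 3, 3600, prefix=24).values()), "dropped")
```

On the sample, the per-IP limit drops 9 of the sweeper's 12 attempts and none of the 12 scattered probes. The per-/24 hourly limit catches scattered probes only because the constructed sources all sit in one documentation /24.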
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #32 on: October 25, 2016, 10:56:36 am »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network?  If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?

As Cerebus already said, the best option is a cheap consumer router, like TP-Link, supported by OpenWrt. But check https://wiki.openwrt.org/toh/start before you buy a new router. Possibly your current one is already supported. Or you can check the models you're interested in. In a professional environment logging is done via syslog to dedicated log servers. For home usage a USB stick connected to the router could be fine (with the security implications Cerebus hinted at). Or a small NAS might offer syslog too.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #33 on: October 25, 2016, 11:27:39 am »
From what I see there are only a very few scanners trying to fly below the radar. Most are trying to run the dictionary attack as fast as possible or every few minutes over a few days.

That certainly was the case but what I'm seeing recently looks much more like each compromised host is trying widely separated target IPs for each successive attempt.

Are you running sshd on port 22 or have you moved it to another port?

Previously I'd see probes from a few tens, perhaps a few hundred, different source addresses a day, currently I'm seeing probes from tens of thousands of different source addresses a day. Yesterday's logs show 36,582 telnet attempts from 23,431 different IP source addresses hitting 41 destination addresses - if those were scans as opposed to random probes I'd expect to see, on average, 41 attempts per source address but what I'm seeing is an average 1.56 attempts per source address.

I see, you're talking about telnet. Does anyone run telnet, besides for a telnet BBS? I just had a quick look and I see both, distributed attempts under the radar, as-fast-as-possible attacks from single IP addresses and delayed attempts over several hours/days from single IP addresses. Sources are from around the globe, and no IPv6.
 

Offline C

  • Super Contributor
  • ***
  • Posts: 1346
  • Country: us
Re: Major DDOS attacks today
« Reply #34 on: October 25, 2016, 12:19:14 pm »
I'm no IT guy so let me ask what are the options for monitoring the IP's looking to get access to your network?  If I have a cable modem that's connected to a wifi router which also has a LAN hub and I don't actually have a PC running at all times to do that kind of monitoring -- does the router log this stuff so a PC on the network can periodically look at the log?
Adding to what Cerebus & madires stated,
Some brands & model routers come with OpenWrt pre-installed.

A log is just information, it might help or not in use to set firewall rules.

Think this thread started with a DDOS attack on DYN's DNS service. Very hard to do something in this case. The bad device's request could look like a good device's request. The source IP address used could be a bad device, Google, business network or ISP making the request. And in some cases you can spoof the source IP address.

If you want remote access to your local network, you need a hole in firewall that lets you in while keeping others out. Your network has to survive others trying to get in through the hole and preventing it & let you in when you try.
One device on your network could talk to some Internet device. If the Internet device shares some information with another Internet device, it could get in. The device on your network created the hole in your firewall if firewall rules did not prevent it. The firewall would need a rule that a second ip address is not allowed in using first hole. 
Stated in simple terms, Access a web site, web site passes some information it now has to new guy, new guy enters.
A lot of programs that share files on your computer with a second computer somewhere use this to make the connection. If you want security while doing this use certificates at both ends of connection. 
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #35 on: October 25, 2016, 12:38:33 pm »
Are you running sshd on port 22 or have you moved it to another port?

I'm just discussing ports as normally assigned, what I'm seeing hitting the outside of the firewall. Here nothing inbound gets beyond the firewall to even start handshaking unless it's essential - so mail gets in and DNS queries get in, beyond that it's tunnelled or strictly related to connections initiated from inside the firewall.

Quote
I see, you're talking about telnet. Does anyone run telnet, besides for a telnet BBS? I just had a quick look and I see both, distributed attempts under the radar, as-fast-as-possible attacks from single IP addresses and delayed attempts over several hours/days from single IP addresses. Sources are from around the globe, and no IPv6.

Telnet has suddenly got interesting again from the POV of malefactors as open telnet ports with default credentials on consumer routers and IoT kit provide easy starting points. I don't know why it's now and not six or twelve months ago but that's what's happening. It appears that these DDOS attacks are from malware that gets in initially via telnet.

I've seen an uptick in SSH attempts but nothing like the 10 to 20-fold increase in telnet I've seen over the same period.

Probably half of my legitimate traffic is IPv6. Similar to you I see almost no malicious IPv6 traffic - no doubt that will eventually change but it's been that way since I first started using IPv6 back in its experimental days.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline R005T3r

  • Frequent Contributor
  • **
  • Posts: 387
  • Country: it
Re: Major DDOS attacks today
« Reply #36 on: October 25, 2016, 01:41:07 pm »
The number of bots out there trying to compromise your stuff is crazy,  a few weeks ago I had a look in my logs and was surprised just how constantly IP's are trying to log into my personal home workstation via SSH (and failing naturally).

Just today 21 newcomers gave it a shot, mostly from China, a couple Vietnam.

Some nice almost sequential IP's too...

........

Tsk!
I've also noticed that there are a lot of events stated as "DoS attack" in my logs. However, I don't know if it's a router misspell or what... They're too many to be true: one event happens every 10 seconds on average...
And, most of them are from the East.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: Major DDOS attacks today
« Reply #37 on: October 25, 2016, 01:49:51 pm »
I've also noticed that there are a lot of events stated as "DoS attack" in my logs. However, I don't know if it's a router misspell or what... They're too many to be true: one event happens every 10 seconds on average...
And, most of them are from the East.

:-DD This would be like calling ten cars on the highway a traffic jam.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: Major DDOS attacks today
« Reply #38 on: October 25, 2016, 02:28:05 pm »
And, most of them are from the East.

In attributing where attacks come from based on the geography of source IP addresses there are some rules:

1) If they mostly seem to be coming from Korea it's because Korea has such widespread fast access that it's just going to statistically appear more often. (This pattern is changing)

2) If none of the packets come from one country but every other country is represented then an amateur from that country is responsible for the attack.

3) If all the packets seem to come from one country targeted at another country that's a traditional adversary of the first country, someone is trying to make the first country look bad.

4) If they represent roughly the proportions of people with internet access then they are always going to appear to be from East Asia even when they are not and you can't actually tell anything about the origin.
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 

Offline StillTrying

  • Super Contributor
  • ***
  • Posts: 2850
  • Country: se
  • Country: Broken Britain
Re: Major DDOS attacks today
« Reply #39 on: October 25, 2016, 03:59:13 pm »
An Internet of (millions of cheaply made) Things, what could possibly go wrong...
.  That took much longer than I thought it would.
 

Offline metrologist

  • Super Contributor
  • ***
  • Posts: 2213
  • Country: 00
Re: Major DDOS attacks today
« Reply #40 on: October 25, 2016, 05:24:45 pm »
So, what has apparently stopped the attack?
 
