Only 150,000?<p>We see upwards of 2 million unique IPv4 sources scan us on port 23 every day. These are all compromised IoT devices and routers.<p>In the past hour we saw 350k+ unique sources.<p>In just the past 3 minutes that number is 168,230.<p>Top sources in the past 3 minutes:<p><pre><code> 848 211.201.69.50
840 180.66.99.72
838 222.121.157.61
759 95.17.97.136
639 171.248.123.112
542 189.78.49.194
511 176.109.222.124
386 60.249.84.179
378 118.161.69.18
377 61.75.42.129
252 125.142.55.218
252 183.102.221.85
245 106.186.20.183
233 112.162.191.217
203 121.143.65.181
199 115.86.134.94
190 89.163.242.12
183 91.205.123.37
181 86.90.10.151
179 91.240.140.14
177 191.103.72.251
173 185.129.2.236
169 218.201.74.122
168 116.99.113.72
164 82.119.65.190
160 118.129.105.9
158 194.88.205.101
156 77.88.202.60
156 82.79.75.5
155 112.165.227.205
</code></pre>
We see 2000pps of this shit all day every day. No one cares.
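The table above is the familiar `sort | uniq -c | sort -rn | head` shape over firewall logs. The following is an added example, not the commenter's tooling: it parses constructed netfilter LOG lines (the kernel `IN= OUT= SRC= DST= ... DPT=` format, documentation-range addresses only, none of the real sources listed above), keeps only pure TCP SYNs to port 23, counts distinct sources in a trailing window, and prints the same top-N layout. The log prefix `TELNET-SCAN`, the interface names and the timestamps are assumptions for the sample.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Regex over netfilter LOG lines (kernel "IN= OUT= SRC= DST= ... PROTO= ... DPT=" format).
# Assumption: the edge firewall logs inbound port-23 SYNs with a LOG rule.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"PROTO=(?P<proto>[A-Z]+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2016):
    """Return (timestamp, src, proto, dport, is_syn) or None for non-firewall lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # netfilter prints TCP flags as bare words after RES=; a pure SYN carries no ACK.
    is_syn = " SYN " in line and " ACK " not in line
    return ts, m["src"], m["proto"], int(m["dport"]), is_syn


def scan_hits(lines, dport=23):
    """Yield (timestamp, src) for every TCP SYN to dport; everything else is ignored."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, proto, port, is_syn = rec
        if proto == "TCP" and port == dport and is_syn:
            yield ts, src


def unique_sources(lines, window=timedelta(minutes=3), end=None, dport=23):
    """Distinct sources seen in the `window` ending at `end` (default: the latest hit)."""
    hits = list(scan_hits(lines, dport))
    if not hits:
        return 0
    end = end or max(ts for ts, _ in hits)
    start = end - window
    return len({src for ts, src in hits if start < ts <= end})


def top_sources(lines, n=10, dport=23):
    """Most active sources, the same thing `sort | uniq -c | sort -rn | head` gives."""
    return Counter(src for _, src in scan_hits(lines, dport)).most_common(n)


def format_top(lines, n=10, dport=23):
    return "\n".join(f"{count:>5} {src}" for src, count in top_sources(lines, n, dport))


# --- Constructed sample log (documentation-range addresses, not real sources) ---
def make_line(ts, src, dport=23, flags="SYN"):
    return (f"{ts:%b %d %H:%M:%S} edge kernel: [1000.0] TELNET-SCAN IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.2 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=41234 DPT={dport} "
            f"WINDOW=14600 RES=0x00 {flags} URGP=0")


T0 = datetime(2016, 9, 22, 10, 0, 0)
SAMPLE_LOG = (
    [make_line(T0 + timedelta(seconds=i), "203.0.113.7") for i in range(5)]
    + [make_line(T0 + timedelta(seconds=i), "203.0.113.8") for i in range(3)]
    + [make_line(T0 + timedelta(minutes=10), "203.0.113.9")]          # later, alone in its window
    + [make_line(T0, "203.0.113.10", dport=22)]                       # SSH probe: not counted
    + [make_line(T0, "203.0.113.11", flags="ACK SYN")]                # SYN-ACK: not counted
    + ["Sep 22 10:00:00 edge sshd[4242]: Accepted publickey for ops"]  # unrelated line
)

if __name__ == "__main__":
    print(f"unique sources (last 3 min): {unique_sources(SAMPLE_LOG)}")
    print(format_top(SAMPLE_LOG, n=5))
```

On a real edge the same functions run over `journalctl -k` or the syslog file; the window count is what the "168,230 in 3 minutes" figure above is, and the per-source counter is the table.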
As system administrator of my home network, it worries me that a device on my network might be involved in an attack like this, and I would never know.<p>Maybe the target of such an attack could gather a list of IP addresses used in the attack, then pass them to Google, who might warn on their search homepage if you browse from one of the IPs on the list? (e.g. "Some of your internet devices may be at risk, click here to find out more") I know IP addresses are a poor proxy for identity, but it could be a step in the right direction.
@internetofshit will have a field day with this.<p>In all seriousness, this is only going to become worse in the future. Can't wait until the day when smart fridges, toasters and bicycle locks join in on a multi-Tbps attack and break the entire internet.
It's unfortunately way too easy to find such devices. A quick scan of the (less scary) end of the IPv4 address space and I was able to find ~15k cameras, and I was only searching for a couple of models for fun... Here was the result: <a href="http://opencam.ma.rtin.so/" rel="nofollow">http://opencam.ma.rtin.so/</a> -- most of the pins probably won't work anymore, as it's a couple of years old. Still crazy.
Jesus, I was just thinking about the consequences of no patch routine in the IoT device world. And here it is. :)<p>Imagine having to internationally co-ordinate the patching of 150,000 devices. Because the alternative is that 150,000 homes will have their NATed IP addresses blocked from each service being attacked.<p>Just wow...
<a href="http://blog.level3.com/security/attack-of-things/" rel="nofollow">http://blog.level3.com/security/attack-of-things/</a><p>Getting manufacturers to patch, and users to update these embedded linux devices is going to be pretty hard
And now let's apply such a scenario to autonomous vehicles, on land and in the air.<p>But rather than causing a virtual DDoS, now in physical space: shutting down a whole city, for the lulz.<p>IoT and AVs show that the "Facebook" method of software development - move fast, break things, agile/scrum, whatever label is used for non-engineering - will not work for the next stage.<p>Ditto the skills of most young CS grads. Most companies can't even secure their shitty email services - but cars are easier?<p>A whole new supply chain for code needs to be developed, from languages to curriculums. Take what the airline industry has been doing and commoditize it; it must be braindead easy to build a secure and robust piece of code for this new world.
I remember when the NTP exploit came out a few years ago; the datacenter where we have a rack contacted me saying the Supermicro IPMI devices on the Supermicro servers were participating in an amplification attack.<p>I was like wtf! The matter was quickly resolved of course, and they also learned a lesson and moved the IPMI IPs to 10 Mbit limited connections, not 1 Gbit.<p>Though ideally a local IP that is accessible only via a VPN would have been the best option for remote management, but yeah, little steps I suppose with some providers.
The problem is that there are ISPs that are not implementing BCP38 (<a href="http://www.bcp38.info" rel="nofollow">http://www.bcp38.info</a>).
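BCP38 is ingress filtering at the edge nearest the source: a customer port only accepts packets whose source address is actually routed to that customer, which is what stops the spoofed-source reflection traffic described in the IPMI/NTP comment above. The common implementation is strict unicast RPF: look up the packet's source in the forwarding table and permit it only if the best route back to that source leaves through the interface the packet arrived on. The following is an added illustration of that check, not code from bcp38.info or from the commenter; the forwarding table, interface names and packets are constructed from documentation ranges.

```python
import ipaddress

# Constructed forwarding table for an access router (assumption): each customer
# prefix is routed out the port that customer sits on; everything else goes to
# transit. Documentation ranges only; no real network is described here.
FIB_ENTRIES = [
    ("192.0.2.0/25",     "ge-0/0/1"),   # customer A
    ("198.51.100.0/24",  "ge-0/0/2"),   # customer B
    ("2001:db8:1::/48",  "ge-0/0/2"),   # customer B, IPv6
    ("0.0.0.0/0",        "xe-1/0/0"),   # default route to transit
    ("::/0",             "xe-1/0/0"),
]


def build_fib(entries):
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]


def longest_prefix_match(ip, fib):
    """Best route for ip, or None. Mixed families are safe: `ip in net` is False across v4/v6."""
    best = None
    for net, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_permit(src, ingress_iface, fib):
    """Strict unicast RPF: permit only if the return path to src leaves via the ingress port.

    A source we would not route back out this port cannot legitimately have
    arrived on it. On the transit port the default route matches everything, so
    strict mode there permits all; BCP38 is for the edge nearest the source.
    """
    best = longest_prefix_match(ipaddress.ip_address(src), fib)
    return best is not None and best[1] == ingress_iface


def evaluate(packets, fib):
    """Return [(ingress_iface, src, dst, verdict), ...] for constructed packet tuples."""
    return [
        (iface, src, dst, "permit" if urpf_strict_permit(src, iface, fib) else "drop")
        for iface, src, dst in packets
    ]


def dropped_sources(packets, fib):
    return [src for _, src, _, verdict in evaluate(packets, fib) if verdict == "drop"]


FIB = build_fib(FIB_ENTRIES)

# Constructed packets: (ingress interface, source, destination)
PACKETS = [
    ("ge-0/0/1", "192.0.2.10",     "203.0.113.1"),        # customer A, own address: ok
    ("ge-0/0/1", "203.0.113.53",   "192.0.2.10"),         # spoofed source (reflection): drop
    ("ge-0/0/2", "198.51.100.77",  "203.0.113.1"),        # customer B, own address: ok
    ("ge-0/0/2", "192.0.2.10",     "203.0.113.1"),        # B using A's address: drop
    ("xe-1/0/0", "203.0.113.53",   "192.0.2.10"),         # from transit: cannot be judged here
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::1"),   # customer B IPv6: ok
    ("ge-0/0/1", "2001:db8:1::10", "2001:db8:ffff::1"),   # B's v6 prefix on A's port: drop
]

if __name__ == "__main__":
    for iface, src, dst, verdict in evaluate(PACKETS, FIB):
        print(f"{iface:9} {src:>16} -> {dst:<18} {verdict}")
```

Two caveats a practitioner should keep in mind. Strict uRPF assumes symmetric routing; a multihomed customer whose return path prefers another link gets dropped, which is why routers offer a loose mode (any route at all) as the fallback, and why a hand-maintained per-interface prefix-list ACL is the equivalent for ports where uRPF cannot be enabled. And BCP38 only removes spoofed sources: the port-23 scanners in the table at the top of the thread complete a TCP handshake from their real addresses, so ingress filtering does nothing about them, it just takes away the reflection and amplification variants.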
Finally, the WiFi router invasion that we were warned of as early as 2007 is coming: <a href="https://www.flickr.com/photos/dullhunk/3109815261" rel="nofollow">https://www.flickr.com/photos/dullhunk/3109815261</a> (original source from 2007 is 404)
It should be easier to manage devices that have access to the Internet at the router level.<p>Most can't understand access restrictions, iptables or installing custom firmware. There needs to be a common standard, an API on each router, to manage devices connecting to the Internet and to see which devices do and don't.<p>This would open the door to creating apps etc. and possibly help mitigate threats from unknown Chinese IoT devices.
I manage a huge fleet of Raspberry Pis at my job. They are geographically everywhere.<p>I wish that they will not be found by some bad guy, but I know our system and I'm 100% sure that it will happen one day. We have a basic level of security, like so many other startups in that field though.
Feels like how things might have been when home electricity was first becoming pervasive.<p>Lots of dubious devices and a laissez-faire approach to e.g. electrocution risks and fire hazards.<p>After enough public outcry regulation is introduced, standards are developed and enforced, and your television is no longer at risk of bursting into flames or frying the cat.<p>Or, in today's world, of being conscripted into a global botnet and DDoSing your neighbours.
This isn't bad enough, not yet, for some kind of protocol that allows source quench / notify a remote ISP of a suspected infected host and suppress traffic from said host.<p>It would need to be out of band, and I suggest it use OpenPGP for signatures (chain of trust from IP allocating bodies), actually it would also need to query a database of allocated IP ranges.
IoT = Internet of Targets<p>Something needs to be done about DDOS at the backbone and tier-1 level of the Internet or we are going to lose the public Internet.